Unclassified

Government of Malta GMICT P 0061:2007

Certificate Policy for Non-Qualified Certificates Policy

This document is part of the GMICT Policy Framework http://ictpolicies.gov.mt

Version 1.0

Effective Date 5 September 2007

Certificate Policy for Non-Qualified Certificates - MITA


GMICT P 0061:2007 Certificate Policy for Non-Qualified Certificates

Policy version 1.0

Unclassified Page i of ii

Table of Contents

1. Purpose
2. Scope of Applicability
3. Definitions
4. Roles
5. Policy Statement
    5.1 Certificate Usage
6. General, Legal, and Business Provisions
    6.1 Representations and Warranties
    6.2 Limitations of Liability
    6.3 Interpretation and Enforcement
    6.4 Compliance Audit
    6.5 Privacy and Data Protection
    6.6 Intellectual Property Rights
7. Identification and Authentication
    7.1 Naming
    7.2 Initial Identity Validation
    7.3 Identification and Authentication of Requests for Renewal
    7.4 Identification and Authentication of Requests for Revocation
8. Certificate Life-Cycle Operational Requirements
    8.1 Certificate Application
    8.2 Certificate Application Processing
    8.3 Certificate Issuance
    8.4 Certificate Acceptance
    8.5 Certificate Renewal
    8.6 Certificate Suspension and Revocation
9. Facility, Management and Operational Controls
    9.1 Physical Controls
    9.2 Procedural Controls
    9.3 Personnel Controls
    9.4 Audit Logging and Procedures
    9.5 Records Archival
    9.6 Compromise and Disaster Recovery
    9.7 CA Termination
10. Technical Security Controls
    10.1 Key Pair Generation and Installation
    10.2 Private Key Protection and Cryptographic Module Engineering Controls
    10.3 Other Aspects of Key Pair Management
    10.4 Activation Data
    10.5 Computer Security Controls
    10.6 Life Cycle Technical Controls
    10.7 Network Security Controls
11. Certificate and CRL Profiles
    11.1 Certificate Profile
    11.2 CRL Profile
12. Specification Administration
    12.1 Specification Change Procedures
    12.2 Publication and Notification Procedures
    12.3 Certification Practice Statement Approval Procedures
13. Document Information
    13.1 Related Documents
    13.2 References
    13.3 Modification History
14. Issuing Authority
15. Contact Information


1. Purpose

This document establishes the Certificate Policy which governs a Certification Authority providing certification services to the Government of Malta.

2. Scope of Applicability

The provisions of this document apply to digital certificates, in the form of a Public Key Certificate issued by a Certification Authority providing certification services to the Government of Malta under this Certificate Policy (hereinafter referred to as the “Certificate”). This Certificate Policy establishes when a Certificate may be used, as well as the procedures to be followed and the responsibilities of the parties involved.

3. Definitions

| Item | Definition |
|---|---|
| Public Key Certificate | Public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the Certification Authority which issued it. |
| Certificate Policy (CP) | Named set of rules that indicates the applicability of a Public Key Certificate to a particular community and/or class of application with common security requirements. |
| Certification Authority (CA) | Authority trusted by one or more users to create and assign Certificates. |
| Certification Practice Statement (CPS) | Statement of the practices owned by the CA which the CA employs in issuing Certificates. |
| Relying Party (RP) | Recipient of a Certificate who acts in reliance on that Certificate and/or digital signatures verified using that Certificate. |
| Subscriber | A natural person identified in a Certificate as the holder of the private key associated with the public key given in the Certificate. |


4. Roles

The Certification Authority (CA) is the authority trusted by the users of the certification services (i.e. Subscribers as well as Relying Parties) to create and assign Certificates. The CA has overall responsibility for the provision of the certification services as described in this policy.

A Registration Authority (RA) is an entity which may be assigned by the CA to perform applicant authentication, to assist Certificate applicants in applying for Certificates, to approve or reject Certificate applications, to revoke Certificates and to renew Certificates.

A Subscriber is the natural person whose name appears as the subject in a Certificate, and who asserts that s/he uses his/her key and Certificate in accordance with this policy. The targeted Subscribers include, but are not limited to, Citizens of Malta who may wish to utilise the electronic services offered by the Government of Malta.

A Relying Party (RP) is the entity who, by using a Certificate having another entity as its subject for client authentication, relies on the validity of the link between the Subscriber's name and a Public Key. A Relying Party may use information in the Certificate (such as CP identifiers) to determine the suitability of the Certificate for a particular use. Relying Parties include, but are not limited to, Departments and other Entities of the Government of Malta that provide on-line services.

The Policy Management Authority (PMA) is the entity which owns this Certificate Policy and is responsible for the administration of this Certificate Policy. The PMA may amend this Certificate Policy, or any part thereof, at any time at its discretion.


5. Policy Statement

This Policy sets out and identifies the Non-Qualified Certificate Policy for the Certification Authority providing certification services to the Government of Malta. The Certificates shall be compatible with and meet the requirements laid down in this Certificate Policy. The key pair shall always be generated by the Subscriber.

In this Certificate Policy, references to “Certificates” mean the Certificates described in the CP and do not extend to “Qualified Certificates” within the meaning of the Electronic Commerce Act (Chapter 426 of the Laws of Malta).

The Certificates issued under this Non-Qualified Certificate Policy shall have a CP identifier. This can be used by third parties to determine the applicability and trustworthiness of the Certificate for a particular application. This Identifier shall be 2.16.470.1.1.
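A Relying Party check for the CP identifier 2.16.470.1.1, given here as an added example that is not part of the policy or of any CA software. It assumes the identifier is carried in the standard X.509 certificatePolicies extension and that the caller has already extracted that extension's DER value from a certificate whose chain it validated; the sample bytes and the CPS URL are constructed.

```python
"""Added example: does a certificatePolicies extension assert the CP identifier?"""

CP_IDENTIFIER = "2.16.470.1.1"   # CP identifier stated in section 5 of the policy
ANY_POLICY = "2.5.29.32.0"       # RFC 5280 anyPolicy; not the same as asserting the CP
SEQUENCE, OID, IA5STRING = 0x30, 0x06, 0x16


def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OBJECT IDENTIFIER (base-128, high bit = continue)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    out = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid; rejects content that ends mid-arc."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated OID")
    values, acc = [], 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            values.append(acc)
            acc = 0
    first = values[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(v) for v in (*head, *values[1:]))


def read_tlv(data: bytes, offset: int):
    """Return (tag, value, next_offset) for the DER element at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[offset:end], end


def policy_oids(ext_value: bytes) -> list:
    """List policyIdentifier OIDs from a certificatePolicies extension value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    """
    tag, body, end = read_tlv(ext_value, 0)
    if tag != SEQUENCE or end != len(ext_value):
        raise ValueError("certificatePolicies must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_bytes, _ = read_tlv(info, 0)  # qualifiers, if any, are skipped
        if oid_tag != OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def asserts_policy(ext_value: bytes, wanted: str = CP_IDENTIFIER) -> bool:
    """Exact OID match only: no string-prefix matching, no anyPolicy shortcut."""
    return wanted in policy_oids(ext_value)


def der(tag: int, value: bytes) -> bytes:
    """Build a DER element (short-form length; enough for the constructed samples)."""
    if len(value) > 127:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(value)]) + value


# Constructed sample extension values (not taken from any real certificate).
SAMPLE_MATCH = der(SEQUENCE, der(SEQUENCE, der(OID, encode_oid(CP_IDENTIFIER))))
SAMPLE_LOOKALIKE = der(SEQUENCE, der(SEQUENCE, der(OID, encode_oid("2.16.470.1.10"))))
SAMPLE_ANY_POLICY = der(SEQUENCE, der(SEQUENCE, der(OID, encode_oid(ANY_POLICY))))
_CPS_QUALIFIER = der(SEQUENCE, der(SEQUENCE,
    der(OID, encode_oid("1.3.6.1.5.5.7.2.1"))          # id-qt-cps
    + der(IA5STRING, b"https://ca.example/cps")))      # placeholder URL
SAMPLE_WITH_QUALIFIER = der(SEQUENCE, der(SEQUENCE,
    der(OID, encode_oid(CP_IDENTIFIER)) + _CPS_QUALIFIER))

if __name__ == "__main__":
    for name in ("SAMPLE_MATCH", "SAMPLE_LOOKALIKE", "SAMPLE_ANY_POLICY",
                 "SAMPLE_WITH_QUALIFIER"):
        value = globals()[name]
        print(f"{name}: {policy_oids(value)} -> accept={asserts_policy(value)}")
```

Comparing decoded OIDs for exact equality is what keeps a look-alike such as 2.16.470.1.10 from passing a check written as a string-prefix test.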

5.1 Certificate Usage

The Certificate provides a medium degree of assurance of the electronic identity of a Subscriber. The Certificate ensures proper authentication since the individual applying for the Certificate must go to the appointed RA in person for official registration before a Certificate can be issued by the CA. For applications to be validated the person applying for the Certificate must present his/her identity card for verification.

Certificates shall not be issued to individuals acting on behalf of a legal person. Certificates are personal to the relevant Subscriber and they are non-transferable. If a Relying Party relies upon a Certificate from an individual purporting to act on behalf of a person other than the Subscriber, the Relying Party does so entirely at its own risk.

The Certificates are intended solely for client authentication to electronic services offered through the portal of the Government of Malta and for no other purposes. The CA shall not be responsible for and offers no express or implied warranties regarding the performance of the Portal.

Subject to clause 6.2, the Certificate may be used for other applications, provided its trustworthiness is decided by the parties themselves on the basis of the nature of the Certificate and the level of security of the procedures followed for issuing the Certificate. It is important to note that at this time the Certificate Policy is approved only for use of Certificates on the portal of the Government of Malta. Any use of Certificates by Subscribers for any digital signature or other applications outside of the portal is entirely at the parties’ own risk.

The CA shall offer no express warranties regarding the fitness for purpose of the Certificates for any application not specifically approved in the CPS. To the fullest extent permitted by law, the CA shall disclaim any implied warranties to the contrary.

Certificates shall be used only to the extent the use is consistent with applicable law. They are not designed, intended, or authorised for use in hazardous circumstances or for uses requiring fail-safe performance. CA Certificates may not be used for any functions except CA functions. In addition, Subscriber Certificates shall not be used as CA Certificates.


6. General, Legal, and Business Provisions

6.1 Representations and Warranties

6.1.1 CA Representations and Warranties

The CA shall:

• be responsible for the creation and signing of Certificates binding Subscribers with their public verification keys;

• be responsible for promulgating Certificate status through the Certificate Revocation List (CRL);

• guarantee that all the requirements set out in this CP are complied with. It also assumes responsibility for ensuring such compliance and providing these services in accordance with its CPS;

• use its certificate signing Private Key only to sign Certificates and CRLs and for no other purpose;

• endeavour to provide Subscribers and Relying Parties with notice of their respective rights, privileges and obligations pertaining to their use of the Certificates it provides and any changes thereof;

• provide appropriate notice to all interested parties as to its procedures concerning the expiry, suspension, revocation and renewal of Certificates;

• protect the privacy of the persons concerned. The CA shall ensure that the personal data it receives shall be used solely for the provision of certification services, and that the Subscriber may consult and change this data;

• provide Subscribers and Relying Parties with the URL of its website where the CPS is published.

6.1.2 RA Representations and Warranties

In the case that the CA assigns a separate entity as an RA, the RA shall:

• comply with the applicable provisions of this CP and the CPS currently in effect, and with the terms and conditions of its agreement with the CA;

• guarantee that Subscribers are properly identified and authenticated as regards the personal identity of the Subscriber as a natural person;

• also guarantee that any applications for Certificates submitted to the CA are complete, accurate, valid and duly authorised;

• inform Subscribers of their respective rights, privileges and obligations pertaining to their use of keys, and the CA's procedures for the expiry, suspension, revocation and renewal of keys and Certificates;

• have a contractual obligation to implement appropriate measures for the physical security of the information and systems concerned, and the employees dealing with registration.

• protect the privacy of the persons concerned. The RA shall ensure that the personal data it receives shall be used solely for the provision of certification services, and that the Subscriber may consult and change this data.

The CA retains responsibility for the RA Representations and Warranties. However, the CA shall not be responsible for the registration or administration of Electronic Identity Accounts which shall be operated solely by the RA.


6.1.3 Subscriber Representations and Warranties

The Subscriber shall:

• accept the procedures set by the CA in the CPS currently in effect for the provision of Certificates;

• when applying with the RA for the Certificate, submit precise, accurate and complete information, and comply with the corresponding registration procedures;

• use or rely on keys or Certificates only for purposes permitted by this CP and for no other purpose;

• be responsible for generation of the key pair using an algorithm and given key length (minimum 1024 bits) meeting the criteria set out in this CP;

• give an undertaking that s/he is the sole holder of the Private Key linked to the Public Key to be certified;

• protect the Private Key at all times against loss, disclosure, alteration or unauthorised use;

• immediately notify the CA in such manner as specified by the CA in the event of the compromise or suspected compromise of the Private Key or the activation data (e.g. PIN code);

• immediately inform the CA of any changes to the data on the Certificate.

6.1.4 Relying Party Representations and Warranties

The Relying Party shall:

• verify the validity, suspension or revocation of the Certificate using current revocation status information as indicated in this CP;

• take account of any limitations on the usage of the Certificate indicated either in the Certificate or the relevant terms and conditions;

• take all the other precautions prescribed in agreements or elsewhere.

6.2 Limitations of Liability

To the extent permitted by law, the CA shall not be under any liability in respect of any loss or damage (including, without limitation, consequential loss or damage) which may be suffered or incurred or which may arise directly or indirectly in relation to the use or reliance upon Certificates issued under this Certificate Policy or associated public/private key pairs for any use that is not in accordance with this Certificate Policy and any other related agreements.

The total liability which may be incurred by the CA for damages sustained by the Subscriber or the Relying Party for any use or reliance on a Certificate as specified in this Certificate Policy shall be limited, in total, to Lm 860 (2000 EUR). This limitation shall be the same regardless of the number of digital signatures, transactions or claims relating to such Certificate. System maintenance or factors outside the control of the CA may affect such availability of services provided by the CA. The CA disclaims all liability of any kind whatsoever for matters outside of its control including the availability or working of the Internet, or telecommunications or other infrastructure systems.


6.3 Interpretation and Enforcement

The laws of the Government of Malta govern the enforceability, construction, interpretation and validity of this Certificate Policy.

6.4 Compliance Audit

The CA shall be periodically audited. The PMA shall have the right to appoint the auditors required for this function. The appointment of the auditors shall be final and binding upon the CA.

The CA shall have the right to request periodic and ad hoc inspections of the subordinate operations such as the RA function. The CA shall state the reason for any ad hoc inspection.

The purpose of a compliance audit shall be to verify that the audited party has in place a system in accordance with this Certificate Policy, in order to assure the quality of the services that it provides, and that it complies with all of the requirements of this CP.

6.5 Privacy and Data Protection

The CA shall collect and use personal information to deliver the services or carry out the transactions necessary for the issuing of Certificates, in accordance with any obligations stipulated under the Data Protection Act. Except as described in this Policy, the CA shall not disclose personal information without the subject’s consent. The CA may access and/or disclose personal information if such action is necessary to:

• comply with the laws of Malta;

• protect and defend the rights or property of the Government of Malta;

• act in urgent circumstances to protect the personal safety of Subscribers or members of the public.

The owner of private information may correct any inaccuracies or request any corrections in the private information provided by the data subject at any time.

6.6 Intellectual Property Rights

All right, title and interest in all intellectual property rights in or associated with this Certificate Policy and Certificates, including all modifications and enhancements thereof, are and shall remain the exclusive property of the Government of Malta.


7. Identification and Authentication

7.1 Naming

Each Subscriber shall have a clearly distinguishable and unique X.501 Distinguished Name (DN) in the Certificate subject name field. The Subject name in a Certificate must be meaningful to the extent that the CA has associated the Certificate with a Subscriber.

7.2 Initial Identity Validation

A request by an individual seeking to be a Subscriber must be presented by the individual in person.

The identity of a prospective Subscriber must be authenticated in any manner sufficient to satisfy the RA that the individual has the identity he or she claims to possess. The individual shall be required to present the Government-issued identity card, and other identifying documents.

7.3 Identification and Authentication of Requests for Renewal

All requests for renewal shall be authenticated by the RA, and the subsequent response shall be authenticated by the Subscriber. A Subscriber requesting renewal may authenticate the request using his/her valid Digital Signature key pair. Where the key pair has expired, the request for renewal must be authenticated in the same way as initial registration.

7.4 Identification and Authentication of Requests for Revocation

The CA or RA must authenticate a request for revocation of a Certificate. The authentication may be performed using privately shared information. A Subscriber requesting revocation may authenticate the request using his/her valid Digital Signature key pair.


8. Certificate Life-Cycle Operational Requirements

8.1 Certificate Application

The person applying for the Certificate must have previously obtained an electronic identity (eID) account, in accordance with the procedures for obtaining, and terms and conditions for, such an account. An individual applying for an eID account must apply by going in person to the appointed RA, taking the following documents:

• The order form, duly filled in and signed;

• The applicant’s valid identity card, passport or equivalent official document.

8.2 Certificate Application Processing

The RA shall approve an application for an eID account upon the successful identification and authentication of all required Subscriber information. The RA shall subsequently provide the applicant with the account information including the activation data. The RA shall reject an eID account application if identification and authentication of all required Subscriber information cannot be completed, or if the applicant fails to furnish supporting documentation upon request.

Once the applicant activates the eID account, upon successful login to the electronic services portal of the Government of Malta, s/he shall be provided with an on-line facility to apply for a Certificate. The applicant shall be required to agree to the Subscriber Agreement. The RA shall send its approval of the Certificate Request to the CA. The RA may reject the application for a Certificate if this may bring the CA or the Government of Malta into disrepute.

8.3 Certificate Issuance

On receipt of the approval of the Certificate Request from the RA, the CA shall issue the Certificate. The CA shall, either directly or through the RA, inform the applicant using electronic or written communication that it has issued such Certificate, and provide the Subscriber with access to the Certificate by notifying him/her that the Certificate is available and the procedure for obtaining it.

8.4 Certificate Acceptance

The Certificate is deemed to have been accepted by the Subscriber when it is downloaded and when either (i) the Subscriber fails to object to it or its content within seven (7) working days of date of download or (ii) the Subscriber uses the Certificate within the seven day period, whichever is the earlier. The Subscriber Agreement is accepted by the Subscriber at the point where the Subscriber applies for the Certificate.


The Subscriber shall immediately notify the RA of any errors in the content of the Certificate. Upon being informed by the RA, the CA shall revoke the Certificate and take the appropriate measures to reissue a Certificate for the Subscriber.

8.5 Certificate Renewal

If the Subscriber’s keys and Certificate are still valid (i.e., not revoked, suspended, or expired), the CA shall accept applications for renewal that are electronically signed using the Private Key for which the Public Key is certified.

In the case of renewal of a revoked, suspended or expired Certificate, the CA shall reconfirm the identity of the Subscriber and ensure that the information used to check the Subscriber’s identity in the past is still valid. The same validation procedure is followed for renewal as that used for the initial registration.

The CA shall only issue a Certificate for a previously certified key if the security of the cryptographic parameters for this key is still adequate and the key concerned has not been compromised.

8.6 Certificate Suspension and Revocation

The CA or the RA shall, upon being informed in writing, suspend a Certificate if the Subscriber so requests. The CA or the RA shall, upon being informed in writing, revoke a Certificate if:

• The Subscriber so requests;

• the Private Key (including the activation data) of the Subscriber is lost, stolen or potentially compromised; or,

• any information in the Certificate changes; or

• the Individual Subscriber dies.

The CA may, at its discretion, revoke a Certificate when an individual fails to comply with any agreement, any applicable law or where the CA reasonably believes it appropriate in the circumstances. The CA shall notify the RA and the affected individual of any revocation of a Certificate assigned to him/her.


9. Facility, Management and Operational Controls

9.1 Physical Controls

The CA shall ensure that the location of the computing facilities hosting the CA services be a Security Zone monitored for unauthorised intrusion at all times. The location shall have adequate power and air conditioning facilities, and shall be protected against flooding and fire.

The CA servers shall be hosted in the Data Centre of the Government of Malta, and shall therefore adopt all the established physical controls. In addition, the CA equipment shall be hosted in a completely dedicated rack. Only approved personnel shall be allowed access to the CA servers, and third parties shall be properly escorted and supervised.

An off-line backup of the contents of the CA servers shall be maintained using tape media in the assigned Disaster Recovery Site.

9.2 Procedural Controls

The critical CA functions shall be separated to prevent any one person from maliciously using the CA system without detection. Each user’s system access shall be strictly limited to the actions that are required for fulfilling their roles and responsibilities.

The CA shall segregate the distinct personnel roles, distinguishing between the day-to-day operation of the CA system, the management and audit of those operations, and the management of major changes to the system’s policies, procedures or personnel.

9.3 Personnel Controls

Persons shall be selected for any trusted role in the operation of the CA on the basis of their trustworthiness and integrity. In addition, selected personnel would have successfully completed any appropriate training and have demonstrated their ability to perform the assigned duties. They also should not have previously been denied a security clearance, or been convicted of any felony offence.

9.4 Audit Logging and Procedures

The CA shall, at minimum, record the:

• Generation of the CA and subordinate entity keys;

• Changes to CA details and/or keys;

• Changes to Certificate creation policies;

• CA application start-up and shutdown;

• Login and logout attempts;

• Creation and revocation of Certificates;

• Attempts to initialise, remove, enable, and disable Subscribers; and

• Failed read-and-write operations on the Certificate and CRL directory.


9.5 Records Archival The Certificates stored by the CA, including the CA (self-signed) Certificates, as well as the CRLs generated by the CA, shall be retained for at least two years after their expiration. The CA shall archive for a one year the audit logs generated by the CA software. The older versions of the documentation which defines the Governance and the Operation of the CA, including the Certificate Policy, the Certification Practice Statement and all the Agreements, shall also be retained for at least one year.

9.6 Compromise and Disaster Recovery

The CA shall have appropriate emergency and/or disaster recovery plans and procedures. These shall include the re-establishment of the CA installation, including the initialisation of the CA equipment, the generation of the new private and Public Keys, and the re-issuing of all Subscriber Certificates. Without prejudice to Article 6.2, if the CA equipment is damaged and becomes inoperative, the CA operations shall be re-established as quickly as possible, giving priority to the ability to revoke Subscribers’ Certificates. If the CA cannot re-establish revocation capabilities, a decision shall be taken by the CA declaring the CA’s private signing key as compromised and the CA installation shall be rebuilt completely. The CA shall also be completely rebuilt in the case of a disaster in which the installation is physically damaged and all copies of the CA signature key are destroyed as a result.

9.7 CA Termination

In the event the CA ceases operation or makes a major change in operations, the CA shall immediately notify the PMA as to all Entities for which it has issued Certificates. In the event the CA ceases operations, the CA shall arrange for the retention of the CA’s records, including copies of the Certificates, Private Keys, CRLs and Audit information.

10. Technical Security Controls

10.1 Key Pair Generation and Installation

The CA key generation shall be performed by personnel in trusted roles under multiple controls, and carried out using a device as described in section 10.2. Each digital signature key pair shall be generated using an algorithm approved by the PMA. The private signing key of the prospective Subscriber shall be generated by the holder and shall not be stored by the CA. The Public Key shall also be generated by the Subscriber and shall be transmitted to the CA in an on-line transaction in a secure manner as documented in the CPS. The CA shall use 2048-bit RSA for its own CA signing key pair. Subscribers shall use 2048-bit RSA for their key pairs. Keys may be used for authentication and data integrity. CA signing keys are the only keys permitted to be used for signing Certificates and CRLs.

10.2 Private Key Protection and Cryptographic Module Engineering Controls

All CA Digital Signature key generation, key storage and Certificate signing operations shall be performed in a hardware cryptographic module rated as specified in FIPS 140-2 Level 3.

All other CA cryptographic operations shall be performed in a cryptographic module validated to at least FIPS 140-2 Level 2.

10.3 Other Aspects of Key Pair Management

The Certificate Operational Periods and Key Pair Usage Periods shall be as follows:

| Key/Certificate | Key Length in Bits | Maximum Validity Period |
|---|---|---|
| Root-CA | 4096 | 21 years |
| Intermediate-CA | 4096 | 20 years |
| Issuing-CA | 2048 | 10 years |
| Subscriber | 2048 | 5 years |
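As an added example (not part of this policy or of the CA's own tooling), the following Python checks certificate records against the section 10.3 limits and the section 10.1 rule that only CA signing keys may sign Certificates and CRLs. The record layout, the reading of the key length column as a minimum, and the sample records are assumptions made for illustration.

```python
from datetime import date

# Section 10.3 table: role -> (key length in bits, maximum validity in years)
LIMITS = {"Root-CA": (4096, 21), "Intermediate-CA": (4096, 20),
          "Issuing-CA": (2048, 10), "Subscriber": (2048, 5)}
# Section 10.1: only CA signing keys may sign Certificates and CRLs
CA_ONLY_USAGES = {"keyCertSign", "cRLSign"}

def add_years(d, years):
    """Same calendar day `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def check(cert):
    """Return the policy findings for one certificate record (empty list = conforms)."""
    if cert["role"] not in LIMITS:
        return ["role %r is not in the section 10.3 table" % cert["role"]]
    bits, max_years = LIMITS[cert["role"]]
    findings = []
    # Assumption: the table's key length is read as a minimum.
    if cert["bits"] < bits:
        findings.append("key is %d bits, policy requires %d" % (cert["bits"], bits))
    if cert["not_after"] <= cert["not_before"]:
        findings.append("validity period is empty or reversed")
    elif cert["not_after"] > add_years(cert["not_before"], max_years):
        findings.append("validity exceeds %d years" % max_years)
    misuse = CA_ONLY_USAGES & cert["key_usage"]
    if cert["role"] == "Subscriber" and misuse:
        findings.append("subscriber key asserts " + ", ".join(sorted(misuse)))
    return findings

def audit(records):
    """Map each subject to its list of findings."""
    return {c["subject"]: check(c) for c in records}

# Constructed sample records (not real certificates).
SAMPLE = [
    {"subject": "CN=Example Issuing CA", "role": "Issuing-CA", "bits": 2048,
     "not_before": date(2008, 1, 1), "not_after": date(2018, 1, 1),
     "key_usage": {"keyCertSign", "cRLSign"}},
    {"subject": "CN=alice", "role": "Subscriber", "bits": 1024,
     "not_before": date(2008, 2, 29), "not_after": date(2013, 3, 1),
     "key_usage": {"digitalSignature"}},
    {"subject": "CN=bob", "role": "Subscriber", "bits": 2048,
     "not_before": date(2008, 2, 29), "not_after": date(2013, 2, 28),
     "key_usage": {"digitalSignature", "keyCertSign"}},
]

if __name__ == "__main__":
    for subject, findings in audit(SAMPLE).items():
        print(subject, "->", findings or "conforms")
```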

10.4 Activation Data

Any activation data must be unique and unpredictable. It must be protected from unauthorised use by a combination of cryptographic and physical access control mechanisms.

If a reusable password scheme is used, the mechanism shall include a facility to temporarily lock the account after a predetermined number of login attempts.

10.5 Computer Security Controls

The following computer security functions may be provided by the operating system, or through a combination of operating system, software, and physical safeguards:

• Require authenticated logins
• Provide discretionary access control
• Provide a security audit capability
• Enforce separation of duties for roles
• Require identification and authentication of roles and associated identities
• Require use of cryptography for session communication and database security
• Require recovery mechanisms for keys and the CA system

10.6 Life Cycle Technical Controls

The CA shall ensure that the CA software has been designed and developed under a structured development methodology, and has passed the necessary quality assurance. The CA shall indicate in the CPS its policies and procedures to prevent malicious software from being loaded onto the CA equipment. The CA hardware and software shall be dedicated to performing only CA-related tasks. There shall be no other applications, hardware devices, network connections or component software, which are not part of the CA operation.

10.7 Network Security Controls

The CA shall ensure that adequate security controls are in place to provide CA integrity and availability through any open or general purpose network with which it is connected. The root and intermediate CA servers shall be kept disconnected from the network at all times, and the issuing servers shall be accessed only by specified servers through appropriately configured firewalls.

11. Certificate and CRL Profiles

11.1 Certificate Profile

The CA shall issue X.509 version 3 Certificates or a later version of X.509 Certificates if such use is approved by the PMA. The CA software shall support all the base X.509 fields:

| Field Name | Description |
|---|---|
| Version | Version of X.509 Certificate |
| Serial Number | Unique serial number for Certificate |
| Signature Algorithm Identifier | The algorithm used by the CA to sign the Certificate |
| Issuer Name | Name of the CA which signed the Certificate |
| Validity Period | Start and end date/time for Certificate |
| Subject Name | Name of the entity whose Public Key the Certificate identifies |
| Subject Public Key Information | Public Key of the entity and the Algorithm ID key |

Any Certificate extensions used by Certificates issued under this Certificate Policy shall conform to the applicable parts of the X.509 Certificate and CRL Fields and Extensions Profile. The CA shall use the Triple DES encryption algorithm. The 3 independent key option provides the best security and is therefore the adopted option.

11.2 CRL Profile

The CA shall issue X.509 version 2 CRLs or a later version if such use is approved by the PMA. The CA software shall support the following CRL fields:

| Field Name | Description |
|---|---|
| Certificate List | Sequence of fields |
| Version | Version of the encoded CRL |
| Signature | The identifier for the algorithm used to sign the CRL |
| Issuer | The CA which has issued and signed the CRL. |
| This Update | The issue date of this CRL. |
| Next Update | The date by which the next CRL will be issued |
| Revoked Certificates | List of Revoked Certificates, identified by the serial number, including date/time revoked. |
| Signature Algorithm | The identifier for the algorithm used to sign the CRL |
| Signature Value | Digital signature computed on the Certificate List. |

12. Specification Administration

12.1 Specification Change Procedures

The PMA shall review this CP at least once every year. Errors, updates, or suggested changes to this CP shall be communicated to every Subscriber. Such communication must include a description of the change, a change justification, and contact information for the person requesting the change. All policy changes under consideration by the PMA shall be disseminated to interested parties. All interested parties shall provide their comments to the PMA in a manner to be prescribed by the PMA.

12.2 Publication and Notification Procedures

This CP and any subsequent changes shall be made publicly available within one week of approval.

12.3 Certification Practice Statement Approval Procedures

The CA shall have a high level management body with final authority and responsibility for approving the Certification Practice Statement. The Management of the CA has responsibility for ensuring the practices are properly implemented. The CA shall define a review process for certification practices including responsibilities for maintaining the Certification Practice Statement. The CA shall give due notice of changes it intends to make in its Certification Practice Statement to the Subscribers and the Relying Parties and shall, following approval, make the revised Certification Practice Statement immediately available.

13. Document Information

13.1 Related Documents

None

13.2 References

| Name | Reference | Location |
|---|---|---|
| Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates. | ETSI TS 102 042 | www.etsi.org |

13.3 Modification History

| Version | Effective Date | Changes |
|---|---|---|
| 1.0 | 5 September 2007 | First release. |

14. Issuing Authority

This document has been compiled by the Malta Information Technology and Training Services Ltd and issued with the authority of the Chairman, CIO Council.

15. Contact Information

Government ICT Policies, Directives, Standards and associated publications can be found at http://ictpolicies.gov.mt.

Any suggestions, queries or requests for clarification regarding Government ICT Policies, Directives and Standards may be forwarded to [email protected].