Trust Services Practice Statement Under approval by Supervisory Body Category: Practice Statement Document No.: NAMTSP-TSPS-MO-v1.0.docx Written by: TSP Director Confidentiality notice: Public Document Verified by: TSP Director Version: 1.0 Approved by: CEO Issue date: 30/06/2016 Namirial S.p.A. Chief Executive Officer (Dr. Davide Ceccucci)

Trust Services - Namirial Support · Each first-level chapter includes reference to the corresponding chapter in ETSI EN 319 401 [2]. 1.1 Overview NAMIRIAL operates a Public Key infrastructure




Table of Contents

History of changes

1 Introduction
1.1 Overview
1.2 Document Name and Identification
1.3 PKI Participants
1.3.1 Trust Service Provider
1.3.2 Registration Authorities
1.3.3 Subscribers
1.3.4 Relying Parties
1.3.5 Other Participants
1.4 Certificate Usage
1.4.1 Appropriate Certificate Uses
1.4.2 Prohibited Certificate Uses
1.5 Policy Administration
1.5.1 Organisation Administering the Document
1.5.2 Contact Person
1.5.3 Person Determining NAMIRIAL PS Suitability for the Policy
1.5.4 NAMIRIAL PS Approval Procedures
1.6 Definitions and Acronyms
1.6.1 Terminology
1.6.2 Acronyms

2 Publication and Repository responsibilities
2.1 Repositories
2.2 Publication of Information
2.2.1 Publication and Notification Policies
2.2.2 Items not Published in the Practice Statement
2.3 Time or Frequency of Publication
2.3.1 Directory Service
2.4 Access Controls on Repositories

3 Identification and Authentication
3.1 Naming
3.2 Initial Identity Validation
3.3 Identification and Authentication for Re-Key Requests
3.4 Identification and Authentication for Revocation Request


4 Certificate life-cycle operational requirements
4.1 Certificate Application
4.2 Certificate Application Processing
4.3 Certificate Issuance
4.3.1 CA Actions During Certificate Issuance
4.3.2 Notification to Subscriber by the CA of Issuance of Certificate
4.4 Certificate Acceptance
4.5 Key Pair and Certificate Usage
4.6 Certificate Renewal
4.7 Certificate Re-Key
4.8 Certificate Modification
4.9 Certificate Revocation and Suspension
4.10 Certificate Status Services
4.11 End of Subscription
4.12 Key Escrow and Recovery

5 Facility, Management, and Operational controls
5.1 Physical Controls
5.1.1 Site Location and Construction
5.1.2 Physical Access
5.1.3 Power and Air Conditioning
5.1.4 Water Exposures
5.1.5 Fire Prevention and Protection
5.1.6 Media Storage
5.1.7 Waste Disposal
5.1.8 Off-Site Backup
5.2 Procedural Controls
5.2.1 Trusted Roles
5.2.2 Number of Persons Required per Task
5.2.3 Identification and Authentication for Each Role
5.2.4 Roles Requiring Separation of Duties
5.3 Personnel Controls
5.3.1 Qualifications, Experience, and Clearance Requirements
5.3.2 Background Check Procedures
5.3.3 Training Requirements
5.3.4 Retraining Frequency and Requirements
5.3.5 Job Rotation Frequency and Sequence
5.3.6 Sanctions for Unauthorized Actions


5.3.7 Independent Contractor Requirements
5.3.8 Documentation Supplied to Personnel
5.4 Audit logging procedures
5.4.1 Types of events recorded
5.4.2 Frequency of processing log
5.4.3 Retention period for audit log
5.4.4 Protection of audit log
5.4.5 Audit log backup procedures
5.4.6 Audit collection system
5.4.7 Notification to Event-Causing Subject
5.4.8 Vulnerability Assessments
5.5 Records Archival
5.5.1 Types of Records Archived
5.5.2 Retention Period for Archive
5.5.3 Protection of Archive
5.5.4 Archive Backup Procedures
5.5.5 Requirements for Time-Stamping of Records
5.5.6 Archive Collection System (Internal or External)
5.5.7 Procedures to Obtain and Verify Archive Information
5.6 Key Changeover
5.7 Compromise and Disaster Recovery
5.7.1 Incident and Compromise Handling Procedures
5.7.2 Computing Resources, Software, and/or Data are Corrupted
5.7.3 Entity Private Key Compromise Procedures
5.7.4 Business Continuity Capabilities After a Disaster
5.8 CA Termination

6 Technical security controls
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
6.1.2 Private Key Delivery to Subscriber
6.1.3 Public Key Delivery to Certificate Issuer
6.1.4 CA Public Key Delivery to Relying Parties
6.1.5 Key Sizes
6.1.6 Public Key Parameters Generation and Quality Checking
6.1.7 Key Usage Purposes (as per X.509 v3 Key Usage Field)
6.2 Private Key Protection and Cryptographic Module
6.2.1 Cryptographic Module Standards and Controls
6.2.2 Private Key (n out of m) Multi-Person Control


6.2.3 Private Key Escrow
6.2.4 Private Key Backup
6.2.5 Private Key Archival
6.2.6 Private Key Transfer Into or From a Cryptographic Module
6.2.7 Private Key Storage on Cryptographic Module
6.2.8 Method of Activating Private Key
6.2.9 Method of Deactivating Private Key
6.2.10 Method of Destroying Private Key
6.2.11 Cryptographic Module Rating
6.3 Other Aspects of Key Pair Management
6.3.1 Public Key Archival
6.3.2 Certificate Operational Periods and Key Pair Usage Periods
6.4 Activation Data
6.4.1 Activation Data Generation and Installation
6.4.2 Activation Data Protection
6.4.3 Other Aspects of Activation Data
6.5 Computer Security Controls
6.5.1 Specific Computer Security Technical Requirements
6.5.2 Computer Security Rating
6.6 Life Cycle Technical Controls
6.6.1 System Development Controls
6.6.2 Security Management Controls
6.6.3 Life Cycle Security Controls
6.7 Network Security Controls
6.8 Time-Stamping

7 Certificate, CRL, and OCSP Profiles
7.1 Certificate Profile
7.2 CRL Profile
7.3 OCSP Profile

8 Compliance audit and other assessments
8.1 Frequency or circumstances of assessment
8.2 Identity/qualifications of assessor
8.3 Assessor’s relationship to assessed entity
8.4 Topics covered by assessment
8.5 Actions taken as a result of deficiency
8.6 Communication of results

9 Other business and legal matters


9.1 Fees
9.1.1 Certificate Issuance or Renewal Fees
9.1.2 Certificate Access Fees
9.1.3 Revocation or Status Information Access Fees
9.1.4 Fees for Other Services
9.1.5 Refund Policy
9.2 Financial Responsibility
9.2.1 Insurance Coverage
9.2.2 Other Assets
9.2.3 Insurance or Warranty Coverage for End-Entities
9.3 Confidentiality of Business Information
9.3.1 Scope of Confidential Information
9.3.2 Information Not Within the Scope of Confidential Information
9.3.3 Responsibility to Protect Confidential Information
9.4 Privacy of Personal Information
9.4.1 Personal Data Protection Principles
9.4.2 Personal Information Processed by NAMIRIAL
9.4.3 Responsibility to Protect Private Information
9.4.4 Notice and Consent to Use Private Information
9.4.5 Disclosure Pursuant to Judicial or Administrative Process
9.4.6 Other Information Disclosure Circumstances
9.5 Intellectual Property Rights
9.6 Representations and Warranties
9.6.1 Trust Service Provider Representations and Warranties
9.6.2 RA Representations and Warranties
9.6.3 Subscriber Representations and Warranties
9.6.4 Relying Party Representations and Warranties
9.6.5 Representations and Warranties of Other Participants
9.7 Disclaimers of Warranties
9.8 Limitations of Liability
9.9 Indemnities
9.10 Term and Termination
9.10.1 Term
9.10.2 Termination
9.10.3 Effect of Termination and Survival
9.11 Individual Notices and Communications with Participants
9.12 Amendments


9.12.1 Procedure for Amendment
9.12.2 Notification Mechanism and Period
9.12.3 Circumstances Under Which OID Must be Changed
9.13 Dispute Resolution Provisions
9.14 Governing Law
9.15 Compliance with Applicable Law
9.16 Miscellaneous Provisions
9.16.1 Entire Agreement
9.16.2 Assignment
9.16.3 Severability
9.16.4 Enforcement (Attorneys' Fees and Waiver of Rights)
9.16.5 Force Majeure
9.17 Other Provisions

References


History of changes

Version: 1.0
Date: 20/06/2016
Reasons: First release
Modifications: ---


1 Introduction

This document is the Namirial S.p.A. Trust Services Practice Statement (hereafter NAMIRIAL PS) and outlines the principles and practices common to all Namirial’s trust services. This document applies to all entities participating in or using Namirial’s trust services. This document describes the practices used to comply with the Regulation (EU) No 910/2014 (eIDAS).

Inspired by the ETSI EN 319 400 series, NAMIRIAL has divided its documentation into three parts:

• NAMIRIAL Trust Services Practice Statement (NAMIRIAL PS) describes general practices common to all trust services (this document);

• parts that are specific to the certification service (i.e. certificate policies or certification practices statement) are described within the service-based policy and/or practice statement (i.e. the operative manual for the certification service required for national laws);

• parts that are specific to the Time-Stamping service are described within the Time-Stamping Authority Practice Statement.

Pursuant to the IETF RFC 3647 [4] this document is divided into nine parts. To preserve the outline specified by RFC 3647 [4], section headings that do not apply have the statement "Not applicable". Sections that describe actions specific to a single service contain only references to service-specific practice statements. If the subsections are omitted, a single reference applies to all of them. Each first-level chapter includes reference to the corresponding chapter in ETSI EN 319 401 [2].

1.1 Overview

NAMIRIAL operates a Public Key infrastructure in order to provide Trust Services. NAMIRIAL is currently using different root certification authorities, one for each service. NAMIRIAL does not use Subordinate CA-s.

The Namirial S.p.A. Trust Services Practices Statement (NAMIRIAL PS) presents the criteria established by NAMIRIAL to provide electronic Trust Services, which enhance trust and confidence in electronic transactions. NAMIRIAL PS describes Namirial S.p.A. (NAMIRIAL) practices of providing Qualified Trust Services in conformity with the eIDAS regulation [1], legal acts of Italy, ETSI EN 319 401 General Policy Requirements for Trust Service Providers [2], and other related service-based standard requirements. Additionally NAMIRIAL follows CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates [3].

This NAMIRIAL PS describes practices necessary for the achievement of the security level approved by the NAMIRIAL management. NAMIRIAL has achieved ISO/IEC 27001:2013 certification. The statement of applicability includes more detailed description of security measures.

In the event of conflict between the NAMIRIAL PS and the practice statements of specific services, the provisions of the practice statements of specific services shall prevail. In the event of conflict between the original document in English and the translated document in Italian, the original document in English shall prevail.

1.2 Document Name and Identification

This document is called “Namirial S.p.A. Trust Services Practice Statement”.

1.3 PKI Participants

1.3.1 Trust Service Provider

NAMIRIAL is Trust Service Provider (TSP). The roles of NAMIRIAL as TSP are defined in relevant service-based Policy and/or Practice Statement.

Obligations and warranties of NAMIRIAL are described in the clause 9.6.1 of this NAMIRIAL PS.

1.3.2 Registration Authorities

Registration Authority (RA) and its roles are defined in relevant service-based Policy and/or Practice Statement.

Obligations and warranties of RA are described in the clause 9.6.2 of this NAMIRIAL PS.


1.3.3 Subscribers

Subscriber is specified in relevant service-based Policy and/or Practice Statement.

Obligations and warranties of Subscriber are described in the clause 9.6.3 of this NAMIRIAL PS.

1.3.4 Relying Parties

Relying Party is defined in the clause 1.6.1 in this NAMIRIAL PS.

Obligations and warranties of Relying Party are described in the clause 9.6.4 of this NAMIRIAL PS.

1.3.5 Other Participants

Specified in relevant service-based Policy and/or Practice Statement.

1.4 Certificate Usage

1.4.1 Appropriate Certificate Uses

Specified in relevant service-based Policy and/or Practice Statement.

1.4.2 Prohibited Certificate Uses

Specified in relevant service-based Policy and/or Practice Statement.

1.5 Policy Administration

1.5.1 Organisation Administering the Document

This NAMIRIAL PS is administered by NAMIRIAL.

Namirial S.p.A.
Registry code IT02046570426
via Caduti sul lavoro, 4 - 60019 - SENIGALLIA (AN) Italy
Tel (+39) 071.63494 (Mon-Fri 9.00-13.00, 15.00-19.00 GMT+01:00)
Fax (+39) 071.60910
E-mail: [email protected]
http://www.namirialtsp.com/

1.5.2 Contact Person

TSP Director
E-mail: [email protected]

1.5.3 Person Determining NAMIRIAL PS Suitability for the Policy

Not applicable.

1.5.4 NAMIRIAL PS Approval Procedures

Amendments which do not change the meaning of the certification practice, such as corrections of misspellings, translation and updating of contact details, are documented in the versions and changes section of the present document and the fraction part of the document version number shall be enlarged.

In the case of substantial changes, the new Trust Service Practice Statement version is clearly distinguishable from the previous ones. The new version bears a serial number enlarged by one.

The NAMIRIAL PS is approved by the NAMIRIAL Chief Executive Officer and the TSP Director. NAMIRIAL ensures that the practices are properly implemented by conducting regular internal audits and conformity assessments.

All amendments will be submitted to the Supervisory Body and the amended version of NAMIRIAL PS is published electronically on NAMIRIAL’s website in “Under approval by Supervisory Body” state. During this phase the Subscriber has the chance to provide reasoned comments. Once the Supervisory Body has approved the amendments the amended version of NAMIRIAL PS is definitively published with the state “Approved by Supervisory Body on <date>” and the document becomes effective from the approval date by the Supervisory Body.


1.6 Definitions and Acronyms

1.6.1 Terminology

Term: Meaning

Certificate Revocation List: a list of invalid (revoked, suspended) certificates.

Qualified e-Signature (i.e. Qualified Electronic Signature): means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures

Directory Service: certificate publication service

eIDAS Regulation: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

e-Signature (i.e. Electronic Signature): data in electronic form which are attached to or logically associated with other electronic data and which is used by the signatory to sign.

Policy: a set of rules that indicates the applicability of a Trust Service Token to a particular community and/or class of application with common security requirements.

Practice Statement: a statement of the practices that a TSP employs in providing a Trust Service.

Registration Authority: entity that is responsible for identification and authentication of subjects of certificates. Additionally, an RA accepts certificate applications, checks the applications and/or forwards the applications to the CA.

Relying Party: a recipient of a Trust Service token who acts in reliance on that Trust Service Token. NOTE: Relying Parties include parties verifying a Digital Signature using a public key certificate.

Private key: the key of a key pair that is kept secret by the holder of the key pair, and that is used to create digital signatures and/or to decrypt electronic records or files that were encrypted with the corresponding public key.

Public Key: the key pair that may be publicly disclosed by the holder of corresponding private key and that is used by Relying Party to verify digital signatures created with the holder’s corresponding private key and/or to encrypt messages so that they can be decrypted only with the holder’s corresponding private key.

Root CA: the top level Certification Authority whose certificate is distributed by application software suppliers and that issues subordinate NAMIRIAL CA certificates.

Sensitive Information: information which allows for simulation or replication of service, or also for the destruction or publication of the service private key. It also includes personal information.

NAMIRIAL CA: a Certification Authority of NAMIRIAL whose certificate is signed by the Root CA, or another subordinate CA

Subscriber: an entity subscribing with Trust Service Provider who is legally bound to any Subscriber obligations.

Subscriber Certificate: public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the Certification Authority, which issued it.

Supervisory Body: the authority which is designated by member state to carry out the supervisory activities over Trust Services and Trust Service Providers under eIDAS [1] in the territory of that member state.

Time-Stamping Unit: a set of hardware and software which is managed as a unit and has a single time-stamp signing key active at a time

Trust Service: described in eIDAS [1] as an electronic service which is normally provided in return for remuneration and which consists of:

- the creation, verification, and validation of Electronic Signatures, electronic seals or electronic time-stamps, electronically registered delivery services and certificates related to these services or

- the creation, verification and validation of certificates for website authentication or

- the preservation of Electronic Signatures, seals or certificates related to these services.

Trust Service Provider: an entity that provides one or more electronic Trust Services.

Trust Service Token: a physical or binary (logical) object generated or issued as a result of the use of a Trust Service (e.g. certificate).

Qualified Trust Service: means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the Supervisory Body.

1.6.2 Acronyms

Term/Acronym: Meaning

CA: Certification Authority
CRL: Certificate Revocation List
DMZ: Demilitarised Zone
ETSI: European Telecommunications Standards Institute
HSM: Hardware Security Modules
RA: Registration Authority
NAMIRIAL: Namirial S.p.A. Trust Service Provider
NAMIRIAL PS: Namirial S.p.A. Trust Service Provider Practice Statement
TSA: Time-Stamping Authority
TSP: Trust Service Provider


TSU: Time-Stamping Unit
UTC: Coordinated Universal Time

2 Publication and Repository responsibilities

2.1 Repositories

NAMIRIAL ensures that its repository is available 24 hours a day, 7 days a week with a minimum of 99,44% availability overall per year with a scheduled down-time that does not exceed 0,28% annually.

2.2 Publication of Information

NAMIRIAL publishes in its public website the following information:

- The document “Operative Manual for the Certification Service” (as required by national laws), which represents the service-based policy and practice statement for the Certification Service and contains:

  • Certificate Policy (CP),

  • Certification Practice Statement (CPS),

  • conditions for insurance policy,

  • profiles,

  • conditions for use of certificates,

  • the URLs of Certificate Revocation Lists

- Trust Services Practices Statement;

- The Time-Stamping Authority Practice Statement, which represents the service-based policy and practice statement for the Time-Stamping Service;

- General Terms and Conditions;

- Terms and Conditions for Use of Time-Stamping Service;

- Audit results;

- Root CA certificates under which certificates for subscribers are issued;

- Data Protection Disclaimer (Privacy);

- Insurance Policy.

2.2.1 Publication and Notification Policies

This NAMIRIAL PS is published in NAMIRIAL's public website. NAMIRIAL PS is published in “under approval” state before it becomes effective.

2.2.2 Items not Published in the Practice Statement

Refer to clause 9.3.1 of this NAMIRIAL PS.

2.3 Time or Frequency of Publication

Refer to clause 2.2.1 of NAMIRIAL PS.

Information on certification status is published in accordance with clauses 4.9.7 and 4.9.9 of this NAMIRIAL PS.

2.3.1 Directory Service

NAMIRIAL does not publish information on certificates via LDAP directory service.


2.4 Access Controls on Repositories

Information published in NAMIRIAL’s repository is public and not considered confidential information.

NAMIRIAL has implemented security measures in order to prevent unauthorized access to add, delete, or modify entries into its repository. Publishing into NAMIRIAL’s repository is restricted to authorized employees of NAMIRIAL.

3 Identification and Authentication

3.1 Naming

Specified in relevant service-based Policy and/or Practice Statement.

3.2 Initial Identity Validation

Specified in relevant service-based Policy and/or Practice Statement.

3.3 Identification and Authentication for Re-Key Requests

Specified in relevant service-based Policy and/or Practice Statement.

3.4 Identification and Authentication for Revocation Request

Specified in relevant service-based Policy and/or Practice Statement.

4 Certificate life-cycle operational requirements

4.1 Certificate Application

Specified in relevant service-based Policy and/or Practice Statement.

4.2 Certificate Application Processing

Specified in relevant service-based Policy and/or Practice Statement.

4.3 Certificate Issuance

4.3.1 CA Actions During Certificate Issuance

Specified in relevant service-based Policy and/or Practice Statement.

4.3.2 Notification to Subscriber by the CA of Issuance of Certificate

Specified in relevant service-based Policy and/or Practice Statement.

4.4 Certificate Acceptance

Specified in relevant service-based Policy and/or Practice Statement.

4.5 Key Pair and Certificate Usage

Specified in relevant service-based Policy and/or Practice Statement.

4.6 Certificate Renewal

Specified in relevant service-based Policy and/or Practice Statement.


4.7 Certificate Re-Key

Specified in relevant service-based Policy and/or Practice Statement.

4.8 Certificate Modification

Specified in relevant service-based Policy and/or Practice Statement.

4.9 Certificate Revocation and Suspension

Specified in relevant service-based Policy and/or Practice Statement.

4.10 Certificate Status Services

Specified in relevant service-based Policy and/or Practice Statement.

4.11 End of Subscription

Specified in relevant service-based Policy and/or Practice Statement.

4.12 Key Escrow and Recovery

Specified in relevant service-based Policy and/or Practice Statement.

5 Facility, Management, and Operational controls

In the field of security management, NAMIRIAL guides itself by the generally recognised standards, e.g. ISO/IEC 27001 [5], and other standards required by regulations and law. The NAMIRIAL's security management policy documents include the security controls and operating procedures for the NAMIRIAL facilities, systems and information assets providing the services. NAMIRIAL carries out and revises risk assessment regularly in order to evaluate business risks and determine the necessary security requirements and operational procedures. The NAMIRIAL management establishes the security policy, which forms a basis for consistency and completeness of information security and management support.

The NAMIRIAL Chief Executive Officer approves policies and practices related to information security for the overall NAMIRIAL services. The NAMIRIAL management communicates information security policies and procedures to employees and relevant external parties who are impacted by it. In addition, the NAMIRIAL management sets out the NAMIRIAL approach to manage information security objectives for Trust Services, including auditable procedures for internal control.

NAMIRIAL has achieved ISO/IEC 27001:2013 certification.

5.1 Physical Controls

The NAMIRIAL services rely on secured premises to host its CA. NAMIRIAL is using physically separated space in server rooms specifically designed for data center operations.

5.1.1 Site Location and Construction

The NAMIRIAL services are conducted within a physically protected environment that deters, prevents, and detects unauthorised use of, access to, or disclosure of Sensitive Information and systems whether covert or overt.

The protection provided is commensurate with the identified risks. The NAMIRIAL ensures that physical access to critical services is controlled and that physical risks to its assets are minimised.


5.1.2 Physical Access

The NAMIRIAL data centers are protected by a minimum of three tiers of physical security, with access to the lower tier required before gaining access to the higher tier. Access to the highest tier requires the participation of two persons in Trusted Roles.

The employees of NAMIRIAL may gain access to the facilities concerned with Trust Services of NAMIRIAL only on the basis of an approved list. A log is kept for recording all entries to the data processing centre of NAMIRIAL.

The owner of the premises has no independent access to NAMIRIAL's servers.

Any persons entering this physically secure area will not remain there without oversight by an authorised person.

5.1.3 Power and Air Conditioning

NAMIRIAL’s secure facilities are equipped with:

- power systems to ensure continuous, uninterrupted access to electric power; and

- heating, ventilation, air conditioning systems to control the temperature and relative humidity.

5.1.4 Water Exposures

NAMIRIAL has taken reasonable precautions to minimise the impact of water exposure to the information systems.

5.1.5 Fire Prevention and Protection

NAMIRIAL has taken reasonable precautions to prevent and extinguish fires or other damaging exposure to flame or smoke. The fire prevention and protection measures of the NAMIRIAL have been designed to comply with local fire safety regulations.

5.1.6 Media Storage

Portable media, appliances and software may be removed from the premises of the NAMIRIAL pursuant to the established procedure.

5.1.7 Waste Disposal

Media containing Sensitive Information are securely disposed of when no longer required. Paper documents and materials with Sensitive Information are shredded before disposal. Media used to collect or transmit Sensitive Information are rendered unreadable before disposal. Any media with Sensitive Information removed from use (removable media, hard disks etc.) are sanitised when decommissioned or recycled for other use, to prevent data leaks.

5.1.8 Off-Site Backup

NAMIRIAL performs routine backups of critical system data, audit log data, and other Sensitive Information. The NAMIRIAL has dual data centres to ensure availability requirements. Databases in dual data centres are synchronised in real time. In addition, routine backups are performed. Backups of the most critical information (e.g. keys and configurations) are kept off-site in secure storage.

5.2 Procedural Controls

5.2.1 Trusted Roles

The employees of NAMIRIAL have job descriptions that specify the following Trusted Roles critical for security:

- System Administrators: they are responsible for the installation, configuration and maintenance of the information systems, including performing the system backup and recovery;

- System Operators: they are responsible for operating the trustworthy systems on a day-to-day basis and are authorized to perform system backup;

- Security Officers: they are responsible for the administration of and the implementation of the security practices;


- Facility Officers: they are involved in day-to-day operations, particularly in relation to buildings and premises. Likely areas of responsibility include for example: building and grounds maintenance, health and safety, physical security and space management.

- System & Regulatory Auditors: they are responsible for carrying out regular comprehensive review of NAMIRIAL's adherence to all applicable laws, regulations and standards; for that they have access to monitor the document archives and information system audit logs.

- Data Privacy Officer: oversees all the activities related to the development, implementation, maintenance and adherence to the organization’s privacy policies and procedures. These policies cover the collection, use, disclosure and privacy of personal information in compliance with the Italian Privacy law (Legislative Decree no. 196/2003). This trusted role reports directly to the Board of Directors.

- Information Security & Risk Manager: he/she is responsible for the management of information security and risk through the implementation of information security policies, procedures and guidelines. He/she is also responsible for conducting information security audits and carrying out periodical second-level internal controls. This trusted role reports directly to the Board of Directors.

- RA Administrator: manages and controls the internal RA operators within the Registration Authority of NAMIRIAL and the external RA operators within the LRAs (Local Registration Authorities).

- RA Operator: on behalf of the Registration Authority (RA), they are responsible for carrying out the duties outlined in conformity with the NAMIRIAL policies and procedures specified for the identification and registration of subscribers.

NAMIRIAL has defined different types of System Administrators with internal regulation and the assignment is made person by person with a decree of the CEO. See clause 5.2.2 for details.

NAMIRIAL ensures that personnel have achieved trusted status, and departmental approval is given before such personnel are:

- Issued access devices and granted access to the required facilities; or

- Issued electronic credentials to access and perform specific functions on NAMIRIAL or other IT systems.

Security operations are managed by NAMIRIAL personnel in Trusted Roles, but may actually be performed by a non-specialist, operational personnel (under supervision).

The roles of RA Administrator and RA Operator are also considered security critical as they are responsible for identification and authentication of subjects of certificates and may be responsible for registration, certificate suspension, termination of suspension and revocation procedures.

5.2.2 Number of Persons Required per Task

The NAMIRIAL has established, maintains and enforces rigorous control procedures to ensure the segregation of duties based on job responsibility and to ensure that multiple Trusted Persons are required to perform sensitive tasks.

The following activities require a minimum of two different types of System Administrators in Trusted Roles:

- generation of certification keys;

- backup of the certification keys;

- restoration of the certification keys;

- management of HSM-s and CA core systems located in Secure Zone;

- physical visit to data centres.

5.2.3 Identification and Authentication for Each Role

All Trusted Roles are performed by persons assigned into this role by NAMIRIAL management and accepted by this person to fulfill this role.

The NAMIRIAL has implemented an access control system, which identifies authorities and registers all the NAMIRIAL information system users in a trustworthy manner.


User accounts are created for personnel in specific roles that need access to the system in question. All users must log in with their personal account, and administrative commands are only available with explicit permission and auditing of the execution. File system permissions and other features available in the operating system security model are used to prevent any other use.

User accounts are locked as soon as possible when the role change dictates. Access rules are audited annually.

5.2.4 Roles Requiring Separation of Duties

The Trusted Roles of the Security Officer, System & Regulatory Auditor and System Administrators are completely separate and are staffed by different persons. A single person cannot have simultaneously types of System Administrator.

5.3 Personnel Controls

5.3.1 Qualifications, Experience, and Clearance Requirements

The employees of the NAMIRIAL have received adequate training and have all the necessary experience for carrying out the duties specified in the employment contract and job description before they perform any operational or security functions.

All the employees of the NAMIRIAL have signed a non-disclosure agreement (NDA) to maintain the secrecy of confidential information that has come to their knowledge in the course of their performance.

NAMIRIAL management has appropriate expertise, and is familiar with security procedures. Any person in a Trusted Role is informed of his responsibility through its job description and/or procedures related to system security and personnel control.

All personnel in Trusted Roles are free from any interests that may affect their impartiality regarding NAMIRIAL operations.

5.3.2 Background Check Procedures

For all personnel seeking to become personnel in Trusted Roles, the verification of identity is performed through the personal (physical) presence of such personnel before the personnel in Trusted Roles can perform the NAMIRIAL operational or security functions. Furthermore, officially recognised documents of identification e.g., ID card or passports are checked. Suitability is further confirmed through background checking procedures.

Background verification checks are carried out in accordance with relevant laws, regulations and principles of ethics. The checks are proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. These checks are conducted on all candidates for employment and on contracted partners directly performing the Trust Service providing operations with access to production data.

5.3.3 Training Requirements

The employees of NAMIRIAL have received adequate training and have all the necessary experience for carrying out the duties specified in the employment contract and job description before they perform any operational or security functions.

NAMIRIAL ensures that all personnel performing managerial duties with respect to the operation of the NAMIRIAL receive comprehensive awareness training in:

- security principles and rules in NAMIRIAL;

- NAMIRIAL internal regulations and processes;

- duties they are expected to perform.

5.3.4 Retraining Frequency and Requirements

The requirements of this NAMIRIAL PS 5.3.3 will be kept current to accommodate changes in the NAMIRIAL system. Refresher training will be conducted as required, and the NAMIRIAL is testing security awareness of all personnel at least once a year.


5.3.5 Job Rotation Frequency and Sequence

No rotation used.

5.3.6 Sanctions for Unauthorized Actions

The NAMIRIAL adopts and further implements the organizational, management and control model in compliance with the Italian Legislative Decree 231/2001 as more precisely described hereafter.

Italian Legislative Decree n. 231 of 8 June 2001 introduced the administrative liability of legal entities and their respective bodies for specific types of criminal offences provided under the Italian Criminal Code (such as the crimes against the Italian public authorities, corporate crimes, market abuse etc.) and committed and prosecutable in Italy by subjects having the functions of representing, administering or directing the legal entity or one of its administrative units having a financial and functional autonomy or by part of their "staff" in the interest or to the benefit of the company.

In introducing these rules on corporate liability, the decree provides, however, for a specific form of exemption from liability if the company proves to have adopted and effectively implemented an appropriate Organizational, Management and Control Model (hereinafter the "Model") in order to prevent such crimes and that the responsibility for supervising the functioning and the observance of the Model and for updating it is being entrusted to a specific body ("Supervisory Committee") of the legal entity provided with autonomous powers of initiative and control.

On 1st September 2008 the Company adopted the Model serving to prevent the perpetration of crimes falling within the scope of Decree 231/2001. The adopted Model, however, goes beyond the mere application of the provisions of Legislative Decree 231/2001 and, by implementing fundamental principles of the Code of Ethics, provides a paradigm for the conduct of all those who act in the Company's name and on its behalf.

As a result the employees are subject to disciplinary actions and measures up to and including termination and will be commensurate with the frequency and severity of the unauthorised actions.

5.3.7 Independent Contractor Requirements

The NAMIRIAL does not use independent contractors in Trusted Roles.

5.3.8 Documentation Supplied to Personnel

The NAMIRIAL gives its personnel (including persons in Trusted Roles) the requisite training and other documentation needed to perform their job responsibilities competently and satisfactorily.

5.4 Audit logging procedures

5.4.1 Types of events recorded

NAMIRIAL ensures that the following events are recorded:

- system events from the different components of the PKI (server start, network access, ...);

- technical events from the PKI software;

- functional events from the PKI software (certificate request, validation, revocation...);

- operations including authentication action from people with a trusted role.

The NAMIRIAL CA is an off-line CA whose events are stored in an external media after each operation. This media is stored in an environment with a sufficient security level. These journals ensure the auditability and accountability of the actions (timestamp, person name).

Non-computerized event records are made for:

- production site access;

- maintenance actions and configuration changes;

- human resource changes;

- actions on media which store confidential information.


5.4.2 Frequency of processing log

The audit trail, hereafter GdC (“Giornale di Controllo” for Italian law), is always audited when an abnormal event occurs.

5.4.3 Retention period for audit log

The GdC are externalized every day and stored on a storage server inside NAMIRIAL premises. They are kept until the expiration of the last certificate issued by the CA.

5.4.4 Protection of audit log

The GdC can be accessed only by authorized people of NAMIRIAL. Each modification must be authorized.

5.4.5 Audit log backup procedures

Audit logs are backed up regularly on the DR site.

5.4.6 Audit collection system

NAMIRIAL audit collection systems are internal.

5.4.7 Notification to Event-Causing Subject

No stipulation.

5.4.8 Vulnerability Assessments

To properly secure NAMIRIAL's information technology assets, the information security & risk team assesses the security stance periodically by conducting regular vulnerability assessments at least twice a year and a penetration test at least once a year. With the outcomes of these activities NAMIRIAL can apply security fixes or other compensating controls to improve the security of the environments.

The techniques used during the security assessments aim to cover as broad a range of methodologies and attack techniques as possible in order to identify all the plausible cyber risks. For this purpose, automated scanning tools as well as manual techniques are used.

5.5 Records Archival

5.5.1 Types of Records Archived

Specified in relevant service-based Policy and/or Practice Statement.

5.5.2 Retention Period for Archive

The retention period for archive is described in clause 5.4.3 of this NAMIRIAL PS.

5.5.3 Protection of Archive

Regardless of their storage media, archives are protected in integrity, and are only accessible by authorized personnel. The media holding the archive data and the applications required to process the archive data are maintained to ensure that the archive data can be accessed for the time period required.

5.5.4 Archive Backup Procedures

Not applicable.

5.5.5 Requirements for Time-Stamping of Records

Database entries contain accurate time and date information. The time-stamps are not cryptography-based.

5.5.6 Archive Collection System (Internal or External)

NAMIRIAL uses an internal archive collection system. LRAs may use an external archive collection system for physical archive records.


5.5.7 Procedures to Obtain and Verify Archive Information

Only authorised personnel in Trusted Roles are allowed access to the archive. The archives (paper and electronic) can be retrieved in at most two working days. These archives are kept and managed by NAMIRIAL personnel.

Records concerning the operation of services are made available to legal authorities and/or persons whose right of access to them arises from the law.

5.6 Key Changeover

Specified in relevant service-based Policy and/or Practice Statement.

5.7 Compromise and Disaster Recovery

5.7.1 Incident and Compromise Handling Procedures

NAMIRIAL has implemented a business continuity plan, which covers procedures of risk assessment, incident handling (includes a response to incidents and disasters), recovery and recovery exercises.

NAMIRIAL carries out an annual risk assessment of NAMIRIAL’s Trust Services to prevent possible danger to the availability of NAMIRIAL’s operations and to minimise the risk of losing control of the Trust Services. The list of situations considered as emergency situations is determined by the risk assessment. The result of the risk assessment includes the requirements for recovery plans and recovery testing scenarios. The recovery plans and testing scenarios include at least the following threats:

- for NAMIRIAL CA and NAMIRIAL TSA, the private key used for the provisioning of the service is compromised or there is a serious suspicion thereof;

- for NAMIRIAL TSA, the loss of synchronisation of a time-stamping service clock.

The procedures for the handling of information security incidents, emergency situations and critical vulnerabilities are documented in NAMIRIAL’s internal Incident Reporting and Management Procedure. The objective of that regulation is the immediate response and recovery of availability and the continuous protection of NAMIRIAL services.

Recovery plans are tested annually.

In the event of an emergency, NAMIRIAL will inform all the Subscribers and Relying Parties immediately (or at least within 24 hours of the crisis committee’s decision) of the emergency situation and proposed solution through public information communication channels.

NAMIRIAL will inform, without undue delay but in any event within 24 hours after having become aware of it, the Supervisory Body and, where applicable, other relevant bodies such as the national CERT or the Italian Data Protection Authority, and partners such as Acrobat Adobe (for AATL), of any breach of security or loss of integrity that has a significant impact on the Trust Service provided or on the personal data maintained therein.

5.7.2 Computing Resources, Software, and/or Data are Corrupted

The event of the corruption of computer resources, software and data is handled according to the NAMIRIAL internal Security Incident Management Policy.

5.7.3 Entity Private Key Compromise Procedures

The compromise of a key of the CA will lead to the immediate revocation of all issued certificates. In such a case, the various participants will be notified that the CRL may not necessarily be fully trusted.

5.7.4 Business Continuity Capabilities After a Disaster

In order to ensure the business continuity capabilities after a disaster, NAMIRIAL periodically organises crisis management trainings. The NAMIRIAL Incident Reporting and Management Procedure defines how crisis management and communication take place in emergency situations.

There is an internal agreement about priorities for systems and services recovery after the emergency situation or/and service interruption. NAMIRIAL maintains necessary back-up copies and archives to be able to restore data after the emergency situation. Backups of the most critical information (e.g. keys and configurations) are kept off-site in secure storage.

NAMIRIAL has dual data centres to ensure the availability of services. NAMIRIAL office and data centres are independent of each other. In case of an emergency in the data centres, guidance, source codes and other necessary materials are available from the NAMIRIAL office. In case of an emergency situation in the NAMIRIAL office, services in the data centres will continue to work.

5.8 CA Termination

The Trust Service is terminated:

- with a decision of the NAMIRIAL Executive Management Committee;

- with a decision of the authority exercising supervision over the supply of the service;

- with a judicial decision;

- upon the liquidation or termination of the operations of NAMIRIAL.

NAMIRIAL ensures that potential disruptions to Subscribers and Relying Parties are minimised as a result of the cessation of NAMIRIAL's services, and in particular, it ensures the continued maintenance of information required to verify the correctness of Trust Service Tokens.

Before NAMIRIAL terminates a Trust Service the following procedures will be executed:

- NAMIRIAL informs the following of the termination: all Subscribers and other entities with which NAMIRIAL has agreements or other forms of established relations. In addition, this information will be made available to other Relying Parties;

- NAMIRIAL makes the best effort to make arrangements with another Trust Service Provider to transfer the provision of services for its existing customers;

- NAMIRIAL destroys the CA and TSU private keys, including backup copies or keys withdrawn from use, in such a manner that the private keys cannot be retrieved;

- NAMIRIAL reinitialises or destroys any hardware appliances related to this service depending on the security regulations;

- NAMIRIAL terminates authorisation of all subcontractors to act on behalf of NAMIRIAL in carrying out any functions relating to the process of issuing Trust Service Tokens for this service;

- NAMIRIAL maintains the documentation related to the supply of the Trust Service and information needed to verify the Trust Service Tokens if NAMIRIAL is not terminated, according to clauses 5.4 and 5.5. In case NAMIRIAL will be terminated, NAMIRIAL hands over the aforementioned documentation related to the supply of the service and information needed to verify the Trust Service Tokens to the Supervisory Body pursuant to the established procedure.

In case of compromise NAMIRIAL will additionally:

- Indicate that Trust Service Tokens and validity information issued using this CA or TSU key may no longer be valid;

- Revoke any CA and TSU certificate that has been issued for NAMIRIAL when NAMIRIAL is informed of the compromise of another CA or TSA.

In case of algorithm compromise NAMIRIAL will additionally:

- Schedule a revocation of any affected Trust Service Token.

The notice of termination of NAMIRIAL’s Trust Service will be published in the public media.

NAMIRIAL does not assume liability for any loss or damage sustained by the user of the service as a result of such termination provided that NAMIRIAL has given the notice of termination through public information communication channels at least one month in advance.

NAMIRIAL has an arrangement with an insurer to cover the costs to fulfil these minimum requirements in case the TSP goes bankrupt or, for other reasons, is unable to cover the costs by itself.


The requirements are applicable also in case of LRA termination. NAMIRIAL takes over the documentation and information related to the supply of the Trust Service and provides evidence of the operation for a time period defined in relevant service-based Policy and/or Practice Statement.

6 Technical security controls

6.1 Key Pair Generation and Installation

NAMIRIAL uses cryptographic keys for its Trust Services and follows industry best practices for key lifecycle management, key length and algorithms.

6.1.1 Key Pair Generation

The signing keys of the NAMIRIAL Trust Services are created in accordance with the internal procedure for Creating the NAMIRIAL Root Key.

The Trust Service key pair generation and the private key storage occur in the HSMs used for providing keys, which are certified at the level EAL4+ of the Common Criteria and qualified by the ANSSI at the highest level. They meet the following requirements:

• Ensuring the confidentiality and the integrity of the CA private signing keys during their whole lifecycle, as well as their safe destruction at the end of the lifecycle;
• Being able to identify and authenticate its users;
• Limiting access to its services depending on the user and the role he has been assigned;
• Being able to perform a set of tests to verify it is operating properly and enter a safe state if an error is encountered;
• Allowing the creation of a digital signature to sign certificates generated by the CA, which does not reveal the CA private keys and cannot be forged without the knowledge of the private keys;
• Creating audit logs for every modification regarding security;
• If backup and restore of private keys is provided, ensuring the confidentiality and the integrity of the backed-up data and requiring at a minimum dual control of backup and restore operations;
• Detecting physical disruption attempts and entering a safe state when such an attempt is detected.

The HSM protects the key from external compromise and operates in a physically secure environment.

NAMIRIAL has a documented procedure for conducting NAMIRIAL CA key pair generation for all CAs. NAMIRIAL produces a report proving that the ceremony was carried out in accordance with the stated procedure and that the integrity and confidentiality of the key pair was ensured. The report is signed by the person responsible for the certification service and the internal auditor. The procedures for key ceremony are documented in NAMIRIAL internal procedures.

The Subscriber Private Key generation is specified in relevant service-based Policy and/or Practice Statement.

6.1.2 Private Key Delivery to Subscriber

Specified in relevant service-based Policy and/or Practice Statement.

6.1.3 Public Key Delivery to Certificate Issuer

Specified in relevant service-based Policy and/or Practice Statement.

6.1.4 CA Public Key Delivery to Relying Parties

All NAMIRIAL Trust Services public keys are distributed in the form of X.509 certificates issued by the NAMIRIAL CA. The primary distribution mechanism for the NAMIRIAL Trust Service certificates is via the NAMIRIAL repository at https://docs.namirialtsp.com/certificates/. NAMIRIAL takes the obligation to provide the NAMIRIAL Trust Service certificates to the Trusted List of Italy.

6.1.5 Key Sizes

Specified in relevant service-based Policy and/or Practice Statement.


6.1.6 Public Key Parameters Generation and Quality Checking

The key generation material uses parameters fulfilling the security requirements of the algorithm corresponding to the key pair. Further details are specified in relevant service-based Policy and/or Practice Statement.

6.1.7 Key Usage Purposes (as per X.509 v3 Key Usage Field)

Specified in relevant service-based Policy and/or Practice Statement.

6.2 Private Key Protection and Cryptographic Module

6.2.1 Cryptographic Module Standards and Controls

The HSM used by NAMIRIAL is certified at the level EAL4+ of the Common Criteria and qualified by the ANSSI at the highest level.

Cryptographic module standards and controls for cryptographic devices which carry the Subscriber Private Key are specified in relevant service-based Policy and/or Practice Statement.

6.2.2 Private Key (n out of m) Multi-Person Control

The access to the NAMIRIAL CA keys is divided into six parts (2 out of 6) that are secured by different persons in Trusted Roles. For activation of the signing key of NAMIRIAL the presence of at least two authorized persons is required in accordance with clause 5.2.2 of this PS.
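The 2-out-of-6 control in clause 6.2.2 can be illustrated with a threshold secret-sharing scheme. The sketch below is an added example, not NAMIRIAL's code and not the HSM's actual mechanism (which this document does not describe): it assumes Shamir's scheme over a prime field, and the function names, the 256-bit activation secret and the SHA-256 check value are all assumptions made for the illustration.

```python
import hashlib
import secrets
from itertools import combinations

PRIME = 2**521 - 1            # Mersenne prime, larger than any 256-bit secret
THRESHOLD, CUSTODIANS = 2, 6  # "2 out of 6", as stated in clause 6.2.2


def _digest(secret: int) -> str:
    # Check value used to detect a wrong or tampered reconstruction.
    # Only safe because the secret is assumed to be high-entropy (256 random bits).
    return hashlib.sha256(secret.to_bytes(66, "big")).hexdigest()


def split(secret: int, threshold: int = THRESHOLD, n: int = CUSTODIANS):
    """Return (shares, check): n points on a random polynomial of degree threshold-1."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range")
    if not 1 < threshold <= n:
        raise ValueError("need 1 < threshold <= n")
    # f(0) is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)], _digest(secret)


def combine(shares, check: str, threshold: int = THRESHOLD) -> int:
    """Rebuild the secret by Lagrange interpolation at x = 0, then verify it."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same custodian's share was presented twice")
    if len(shares) < threshold:
        raise PermissionError(f"{threshold} distinct custodians are required")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if _digest(secret) != check:
        raise ValueError("shares do not reconstruct the original secret")
    return secret


def slope_consistent_with(share, candidate: int) -> int:
    """For ONE share and ANY candidate secret there is exactly one line
    f(x) = candidate + a*x through that share, so a single custodian's
    part is consistent with every possible secret and reveals nothing."""
    x, y = share
    return ((y - candidate) * pow(x, -1, PRIME)) % PRIME


def every_pair_activates(secret: int) -> bool:
    """True if each of the 15 possible custodian pairs rebuilds the secret."""
    shares, check = split(secret)
    return all(combine(list(pair), check) == secret
               for pair in combinations(shares, THRESHOLD))


if __name__ == "__main__":
    activation_secret = secrets.randbits(256)   # constructed sample value
    print("all 15 pairs reconstruct:", every_pair_activates(activation_secret))
```

With a threshold of 2, any single lost or stolen part is harmless, but two colluding custodians out of the six suffice, which is why the parts are held by different persons in Trusted Roles.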

6.2.3 Private Key Escrow

Private keys are not escrowed.

6.2.4 Private Key Backup

CA private keys are backed up for recovery purposes, outside of HSMs, and confidentiality and integrity controls are guaranteed by the HSM itself. All private key backups of the CA are stored inside a backup storage.

The certification keys of NAMIRIAL can be used only when they are activated.

For activation of the certification key of NAMIRIAL the presence of at least two authorised persons is required as explained in clause 6.2.2 in this NAMIRIAL PS.

6.2.5 Private Key Archival

NAMIRIAL will not archive the NAMIRIAL CA private keys after they have expired. All copies of the NAMIRIAL CA private keys are destroyed after their expiry or revocation so that further use or derivation thereof is impossible.

6.2.6 Private Key Transfer Into or From a Cryptographic Module

All NAMIRIAL CA keys are generated by and in a cryptographic module. NAMIRIAL generates CA key pairs in the HSM in which the keys will be used.

6.2.7 Private Key Storage on Cryptographic Module

The HSM used by NAMIRIAL guarantees, through the encryption of CA Private Keys, that the keys can be deciphered and used only on the cryptographic module which has generated them.

6.2.8 Method of Activating Private Key

The NAMIRIAL CA private keys are activated according to the specifications of the cryptographic module manufacturer. For activation of the certification key of NAMIRIAL the presence of at least two authorised persons is required as explained in clause 6.2.2 of this NAMIRIAL PS.

The method of activating the Subscriber Private Key is specified in relevant service-based Policy and/or Practice Statement.

6.2.9 Method of Deactivating Private Key

The private key is deactivated when the HSM stops.


6.2.10 Method of Destroying Private Key

The method of destroying NAMIRIAL CA private keys and the internal control mechanisms depend on the options available to the specific secure cryptographic module. When a key is destroyed, the CA ensures that all corresponding backup copies are also destroyed.

6.2.11 Cryptographic Module Rating

Refer to clause 6.2.1 of this NAMIRIAL PS.

6.3 Other Aspects of Key Pair Management

6.3.1 Public Key Archival

The CA public keys are archived indefinitely after the expiry of the corresponding CA certificate.

6.3.2 Certificate Operational Periods and Key Pair Usage Periods

The operational period of a certificate ends upon revocation. The operational period for key pairs is the same as the operational period for the certificates, except that they may continue to be used for signature verification.

In addition, NAMIRIAL stops issuing new certificates at an appropriate date prior to the expiration of the CA's certificate such that no Subscriber certificate expires after the expiration of the CA certificate.

If an algorithm or the appropriate key length offers no sufficient security during the validity period of the certificate, the concerned certificate will be revoked and a new certificate application will be initiated. The applicability of cryptographic algorithms and parameters is constantly supervised by the NAMIRIAL management.

For Subscriber certificates, the validity period is defined in relevant service-based Policy and/or Practice Statement.

6.4 Activation Data

6.4.1 Activation Data Generation and Installation

The NAMIRIAL CA private key activation data generation and installation is performed according to the user manual of the HSM.

The Subscriber's Private Key PINs generation and installation is specified in relevant service-based Policy and/or Practice Statement.

6.4.2 Activation Data Protection

The HSM is kept in a secure area and only authorized personnel in Trusted Roles can access it.

The Subscriber's Private Key PINs protection is specified in relevant service-based Policy and/or Practice Statement.

6.4.3 Other Aspects of Activation Data

Specified in relevant service-based Policy and/or Practice Statement.

6.5 Computer Security Controls

6.5.1 Specific Computer Security Technical Requirements

NAMIRIAL ensures that the certification system components are secure and correctly operated, with an acceptable risk of failure.

The NAMIRIAL certification services system components are managed in accordance with defined change management procedures. These procedures include system testing in an isolated test environment and the requirement that change must be approved by the Security Officer. The approval is documented for further reference.

All critical software components of NAMIRIAL are installed and updated from trusted sources only. There are also internal procedures to protect the integrity of certification service components against viruses, malicious and unauthorised software.


All critical systems are hardened following internal ad-hoc hardening procedures issued by the information security team.

All media containing production environment software and data, audit, archive, or backup information are stored within NAMIRIAL with appropriate physical and logical access controls designed to limit access to authorised personnel and protect such media from accidental damage (e.g., water, fire, and electromagnetic). Media containing Sensitive Information are securely disposed of when no longer required. All removable media are used only for the intended period of the user (either by time or by number of uses).

NAMIRIAL has no defined capacity management process. The performance of NAMIRIAL services and IT systems is monitored by Service Managers and changes are done when necessary according to the internal change management procedure.

Incident response and vulnerability management procedures are documented in an internal document. The monitoring system detects and alarms on abnormal system activities that indicate potential security violation, including intrusion into the network.

Paper documents and materials with Sensitive Information are shredded before disposal. Media used to collect or transmit Sensitive Information are rendered unreadable before disposal.

The NAMIRIAL security operations include: operational procedures and responsibilities, secure systems planning and acceptance, protection from malicious software, backups, network management, active monitoring of audit logs, event analysis and follow-up, media handling and security, data and software exchange.

NAMIRIAL’s personnel are authenticated before using critical applications related to the services.

User accounts are created for personnel in specific roles that need access to the system in question. All users must log in with their personal account, and administrative commands are only available with explicit permission. File system permissions and other features available in the operating system security model are used to prevent any other use. User accounts are removed as soon as possible when the role change dictates. Access rules are audited annually.

6.5.2 Computer Security Rating

NAMIRIAL uses standard computer systems.

6.6 Life Cycle Technical Controls

6.6.1 System Development Controls

An analysis of security requirements is carried out at the design and requirements specification stage of any systems development project undertaken by NAMIRIAL; or an analysis is carried out on behalf of NAMIRIAL to ensure that security is built into the Information Technology systems.

The software will be approved by the Service Managers and will originate from a trusted source. New versions of software are tested in a testing environment of the appropriate service and their deployment is conducted according to documented change management procedures.

6.6.2 Security Management Controls

Measures are implemented in the information system of NAMIRIAL, including all workstations, for guaranteeing the integrity of software and configurations, as well as for detecting fraudulent software and restricting its spread. Only the software directly used for performing the tasks is used in the information system.

6.6.3 Life Cycle Security Controls

The NAMIRIAL policies and assets for information security are reviewed at planned intervals, or should significant changes occur, they are reviewed to ensure their continuing suitability, adequacy and effectiveness.

The configurations of the NAMIRIAL systems are regularly checked for changes that violate the NAMIRIAL security policies. A review of configurations of the issuing systems, security support systems, and front-end/internal-support systems occurs at least on a weekly basis. The Security Officer approves changes that have an impact on the level of security provided. NAMIRIAL has procedures for ensuring that security patches are applied to the certification system within a reasonable time period after they become available, but not later than six months following the availability of the security patch. The reasons for not applying any security patches will be documented.

NAMIRIAL manages the registration of information assets and classifies all information assets into security classes according to the results of the regular security analysis consistent with the risk assessment. All NAMIRIAL policies and assets related to information security will be reviewed internally at planned intervals, or should significant changes occur, they will be reviewed to ensure their continuing suitability, adequacy and effectiveness.

6.7 Network Security Controls

The NAMIRIAL network is divided into zones by security requirements. Communication between the zones is restricted. Only the protocols needed for the NAMIRIAL services are allowed through the firewalls.

The front-end systems are in a DMZ protected by a firewall and TLS offload servers. Actual security-critical services and corresponding HSMs run in a secure zone that is separated by a dedicated firewall and has no direct Internet access.

The root CA is in a high security zone and is air-gapped from all the other networks. The NAMIRIAL systems are configured with only those accounts, applications, services, protocols, and ports that are used in the Trust Service operations.

NAMIRIAL ensures that only personnel in Trusted Roles have access to the secure zone and the high security zone.

The cabling and active equipment along with their configuration in the NAMIRIAL internal network are protected by physical and organisational measures.

NAMIRIAL operates multiple data centres in separate sites for redundancy. Communication between sites is cryptographically secured.

All data centres are considered to be in a common internal secure network carrying the DMZ and secure zone. The transfer of Sensitive Information outside the NAMIRIAL internal network is encrypted.

The security of the NAMIRIAL internal network and external connections is constantly monitored to prevent all access to protocols and services not required for the operation of the Trust Services.

NAMIRIAL performs a vulnerability scan twice a year on public and private IP addresses identified by NAMIRIAL.

NAMIRIAL undergoes a penetration test on the certification systems annually, at the set up and after the infrastructure or application upgrades or modifications determined significant by NAMIRIAL.

NAMIRIAL records evidence that each vulnerability scan and penetration test was performed by a person or entity with the skills, tools, proficiency, code of ethics, and independence necessary to provide a reliable report.

6.8 Time-Stamping

NAMIRIAL provides a time-stamping service as a qualified Trust Service, which is specified in the Namirial S.p.A. Time-Stamping Authority Practice Statement [6].

NAMIRIAL does not use time-stamping in relation to the certification service. Database entries contain accurate time and date information. The time information is not cryptographic-based. The maximum allowed time variance in all parts of the certification system is 1 second. This is guaranteed by an internal Reference Clock service, according to which the chronologies of all parts of the certification system are synchronised. The Reference Clock uses GPS (Global Positioning System) as a primary time source which determines preciseness of the time in NAMIRIAL’s system.

7 Certificate, CRL, and OCSP Profiles

7.1 Certificate Profile

Specified in relevant service-based Policy and/or Practice Statement.


7.2 CRL Profile

Specified in relevant service-based Policy and/or Practice Statement.

7.3 OCSP Profile

Specified in relevant service-based Policy and/or Practice Statement.

8 Compliance audit and other assessments

8.1 Frequency or circumstances of assessment

Two kinds of compliance audit are made:

- an internal audit performed at least once a year
  o by an external provider specialized in PKI; or
  o by an internal auditor.

- a qualification audit performed by an accredited organization at least once a year.

An audit ensuring compliance to this CP is performed:

- at least once a year for internal audit;
- during annual renewal of qualification, as requested by the regulatory proceeding;
- after each major modification.

During the qualification process, a first compliance audit has been performed by an accredited organization as requested by the regulatory proceeding.

8.2 Identity/qualifications of assessor

The assessor must act with rigor in order to ensure that policies, statements and services are properly implemented and to detect the non-compliance items which might jeopardize the security of the service.

The TSP commits to hire assessors with a high level of expertise in system security, particularly in the field of the audited component.

8.3 Assessor’s relationship to assessed entity

The assessor is appointed by NAMIRIAL, and is allowed to audit the practices ruling the target component of the audit. He may be part of NAMIRIAL but is independent from the TSP.

8.4 Topics covered by assessment

The assessor operates compliance audits of the specified component, covering totally or partly the implementation of:

- the TSP PS;
- the CP and CPS;
- the TSA PS;
- the components of the PKI and TSS.

Prior to every audit, the assessors will provide the TSP Director with a list of components and procedures they wish to audit, and will subsequently prepare the detailed audit program.

8.5 Actions taken as a result of deficiency

Following the compliance audit, the assessment team gives the TSP the result, which can be “success”, “failure” or “to be confirmed”.

In case of failure, the assessment team delivers recommendations to the TSP. The TSP then decides which actions to perform.


In case of result “to be confirmed”, the assessment team identifies the non-compliances and prioritizes them. The TSP then schedules the correction of these non-compliances. A validation audit then checks for their effective corrections.

In case of success, the TSP confirms that the audited component complies with the requirements of the CP.

8.6 Communication of results

The audit results are made available to the Executive Management Committee of NAMIRIAL and to the qualification body in charge of the qualification of the TSP.

9 Other business and legal matters

9.1 Fees

9.1.1 Certificate Issuance or Renewal Fees

Specified in relevant service-based Policy and/or Practice Statement.

9.1.2 Certificate Access Fees

Not applicable.

9.1.3 Revocation or Status Information Access Fees

Specified in relevant service-based Policy and/or Practice Statement.

9.1.4 Fees for Other Services

Fees for services are specified in NAMIRIAL’s price list or in the Subscriber’s or Relying Party’s agreement.

9.1.5 Refund Policy

NAMIRIAL handles refund requests case-by-case.

9.2 Financial Responsibility

9.2.1 Insurance Coverage

In accordance with the relevant legislation, NAMIRIAL publishes the terms of the compulsory insurance policy on its website https://docs.namirialtsp.com/insurance/.

9.2.2 Other Assets

According to relevant agreements NAMIRIAL may give some additional warranties.

9.2.3 Insurance or Warranty Coverage for End-Entities

Refer to clause 9.2.1 of this NAMIRIAL PS.

9.3 Confidentiality of Business Information

9.3.1 Scope of Confidential Information

All information that has become known while providing services and that is not intended for publication (e.g. information that had been known to NAMIRIAL because of operating and providing Trust Services) is confidential. The Subscriber has a right to get information from NAMIRIAL about him/herself according to legal acts.

9.3.2 Information Not Within the Scope of Confidential Information

Any information not listed as confidential or intended for internal use is public information. Information considered public in NAMIRIAL is listed in clause 2.2 of this NAMIRIAL PS.


Additionally, non-personalised statistical data about NAMIRIAL’s services is also considered public information.NAMIRIALmaypublishnon-personalised statistical dataabout itsservices.

9.3.3 ResponsibilitytoProtectConfidentialInformationNAMIRIAL secures confidential information and information intended for internal use from compromise andrefrains fromdisclosing ittothirdpartiesbyimplementing different security controls.

Disclosure or forwarding of confidentialinformationto a third party is permitted only with the writtenconsentofthelegalpossessoroftheinformationonthebasisofacourtorderorinothercasesprovidedbylaw.

9.4 Privacy of Personal Information

9.4.1 Personal Data Protection Principles

NAMIRIAL takes all the necessary measures so that personal data are protected and stored confidentially according to the Italian data protection code (Legislative Decree no. 196/2003).

9.4.2 Personal Information Processed by NAMIRIAL

The scope of personal information processed by NAMIRIAL is described in https://docs.namirialtsp.com/privacy/.

9.4.3 Responsibility to Protect Private Information

NAMIRIAL ensures protection of personal information by implementing security controls as described in chapter 5 of this NAMIRIAL PS.

9.4.4 Notice and Consent to Use Private Information

The exact terms under which the subscriber grants NAMIRIAL his/her notice and consent to use his/her personal information are described in https://docs.namirialtsp.com/privacy/.

9.4.5 Disclosure Pursuant to Judicial or Administrative Process

The circumstances under which NAMIRIAL may disclose the subscriber’s personal information to third parties are described in https://docs.namirialtsp.com/privacy/.

9.4.6 Other Information Disclosure Circumstances

The circumstances under which NAMIRIAL may disclose the subscriber’s personal information to third parties are described in https://docs.namirialtsp.com/privacy/.

9.5 Intellectual Property Rights

The products operated to provide the PKI belong to NAMIRIAL. Any use or reproduction, total or partial, of these elements and/or information within, by any means, is strictly prohibited and is a forgery punished, unless NAMIRIAL has previously given its written agreement.

9.6 Representations and Warranties

9.6.1 Trust Service Provider Representations and Warranties

NAMIRIAL is party to the mutual agreements and obligations between the TSP, Subscribers, and Relying Parties. This NAMIRIAL PS and service-based Practice Statements are integral parts of these agreements.

NAMIRIAL:

- provide its services consistent with the requirements and the procedures defined in this NAMIRIAL PS and service-based policies and practice statements;

- comply with eIDAS regulation [1] and related legal acts defined in this NAMIRIAL PS and service-based policies and practice statements;

- publish its NAMIRIAL PS and service-based policies and practice statements and guarantee their availability in a public data communications network;

- publish and meet its claims in terms and conditions for subscribers and guarantee their availability and access in a public data communications network;

- maintain confidentiality of the information which has come to its knowledge in the course of supplying the service and is not subject to publication;

- keep account of the Trust Service Tokens issued by it and their validity and ensure possibility to check the validity of certificates;

- inform the Supervisory Body of any changes to a public key used for the provision of Trust Services;

- without undue delay but in any event within 24 hours after having become aware of it, notify the Supervisory Body and, where applicable, other relevant bodies such as the national CERT or the Italian Data Protection Authority and partners such as Acrobat Adobe (for AATL) of any breach of security or loss of integrity that has a significant impact on the Trust Service provided or on the personal data maintained therein;

- where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the Trusted Service has been provided, notify the natural or legal person of the breach of security or loss of integrity without undue delay;

- preserve all the documentation, records and logs related to Trust Services according to the clauses 5.4 and 5.5;

- ensure a conformity assessment according to requirements and present the conclusion of conformity assessment body to the Supervisory Body to ensure continual status of Trust Services in the Trusted List;

- has the financial stability and resources required to operate in conformity with this NAMIRIAL PS;

- publish the terms of the compulsory insurance policy and the conclusion of conformity assessment body or certificate in a public data communications network.

An employee of NAMIRIAL may not have been punished for an intentional crime.

9.6.2 RA Representations and Warranties

The LRA shall:

- provide its services consistent with the requirements and the procedures defined in the contract between NAMIRIAL and LRA, in this NAMIRIAL PS and service-based Policies and Practice statements;

- provide its employees with necessary training for supply of high-quality service;

- without undue delay after having become aware of it, will notify NAMIRIAL of any breach of security or loss of integrity that has a significant impact on the Trust Service provided or on the personal data maintained therein.

An employee of LRA may not have been punished for an intentional crime.

9.6.3 Subscriber Representations and Warranties

The Subscriber shall:

- observe the requirements provided by NAMIRIAL in this NAMIRIAL PS and the respective service-based policies and/or practice statements;

- supply true and adequate information in the application for the services, and in the event of a change in the data submitted, he/she shall notify the correct data in accordance with the rules established in the service-based policies and practice statements;

- be aware of the fact that NAMIRIAL may refuse to provide the service if the Subscriber has intentionally presented false, incorrect or incomplete information in the application for the service;

- be solely responsible for the maintenance of his/her private key and Trust Service Tokens. The Subscriber shall use his/her private key and Trust Service Tokens in accordance with this NAMIRIAL PS, service-based practice statements and service terms and conditions.

9.6.4 Relying Party Representations and Warranties

A Relying Party shall:

- study the risks and liabilities related to the acceptance of Trust Service Tokens. The risks and liabilities have been set out in this NAMIRIAL PS, in the appropriate service-based policies and practice statements and in the service terms and conditions.

- verify the validity of Trust Service Tokens on the basis of validation services offered by NAMIRIAL using:

o published information on NAMIRIAL’s website https://docs.namirialtsp.com/ or

o applicable validation service or

o appropriate cryptographic information.

9.6.5 Representations and Warranties of Other Participants

Specified in relevant service-based Policy and/or Practice Statement.

9.7 Disclaimers of Warranties

NAMIRIAL:

- is liable for the performance of all its obligations specified in clause 9.6.1 to the extent prescribed by the legislation of the Republic of Italy;

- has compulsory insurance contracts, which cover all NAMIRIAL Trust Services to ensure compensation for damage which is caused as a result of violation of the obligations of NAMIRIAL.

NAMIRIAL is not liable for:

- the secrecy of the private keys of the Subscribers, possible misuse of the certificates or inadequate checks of the certificates or for the wrong decisions of a Relying Party or any consequences due to errors or omission in Trust Service Token validation checks;

- the non-performance of its obligations if such non-performance is due to faults or security problems of the Supervisory Body, the Italian Data Protection Authority, Trusted List or any other public authority;

- non-fulfilment of the obligations arising from the NAMIRIAL PS if such non-fulfilment is occasioned by Force Majeure.

9.8 Limitations of Liability

The upper limit of the liability for any claim is established in the referred policy available at https://docs.namirialtsp.com/insurance/.

9.9 Indemnities

Indemnities between the Subscriber and NAMIRIAL are regulated in service based Terms and Conditions.

9.10 Term and Termination

9.10.1 Term

Refer to clause 2.2.1 of this NAMIRIAL PS.

9.10.2 Termination

This NAMIRIAL PS and/or service-based Practice Statements remain in force until they are replaced by a new version or when they are terminated due to Trust Service or NAMIRIAL’s termination.

Upon NAMIRIAL’s termination, NAMIRIAL is obliged to ensure the protection of personal and confidential information.

9.10.3 Effect of Termination and Survival

NAMIRIAL communicates the conditions and effect of this NAMIRIAL PS’s and/or service-based Practice Statements termination via its public repository. The communication specifies which provisions survive termination.

At a minimum, all responsibilities related to protecting personal and confidential information, also maintenance of public information of repository, NAMIRIAL archives for determined period and logs survive termination. All Subscriber agreements remain effective until the certificate is revoked or expired, even if this NAMIRIAL PS and/or service-based Practice Statements terminate.

Termination of this NAMIRIAL PS and/or service-based Practice Statements cannot be done before termination actions described in clause 5.8 of this NAMIRIAL PS.

9.11 Individual Notices and Communications with Participants

In general, NAMIRIAL’s website http://www.namirialtsp.com will be used to make any type of notification and communication. Other means of individual notices and communication is specified in relevant service-based Policy and/or Practice Statement.

9.12 Amendments

9.12.1 Procedure for Amendment

Refer to clause 1.5.4 of this NAMIRIAL PS.

9.12.2 Notification Mechanism and Period

Refer to clause 2.2.1 of this NAMIRIAL PS.

9.12.3 Circumstances Under Which OID Must be Changed

Not applicable.

9.13 Dispute Resolution Provisions

All disputes between the parties will be settled by negotiations. If the parties fail to reach an amicable agreement, the dispute will be resolved at the court of the location of NAMIRIAL.

The other parties will be informed of any claim or complaint not later than 30 calendar days after the detection of the basis of the claim, unless otherwise provided by law.

The Subscriber or other party can submit their claim or complaint on the following email: [email protected].

9.14 Governing Law

This NAMIRIAL PS is governed by the jurisdictions of the European Union and the Republic of Italy.

9.15 Compliance with Applicable Law

NAMIRIAL ensures compliance with the legal requirements to meet all applicable statutory requirements for protecting records from loss, destruction and falsification, and the requirements of the following:

- eIDAS - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [1];

- Italian Data Protection Code [7];

- related European Standards:

o ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers [2];

o ETSI EN 319 411-1 Electronic Signatures and Infrastructures (ESI); Policy and Security requirements for Trust Service Providers issuing certificates; Part 1: General requirements [9];

o ETSI EN 319 411-2 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates [9];

- CA/Browser Forum, Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates [3].

9.16 Miscellaneous Provisions

9.16.1 Entire Agreement

NAMIRIAL contractually obligates each LRA and other participants to comply with this NAMIRIAL PS and applicable industry guidelines. NAMIRIAL also requires each party using its products and services to enter into an agreement that delineates the terms associated with the product or service. If an agreement has provisions that differ from this NAMIRIAL PS, then the agreement with that party prevails, but solely with respect to that party. Third parties may not rely on or bring action to enforce such agreement.

9.16.2 Assignment

Any entities operating under this NAMIRIAL PS may not assign their rights or obligations without the prior written consent of NAMIRIAL. Unless specified otherwise in a contract with a party, NAMIRIAL does not provide notice of assignment.

9.16.3 Severability

If any provision of this NAMIRIAL PS is held invalid or unenforceable by a competent court or tribunal, the remainder of the NAMIRIAL PS remains valid and enforceable. Each provision of this NAMIRIAL PS that provides for a limitation of liability, disclaimer of a warranty, or an exclusion of damages is severable and independent of any other provision.

9.16.4 Enforcement (Attorneys' Fees and Waiver of Rights)

NAMIRIAL may claim indemnification and attorneys' fees from a party for damages, losses, and expenses related to that party's conduct. NAMIRIAL’s failure to enforce a provision of this NAMIRIAL PS does not waive NAMIRIAL’s right to enforce the same provision later or right to enforce any other provision of this NAMIRIAL PS. To be effective, waivers must be in writing and signed by NAMIRIAL.

9.16.5 Force Majeure

The subject of Force Majeure and other parties are responsible for any consequences caused by circumstances beyond his reasonable control, including but without limitation to war (whether declared or not), acts of government or the European Union, export or import prohibitions, breakdown or general unavailability of transport, general shortages of energy, fire, explosions, accidents, strikes or other concerted actions of workmen, lockouts, sabotage, civil commotion and riots.

Communication and performance in the case of Force Majeure are regulated between the parties with the agreements.

Non-fulfilment of the obligations arising from the NAMIRIAL PS and/or relevant service-related Policies and/or Practice Statements is not considered a violation if such non-fulfilment is occasioned by Force Majeure. None of the parties shall claim damage or any other compensation from the other parties for delays or non-fulfilment of this NAMIRIAL PS and/or relevant service-related Policies and/or Practice Statements caused by Force Majeure.

9.17 Other Provisions

Not applicable.

References

Number Description

[I] eIDAS - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

[II] ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers;

[III] CA/Browser Forum, Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.3.pdf;

[IV] RFC 3647 – Request For Comments 3647, Internet X.509 Public Key Infrastructure, Certificate Policy and Certification Practices Framework, https://www.ietf.org/rfc/rfc3647.txt;

[V] ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems – Requirements;

[VI] Namirial S.p.A. Time-Stamping Authority Practice Statement, published: https://docs.namirialtsp.com/tsaps/;

[VII] Italian Data Protection Code (Legislative Decree no. 196/2003).

[VIII] Data Protection Disclaimer (Privacy), published: https://docs.namirialtsp.com/privacy/;

[IX] ETSI EN 319 411-1 Electronic Signatures and Infrastructures (ESI); Policy and Security requirements for Trust Service Providers issuing certificates; Part 1: General requirements;

[X] ETSI EN 319 411-2 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates.