Certificate Policy
Land Registry
Version 4.0 10/09/2009
Contents
1 Background 5
2 Scope 6
3 References 6
4 Definitions 7
5 General approach – policy and contract responsibilities 9
5.1 Background 9
5.2 Certificate Policy and Certification Practice Statement 9
5.2.1 Purpose 9
5.2.2 Level of specificity 10
5.2.3 Approach 10
6 Introduction to the Certificate Policies for Land Registry 10
6.1 Overview 10
6.2 Identification 11
6.3 Policy changes
11
6.4 Conformance 11
6.5 Contact details 11
7 Obligations and liability 12
7.1 Certification Authority obligations 12
7.2 Subscriber obligations 12
7.3 Relying Party obligations 12
7.4 Certification Authority liability 13
8 Annex A – Registered Land Registry Certificate Policies 14 9 Annex B – Requirements on Certification Authority Practice
for Land Registry Local Signing Certificate Policy 15
9.1 Subscriber obligations 15
9.1.1 Key usage 16
9.2 Certification Practice Statement 16
9.3 Key Management Life Cycle 16
9.3.1 Generation of Certification Authority Keys 16 9.3.2 Certification Authority Key storage, backup and
recovery 17
9.3.3 Certification Authority Public Key distribution 17
9.3.4 Key Escrow 17
9.3.5 Certification Authority Key usage 17 9.3.6 End of Certification Authority Key life cycle 17 9.3.7 Life cycle management of cryptographic hardware
used to sign Certificates 18
9.3.8 CA provided Subject Key management services 18 9.3.9 Hardware Key storage device preparation 18
9.4 Certificate Management life cycle 19
9.4.1 Subject registration 19
9.4.2 Certificate renewal, re-key and update 20
9.4.3 Certificate generation 20
9.4.4 Dissemination of terms and conditions 21
9.4.5 Certificate dissemination 21
9.4.6 Certificate revocation and suspension 22
9.5 Management and operation 23
9.5.1 Security management 23
9.5.2 Asset classification and management 23
9.5.3 Personnel security 23
9.5.4 Physical and environmental security 24
9.5.5 Operations management 25
9.5.6 System access management 26
9.5.7 Trustworthy systems deployment and maintenance 26 9.5.8 Business continuity management and incident
handling 26
9.5.9 Certification Authority termination 27
9.5.10 Compliance with legal requirements and Land
Registry’s policies and practices 28
9.5.11 Recording of information concerning Certificates 28
9.6 Organisational 29
10 Annex C – Requirements on Certification Authority Practice
for Land Registry Central Signing Certificate Policy 30 10.1 Deviation from the original policy 30
10.1.1 Key Escrow 30
10.1.2 Certificate Authority Provided Subject Key
Management Services 31
11 Annex D – Requirements on Certification Authority Practice
for Land Registry Individual Authentication Certificate Policy 32 11.1 Deviation from the original policy 32
11.1.1 Subscriber obligations 32
11.1.2 Key usage 33
12 Annex E – Requirements on Certification Authority Practice
for Land Registry Device Authentication Certificate Policy 34 12.1 Deviation from the original policy 34
12.1.1 Subscriber obligations 34
12.1.2 Key usage 35
12.1.3 CA Provided Subscriber Key Management Services 35 12.1.4 Hardware Key Storage Device Preparation 35
12.1.5 Subject registration 35
1. Background
Public Key Infrastructure (PKI) has been widely accepted by the market and governments worldwide as an important electronic business enabler. PKI can ensure, in a cost-effective manner, the confidentiality and integrity of digital data, as well as guarantee the identities of communicating or transacting entities or
persons. Confidentiality is achieved through encryption, whereas identification and integrity are achieved through digital signatures.
These critical internet trust techniques are supported by Certificates issued by a Certification Authority. Such Certificates “bind” a person or legal entity to a cryptographic key that is published within a relevant community. This Public Key corresponds in a unique manner to another key, which for PKI to work must be kept strictly confidential (the Private Key). Digital signatures are created by using the Private Key of the sender, while confidentiality is achieved by use of the Public Key of the receiver.
For users of PKI to have confidence in the Certificates that identify their counterparts in for example web transactions, they need to have confidence that the Certification Authority has properly established procedures and protective measures in order to
minimise the operational and financial threats and risks associated with PKI. This document specifies the policy requirements on the operation and management of Land Registry and their customers to give users this confidence in relation to the Land Registry E-services.
2. Scope
This document specifies policy requirements relating to Land Registry Certification Authority. It defines policy requirements on the operation and management of its Certification Authority issuing Certificates such that Subjects certified by the Certification Authority and Relying Parties may have confidence in the reliability of the Certificate.
Subscribers and Relying Parties should consult the Land Registry Certification Practice Statement to obtain further details of precisely how this Certificate Policy is implemented by Land Registry for a particular class of Certificate.
3. References
The following documents contain provisions which, through references in this text indicated by [n], constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etcetera) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies.
1. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
2. ETSI TS 101 456: Policy requirements for issuing qualified certificates.
3. IETF RFC 3739: Internet X.509 Public Key Infrastructure: Qualified certificate profile. (Also ETSI TS 101 862).
4. IETF RFC 3647 (2003): Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
5. Data Protection Act 1988.
6. ISO/IEC 9000: 2000 Quality Management Systems.
7. ISO/IEC 17799:2005: Information Technology – Security Techniques – Code of Practice for Information Security Management.
8. ISO/IEC 15408:2005 (parts 1 – 3): Information Technology – Security Techniques – Evaluation Criteria for IT Security.
9. FIPS PUB 140-2 (2001): Security Requirements for Cryptographic Modules.
10. CEN Workshop Agreement 14167-2: Security Requirements
for Trustworthy Systems Managing Certificates for Electronic
Signatures – Part 2: Cryptographic Module for CSP signing
operations with backup – Protection Profile (CMCSOB-PP).
11. CEN Workshop Agreement 14167-3: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 3: Cryptographic Module for CSP key generation services – Protection Profile (CMCKG-PP).
12. CEN Workshop Agreement 14167-4: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 2: Cryptographic Module for CSP signing operations – Protection Profile (CMCSO-PP).
13. IETF RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
4. Definitions
Administrator: A person who controls the service operation of the CA.
Central Signing Service: Private Key storage and use under the End User’s sole control within a secure service operated by Land Registry.
Certificate Policy: A named set of rules that indicates the applicability of a Certificate to a particular community and/or class of application with common security requirements.
Certificate: The Public Key of an End User or Device, together with verifiable identity information, rendered unforgeable by encoding with the Private Key of the Certification Authority which issued it.
Certification Authority (CA): An entity trusted by one or more users to create and assign Certificates.
Certification Practice Statement: A statement of the practices that a Certification Authority uses in issuing Certificates.
Conveyancer: Any member, employee, officer or agent of a subscriber authorised under a current full Network Access Agreement.
Device: In these policies is used to include an internet server,
software or equipment used to initiate a virtual private network and functions in organisations authorised to sign software code.
Electronic Signature: Data in electronic form in, affixed to, or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message.
End User: The person or legal entity having its Public Key and name certified by a Certification Authority in a Public Key Certificate.
Know Your Customer (KYC): The process of establishing a client’s
identity using appropriate documentary evidence (eg passport or
utility bill) to ensure compliance with the Proceeds of Crime Act 2002
and the Terrorism Act 2000 and the Money Laundering Regulations
2003. Guidance is provided by the FSA and the Law Society.
Key Pairs: Encryption keys used for signature purposes comprise a pair of large prime numbers that have a specific mathematical relationship such that if one is used to encrypt data only the other half of the pair can be used to decrypt the data.
Network: The electronic communications network provided in accordance with section 92 of the Land Registration Act 2002 and any components of it and the services provided by way of that network from time to time.
Private Key: One part of the Key Pair that is kept private to by the Subject. Used for creating the Electronic Signature.
Public Key: The other part of the Key Pair made public to any Relying Party in order to validate the Electronic Signature.
Registration Authority: The organisational entity responsible for the enrolment of subjects into the Certification Authority. It may be a different organisation to the Certification Authority, but is obliged to comply with the Certificate Policy.
Relying Party: The party in a transaction or communication which acts or may act in reliance on a Certificate and/or digital signatures verified using that Certificate.
Representative: The individual who accepts the Certificate associated with computer applications and Devices
1in the control of
Subscribers, and is responsible for the correct protection and use of the Private Key.
Subject: Entity identified in a Certificate as the rightful holder of the Private Key associated with the Public Key given in the Certificate.
The Subject may be an End User or Device.
Subscriber: Entity which subscribes with a Certification Authority on behalf of an End User or End Users to have one or more Public Keys and associated entities certified in the same number of Public Key Certificates. A Subscriber may also be the Subject or Representative.
Technical Manual: The document, including parts 1 and 2, which details the system and security requirements and other technical aspects of the Network and published from time to time by the Registrar. References to the Technical Manual mean the version as updated from time to time.
1 Eg firewalls, routers, in-line network encryptors, trusted servers, and other
5. General approach – policy and contract responsibilities
5.1 Background
The authority trusted by the users of the certification services to create and sign Certificates is called the Certification Authority. The Certification Authority has overall responsibility for the provision of these services and is identified in the Certificate as the issuer.
When a Certification Authority issues a Certificate it attests that it has established the name of the Subject by using defined processes based on the examination of defined external evidence. This
evidence concerns the certified entity’s name and its association with other information in the Certificate to achieve a targeted level of reliability and trust, and represents information and facts that the Certification Authority chooses to rely upon to make a correct attestation. The evidence collected and the method of examination may vary between different types of certification services, but all services must in the end rely on information that is outside the scope of the Certification Authority to challenge.
The responsibility of the Certification Authority is limited to the correct execution of its defined procedures which will include evidence collection and examination procedures that are defined to be part of its service. If an error is caused by false external evidence (such as a false ID-card) that was correctly collected and processed according to defined procedures, the Certification Authority has fulfilled its obligations and is not responsible for the error. However, the Certification Authority always maintains responsibility for processes defined to be part of its service for ensuring that the policy requirements imposed on the Certification Authority in this document are met; and for liability issues arising out of the issue and management of certificates. The Certification Authority may use other parties to provide services, and the distribution of responsibilities among these parties is contractually agreed between the Certification Authority and its subcontractors. In these cases it is also the responsibility of the Certification Authority to provide adequate instructions to Subscribers and Relying Parties and to provide the details required for the Subscribers or the Relying Parties to meet their obligations.
5.2 Certificate Policy and Certification Practice Statement 5.2.1 Purpose
In general, the purpose of the Certificate Policy (these are referenced by a policy identifier in a Certificate) states the rules on how the Certificate is to be issued, used and when it may be relied upon.
The Certification Practice Statement is a summary of the processes and procedures the Certification Authority will use in creating and maintaining the Certificate. The relationship between the Certificate Policy and Certification Practice Statement is similar in nature to the relationship of other business policies that state the requirements of the business, while operational units define the practices and procedures of how these policies are to be carried out.
If a Certification Authority is issuing Certificates against a number
of Certificate Policies, then the Certification Authority’s Certification
Practice Statement (only one is necessary) will state how the
Certification Authority implements the controls.
5.2.2 Level of specificity
A Certificate Policy is a less specific document than a Certification Practice Statement. A Certification Practice Statement is a more detailed description of business and operational practices of a Certification Authority in issuing and otherwise managing Certificates. The Certification Practice Statement of a Certification Authority enforces the rules established by entities prescribing a specific Certificate Policy. A Certification Practice Statement defines how a specific Certification Authority meets the technical, organisational and procedural requirements identified in a Certificate Policy.
5.2.3 Approach
The approach of a Certificate Policy is significantly different from that of a Certification Practice Statement. A Certificate Policy is defined independently of the details of the specific operating environment of a Certification Authority, whereas a Certification Practice Statement is tailored to the organisational structure, operating procedures, facilities, and computing environment of a Certification Authority. A Certificate Policy may be defined by the user of certification services, whereas the Certification Practice Statement is always defined by the provider.
The Certification Practice Statement relevant to the Land Registry Certification Authority will be incorporated into the Technical Manual.
6. Introduction to the Certificate Policies for Land Registry
6.1 Overview
Certificates issued by the Land Registry Certification Authority (hereafter referred to as the CA) in accordance with the current document include a Certificate Policy identifier that can be used by Relying Parties in determining the Certificate’s suitability and trustworthiness for a particular application.
Certificates for four types of use are defined by these policies.
1. Where End Users apply Electronic Signatures locally.
2. Where End Users apply Electronic Signatures centrally.
3. Where End Users have authentication needs.
4. Devices with software key storage.
The main body of this document describes the general requirements for issuing and managing Certificates. Annex B covers more specific details for issuing and managing Certificates for use where End Users are in possession of their cryptographic token and apply Electronic Signatures locally. Annex C describes the requirements for issuing and managing Certificates for use where End Users apply Electronic Signatures centrally under sole control. Annex D describes the requirements for issuing and managing Certificates for use by End Users with cryptographic tokens for authentication purposes.
Annex E describes the requirements for issuing and managing Certificates for use by Devices.
Sections 1 to 7 are common to all four policies, whereas the
requirements on the CA will differ according to the Certificate issued,
as defined in Annexes B to E.
6.2 Identification
The identifiers for the Certificate Policies specified in the current document are at Annex A.
6.3 Policy changes 6.3.1 Change procedures
The following aspects of these Certificate Policies can change without notification and without requiring a new object identifier to be allocated:
a. formatting and
b. correction of minor typographic errors.
The following aspects of this Certificate Policy can change with notification, but without requiring a new object identifier to be allocated:
c. any aspect that does not lower, and cannot be perceived to lower, the fundamental trust that can be placed in the Certificate.
The following aspects of this Certificate Policy cannot be changed unless a new object identifier is created:
d. any aspect that lowers, or could be perceived to lower, the fundamental trust that can be placed in the Certificate.
6.3.2 Publication and notification
An electronic copy of this document, duly signed by an authorised representative of the CA, is to be made available:
a. at the Land Registry website www.landregistry.gov.uk
b. via an email request to [email protected] 6.4 Conformance
The CA shall only use the identifier for the appropriate Certificate Policy as provided in 6.2 if:
• the CA claims conformance to the identified Certificate Policy and makes available on request the evidence to support the claim of conformance; or
• the CA has been certified to be conformant to the identified Certificate Policy.
6.5 Contact details
These Certificate Policies are published by:
Business Development Board HM Land Registry
Head Office
Lincoln’s Inn Fields London WC2A 3PH
Contact: [email protected]
7. Obligations and liability
7.1 Certification Authority obligations
The CA shall ensure that all requirements, as detailed in the relevant sections applicable to the policy issued, are implemented.
The CA has the responsibility for conformance with the procedures prescribed in the policy, regardless of its operational responsibilities in performing its functions. The CA shall also fulfil any additional obligations that are indicated in the Certificates either directly or incorporated by reference.
7.2 Subscriber obligations
The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below:
a. only use the Key Pairs for the purposes defined in Section 9, 10, 11 or 12 and in accordance with any other limitations that may be notified to the Subscriber
b. submit accurate and complete information to the CA during Subject registration in accordance with the requirements of the policy
c. exercise reasonable care to avoid unauthorised use of the Subject’s Private Key
d. notify the CA, without any unreasonable delay, if any of the following occur up to the end of the validity period indicated in the Certificate
– the Subject’s Private Key has been potentially or actually lost, stolen or compromised
– control over the Subject’s Private Key has been lost due to potential or actual compromise of activation data (eg PIN code) or other reasons and/or
– inaccuracy or changes to the Certificate content, as notified to the Subscriber.
e. ensure that if the Subscriber or Subject generates the Subject’s Key Pair, only the Subject holds the Private Key
f. ensure that Private Keys are generated within the hardware key storage device.
7.3 Relying Party obligations
The obligations of the Relying Party if it is to reasonably rely on a Certificate are to:
a. verify the validity, suspension or revocation status of the Certificate using current revocation status information as indicated to the Relying Party (see 9.4.6)
b. take account of any limitations on the usage of the Certificate indicated to the Relying Party, either in the Certificate, or in the terms and conditions supplied as required in 9.4.4 and 9.4.5 and c. take any other precautions prescribed in the Certification Practice
Statement.
7.4 Certification Authority liability
Certificates issued by the CA will be used primarily for signing
electronic dispositionary documents relating to registered land when permitted by law such as transfers or mortgages. Certificates can also be used to sign electronic contracts relating to registered land when permitted by law. Additional Certificates will be issued for End User and Device authentication purposes and for enabling secure communication channels. The liability taken by the CA, however, is limited to the correct application of procedures as declared in the Certification Practice Statement (as incorporated into the Technical Manual); these procedures relate to the issue and management of digital Certificates. Therefore any failure of transaction that utilises the digital Certificate is out of scope.
In essence the liability will include the correct identification of
Subjects according to the declared practices. If a transaction is found to be in error through the incorrect identification of the Subject through failing to follow the declared practices, then the
CA is liable. If however the Subject is incorrectly identified, but the error was within the documents used to support the Subject’s claim to an identity, then the CA shall not be liable.
The CA shall include any limitation of liability within the Certificate,
providing the relevant information within an easily accessible
statement both on its website and within the Certification Practice
Statement. The information above shall be available through a
durable (ie with integrity and availability over time) means of
communication, which may be transmitted electronically, and in
readily understandable language.
8. Annex A – Registered Land Registry Certificate Policies
The following Certificate Policies are defined within the Land Registry e-Security service.
Service Policy name Object
identifier
2Description
e-Security
Land Registry Local Signing.
{iso(1) member- body(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificate- policy(1) 2}
Where End Users apply Electronic Signatures locally.
Land Registry Central Signing.
{iso(1) member- body(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificate- policy(1) 3}
Where End Users apply Electronic Signatures centrally.
Land Registry Individual Authentication.
{iso(1) member- body(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificate- policy(1) 4}
Electronic identity-based Authentication.
Land Registry Device
Authentication.
{iso(1) member- body(2) GB(826) UK National registration (0) Land Registry(1359) policy (1) certificate- policy(1) 5}
Device
authentication Certificate Policy.
2 See ISO/IEC 8824:1988 | CCITT X.208 Specification of Abstract Syntax Notation One (ASN.1), Annexes B to D for a definition.
9. Annex B – Requirements on
Certification Authority Practice for Land Registry Local Signing Certificate Policy
This Certificate Policy applies to all Conveyancers and their customers who wish to sign electronic dispositionary documents relating to registered land such as transfers or mortgages, and who wish to keep their Private Keys in their possession. It includes Land Registry signing acknowledgement of any data presented to the Network and authenticating documents and information issued by Land Registry.
The identifier for the Land Registry Local Signing Certificate Policy is:
Policy Identifier =1.2.826. 0.1359. 1.1.2
By including this object identifier in a Certificate, the CA claims conformance to the identified Land Registry Local Signing Certificate Policy.
The Certificates issued under this policy may be used to support Electronic Signatures which meet the requirements of the Directive [1] and English law, in connection with information services, transactions, agreements, exchange of valuable information and contracting for property and land transactions. The decision to accept the Certificate, however, is at the discretion of the Relying Party.
Certificates issued under this policy are primarily focused on the following main classes of security services:
– identification of originator
– creation of an Electronic Signature – integrity of data.
The Certificate Authority shall implement the controls that meet the requirements set out in this annex.
This Certificate Policy incorporates Sections 5, 6 and 7 of this document with the amendments and changes defined in this Annex.
9.1 Subscriber obligations
The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below:
a. only use the Key Pairs for Electronic Signatures and in accordance with any other limitations that may be notified to the Subscriber and
b. sub-paragraphs b. to f. contained in 7.2 above.
9.1.1 Key usage
Certificates issued under this policy shall be used:
a. by Conveyancers and their customers who wish to sign dispositionary documents for registration at Land Registry, for example for transfer or mortgage of title between parties, to enable Electronic Signatures
b. by Land Registry for signing acknowledgement of data presented to the Network and/or
c. by Land Registry to authenticate documents and other such information issued by Land Registry.
The constraint is that the policy shall not cover any key usage other than non-repudiation as defined in [13].
9.2. Certification Practice Statement
The CA shall ensure that it has a Certification Practice Statement
3that identifies the practices and procedures used to address all the requirements identified in this policy, as considered necessary through its risk analysis.
In particular, the CA shall ensure that:
a. its Certification Practice Statement identifies the obligations of all external organisations supporting the relevant Land Registry services including the applicable policies and practices
b. details are made available of its Certification Practice Statement as necessary to assess conformance to the Certificate Policy c. the terms and conditions regarding use of the Certificate as
specified in 9.4.4 are disclosed to all Subscribers and potential Relying Parties
d. it has a management body with final authority and responsibility for approving the Certification Practice Statement
e. it has a defined review and maintenance process for its Certification Practice Statement
f. revisions to the Certification Practice Statement are made available to the auditors and to all appropriate Subscribers and Relying Parties as in b.
9.3 Key Management Life Cycle
9.3.1 Generation of Certification Authority Keys
The CA shall ensure that CA keys are generated in accordance with industry standards.
In particular, the CA shall ensure that:
a. generation of CA keys is undertaken in a physically secure environment (see 9.5.3) under, at least, dual control, and no greater number of personnel shall be authorised to carry out this function than required under the CA’s practices
b. generation of CA keys is carried out within a hardware key storage device which:
– meets the requirements identified in FIPS 140-2[9] Level3 or higher or
– meets the requirements identified in one of the following CEN Workshop Agreement 14167-2 [10], CWA 14167-3 [11] or CWA 14167-4 [12] or
– is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC 15408 [8], or equivalent security criteria c. the selected key length and algorithm for CA signing key shall
be one which is recognised as being fit for purposes of qualified
4Certificates as issued by the CA.
3 This policy makes no requirement as to the structure of the Certification Practice Statement.
4 As defined by the Electronic Signatures Regulations 2002.
9.3.2 Certification Authority Key storage, backup and recovery The CA shall ensure that CA Private Keys remain confidential and maintain their integrity.
In particular, the CA shall ensure that:
a. its private signing key is held and used within a hardware key storage device which:
– meets the requirements identified in FIPS 140-2[9] Level3 or higher
– meets the requirements identified in one of the following CEN Workshop Agreement 14167-2 [10], CWA 14167-3 [11] or CWA 14167-4 [12] or
– is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC 15408 [8], or equivalent security criteria
b. its private signing key is backed up, stored and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment (see 9.5.4). No more personnel shall be authorised to carry out this function than required under the CA’s practices
c. backup copies of the CA private signing keys are subject to the same or greater level of security controls as keys currently in use d. where the keys are stored in a dedicated key processing
hardware module, access controls are in place to ensure that the keys are not accessible outside the hardware module.
9.3.3 Certification Authority Public Key distribution
The CA shall ensure that the integrity of the CA Public Key and any associated parameters is maintained during its distribution to Relying Parties.
In particular, the CA shall ensure that its Public Key is made available to Relying Parties in a manner that assures the integrity of the CA Public Key and authenticates its origin.
9.3.4 Key Escrow
The CA shall not keep copies of Subject Private Keys.
9.3.5. Certification Authority Key usage
The CA shall ensure that CA signing keys are used only for appropriate activities related to the CA operation such as signing Certificates (as defined in 9.4.3) and signing Certificate Revocation Lists (CRL), within physically secure premises.
9.3.6 End of Certification Authority Key life cycle
The CA shall ensure that, at the end of their life cycle, all copies of the CA Private Keys are either:
a. destroyed such that the Private Keys cannot be retrieved or
archived in a manner such that they are protected against being put
back into use.
9.3.7 Life cycle management of cryptographic hardware used to sign Certificates
The CA shall ensure that:
a. cryptographic hardware used for Certificate signing is shipped in such a manner that is tamper-evident
b. cryptographic hardware used for Certificate signing is stored in such a way that is tamper-evident
c. the installation, activation, back-up and recovery of cryptographic hardware used for Certificate signing requires
a minimum of two trusted employees
d. Certificate signing cryptographic hardware is functioning correctly e. CA Private Keys stored on CA cryptographic hardware are destroyed
on device retirement.
9.3.8 CA provided Subject Key management services
The CA shall ensure that any Subject keys that it generates are generated securely and the privacy of the Subject’s Private Key is assured.
If the CA generates the Subject’s keys:
a. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy
b. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy
c. CA-generated Subject keys shall be generated and stored securely before delivery to the Subject
d. the Subject’s Private Key shall be delivered to the Subscriber in a manner such that the privacy of the key is not compromised and on delivery only the Subject has access to its Private Key.
9.3.9 Hardware Key storage device preparation
The CA shall ensure that if it issues to the Subject a hardware key storage device, this is carried out securely.
In particular, if the CA issues hardware key storage devices:
a. hardware key storage device preparation shall be securely controlled by the CA
b. hardware key storage devices shall be securely stored and distributed
c. hardware key storage deactivation and reactivation shall be securely controlled
d. where the hardware key storage device has associated user activation data (eg PIN code), the activation data shall be securely prepared and distributed separately from the hardware key storage device
5.
5 Separation may be achieved by ensuring distribution and delivery at
9.4 Certificate Management life cycle 9.4.1 Subject registration
The CA shall ensure that evidence of Subjects’ identification and accuracy of their names and associated data are either properly examined as part of the defined service or, where applicable, concluded through examination of attestations from appropriate and authorised sources, and that Subscriber Certificate requests are accurate, authorised and complete according to the collected evidence or attestation.
In particular, the CA shall ensure that:
a. before entering into a relationship with a Subscriber, the Subscriber is adequately informed through a formal agreement of the precise terms and conditions regarding use of the
Certificate as given in 9.4.4
b. if the End User is not the same as the Subscriber, the End User shall be informed of his/her obligations
c. the agreement at a above is communicated through a
durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language
d. it has collected – either by direct evidence or by an attestation from an appropriate and authorised source – that the name and, if applicable, any specific attributes of the person to which a Certificate is issued, has been verified by appropriate means in accordance with ‘Know Your Customer’ procedures, and that evidence of the name has been checked against a physical person either directly or indirectly using means providing assurance equivalent to physical presence, and that evidence may be in the form of either paper or electronic documentation
6,7e. where the Subject is a person acting on behalf of an
organisation, an attestation according to d has been collected from the organisation, which constitutes a declaration that evidence has been provided of the following:
– full name (including surname and given names) of the person – attributes of the Subject which may be used, to the extent
possible, to distinguish the person from others with the same name, such as date and place
8of birth or a nationally recognised identity number
– full name and legal status of the associated legal person or other organisational entity
– any relevant existing registration information (eg company registration) of the associated legal person or other
organisational entity
– evidence that the Subject is associated with the legal person or other organisational entity
– a physical address, or other attributes, provided by the Subject, which describe how the Subject may be contacted.
f. where the Subject is a person acting on their own behalf, evidence is provided of:
– full name (including surname and given names)
– attributes which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place of birth, or a nationally recognised identity number
g. all the information used to verify the Subject’s name, including any reference number on the documentation used for verification, and any limitations on its validity, is recorded
96 An example of evidence checked indirectly against a physical person is documentation presented for registration which was acquired as the result of an application requiring physical presence and shall be certified evidence such as a national ID card or passport.
7 The Certification Authority is liable as regards the accuracy “of all information contained in the Certificate”.
8 The place should be given in accordance to national conventions for registering births.
9 Copies of documents, appropriately countersigned (including by Electronic Signature), are suitable. The records should be securely stored as close as practicable to the location where the evidence is checked. Hence the use of an attestation in 9.4.1.d. if the location
h. the signed agreement with the Subscriber is recorded, including:
– Subscriber’s agreement to the Subscriber’s obligations as defined in Section 7.2
10,11,12– consent to the keeping of a record by the CA of information used in registration (see 9.5.11 h and i) and any subsequent revocation (see 9.5.11 j), and passing of this information to third parties under the same conditions as required by this policy in the case of the CA terminating its service
– whether, and under what conditions, the Subscriber requires and consents to the publication of its Certificate
– that the information held in the Certificate is correct
i. the records of evidence identified in d e and f above are retained for the period of time as indicated to the Subscriber within the precise terms and conditions (see a above) and as necessary for the purposes for providing evidence of certification in legal proceedings
j. the Certificate request process ensures that the Subject has possession of the Private Key associated with the Public Key presented for certification
k. the requirements of data protection legislation are complied with (including the use of pseudonyms if applicable) within its registration process.
9.4.2 Certificate renewal, re-key and update
The CA shall ensure that requests for Certificate renewal, re-key following revocation or prior to expiration, or update due to
change to the Subject’s attributes are complete, accurate and duly authorised.
13In particular, the CA shall ensure that:
a. the information used to verify the name and attributes of the Subject is still valid
b. if any of the CA terms and conditions have changed, these are communicated to the Subscriber and agreed to in accordance with 9.4.1 a, b and g
c. if any certified names or attributes have changed, or the previous Certificate has been revoked, the registration information is verified, recorded and agreed to by the Subscriber in accordance with 9.4.1 d to h
d. it only issues a new Certificate using the Subject’s previously certified Public Key if its cryptographic security is still sufficient for the new Certificate’s intended lifetime and no indications exist that the Subject’s Private Key has been compromised.
9.4.3 Certificate generation
The CA shall ensure that new, renewed and re-keyed Certificates are issued securely.
In particular, the CA shall ensure that:
a. the procedure of issuing the Certificate is securely linked to the associated registration, Certificate renewal or re-key, including the provision of any Subject generated Public Key
b. if it generates the Subject’s key, the procedure of issuing the Certificate is securely linked to the generation of the key pair by the CA
c. over time the uniqueness of the distinguished name assigned to the Subject within the domain of the CA is ensured (ie over the lifetime of the CA a distinguished name which has been used in an issued Certificate shall never be re-assigned to another entity)
10 The End User may agree to different aspects of this agreement during different stages of registration.
For example, agreement that the information held in the Certificate is correct may be carried out subsequent to other aspects of the agreement.
11 Other parties (eg the associated legal person) may be involved in establishing this agreement.
12 This agreement may be in electronic form.
13 The End User may, if the Certification Authority offers this service, request a Certificate renewal for example where relevant attributes presented to the Certification Authority for the Certificate have changed or when the Certificate
d. the confidentiality and integrity of registration data are
protected especially when exchanged with the Subject or between distributed CA system components.
9.4.4 Dissemination of terms and conditions
The CA shall ensure that the terms and conditions are made available to Subscribers, Subjects and Relying Parties.
In particular, the CA shall ensure that:
a. the terms and conditions regarding the use of the Certificate are made available to Subscribers, Subjects and Relying Parties, including:
– any limitations on Certificate use
– the Subscriber’s obligations as defined in 7.2
– information on how to verify the Certificate, including
requirements to check the revocation status of the Certificate, such that the Relying Party is considered to “reasonably rely”
on the Certificate (see 7.3) – limitations of liability
– the period of time registration information (see 9.4.1) is retained
– express consent for the use of personal data if present in the Certificate
– the period of time CA event logs (see 9.5.11) are retained – procedures for complaints and dispute settlement – the applicable legal system
– the information identified in a above is available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language.
9.4.5 Certificate dissemination
The CA shall ensure that Certificates are made available as necessary to Subjects and Relying Parties.
In particular, the CA shall ensure that:
a. upon generation, the complete and accurate Certificate is available to the Subject for whom the Certificate is being issued b. Certificates are available for retrieval from the CA system in only
those cases for which the Subject’s consent has been obtained c. the terms and conditions regarding the use of the Certificate are
made available to Relying Parties (see 9.4.4)
d. the applicable terms and conditions are readily identifiable for a given Certificate
e. the information identified in c above is available for a minimum of 21 hours per day, seven days per week, and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than the maximum period of time as denoted in the Certification Practice Statement
f. the information identified in c above is publicly and
internationally available.
9.4.6 Certificate revocation and suspension
The CA shall ensure that Certificates are revoked in a timely manner based on authorised and validated Certificate revocation requests.
In particular, the CA shall ensure that:
a. as part of its Certification Practice Statement (see 9.2), the procedures for revocation of Certificates are documented, including:
– who may submit revocation reports and requests – how they may be submitted
– any requirements for confirmation of revocation reports and requests
– whether and for what reasons Certificates may be suspended – the mechanism used for distributing revocation status
information
– the maximum delay between receipt of a revocation request or report and the change to revocation status information being available to all Relying Parties, and this shall be at most one day
b. requests and reports relating to revocation (eg due to compromise of Subject’s Private Key, death of the Subject, violation of contractual obligations) are processed on receipt c. requests and reports relating to revocation are authenticated
and checked to be from an authorised source, if possible, and the method is to be documented in the CA’s practices d. a Certificate’s revocation status is set to ‘suspended’ whilst
the revocation is being confirmed, and the CA shall ensure that a Certificate is not kept suspended for longer than is necessary to confirm its status
14e. the Subscriber agrees to inform the Subject (or Representative where the Subject is a Device) of a revoked or suspended Certificate within a reasonable time and to their best effort of the change of status of its Certificate
15f. once a Certificate is definitively revoked (ie not suspended) it is not reinstated
g. where CRLs, including any variants (eg Delta CRLs), are used, these are published at least daily and
– every CRL shall state a time for next scheduled CRL issue – a new CRL may be published before the stated time of the
next CRL issue and
– the CRL shall be signed by the CA
h. revocation management services for processing of revocation requests from authorised revocation personnel are available 21 hours per day, seven days per week (hours as published on www.landregistry.gov.uk), and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement
i. revocation status information is available 21 hours per day, seven days per week (hours as published on www.landregistry.
gov.uk), and in case of failure, the CA shall make best
endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement
16j. the integrity and authenticity of the status information are protected
k. revocation status information is publicly and internationally available
l. revocation status information shall include information on the status of revoked Certificates at least until the Certificate expires.
14 Support for Certificate suspension is optional.
15 This may be done electronically.
16 Revocation status information may be provided, for example, using on-line Certificate status service or through distribution of CRLs through a repository.
9.5 Management and operation
The CA shall ensure that a risk assessment is carried out to evaluate operational risks and determine the necessary security requirements and operational procedures. The risk analysis shall be regularly reviewed and revised if necessary.
9.5.1 Security management
The CA shall ensure that administrative and management procedures are applied which are adequate and correspond to recognised standards.
In particular, the CA shall ensure that:
a. it retains liability towards Relying Parties for all aspects of the provision of certification services, even if some functions are outsourced, except liability for accuracy of underlying evidence and attestations according to 9.4.1 on which the CA reasonably relies as part of the service provision. Responsibilities of third parties shall be clearly defined by the CA and appropriate arrangements made to ensure that third parties are obliged to implement any controls required by the CA. The CA shall retain responsibility for the disclosure of relevant practices of all parties
b. it provides, through its management, direction on information security through Land Registry’s IT Security Committee (ITSC) that is responsible for defining the CA’s information security policy and for ensuring publication and communication of the policy to all employees of the CA who are affected by the policy c. it maintains a system (or systems) for quality and information security management appropriate for the certification services it is providing
d. it maintains at all times the information security infrastructure necessary to manage the security within the CA. Any changes that will affect the level of security provided shall be approved by the ITSC
17e. it documents, implements and maintains the security controls and operating procedures for CA facilities, systems and information assets providing the certification services
18f. the security of information is maintained when the responsibility for CA functions has been outsourced to another organisation or entity.
9.5.2 Asset classification and management
The CA shall ensure that assets and information related to Land Registry E-Security services receive an appropriate level of protection. In particular the CA shall maintain an inventory of all information assets and shall assign a classification of their protection requirements consistent with the risk analysis (9.2).
9.5.3 Personnel security
The CA shall ensure that personnel and hiring practices support the trustworthiness of the operation of Land Registry E-security services.
In particular, the CA shall ensure that:
a. it only employs or contracts personnel possessing the expert knowledge, experience and qualifications necessary for the offered services and which are appropriate to the job function b. security roles and responsibilities, as specified in the CA’s
security policy, are documented in job descriptions. Trusted roles, on which the security of the CA’s operation is dependent,
17 See ISO/IEC 17799-1 for guidance on information security management including information security infrastructure, management information security forum and information security policies.
18 This documentation (commonly called a system security policy) should identify all relevant targets, objects and potential threats related to the services provided and the safeguards required to avoid or limit the effects of those threats. It should describe the rules, directives and procedures regarding how the specified services and the associated security assurance are
c. its own and relevant subcontractors’ and customers’ staff (both temporary and permanent) have job descriptions defined from the view point of separation of duties and least privilege, determining position sensitivity based on the duties and access levels, background screening and employee training and awareness. Where appropriate, these job descriptions shall differentiate between general functions and functions specific to Land Registry E-security services. These job descriptions should include skills and experience requirements
d. staff exercise administrative and management procedures and processes that are adequate and that correspond to recognised standards
e. managerial staff are employed within CA functions who possess appropriate expertise in the field of CA services and familiarity with proper security procedures for personnel with security responsibilities
f. all its staff, and all its relevant subcontractors’ and customers’
staff in trusted roles, are free from conflicting interests that might prejudice the trustworthiness of the CA operations g. trusted roles include, but are not limited to, roles that involve
the following responsibilities:
– Security Officers: Overall responsibility for administering the implementation of the security practices. Additionally approve the generation, revocation, suspension and resumption of Land Registry ‘Security Administrator’
Certificates
– System Administrators: Authorised to install, configure and maintain the CA trustworthy systems for registration, Certificate generation, Subject Device provision and revocation management
– System Operators: Responsible for operating the CA trustworthy systems on a day-to-day basis. Authorised to perform system backup and recovery
– System Auditors: Authorised to view and maintain archives and audit logs of the CA trustworthy systems.
h. its staff, and all its relevant subcontractors’ and customers’ staff, are formally appointed to trusted roles by an appropriate senior management group such as the ITSC (9.5.1.b) above)
i. that no person is appointed to trusted roles who is known to have a conviction for a serious crime or other offence which may affect their suitability for the position
19. Staff shall not have access to the trusted functions until any necessary checks are completed.
9.5.4 Physical and environmental security
20The CA shall ensure that:
• physical access to its premises and equipment is limited to properly authorised individuals
• Certificate issuance facilities are protected from environmental hazards
• controls are implemented to avoid loss, damage or compromise of assets and interruption to business activities and
• controls are implemented to avoid compromise or theft of information and information processing facilities.
19 In some countries it may not be possible to obtain information on past convictions. However, the employer may be able to ask the candidate to provide such information and turn down an application in case of refusal.
20 See ISO/IEC 17799 [REF _
Ref159998961 \r \h 7] for guidance on
