Certification Practice Statement (CPS)

Digital Signature Certificate Service

Code: 0001-DPC-GRC

Date: March 2018

Version: 4

Approved by: Government Risk and Compliance Director

CPS DIGITAL SIGNATURE CERTIFICATE SERVICE

Code: 0001-DPC-GRC

Date: March 2018

Version 4

Approved by: GRC Director

Prepared by: DOPE, DTI, DJUR and GRC

Page 2 of 68

PUBLIC CONTROLLED COPY

Avoid using obsolete documents. The latest approved version can be found on the Certicámara website.

Table of Contents

1 Introduction ... 7
  1.1 Certification Practice Statement ... 7
  1.2 Sociedad Cameral de Certificación Digital Certicámara S.A ... 7
  1.3 Protection of Intellectual Property Rights ... 7
  1.4 References ... 8
  1.5 Participants and Structure of the Digital Certification System ... 8
    1.5.1 Root Certificate Authority (CA) ... 8
    1.5.2 Holders of Certificates ... 8
    1.5.3 Subordinate Certificate Authorities ... 9
    1.5.4 Relying Party ... 9
    1.5.5 Competent Third Party ... 9
    1.5.6 Applicant ... 9
    1.5.7 Subscriber ... 9
    1.5.8 Registration Entities ... 10
  1.6 Provision of the Digital Certificate to subscribers through a logistics operator ... 10
    1.6.1 Coverage ... 10
    1.6.2 Delivery time and management ... 10
  1.7 Permitted uses for the Root Certificate of the certification body and for digital certificates in general ... 11
    1.7.1 General rules applicable to digital certificates issued by Certicámara ... 11
    1.7.2 Prohibited Uses ... 13
  1.8 Management policies of the root certificate authority (CA) ... 13
    1.8.1 Administrative Organization Specifications ... 13
    1.8.2 Contact Person ... 13
  1.9 Definitions ... 14
    1.9.1 Digital Certificates ... 14
    1.9.2 Digital Certification Entities ... 14
    1.9.3 Root Certification Authority of Certicámara ... 14

2 CA release of information and certificate repositories ... 15
  2.1 Repositories ... 15
  2.2 Publication ... 16
  2.3 Frequency of Publication ... 16
    2.3.1 Root Certificate CA ... 16
    2.3.2 Certificate Revocation List (CRL) ... 16
    2.3.3 Online Certificate Status Protocol (OCSP) ... 17
    2.3.4 Certification Practice Statement ... 17
  2.4 Access control on the certificate repository ... 17

3 Identification and authentication ... 17
  3.1 Naming ... 17
    3.1.1 Types of names ... 17
    3.1.2 Need for names to be meaningful ... 18
    3.1.3 Interpreting name forms ... 18
    3.1.4 Uniqueness of names ... 18
    3.1.5 Resolution of conflicts regarding names ... 18
  3.2 Initial identity validation ... 18
    3.2.1 Method to prove possession of the private key ... 18
    3.2.2 Authentication of organization and individual identity ... 18
    3.2.3 Verification of the powers of representation ... 19
  3.3 Identification and authentication for re-key requests ... 19
    3.3.1 Identification and authentication of routine renewal requests ... 19
    3.3.2 Identification and authentication of key renewal requests after revocation (uncompromised key) ... 19
  3.4 Identification and authentication of key renewal requests ... 19

4 Certificate Lifecycle ... 19
  4.1 Certificate Application ... 19


  4.2 Rejection of the digital certificate application ... 21
  4.3 Issuance of the Certificate ... 21
    4.3.1 CA proceedings during the issuance of the certificate ... 21
    4.3.2 Notification to the applicant by the Subordinate CA about the issuance of the certificate ... 22
    4.3.3 Acceptance of certificates: form in which the certificate is accepted ... 22
    4.3.4 Publication of the certificate by the CA ... 22
    4.3.5 Notification of the issuance of the certificate by the CA to other Authorities ... 22
  4.4 Use of the key pair and the subscriber's certificate ... 22
    4.4.1 Use of the private key of the certificate by the SUBORDINATE ENTITY ... 22
    4.4.2 Use of the public key and certificate by third parties in good faith ... 22
  4.5 Re-key services for private keys and administration of keys ... 23
  4.6 Renewal of certificate with change of key ... 23
    4.6.1 Causes for the renewal of a certificate ... 23
    4.6.2 Entity or subscriber that can request the renewal of the certificate ... 23
    4.6.3 Application procedure for the renewal of a certificate ... 23
    4.6.4 Notification of the issuance of a new certificate to a subscriber ... 23
    4.6.5 Publication of the certificate renewed by the CA ... 23
    4.6.6 Notification of the issuance of the certificate by the CA to other entities ... 24
  4.7 Modification of certificates ... 24
  4.8 Revocation (Cancellation) of digital certificates ... 24
    4.8.1 Revocation Scenarios ... 24
    4.8.2 Consequences of the revocation ... 25
    4.8.3 Revocation procedure ... 26
    4.8.4 Revocation ... 26
    4.8.5 Revocation of the digital certificate by the user ... 27
    4.8.6 Communication and Publication of the revocation ... 27
  4.9 Verification services for the status of the certificate ... 27
    4.9.1 Operational Characteristics ... 27
    4.9.2 Service Availability ... 28
    4.9.3 Additional characteristics ... 28
  4.10 Termination of the subscription ... 28
  4.11 Custody and key recovery ... 28
    4.11.1 Custody practices and policies and key recovery ... 28

5 Physical security, management and operational controls ... 29
  5.1 Physical security controls ... 29
    5.1.1 Location and construction ... 29
    5.1.2 Physical access ... 29
    5.1.3 Power supply and air conditioning ... 29
    5.1.4 Water exposure ... 30
    5.1.5 Fire protection and prevention ... 30
    5.1.6 Storage systems ... 30
    5.1.7 Waste disposal ... 30
    5.1.8 Backup Storage ... 30
  5.2 Functional controls ... 31
    5.2.1 Roles of trust ... 31
    5.2.2 Number of people required per task ... 32
    5.2.3 Identification and authentication for each role ... 32
  5.3 Personnel security controls ... 33
    5.3.1 Background, qualification, experience and accreditation requirements ... 33
    5.3.2 Training requirements ... 33
    5.3.3 Requirements and frequency of training updates at Certicámara ... 33
    5.3.4 Frequency and sequence of rotation of tasks at Certicámara ... 34
    5.3.5 Penalties for unauthorized actions ... 34
    5.3.6 Documentation provided to the staff of Certicámara ... 34


  5.4 Security control procedure ... 34
    5.4.1 Types of events recorded ... 34
    5.4.2 Analysis of log records ... 36
    5.4.3 Retention period for audit logs ... 36
    5.4.4 Audit information collection system ... 36
    5.4.5 Notification to the subject originating the event ... 36
    5.4.6 Vulnerability analysis ... 37
  5.5 Record archival and events recorded ... 37
    5.5.1 Type of information and events recorded ... 37
    5.5.2 Retention period for the archive ... 37
    5.5.3 Archive protection ... 38
    5.5.4 Archive backup procedures ... 38
    5.5.5 Procedures for obtaining and verifying archived information ... 38
  5.6 Key change ... 38
  5.7 Recovery in case of disaster ... 38
    5.7.1 Incident and vulnerability management procedures ... 38
    5.7.2 Alteration of hardware, software and/or data resources ... 39
    5.7.3 Proceeding after the private key of an authority has been compromised ... 39
    5.7.4 Security of the facilities after a natural disaster or any other disaster ... 40
  5.8 Cessation of activity ... 40

6 Technical security controls ... 40
  6.1 Generation and installation of the key pair ... 40
    6.1.1 Generating the key pair ... 40
    6.1.2 Delivery of the private key to the subordinate entity ... 41
    6.1.3 Delivery of the public key to the subordinate entity ... 41
    6.1.4 Availability of the public key ... 41
    6.1.5 Size of the keys ... 41
    6.1.6 Parameters for generating the public key and quality verification ... 41
    6.1.7 Hardware/Software for key generation ... 41
    6.1.8 Generation of the key pair for subscribers ... 42
  6.2 Protection of the private key ... 42
    6.2.1 Standards for cryptographic modules ... 42
    6.2.2 "n" of "m" control of the private key ... 43
    6.2.3 Custody of the private key ... 43
    6.2.4 Backup of the private key ... 43
    6.2.5 Archive of the private key ... 43
    6.2.6 Inserting the private key in the cryptographic module ... 43
    6.2.7 Method for activating the private key ... 43
    6.2.8 Method for deactivating the private key ... 43
    6.2.9 Method for destroying the private key ... 44
    6.2.10 Loss of validity of encryption systems ... 44
    6.2.11 Rating of the cryptographic module ... 44
  6.3 Other aspects of key pair management ... 44
    6.3.1 Public key archive ... 44
    6.3.2 Operating periods of the certificates and period of use for the key pair ... 45
  6.4 Activation data ... 45
    6.4.1 Generation and installation of activation data ... 45
    6.4.2 Activation data protection ... 45
  6.5 Security controls while handling personal computers ... 45
    6.5.1 Specific technical requirements ... 45
    6.5.2 Computer security ratings of Certicámara ... 45
  6.6 Life cycle security controls ... 45
    6.6.1 Systems development controls ... 45
    6.6.2 Security management controls ... 46


6.6.3 Life cycle safety ratings .......................................................................................................................................................... 46 6.7 Network securi ty controls........................................................................................................................................................... 46 6.8 Engineering controls of cryptographic modules......................................................................................................................... 46

7 Standards ............................................................................................................................................................................................. 46 7.1 Certi ficate Profile ........................................................................................................................................................................ 46

7.1.1 Version number ...................................................................................................................................................................... 46 7.1.2 Certi ficate extensions............................................................................................................................................................. 47 7.1.3 Algori thm Object Identifiers (OID) ......................................................................................................................................... 47 7.1.4 Name formats......................................................................................................................................................................... 48 7.1.5 Restrictions of names ............................................................................................................................................................. 48 7.1.6 Object Identifier (OID) of the certification policy .................................................................................................................. 48

7.2 Profile of the CRL and CRL with cri tical extension ...................................................................................................................... 48 7.2.1 Version number ...................................................................................................................................................................... 48 7.2.2 CRL Extensions........................................................................................................................................................................ 48

7.3 On-l ine protocol service for the s tatus of OCSP certi ficates for va l idi ty verification of digital certificates issued to subscri bers. 48

7.3.1 Specification ........................................................................................................................................................................... 48 7.3.2 Version.................................................................................................................................................................................... 48 7.3.3 Provision of the service by Certicámara S.A. and Extensions ................................................................................................ 49

8 Compliance audit ................................................................................................................................................................................. 49 8.1 Frequency of compliance controls for each entity ..................................................................................................................... 49 8.2 Auditors....................................................................................................................................................................................... 49 8.3 Relationship between the auditor and the audited enti ty ......................................................................................................... 49 8.4 Topics covered by the compliance control ................................................................................................................................. 49 8.5 Actions to be taken in case of a deficiency................................................................................................................................. 50 8.6 Informing the results................................................................................................................................................................... 50 8.7 Last audit report.......................................................................................................................................................................... 50

9 Digi tal certificates issued by Certicámara............................................................................................................................................ 50 9.1 Certi ficate of Representation of the Company / Enti ty .............................................................................................................. 50 9.2 Certi ficate of Belonging to a Company / Enti ty .......................................................................................................................... 51 9.3 Certi ficate for Certified Professionals ......................................................................................................................................... 52 9.4 Certi ficate for Civil Servant Holder ............................................................................................................................................. 53 9.5 Digi tal Certi ficate for Natural Persons ........................................................................................................................................ 53 9.6 Digi tal Certi ficate for Legal Enti ty (enti ty-company) .................................................................................................................. 54 9.7 Certi ficate for time s tamp........................................................................................................................................................... 55

10 Issuance of digi tal certi ficates for special projects .............................................................................................................................. 55 11 Rates..................................................................................................................................................................................................... 55

11.1 Reimbursement Policies for Subscribers .................................................................................................................................... 56 12 Obligations of the Participants ............................................................................................................................................................ 56

12.1 Obligations of Certicámara ......................................................................................................................................................... 56 12.2 Obligations and conditions of the subscriber ............................................................................................................................. 58 12.3 Obligations of the relying party .................................................................................................................................................. 60

12.3.1 Reliability of signatures and digi tal certi ficates ................................................................................................................ 61 12.3.2 Reliability of digi tal signatures .......................................................................................................................................... 61 12.3.3 Reliability of the digi tal certi ficate .................................................................................................................................... 61

12.4 Obligations of External Approval Enti ties ................................................................................................................................... 62 13 Responsibility of the participants ........................................................................................................................................................ 62

13.1 Responsibility of Certicámara ..................................................................................................................................................... 62 13.2 Responsibility of the subscriber.................................................................................................................................................. 63 13.3 Responsibility of the relying party .............................................................................................................................................. 64

14 Guarantees offered by Certicámara for fulfilling its obligations ......................................................................................................... 64 15 Confidentiality policy ........................................................................................................................................................................... 64

15.1 Confidential information............................................................................................................................................................. 64 15.2 Non-confidential information ..................................................................................................................................................... 65

Page 6: 0001-DPC-GRC DPC Digital Signature Certificate Service...DIGITAL SIGNATURE CERTIFICATE SERVICE Code: 0001-DPC-GRC Date: March 2018 Version 4 Approved by: GRC Director Elaborated DOPE,

CPS DIGITAL SIGNATURE CERTIFICATE SERVICE

Code: 0001-DPC-GRC

Date: March 2018

Version 4

Approved by: GRC Director

Elaborated DOPE, DTI. DJUR y GRC

Page Page 6 of 68

PUBLIC CONTROLLED COPY

Avoid using obsolete documents. The latest approved version can be found on the Certicámara website.

16 Headquarter ......................................................................................................................................................................................... 65 17 Peti tions , complaints, claims, request and suggestions PQRSS........................................................................................................... 65 18 Dispute resolution procedures ............................................................................................................................................................ 66 19 Intellectual Property ............................................................................................................................................................................ 67 20 Acronyms ............................................................................................................................................................................................. 67 21 References............................................................................................................................................................................................ 67


1 Introduction

1.1 Certification Practice Statement

This document is the Certification Practice Statement (CPS) that establishes the rules and general conditions of the certification services provided by the Sociedad Cameral de Certificación Digital Certicámara S.A. under its root certificate, valid until May 24, 2031 at 1:39:46 p.m. and identified by the hexadecimal serial number 43 1c 28 c6 74 0f ed 25 57 44 9f f2 fd 0e 5e 14. It covers the management of information in the verification and issuance of digital certificates, the conditions applicable to each type of product and/or service, issuance, use, revocation, security policies, technical controls, information mechanisms, dissemination, customer service and related matters.

The root certificate is used exclusively to issue the certificates of the subordinate certification authorities and to sign the certificate revocation list (CRL) covering those subordinate authorities. The subordinate CAs in turn issue the end-entity certificates used by the clients of Certicámara's digital certificate service.

The CPS is addressed to all natural or legal persons, applicants, subscribers and, in general, users of digital certificates, as well as third parties who rely on them as legal and probative evidence or within the scope in which they are implemented, in compliance with Law 527 of 1999, Decree Law 019 of 2012 and Decree 1074 of 2015, which compiles Decree 333 of 2014.

Updates and/or modifications to the Certification Practice Statement follow the procedure specified for such cases: any change or adaptation to the document must be reviewed and analyzed by the Operations, ICT and Legal areas, and final approval rests with the Governance, Risk and Compliance (GRC) Director of Certicámara S.A. The approval is formalized in the minutes of a change committee. The GRC Director is responsible for asking the Web and Multimedia Analyst to publish the new version on the website: https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/

1.2 Sociedad Cameral de Certificación Digital Certicámara S.A

The Sociedad Cameral de Certificación Digital Certicámara S.A., tax identification number (TIN) 830084433-7, hereinafter Certicámara, is a public stock corporation established by the country's chambers of commerce to provide digital certificate services. Certicámara is an Open Digital Certification Entity of a business nature, whose main purpose is to provide the tools that entrepreneurs and other Internet users in the country need to conduct electronic business with legal certainty.

Certicámara is located in the city of Bogotá, is registered in the Mercantile Register under registration number 1079279, and is accredited before the National Accreditation Body of Colombia (ONAC, by its Spanish acronym) under accreditation certificate number 16-ECD-002. The official directory of accredited digital certification entities is available at: http://www.onac.org.co/modulos/contenido/default.asp?idmodulo=599.

1.3 Protection of Intellectual Property Rights

All the information provided in this Certification Practice Statement (CPS) belongs exclusively to the Sociedad Cameral de Certificación Digital Certicámara S.A., which therefore reserves all intellectual property rights over this document, including its information, techniques, models, internal policies, processes and procedures, in accordance with the applicable national and international regulations.


1.4 References

Decree-Law 019 of 2012, Article 161 ("Activities of certification entities"), which amends Article 30 of Law 527 of 1999 to read: "Article 30. Activities of certification entities. The certification entities accredited by the National Accreditation Body of Colombia to provide their services in the country may carry out, among others, the following activities: (...) 9. Any other activity related to the creation, use or application of digital and electronic signatures."

This Certification Practice Statement is issued considering the following recommendations:

a. NTC-ISO 16175-1. Information and documentation. Principles and functional requirements for records in electronic office environments. Part 1: Overview and statement of principles.
b. NTC-ISO 16175-2. Information and documentation. Principles and functional requirements for records in electronic office environments. Part 2: Guidelines and functional requirements for digital records management systems.
c. ISO 16175-3. Information and documentation. Principles and functional requirements for records in electronic office environments. Part 3: Guidelines and functional requirements for records in business systems.
d. ISO 22957. Document management. Analysis, selection and implementation of electronic document management systems (EDMS).
e. AIIM/ARMA TR48. Revised Framework for Integration of EDMS and ERMS Systems.

1.5 Participants and Structure of the Digital Certification System

The following are the participants in Certicámara's Digital Certification System:

1.5.1 Root Certificate Authority CA

The Root CA is the Certification Authority at the origin of the digital certification hierarchy.

It is the element of Certicámara responsible for issuing the digital certificates that accredit its issuance platform. The data structure of the root certificate is as follows:

Root Certificate Field               Root Certificate Value
Root CA key                          RSA, 4096 bits
Version                              V3
Serial                               Unique certificate identifier, at most 32 hexadecimal characters
Certificate signature algorithm      SHA256withRSAEncryption

1.5.2 Holders of Certificates

The certificates issued by the root CA are held by the root CA itself and by Certicámara S.A. for its subordinate CAs (see 1.5.3).


1.5.3 Subordinate Certificate Authorities

In the Colombian legal framework, subordinate CAs derive from the Root CA hierarchy: the Root CA must sign their certificates so that they, in turn, can issue certificates to the final subscribers, following the chain of trust from the root of Certicámara as an open certification entity accredited by ONAC.

This CPS applies to all CAs belonging to Certicámara's public key infrastructure, in accordance with the general requirements of the legal framework described in the section on regulatory references. The data structure of a subordinate CA certificate is as follows:

Subordinate CA Certificate Field         Subordinate CA Certificate Value
Public key of the subordinate entity     RSA, 2048 bits
Version                                  V3
Serial                                   Unique certificate identifier, at most 32 hexadecimal characters
Certificate signature algorithm          SHA256withRSAEncryption
Issuer (CN)                              Root Certification Authority of the certification chain

1.5.4 Relying Party

A person who receives, uses or in any way relies on Certicámara's digital certificates and is therefore legally bound by the terms of this Certification Practice Statement.

1.5.5 Competent Third Party

A natural or legal person considered suitable to carry out, securely and reliably on behalf of the subscriber, the generation of the public and private key pair, guaranteeing that no one other than the subscriber will know the private key, in accordance with the terms of this Certification Practice Statement and following Certicámara's instructions at all times, and meeting the requirements of the internal and external audits that assure this mechanism. Nevertheless, the generation of the subscribers' key pair is the responsibility of the CA software.

1.5.6 Applicant

A natural or legal person requesting the issuance of a digital certificate in their own name, on behalf of third parties, or in the name and legal representation of a legal entity.

1.5.7 Subscriber

The natural or legal person who appears in the digital certificate as its holder, under the Certification Practice established for each certificate type.


1.5.8 Registration Entities

Offices designated by Certicámara to receive applications, validate the information and approve the issuance of digital certificates, complying with the Colombian legal norms in force for certification authorities, the Certification Practice Statements and the parameters established in the WebTrust principles.

The local registration authority is located in the city of Bogotá; the person in charge of the central registration authority sends the information to the registration authority server of the PKI for processing and issuance of the digital certificates.

1.6 Provision of the Digital Certificate to subscribers through a logistics operator

1.6.1 Coverage

Digital certificates are delivered in accordance with the coverage matrix of the door-to-door delivery service of the logistics operator contracted by Certicámara for this task, or by direct delivery by the person responsible for Certicámara's logistics area, complying with the security requirements needed to ensure that delivery is made in person and that the confidentiality of the private key of the subscriber's certificate is maintained at all times. Digital certificates are sent through the logistics operator to the address registered in the application form or, if the applicant so indicates in advance, may be picked up directly at the Certicámara offices in Bogotá, Cali or Bucaramanga. For destinations where door-to-door personal delivery is not available, Certicámara will contact the applicant to agree on a service point of the logistics operator where the applicant or an authorized third party can pick up the digital certificate.

Delivery requirements

In every case, delivery is made after identifying the applicant. If personal delivery of the digital certificate is not possible, the applicant must authorize a third party to receive it through an authorization letter signed by the applicant, attaching a copy of the identification documents of both the applicant and the authorized third party. The logistics operator's delivery slip serves as evidence of receipt of the digital signature certificate. Where a contracting entity has a coordinator in charge of managing its digital certificates, that person may receive and distribute the certificates after validation by Certicámara S.A. Delivery of an empty device (token) to a third party requires no prior authorization from the applicant, since it carries no key material yet.

1.6.2 Delivery time and management

In urban areas and main cities, the delivery time from issuance of the certificate to delivery to the applicant is approximately two (2) business days; if neither the applicant nor the authorized third party can be located, the term may extend to five (5) business days.

Nationally and in intermediate cities, the delivery time from issuance of the certificate to delivery to the applicant is approximately three (3) business days; if neither the applicant nor the authorized third party can be located, the term may extend to eight (8) business days.

For special locations, the delivery time from issuance of the certificate to delivery to the applicant is approximately four (4) business days; if neither the applicant nor the authorized third party can be located, the term may extend to nine (9) business days.


If the certificate cannot be delivered for a cause attributable to the subscriber, Certicámara and/or the logistics operator will contact the applicant by e-mail or telephone three times to coordinate delivery. If no response with a delivery or collection date for the digital signature certificate is received, Certicámara will keep the certificate in storage for two (2) months from the date of issuance; once that term expires without a response from the subscriber, Certicámara will revoke the certificate and cancel the process in the Products and Services Requests System (SSPS, by its Spanish acronym). If the applicant still requires a digital signature certificate, the application process must be started again in accordance with the "Request for Certificates" section of this CPS.

Downloading the certificate directly by the subscriber

Under contractual agreements, or when renewing digital certificates, subscribers generate and download the digital certificate themselves using the technological mechanisms provided by Certicámara's issuance platform. The same applies when no cryptographic storage device supplied by Certicámara is required, or when the subscriber prefers to carry out the process personally using the token.

1.7 Permitted uses for the Root Certificate from the certification body and digital certificates in general

The root digital certificate may only be used to identify the root certification authority itself and to distribute its public key securely. Certificates issued by the root CA are used only to sign digital certificates and the corresponding certificate revocation lists (CRLs).

1.7.1 General rules applicable to digital certificates issued by Certicámara

a) The subscriber may only use the digital certificate for the purposes specified in its individual contract with Certicámara or for those permitted in this Certification Practice Statement. The contract with the subscriber may narrow the permitted uses depending on the environment in which the digital certificate is used or the particular characteristics of the project being developed. Any other use will be considered a violation of this Certification Practice Statement, constitutes grounds for revocation of the digital certificate and termination of the contract with the subscriber, and is without prejudice to any criminal or civil proceedings that may arise.

b) The subscriber acknowledges and accepts that the advertised products and services are provided individually "As Is", that the digital certificates mainly certify the identity of the natural person listed as the subscriber of the service, that there is no implicit information involving services or provisions beyond those expressly mentioned, and that their use is the subscriber's exclusive responsibility.

c) The use of the digital certificate and of the data messages digitally signed with it, including electronic money transactions of any amount, is the FULL responsibility of the corresponding subscriber. Certicámara therefore has no responsibility for verifying or attesting to the signed data messages, since it is not aware of, and has no legal obligation to be aware of, the digitally signed messages or the amounts of the transactions made with the digital certificate in third-party electronic transaction systems. In general, as an Open Digital Certification entity and Trusted Third Party, Certicámara is not accountable for the use the subscriber makes of certificates and digital signatures, and no financial limits apply in this regard.

d) Any relying party of the digital certificate must:

o Verify the reliability of the digital signature of the subscriber, as well as that of Certicámara and any other appearing in the digital certificates, as set out in this Certification Practice Statement.


o Verify that the digital certificate it intends to rely on is not listed in the database of revoked digital certificates that Certicámara maintains for that purpose and publishes on its website.

o Determine precisely which data in the received message is covered by the digital signature.

The public key contained in a digital certificate is a technical resource that can be used to ENCRYPT the data messages that are sent, so that only the holder of the corresponding private key can DECRYPT the message and access the information. If the private key is lost or destroyed, information that was ENCRYPTED with the public key cannot be deciphered. The SUBSCRIBER and the RELYING PARTY acknowledge and accept that using the subscriber's public key to ENCRYPT documents is their exclusive responsibility, and that all information so ENCRYPTED will be lost if the private key is lost or destroyed. Certicámara assumes no responsibility in this regard.

e) If, during the validity period, part or all of the information contained in the digital certificate ceases to be accurate or valid, the subscriber must initiate the revocation procedure in accordance with the "Revocation of digital certificates" section of this Certification Practice Statement.

f) The digital certificates must be used as they are provided by Certicámara according to the Certification policies.

g) Digital certificates must be retained indefinitely in the database, regardless of their status.

h) Digital certificates can be used for the following purposes:

o Identification: The subscriber of the digital certificate can be identified as a natural person and may link it to a quality or condition verified by the certification entity while issuing the digital certificate, proving access to the private key associated with the public key included in the digital certificate.

o Integrity: The use of the Public Key Infrastructure enables a relying party to verify that a received data message has not been altered during the sending and receiving process or at any other time.

o Non-repudiation: After all the procedural requirements of the Digital Certification System have been met, the person who receives a data message digitally signed and backed by a digital certificate has the assurance that the subscriber sent said data message and cannot deny having done so.

Additionally, if so provided by the subscriber, the digital certificate may be used to achieve the following attribute:

o Confidentiality: The public key of the subscriber can be used to encrypt all the sent documents, preventing third parties from accessing the communications transmitted through open electronic networks. THE USE OF THE PUBLIC KEY BY THE SUBSCRIBER TO ENCRYPT THE INFORMATION SHOULD IN ALL CASES COMPLY WITH THE LEGAL REQUIREMENTS OF COLOMBIA, OR OF ANY OTHER COUNTRY OF THE WORLD WHERE THE DIGITAL CERTIFICATION SYSTEM IS USED, REGARDING INFORMATION ENCRYPTION TECHNOLOGIES. Although its use for data encryption is feasible, Certicámara is not responsible for this activity because, for security reasons, the certification body does not keep a copy of the Subscriber's private key. Therefore, the recovery of encrypted data in case of loss of the private key by the Subscriber or the Relying Party is not guaranteed and remains, in any case, their own responsibility.

i) The use and adaptation of the digital certificates to the subscriber's needs corresponds exclusively to the subscriber, thus Certicámara does not assume any responsibility. Therefore, if any duty to inform the relying parties about a given use of the digital certificate exists, that duty is the sole responsibility of the subscriber.


1.7.2 Prohibited Uses

a) Digital certificates may not be used by any person, under any circumstances, for illegal purposes or operations under any legal regime in the world, particularly but not exclusively those that require a state authorization to be performed.

b) Any use of digital certificates that is contrary to Colombian law, to international agreements signed by the Colombian state, to supranational norms, to good customs, to sound business practices, or to any norm contained in this Certification Practice Statement, in the Certification Practice and in the contracts signed between Certicámara and the Subscriber is absolutely forbidden.

c) The use of digital certificates and the Digital Certification System as a control system for high-risk activities or for error-proof systems is prohibited, including, but not limited to, the following:

o Navigation systems of land, air or maritime transport.

o Air traffic control systems.

o Weapons control systems.

d) Digital certificates cannot be used in any system whose failure could cause the death or injury of people, or cause serious damage to the environment.

e) The hardware of the digital certificate provided by Certicámara (if applicable) can only be used within the context of the Digital Certification System. No information other than that expressly authorized by Certicámara may be incorporated into the hardware provided by Certicámara, nor may the hardware be used outside the Digital Certification System.

1.8 Management policies of the root certificate authority CA

1.8.1 Administrative Organization Specifications

Name: Sociedad Cameral de Certificación Digital Certicámara S.A.

E-mail: [email protected]

Address: Carrera 7 Nº 26-20 Floors 18 and 19 Seguros Tequendama Building

Phone number: (057 1) 3790300 – 7442727 – Toll free number 018000181531

Website: www.certicamara.com

1.8.2 Contact Person

Name: HECTOR JOSÉ GARCÍA SANTIAGO – CEO

E-mail: [email protected]

Address: Carrera 7 Nº 26-20 Floor 18 Seguros Tequendama Building Bogotá (Colombia).

Phone number: (057 1) 3790300 Ext. 1207

Website: www.certicamara.com


1.9 Definitions

1.9.1 Digital Certificates

Digital certificates are digital files in which Certicámara issues certain statements regarding the identity of the subscriber of the service, based on the information provided by the subscriber and on Certicámara's own verification procedures.

A digital certificate contains the essential information that allows the persons who receive it through electronic means to know the identity of its sender. All digital certificates issued by Certicámara are digitally signed by Certicámara. Anyone receiving a certificate can therefore be assured that it has not been altered and that Certicámara issued it.

1.9.2 Digital Certification Entities

The Digital Certification Entities are TRUSTED THIRD PARTIES that provide digital certificate services through a Digital Certification System. The digital certificate services provide security to the communications carried out in open networks, such as the Internet, by issuing digital certificates to users with information about the person they are communicating with. To issue digital certificates, the Digital Certification Entities use the Public Key Infrastructure (PKI), which is the set of technological elements that, through the use of a pair of cryptographic keys, one private and owned by the subscriber of the service and one public and included in the digital certificate, allow them to:

o Identify the recipient of a message.

o Prevent third parties from seeing the messages sent through electronic means.

o Prevent a third party from altering the information that is sent through electronic means.

o Prevent the subscriber of the digital certificate service from denying that he sent an electronic message after it has been sent.

1.9.3 Root Certification Authority from Certicámara

The Root Certification Authority (CA) is the Root Certification Authority of the Public Key Infrastructure of Certicámara, whose main function is to issue digital certificates to its digital certification platform. A digital certificate is an electronic document that associates the identity of a subject (entity, individual, device, etc.) with its corresponding public key and one or more attributes. The specific case of a root certificate is a certificate that no superior trusted entity signs: as a root, it has a self-signed certificate, and from that point the chain of trust begins. This self-signing process makes the Root Certificate fields comply with applicable international standards, guaranteeing interoperability.

The Root CA thus holds a self-signed certificate and uses its private key to sign the public key certificates of Certicámara's certification platform, which in turn use their private keys to sign the certificates of the final subscribers, so that the whole hierarchy is covered by the trust placed in the Root CA.

Public key digital certificates are generated according to the X.509 version 3 standard (1996). X.509 is the fundamental standard that defines the structure of the public key certificate; it is a standard of the Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T) and the standard certificate form of the International Organization for Standardization (ISO). The general architecture of Certicámara digital certification is as follows: the hierarchical architecture starts from the Root, the anchor of the digital certification chain of trust, called the Root Certification Authority (CA). No other CA is allowed to sign the Root CA certificate. This is the only case in which the Root CA creates a self-signed certificate by itself.


2 CA release of information and certificate repositories

2.1 Repositories

The Certificates of the root CA, Subordinate CA and the certificate revocation list CRL will be available for consultation 365 days a year, 24 hours a day, 7 days a week. This service will be provided with a 99.9% availability agreement and in case of interruption due to force majeure, the service will be restored in the established time according to the availability percentage.

a) For certificates of the Root CA and the accredited SUBORDINATE ENTITY:

o WEB: Root CA Certicámara S.A. http://www.certicamara.com/ac_offline_raiz_certicamara.crt

o Subordinate CA Certicámara S.A. http://www.certicamara.com/ac_online_subordinada_certicamara.crt

o SUB CA CERTICAMARA http://www.certicamara.com/ac_subordinada_online_certicamara_2014.crt

b) For the certificate revocation list (CRL):

o WEB: Root CA Certicámara S.A. http://www.certicamara.com/repositoriorevocaciones/ac_raiz_certicamara.crl

o Subordinate CA Certicámara S.A. http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara.crl

o SUB CA CERTICAMARA http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara_2014.crl

o CRL with critical extension, Root CA Certicámara S.A. http://www.certicamara.com/repositoriorevocaciones/ac_raiz_certicamara_extension_critica.crl

o CRL with critical extension, Subordinate CA Certicámara S.A. http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara_con_extension_critica.crl

o CRL with critical extension, SUB CA CERTICAMARA http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara_con_extension_critica_2014.crl

c) For the CPS:

o WEB: https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/

d) For verification of the revocation status of certificates via OCSP:

o WEB: http://ocsp.certicamara.com


http://ocsp.certicamara.co

These URLs allow the user to check the revocation status of a certificate; an OCSP client compliant with RFC 2560 is required to do so. If the user does not have such an OCSP client, the complete Certificate Revocation List (CRL) must be downloaded instead.

The public repository of the root CA does not contain any confidential or private information.

2.2 Publication

It is mandatory for the Certification Entity to publish the information related to its practices, its certificates and the updated status of said certificates. The publications made by Certicámara, of all information classified as public, will be announced on its respective website as follows:

a) The Certificate Revocation List (CRL) is available in CRL v2 format in the repository of the root CA.

b) The Certificate Policies in root CA certificates are available in the updated version of this document.

c) All versions of this document are public and are available on the website of the root CA https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/, in PDF format.

d) The public keys of the certificates issued by the subordinate CA are available in the public LDAP repository, in X.509 v3 format, and through https://ar.certicamara.com:8443/Search/ which may be consulted through a search parameter.

e) The contact details of Certicámara are available at https://web.certicamara.com/contactenos/directorio-telefonico-de-sedes/

f) The operating manuals of the root CA and all the information relevant to the certificates issued are available at

https://web.certicamara.com/soporte-tecnico/manuales-de-soporte-tecnico/.

g) Certificate revocation status via OCSP is available at http://ocsp.certicamara.com and http://ocsp.certicamara.co.

2.3 Frequency of Publication

2.3.1 Root Certificate CA

The publication of the certificate will be done prior to coming into effect through the website of Certicámara. The period of validity is until Tuesday April 2, 2030 at 4:42:02 p.m.

2.3.2 Certificate revocation list (CRL)

The Certificate Revocation List (CRL) of Subordinate CA Certicámara S.A. and of SUB CA CERTICÁMARA is published with a validity of three (3) days:

Periodically:

o The publication shall be done at most eight (8) hours after the last revocation, at any time of the day.

o If there are no revocations, a new CRL is published every hour of every day.


2.3.3 Certificate Status Protocol OCSP

The service is available on an ongoing basis for consultation via web and is automatically updated in the following cases:

o Whenever a digital certificate is revoked.

o Each time a private key is compromised.

2.3.4 Certification Practice Statement

The Root CA will publish the new versions of this Document in the repository, immediately after the approval thereof.

2.4 Access control on the certificate repository

Access to the information published by the Root CA will only be for consultation and may not be modified by unauthorized persons. The public information will only be updated by the personnel in charge working in Certicámara.

In addition, the consultation of the CRL, the issued certificates, the OCSP server and the CPS in its previous and updated versions is guaranteed.

3 Identification and authentication

3.1 Naming

3.1.1 Types of names

The Root CA only generates and signs certificates with name types according to the X.500 standard. For the root CA:

The DN of the root CA is made up of the following attributes:

CN = CA Certicámara S.A.

O = Sociedad Cameral de Certificación Digital - Certicámara S.A.

C=CO

The alternate name (AN) of the root CA is made up of the following attributes:

CN = CA Certicámara S.A.

O = Sociedad Cameral de Certificación Digital - Certicámara S.A.

C=CO

The issuance of different types of certificates is set out in this policy. Each type of certificate will be identified by a unique OID (Object Identifier), included in the certificate as a policy identifier within the X.509 v3 certificate policies extension (anyPolicy, OID 2.5.29.32.0).


This certificate is generated by the first-level Certification Entity for its own identification; it is the self-signed root certificate of the public key infrastructure of Certicámara. The use of this certificate is framed within the activities of the root CA.

3.1.2 Need for names to be meaningful

The defined policies guarantee that the distinguished names (DN) of the certificates are sufficiently significant to link the public key with an identity.

3.1.3 Interpreting name forms

The rules used for the interpretation of the distinguished names in the issued certificates are described in ISO/IEC 9595 (X.500) Distinguished Name (DN). Additionally, all issued certificates use UTF8 encoding for all attributes, according to RFC 3280 ("Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile").

3.1.4 Uniqueness of names

The root CA defines the DN (Distinguished Name) field of the Certification Authority as unique and unambiguous. For this purpose, the name or corporate name of the certificate holder will be included as part of the DN, specifically in the CN field. Therefore, the uniqueness is guaranteed by trusting the uniqueness of the mercantile names in the national mercantile registry.

3.1.5 Resolution of conflicts regarding names

Certicámara does not act as arbitrator or mediator, nor does it resolve any dispute regarding the ownership of the names of persons or organizations, domain names, trademarks or commercial names, etc. Likewise, this body reserves the right to reject an application for a certificate due to name conflicts.

3.2 Initial identity validation

3.2.1 Method to prove possession of private key

The certification system implemented and used by Certicámara for the management of the life cycle of its certificates automatically controls and guarantees the issuance of the signed certificate to the holder of the private key corresponding to the public key included in the request. This guarantee is achieved through the PKCS #10 format, which includes in the request itself a digital signature over the request made with the private key corresponding to the public key to be certified.
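The proof-of-possession check described above, as an added example in Go (standard library only) that is not part of this CPS nor Certicámara's own code: the applicant produces a PKCS #10 request signed with the private key, and the registration side verifies that signature under the public key carried inside the request itself. The altered request shows why the check matters: a request whose subject was changed after signing still parses but fails verification. The applicant names are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// newRequest builds a PKCS #10 request for cn, signed with a freshly generated key; the applicant
// sends only this DER blob, the private key never leaves them. Names are constructed placeholders.
func newRequest(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Country: []string{"CO"}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkPossession is the registration-side check of section 3.2.1: the request must parse, and the
// signature over its CertificationRequestInfo must verify under the public key the request carries,
// which is what proves the applicant controls the matching private key.
func checkPossession(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("proof of possession failed: " + err.Error())
	}
	return csr, nil
}

// alterSubject overwrites the common name inside the already-signed request body without re-signing,
// modelling a request whose content no longer matches what the key holder signed (a same-length
// replacement keeps every DER length intact, so only the signature check can catch the change).
func alterSubject(csrDER []byte, oldCN, newCN string) ([]byte, error) {
	if len(oldCN) != len(newCN) {
		return nil, errors.New("replacement must have the same length as the original")
	}
	i := bytes.Index(csrDER, []byte(oldCN))
	if i < 0 {
		return nil, errors.New("common name not found in request")
	}
	out := append([]byte(nil), csrDER...)
	copy(out[i:], newCN)
	return out, nil
}
```

A registration authority that skipped checkPossession would certify a public key for whoever submitted the request, whether or not they hold the private key; with the check in place the certificate can only be issued to the holder of the signing key, exactly the guarantee the section claims.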

3.2.2 Authentication of organization and individual identity

The applicant shall submit the application for accreditation before Certicámara with the following requirements and information:

o Complete identification of the applicant.

o Identification documents issued by the competent authorities.

o Standard form of contract of the digital certificate services, subscribed by the applicant with his handwritten signature or his digital signature issued by Certicámara.


3.2.3 Verification of the powers of representation

The verification of the applicant's powers of representation before Certicámara shall be done through the RUE or through the verification of the legal documents provided for in Colombian legislation that qualify the applicant as legal representative. Certicámara will issue a credential to the legal representative to make the accreditation requests before Certicámara.

3.3 Identification and authentication for re-key requests

3.3.1 Identification and authentication of routine renewal request

Identification and authentication for certificate renewal must be done using the techniques for initial authentication and identification. This renewal method requires that the private key is neither expired nor revoked.

3.3.2 Identification and authentication of key renewal requests after revocation - uncompromised key

The identification and authentication policy for the renewal of a certificate after a revocation without key compromise will be the same as for the initial registration. Additionally, the applicant must satisfactorily demonstrate to Certicámara that the previous causes of revocation no longer exist. Certicámara may, at its discretion, deny the extraordinary renewal of a digital certificate.

3.4 Identification and authentication of key renewal requests

The identification policy for renewal applications may be the same as for the initial registration. The authentication policy will accept renewal requests digitally signed by the certificate's subscriber or submitted in person at the premises of Certicámara. Other identification policies may be defined by Certicámara as long as the possibility of identification and authentication is guaranteed according to the Certification Practice Statement of Certicámara. The root CA or any of its entities can request the revocation of a certificate if they become aware of, or suspect, a compromise of the subscriber's private key, or of any other fact that warrants such action.

4 Certificate Lifecycle

During the life cycle of the digital certificate, the following statuses may apply:

a) Valid: status of the certificate that allows the subscriber to perform activities according to its operation, during the term acquired, with a maximum of two (2) years.

b) Revoked: status by which its reliability period is terminated in advance, because of any of the causes established in this Certification Practice Statement.

c) Expired: status in which the certificate complies with the validity period acquired by the subscriber.

4.1 Certificate Application

The application process can be carried out manually by contacting the offices of Certicámara, through the automated system for requesting products and services at https://solicitudes.certicamara.com/ssps/Solicitudes/AceptoLosTerminos.aspx, through any other electronic means of Certicámara, whether our web page or that of a third party, or within the development of a project.

Applications registered through the SSPS Products and Services Application System will remain available on the page for a period of thirty (30) to forty-five (45) days for the user to file the corresponding documentation; if after this term the applications have not been completed, the system will close them automatically. Applications in which Certicámara validates the payment but the client does not complete the required documentation within six (6) months will be denied. However, if the client intends to continue with the process, the application will be reopened and a new request generated to continue with the issuance process.

The supporting documentation delivered by the applicant to Certicámara will be stored in a physical file for 6 months and digitally for a period of 10 years. The information of the applicant will not be published by Certicámara unless the explicit consent of the subscriber is given.

“Users who make use of the product and service application system subscribe electronically by accepting the terms and conditions of service specified in this CPS and in the contract for the provision of digital certificate services.” Once the application has been approved by the certification systems of Certicámara, the applicant submits the necessary guarantees to obtain accreditation as a subscriber of Certicámara in the chain of trust, and then becomes a subscriber. The subscriber's accreditation establishes that it operates in accordance with the policies and procedures set out by Certicámara. Certicámara reserves the right to request documents additional to those required in the application form, or photocopies, when it deems necessary to verify the identity or any quality of the applicant, as well as to waive all the documentation when the identity of the applicant has been sufficiently verified by Certicámara by other means. Certicámara reserves the right to request that the photocopies of the documents required be authenticated. Without any limitation, Certicámara may additionally request:

o Business credentials of the company.

o Business credentials of the applicant.

o Statement of employment.

o Bank certifications.

o Valid driver's license.

o Judicial Certificate.

o Valid passport.

o Military ID Card.

o Affiliation to the Social Healthcare Insurance Scheme.

o Affiliation to the Health Risk Administrator Company.

o Act of Appointment and / or Possession.


o Certifications of Inspection, Surveillance and Control Authorities.

a) The request for a digital certificate service can be filed at any of the offices that Certicámara has for the provision of the service in the following cities (Bogotá, Cali and Bucaramanga), or it can be made through the electronic or physical means of Certicámara.

b) Certicámara reserves the right to request additional requirements to those stipulated in the Certification Practice, when it deems it necessary for the verification of the identity of the persons or for the proper compliance of the digital certificate services.

c) Certicámara may consult databases of identity information provided by CIFIN and DATACREDITO or other private entities or the public sector in order to perform the identity validations necessary to issue the digital certificate to the subscriber.

d) Certicámara reserves the right to deny the issuance of a digital certificate to an applicant, at its own discretion, so no liability can be demanded for this reason.

4.2 Rejection of the digital certificate application

If Certicámara decides to reject the digital certificate issuance application, the applicant will receive a written notification, to the physical address or e-mail address in the digital certificate service provision form, indicating the reasons for it.

In the event that the issues found are correctable, the applicant of the digital certificate will be granted a period of fifteen working days to carry out the correction, then the Registration Authority will proceed to confirm or revoke its final decision in a written communication.

4.3 Issuance of the Certificate

After verifying and approving the requirements set out in the Colombian legislation and this CPS, the CA system will proceed to issue the certificate to the subscriber.

4.3.1 CA Proceedings during the issuance of the certificate

The issuance of the certificates implies authorization of the request by the Subordinate CA system. After the approval of the application, the certificates will be issued securely and will be made available to the SUBSCRIBER.

In the issuance of certificates the Subordinate CA:

o Uses a certificate generation procedure that securely links the certificate to the registration information, including the certified public key.

o Protects the confidentiality and integrity of registration data.

All certificates will start their validity at the time indicated in the certificate itself.


The "not before" field will be used for this purpose. No certificate will be issued with a validity period that starts before the current date. However, certificates whose validity period starts on a future date may be issued.

4.3.2 Notification to the applicant by the Subordinate CA about the issuance of the certificate

The SUBSCRIBER will know about the effective issuance of the certificate by means of a notification sent by Certicámara by email or post. Likewise, the digital certificates issued are published on the Certicámara website.

4.3.3 Acceptance of certificates: form in which the certificate is accepted

The certificate is considered accepted by the subscriber once the process of signing the request for the certificate is completed by the Subordinate CA.

4.3.4 Publication of the certificate by the CA

Certicámara will provide various types of communication such as emails, written communications, LDAP repository, Web repository and those that it deems necessary to publish the acceptance of a certificate.

The registration authority server will enter the public keys of the digital certificates issued by the subordinate certification authority in the LDAP directory structure (Lightweight Directory Access Protocol) of the PKI, at the time the certificate is issued, unless there is a technical problem that prevents its publication, in which case the publication will occur within the month following the issuance of the certificate, according to the result of the technical analysis of what prevented its immediate publication.

4.3.5 Notification of the issuance of the certificate by the CA to other Authorities

Certicámara will notify the entities, government agencies and private companies about the issuance of a certificate through the Certicámara website.

4.4 Use of the key pair and the subscriber's certificate

The uses of the certificates issued by the root CA and the Subordinate CA are those provided for in Colombian legislation and its regulations.

Additionally, from a technical point of view, the key usage and the enhanced key usage are defined as follows:

Key usage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Key Agreement (f8)

Enhanced key usage: Client Authentication (1.3.6.1.5.5.7.3.2), Secure Email (1.3.6.1.5.5.7.3.4)

4.4.1 Use of the private key of the certificate by the SUBORDINATE ENTITY

The owner can only use the private key and the certificate for the uses authorized in this CPS. Certicámara issues certificates with the private key usage fields limited to the signing of certificates and the signing of CRLs.

4.4.2 Use of the public key and certificate by third parties in good faith

Third parties in good faith can only place their trust in the certificates for what is established by this CPS and the regulations.

Third parties in good faith can perform public key operations in a satisfactory manner, relying on the certificate issued by the chain of trust. Likewise, they must assume the responsibility of verifying the status of the certificate using the means established in this CPS.
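The relying party's duties just stated, together with the hierarchy of section 1.9.3, the certificate states of section 4, the key usage values of section 4.4 and the three-day CRL validity of section 2.3.2, as one added example in Go (standard library only) that is not part of this CPS and is not Certicámara's code: it builds a self-signed root, a subordinate CA and a subscriber certificate with the listed key usage and extended key usage values inside the two-year term, verifies the chain, then classifies the certificate as valid, revoked or expired against a CRL issued by the subordinate CA. Every name, serial number and the "Example Org" organization is a constructed placeholder; the real certificates and CRL locations are those listed in section 2.1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity pairs a certificate with its private key; every name and serial below is a constructed placeholder.
type entity struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// issue generates a key pair and signs tmpl with parent; a nil parent yields a self-signed root (section 1.9.3).
func issue(tmpl *x509.Certificate, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil { // self-signed: the template is its own issuer, signed with the new key
		parent = &entity{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}, err
}

// template returns a two-year subscriber template with the key usages of section 4.4 or, with ca set,
// a CA template restricted to certificate and CRL signing (section 4.4.1).
func template(cn string, serial int64, ca bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(2 * 365 * 24 * time.Hour),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}, Country: []string{"CO"}},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// buildHierarchy issues root -> subordinate CA -> subscriber, the hierarchy section 1.9.3 describes.
func buildHierarchy(now time.Time) (root, sub, leaf *entity, err error) {
	if root, err = issue(template("Example Root CA", 1, true, now), nil); err != nil {
		return
	}
	if sub, err = issue(template("Example Subordinate CA", 2, true, now), root); err != nil {
		return
	}
	leaf, err = issue(template("Example Subscriber", 1001, false, now), sub)
	return
}

// verifyChain is the relying party's first duty (section 4.4.2): chain the subscriber certificate to the
// trusted root through the subordinate CA, so a certificate from any other hierarchy is rejected here.
func verifyChain(leaf, sub, root *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// issueCRL signs a CRL listing the revoked serials, valid for the three days that section 2.3.2 states.
func issueCRL(ca *entity, revoked []*big.Int, now time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(72 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// certStatus is the relying party's second duty: map the certificate to the states of section 4 ("valid",
// "revoked", "expired"), refusing a CRL that the issuing CA did not sign or that is past its NextUpdate.
func certStatus(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
		return "", fmt.Errorf("untrusted CRL (signature error: %v, NextUpdate %s)", err, crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	if now.After(cert.NotAfter) {
		return "expired", nil
	}
	return "valid", nil
}
```

certStatus deliberately refuses a CRL whose signature does not come from the issuing CA or whose NextUpdate has passed, so a relying party cannot keep trusting a list older than the three-day publication window; a fresh CRL or an OCSP response (section 2.3.3) is the only way back to a decision. The five key usage bits set on the subscriber certificate occupy the first five positions of the DER BIT STRING and therefore encode as 0xf8, which is the value section 4.4 quotes after the list.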


4.5 Re-key services of private keys and administration of keys

Certicámara does not provide re-key services of private keys and key management of its subscribers.

4.6 Renewal of certificate with change of key

Certicámara notifies its subscribers at least fifteen calendar days in advance of the termination of the validity of their digital certificate. This notification can be made by email to the email address provided by the subscriber or by any other suitable means of communication when Certicámara deems it appropriate. Subscribers whose digital certificate is stored in a cryptographic device will additionally be notified by the device's driver software so that they can check its validity at any time.

However, Certicámara is not required to guarantee the effectiveness of the notification of the termination of validity of the certificate or to confirm its reception, since it is the obligation of the Subscriber to be aware of the validity of its digital certificate and to initiate the renewal procedures before Certicámara prior to the expiration of the certificate, considering that this request must complete the data verification process, payment reconciliation and approval by Certicámara, a process that Certicámara will carry out as established in the service level agreements agreed with the subscriber and depending on the quality and veracity of the information provided by the subscriber. It is important to note that Certicámara will notify the Subscriber through the email provided not only of the expiration of the digital certificate but also of other processes or procedures such as maintenance; the email address provided by the applicant is therefore used throughout the process of issuing the digital certificate, that email address is the responsibility of the subscriber, and it is consequently the obligation of the subscriber to fill in the address correctly in the application form for the digital certificate, both the first time and on renewal.

4.6.1 Causes for the renewal of a certificate

Renewals of certificates by subscribers are due to expiration.

4.6.2 Entity or subscriber that can request the renewal of the certificate

The entities or subscribers are authorized to request the renewal of a certificate with key change if the service is about to expire and the subscriber intends to continue using a digital certificate that certifies the conditions that were approved in the digital certificate.

4.6.3 Application procedure for the renewal of a certificate

The subscriber must once again comply with the accreditation process to request the renewal of a certificate. For this reason, the application procedure for the renewal of a certificate is the same as the accreditation procedure, except that the requested documents are not enclosed again unless they are no longer valid (if applicable).

4.6.4 Notification of the issuance of a new certificate to a subscriber

Certicámara will notify the subscriber of the effective issuance of a new certificate by means of an email issued by the Certicámara renewal system.

4.6.5 Publication of the certificate renewed by the CA

Certicámara will use different types of communication, such as emails, written communications, the LDAP repository, the Web repository, and any others it deems relevant, to publish the renewal of a certificate.


4.6.6 Notification of the issuance of the certificate by the CA to other entities

Certicámara will notify the entities, government agencies and private companies of the renewal of a certificate through the Certicámara website.

4.7 Modification of certificates

During the life cycle of a certificate, its fields will not be modified, either in the root CA or in the Subordinate CA. If a change to the data of an issued certificate is required, the certificate must be revoked and a new one issued with the corresponding modifications.

4.8 Revocation (Cancellation) of digital certificates

The revocation of a digital certificate is the mechanism by which its period of reliability is terminated early, in the presence of any of the causes set out in this Certification Practice Statement, leading to the loss of trust in it.

4.8.1 Revocation Scenarios

4.8.1.1 Voluntary revocation by the subscriber

The subscriber may voluntarily request that Certicámara revoke the digital certificate issued, in which case Certicámara will carry out the revocation procedure for the digital certificate.

4.8.1.2 Other revocation scenarios

Certicámara will revoke the digital certificate if any of the following events has occurred:

a) Compromise of security for any reason, mode, situation or circumstance.

b) Compromise of the subscriber's private key for any reason or circumstance.

c) The private key has been exposed or is in danger of being misused.

d) Due to death or incapacity of the subscriber.

e) Due to the liquidation of the legal entity represented in the digital certificate.

f) Due to the update of the information included in the digital certificate.

g) After verifying that some information or fact included in the digital certificate is false, as well as upon the occurrence of new facts causing the original data not to match reality.

h) Compromise of the private key of Certicámara or of its security system, for any circumstance including fortuitous ones, thus affecting the reliability of the digital certificate.

i) Due to the cessation of activities of Certicámara, unless the issued digital certificates are transferred to another Certification Entity.


j) By judicial order or competent administrative entity.

k) Loss, disablement or compromise of the security of the hardware of the digital certificate that has been duly notified to Certicámara.

l) After the termination of the subscription contract, in accordance with the grounds set out in the contract and in this Certification Practice Statement.

m) For any reason that reasonably leads to the belief that the certification service has been compromised to the extent that the reliability of the digital certificate is questioned.

n) The improper handling of the digital certificate by the subscriber.

o) Due to breach, by the subscriber or by the legal entity represented or to which the subscriber is linked, of the Digital Certificate Service contract provided by Certicámara.

p) Due to a past due payment report for not having paid the services provided by Certicámara.

q) When the delivery of the certificate is not possible due to a cause attributable to the subscriber, Certicámara and/or the logistics operator will contact the applicant via e-mail or telephone on three occasions to coordinate the delivery process. If no prompt response with a date for delivery or collection of the digital signature certificate is obtained, Certicámara will keep the certificate in custody for a period of two (2) months from the date of issuance; once this term has expired without the subscriber having responded, Certicámara will proceed with the revocation and with the cancellation of the process in the SSPS Products and Services Requests System. If the applicant then requires the issuance of the digital signature certificate, the application process must be initiated again in accordance with the provisions of the "Request for certificates" section of this CPS.

r) For any other cause specified in this Certification Practice Statement.

CERTICÁMARA IS NOT REQUIRED TO INVESTIGATE OR REVIEW THE OCCURRENCE OF ANY OF THE REVOCATION CAUSES SET OUT IN THIS SECTION. CERTICÁMARA WILL START THE PROCEDURE FOR REVOKING DIGITAL CERTIFICATES ONLY ONCE IT HAS BEEN INFORMED OF THE OCCURRENCE OF ANY OF THEM. THE SUBSCRIBER AND THE RELYING PARTY ARE REQUIRED TO INITIATE THE PROCEDURE OF REVOCATION OF THE DIGITAL CERTIFICATE AS SOON AS THEY BECOME AWARE OF THE EXISTENCE OF ANY OF THESE CAUSES. FAILURE TO COMPLY WITH THIS OBLIGATION MAKES THEM RESPONSIBLE FOR THE DAMAGES CAUSED BY THIS OMISSION.

4.8.2 Consequences of the revocation

The consequence of the revocation of a digital certificate is the loss of its reliability, causing the permanent cessation of the operation of the digital certificate for its own uses and, consequently, of the provision of digital certificate services.

The use of the digital certificate, the hardware of the digital certificate, or any other good or service provided by Certicámara to the subscriber is prohibited, once the digital certificate has been revoked.

The revocation of a digital certificate for a cause attributable to Certicámara will give rise to the issuance of a new digital certificate on behalf of the subscriber for a term equivalent to the remaining term, to complete the original period of validity of the revoked digital certificate, at the expense of Certicámara. In other cases, the cost of the new digital certificate will be borne by the subscriber.

Once the revocation procedure has been completed, the digital certificate will be published in the database of revoked digital certificates, to notify the relying parties that said digital certificate has been revoked.

4.8.3 Revocation procedure

4.8.3.1 Active legitimacy

The subscriber or any third party that is aware of the existence of any of the causes that give rise to revocation may inform Certicámara so that it evaluates the cause and proceeds in accordance with the established procedure. A third party initiating a digital certificate revocation procedure will be solely responsible for the damages caused by such revocation to the subscriber and to third parties in good faith. In any case, Certicámara may initiate the revocation procedure of digital certificates in any of the cases foreseen in the previous section.

The judicial or administrative authorities may, in those cases contemplated in the law, order Certicámara to revoke any digital certificate.

4.8.3.2 Receiving Revocation requests

The request for revocation of digital certificates can be made by telephone by calling the 7x24 service line, exclusive revocation service: (1) 3790300 option 4, or any of the numbers available for this purpose, listed in the Revocation of Digital Certificates section at https://web.certicamara.com/soporte-tecnico/revocar-su-certificado-de-firma-digital/, or through the electronic means provided by Certicámara.

If the person disclosing a ground that gives rise to the revocation of the digital certificate is not the subscriber, or if the latter is unable to identify himself satisfactorily or cannot prove in a reliable manner the existence of the ground for revocation, he must appear in person at any of the offices of Certicámara during office hours, with proof of the existence of the respective grounds for revocation, notwithstanding the measures that Certicámara has established for the security of the Digital Certification System. Once the request for revocation is received by post or email, attaching the scanned letter of request for revocation, and the veracity of said request has been verified, the revocation of the certificate will be carried out, without grace periods for said revocations.

Telephone conversations held with the Call Center may be recorded by Certicámara for evidentiary purposes.

4.8.4 Revocation

If deemed necessary, Certicámara will carry out, itself or through third parties, the pertinent inquiries and procedures to verify the existence of the grounds for revocation being pleaded. Such procedures may include direct communication with the subscriber and the physical presence of the third party who pleads the grounds for revocation. If the ground is proven, Certicámara will enter the digital certificate in the database of revoked digital certificates as a revoked digital certificate. Otherwise, the revocation process of the digital certificate will conclude. It is worth noting that Certicámara does not offer a certificate suspension service to subscribers.


Certicámara must inform the subscriber, within the next 24 hours, of the suspension of the service or the revocation of the certificate(s), in accordance with the current regulations. If the subscriber intends to obtain a new digital certificate, the digital certificate service provision form must be filled out again. This document may be sent physically, through regular mail, or digitally via email, as long as the latter is digitally signed by the legal representative of the applicant.

4.8.5 Revocation of the digital certificate by the user

The user of the digital certificate service may revoke the digital signature certificate associated with his name by using the interface that Certicámara provides for this purpose, an interface in which the identity of the user is verified through a test based on information related to his credit and financial record.

The system will automatically send a notification to the user's email with the effective revocation of the digital signature certificate.

4.8.6 Communication and Publication of the revocation

The decision to revoke the digital certificate will be communicated by Certicámara to the subscriber by email or through the means deemed convenient for this purpose.

Certicámara will notify the Registration Entities, through email or any other means it deems appropriate, the list of revoked digital Certificates received for revocation.

The revocation of the digital certificate will take effect from its publication by Certicámara in the database of revoked digital certificates, unless the ground of revocation is the cessation of activities of Certicámara, in which case the loss of effectiveness will take place as soon as that circumstance occurs.

The old lists of revoked digital certificates (CRLs) will remain stored in the database of the certification authority server, and the backup copy of this database will be stored on magnetic media (tapes) allowing easy and safe recovery. Certicámara will store these databases containing historical lists on tapes and will deposit them for custody at the offices of Certicámara, for consultation for up to ten years after the loss of validity of the root certificate of the certification authority. When a person or entity needs to check an old CRL, they can request information through the National Toll Free line 018000181531 or send a communication, including an email address for the reply, to the following addresses:

Address: Carrera 7 Nº 26-20 Floors 18 and 19 Seguros Tequendama Building - Bogotá, Colombia. Email address: [email protected]

Certicámara will attend the request by sending the required CRL by email.

4.9 Verification services for the status of the certificate

4.9.1 Operational Characteristics

For the validation of the digital certificates, several validation service providers are available to provide information on the status of the certificates issued by the certification hierarchy. It is an online validation service (Validation Authority, VA) that implements the Online Certificate Status Protocol following RFC 2560. By using this protocol, the current status of an electronic certificate is determined without requiring the CRLs.


An OCSP client sends a request on the status of the certificate to the VA, which, after consulting its database, offers a response on the status of the certificate via HTTP through http://ocsp.certicamara.com and http://ocsp.certicamara.co. The CRL files corresponding to each CA published on the Certicámara website will also be available at the following URLs:

- http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara.crl?crl=crl

- http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara_con_extension_critica.crl?crl=crl

- http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara_2014.crl?crl=crl

- http://www.certicamara.com/repositoriorevocaciones/ac_subordinada_certicamara_con_extension_critica_2014.crl?crl=crl

4.9.2 Service Availability

The verification service is available 24 hours a day, every day of the year.

4.9.3 Additional characteristics

The Online Validation Service is available at http://ocsp.certicamara.com and http://ocsp.certicamara.co; it is the responsibility of the third party in good faith to have an OCSP client that complies with RFC 2560.

4.10 Termination of the subscription

The termination of the subscription of a certificate occurs in the following cases:

o Revocation of the certificate for any of the grounds of revocation.

o Expiration of the validity of the certificate.

4.11 Custody and key recovery

4.11.1 Custody practices and policies and key recovery

The private key of the root CA is guarded in an HSM cryptographic device. To access the private key repository, Shamir's (k, n) threshold scheme is used, both in software and in the cryptographic devices.


5 Physical security, management and operational controls

5.1 Physical security controls

5.1.1 Location and construction

All critical operations of the root CA and the Subordinate CA are physically protected with all the security measures necessary for the most critical elements and are monitored 24 hours a day, 7 days a week. These systems are separated from the other systems of Certicámara, so that only authorized personnel have access to them. The Data Processing Centers of the root CA and the Subordinate CA meet the following physical requirements:

To avoid possible damage, the installations are far from smoke exits.

No windows inside the room.

Closed-circuit TV in critical or restricted-access areas.

Access control based on proximity card, PIN and biometrics.

Fire protection and prevention systems: detectors, fire extinguishers, training of personnel to act against fires, etc.

5.1.2 Physical access

Physical access to the facilities of the Root CA and the Subordinate CA is protected by various access controls, so that only authorized personnel have access. The access controls, zones and processes are defined in the security policies of the root CA and Subordinate CA. These controls are based on identification at level 2 with a smart card and at level 3 with a biometric fingerprint, with permanent closed-circuit TV recording all accesses to the facilities and archiving the recordings periodically. The systems of the root CA are physically separated from the other systems of Certicámara so that only authorized personnel have access, and independence from the other computer systems is guaranteed.

5.1.3 Power supply and air conditioning

The premises where the equipment is located have the power and ventilation conditions necessary to avoid power failures or other electrical anomalies in the electrical systems. Equipment wiring is protected to prevent interception or damage, and special measures have been taken to avoid information losses caused by interruption of the electrical supply: the most critical components are connected to a UPS to ensure a continuous supply of electrical power, with sufficient capacity to maintain the electrical network during a controlled shutdown of the system and to protect the equipment against electrical fluctuations that could cause damage.

The air conditioning systems keep the equipment rooms at the humidity and temperature conditions suitable for their correct operation and maintenance.


5.1.4 Water exposure

The installations of the Root CA and Subordinate CA are protected against exposure to water through humidity and flood detectors and other safety mechanisms appropriate to the environment.

5.1.5 Fire protection and prevention

The installations of the Root CA and Subordinate CA have an intelligent fire detection and extinction system. It is made up of:

o Smart control panel.

o ECARO 25 suppression system, which protects the ozone layer and does not pollute the environment.

o Extension nozzles on the roof.

o Fire detectors in the ceiling and the false ceiling.

o Pre-alarm system. The fire detectors are activated to detect, control and locate the event. If two fire detectors are activated simultaneously, the system proceeds to discharge the gas thirty seconds after the alarm activation.

o Manual activation of the gas cylinder. When the automatic activation of the cylinder fails, a properly identified lever is available.

o A button to perform the ECARO 25 gas discharge in case of system failure.

5.1.6 Storage systems

The information related to the infrastructure of the root CA and Subordinate CA is stored securely in fireproof cabinets and safes, according to the classification of the information contained therein.

These storage systems are located in different premises to eliminate the risks associated with a single location. The Root CA and Subordinate CA have internal and external storage places.

5.1.7 Waste disposal

The Root CA and the Subordinate CA maintain mechanisms to review all disposable materials on which information is stored (diskettes, paper, films, etc.), ensuring they are checked before their elimination or reuse in order to verify whether they contain sensitive information, in which case they are physically destroyed, unless they can be reused as a storage medium, in which case the information is securely removed.

5.1.8 Backup Storage

All backup copies are stored in premises distant from the Root CA and Subordinate CA. These premises are protected by security means and mechanisms, in keeping with good international security practices.

The full backup copies include databases, applications, transaction files and logs of the KeyOne and SSPS systems, which Certicámara will keep for three months.


5.2 Functional controls

5.2.1 Roles of trust

The Root CA and Subordinate CA have staff who, due to their responsibilities, are subject to special control procedures because their activity is essential for the proper functioning of the Certicámara S.A digital certification entity. The roles of trust are:

Responsible for the private key of the Root Certification Authority and Subordinate CA: responsible for the protection of the private key of the root CA and the Subordinate CA. To achieve this protection, administrators must use a smart card as a strong authentication method. This authentication process is necessary for the activation and deactivation of the private key.

Infrastructure Administrator: Responsible for the definition of the management keys of the HSM, their custody, configuration and start-up. In charge of configuring the access to the HSM by the applications, of the initialization of the PKCS #11 token, of assisting in the tasks of exporting and importing the cryptographic material, etc. Also accountable for performing the corresponding support of the HSM.

User Registration: Exclusively responsible for the functions related to the issuance, processing and revocation of digital certificates. These procedures are performed on the Registry application using the authentication and authorization controls of the system. Additionally, they may suspend certificates, after receiving the request of the Directory, and carry out any other extraordinary activity with due authorization. The Authority Revocation Lists (ARL) are issued and published manually by the ICT Director, or in his absence by the internal support staff, at the URL corresponding to the CPS specified in the certificates issued for subordinate certification authorities, with the periodicity established in the CPS (1 year for the ARL), and they must collaborate with the Auditors in everything that is required to verify the publication.

ICT Director: Responsible for performing all tasks related to the installation, configuration and maintenance of the Certicámara system. Responsible for the operation of the systems that make up the system of the root CA and Subordinate CA, both hardware and base software. The responsibility of this profile includes, among others, the administration of the database system, the information repositories (OCSP, LDAP, Web, Active Directory, etc.) and the operating systems. Accountable for ensuring the provision of services with the appropriate level of quality and reliability, depending on their degree of criticality. Responsible for the correct execution of the Backup Policy and, in particular, for maintaining enough information to efficiently restore any of the systems. Accountable for carrying out, or delegating in a controlled manner, local backup copies.

Government, Risk and Compliance Director (GRC): Responsible for complying with and enforcing the security policies of the root CA and Subordinate CA, and must take care of every aspect related to security: physical, applications, network, etc. Responsible for managing the perimeter protection systems and in particular the management of firewall rules. Accountable for the installation, configuration and management of intrusion detection systems (IDS) and the tools associated with them. Responsible for resolving, or causing to be resolved, the security incidents that occur, for eliminating detected vulnerabilities, etc. Accountable for the management and control of the physical security systems of the CPS, the access control systems, the environmental conditioning systems and the power supply. Responsible for explaining the security mechanisms to the personnel involved, for raising awareness among all the personnel of the root CA and the Subordinate CA, and for enforcing the security rules and policies. The GRC must establish the schedule for the execution of vulnerability analyses, trials and tests of the service continuity plans, and audits of the information systems. The GRC must collaborate with the Auditors in everything that is required by them.

Responsibilities


Verify the existence of all the required and listed documentation of the production cycle.

Check the coherence of the documentation with the procedures, inventoried assets, etc.

Check the tracking of incidents and events.

Check the protection of systems: exploitation of vulnerabilities, access logs, users, etc.

Check alarms and physical security elements.

Verify knowledge of the procedures by the personnel involved.

Authorized to consult files, traces and audit logs of the entities of the PKI.

5.2.2 Number of people required per task

As a security measure, responsibilities are shared among the different roles and people, so that the negligent or willful conduct of any one of them does not seriously affect the activity of Certicámara as Root CA or Subordinate CA. The number of people required per task is distributed as follows:

Responsible for the key pair of the root CA and Subordinate CA:

Those responsible for the management smart cards that have control over the Security Word are:

ICT Director

Operations Director

Government, Risk and Compliance Director (GRC)

o Those responsible for operating smart cards for key access and activation are:

Infrastructure Manager

ICT Director

Note: The management and operation smart cards are guarded by the Information Security Director in a safe.

5.2.3 Identification and authentication for each role

The users in charge of each of the roles described in the previous sections are authenticated through the use of strong cryptography. This authentication is carried out using digital certificates protected by means of smart cards. Authentication is complemented by the corresponding authorizations to access certain information assets of the Certicámara system.


5.3 Personal security controls

5.3.1 Background, qualification, experience and accreditation requirements.

The staff performing activities in the facilities or systems of the root CA and Subordinate CA must have qualifications and experience in environments where certificate services are provided. Additionally, the personnel must comply with the security requirements of the organization and have:

Notions and experience in digital certification environments.

Basic education on security in information systems.

Specific training for their role.

Academic degree or equivalent industry experience.

5.3.2 Training requirements

The staff of Certicámara must be subject to a specific training plan for the development of their roles within the institution.

The training plan includes the following aspects:

Training in the basic legal aspects related to the provision of certification services.

Awareness about physical, logical and technical security.

Services provided by the Certification Authority.

Software and hardware operation for each specific role.

Basic concepts of PKI.

Certification Practice Statement.

Management of incidents.

Security procedures for each specific role.

Operation and administration procedures for each specific role.

Procedures for the recovery of the operation in case of disasters.

5.3.3 Requirements and frequency of the training update of Certicámara

Staff will receive induction training whenever there are technological changes in the environment, new tools are introduced or operating procedures are modified.


In addition, training sessions will be held before changes in the Certification Practice Statement or other documents relevant to the operation, administration and / or management of the root CA and Subordinate CA.

5.3.4 Frequency and sequence of rotation of tasks of Certicámara.

Certicámara implements work rotations among the different roles in order to increase security and ensure the continuity of the activity in case of the absence of any of the workers.

5.3.5 Penalties for unauthorized actions

The staff practices of Certicámara define the sanctioning procedure for employees who fail to comply with them, specifying the penalties for carrying out an unauthorized action, the unauthorized use of authority or the unauthorized use of the systems. In any case, if Certicámara suspects that employees are carrying out an unauthorized action, their access permissions will be suspended automatically, with the possibility of dismissal from the company.

5.3.6 Documentation provided to the staff of Certicámara.

Certicámara has an ISO 9001:2008 quality management system and an ISO 27001:2013 information security management system, which provide its employees with all the documentation and information security good practices necessary for the proper performance of their tasks. The documentation includes:

Certification Practice Statement

Manuals for the Operation, administration, installation and use of tools for the root CA and Subordinate CA.

Security rules and plans

Emergency procedures

Privacy Policy

Information Security Policy

Organizational chart and roles of the staff

5.4 Security control procedure

5.4.1 Types of events recorded

The Root CA and the Subordinate CA store electronic records (logs) of events related to their activity as a certification entity. These records are stored automatically or, in other cases, on paper or other media. These files are available to the Government, Risk and Compliance Director (GRC) when necessary.

Each event record includes data relating to:

Date and time of the event


Serial number or sequence of entry in the record

Identification of the staff that recorded the event according to their role

The events recorded by the Root CA and the Subordinate CA are the following:

System events:

o Operating system installation
o Installation of the Root CA and Subordinate CA application
o Installation of cryptographic hardware security modules (HSM)
o Change of cryptographic hardware security module (HSM)
o Removal of a cryptographic module
o Attempts to access the Root CA and Subordinate CA

Configuration changes to the Root CA and Subordinate CA equipment, specifically:

o Hardware
o Software
o Operating system
o Users
o Security profiles
o Administrator privileges
o Audits

Physical access:

o Staff access to the data center
o Staff access to the system
o Knowledge or suspicion of a physical security breach

Unexpected anomalies:

o Failure of the software integrity check
o Attacks on the network (confirmed or suspected)
o Network failures
o Equipment failures
o Power failures
o Breaches of the Certification Practice Statement
o Restarting the operating system

Activities of the Root CA and Subordinate CA operators:

o Account management
o Backup copies of the databases
o Storage of databases
o File manipulation
o Sending documents or files to the directory
o Access to databases
o Signature of the tables used in the application
o Improper use of private keys
o Actions taken in response to any request
o Loading the smart card with certificates


o Sending the keys to the cryptographic module
o Events related to the life cycle management of certificates and CRLs

5.4.2 Analysis of log records

Certicámara has a log analysis tool which automatically sends alerts to the ICT area, so that possible failures or alerts are validated and corrected if required. In addition, in the case of extraordinary events, logs are extracted to produce audit trails for later review.

5.4.3 Retention period for audit logs

The Information Security area will keep the logs generated by the system, security and applications for a maximum of three years.

The log monitoring software additionally saves all records in a database, which is within the scope of the Backup Copies procedure.

5.4.4 Audit information collection system

The information collection system is run by the operating systems, by processes in the application of the root CA and Subordinate CA, and by the staff in charge. This system is therefore a combination of automatic and manual processes.

The characteristics of this system include the following:

It allows the integrity of the database to be verified.

It ensures non-repudiation by the authors of the operations performed on the data. This is done through electronic signatures.

It keeps a historical record of data updates, that is, it stores the successive versions of each record resulting from the different operations performed on it.

The following is a summary of the possible dangers to which a database may be exposed and that can be detected with integrity tests:

o Insertion or fraudulent alteration of a session record.

o Fraudulent suppression of intermediate sessions.

o Insertion, alteration or fraudulent suppression of a historical record.

o Insertion, alteration or fraudulent suppression of a query table record.
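The integrity checks described in this section can be implemented with a sequence-numbered, hash-chained log whose head is sealed with a key held by the verifying area. The following Python example is added here for illustration; it is not Certicámara's log-analysis or backup tooling, and the seal key, the role names and the sample events are constructed for the example. It exercises the four dangers listed above and shows the caveat a practitioner should know: a bare hash chain detects insertion, alteration and suppression of intermediate records, but suppression of the most recent records is only detected by something outside the chain, here a keyed seal over the head (the document uses electronic signatures for the same purpose).

```python
"""Tamper-evident audit trail: sequence number + SHA-256 hash chain + keyed seal.

Added illustration, not Certicámara's own tooling. SEAL_KEY, the role
names and the sample events below are constructed for this example.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
SEAL_KEY = b"example-seal-key-held-by-information-security"  # assumption


def _canonical(record: dict) -> bytes:
    # Sort keys and drop whitespace so the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(prev_hash: str, seq: int, record: dict) -> str:
    # Each entry commits to its predecessor, its own sequence number and its data.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(seq.to_bytes(8, "big"))
    h.update(_canonical(record))
    return h.hexdigest()


def append_event(log: list, ts: str, role: str, event: str) -> dict:
    """Append one entry carrying the mandatory fields: time, sequence number, role."""
    seq = len(log) + 1
    prev = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts, "role": role, "event": event}
    entry = {"seq": seq, **record, "hash": _link(prev, seq, record)}
    log.append(entry)
    return entry


def seal(log: list) -> str:
    """Keyed MAC over (length, head hash): the only check that catches tail truncation."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(SEAL_KEY, f"{len(log)}:{head}".encode(), "sha256").hexdigest()


def verify(log: list, expected_seal: str) -> tuple:
    """Walk the chain from GENESIS, then check the seal. Returns (ok, reason)."""
    prev = GENESIS
    for position, entry in enumerate(log, start=1):
        if entry["seq"] != position:
            return False, f"sequence break at position {position}"
        record = {k: entry[k] for k in ("ts", "role", "event")}
        if _link(prev, position, record) != entry["hash"]:
            return False, f"hash mismatch at seq {position}"
        prev = entry["hash"]
    if not hmac.compare_digest(seal(log), expected_seal):
        return False, "seal mismatch: tail truncated or chain rebuilt without the key"
    return True, "ok"


def demo() -> dict:
    """Run the tampering cases from the section against a constructed 3-entry log."""
    log = []
    append_event(log, "2018-03-01T09:00:00Z", "HSM administrator", "administrator card set presented")
    append_event(log, "2018-03-01T09:05:00Z", "CA operator", "CA application started")
    append_event(log, "2018-03-01T09:07:00Z", "CA operator", "CRL issued")
    sealed = seal(log)
    results = {"intact": verify(log, sealed)[0]}

    # 1. Fraudulent alteration of an existing record.
    altered = json.loads(json.dumps(log))
    altered[1]["event"] = "routine maintenance"
    results["altered"] = verify(altered, sealed)[0]

    # 2. Fraudulent insertion of a record, with sequence numbers renumbered to hide it.
    inserted = json.loads(json.dumps(log))
    inserted.insert(1, {"seq": 0, "ts": "2018-03-01T09:02:00Z", "role": "CA operator",
                        "event": "key exported", "hash": "00" * 32})
    for position, entry in enumerate(inserted, start=1):
        entry["seq"] = position
    results["inserted"] = verify(inserted, sealed)[0]

    # 3. Fraudulent suppression of an intermediate record.
    results["suppressed"] = verify([log[0], log[2]], sealed)[0]

    # 4. Suppression of the last record: the chain alone still verifies, only the seal fails.
    truncated = log[:2]
    chain_only_ok = all(
        _link(GENESIS if i == 0 else truncated[i - 1]["hash"], i + 1,
              {k: e[k] for k in ("ts", "role", "event")}) == e["hash"]
        for i, e in enumerate(truncated)
    )
    results["truncated_chain_only"] = chain_only_ok
    results["truncated_with_seal"] = verify(truncated, sealed)[0]
    return results
```

The seal gives integrity and truncation detection but not non-repudiation, because anyone holding SEAL_KEY can recompute it; the electronic signature the section requires is what binds a record to its author.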

5.4.5 Notification to the subject originating the event

Each time an event is audited, the System Administrator informs the author of the event in advance. However, when an operator becomes aware of an event that may be subject to an audit, he must immediately inform the Government, Risk and Compliance Director (GRC), who will proceed according to the severity of the event.


5.4.6 Vulnerability analysis

A vulnerability analysis must be performed at least once a year. It is the responsibility of the coordinators of the analysis teams to inform the board of directors of Certicámara, through the Information Security Director, of any problem exposed by the vulnerability analysis.

5.5 Record archival and events recorded

5.5.1 Type of information and events recorded

Regarding the life cycle of the Root CA and Subordinate CA keys:

o Generation of the Root CA and Subordinate CA keys
o Installation of cryptographic keys and their consequences
o Key backup
o Key storage
o Recovery of cryptographic keys
o Key housing
o Use of the keys
o Destruction of keys
o Custody of keys and devices or any other key support

Related to the life cycle of the certificates:

o Receipt of applications for certificates
o Submission of public keys for certification
o Distribution of public keys

Related to the life cycle of cryptographic devices (HSM):

o Reception of devices
o Entry or transfer to the storage place
o Use of devices
o Uninstalling devices
o Designation of the device for service or repair
o Withdrawal of devices

Others

o CPS update
o Modifications of contractual obligations
o Confidentiality agreements
o Audit traces
o Accesses and modifications of the documentation requested by the auditors
o Agreements signed by Certicámara
o Access authorization to information systems

5.5.2 Retention period for the file

The information traces provided by the subscribers are kept for a period of two years.


5.5.3 File protection

The defined security measures are designed to protect the files from unauthorized access (internal or external), so that only certain people can view, modify or delete them. The files are stored in safe places, with all the security measures necessary to protect them from natural hazards.

5.5.4 File backup procedures

Two daily copies of the files that make up the archive to be retained are made. One copy is made locally and stored in a secure location within the main data center of the Subordinate CA, which complies with the environmental and physical security conditions. The second copy of the data is made in encrypted form and remotely; it is stored in the Alternate Data Center, located in a building different from the main headquarters of the Subordinate CA. The procedures are described in the policy and procedures document of the root CA and Subordinate CA.

5.5.5 Procedures for obtaining and verifying filed information

The recorded events are protected by cryptographic techniques, so that nothing but the visualization and event management applications themselves has access to them. Only authorized personnel have access to the physical files of media and to the computer files, to carry out integrity checks or checks of any other kind.

This verification must be carried out by the Information Security and Compliance Department, which must have access to the verification and integrity control tools of the PKI event records. Automatic integrity checks of electronic files (backups) are made at the time of their generation, and an incident is opened in case of errors or unforeseen behavior.

5.6 Key change

The key pair of the Root CA ceases to be valid at the same time as its self-signed certificate. Once the Root CA certificate has expired, a new key pair will be generated to create the new self-signed root certificate. Certicámara will notify the external auditor and/or control entity and/or accreditation body, according to the regulations in force at the time of the key change, in order to determine the technical, procedural and legal conditions applicable to this procedure before its execution, so as to guarantee that the process complies with the applicable regulations from the security point of view. To this end, Certicámara will present the document Pre Ceremonia de cambio de clave (key change pre-ceremony), which will be drafted and adjusted for presentation in advance of the proposed date for the key change. The key change is not a recurring operation of a Certification Authority and must be planned in accordance with the technical and regulatory conditions in force. The next key change is proposed to be carried out in the year 2030, unless a force majeure situation at the technical or regulatory level is identified.

5.7 Recovery in case of disaster

The notification requirements and the recovery procedures in case of compromise of the private key or because of disasters are the following:

5.7.1 Incident and vulnerability management procedures

Certicámara has defined the procedure for Incident Management that aims to resolve any incident that causes an interruption in the service in the fastest and most efficient way possible, thus the necessary resources have been provided.


Likewise, the methodology for the (critical) analysis of vulnerabilities in information assets has been defined, allowing the reduction of risks caused by the exploitation of technical vulnerabilities by (internal and/or external) personnel not authorized for that purpose, and the identification and treatment of threats that may affect the confidentiality, availability and integrity of the information assets exposed to the Internet.

a. Business continuity

Certicámara has set out and tested the Business Continuity Plan that defines the actions to be taken, resources to be used and personnel to be involved in the event of an intentional or accidental event that disables or degrades the resources and certification services provided by the Root CA or the Subordinate CA. The Business Continuity Plan includes the following aspects:

• Redundancy of the most critical components.

• The start-up of an alternative backup center, which has been set up by Certicámara at a distance of approximately 40 kilometers from its main operation center.

• The complete and periodic check-up of backup services.

In the event that the security of the provision of signature verification services of any of its certification authorities is affected, Certicámara will inform all known relying third parties in good faith about the unavailability of signed certificates and revocation lists. The service will be restored as soon as possible, according to the magnitude and impact of the incident that triggers the business continuity plan. Access to the list of revoked certificates must be restored within a term not exceeding 6 hours, since this service affects the operation of systems requiring digital signatures; the other services, which affect the request, issuance and distribution of digital certificates, will have a maximum recovery time of 72 hours.

The plan guarantees that Certicámara may keep providing essential services for the production of certificates in the presence of disasters, after identifying, evaluating, managing and minimizing any type of risk.

5.7.2 Alteration of hardware, software and / or data resources

The Root CA and Subordinate CA have a business continuity plan that allows them to continue operating if the hardware, software and/or data are altered (but not destroyed). Certicámara updates this plan from time to time in order to ensure its validity at all times.

The plan includes the necessary procedures to guarantee the continuity of the activity during the period of time elapsed between the disaster and the restoration of the original situation (giving priority to the publication of the CRLs).

5.7.3 Proceeding after the private key of an authority has been compromised

The business continuity plan of Certicámara treats the compromise, or suspected compromise, of its private key as a disaster, and it will be handled as a major incident in the continuity of the provision of digital certificate services.


5.7.4 Safety of the facilities after a natural disaster or any other disaster

The Root CA and the Subordinate CA have external locations where the backup copies are kept, to minimize the effects on the primary facilities in the event of a natural or other disaster.

5.8 Cessation of activity

In the event that Certicámara must, for any reason, cease its activities, the following shall be done:

a) Begin right away the procedure to authorize the cessation of activities before the Superintendence of Industry and Commerce and the National Accreditation Body of Colombia ONAC (by its acronym in Spanish) at least 30 days before the effective cessation of the activity.

b) Communicate the termination by sending an email addressed to all subscribers whose digital certificates remain valid and by publishing an advertisement in two newspapers of wide national circulation. The mentioned communication will be carried out at least 30 days before the effective cessation of the activity.

c) Whenever possible, try to make agreements with third parties to transfer all its obligations and rights within the certification system with the intention of continuing the service. If subrogation occurs, to which the subscriber expressly consents, this Certification Practice Statement will continue to be the document that establishes the relationships between the parties until a new document is defined in writing.

d) In the event that the transfer of rights and obligations to another entity is not carried out, proceed to the revocation of all the digital certificates once the two-month period has elapsed after the communication.

e) Compensate adequately those Subscribers who request it, when their Certificates are revoked prior to the expected term of validity, agreeing as the maximum limit for the compensation, the actual cost of the service, discounting pro rata the cost for the days elapsed from the beginning of the contract until the resolution date.

f) Any other obligation established by law.

g) Certicámara will send a work plan to the control and surveillance agencies for their respective approval, once such approval is confirmed, it will proceed with its execution.

6 Technical security controls

6.1 Generation and installation of key pair

6.1.1 Generating the key pair

The Root CA generates its key pair (public and private) using a cryptographic hardware device (HSM) that complies with the requirements established in a standardized protection profile for secure signature-creation devices of certification authorities, at FIPS 140-2 Level 3 or a higher security level, and the creation of the CA keys uses a pseudo-random number generation algorithm. The procedure for generating the keys of the subordinates accredited before Certicámara is identical, in their own HSM.


6.1.2 Delivery of the private key to the subordinate entity

The SUBORDINATE ENTITY is responsible for the generation of its key pair and therefore responsible for its safekeeping and custody.

6.1.3 Delivery of the public key to the subordinate entity

The public keys generated under the control of the SUBORDINATE ENTITY are sent to Certicámara as part of an accreditation request. This request is made in PKCS #10 format, digitally signed with the private key corresponding to the public key to be certified; verifying that signature is what proves that the requester holds the private key (proof of possession).

6.1.4 Availability of the public key

The public key of the root CA will be available at http://www.certicamara.com/ac_offline_raiz_certicamara_2016.crt 24 hours a day, 7 days a week continuously, unless a scheduled maintenance is notified.

6.1.5 Size of the keys

The cryptographic algorithm used by the Root CA to sign certificates is SHA256withRSA.

The length of the key with the RSA algorithm of the Root CA is 4096 bits, and those of the SUBORDINATE ENTITIES can be 2048 bits.

6.1.6 Parameters for generating the public key and quality verification

The root CA must generate its key pairs according to RFC 3280 and PKCS #1. The key generation algorithm is RSA. Quality verification is carried out in accordance with ETSI Special Report SR 002 176, which indicates the quality of electronic signature algorithms. The algorithms and signature parameters used by the root CA for the signature of electronic certificates and lists of revoked certificates are the following:

• Signature algorithm: RSA

• Parameters of the signature algorithm: modulus length = 4096/2048

• Key generation algorithm: rsagen1

• Padding method: EMSA-PKCS1-v1_5

• Hash function: SHA-256

6.1.7 Hardware/Software for key generation


The Root CA generates its key pair using a cryptographic hardware module (HSM). Authentication against the HSM requires at least 2 out of 3 operators. This procedure follows a K-of-N scheme, with the cryptographic device in non-persistent mode. In this mode, the last card of the set must remain physically inserted in the HSM reader in order to open the private key of the Root CA.

The synchronization of the clocks of the CA and the RA is based on the Legal Time of the Republic of Colombia [1], taken directly from the reference standards of the National Institute of Metrology (INM) of Colombia, in accordance with article 14 of Decree 4175 of 2011, by which some functions of the Superintendence of Industry and Commerce were split off and the National Institute of Metrology (INM) was created; since November 3, 2011 the INM has been in charge of maintaining, coordinating and disseminating the legal time of the Republic of Colombia, adopted by Decree 2707 of 1982. [2]

6.1.8 Generation of the key pair for the subscribers

The algorithm used to generate the subscribers' key pair is RSA with a length of not less than 2048 bits, using SHA-256 as the hash function. Subscribers generate their private key on USB token hardware devices that comply with FIPS 140 Level 3.

Purpose of using keys

The certificates issued by the Root CA include the KeyUsage extension to restrict the purpose of the public key of the certificate, indicating that the keys are only for:

o Certificate signing

o CRL signing

6.2 Protection of the private key

The private key of the Root CA is protected by a security scheme generated by a cryptographic device. In order to maintain the protection of the private keys of the self-signed certificate, the private key is never decrypted outside the HSM. Backup copies keep the private key secret in the same way that the original private key is protected.

6.2.1 Standards for cryptographic modules

The HSM used by the Root CA to generate its keys is FIPS 140-2 Level 3 certified.

The public key is stored in a signed electronic format, so that it is protected from electronic failures and/or problems with the electrical power supply.

Therefore, the implementation of a CA involves the following tasks:

• Initialization of the status of the HSM module.

[1] The legal time of the Republic of Colombia, according to Decree 2707 of 1982, corresponds to Coordinated Universal Time (UTC) minus 5 hours.

[2] The National Institute of Metrology, to comply with its functions, operates the time standard of the Republic of Colombia based on the signal issued by the set of caesium-133 atomic clocks located at the INM facilities, which was designated as the national time standard by article 15 of Resolution 41242 of 2013.


• Creation of administrator and operator cards.

• Generation of the CA keys.

6.2.2 Control "n" of "m" of the private key

The private key of the Root CA is under multi -person control.

This is activated by the initialization of the CA software through a combination of CA operators, HSM administrators and OS users. This is the only method for activating this private key.

6.2.3 Custody of the private key

The private key of the root CA and Subordinate CA is housed in a cryptographic device which complies with the requirements established in a standardized protection profile for secure signature-creation devices of certification authorities, in accordance with FIPS 140-2 Level 3. The remaining private keys, those of operators and administrators, are held in cryptographic smart cards in the possession of the administrators of each entity. The private key of Certicámara is not escrowed with a third party.

6.2.4 Backup of the private key

Backup copies of private keys are made with additional cryptographic devices. The cloning of the cryptographic material of an HSM is only feasible with the collaboration of a minimum of three HSM administrators, HSM operators, a Systems Administrator and the custodians of the cryptographic material.

6.2.5 File of the private key

The backup copies of the private keys are kept in custody, in encrypted form, in the alternate computing center. Backup copies of private keys are stored in fireproof safes.

6.2.6 Inserting the private key in the cryptographic module

Private keys are created within the cryptographic module at the time it is initialized. Subsequently, the private key generated within the HSM is exported in encrypted form.

6.2.7 Method for activating the private key

The only activation method for the private key is the use of smart cards to distribute access across different people and roles. Explicitly, the only combination that activates the private key requires two of three HSM administrators, three of eight HSM operators and one administrator of the application's operating system.
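The two-quorum rule above (two of three administrators and three of eight operators) is the K-of-N principle described in 6.1.7. The following Python example, added here for illustration, implements that principle with Shamir secret sharing over a prime field and models activation as the joint reconstruction of both card-set secrets. It is not the HSM vendor's card-set implementation, and the secrets, the SHA-256 commitment used to validate a reconstruction, and the card selections are constructed for the example. It also shows the property a practitioner should know: an under-quorum subset of cards yields a wrong value rather than an error, so the reconstruction must be checked against a commitment before anything is unlocked with it.

```python
"""K-of-N activation modelled with Shamir secret sharing.

Added illustration, not the HSM vendor's card-set scheme. The secrets
and the SHA-256 commitment used to validate a reconstruction are
constructed for this example.
"""
import hashlib
import secrets

PRIME = 2**127 - 1  # Mersenne prime; all share arithmetic is mod PRIME


def _eval_poly(coeffs, x):
    # Horner evaluation of a polynomial whose constant term is the secret.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int) -> list:
    """Split secret into n cards (x, y); any k of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(cards: list) -> int:
    """Lagrange interpolation at x = 0. With fewer than k cards this returns
    a wrong value silently, never an error: hence the commitment check below."""
    total = 0
    for i, (xi, yi) in enumerate(cards):
        num = den = 1
        for j, (xj, _) in enumerate(cards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def _commit(admin_secret: int, operator_secret: int) -> bytes:
    data = admin_secret.to_bytes(16, "big") + operator_secret.to_bytes(16, "big")
    return hashlib.sha256(data).digest()


class ActivationPolicy:
    """Two independent card sets; both quorums are required to activate."""

    def __init__(self, admin_k=2, admin_n=3, operator_k=3, operator_n=8):
        admin_secret = secrets.randbelow(PRIME)
        operator_secret = secrets.randbelow(PRIME)
        self.admin_cards = split_secret(admin_secret, admin_k, admin_n)
        self.operator_cards = split_secret(operator_secret, operator_k, operator_n)
        # Only the commitment is kept; the secrets themselves are discarded.
        self.commitment = _commit(admin_secret, operator_secret)

    def activate(self, admin_cards: list, operator_cards: list) -> bool:
        """True only when both reconstructed secrets match the commitment."""
        reconstructed = _commit(recover_secret(admin_cards), recover_secret(operator_cards))
        return secrets.compare_digest(reconstructed, self.commitment)


def demo() -> dict:
    """Exercise the quorum stated in the CPS: 2 of 3 administrators and 3 of 8 operators."""
    policy = ActivationPolicy()
    a, o = policy.admin_cards, policy.operator_cards
    return {
        "2 admins + 3 operators": policy.activate(a[:2], o[:3]),
        "3 admins + 8 operators": policy.activate(a, o),
        "any 2 admins + any 3 operators": policy.activate([a[0], a[2]], [o[1], o[4], o[7]]),
        "1 admin + 3 operators": policy.activate(a[:1], o[:3]),
        "2 admins + 2 operators": policy.activate(a[:2], o[:2]),
    }
```

In a real HSM the reconstructed value never leaves the module and the card-set logic is the vendor's; the commitment check here stands in for the module's own validation of the presented card set, and the operating-system administrator required by the section is outside this model.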

6.2.8 Method for deactivating the private key

An administrator of the operating system can proceed to deactivate the private key of the root CA and Subordinate CA. After it has been activated by the combination described in the previous section, the operator can proceed to the deactivation by stopping the Certification Authority application.


6.2.9 Method for destroying the private key

The Root CA and the Subordinate CA will delete their private key when their certificate expires or is revoked. The destruction is done using the established commands to physically erase, from the HSM memory, the area in which the key was recorded. The same applies to the backup copies.

6.2.10 Loss of validity of encryption systems

The following table illustrates the time it would take to find the private key for different types of attackers with the currently existing technology [3]:

RSA/DSA key size   Individual attacker   Small group   Academic network   Big company    Intelligence agency
274 bits           Weeks                 Days          Hours              Milliseconds   Microseconds
384 bits           Centuries             Decades       Years              Hours          Seconds
512 bits           Millennia             Centuries     Decades            Days           Minutes
768 bits           Non-viable            Non-viable    Non-viable         Centuries      Centuries
2304 bits          Non-viable            Non-viable    Non-viable         Non-viable     Millennia

The keys delivered by Certicámara to its subscribers are 2048-bit keys. As can be seen, with the technology and computational resources on the market, any attempt to recover the private key of a subscriber would take centuries, making it practically impossible. These estimates are those of the cited source; RSA moduli of 512 and 768 bits have since been factored in public academic efforts, so the rows for 512 and 768 bits should be read as historical. Notwithstanding the foregoing, if any circumstance, such as the discovery of new technologies, leads to an increase in the vulnerability of Certicámara's encryption systems, the measures necessary to restore the reliability of the Digital Certification System, including those detailed in this Certification Practice Statement, will be taken immediately by Certicámara.

6.2.11 Ranking of the cryptographic module

The cryptographic module used by both the root CA and the SUBORDINATE ENTITY must have the FIPS 140-2 level 3 certification.

6.3 Other aspects of key pair management

6.3.1 Public key file

The public keys of the Root CA and Subordinate CA are archived in the standard PKCS #7 format for a period of 20 years.

[3] Taken from "Digital Certificates" by Jalal Feghhi, Peter Williams.


6.3.2 Operating periods of the certificates and period of use for the key pair

The key pair of the root CA will be valid until Saturday, May 24, 2031. On the other hand, the periods of operation of the certificates will be ten years.

6.4 Activation data

6.4.1 Generation and installation of activation data

The activation data of the root CA and Subordinate CA must be generated and stored in smart cards. Protection is guaranteed by a PIN in possession of authorized personnel.

6.4.2 Activation data protection

Only authorized personnel have access to the cryptographic cards capable of activating the private keys of the CAs, as well as to the PINs necessary for their use. The personal access key (PIN) is confidential, personal and non-transferable, and is the parameter that protects the private keys and allows the use of the certificates of the Root CA and Subordinate CA; therefore, the following security rules must be observed for its safekeeping and use:

• The PIN is confidential, personal and non-transferable.

• It must be memorized and never written down in any physical or electronic document that is kept or transported with the smart card.

• The PIN must not be sent or disclosed to any person.

• Operators and administrators must change the PIN when they suspect that it is known by another person.

• It is recommended to change the PIN from time to time.

6.5 Security controls while handling personal computers

6.5.1 Specific technical requirements

In the 001-PO-SSI Information Security Policy document, Certicámara has defined the technical security controls applicable to computer equipment. These controls cover aspects such as the use of equipment, discretionary and mandatory access controls, audits, identification and authentication, labels, and security and intrusion tests.

6.5.2 Computer security ratings of Certicámara

Certicámara runs products certified at level E3 of the ITSEC standards.

6.6 Security controls of the life cycle

6.6.1 Systems development controls

The security requirements for the development of systems for the Root CA and the SUBORDINATE ENTITY are mandatory.

A security design analysis must be performed during the design and requirement-specification phases of any component to be used in the applications of the Root CA and Subordinate CA, in order to ensure that the systems involved are secure.


The technological infrastructure of the root CA and Subordinate CA must be equipped with clearly differentiated and independent development and production environments. Change control procedures should be used for new versions and updates.

6.6.2 Security management controls

The configuration of the systems must be audited periodically, and the growth in resource needs must be monitored according to demand.

6.6.3 Life cycle security ratings

Throughout the life cycle, security controls must be implemented to enable each phase of the Root CA and Subordinate CA systems to be implemented and audited.

6.7 Network security controls

The technological infrastructure of the Root CA and Subordinate CA has a network with all the necessary security mechanisms to guarantee a reliable and complete service. Firewalls or encrypted data exchange between networks are used to guarantee integrity. In addition, redundancy and high-availability technologies are used to guarantee reliability and high performance. Additionally, the infrastructure must be audited by internal and external persons of Certicámara from time to time.

6.8 Engineering controls of cryptographic modules

The Root CA and Subordinate CA use commercially available hardware and software cryptographic modules developed by third parties. The Root CA and Subordinate CA only use cryptographic modules with FIPS 140-2 Level 3 certification (nShield Solo 500, nShield Connect 1500, nShield Connect 6000).

7 Standards

7.1 Certificate Profile

The certificates of the root CA and the SUBORDINATE ENTITY are issued in accordance with the following standards:

• RFC 5280: Internet X.509 Public Key Infrastructure - Certificate and CRL Profile, May 2008.

• ITU-T Recommendation X.509 (2012): Information Technology – Open Systems Interconnection - The Directory: Authentication Framework

• ETSI TS 101 862 V1.3.3 (2006-01): Qualified Certificate Profile, 2006

• RFC 3739: Internet X.509 Public Key Infrastructure – Qualified Certificate Profile, March 2004 (TS 101 862 prevails in case of conflict)

7.1.1 Version number

Root CA and Subordinate CA support and issue X.509 version 3 certificates.


X.509 is a standard developed by the International Telecommunications Union (an international organization of the United Nations for the coordination of telecommunications network services between governments and companies) for Public Key Infrastructures and digital certificates.

7.1.2 Certificate extensions

The extensions of the certificates of the Root CA and Subordinate CA allow additional information to be encoded in the certificates. The standard X.509 extensions define the following fields:

• Subject Key Identifier

• Authority Key Identifier

• Basic Constraints. Marked as critical

• Certificate Policies. Marked as critical

• KeyUsage. Marked as critical

• CRL Distribution Point. Marked as critical

• Subject Alternative Name. Marked as critical

• Authority Information Access

The following are the fields of the certificates that are issued to subscribers:

• Date and time of signature

• Name of the document

• Subject

• Certification Entity

• Certificate Serial

• Thumbprint

• Certificate valid from

• Certificate valid until

7.1.3 Algorithm Object Identifiers (OID)

The OIDs of the cryptographic algorithms used by the Root CA are:


• SHA256withRSAEncryption (1.2.840.113549.1.1.11)
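The critical flags listed in 7.1.2 matter to relying parties because RFC 5280 requires a verifier to reject a certificate that carries a critical extension it does not recognise. The following Python block is an added example, not code from Certicámara or from this CPS: using only the standard library, it DER-encodes an Extensions SEQUENCE with the extension OIDs and critical flags listed above, decodes it back, encodes and decodes the sha256WithRSAEncryption OID from 7.1.3, and reports which critical extensions a verifier with a given set of implemented extensions would have to reject. The extension values are constructed placeholders (empty SEQUENCEs), and all function and variable names are the example's own.

```python
# Added example for sections 7.1.2 and 7.1.3 (not Certicámara's code); stdlib only.
# Encodes the Extensions SEQUENCE with the critical flags the CPS lists, decodes it
# back, and applies the RFC 5280 rule that an unrecognised critical extension forces
# rejection. Extension values are constructed placeholders, not real certificate data.
OID_NAMES = {  # RFC 5280 / PKCS#1 assignments for the identifiers named on the page
    "2.5.29.14": "Subject Key Identifier", "2.5.29.35": "Authority Key Identifier",
    "2.5.29.19": "Basic Constraints", "2.5.29.32": "Certificate Policies",
    "2.5.29.15": "Key Usage", "2.5.29.31": "CRL Distribution Points",
    "2.5.29.17": "Subject Alternative Name", "1.3.6.1.5.5.7.1.1": "Authority Information Access",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PAGE_EXTENSIONS = [  # (OID, critical) in the order section 7.1.2 lists them
    ("2.5.29.14", False), ("2.5.29.35", False), ("2.5.29.19", True), ("2.5.29.32", True),
    ("2.5.29.15", True), ("2.5.29.31", True), ("2.5.29.17", True), ("1.3.6.1.5.5.7.1.1", False),
]

def der_length(n):
    # Short form below 128; otherwise 0x80 | octet count followed by the big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def _base128(value):
    # 7-bit groups, most significant first, continuation bit set on all but the last
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(groups))

def encode_oid(dotted):
    # OBJECT IDENTIFIER: first two arcs packed into one octet as 40*a+b, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        body += _base128(arc)
    return der_tlv(0x06, bytes(body))

def decode_oid(content):
    # Inverse of encode_oid on the content octets (tag and length already stripped)
    first, value = content[0], 0
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    # Return (tag, content, position after this TLV); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def encode_extension(oid, critical, value):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    body = encode_oid(oid)
    if critical:  # DER omits a BOOLEAN equal to its DEFAULT, so FALSE is never encoded
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, value))

def build_page_extensions():
    # Extensions SEQUENCE for the page's list; an empty SEQUENCE stands in for each value
    placeholder = der_tlv(0x30, b"")
    return der_tlv(0x30, b"".join(encode_extension(o, c, placeholder) for o, c in PAGE_EXTENSIONS))

def parse_extensions(der):
    # Decode an Extensions SEQUENCE into [(dotted_oid, critical, value), ...]
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    parsed, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        tag, oid_bytes, p = read_tlv(ext, 0)
        critical, (tag2, content, p) = False, read_tlv(ext, p)
        if tag2 == 0x01:  # optional critical flag is present
            critical, (tag2, content, p) = content == b"\xff", read_tlv(ext, p)
        if tag != 0x06 or tag2 != 0x04:
            raise ValueError("Extension must be OID [, BOOLEAN], OCTET STRING")
        parsed.append((decode_oid(oid_bytes), critical, content))
    return parsed

def unknown_critical_extensions(der, understood):
    # RFC 5280 section 4.2: a relying party must reject a certificate with a critical
    # extension it cannot process; returns the offending OIDs (empty list = acceptable)
    return [oid for oid, critical, _ in parse_extensions(der) if critical and oid not in understood]

if __name__ == "__main__":
    der = build_page_extensions()
    for oid, critical, _ in parse_extensions(der):
        print(f"{oid:24} {OID_NAMES[oid]:30} critical={critical}")
    print("reject because of:", unknown_critical_extensions(der, {"2.5.29.19", "2.5.29.15"}))
```

Run as a script, it prints each extension with its name and critical flag, then the OIDs that a verifier implementing only Basic Constraints and Key Usage would have to reject: with the profile above those are Certificate Policies, CRL Distribution Points and Subject Alternative Name, which is the practical consequence of marking them critical.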

7.1.4 Name formats

The Root CA certificate contains, as distinguished names (DN) in X.500 format, the names of the issuer and the certificate holder in the issuer and subject fields.

7.1.5 Restrictions of names

The names contained in the certificates are restricted to X.500 distinguished names, which are unique and unambiguous.

7.1.6 Object Identifier (OID) of the certification policy

The root CA has an OID assignment policy defined within its private numbering tree. The OID of the PCs of the root CAs is: 2.5.29.32.1

7.2 Profile of the CRL and CRL with critical extension

7.2.1 Version number

The Subordinate CA issues CRLs in X.509 v2 format.

7.2.2 CRL Extensions

The extensions of the CRLs issued by the Root CA are those defined by the IETF in its RFC 2459, namely:

• Authority Key Identifier

• CRL Number

• Issuing Distribution Point

7.3 Online Certificate Status Protocol (OCSP) service for verifying the validity of digital certificates issued to subscribers

7.3.1 Specification

The validity status of a particular certificate issued to a subscriber can be verified by checking the certificate revocation list (CRL) or by using the Online Certificate Status Protocol (OCSP), which is implemented as set forth in RFC 6960.

7.3.2 Version

Version 1 of the OCSP protocol is used, as set forth in the RFC 6960.


7.3.3 Provision of the service by Certicámara S.A. and Extensions

• Certicámara will have the validation service at the URLs http://ocsp.certicamara.com and http://ocsp.certicamara.co.

• The OCSP protocol provided by Certicámara supports the standard extensions set forth in RFC 2459 and does not offer the use of custom extensions.

8 Compliance audit

8.1 Frequency of compliance controls for each entity

The accreditation system of the Root CA and Subordinate CA will be subject to a third-party audit on an annual basis, in accordance with the audit program defined by Certicámara. In this way, the conformity of its operation with the stipulations included in this CPS is ensured.

In addition, Certicámara will carry out internal audits at its own discretion or at any time, due to a suspicion of breach of a security measure or compromise of the keys.

Each year an external audit will be carried out to evaluate the degree of compliance with the AICPA / CICA WebTrust Principles and Criteria for Certification Authorities.

8.2 Auditors

The auditor will be selected at the time of each audit. Any company or person hired to perform a security audit on the Root CA or SUBORDINATE ENTITIES must comply with the following requirements:

• Proven experience in security audits in PKI, information security and risk-based audit processes.

• Independence at the organizational level from the Root CA authority, in the case of external audits.

8.3 Relationship between the auditor and the audited entity

The relationship between the auditor and the audited entity will be strictly limited to the processes and information required for the audit. Therefore, the audited party (root CA or the SUBORDINATE ENTITY) shall not have any relationship, current or planned, financial, legal, or of any other kind that could lead to a conflict of interest with the auditor. In the case of internal auditors, these may not have a functional relationship with the area subject to the audit.

8.4 Topics covered by the compliance control

All the technical, functional and organizational requirements are subject to audit:

• The CPS in use.


• Information Security Policy.

• Administration of the Root CA and Subordinate CA.

• Confidentiality considerations.

• Physical security.

• Backup Model.

• Business Continuity Plan.

• Operating Staff.

8.5 Actions to be taken in case of a deficiency

The identification of any anomaly in the audit will lead to the immediate adoption of corrective measures, to be completed in the shortest possible time. In the case of a serious deficiency, Certicámara may determine the temporary suspension of the operations of the Root CA or the Subordinate CA until the deficiencies are corrected, the revocation of the entity's certificate, changes in personnel, etc.

8.6 Informing the results

The auditor will communicate the results of the audit to the General Management of Certicámara and to those responsible for the different areas in which nonconformities are detected.

8.7 Last audit report

In compliance with the Specific Accreditation Criteria (CEA, for its acronym in Spanish) 4-1.10 published on the web page of ONAC, as an open digital certification entity Certicámara conducts an annual audit for the validation of the WebTrust for Certification Authorities seal of the AICPA / CICA WebTrust program.

The text of the last audit report is available at https://cert.webtrust.org/ViewSeal?id=2120.

9 Digital certificates issued by Certicámara

In order to address the different needs that arise in the context of the growing use of information and communications technologies, Certicámara issues various types of digital certificates.

9.1 Certificate of Representation of the Company / Entity

Issued to nationals or foreigners who have been fully identified before Certicámara with valid and current identity documents issued by the competent authority of the Republic of Colombia, or with equivalent documents issued by the competent authority of any Foreign State, linking them with the status of legal representative of a legal entity or State Entity.


The Certificates of Representation of the Company/Entity certify the identity of a natural person, linking it with the legal representation of a legal entity or a State Entity, or as a natural person trader in the scope of their professional or commercial activity. The Certificates of Representation of the Company/Entity have as subscriber both the natural person acting on behalf and in legal representation of a legal entity, and the legal entity represented, which also appears on the digital certificate.

Requirements for its issuance:

The applicant must fill out the form for the provision of digital certificate services for the Certificate of Representation of the Company/Entity type, attaching the following documents:

- Photocopy of ID: For Colombian citizens of legal age, a copy of the citizenship card; for minors, an identity card (in this case, the permit issued by the labor ministry must be attached). For foreigners, passport or alien registration card of the subscriber.

- Photocopy of the certificate of existence and legal representation with a validity no longer than 30 days, showing the link with the company, or equivalent document.

If the entity you represent is not private, attach a document that establishes your appointment as legal representative.

9.2 Certificate of Belonging to a Company / Entity

Issued to nationals or foreigners who have been fully identified before Certicámara with valid and current identity documents issued by the competent authority of the Republic of Colombia, or with equivalent documents issued by the competent authority of any Foreign State; it identifies them as a natural person linked to a certain business organization or State entity, but without having the legal representation of the same or the power to legally bind it. The subscribers of this type of digital certificate are: 1) the natural person who is able to provide sufficient proof, in the judgment of Certicámara, that there is a legal, labor or other relationship with the legal entity or State entity that will appear in the digital certificate; 2) the legal entity that appears on the digital certificate.

Requirements for its issuance:

The applicant must fill out the form for the provision of digital certificate services for the Certificate of Belonging to a Company / Entity type, attaching the following documents:

- Photocopy of ID:


For Colombian citizens of legal age, a copy of the citizenship card; for minors, an identity card (in this case, the permit issued by the labor ministry must be attached). For foreigners, passport or alien registration card of the subscriber.

- Certificate issued by the Legal Representative of the company or the Human Resources Manager, or whoever acts as such, indicating the employment relationship or the relationship that the subscriber has with the company.

- For the case of the tax auditor, certificate issued by the Legal Representative of the company or the Human Resources Manager, or whoever acts as such, indicating the employment relationship or the relationship that the subscriber has with the company, and/or certificate of existence and legal representation where the relationship with the company is established.

9.3 Certificate for Certified Professionals

Issued to nationals or foreigners who have been fully identified before Certicámara with valid and current identity documents issued by the competent authority of the Republic of Colombia, or with equivalent documents issued by the competent authority of any Foreign State, identifying them as a natural person linked to a professional title duly recognized in the Republic of Colombia or in a Foreign State, and who have obtained the corresponding registration, license, tuition or professional card required for the exercise of their profession in the Republic of Colombia or in a Foreign State. The subscribers of this type of digital certificate are natural persons who are able to provide sufficient proof, in the judgment of Certicámara, that they have obtained a professional title duly recognized in the Republic of Colombia or in a Foreign State, and that they have obtained the corresponding registration, license, tuition or professional card required for the exercise of their profession in the Republic of Colombia or in a Foreign State.

The Certificate for Certified Professionals does not guarantee the quality or suitability of the subscriber's professional practice.

Requirements for its issuance:

The applicant must fill out the form for the provision of digital certificate services for the Certificate for Certified Professional type, attaching the following documents:

- Photocopy of ID: For Colombian citizens of legal age, a copy of the citizenship card; for minors, an identity card (in this case, the permit issued by the labor ministry must be attached). For foreigners, passport or alien registration card of the subscriber.

- Photocopy of the Professional Card, professional registration, certification of registration, tuition or license granted by the entity or competent authority (where applicable), or authentic copy of the Diploma or Degree Certificate.


9.4 Certificate for Civil Servant Holder

Issued to nationals or foreigners who have been fully identified before Certicámara with valid and current identity documents issued by the competent authority of the Republic of Colombia, or with equivalent documents issued by the competent authority of any Foreign State, allowing them to be identified as a natural person and linking them as a public official belonging to a State entity in the Republic of Colombia.

The subscribers of this type of digital certificate are natural persons who are able to provide sufficient proof, in the judgment of Certicámara, that they have obtained the appointment or are legal holders of the position of notary, consul, judge of the republic, magistrate, registrar or public servant in the Republic of Colombia and that they are in exercise of it.

The Certificate for Civil Servant Holder does not guarantee the quality, suitability or effective fulfillment of the functions in charge of its holder. Certicámara does not guarantee that the subscriber of the Certificate for Civil Servant Holder has been subject to disciplinary, administrative, criminal or any other kind of sanctions in the Republic of Colombia or abroad. For the issuance of the Certificate for Civil Servant Holder, Certicámara considers the documentation submitted and the statements made by the subscriber. As long as the law or the applicable norms do not establish otherwise, the request for issuance of the Certificate for Civil Servant Holder is not mandatory for Public Function Holders. The issuance of the Certificate for Civil Servant Holder does not limit the subscriber from requesting other digital certificates.

Requirements for its issuance

The applicant must complete the form for the provision of digital certificate services for the Certificate for Civil Servant Holder type, attaching the following documents:

- Photocopy of ID: For Colombian citizens of legal age, a copy of the citizenship card; for minors, an identity card (in this case, the permit issued by the labor ministry must be attached). For foreigners, passport or alien registration card of the subscriber.

- Document of appointment, possession, credential and/or certification issued by the nominating or inspection, monitoring and control entity, or equivalent document certifying the employment relationship or provision of the service between the applicant and the public entity.

- In the cases where it is required, Certicámara may request the document that certifies the legal constitution of the entity in which the applicant provides his services.

9.5 Digital Certificate for Natural Persons

Issued to nationals or foreigners who have been fully identified before Certicámara with valid and current identity documents issued by the competent authority of the Republic of Colombia, or with equivalent documents issued by the competent authority of any Foreign State.

The Certificates for Natural Persons have as subscriber the natural person acting in his own name, who, in the judgment of Certicámara, sufficiently accredits his identity by submitting the documentation that proves it.

Requirements for its issuance


The applicant must fill out the form for the provision of digital certificate services for the Digital Certificate for Natural Persons type, attaching the following documents:

- Photocopy of the Unique Tax Registry – RUT (by its acronym in Spanish)

- Photocopy of ID: For Colombian citizens of legal age, a copy of the citizenship card; for minors, an identity card (in this case, the permit issued by the labor ministry must be attached). For foreigners, passport or alien registration card of the subscriber.

9.6 Digital Certificate for Legal Entity (entity-company)

The Digital Signature Certificate for Legal Entity (Entity - Company) is a type of Digital Certificate that identifies a legal entity of public or private law, a State entity or a legal entity registered in the commercial registry of the Chambers of Commerce, having the right to use a certain information system that will be programmed to sign, in an automated or manual way, in the name of that legal entity. Likewise, the natural person acting as legal representative of the legal entity will have the status of subscriber. Compliance with the following conditions is ensured jointly and simultaneously:

• That a specific legal entity has been identified as such and has requested the service through its legal representative, and that the legal entity may program an information system to digitally sign data messages, in bulk or individually, through electronic media in a legally binding manner.

In accordance with the regulations currently applicable to this case, the Digital Signature Certificate of the Legal Entity (Entity - Company) issued by Certicámara has the following characteristics:

• Compliance with the standards set by the Superintendency of Industry and Commerce (X509V3);

• Compliance with the conditions set out in article 28 of Law 527 of 1999, since there is no loss of uniqueness of the signature, nor loss of exclusive control, because the Subscribing User undertakes, in accordance with this CPS, to restrict access to the private key;

• Exclusive control refers to a person, natural or legal in accordance with the law; if the Digital Signature Certificate of Legal Entity (Entity - Company) is located in the machine of the entity, the legal person to whom it is issued is the one who controls the signature exclusively;

• In any case, under this CPS and the current Colombian regulations, it is the responsibility of the subscriber to keep the keys.

Because of the foregoing, a Digital Signature Certificate of Legal Entity (Entity - Company) issued by Certicámara provides the attributes of digital certification: Authenticity, Integrity and Non-repudiation.

Requirements for its issuance

The applicant must fill in the form for the provision of digital certificate services for the Digital Certificate for Legal Entity type, attaching the following documents:


- Photocopy of the identity document of the legal representative and technical contact: For Colombian citizens of legal age, a copy of the citizenship card; for minors, an identity card (in this case, the permit issued by the labor ministry must be attached). For foreigners, passport or alien registration card of the subscriber.

- Photocopy of the certificate of existence and legal representation with a validity no longer than 30 days, showing the link with the company, or equivalent document.

If the entity you represent is not private, attach a document that establishes your appointment as legal representative.

9.7 Certificate for time stamp

The certificate for time stamp is a type of Digital Certificate for internal use that identifies a stamping authority which is part of a Digital Certification entity. The time stamp service is a data message digitally signed by a Certification Entity, used to verify that the stamped message has not changed in a period that begins on the date and time when the chronological stamp service is provided and ends on the date on which the signature of the data message generated by the certification entity loses validity. That is, the chronological stamp has a validity associated with the validity of the digital signature of the service provider. The conditions of service are described in detail in the CPS for chronological stamping at http://www.certicamara.com/dpc/time-stamping-authority/GER-PO-006-DPC-Declaracion-de-practicas-de-certification-service-of-stamping-chronological-TSA-time-stamping-authority-Certicamara-April-2013.pdf. The certificate for time stamp is issued with the same validity as the Subordinate CA, and it will be renewed whenever changes are required in the stamp authority certification, as evaluated by the Certicámara security committee.

10 Issuance of digital certificates for special projects

Special projects that Certicámara S.A. may enter into with third parties are governed by an agreement on commercial and technical conditions that determines the details of prices, issue format, download method, validity and procedures in general. The contractual agreement will be formalized between Certicámara and the contractor, in order to ensure compliance with the provisions of the Certification Practice Statement in force at the time of signing the contractual agreement. Additionally, the parties may establish verification responsibilities and production processes for the digital certificates, guaranteeing the current legal framework as established by Colombian law and based on the needs of the client, according to the implementation of the digital certificate mechanism in the contracting system.

11 Rates

The value determined by Certicámara for the digital signature certificates is established according to the contractual conditions agreed with the applicants of the digital certificate service and will be properly calculated and settled by the product and service application system published by Certicámara on its website for the use of the applicants. In the absence of a current contractual agreement that establishes a special price condition, the base price of all digital signature certificates will be TWO HUNDRED AND FIFTY SIX THOUSAND COLOMBIAN PESOS ($ 256,000.00 plus VAT) for each year of validity of the service; said year of validity shall be paid in advance annually, unless the applicant chooses to pay more than one annuity or another early term.


Applicants will have the possibility of obtaining the applicable rates through the following link: https://solicitudes.certicamara.com/ssps/Solicitudes/AceptoLosTerminos.aspx, where, depending on the data entered by the applicant and according to the project and/or agreement to which they belong, the respective rate will be settled. For this purpose, they may access the Product and Service Request System through the Certicámara website, www.certicamara.com, to generate the application form and the corresponding Order Form and start the acquisition process.

The value for replacing the PJEE digital signature certificate will be ONE HUNDRED AND EIGHTY FOUR THOUSAND COLOMBIAN PESOS ($ 184,000 PLUS VAT). For the other types of certificates, the replacement value will be EIGHTY NINE THOUSAND COLOMBIAN PESOS ($ 89,000.00 plus VAT) for replacements generated on a token and SIXTY THOUSAND COLOMBIAN PESOS ($ 60,000.00 plus VAT) for centralized signatures. These values apply to cases attributable to the subscriber.

11.1 Reimbursement Policies for Subscribers

The subscribers of digital certificates may request a refund in the following cases:

When a deposit is made for a value greater than that established: in this case the administrative and financial management carries out the necessary validations to confirm the additional payment. If the validation is successful, the respective reimbursement will be made to the entity or person who made the request.

When a digital certificate is requested and does not apply to the subscriber: the Operations Directorate verifies the digital certificates issued to the subscriber, and if this validation confirms that the digital signature certificate is not required, the administrative and financial management is authorized to proceed with the reimbursement.

12 Obligations of the Participants

12.1 Obligations of Certicámara

Certicámara has the following obligations while providing the services:

a) Implement and maintain security systems that are reasonable for the service provided and, in general, the infrastructure necessary for the provision of the Digital Certificate service.

b) Comply with the Certification Practice Statement (CPS) and with the agreements made with subscribers.

c) Inform the subscriber of the characteristics of the service provided, the limits of liability, and the obligations assumed as a participant in the digital certification process. In particular, Certicámara must inform the subscriber, or the third parties requesting it, about the time and computing resources required to validate a digital signature made with the certificates signed and issued to its subscribers.

d) Verify, directly or through the Registration Entities duly accredited before Certicámara, the information defined in this Certification Practice Statement as verifiable for the issuance of digital certificates.

e) Refrain from accessing or storing the subscriber's private key.


f) Maintain custody of the hardware of the digital certificate until its effective delivery to the subscriber (if applicable).

g) Allow and facilitate the performance of audits by the ONAC.

h) Issue digital certificates in accordance with the provisions of the procedure section for the issuance of digital certificates of this Certification Practice Statement, and the specifications agreed upon by the subscriber in the subscription contract.

i) Publish the digital certificates issued and keep the Record of Issued Certificates.

j) Inform the ONAC of the occurrence of any event established in the Certification Practice Statement that compromises the provision of the service.

k) Inform the ONAC of the introduction of new requirements or changes in the PKI infrastructure that may affect the provision of the service.

l) Notify the subscriber of any change in the status of his or her digital certificate, explaining the reasons for the decisions made in accordance with the provisions of the Certification Practice Statement.

m) Maintain control and confidentiality of its private key and establish reasonable assurance that it is not divulged or compromised.

n) Diligently procure the permanent and uninterrupted provision of digital certificate services.

o) Allow subscribers, relying parties and third parties access to this Certification Practice Statement and to the repository of the Certification Entity.

p) Update the Database of revoked digital certificates in the terms established in this Certification Practice Statement and post notices and publications established by law.

q) Revoke the digital certificates that are required in accordance with the provisions of section 4.7 of this Certification Practice Statement.

r) Inform the subscriber, within 24 hours, of the suspension of the service or the revocation of his or her digital certificate(s), according to the current regulations.

s) Remove administrators or representatives who fall under the grounds established in letter c of article 29 of Law 527 of 1999.

t) Keep a customer service line available to subscribers and third parties for queries and for prompt requests by subscribers for the revocation of certificates.

u) Provide the information required by the competent administrative or judicial entities in relation to digital signatures and digital certificates issued and in general on any data message that is under its custody and administration.


v) Preserve the documentation that supports the digital certificates issued, whether physically or electronically, for the term provided in the law for the records of traders, and take the necessary measures to guarantee its integrity and confidentiality.

w) Address the requests, complaints and claims made by the subscribers, in accordance with the provisions of this Certification Practice Statement.

x) Provide the information given by the subscriber according to the provisions set out in the Certification Application section of this Certification Practice Statement.

y) Comply with the Specific Accreditation Criteria (CEA by its acronym in Spanish) 4-1.10 published on the ONAC website.

z) Inform about the security measures that subscribers of digital signatures and certificates must consider for the use of these mechanisms.

aa) Certicámara will provide the digital certificate service to any applicant that meets the requirements established in this CPS and current legal standards, without any discrimination; however, Certicámara may decline the request for digital certification from the applicant or subscriber when there is evidence of participation in illegal activities.

bb) Comply with the provisions of Statutory Law 1581 of 2012 on the Protection of Personal Data and its implementing regulations; the personal data provided will be processed according to the procedures that Certicámara S.A. has defined for that purpose and for the purpose of issuing a Digital Certificate service or services related to it.

cc) Notify the subscriber in advance about subcontracting activities in order to give the opportunity to object in accordance with the Colombian regulations in force; to this end Certicámara has a system on its website for receiving Petitions, Complaints, Claims, Suggestions and Appeals (PQRSS).

dd) The critical suppliers hired to provide the datacenter service comply with the minimum requirements established in the document of Specific Accreditation Criteria (CEA by its acronym in Spanish) 4-1.10 published on the ONAC website.

Compliance with all or part of the obligations or procedures for the issuance of digital certificates, or the general provision of the digital certificate service, may be carried out directly by Certicámara or through its Registration Entities. CERTICÁMARA DOES NOT HAVE ADDITIONAL OBLIGATIONS TO THOSE PROVIDED IN THIS SECTION, NOR SHALL IT BE UNDERSTOOD THAT THERE ARE ANY IMPLIED OBLIGATIONS ADDITIONAL TO THOSE EXPRESSLY ENFORCED IN THIS CERTIFICATION PRACTICE STATEMENT.

12.2 Obligations and conditions of the subscriber

The subscriber has the following obligations before Certicámara and third parties:

a) Use the private key and the digital certificate issued only for the purposes established, and in accordance with the conditions established in the contract entered into individually, in this Certification Practice Statement, and in the digital certificate delivered. The subscriber will be responsible for any improper use that he or third parties make of it.


b) Use the private key and the digital certificate to sign data messages, explaining to the relying parties in what capacity the signature is made (either as a natural person or as a natural person linked to a certain quality at the time of issuing the digital certificate), as long as the information system of the relying party does not verify the quality in which the subscriber is acting. The data message or electronic document that the subscriber signs with his digital certificate will determine the context of the quality in which the subscriber signs, and whether or not he is using the quality associated with the digital certificate (if applicable).

c) Ensure the custody of the private key and its hardware (if applicable), avoiding its loss, disclosure, modification or unauthorized use. In particular, regardless of the circumstance, the subscriber must refrain from writing the activation code or private keys on the physical format of the digital certificate, on any other document that the subscriber keeps or carries, or on the hardware itself.

d) Request the revocation of the digital certificate that has been delivered when any of the cases foreseen for the revocation of the digital certificates occur.

e) Refrain in all circumstances from disclosing the private key or the activation code of the digital certificate, and from delegating its use to third parties.

f) Guarantee that all the information contained in the digital certificate is true, and notify Certicámara immediately if any incorrect or inaccurate information has been included or if, for any subsequent circumstance, the digital certificate information does not match reality. Likewise, immediately communicate any change or variation in the data provided to obtain the digital certificate, even if that data was not included in the digital certificate itself.

g) Immediately inform Certicámara about any situation that may affect the reliability of the digital certificate, and initiate the revocation procedure of the digital certificate when necessary. In particular, immediately notify the loss, theft or falsification of the hardware, and any attempt at the same, as well as any knowledge by other people of the activation code or private keys, requesting the revocation of the digital certificate in accordance with the procedure established in the Certification Practice Statement.

h) Destroy the hardware when required by Certicámara, when it has been replaced by another for the same purposes, or when the period of service of the digital certificate with Certicámara ends, in any case following the instructions of Certicámara.

i) Return the hardware of the digital certificate when required by Certicámara.

j) Respect the industrial and intellectual property rights of Certicámara and third parties in the application for and use of digital certificates. Certicámara will not include in the digital certificate information that could constitute a violation of the intellectual or industrial property rights of Certicámara or of third parties.

k) Any other obligation that derives from the law, the content of this Certification Practice Statement or the Certification Practice.

l) Refrain from monitoring, altering, reverse engineering or interfering in any other way with the provision of digital certificate services.

m) Refrain from using the digital certificate in situations that may cause a bad reputation and damages to Certicámara.


n) Refrain from using any advertising material that contains a reference to the digital certificate service provided by Certicámara immediately after its suspension, cancellation or termination, and undertake the actions required by the digital certificate service and any other measure required.

o) Inform, in media such as documents, brochures or advertisements, about the digital certificate service, emphasizing that it complies with the requirements specified in the digital certification policies.

p) Comply with the requirements established by the digital certificate service in relation to the use of trademarks in the provision of services and, consequently, guarantee the trademark rights held by Certicámara.

q) The subscriber shall inform Certicámara S.A about the changes in its technological infrastructure that may affect the use of the digital certificate services issued by Certicámara S.A.

THE SUBSCRIBER MAY USE HIS CERTIFICATE TO: (I) IDENTIFY HIMSELF AS A NATURAL PERSON, OR (II) ASSOCIATE HIS PERSONAL IDENTIFICATION TO A SPECIFIC QUALITY VERIFIED BY CERTICÁMARA AT THE MOMENT OF ISSUING THE DIGITAL CERTIFICATE (IF APPLICABLE). THE USE OF THE DIGITAL CERTIFICATE IN ONE OR ANOTHER CASE WILL DEPEND DIRECTLY ON THE CONTEXT IN WHICH THE DIGITAL CERTIFICATE IS BEING USED AND ON WHETHER THE INFORMATION SYSTEM OF THE RELYING PARTY IS ABLE OR NOT ABLE TO VERIFY THE IDENTIFICATION OF THE SUBSCRIBER. THE ELECTRONIC DOCUMENT OR DATA MESSAGE DIGITALLY SIGNED BY THE SUBSCRIBER WILL SET THE CONTEXT IN WHICH THE SUBSCRIBER MAKES USE OF THE CERTIFICATE AND WHETHER OR NOT HE OR SHE USES THE QUALITY ASSOCIATED TO THE DIGITAL CERTIFICATE.

IN THE EVENT THAT THE INFORMATION SYSTEM OF THE RELYING PARTY IS NOT ABLE TO VERIFY THE IDENTIFICATION OF THE SUBSCRIBER AND /OR ASSOCIATE IT OR LINK IT WITH A SPECIFIC QUALITY, IT IS THE EXCLUSIVE RESPONSIBILITY OF THE SUBSCRIBER TO INFORM THE RELYING PARTY HOW TO USE THE DIGITAL CERTIFICATE.

12.3 Obligations of the relying party

The Digital Certification System of Certicámara includes the use of a set of elements integrated around the provision of a service to both subscribers and those who use and rely on digital certificates issued by Certicámara. When a third party trusts a digital certificate, it accepts to use this system in its entirety and therefore accepts to abide by the rules established for it, which are contained essentially, but not exclusively, in this Certification Practice Statement. That third party becomes a participant in the Digital Certification System as a relying party, and therefore assumes the obligations set forth below:

Verify the reliability of the digital signature and the digital certificate, especially checking that the certificate is not in the database of revoked digital certificates of Certicámara, available on the website of Certicámara or in the offices of Certicámara. The reliability of the digital signature and the digital certificate shall in all cases be assessed in accordance with the provisions of the Reliability of digital certificates and signatures section.

Accept and acknowledge the exclusive use of digital certificates in accordance with the provisions of the Use of digital certificates section.

Be aware in detail of, and comply at all times with, the Certification Practice Statement in the use of digital signatures and digital certificates of Certicámara. In particular, the relying party must keep in mind and act at all times in accordance with the limitations of liability and guarantees offered by Certicámara.


Inform Certicámara of any irregularity, or suspicion of one, that arises with the use of the Digital Certification System.

Refrain from monitoring, altering, reverse engineering or interfering in any way with the provision of digital certificate services.

12.3.1 Reliability of signatures and digital certificates

The Digital Certification System of Certicámara is a system built on the basis of strict compliance with its policies and procedures. The trust built among its participants depends directly on their compliance. All participants shall cooperate to build trust in the digital certification system, following at all times the established policies and procedures.

12.3.2 Reliability of digital signatures

Before being able to rely on a digital signature certified by Certicámara, the relying party is required to strictly follow the indications specified below:

1. The relying party shall determine the reliability of the digital certificate, as stipulated in the following section.

2. The relying party shall verify that the digital signature was created within the period of validity of the digital certificate and that the certificate is not revoked.

3. The relying party shall take into account all other policies and procedures that govern the activity of Certicámara and that are specified in its Certification Practice Statement.

12.3.3 Reliability of the digital certificate

The relying party shall follow the indications listed below if it intends to rely on a digital certificate issued by Certicámara:

The relying party shall verify that the digital certificate has not expired, in accordance with the validity dates stated therein.

The relying party shall verify that the digital certificate is not found in the database of revoked digital certificates of Certicámara that is published on the website of Certicámara. In any case, and without exception, it is forbidden to determine the revocation status of a digital certificate based on information other than that of the revoked digital certificate database.

The reliability of the digital certificate depends on it being digitally signed by Certicámara. The relying party can verify the digital signature of Certicámara against the root certificate, which contains the public key of Certicámara and is available on the website of Certicámara.
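Sections 12.3.2 and 12.3.3 together amount to three concrete checks a relying party must make before accepting a signature: the certificate chains to the CA's root, the signing time falls inside the certificate's validity window, and the certificate's serial is absent from a revocation list that the CA itself signed (and from no other source). The following Go program is an added example, not code from this CPS or from Certicámara, that implements those checks with the standard library's crypto/x509 package. It constructs a throwaway PKI (one root CA, a valid subscriber certificate, a revoked one and a CRL) purely to exercise the check; the names, serial numbers and dates are made up, and the program assumes Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// One error per check the CPS asks the relying party to perform.
var (
	ErrBadChain        = errors.New("certificate is not signed by the trusted root")
	ErrOutsideValidity = errors.New("signing time is outside the certificate's validity period")
	ErrBadCRL          = errors.New("CRL is unparsable or not signed by the trusted root")
	ErrRevoked         = errors.New("certificate serial is listed in the CRL")
)

// RelyOn performs the relying-party check: the subscriber certificate must chain to
// the trusted root, signedAt must fall inside its validity window, and its serial must
// be absent from a CRL signed by that same root. Revocation status is read only from
// the CRL, matching the CPS rule that no other source may be used for it.
func RelyOn(root, leaf *x509.Certificate, crlDER []byte, signedAt time.Time) error {
	if err := leaf.CheckSignatureFrom(root); err != nil {
		return ErrBadChain
	}
	if signedAt.Before(leaf.NotBefore) || signedAt.After(leaf.NotAfter) {
		return ErrOutsideValidity
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return ErrBadCRL
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return ErrBadCRL
	}
	// RevokedCertificates is the entry list that compiles on Go 1.19 and later.
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer and returns the parsed certificate (parent == tmpl for the root).
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Fixture is a constructed, throwaway PKI used only to exercise RelyOn.
type Fixture struct {
	Root, Good, Revoked *x509.Certificate
	CRL                 []byte
	Now                 time.Time
}

// NewFixture builds the constructed PKI; names, serials and dates are made up.
func NewFixture() *Fixture {
	now := time.Date(2018, time.March, 15, 12, 0, 0, 0, time.UTC)
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.AddDate(-1, 0, 0),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	subscriber := func(serial int64) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "Constructed Subscriber"},
			NotBefore:    now.AddDate(0, -1, 0),
			NotAfter:     now.AddDate(1, 0, 0), // one year of validity
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		}, root, &key.PublicKey, rootKey)
	}
	good, revoked := subscriber(1001), subscriber(1002)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Hour)}},
	}, root, rootKey))
	return &Fixture{Root: root, Good: good, Revoked: revoked, CRL: crlDER, Now: now}
}
```

The order of the checks matters: the CRL is only consulted after the chain check has passed, because a CRL signed by anything other than the trusted root proves nothing about the certificate's status. A production verifier would additionally check the CRL's NextUpdate against the current time so that a stale list is not accepted.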

The use of a digital certificate by any participant in the Digital Certification System is subject to strict monitoring of the rules included in:

The contract signed with each subscriber of the digital certificate service, which includes the general contracting conditions of the digital certificate services of Certicámara S.A., whose clauses can be found in the application form (https://solicitudes.certicamara.com/ssps/Solicitudes/AceptoLosTerminos.aspx).

This Certification Practice Statement, in relation to digital signatures issued through their digital certificates. The relying party shall consider them whenever it intends to rely on a digital certificate.


12.4 Obligations of External Approval Entities

The external approval entities are required to comply with the provisions established in this Certification Practice Statement and with the requirements of the current Colombian legal framework, according to their function of approving the issuance of digital certificates. Any external approval entity must have a valid contract with Certicámara and must establish its responsibility for the mechanisms of identification and authentication of requests, adjusting to what is established by the legal, normative, procedural and technical frameworks defined by Certicámara and by the entities that exercise control and surveillance over the approval of applications for digital certificates.

Certicámara shall establish the technological mechanisms that allow the external entity to communicate in a secure manner, so that the approval can be processed appropriately. Certicámara will determine whether the external approval entity provides the levels of compliance established contractually, without prejudice to the highest standards in force at the legal, technical, operational and procedural levels for the approval process. These standards will be available for study and comparison in the management systems of Certicámara, which allow access according to their confidentiality classification, and in any case they will be available to the auditing and control bodies if required.

13 Responsibility of the participants

13.1 Responsibility of Certicámara

a) The obligations of Certicámara listed in the Obligations of Certicámara section are obligations of means and not of result. This means that Certicámara will use its knowledge and experience in the provision of the digital certificate service, and will respond professionally for slight fault in its actions as a Digital Certification Entity. Certicámara cannot assure that the certification activity has a certain result. Certicámara will only be accountable for those errors that, having occurred, could have been avoided through its professional diligence.

b) Damages caused by or related to the non-execution or defective execution of the obligations of the subscriber, the relying party or both shall be borne by them, as well as any damage that may be caused by the improper use of the digital certificates or by violations of the limitations of use established in the certificate, in the Use of digital certificates section, or in any other document governed by the Digital Certification System.

c) Certicámara will not be accountable for damages caused by the breach of its obligations in cases of force majeure, fortuitous events or, in general, any circumstance over which Certicámara cannot have reasonable control, including but not limited to the following: natural disasters, disturbances of public order, power outages or phone disruptions, computer viruses, deficiencies in telecommunications services (Internet, communication channels, etc.) or the compromise of the asymmetric keys arising from unpredictable technological risk.

d) Regardless of the cause or origin of its responsibility, Certicámara sets the amounts for the compensation of damages caused per digital certificate issued, based on the provisions of the professional civil liability policy. Consequently, Certicámara will only compensate the people harmed by a digital certificate issued by it up to that amount, regardless of the number of times it has been used or the number of people harmed by said uses. In the event that there are several injured parties, the maximum compensable amount will be distributed pro rata among them. If the compensation has already been distributed and new injured parties arise, they should direct their claims against the persons already compensated for the purpose of obtaining pro rata compensation.


e) Certicámara will only be accountable for damages caused by the use of the digital certificate services within the year following the expiration or revocation of the digital certificate. Certicámara does not offer any type of guarantee that is not expressly stipulated in this Certification Practice Statement, nor will it respond for an event that is not expressly contemplated in this section.

f) In the event that the laws applicable to the digital certificate service establish the impossibility of limiting liability in any of the aspects described herein or elsewhere in this Certification Practice Statement, these clauses will be given the broadest scope allowed by law regarding the limitation of the responsibility of Certicámara.

g) Certicámara S.A., as an Open Digital Certification Entity in the Colombian territory, may carry out the reciprocal certification process pursuant to the provisions of article 43 of Law 527 of 1999 and article 13 of Decree 333 of 2014, when a foreign Certification Entity requests Certicámara S.A. that its digital signature certificates be recognized under the same terms and conditions required in the Colombian legal system for the issuance of certificates by national certification entities. For this purpose, Certicámara S.A. has defined a Reciprocal Certification Procedure, which must be followed by those interested in carrying out said reciprocity. The foreign certification entity must comply with the Specific Accreditation Criteria in force at the time of carrying out the aforementioned procedure.

h) Certicámara has identified, analyzed and evaluated the risks that may affect the objectivity and impartiality of the provision of the digital certificate service. For this reason it reports the actions taken in order to minimize any situation that may put at risk the objectivity and impartiality of the provision of its services:

To prevent risks of misleading advertising, our website (https://web.certicamara.com/productos-y-servicios/) is designed to help our clients and/or subscribers clearly identify that our products and/or services are accredited before the national accreditation body (ONAC).

To prevent risks when contracting Datacenter services, the suppliers that provide this service are managed (selected, hired and evaluated) according to the provisions of our supplier management procedure, in order to ensure compliance with the admissible technical requirements defined in the specific accreditation criteria.

13.2 Responsibility of the subscriber

In accordance with the provisions of Article 40 of Law 527 of 1999, the subscriber will be responsible for, and agrees to indemnify, Certicámara and the relying parties for the damages that may be caused or incurred by the breach of any of its obligations, also assuming the legal expenses that Certicámara could incur for this cause, including legal fees.

The custody of the hardware (smart card, token, hard disk, USB or other, whether supplied by Certicámara or not) of the digital certificate is the sole responsibility of the subscriber. The subscriber will be solely responsible before the relying parties and before Certicámara for all damages caused by the falsehood, inaccuracy or insufficiency of the information delivered to Certicámara or to the Relying Party, regardless of the cause for which the false, inaccurate or insufficient information was delivered. The subscriber will assume the damages suffered as a result of fortuitous events or force majeure.

In the event that the information system of the relying party does not perform the verification automatically, it will be the sole responsibility of the subscriber to inform the relying party about the condition or quality in which the digital certificate is being used, and therefore Certicámara will not have any responsibility to the relying party, nor to third parties, for information on the condition or quality in which the respective subscriber is using the digital certificate, as it derives directly from its context. The subscriber is solely responsible for the obligations arising from the operations or legal transactions carried out with the digital certificates, exonerating Certicámara from any responsibility thereof.

13.3 Responsibility of the relying party

In any case, the relying party will assume all the responsibil ity and risks arising from the acceptance of a digital certificate

without having previously verified its reliability, or without having followed the procedures established in this Certification Practice Statement, guaranteeing full indemnity of Certicámara for that matter. The relying party will assume the damages suffered as a result of fortuitous events or force majeure.

14 Guarantees offered by Certicámara for fulfilling its obligations

a) In accordance with the provisions of numeral 5 of article 7 and article 9 of Decree 333 of 2014, Certicámara has signed an insurance policy with an insurance company authorized under Colombian legislation, which covers the contractual and non-contractual damages of subscribers and third parties in good faith exempt from fault arising from errors and omissions, or acts of bad faith, of the administrators, legal representatives or employees of Certicámara in the development of their activities.

b) The general conditions of the policy are available at https://web.certicamara.com/garantias/p%C3%B3liza-de-responsabilidad-civil/, including updated information on the policy. Likewise, the civil liability policy is available through our contact form https://web.certicamara.com/contactenos/formulario-de-contacto/, by selecting the subject related to your query: CONSULTATION OF THE CIVIL RESPONSIBILITY POLICY.

15 Confidentiality policy

The Root CA and Subordinate CA undertake to protect all data to which they have access as a result of their activity as a certification entity.

However, Root CA and Subordinate CA reserve the right to disclose to employees and external or internal consultants, the confidential data necessary to perform their activities as Root CA and Subordinate CA. In this case the employees and/or consultants are informed about the confidentiality obligations.

These obligations do not apply if the information, classified as “confidential”, is required by the Courts or competent administrative bodies or imposed by law.

The confidential information of the subscriber of digital certificate services may be disclosed at the request of the latter, as the owner thereof.

15.1 Confidential information

The following information is regarded as confidential:

Private keys of the Root CA and Subordinate CA of Certicámara S.A.

Guide Document of the Key Generation Ceremony.

The business information provided by suppliers and other persons with whom Certicámara has a duty to keep secrecy, established in a legal or contractual manner.

Information resulting from consultations carried out at risk centers or other private entities or the public sector.

Labor information that contains the information related to the subscriber's salary.

All the information that is sent to Certicámara and that has been labeled as "Confidential" by the sender.

15.2 Non-confidential information

The following information is regarded as non-confidential:

The content of issued certificates

Certificate Revocation List (CRL)

The public key of the Root CA and Subordinate CA

The versions of the CPS

Note. All personal data of the subscriber related to the registration of certificates are treated according to the Personal Data Protection policy defined by Certicámara for this purpose and in compliance with the provisions of Statutory Law 1581 of 2012 "Protection of Personal Data."

16 Headquarters

Bogotá Address: Carrera 7 Nº 26-20 Floors 18 and 19 Positiva Building

Telephones: 3790300 – 7442727 E-mail: [email protected]

17 Petitions, complaints, claims, requests and suggestions (PQRSS)

If you or anyone else has any petition, complaint, claim, suggestion or appeal against any of the services or activities of Certicámara, please contact our headquarters in Bogotá, submit your request through our website, or contact our online customer service.

Address: Carrera 7 Nº 26-20 Floors 18 and 19 Seguros Tequendama Building

E-mail: [email protected]

Responsible: Customer Service Director

Certicámara provides technical support through:

Toll Free Line: 018000181531

Bogotá Support Line: 7442727 Option 2

The website www.certicamara.com provides:

Training videos and installation manuals

Online technical support

Technical support via email: [email protected]

Frequently asked questions

PQRSS system

If explanations are required about the application of the Certification Practice Statement (CPS) or any certification policy (CP) defined in this document for a specific digital certificate service, please direct your inquiry to [email protected].

18 Dispute resolution procedures

All differences arising between the parties entering into this contract, during its execution or in its interpretation, will be resolved between the Holder of the Digital Certificate and Certicámara S.A. in the first instance by means of conciliation, settlement or friendly discussion, for which the dissatisfied party will send a duly substantiated written communication to the other PARTY, who will evaluate the reasons for disagreement and send a response within five (5) business days from the date of receipt (it will be the responsibility of the party sending the communication to ensure that the other party receives it, taking into account parameters of security and integrity of the information). If fifteen (15) days pass after the aforementioned term and the difference(s) persist, they will be resolved by an Arbitration Court, regardless of the nationality of the holder of the Digital Certificate, which will be subject to the current regulations on the subject and will be governed especially by the following rules:

a) The Court shall consist of one (1) arbitrator appointed by THE PARTIES by mutual agreement. If this is not possible, the appointment will be delegated to the Director of the Arbitration and Conciliation Center of the Chamber of Commerce of Bogotá, who will appoint the arbitrator according to the regulations of said Center. When accepting the appointment, the arbitrator must express in writing to THE PARTIES his or her independence and impartiality to act as arbitrator of the dispute.

b) The arbitrator must be a Colombian lawyer, registered in the lists of arbitrators of the Arbitration and Conciliation Center of the Chamber of Commerce of Bogotá.

c) The internal organization of the Court shall be subject to the rules provided for this purpose by the Arbitration and Conciliation Center of the Chamber of Commerce of Bogotá, in matters not regulated in this clause.

d) The Court shall sit in the city of Bogotá, at the Arbitration and Conciliation Center of the Chamber of Commerce of Bogotá.

e) The Court shall decide by law and its award shall have the effect of res judicata of last resort and, consequently, shall be final and binding on THE PARTIES.

f) The costs incurred in convening the Court will be borne by the losing PARTY.


19 Intellectual Property

The subscriber must respect and comply with the regulations on intellectual property, which include both industrial property and copyright. For this purpose, it will comply with the provisions of the Commercial Code, Decision 486 of 2000, Decision 351 of 1993 and other rules complementary to these matters.

20 Acronyms

CA: Certification Authority

CC: Common Criteria

CP: Certification Policies

CPS: Certification Practice Statement

CRL or LCR: Certificate Revocation List

ETSI: European Telecommunications Standards Institute

FBCA: Federal Bridge Certification Authority

FIPS: Federal Information Processing Standards

HSM: Hardware Security Module

IEC: International Electrotechnical Commission

IETF: Internet Engineering Task Force

IOFE: Official Electronic Signature Infrastructure

ISO: International Organization for Standardization

LDAP: Lightweight Directory Access Protocol

OCSP: Online Certificate Status Protocol

ONAC: National Accreditation Agency of Colombia

OID: Object Identifier

PKCS: Public-Key Cryptography Standards

PKI: Public Key Infrastructure

RFC: Request for Comments

RSA: Rivest, Shamir and Adleman

RUE: Single Business and Social Registry of the Chamber of Commerce

SHA: Secure Hash Algorithm

SSPS: Application System for Products and Services

URL: Uniform Resource Locator

21 References

REFERENCE: LINK

ANSI: Directory: http://www.ansi.org/

Common Criteria: Directory: http://www.commoncriteriaportal.org/

CWA: http://www.cen.eu/cen/Sectors/Sectors/ISSS/CWAdownload/Pages/Electronic%20Signatures.aspx

European Telecommunications Standards Institute - ETSI TS: Directory: http://www.etsi.org/index.php

Federal Information Processing Standard - FIPS: https://www.nist.gov/itl/popular-links/federal-information-processing-standards-fips

Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, November 2003: Directory: https://www.ietf.org/rfc/rfc3647.txt (txt file)

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, May 2008: https://www.ietf.org/rfc/rfc5280.txt (txt file)

ONAC - Specific Accreditation Criteria for Digital Certification Entities CEA-4.1-10 Version 01, Technical Committee - Board of Directors, Bogotá, Colombia, August 2015: http://www.onac.org.co/modulos/contenido/default.asp?idmodulo=235

Request for Comments - RFC:

http://www.normes-internet.com/normes.php?rfc=rfc3647&lang=es

http://www.rfc-es.org/

http://www.rfc-editor.org/search/rfc_search.php

X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, June 2013: https://tools.ietf.org/html/rfc6960 (HTML file)