“Postecert Certificati Server” Certification Servicepostecert.poste.it/postashqiptare/docs/CPS_PCS_01_3.1.pdf · Version 3.1 “Postecert Certificati Server” Certification Service

Certification Practice Statement CPS_PCS_01

Version 3.1

“Postecert Certificati Server” Certification Service

Date 07/07/09

Postecom S.p.A. Page 1 of 26

PosteItalianeGroup

“Postecert Certificati Server”

Certification Service

(Certification Practice Statement)


Version 3.1


Date 07/07/09


PosteItalianeGroup

Version no. Page no. Reason for revision Date

1.0 Approval 21/05/2002

1.1 10, 23 Redefinition of organizational aspects 01/07/2002

1.2 23, 24 Update of Attachment 2 03/10/2002

2.0 All Complete redefinition of the CPS after a review of the process of dispensing the service.

25/11/2002

3.0 1, 5, 6, 8, 9, 11, 21, 22

Update relative to the use of the new CA certificate 22/02/2005

3.1 23,24 Inserted Certificate Revocation List Distribution Point

Modified URL of CPS 07/07/2009

Version no. Drafted Verification Approval Date

3.1 Giuseppe La Rosa Assunta Alfano Roberto Ugolini 07/07/2009


Version 3.1


Date 07/07/09


PosteItalianeGroup

INTRODUCTION...........................................................................................................................5

CONTEXT ....................................................................................................................................5 IDENTIFICATION OF THE DOCUMENT .............................................................................................5 TABLE OF ACRONYMS AND ABBREVIATIONS..................................................................................6 COMMUNITY AND APPLICABILITY ..................................................................................................6

Certification Authority (CA) ....................................................................................................6 Registration Authority (RA) ....................................................................................................7 Requester ..............................................................................................................................7 User .......................................................................................................................................8 Types of Certificates ..............................................................................................................8

FOR ADDITIONAL INFORMATION....................................................................................................8 Telephone Support ................................................................................................................8 Internet Service......................................................................................................................8

GENERAL SERVICE CONDITIONS ............................................................................................9

OBLIGATIONS ..............................................................................................................................9 The CA's Obligations .............................................................................................................9 Requester's Obligations .........................................................................................................9

THE CA'S LIABILITY ...................................................................................................................10 To the Requester .................................................................................................................10

PUBLICATION AND DIRECTORY...................................................................................................10 Information about the CA .....................................................................................................10 Certificates and CRLs ..........................................................................................................12

APPLICABLE LAW AND COMPETENT JURISDICTION ......................................................................12

OPERATING PROCESSES .......................................................................................................13

GENERATION OF THE CERTIFICATION REQUEST..........................................................................13 REGISTRATION OF THE REQUESTER...........................................................................................13 PAYMENT METHODS..................................................................................................................14 VERIFICATION OF THE INFORMATION ..........................................................................................14 GENERATION OF THE CERTIFICATE ............................................................................................15 PUBLICATION OF THE CERTIFICATE ............................................................................................15 ACCEPTANCE OF THE CERTIFICATE............................................................................................15


Version 3.1


Date 07/07/09


PosteItalianeGroup

INSTALLATION OF THE CERTIFICATE ...........................................................................................15 CHANGES IN REGISTRATION INFORMATION.................................................................................15 REVOCATION OF THE CERTIFICATE.............................................................................................16

Circumstances for Revocation .............................................................................................16 Revocation Requests from the Requester ...........................................................................16 Revocation Requests from the CA.......................................................................................16

RENEWAL OF CERTIFICATES ......................................................................................................17 MANAGEMENT OF THE ARCHIVES ...............................................................................................17 SERVICE LEVELS .......................................................................................................................17 DAMAGE AND DISASTER RECOVERY...........................................................................................17

SECURITY FEATURES..............................................................................................................19

PHYSICAL PROTECTION OF THE PREMISES .................................................................................19 CERTIFICATION SYSTEM SECURITY ............................................................................................19 SECURITY OF THE CRYPTOGRAPHIC MODULE.............................................................................20 SECURITY OF THE PROCESSORS................................................................................................20 NETWORK SECURITY .................................................................................................................20

PROFILE OF THE CERTIFICATES ...........................................................................................22

ATTACHMENT 1 ........................................................................................................................25


Version 3.1


Date 07/07/09


PosteItalianeGroup

Introduction

Context

The SSL (Secure Sockets Layer) protocol has become the de facto standard for the security of

communications between a web server and a browser. The protocol uses public key

cryptographic technologies and provides the following security functions:

Confidentiality of the message

Integrity of the message

Authentication of the web server

(optional) Authentication of the browser

The protocol is structured to make its services transparent to the end-user. To establish an SSL

communication, at least the web server must have a pair of cryptographic keys and the

certificate of its public key must be available.

The degree of trustworthiness that a browser user can attribute to the web server's public key

certificate, and thus to the association between the public key and the "identity" of the web

server, depends on a set of factors that, as a whole, must contribute to providing trust in the

reliability of the information.

A description of these factors is contained in the Certification Practice Statement (CPS), which

is a document that includes the set of operating rules used by a Certification Authority (CA) in

issuing certificates. The CPS is “a statement of the practices which a certification authority

employs in issuing certificates” (definition taken from the Digital Signature Guidelines of the

American Bar Association). The information in certificates is defined by the policy, a set of rules

that indicate the applicability of the certificate to a well-defined community of users and/or

classes of applications with common security requirements.

Each new version of the CPS cancels and replaces the preceding versions, which nevertheless

remain applicable to certificates issued during the period of validity and until their expiration.

Identification of the Document

This document is Postecom's CPS (Certification Practice Statement) for issuing certificates as

part of its web server certification service and takes the name of:

“Postecert Certificati Server" Certification Service.

The CPS is identified by its version number, which is 3.1. The corresponding electronic file is

identified by the name “CPS_PCS_01” and can be consulted remotely at the Internet address:

http://postecert.poste.it.

This CPS is referenced by the following OIDs (Object Identifier Number):


Version 3.1


Date 07/07/09


PosteItalianeGroup

1.3.76.11.1.1.3.1 – Web Server Certification Certificate: “Postecert Certificati Server” and,

beginning 23 February 2005, “Postecom CS2”

1.3.76.11.1.1.4.1 – Public Key Certificates for Web Servers

Table of Acronyms and Abbreviations

CA Certification Authority

CN Common Name

CPS Certification Practice Statement

CRL Certificate Revocation List

CSR Certificate Signing Request

DN Distinguished Name

ITSEC Information Technology Security Evaluation Criteria

PKI Public Key Infrastructure

RA Registration Authority

RSA Rivest-Shamir-Adleman

SSL Secure Sockets Layer

TCSEC Trusted Computer System Evaluation Criteria

Community and Applicability

Certification Authority (CA)

For the dispensing of public key certificates intended to satisfy Internet security needs,

Postecom uses a CA that allows the recognition of certificates issued to end-users with the

most used browsers (i.e. Internet Explorer and Netscape Navigator).

As of 23 February 2005, Postecom uses a new certification key for dispensing web server

certificates called “Postecom CS2.” The new CA key with which individual web server

certificates are issued is signed using the GTE CyberTrust Global Root Certificate, which is

inserted in the list of accredited certificates present, by now, in the most common browsers for

a sufficiently long time to guarantee the diffusion of this list to almost the totality of browsers

currently in use. This allows making a site protected by a certificate issued by Postecom

transparent to an end-user surfing the Internet by making a web page accessible in a secure

connection automatically recognizable by the browsers. This characteristic is also maintained

unaltered for the entire period of validity of the web server certificates issued with the preceding

“Postecert Certificati Server” CA key.


Version 3.1


Date 07/07/09


PosteItalianeGroup

Web server certificates issued by Postecom allow a secure 128-bit connection to be

established. To activate this function following the diffusion of the use of strong authentication,

it may be necessary to update one's browser/operating system by installing a patch made

available by Microsoft.

Registration Authority (RA)

The function of verifying the documentation provided by the Requester is performed by the

Certification Authority Operations Center of the Messaging, Certification Authority and

eGovernment Business Unit of Postecom S.p.A.

Requester

The certification service is performed by Postecom S.p.A. for private or public organizations

who are the legitimate owners of duly registered Internet domains and able to provide official

documentation providing their identity or enrollment in public registries or the regulatory,

administrative or contractual source of the Requester's powers. The Requester must fulfill the

phases of registering for the service, as described in paragraph Registration of the Requester

by identifying, from among its employees, the Organization's Responsible, as the person who

functions as the interface between the Requester and Postecom SpA and who will

communicate, using the methods indicated in this CPS, the name of the Server Responsible

who will be assigned from time to time to generating a pair of keys and a Certification Signing

Request (or “CSR”).

Certificate

Present in the certificate lists

of the most commonly used

browsers

The CA Certificate is signed

by CyberTrust Global Root

GTE

CyberTrust

Global Root

Postecom CS2

Certificates

Server

The certificates issued are

recognized inside the most

commonly used browsers


Version 3.1


Date 07/07/09


PosteItalianeGroup

User

This is the third party who establishes an SSL communication with the certified web server

using its own browser.

Types of Certificates

This CPS refers only to the issuing and management of web server certificates in the context of

secure SSL communications.

For Additional Information

Telephone Support

Telephone support is available at 803160, Monday through Friday (from 09:00 to 20:00) and

Saturday (from 09:00 to 15:00).

Internet Service

For additional information about this CPS or the service, address inquiries to the following e-

mail address:

[email protected]


Version 3.1


Date 07/07/09


PosteItalianeGroup

General Service Conditions This section governs the contractual relationship between Postecom and the Requester of a

web server certificate. In addition to the present CPS, the supply of the service is regulated by

current law and the Contract referred to in paragraph Registration of the Requester.

Before requesting the service, the Requester must read and approve the general service

conditions contained in the CPS by signing the Contract referred to in paragraph Registration of

the Requester.

Contracts entered into for the supply of web server certificates are subject to Italian law. In

providing its services, Postecom shall conform to the Privacy Law.

Obligations

The CA's Obligations

Postecom pledges to:

• Ensure the correctness of the documentation provided with the certification request as

described in the present CPS;

• Issue the certificate and make it public in conformity with the requirements described in this

CPS;

• Give timely notice of the revocation of certificates through publication in the Certificate

Revocation List (CRL).

Requester's Obligations

The Requester is obligated to:

• Provide truthful information and documentation during registration;

• Generate and preserve its private key in security, by adopting the necessary precautions to

avoid its damage, alteration or unauthorized use;

• Send the certification request using the methods indicated in this CPS;

• Install the digital certificate issued by Postecom on the basis of this CPS only on the web

server corresponding to the domain indicated on the said certificate (in the CommonName

field);

• Inform Postecom in a timely manner if the information in the issued certificate is no longer

valid, requesting the revocation of the certificate;

• Inform Postecom in a timely manner if it believes that the security of the web server on

which the certificate was installed may be compromised, requesting the revocation of the

certificate;

• Immediately remove the certificate for which revocation has been requested from the web

server;

• Provide safest custody for the "revocation code".


Version 3.1


Date 07/07/09


PosteItalianeGroup

The CA's Liability

To the Requester

The Certifier is not liable to the Requester, or third parties, for any damage, or any kind,

deriving from the failure to issue the certificate or the certificate's improper use. In any case, the

liability of Postecom SpA to the Requester, or third parties, is limited to the amount of the

certification charge, except in those cases in which article 1229 of the Italian Civil Code does

not allow such a limitation.

Publication and Directory

Information about the CA

As of 23 February 2005, Postecom is using a new CA certificate called “Postecom CS2,” which

replaces the previous certificate, “Postecert Certificati Server”.

For the entire period of validity of the web server certificates issued in conformity with this CPS,

Postecom pledges to publish at least the following information on its web site,

postecert.poste.it:

The CA certificates that issue the web server certificates;

The present CPS.

Below, we provide the salient data for CA certificates dedicated to the service described in this

CPS:

Postecert Certificati Server

Date Value

Subject C = IT, O = Postecom s.p.a., OU = CA e Sicurezza, CN = Postecert

Certificati Server

Issuer C = US, O = GTE Corporation, CN = GTE CyberTrust Root

Period of Validity From 8 May 2002 to 23 February 2006

Postecom CS2

Date Value

Subject C = IT, O = Postecom S.p.A., OU = Servizi Certification Authority, CN =

Postecom CS2

Issuer C = US, O = GTE Corporation, OU = GTE CyberTrust Solutions, Inc., CN

= GTE CyberTrust Global Root

Period of Validity From 16 February 2005 to 17 February 2012


Version 3.1


Date 07/07/09


PosteItalianeGroup

Postecert Certificati Server Postecom CS2


Version 3.1


Date 07/07/09


PosteItalianeGroup

Certificates and CRLs

The X.509v3 certificates are published in an X.500 Directory Server whose address is available

on the web site postecert.poste.it. The directory is accessible using the LDAP v2 and v3

protocols.

The CRLs are published on a web server whose address is available on the Postecom web site

at this URL http://postecert.poste.it/postecomcs2/crl.crl.

The CRLs on the web server are updated when a certificate is revoked and, in any case, at

least once a day.

Applicable Law and Competent Jurisdiction

These General Conditions are governed by Italian law. For any disagreements that may arise

between the parties in relation to the dispositions of this CPS, the Court of Rome shall have

exclusive jurisdiction.


Version 3.1


Date 07/07/09


PosteItalianeGroup

Operating Processes

Generation of the Certification Request

The Requester is responsible for this process. The procedure below must be followed:

1) Generate the web server's private key/public key pair using suitable cryptographic

algorithms internal to the web server, allowed by the SSL protocol and supported by the

most common browsers.

At the time of the generation of the certification request (CSR), the Web Server Responsible

authorized by the Contract referred to in paragraph Registration of the Requester of this CPS

must adopt the necessary precautions for securely generating the web server's private key and

avoiding its disclosure or unauthorized use.

In particular, the CSR file shows the name of the web server to be certified (CommonName)

which must contain the Internet domain assigned to the requesting Organization.

Registration of the Requester

The Requester is responsible for this process. The procedure below must be followed:

1) Access the on-line certificate request section provided, entering, where requested, the

organizational, administrative and technical contacts for the requested web server

certificate. Before accessing the registration web pages, the Requester must have

generated, from the web server, the CSR file for which certification is being requested.

The required information includes a field called “revocation code” that will allow

authenticating revocation requests coming via telephone support;

2) Sign the completed Contract that will be sent to the e-mail address entered during the

data entry phase. The Contract identifies the Organization’s Responsible. An updated

copy of the Contract has been published on the site, postecert.poste.it. The subject

authorized to sign is the Legal Representative, or equivalent, for companies or

organizations not enrolled in the Chambers of Commerce yet qualified for requesting

the certificate.

3) The Server Responsible (communicated by the Organization’s Responsible) must sign

the Registration Form, a facsimile of which is provided in Attachment 1, sent to the e-

mail box indicated during the on-line registration phase;

4) Documentation to attach:

Photocopy of a valid identity document for the person signing the Contract. It may

be:

an Identity Card (front and back)

Drivers License

Passport


Version 3.1


Date 07/07/09


PosteItalianeGroup

Another type of identification card so long as it contains a photograph

and stamp, issued by a government agency (front and back)

A document, on letterhead, signed by the Organization’s Responsible showing the

name of the Server Responsible appointed to make web server certification

requests and who has signed the Registration Form in the preceding point

Depending on the category the Organization belongs to, the following applicable

documentation:

A Chamber of Commerce abstract not more than 30 days old for

businesses enrolled in the Business Registry;

a certificate attesting to the assignment of a VAT number for

businesses not enrolled in the Business Registry;

a copy of the charter of incorporation for other private law entities;

originals of other documentation conferring powers on the person

appointed to make certification requests depending on the internal

organization of the structure he/she belongs to in the case of public

agencies and bodies.

The Contract, Registration Form and the documentation referred to in point 4 can be sent

by:

regular mail to the following address: Postecom S.p.A., Direzione CA e Sicurezza,

Area Registrazione, Viale Europa 175, 00144 Rome. They may be preceded by a

fax to the following telephone number at Postecom S.p.A.: (+39) 06 59585049 or

(+39) 06 59585028;

e-mail: the Requester can digitally sign the required documents, so long as in

possession of a card with keys and certificates for the advanced electronic

signature, and send them by e-mail to the following address:

[email protected].

Payment Methods

To use the service, the Requester must pay the fee required for the certificate and relative

accessory services requested. For payment methods and conditions, please refer to the

general service conditions updated from time to time on the site, postecert.poste.it.

Verification of the Information

Upon receipt of the information, Postecom will:

Check the file with the certification request and verify its coherence with the information in

the Registration Form, Contract and attached paper documentation;

Verify the uniqueness of the X.500 Distinguished Name (DN) in the context of its issued

certificates;


Version 3.1


Date 07/07/09


PosteItalianeGroup

Check the attribution of the Internet domain for the web server to the company requesting

the certification;

Make a telephone check using a third-party database.

If all the checks are positive, the RA will send the file with the certification request to the CA,

authorizing the generation of the certificate.

The Certification Authority will then proceed to verification of the documentation, sending it only

after receipt of proof of payment thereof.

Postecom shall not issue the certificate if the information communicated is incorrect or

incomplete, based on the checks made.

Generation of the Certificate

Once the RA's approval is received, the CA will verify that the request's PKCS#10 format is

correct. If the required verification is positive, the CA will generate the certificate conforming to

the profile described in paragraph “Profile of the Certificates”. The DN will appear as the value

of the Certificate's subject field.

Should the checks not be positive, Postecom shall notify the Requester through the RA,

requesting the generation of a new certification request.

Publication of the Certificate

The certificate will be published in the X.500 Directory Server and sent by the RA to the e-mail

address of the Server's authorized Responsible.

Acceptance of the Certificate

Once the certificate is generated, it is sent to the e-mail address of the Server's Responsible

that appears in the Registration Form in Attachment 1 of the CPS. Should the Requester

discover any errors or defects in the certificate, he/she must inform Postecom immediately at

the e-mail address [email protected]. Otherwise, the Requester shall be considered to

have accepted the certificate.

By accepting the certificate, the Requester declares his acceptance of the terms and conditions

of the present CPS and the Contract referred to in paragraph Registration of the Requester.

Installation of the Certificate

The Requester may install the certificate on the web server upon receipt by following the

instructions for the specific product used.

Changes in Registration Information


Version 3.1


Date 07/07/09


PosteItalianeGroup

The Requester must notify Postecom, in a timely manner, of any changes to the information

discussed in paragraph Registration of the Requester. If the changes pertain to information in

the certificate, the Requester must also request its revocation.

Postecom reserves the right to revoke the Requester's certificate whenever the change of

registration information requires such.

Revocation of the Certificate

The revocation of a certificate is complete with its publication in the revocation list (CRL) signed

by the Certification Authority. The revoked certificate is no longer valid and the Requester must

immediately remove the relative certificate from the associated web server.

Circumstances for Revocation

Postecom will revoke the certificate upon the Requester's request, conforming to the methods

and terms prescribed in the present CPS.

The Certification Authority may revoke the certificate on its own initiative under precise

conditions such as discovering use that does not comply with the present CPS.

Revocation Requests from the Requester

The Requester must request the revocation of the certificate in the following circumstances:

In the case where he/she wishes to terminate the contractual relationship with Postecom;

if the information in the certificate issued is no longer valid;

if he/she believes that the security of the web server on which the certificate was installed

has been compromised.

This latter circumstance must be promptly detected and communicated; in any case, Postecom

assumes no liability for the improper use of the private key associated with the certified public

key.

To request revocation, the Requester must send a fax on letterhead, and suitably signed, to the

number +39 06 59585049 or +39 06 59585028, explicitly requesting the revocation of the web

server certificate with at least the Requester's company name and the name of the web server

(the value in the field Name of the Web Server to be certified in Attachment 1) to be revoked.

Following the receipt of the fax, Postecom's Registration Area shall perform a telephone

verification in which the Requester will be asked to provide several required pieces of

information contained in the Registration Form, in paragraph “Registration of the Requester,” in

order to authenticate its revocation request.

The RA shall verify the revocation request and, if positive, will forward the request to the CA.

The revoked Certificate will be placed on the CRL (see Certificates and CRLs on page 12).

The revocation request service is available from Monday to Friday, from 08:30 to 18:00, Italian

holidays excluded.

Revocation Requests from the CA


Version 3.1


Date 07/07/09


PosteItalianeGroup

Postecom may only revoke a Requester's certificate under the following circumstances:

certainty that information in the certificate has changed;

certainty of the certificate's improper use.

In either case, Postecom will inform the Requester after the revocation.

Renewal of Certificates

If the renewal request is made during the certificate's period of validity, the Requester may

send a declaration with which the Requester, under its own responsibility, confirms to the

Certification Authority that it continues to meet the requirements for the first issue of the

certificate. In addition, it must send a new renewal request (CSR) for the certificate in question

using the methods provided by the Certification Authority.

In addition to the expiration date (or after revocation, if necessary) it will not be possible to

renew. Rather, a new certificate must be generated in the manner required for first issue, as

provided for in paragraph “Generation of the Certification Request.”

Management of the Archives

Postecom keeps track of computer records relative to:

• Requests for the generation of certificates,

• Issuing of certificates,

• Revocation of certificates.

Postecom keeps the above-listed records for a maximum of two years from the expiration date

of the certificate.

A complete daily backup is made of all archives containing the above-listed records.

Postecom likewise preserves all paper documentation for a maximum of two years from the

expiration date of the certificate, except for the different periods required for fiscal

documentation.

Service Levels

The certificate is generated within 3 (three) working days from the receipt of the file with the

certification request and the information required in paragraph “Registration of the Requester.”

The certificate will be revoked within 4 (four) hours from receipt of the request, during the

period the service is available (from Monday to Friday, 08:30 a.m. to 6:00 p.m., Italian holidays

excluded).

Access to the Directory Server and CRLs is available 7 days a week, 24 hours a day, except for

scheduled maintenance.

Damage and Disaster Recovery


Version 3.1


Date 07/07/09


PosteItalianeGroup

All processors used to provide the certification service are covered by a maintenance contract

that guarantees service within 8 (eight) hours.

In the event of damage to programs or data, they will be restored from periodic backups.


Version 3.1


Date 07/07/09


PosteItalianeGroup

Security Features

Physical Protection of the Premises

The technological systems involved are located in a protected area with access allowed only to

Postecom employees and controlled through digital fingerprint recognition devices, Smart Card

readers and closed-circuit television. The area is located inside the Poste Italiane buildings in

Rome, Viale Europa, 175. Poste Italiane's buildings are protected and under surveillance 24

hours a day, 7 days a week, and include the permanent presence of Postal and

Communications Police.

Certification System Security

The certification activities management platform, which consists of various modules of the

Baltimore Technologies UniCERT software suite, offers the following security functions:

Identification and Authentication

Access to the platform's application modules is provided through user

identification. The authentication mechanism is also required for starting and

stopping the service linked to the application module.

Access Control

Access to the platform's application modules is provided through strong

authentication mechanisms. Access is only allowed to the modules after

verification of the correct entry of the passphrase.

Tracking

All the applications running inside the Certifier's certification system keep track of

the operations made in a database.

Text logs are kept that record information about start-up, stopping or alarms

relative to services linked to the application modules, as well as tracking

information for any configuration changes made to the services. Each record in the

logs is digitally signed.

Integrity and Non-Repudiation

Digital signature of the messages. All messages sent by single modules are digitally

signed.

Verification of the messages: the modules verify all messages they received to

ensure their integrity and authenticity.


Version 3.1


Date 07/07/09


PosteItalianeGroup

Archiving the data: all data and audit logs are recorded in the database for each

module. These records are digitally signed by the proprietary modules of the DB.

Each record has a unique identification number.

Communications

The modules communicate with each other using the PKIX protocol.

Security of the Cryptographic Module

Postecom uses the RSA (Rivest-Shamir-Adleman) algorithm for the generation of digital signatures.

All certificates issued by Postecom – beginning with certificates relative to certification keys, through to certificates relative to web server public keys – are signed using the RSA algorithm. The user must use the same RSA algorithm to generate its own pair of keys. The web server's public keys have a maximum length of 1024 bits, the certification keys are 2048 bits long.

At present, there is yet no cryptanalysis system capable of breaking keys of that length. Since the probability of breaking 1024 or 2048-bit keys may increase in the future, Postecom reserves the right to adjust the length of keys to future technology.

As regards the hash function, the function defined by the ISO/IEC 10118-3:1998 standard for

the generation of fingerprints will be used: Dedicated Hash-Function 3, corresponding to the

SHA-1 function.

Security of the Processors

The operating system of the computers used in certification activities, generating certificates

and managing the certificate registry, conforms, at least, to the specifications required for the

ITSEC F-C2/E2 class or the C2 class of the TCSEC standards.

The systems are configured in such a way as to reduce the risk of altering the configurations to

a minimum. Profiles with access rights are thus required for the normal use of the systems that

are not similar to the administrative ones.

Network Security

The network infrastructure requires a first line consisting of a firewall system, configured in high

reliability, which filters traffic from the Internet to the DMZ network, where the servers that must

be accessible from the Internet (such as the Directory Server and the web server that publishes

the CRLs) are located, and a second line that filters the traffic between the DMZ network and

the Secure LAN where the certification systems are installed.

The use of this technology offers the possibility of using NAT (Network Address Translation) to

“mask” internal IPs to the Internet, permits the interception of attempts to create service


Version 3.1


Date 07/07/09


PosteItalianeGroup

interruptions with DoS SYN flood attacks, set Anti-Spoofing rules and limit accesses to a span

of time definable in a granular manner. In order to analyze the packets traveling over the

network in real-time and, where suspicious activity is encountered, to activate the due

precautions (blocking IP addresses, interrupting connections, sending traps) and alarms, an

Intrusion Detection System is used based on a constantly-updated vulnerability database.

The services in the DMZ are provided with coverage 24 hours a day, 7 days a week, 365 days

a year, with a manned presence from Monday through Friday from 08:00 a.m. to 8:00 p.m. and

coverage in unmanned hours and holidays by a 2-level, on-call structure. A centralized

monitoring system signals alarms by sending SMSs and making telephone calls.


Version 3.1


Date 07/07/09


PosteItalianeGroup

Profile of the Certificates “Postecert Certificati Server”

Version Version 3

Serial Number 02 00 02 7c

Signature sha-1, RSA

Issuer Country: “US”

Organization :“GTE Corporation”

COMMON NAME: “GTE CyberTrust Root”

Validity From 8 May 2002 to 23 February 2006

Subject Country: “IT”

Organization: ”Postecom s.p.a.”

Organization Unit: “CA e Sicurezza”

COMMON NAME: “Postecert Certificati Server”

SubjectPublicKeyInfo 2048-bit public key

algorithm used: RSA

Extensions

Authority Key Identifier SHA-1 160 bit

Subject Key Identifier SHA-1 160 bit

KeyUsage (critical) Certificate Signing, CRL Signing

basicConstraints CA true

PathLenConstraint 1

The value of the OID is 1.3.76.11.1.1.3.1

“Postecom CS2” Certificate

Version Version 3

Serial Number 04 00 03 CCs


Issuer Country: “US”

Organization:” GTE Corporation”

Organization Unit:” GTE CyberTrust Solutions, Inc.”

COMMON NAME: “GTE CyberTrust Global Root”

Validity From 16 February 2005 to 17 February 2012


Organization: “Postecom s.p.a.”

Organization Unit: “Servizi Certification Authority”

COMMON NAME: “Postecom CS2”


algorithm used: RSA

Extensions




Version 3.1


Date 07/07/09


PosteItalianeGroup

KeyUsage (critical) Certificate Signing, CRL Signing

basicConstraints CA true

PathLenConstraint 1

The value of the OID is 1.3.76.11.1.1.3.1

Web Server Certificate

The effective format of the certificate and the values for the attributes and extensions shall be

determined on the basis of the needs of the Requester's system.

Web server certificates are valid for 1 (one) year. Below, by way of example, we show two

types of web server certificate profiles issued using the “Postecom CS2” CA certificate.

Profile of a Certificate for Microsoft IIS

Version Version 3

Serial Number Serial Number of the certificate


Issuer Country: “IT”

Organization: “Postecom s.p.a.”



Validity 1 year


Organization: “Organisation”

Organization Unit: “Unit name”

COMMON NAME: “web server domain name”


algorithm used: RSA

Extensions



Extended Key usage Microsoft Server Gated

Certificate policies Policy OID:

1.3.76.11.1.1.4.1

Policy URL:

http://postecert.poste.it/manualioperativi/

crlDistributionPoint http://postecert.poste.it/postecomcs2/crl.crl


Version 3.1


Date 07/07/09


PosteItalianeGroup

Profile of a certificate for Netscape Server

Version Version 3

Serial Number Serial Number of the certificate


Issuer Country: “IT”

Organization: “Postecom S.p.A.”



Validity 1 year


Organization: “Organisation”

Organization Unit: “Unit name”

COMMON NAME: “web server domain name”


algorithm used: RSA

Extensions



Extended Key usage Netscape Server Gated

Certificate policies Policy OID:

1.3.76.11.1.1.4.1

Policy URL:

http://postecert.poste.it/manualioperativi/

crlDistributionPoint http://postecert.poste.it/postecomcs2/crl.crl


Version 3.1


Date 07/07/09


PosteItalianeGroup

Attachment 1 Facsimile of the Registration Form, which must be signed by the Organization's Server

Responsible, as indicated in the CPS. The form is sent to the e-mail address specified by the

Requester, completed with the information entered at the time of on-line registration.

File Number1 _________

Information about the Server Responsible2 Value

First Name

Last Name

E-mail3

Company Name

Registered Office Address

City/Town

Postal code

Province

Telephone

Fax

Requesting Company Information Value

Legal Representative's First Name 4

Legal Representative's Last Name

Company Name

Registered Office Address

City/Town

Postal code

Province

VAT Number/Fiscal Code

Invoicing E-mail5

First Name of the Organization’s

Responsible6

Last Name of the Organization’s

Responsible

E-mail of the Organization’s Responsible7


Version 3.1


Date 07/07/09


PosteItalianeGroup

Web Server Information Value

Name of the Web Server to be certified8

Web Server's Organizational Division9

Type of Web Server10

Revocation Code11

1 The value with which the Registration Form is associated with the Contract signed by the

Legal Representative, or equivalent, as indicated in the CPS.

2 The Server Responsible is the operational person of reference, authorized by the

Organization’s Responsible, as indicated in the CPS.

3 The electronic mailbox to which the issued certificate is sent.

4 The Legal Representative or equivalent must be the same as indicted on the official

documentation transmitted.

5 The electronic mailbox to which the electronic invoice is to be sent, only if applicable.

6 The Organization’s Responsible must be the person shown in the official documentation

transmitted.

7 The electronic mailbox to which is sent the Contract that must be signed by the Legal

Representative or equivalent as indicated in the CPS, and the certificate issued.

8 The name of the web server is that listed as the Common Name (CN) in the subject field of

the certificate.

9 The Organizational Division of the web server is that which appears in the OU field certificate.

10 The type of web server (IIS, ePlanet, Apache, etc.).

11 The revocation code is used to verify telephone requests. It consists of 9 numbers uniquely

associated with the certificate requested.

Place and date ________________________

Signature of the Server Responsible

___________________________

Documents

“Postecert Certificati Server” Certification Servicepostecert.poste.it/postashqiptare/docs/CPS_PCS_01_3.1.pdf · Version 3.1 “Postecert Certificati Server” Certification Service