Certification Practice Statement CPS_PCS_01
Version 3.1
“Postecert Certificati Server” Certification Service
Date 07/07/09
Postecom S.p.A.
Poste Italiane Group
“Postecert Certificati Server”
Certification Service
(Certification Practice Statement)
Version no. | Page no. | Reason for revision | Date
1.0 | | Approval | 21/05/2002
1.1 | 10, 23 | Redefinition of organizational aspects | 01/07/2002
1.2 | 23, 24 | Update of Attachment 2 | 03/10/2002
2.0 | All | Complete redefinition of the CPS after a review of the process of dispensing the service. | 25/11/2002
3.0 | 1, 5, 6, 8, 9, 11, 21, 22 | Update relative to the use of the new CA certificate | 22/02/2005
3.1 | 23, 24 | Inserted Certificate Revocation List Distribution Point; modified URL of CPS | 07/07/2009

Version no. | Drafted | Verification | Approval | Date
3.1 | Giuseppe La Rosa | Assunta Alfano | Roberto Ugolini | 07/07/2009
Introduction
   Context
   Identification of the Document
   Table of Acronyms and Abbreviations
   Community and Applicability
      Certification Authority (CA)
      Registration Authority (RA)
      Requester
      User
      Types of Certificates
   For Additional Information
      Telephone Support
      Internet Service
General Service Conditions
   Obligations
      The CA's Obligations
      Requester's Obligations
   The CA's Liability
      To the Requester
   Publication and Directory
      Information about the CA
      Certificates and CRLs
   Applicable Law and Competent Jurisdiction
Operating Processes
   Generation of the Certification Request
   Registration of the Requester
   Payment Methods
   Verification of the Information
   Generation of the Certificate
   Publication of the Certificate
   Acceptance of the Certificate
   Installation of the Certificate
   Changes in Registration Information
   Revocation of the Certificate
      Circumstances for Revocation
      Revocation Requests from the Requester
      Revocation Requests from the CA
   Renewal of Certificates
   Management of the Archives
   Service Levels
   Damage and Disaster Recovery
Security Features
   Physical Protection of the Premises
   Certification System Security
   Security of the Cryptographic Module
   Security of the Processors
   Network Security
Profile of the Certificates
Attachment 1
Introduction
Context
The SSL (Secure Sockets Layer) protocol has become the de facto standard for the security of
communications between a web server and a browser. The protocol uses public key
cryptographic technologies and provides the following security functions:
• Confidentiality of the message
• Integrity of the message
• Authentication of the web server
• (optional) Authentication of the browser
The protocol is structured to make its services transparent to the end-user. To establish an SSL
communication, at least the web server must have a pair of cryptographic keys and the
certificate of its public key must be available.
The degree of trustworthiness that a browser user can attribute to the web server's public key
certificate, and thus to the association between the public key and the "identity" of the web
server, depends on a set of factors that, as a whole, must contribute to providing trust in the
reliability of the information.
A description of these factors is contained in the Certification Practice Statement (CPS), which
is a document that includes the set of operating rules used by a Certification Authority (CA) in
issuing certificates. The CPS is “a statement of the practices which a certification authority
employs in issuing certificates” (definition taken from the Digital Signature Guidelines of the
American Bar Association). The information in certificates is defined by the policy, a set of rules
that indicate the applicability of the certificate to a well-defined community of users and/or
classes of applications with common security requirements.
Each new version of the CPS cancels and replaces the preceding versions, which nevertheless
remain applicable to certificates issued during the period of validity and until their expiration.
Identification of the Document
This document is Postecom's CPS (Certification Practice Statement) for issuing certificates as
part of its web server certification service and takes the name of:
“Postecert Certificati Server" Certification Service.
The CPS is identified by its version number, which is 3.1. The corresponding electronic file is
identified by the name “CPS_PCS_01” and can be consulted remotely at the Internet address:
http://postecert.poste.it.
This CPS is referenced by the following OIDs (Object Identifier Number):
• 1.3.76.11.1.1.3.1 – Web Server Certification Certificate: “Postecert Certificati Server” and, beginning 23 February 2005, “Postecom CS2”
• 1.3.76.11.1.1.4.1 – Public Key Certificates for Web Servers
Table of Acronyms and Abbreviations
CA Certification Authority
CN Common Name
CPS Certification Practice Statement
CRL Certificate Revocation List
CSR Certificate Signing Request
DN Distinguished Name
ITSEC Information Technology Security Evaluation Criteria
PKI Public Key Infrastructure
RA Registration Authority
RSA Rivest-Shamir-Adleman
SSL Secure Sockets Layer
TCSEC Trusted Computer System Evaluation Criteria
Community and Applicability
Certification Authority (CA)
For the dispensing of public key certificates intended to satisfy Internet security needs,
Postecom uses a CA that allows the recognition of certificates issued to end-users with the
most used browsers (i.e. Internet Explorer and Netscape Navigator).
As of 23 February 2005, Postecom uses a new certification key, called “Postecom CS2,” for
dispensing web server certificates. The new CA key, with which individual web server
certificates are issued, is signed using the GTE CyberTrust Global Root Certificate. That root
has been in the list of accredited certificates of the most common browsers long enough for
the list to have reached almost all browsers currently in use. As a result, a site protected by
a certificate issued by Postecom is transparent to an end-user surfing the Internet: browsers
automatically recognize a web page accessed over a secure connection. This characteristic
also remains unaltered for the entire period of validity of the web server certificates issued
with the preceding “Postecert Certificati Server” CA key.
Web server certificates issued by Postecom allow a secure 128-bit connection to be
established. To activate this function following the diffusion of the use of strong authentication,
it may be necessary to update one's browser/operating system by installing a patch made
available by Microsoft.
Registration Authority (RA)
The function of verifying the documentation provided by the Requester is performed by the
Certification Authority Operations Center of the Messaging, Certification Authority and
eGovernment Business Unit of Postecom S.p.A.
Requester
The certification service is performed by Postecom S.p.A. for private or public organizations
that are the legitimate owners of duly registered Internet domains and are able to provide official
documentation proving their identity or enrollment in public registries or the regulatory,
administrative or contractual source of the Requester's powers. The Requester must complete the
phases of registering for the service, as described in paragraph Registration of the Requester,
by identifying, from among its employees, the Organization's Responsible: the person who
functions as the interface between the Requester and Postecom SpA and who will
communicate, using the methods indicated in this CPS, the name of the Server Responsible
who will be assigned from time to time to generating a pair of keys and a Certificate Signing
Request (or “CSR”).
[Figure: certificate chain. The GTE CyberTrust Global Root certificate is present in the certificate lists of the most commonly used browsers; the Postecom CS2 CA certificate is signed by GTE CyberTrust Global Root; the server certificates issued are recognized inside the most commonly used browsers.]
User
This is the third party who establishes an SSL communication with the certified web server
using its own browser.
Types of Certificates
This CPS refers only to the issuing and management of web server certificates in the context of
secure SSL communications.
For Additional Information
Telephone Support
Telephone support is available at 803160, Monday through Friday (from 09:00 to 20:00) and
Saturday (from 09:00 to 15:00).
Internet Service
For additional information about this CPS or the service, address inquiries to the following
e-mail address:
General Service Conditions
This section governs the contractual relationship between Postecom and the Requester of a
web server certificate. In addition to the present CPS, the supply of the service is regulated by
current law and the Contract referred to in paragraph Registration of the Requester.
Before requesting the service, the Requester must read and approve the general service
conditions contained in the CPS by signing the Contract referred to in paragraph Registration of
the Requester.
Contracts entered into for the supply of web server certificates are subject to Italian law. In
providing its services, Postecom shall conform to the Privacy Law.
Obligations
The CA's Obligations
Postecom pledges to:
• Ensure the correctness of the documentation provided with the certification request as
described in the present CPS;
• Issue the certificate and make it public in conformity with the requirements described in this
CPS;
• Give timely notice of the revocation of certificates through publication in the Certificate
Revocation List (CRL).
Requester's Obligations
The Requester is obligated to:
• Provide truthful information and documentation during registration;
• Generate and preserve its private key in security, by adopting the necessary precautions to
avoid its damage, alteration or unauthorized use;
• Send the certification request using the methods indicated in this CPS;
• Install the digital certificate issued by Postecom on the basis of this CPS only on the web
server corresponding to the domain indicated on the said certificate (in the CommonName
field);
• Inform Postecom in a timely manner if the information in the issued certificate is no longer
valid, requesting the revocation of the certificate;
• Inform Postecom in a timely manner if it believes that the security of the web server on
which the certificate was installed may be compromised, requesting the revocation of the
certificate;
• Immediately remove the certificate for which revocation has been requested from the web
server;
• Keep the "revocation code" in safe custody.
The CA's Liability
To the Requester
The Certifier is not liable to the Requester, or third parties, for any damage, of any kind,
deriving from the failure to issue the certificate or the certificate's improper use. In any case, the
liability of Postecom SpA to the Requester, or third parties, is limited to the amount of the
certification charge, except in those cases in which article 1229 of the Italian Civil Code does
not allow such a limitation.
Publication and Directory
Information about the CA
As of 23 February 2005, Postecom is using a new CA certificate called “Postecom CS2,” which
replaces the previous certificate, “Postecert Certificati Server”.
For the entire period of validity of the web server certificates issued in conformity with this CPS,
Postecom pledges to publish at least the following information on its web site,
postecert.poste.it:
• The CA certificates that issue the web server certificates;
• The present CPS.
Below, we provide the salient data for CA certificates dedicated to the service described in this
CPS:
Postecert Certificati Server
Field | Value
Subject | C = IT, O = Postecom s.p.a., OU = CA e Sicurezza, CN = Postecert Certificati Server
Issuer | C = US, O = GTE Corporation, CN = GTE CyberTrust Root
Period of Validity | From 8 May 2002 to 23 February 2006

Postecom CS2
Field | Value
Subject | C = IT, O = Postecom S.p.A., OU = Servizi Certification Authority, CN = Postecom CS2
Issuer | C = US, O = GTE Corporation, OU = GTE CyberTrust Solutions, Inc., CN = GTE CyberTrust Global Root
Period of Validity | From 16 February 2005 to 17 February 2012
[Figure: the “Postecert Certificati Server” and “Postecom CS2” certificates]
Certificates and CRLs
The X.509v3 certificates are published in an X.500 Directory Server whose address is available
on the web site postecert.poste.it. The directory is accessible using the LDAP v2 and v3
protocols.
The CRLs are published on a web server whose address is available on the Postecom web site
at this URL http://postecert.poste.it/postecomcs2/crl.crl.
The CRLs on the web server are updated when a certificate is revoked and, in any case, at
least once a day.
Applicable Law and Competent Jurisdiction
These General Conditions are governed by Italian law. For any disagreements that may arise
between the parties in relation to the dispositions of this CPS, the Court of Rome shall have
exclusive jurisdiction.
Operating Processes
Generation of the Certification Request
The Requester is responsible for this process. The procedure below must be followed:
1) Generate the web server's private key/public key pair using suitable cryptographic
algorithms internal to the web server, allowed by the SSL protocol and supported by the
most common browsers.
At the time of the generation of the certification request (CSR), the Web Server Responsible
authorized by the Contract referred to in paragraph Registration of the Requester of this CPS
must adopt the necessary precautions for securely generating the web server's private key and
avoiding its disclosure or unauthorized use.
In particular, the CSR file shows the name of the web server to be certified (CommonName)
which must contain the Internet domain assigned to the requesting Organization.
Registration of the Requester
The Requester is responsible for this process. The procedure below must be followed:
1) Access the on-line certificate request section provided, entering, where requested, the
organizational, administrative and technical contacts for the requested web server
certificate. Before accessing the registration web pages, the Requester must have
generated, from the web server, the CSR file for which certification is being requested.
The required information includes a field called “revocation code” that will allow
authenticating revocation requests coming via telephone support;
2) Sign the completed Contract that will be sent to the e-mail address entered during the
data entry phase. The Contract identifies the Organization’s Responsible. An updated
copy of the Contract has been published on the site, postecert.poste.it. The subject
authorized to sign is the Legal Representative, or equivalent, for companies or
organizations not enrolled in the Chambers of Commerce yet qualified for requesting
the certificate.
3) The Server Responsible (communicated by the Organization’s Responsible) must sign
the Registration Form, a facsimile of which is provided in Attachment 1, sent to the
e-mail box indicated during the on-line registration phase;
4) Documentation to attach:
   • Photocopy of a valid identity document for the person signing the Contract. It may be:
      - an Identity Card (front and back)
      - Driver's License
      - Passport
      - Another type of identification card so long as it contains a photograph and stamp, issued by a government agency (front and back)
   • A document, on letterhead, signed by the Organization’s Responsible showing the name of the Server Responsible appointed to make web server certification requests and who has signed the Registration Form in the preceding point
   • Depending on the category the Organization belongs to, the following applicable documentation:
      - a Chamber of Commerce abstract not more than 30 days old for businesses enrolled in the Business Registry;
      - a certificate attesting to the assignment of a VAT number for businesses not enrolled in the Business Registry;
      - a copy of the charter of incorporation for other private law entities;
      - originals of other documentation conferring powers on the person appointed to make certification requests depending on the internal organization of the structure he/she belongs to in the case of public agencies and bodies.
The Contract, Registration Form and the documentation referred to in point 4 can be sent
by:
• regular mail to the following address: Postecom S.p.A., Direzione CA e Sicurezza, Area Registrazione, Viale Europa 175, 00144 Rome. They may be preceded by a fax to the following telephone number at Postecom S.p.A.: (+39) 06 59585049 or (+39) 06 59585028;
• e-mail: the Requester can digitally sign the required documents, so long as in possession of a card with keys and certificates for the advanced electronic signature, and send them by e-mail to the following address:
Payment Methods
To use the service, the Requester must pay the fee required for the certificate and relative
accessory services requested. For payment methods and conditions, please refer to the
general service conditions updated from time to time on the site, postecert.poste.it.
Verification of the Information
Upon receipt of the information, Postecom will:
• Check the file with the certification request and verify its coherence with the information in the Registration Form, Contract and attached paper documentation;
• Verify the uniqueness of the X.500 Distinguished Name (DN) in the context of its issued certificates;
• Check the attribution of the Internet domain for the web server to the company requesting the certification;
• Make a telephone check using a third-party database.
If all the checks are positive, the RA will send the file with the certification request to the CA,
authorizing the generation of the certificate.
The Certification Authority will then proceed to verification of the documentation, sending it only
after receipt of proof of payment thereof.
Postecom shall not issue the certificate if the information communicated is incorrect or
incomplete, based on the checks made.
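The coherence, DN-uniqueness and domain-attribution checks listed above can be sketched as follows. This is an added example, not Postecom's code: the function names, the sample requester DNs and the example.it domain are constructed for illustration, and DNs are handled in the "C = IT, O = ..." notation this CPS prints rather than read from a PKCS#10 file.

```python
import re

# Split on commas only when the next token looks like "TYPE =", so values with
# embedded commas (e.g. "GTE CyberTrust Solutions, Inc.") stay in one piece.
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")

# Issuer DN of the Postecom CS2 CA certificate, as printed in this CPS.
ISSUER_DN = ("C = US, O = GTE Corporation, OU = GTE CyberTrust Solutions, Inc., "
             "CN = GTE CyberTrust Global Root")


def parse_dn(dn):
    """Return the DN as a list of (TYPE, value) pairs in the order written."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn.strip()):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Upper-case the type and collapse runs of whitespace in the value.
        pairs.append((attr_type.strip().upper(), " ".join(value.split())))
    return pairs


def dn_key(dn):
    """Normalised form used for the uniqueness comparison (case-insensitive)."""
    return tuple((t, v.casefold()) for t, v in parse_dn(dn))


def common_name(dn):
    """Return the single CN of the DN, or raise if there is none or several."""
    names = [v for t, v in parse_dn(dn) if t == "CN"]
    if len(names) != 1:
        raise ValueError("expected exactly one CN")
    return names[0]


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain at a label boundary."""
    host = host.casefold().rstrip(".")
    domain = domain.casefold().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_request(csr_dn, form_server_name, registered_domain, issued_dns):
    """Return the reasons to refuse the request; an empty list means it passes.

    csr_dn            subject DN taken from the certification request
    form_server_name  "Name of the Web Server to be certified" on the form
    registered_domain Internet domain attributed to the requesting Organization
    issued_dns        subject DNs of certificates already issued by the CA
    """
    try:
        cn = common_name(csr_dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if cn.casefold() != form_server_name.strip().casefold():
        problems.append("CN does not match the Registration Form")
    if not host_in_domain(cn, registered_domain):
        problems.append("CN is outside the Requester's registered domain")
    if dn_key(csr_dn) in {dn_key(d) for d in issued_dns}:
        problems.append("DN already present among issued certificates")
    return problems


if __name__ == "__main__":
    # Constructed sample requests (not real registrations).
    issued = ["c=it, o=example s.r.l., cn=WWW.EXAMPLE.IT"]
    samples = [
        ("C = IT, O = Example S.r.l., CN = shop.example.it", "shop.example.it"),
        ("C = IT, O = Example S.r.l., CN = www.example.it", "www.example.it"),
        ("C = IT, O = Example S.r.l., CN = www.notexample.it", "www.notexample.it"),
    ]
    for dn, form_name in samples:
        print(dn, "->", check_request(dn, form_name, "example.it", issued) or "OK")
```

The domain test compares whole labels, so `www.notexample.it` is not accepted for `example.it`, and the uniqueness test ignores case and spacing so that a re-typed DN is still recognised as a duplicate.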
Generation of the Certificate
Once the RA's approval is received, the CA will verify that the request's PKCS#10 format is
correct. If the required verification is positive, the CA will generate the certificate conforming to
the profile described in paragraph “Profile of the Certificates”. The DN will appear as the value
of the Certificate's subject field.
Should the checks not be positive, Postecom shall notify the Requester through the RA,
requesting the generation of a new certification request.
Publication of the Certificate
The certificate will be published in the X.500 Directory Server and sent by the RA to the e-mail
address of the Server's authorized Responsible.
Acceptance of the Certificate
Once the certificate is generated, it is sent to the e-mail address of the Server's Responsible
that appears in the Registration Form in Attachment 1 of the CPS. Should the Requester
discover any errors or defects in the certificate, he/she must inform Postecom immediately at
the e-mail address [email protected]. Otherwise, the Requester shall be considered to
have accepted the certificate.
By accepting the certificate, the Requester declares his acceptance of the terms and conditions
of the present CPS and the Contract referred to in paragraph Registration of the Requester.
Installation of the Certificate
The Requester may install the certificate on the web server upon receipt by following the
instructions for the specific product used.
Changes in Registration Information
The Requester must notify Postecom, in a timely manner, of any changes to the information
discussed in paragraph Registration of the Requester. If the changes pertain to information in
the certificate, the Requester must also request its revocation.
Postecom reserves the right to revoke the Requester's certificate whenever the change of
registration information requires such.
Revocation of the Certificate
The revocation of a certificate is complete with its publication in the revocation list (CRL) signed
by the Certification Authority. The revoked certificate is no longer valid and the Requester must
immediately remove the relative certificate from the associated web server.
Circumstances for Revocation
Postecom will revoke the certificate upon the Requester's request, conforming to the methods
and terms prescribed in the present CPS.
The Certification Authority may revoke the certificate on its own initiative under precise
conditions such as discovering use that does not comply with the present CPS.
Revocation Requests from the Requester
The Requester must request the revocation of the certificate in the following circumstances:
• in the case where he/she wishes to terminate the contractual relationship with Postecom;
• if the information in the certificate issued is no longer valid;
• if he/she believes that the security of the web server on which the certificate was installed has been compromised.
This latter circumstance must be promptly detected and communicated; in any case, Postecom
assumes no liability for the improper use of the private key associated with the certified public
key.
To request revocation, the Requester must send a fax on letterhead, and suitably signed, to the
number +39 06 59585049 or +39 06 59585028, explicitly requesting the revocation of the web
server certificate with at least the Requester's company name and the name of the web server
(the value in the field Name of the Web Server to be certified in Attachment 1) to be revoked.
Following the receipt of the fax, Postecom's Registration Area shall perform a telephone
verification in which the Requester will be asked to provide several required pieces of
information contained in the Registration Form, in paragraph “Registration of the Requester,” in
order to authenticate its revocation request.
The RA shall verify the revocation request and, if positive, will forward the request to the CA.
The revoked Certificate will be placed on the CRL (see Certificates and CRLs).
The revocation request service is available from Monday to Friday, from 08:30 to 18:00, Italian
holidays excluded.
Revocation Requests from the CA
Postecom may only revoke a Requester's certificate under the following circumstances:
• certainty that information in the certificate has changed;
• certainty of the certificate's improper use.
In either case, Postecom will inform the Requester after the revocation.
Renewal of Certificates
If the renewal request is made during the certificate's period of validity, the Requester may
send a declaration with which the Requester, under its own responsibility, confirms to the
Certification Authority that it continues to meet the requirements for the first issue of the
certificate. In addition, it must send a new renewal request (CSR) for the certificate in question
using the methods provided by the Certification Authority.
After the expiration date (or after revocation, if applicable), it will not be possible to
renew. Rather, a new certificate must be generated in the manner required for first issue, as
provided for in paragraph “Generation of the Certification Request.”
Management of the Archives
Postecom keeps track of computer records relative to:
• Requests for the generation of certificates,
• Issuing of certificates,
• Revocation of certificates.
Postecom keeps the above-listed records for a maximum of two years from the expiration date
of the certificate.
A complete daily backup is made of all archives containing the above-listed records.
Postecom likewise preserves all paper documentation for a maximum of two years from the
expiration date of the certificate, except for the different periods required for fiscal
documentation.
Service Levels
The certificate is generated within 3 (three) working days from the receipt of the file with the
certification request and the information required in paragraph “Registration of the Requester.”
The certificate will be revoked within 4 (four) hours from receipt of the request, during the
period the service is available (from Monday to Friday, 08:30 a.m. to 6:00 p.m., Italian holidays
excluded).
Access to the Directory Server and CRLs is available 7 days a week, 24 hours a day, except for
scheduled maintenance.
Damage and Disaster Recovery
All processors used to provide the certification service are covered by a maintenance contract
that guarantees service within 8 (eight) hours.
In the event of damage to programs or data, they will be restored from periodic backups.
Security Features
Physical Protection of the Premises
The technological systems involved are located in a protected area with access allowed only to
Postecom employees and controlled through digital fingerprint recognition devices, Smart Card
readers and closed-circuit television. The area is located inside the Poste Italiane buildings in
Rome, Viale Europa, 175. Poste Italiane's buildings are protected and under surveillance 24
hours a day, 7 days a week, and include the permanent presence of Postal and
Communications Police.
Certification System Security
The certification activities management platform, which consists of various modules of the
Baltimore Technologies UniCERT software suite, offers the following security functions:
Identification and Authentication
Access to the platform's application modules is provided through user
identification. The authentication mechanism is also required for starting and
stopping the service linked to the application module.
Access Control
Access to the platform's application modules is provided through strong
authentication mechanisms. Access is only allowed to the modules after
verification of the correct entry of the passphrase.
Tracking
All the applications running inside the Certifier's certification system keep track of
the operations made in a database.
Text logs are kept that record information about start-up, stopping or alarms
relative to services linked to the application modules, as well as tracking
information for any configuration changes made to the services. Each record in the
logs is digitally signed.
Integrity and Non-Repudiation
Digital signature of the messages: all messages sent by the individual modules are
digitally signed.
Verification of the messages: the modules verify all messages they receive to
ensure their integrity and authenticity.
Archiving the data: all data and audit logs are recorded in the database for each
module. These records are digitally signed by the proprietary modules of the DB.
Each record has a unique identification number.
Communications
The modules communicate with each other using the PKIX protocol.
Security of the Cryptographic Module
Postecom uses the RSA (Rivest-Shamir-Adleman) algorithm for the generation of digital signatures.
All certificates issued by Postecom – beginning with certificates relative to certification keys,
through to certificates relative to web server public keys – are signed using the RSA algorithm.
The user must use the same RSA algorithm to generate its own pair of keys. The web server's
public keys have a maximum length of 1024 bits; the certification keys are 2048 bits long.
At present, there is no cryptanalysis system capable of breaking keys of that length. Since the
probability of breaking 1024 or 2048-bit keys may increase in the future, Postecom reserves the
right to adjust the length of keys to future technology.
As regards the hash function, the function defined by the ISO/IEC 10118-3:1998 standard for
the generation of fingerprints will be used: Dedicated Hash-Function 3, corresponding to the
SHA-1 function.
Security of the Processors
The operating system of the computers used in certification activities, generating certificates
and managing the certificate registry, conforms, at least, to the specifications required for the
ITSEC F-C2/E2 class or the C2 class of the TCSEC standards.
The systems are configured so as to minimize the risk of their configurations being altered.
Normal use of the systems therefore requires profiles whose access rights differ from the
administrative ones.
Network Security
The network infrastructure consists of a first line, formed by a firewall system configured for
high reliability, which filters traffic from the Internet to the DMZ network, where the servers
that must be accessible from the Internet (such as the Directory Server and the web server that
publishes the CRLs) are located, and a second line that filters the traffic between the DMZ
network and the Secure LAN where the certification systems are installed.
This technology makes it possible to use NAT (Network Address Translation) to “mask” internal
IPs from the Internet, to intercept attempts to cause service interruptions with DoS SYN flood
attacks, to set Anti-Spoofing rules and to limit access to time windows that can be defined in a
granular manner. An Intrusion Detection System, based on a constantly updated vulnerability
database, analyzes the packets traveling over the network in real time and, where suspicious
activity is encountered, activates the appropriate precautions (blocking IP addresses,
interrupting connections, sending traps) and alarms.
The services in the DMZ are provided with coverage 24 hours a day, 7 days a week, 365 days
a year, with a manned presence from Monday through Friday from 08:00 a.m. to 8:00 p.m. and
coverage in unmanned hours and holidays by a 2-level, on-call structure. A centralized
monitoring system signals alarms by sending SMSs and making telephone calls.
Profile of the Certificates “Postecert Certificati Server”
Version: Version 3
Serial Number: 02 00 02 7c
Signature: sha-1, RSA
Issuer:
    Country: “US”
    Organization: “GTE Corporation”
    COMMON NAME: “GTE CyberTrust Root”
Validity: From 8 May 2002 to 23 February 2006
Subject:
    Country: “IT”
    Organization: “Postecom s.p.a.”
    Organization Unit: “CA e Sicurezza”
    COMMON NAME: “Postecert Certificati Server”
SubjectPublicKeyInfo:
    2048-bit public key
    algorithm used: RSA
Extensions:
    Authority Key Identifier: SHA-1 160 bit
    Subject Key Identifier: SHA-1 160 bit
    KeyUsage (critical): Certificate Signing, CRL Signing
    basicConstraints: CA true
    PathLenConstraint: 1
The value of the OID is 1.3.76.11.1.1.3.1
“Postecom CS2” Certificate
Version: Version 3
Serial Number: 04 00 03 CCs
Signature: sha-1, RSA
Issuer:
    Country: “US”
    Organization: “GTE Corporation”
    Organization Unit: “GTE CyberTrust Solutions, Inc.”
    COMMON NAME: “GTE CyberTrust Global Root”
Validity: From 16 February 2005 to 17 February 2012
Subject:
    Country: “IT”
    Organization: “Postecom s.p.a.”
    Organization Unit: “Servizi Certification Authority”
    COMMON NAME: “Postecom CS2”
SubjectPublicKeyInfo:
    2048-bit public key
    algorithm used: RSA
Extensions:
    Authority Key Identifier: SHA-1 160 bit
    Subject Key Identifier: SHA-1 160 bit
    KeyUsage (critical): Certificate Signing, CRL Signing
    basicConstraints: CA true
    PathLenConstraint: 1
The value of the OID is 1.3.76.11.1.1.3.1
Web Server Certificate
The effective format of the certificate and the values for the attributes and extensions shall be
determined on the basis of the needs of the Requester's system.
Web server certificates are valid for 1 (one) year. Below, by way of example, we show two
types of web server certificate profiles issued using the “Postecom CS2” CA certificate.
Profile of a Certificate for Microsoft IIS
Version: Version 3
Serial Number: Serial Number of the certificate
Signature: sha-1, RSA
Issuer:
    Country: “IT”
    Organization: “Postecom s.p.a.”
    Organization Unit: “Servizi Certification Authority”
    COMMON NAME: “Postecom CS2”
Validity: 1 year
Subject:
    Country: “IT”
    Organization: “Organisation”
    Organization Unit: “Unit name”
    COMMON NAME: “web server domain name”
SubjectPublicKeyInfo:
    1024-bit public key
    algorithm used: RSA
Extensions:
    Authority Key Identifier: SHA-1 160 bit
    Subject Key Identifier: SHA-1 160 bit
    Extended Key usage: Microsoft Server Gated
    Certificate policies:
        Policy OID: 1.3.76.11.1.1.4.1
        Policy URL: http://postecert.poste.it/manualioperativi/
    crlDistributionPoint: http://postecert.poste.it/postecomcs2/crl.crl
Profile of a certificate for Netscape Server
Version: Version 3
Serial Number: Serial Number of the certificate
Signature: sha-1, RSA
Issuer:
    Country: “IT”
    Organization: “Postecom S.p.A.”
    Organization Unit: “Servizi Certification Authority”
    COMMON NAME: “Postecom CS2”
Validity: 1 year
Subject:
    Country: “IT”
    Organization: “Organisation”
    Organization Unit: “Unit name”
    COMMON NAME: “web server domain name”
SubjectPublicKeyInfo:
    1024-bit public key
    algorithm used: RSA
Extensions:
    Authority Key Identifier: SHA-1 160 bit
    Subject Key Identifier: SHA-1 160 bit
    Extended Key usage: Netscape Server Gated
    Certificate policies:
        Policy OID: 1.3.76.11.1.1.4.1
        Policy URL: http://postecert.poste.it/manualioperativi/
    crlDistributionPoint: http://postecert.poste.it/postecomcs2/crl.crl
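The following added example, which is not part of the CPS or of Postecom's own tooling, checks the text dump of an issued certificate against the web server profile values listed above (signature algorithm, issuer, 1024-bit key limit, policy OID, CRL distribution point, one-year validity). It assumes the dump has the layout printed by `openssl x509 -noout -text`; the sample dumps and the names CHECKS, deviations and _when are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Expected values copied from the web server profiles in this CPS,
# each paired with a pattern for the assumed `openssl x509 -text` layout.
CHECKS = {
    "Signature Algorithm": ("sha1WithRSAEncryption", r"Signature Algorithm:\s*(\S+)"),
    "Issuer CN": ("Postecom CS2", r"Issuer:.*?CN\s*=\s*([^,\n]+)"),
    "Policy OID": ("1.3.76.11.1.1.4.1", r"Policy:\s*([\d.]+)"),
    "CRL URI": ("http://postecert.poste.it/postecomcs2/crl.crl",
                r"CRL Distribution Points:[\s\S]*?URI:(\S+)"),
}
MAX_KEY_BITS = 1024                  # "maximum length of 1024 bits"
MAX_VALIDITY = timedelta(days=366)   # "1 year", allowing for a leap day

def _when(text, label):
    m = re.search(label + r"\s*:\s*(.+?) GMT", text)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y") if m else None

def deviations(text):
    """List every way a certificate text dump departs from the profile."""
    out = []
    for field, (expected, pattern) in CHECKS.items():
        m = re.search(pattern, text)
        got = m.group(1).strip() if m else None
        if got != expected:
            out.append(f"{field}: expected {expected}, got {got}")
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not bits or int(bits.group(1)) > MAX_KEY_BITS:
        out.append(f"Key size: expected at most {MAX_KEY_BITS} bits, "
                   f"got {bits.group(1) if bits else None}")
    start, end = _when(text, "Not Before"), _when(text, "Not After")
    if not (start and end) or end - start > MAX_VALIDITY:
        out.append("Validity: missing or longer than 1 year")
    return out

# Constructed sample in the layout printed by `openssl x509 -noout -text`.
CONFORMING = """\
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=IT, O=Postecom s.p.a., OU=Servizi Certification Authority, CN=Postecom CS2
        Not Before: Jul  7 00:00:00 2009 GMT
        Not After : Jul  7 00:00:00 2010 GMT
        Public-Key: (1024 bit)
            Policy: 1.3.76.11.1.1.4.1
        X509v3 CRL Distribution Points:
              URI:http://postecert.poste.it/postecomcs2/crl.crl
"""
# Constructed deviation: wrong policy OID and a two-year validity period.
DEVIANT = CONFORMING.replace("4.1\n", "9.9\n").replace("2010", "2011")
```

An empty list from deviations() means every checked field matches the profile; each string otherwise names one field that departs from it.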
Attachment 1
Facsimile of the Registration Form, which must be signed by the Organization's Server
Responsible, as indicated in the CPS. The form is sent to the e-mail address specified by the
Requester, completed with the information entered at the time of on-line registration.
File Number [1] _________
Information about the Server Responsible [2]    Value
First Name
Last Name
E-mail [3]
Company Name
Registered Office Address
City/Town
Postal code
Province
Telephone
Fax
Requesting Company Information    Value
Legal Representative's First Name [4]
Legal Representative's Last Name
Company Name
Registered Office Address
City/Town
Postal code
Province
VAT Number/Fiscal Code
Invoicing E-mail [5]
First Name of the Organization’s Responsible [6]
Last Name of the Organization’s Responsible
E-mail of the Organization’s Responsible [7]
Web Server Information    Value
Name of the Web Server to be certified [8]
Web Server's Organizational Division [9]
Type of Web Server [10]
Revocation Code [11]
[1] The value with which the Registration Form is associated with the Contract signed by the
Legal Representative, or equivalent, as indicated in the CPS.
[2] The Server Responsible is the operational person of reference, authorized by the
Organization’s Responsible, as indicated in the CPS.
[3] The electronic mailbox to which the issued certificate is sent.
[4] The Legal Representative or equivalent must be the same as indicated on the official
documentation transmitted.
[5] The electronic mailbox to which the electronic invoice is to be sent, only if applicable.
[6] The Organization’s Responsible must be the person shown in the official documentation
transmitted.
[7] The electronic mailbox to which the Contract that must be signed by the Legal
Representative or equivalent, as indicated in the CPS, and the issued certificate are sent.
[8] The name of the web server is that listed as the Common Name (CN) in the subject field of
the certificate.
[9] The Organizational Division of the web server is that which appears in the OU field of the
certificate.
[10] The type of web server (IIS, ePlanet, Apache, etc.).
[11] The revocation code is used to verify telephone requests. It consists of 9 numbers uniquely
associated with the certificate requested.
Place and date ________________________
Signature of the Server Responsible
___________________________