Low Sensitivity

Government of Ontario Public Key Infrastructure (GO-PKI)
Registration Authorities (RAs) And Local Registration Authorities (LRAs)
OPERATING PROCEDURES

Prepared by: Corporate Security Office of the Corporate Chief Strategist



GO-PKI RA/LRA Operating Procedures

Table Of Contents

1 PURPOSE
2 BACKGROUND
3 THE GO-PKI TRUST MODEL
  3.1 LEVELS OF ASSURANCE (LOA)
4 DOMAINS
  4.1 OPS DOMAIN
  4.2 PROGRAM DOMAINS
5 GOVERNANCE OF GO-PKI
  5.1 PROCESS FOR DETERMINING USE OF PKI
6 REGISTRATION AUTHORITIES
  6.1 REGISTRATION AUTHORITY (RA) FUNCTIONS
  6.2 CORPORATE RA FOR THE OPS DOMAIN
  6.3 PROGRAM SPECIFIC RAS
  6.4 ESTABLISHING A PROGRAM SPECIFIC RA
7 LRA NETWORKS
  7.1 LRAS WITHIN THE OPS DOMAIN
  7.2 EXTERNAL LRAS (EXTERNAL TO THE OPS DOMAIN)
  7.3 ESTABLISHING A LOCAL REGISTRATION AUTHORITY (LRA)
  7.4 LRA ACCOUNTABILITY, ROLE DISTINCTION & RESPONSIBILITIES
  7.5 DOCUMENTATION CRITERIA FOR RAS AND LRAS
8 VERIFICATION PROCEDURES FOR AUDITING PURPOSES
9 AUTHENTICATING INFORMATION
10 SECRET QUESTIONS AND ANSWERS
11 SECURE STORAGE AND DOCUMENT RETENTION
12 SUBSCRIBER REGISTRATION – MEDIUM LEVEL OF ASSURANCE
  12.1 ACCEPTABLE SUBSCRIBER IDENTIFICATION
13 REGISTERING SUBSCRIBERS OUTSIDE CANADA
14 COMMUNICATION OF ACTIVATION CODES

April 2005 2

15 PROFILE RECOVERY/PASSWORD RESET
16 CERTIFICATE REVOCATION
  16.1 REVOKING A GO-PKI CERTIFICATE
17 SUBSCRIBER INFORMATION CHANGE
18 DEVICE/APPLICATION CERTIFICATES
19 MANDATORY ENHANCED RELIABILITY CLEARANCE FOR GO-PKI
  19.1 MANDATORY COMPONENTS OF THE ENHANCED RELIABILITY CLEARANCE
20 GLOSSARY OF TERMS


1 PURPOSE

This document describes the governance for the GO-PKI registration process, the requirements for establishing registration authorities, and the operating procedures to be followed when registering subscribers within and outside the OPS.

2 BACKGROUND

The Government of Ontario is committed to delivering on-line government services in a manner that will provide security and privacy protection along with efficient service delivery. The services provided by the Government of Ontario Public Key Infrastructure (GO-PKI) contribute to the establishment of a trusted electronic environment for on-line service delivery. The clients of GO-PKI services include critical GO programs and services with sensitive applications and data that are accessed by GO employees and contractors, and by service partners in the public and private sectors.

Public key cryptography involves the issuance of pairs of cryptographic keys to individuals as a digital identity and for encryption. Each key pair consists of a private key that the individual must keep protected and a public key that is made available for use by others. Most PKI implementations, including GO-PKI, issue two pairs of private/public keys to registered individuals (i.e. subscribers), as follows:

Signature/verification keys – The subscriber uses his/her private signature key to digitally sign documents or communications, and to present an electronic identity to other parties via a network. The other parties use the corresponding verification key to verify the digital signature or electronic identity (i.e. identity authentication).

Encryption/decryption keys – Individuals can encrypt a document or communication using their intended recipient’s public encryption key. Only the intended recipient can decrypt such a communication or document using their private decryption key.

Subscribers must keep their private signature key and private decryption key secure. The infrastructure needed to securely manage and use these keys is called Public Key Infrastructure (PKI).
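To make the two-key-pair arrangement above concrete, the following Go program is an added example written for this page; it is not code from GO-PKI or from any vendor product the document refers to. It gives each subscriber a separate signature/verification pair and encryption/decryption pair, signs and verifies a message, seals it to a recipient, and checks the failure modes a relying party depends on: a tampered message does not verify, a signature does not verify under anyone else's verification key, and a holder of a different decryption key cannot open the ciphertext. The algorithm choices (Ed25519 for signing, RSA-2048 with OAEP for encryption) and the subscriber names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Subscriber holds the two key pairs described above. The signature key is used
// only to sign and its private half never leaves the subscriber; the decryption
// key is used only to open data that others sealed to the subscriber's public
// encryption key. The algorithms (Ed25519 for signing, RSA-2048 with OAEP for
// encryption) are this example's assumption, not a statement about GO-PKI.
type Subscriber struct {
	Name      string
	signKey   ed25519.PrivateKey // private signature key (kept secret)
	VerifyKey ed25519.PublicKey  // public verification key (published)
	decKey    *rsa.PrivateKey    // private decryption key (kept secret)
	EncKey    *rsa.PublicKey     // public encryption key (published)
}

// NewSubscriber generates both key pairs for a named subscriber.
func NewSubscriber(name string) (*Subscriber, error) {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Subscriber{Name: name, signKey: sk, VerifyKey: vk, decKey: dk, EncKey: &dk.PublicKey}, nil
}

// Sign produces a signature over msg with the subscriber's private signature key.
func (s *Subscriber) Sign(msg []byte) []byte { return ed25519.Sign(s.signKey, msg) }

// Verify checks sig against a published verification key; any relying party can do this.
func Verify(verifyKey ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(verifyKey, msg, sig)
}

// Encrypt seals msg to a recipient using only the recipient's public encryption key.
func Encrypt(encKey *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, encKey, msg, nil)
}

// Decrypt opens a ciphertext with this subscriber's private decryption key.
func (s *Subscriber) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.decKey, ct, nil)
}

// ExchangeResult records what each check in Exchange returned.
type ExchangeResult struct {
	SigValid         bool   // genuine message verifies under the sender's verification key
	TamperedValid    bool   // altered message must NOT verify
	WrongSignerValid bool   // signature must NOT verify under another subscriber's key
	Plaintext        string // what the intended recipient recovered
	WrongKeyFails    bool   // another subscriber's decryption key must fail to open it
}

// Exchange sends one message from sender to recipient: the sender signs it with
// its signature key and seals it to the recipient's encryption key. The third
// subscriber stands in for anyone else who obtains the signature or ciphertext.
func Exchange(sender, recipient, other *Subscriber, msg string) (ExchangeResult, error) {
	var r ExchangeResult
	m := []byte(msg)

	sig := sender.Sign(m)
	r.SigValid = Verify(sender.VerifyKey, m, sig)
	r.TamperedValid = Verify(sender.VerifyKey, append([]byte(msg), '!'), sig)
	r.WrongSignerValid = Verify(other.VerifyKey, m, sig)

	ct, err := Encrypt(recipient.EncKey, m)
	if err != nil {
		return r, err
	}
	pt, err := recipient.Decrypt(ct)
	if err != nil {
		return r, err
	}
	r.Plaintext = string(pt)

	_, err = other.Decrypt(ct) // OAEP padding check fails under the wrong private key
	r.WrongKeyFails = err != nil
	return r, nil
}

func main() {
	// Constructed sample subscribers; the names are placeholders, not real GO-PKI users.
	alice, err := NewSubscriber("alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewSubscriber("bob")
	if err != nil {
		panic(err)
	}
	carol, err := NewSubscriber("carol")
	if err != nil {
		panic(err)
	}
	r, err := Exchange(alice, bob, carol, "approve purchase order 4471")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Key generation takes a moment because three RSA key pairs are created. Nothing in the example ever hands a private signature key or private decryption key to another party, which is the property the text requires subscribers to preserve.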


3 THE GO-PKI TRUST MODEL

When Programs use GO-PKI, they are placing their trust in the GO-PKI Trust Model. This trust is built on a strong governance structure, formal roles and responsibilities, technology, and comprehensive policies and procedures that are in place for GO-PKI services. Any compromise of the Trust Model can result in serious repercussions that can destroy the effectiveness and reputation of the GO-PKI implementation. The ongoing vigilance of everyone involved in GO-PKI is essential to the maintenance of the Trust Model. The Government must be in a position to demonstrate that all components of the Trust Model are in place.


This document sets out the requirements for a key component of the Trust Model i.e. a rigorous, secure and consistent process for registering GO-PKI subscribers. A strong registration process provides assurance that the identities of individuals are verified before PKI certificates are issued. Third parties can then use the certificates to authenticate the identity of individuals in an electronic environment e.g. the Internet.

3.1 Levels of Assurance (LOA)

PKI Certificate Policies normally define requirements for the issuance and maintenance of PKI certificates at different levels of assurance (LOA). The GO-PKI Certificate Policy (CP) outlines the requirements for three levels of assurance: basic, medium and high. Higher levels require larger investments in the different components of the PKI. The LOA required for a given system will depend on the security risks that must be addressed by the organization.

The GO-PKI Policy Management Authority (PMA) established that medium LOA would be the standard for deployments of GO-PKI. As a result, this document only outlines the processes required for issuing medium level of assurance certificates. Key requirements include:

• Face-to-face verification of identity when registering subscribers, Registration Authorities (RAs), and Local Registration Authorities (LRAs), using items from the lists of Acceptable Identification.
• Separate methods of distributing the Authorization Codes and Reference Numbers, so that interception of a single channel does not yield the complete activation data.

If a program area's TRA recommends that either a basic or high LOA be used, then the program area includes a request for an exemption from the standard in its presentation to the PMA. This review will consider whether:

• Any liability issues have been identified, assessed, and addressed,
• Registration and authentication processes are appropriate to the proposed level of assurance, and
• Appropriate security measures are either planned or already in place to protect the registration process.

4 DOMAINS

The GO-PKI Concept of Operations uses the concept of domains to illustrate how limitations are placed on the scope of access to program information and/or services. Each domain requires a separate registration model to ensure that privacy is protected and to address its unique organizational and geographic challenges.


4.1 OPS Domain

For GO-PKI, all employees and contractors working within the Ontario Government are considered to be in the same domain, i.e. the OPS Domain. A single Registration Model serves the needs of the entire OPS Domain. This does not give members in this domain any additional authorization to access applications or information; Government programs are responsible for controlling such access.

4.2 Program Domains

A program domain is a term used to describe the entities delivering a particular government program, the information that is collected under that program, and the relationship with the clients of the program. Program domains often involve staff in broader public sector (BPS) organizations and sometimes employees in private sector service partners. This may involve access to a Ministry application by the staff in the external organizations. For example, the Ministry of Community and Social Services (MCSS) has a social services program delivered by staff in municipalities who require access to an MCSS application.

5 GOVERNANCE OF GO-PKI

Ontario has placed significant emphasis on establishing PKI governance frameworks within the context of government-wide security and business requirements. The PKI Governance model is the vehicle for defining the framework. The model addresses the broad objectives of maintenance of trust and inter-operability with other jurisdictions across Canada, including the Federal Government. Given that technology, policies and business rules must remain intrinsically bound to one another in a PKI rollout, PKI governance must be flexible, responsive and constantly in-step with the technology evolution and with broader Government wide organizational structures and Government of Ontario IM/IT structures.

The governance of the GO-PKI utilizes three distinct governance roles:

a) The Policy Management Authority (PMA) is responsible for:

• GO-PKI policy governing the creation and operation of the GO-PKI CA and RAs,
• any inter-operability agreements with PKIs operated by other organizations, and
• the approval of new uses of GO-PKI and any registration model developed by a program area to issue GO-PKI certificates.

b) The Certification Authority (CA), which is operated by Corporate Security, is responsible for:

• the day-to-day technical operation of the GO-PKI, and
• the issuance of GO-PKI certificates to individuals that have been duly registered.

c) A Registration Authority (RA) is appointed by the PMA for each domain. The responsibilities of an RA are described below.


5.1 Process for Determining Use of PKI

As Government programs implement electronic service delivery (ESD) projects, they need to assess the security and privacy risks that are inherent in the new modes of delivery. These risks may include Government liability associated with the protection of sensitive and/or personal information. To understand their security and privacy risks, programs need to complete an Information Classification [1] to determine the sensitivity of their information before completing a Privacy Impact Assessment (PIA) [2] and a Threat / Risk Assessment (TRA) [3]. The Information Classification Operating Procedures state that high sensitivity electronic information must be encrypted for transmission and while in storage. Encryption is also recommended for transmissions of medium sensitivity information depending on the risks involved as determined by a TRA.

If the recommendations developed by these assessments include the use of PKI in their application, the program area needs to present a business case to the GO-PKI PMA for approval. As the governing body for GO-PKI, the PMA has final approval of the use of PKI and how it is implemented. Government programs can use PKI technologies with their systems to ensure the confidentiality, privacy and integrity of personal information. They can also acquire several general services with GO-PKI protection, as follows:

• Secure email services,
• File and folder encryption (usually for laptops containing sensitive information), and
• VPN access to an application within the government network.

6 REGISTRATION AUTHORITIES

A Registration Authority (RA) is responsible for:

• The development of a registration model, which must be approved by the PMA,
• The lifecycle management of GO-PKI certificates (e.g. password recoveries, transfers and revocations), and
• The creation and management of a network of trusted Local Registration Authorities (LRAs), including the authentication and authorization of individual LRAs.

An RA can delegate part of his/her responsibilities to a Head LRA, e.g. building and managing the LRA network (this will happen where the RA is an ADM, CIO etc.). Depending on geographical or organizational considerations, it may be appropriate to have multiple Head LRAs. These Head LRAs can then nominate and authenticate LRAs for their part of the LRA network.

[1] Operating Procedures for completing an Information Classification are available at: http://intra.security.gov.on.ca/resources/default.asp
[2] Guidelines on the completion of a Privacy Impact Assessment are available at: http://www.gov.on.ca/MBS/english/fip/pia/
[3] Guidelines on the completion of a Threat/Risk Assessment are available at: http://intra.security.gov.on.ca/resources/default.asp

6.1 Registration Authority (RA) Functions

RAs are governed by:

• The Policy Management Authority (PMA),
• The Certificate Policy (CP),
• The RA/LRA Operating Procedures, and
• The RA Subscriber Agreement and Schedule of Responsibilities.

The following are the tasks performed by the Registration Authority under the GO-PKI initiative to enable issuance and management of certificates:

Responsibilities

• Ensure that the registration process under their control complies with the GO-PKI Operating Procedures and the GO-PKI Certificate Policy
• Ensure all LRAs have successfully passed an enhanced reliability clearance (see section 19)
• Authenticate and authorize nominated LRAs in the manner set out in the RA/LRA Operating Procedures or in a manner approved by the PMA
• Ensure the LRAs are informed of their respective responsibilities and receive proper training
• Accept certificate change, certificate revocation and key recovery requests, key renewal and termination for LRAs within their domain
• Ensure that measures are in place to secure transmission of LRA information to the CA
• Provide authorization codes to the LRA for on-line key exchange and certificate creation
• Ensure that measures are in place for LRAs to protect activation codes provided to them by the CA for communication to subscribers
• Maintain the confidentiality of LRA identification information in accordance with FIPPA/MFIPPA
• Protect the hardware and software components used in the performance of their RA function in accordance with this policy and the practices of the CA
• Perform periodic compliance audits on the LRAs in their domain
• Keep up-to-date with the current RA/LRA Operating Procedures.

RA Processes

The RA may undertake to authenticate and authorize registration, revocation and/or recovery of:

• An LRA within the same domain
• A Subscriber within the same domain
• A device certificate for a device owner within the same domain

NB: If the RA requires key recovery or revocation on their own certificate, they must request the CA to perform these functions for them.


Use of GO-PKI Profile

If the RA has operational registration duties then they must have their GO-PKI profile stored on an approved hardware token.

Key Suspension

Key suspension of the RA is permitted.

Certificate Revocation

The PMA must be informed if an operational RA's certificate needs to be revoked.

Key Recovery

Key recovery for the RA is permitted using the Entrust module for Key Recovery.

Changing Distinguished Name

Changing the RA distinguished name is permitted where the RA has:

• undergone a change of name; or
• moved from one domain to another,

and has completed the Change of DN Request form.

Key Rollover

The RA's key rollover is transparent and happens automatically.

Key Validity Period

On issuance, an operational RA certificate expiry period will be set at 12 months.

6.2 Corporate RA for the OPS Domain

The PMA assigned the role of Corporate RA to the Ontario Shared Services (OSS). The Corporate RA has responsibility for the LRAs within the OPS (the Corporate LRA Network) and the registration process that they perform. This domain includes the Government’s agencies, boards and commissions.


6.3 Program Specific RAs

Program Domains require a Program RA when non-OPS LRAs are needed to register external subscribers who are in the Program Domain. Typically this involves staff in BPS organizations or employees in private sector service partners who require access to a Program application or service. A Program RA should be a senior Program Manager (i.e. ADM or Director level) responsible for the Government business unit that requires GO-PKI to secure interaction with external subscribers. Only senior management of a program, the Certification Authority or the Corporate RA may nominate a Program RA for approval by the PMA. The Program RA is accountable for the registration model and the network of non-OPS LRAs in their Program Domain. The model must meet the policy specifications set out for GO-PKI and must be approved by the PMA.


6.4 Establishing a Program Specific RA

When a Program area requires an RA, they should nominate the highest-ranking OPS employee directly accountable for the program area i.e. at the ADM or Director levels. The RA must be approved by the Policy Management Authority (PMA) and registered by the Certification Authority (CA). Under the governance rules set by the PMA for GO-PKI, the RA is accountable for adherence to the established PKI operating rules (including the program registration model), and this accountability cannot be delegated. Registration tasks associated with the RA can be delegated to a Head LRA. The following are the steps required to create a Registration Authority (RA):


RA Nomination

An RA can only be nominated by:

• Senior Management of a program
• The Corporate RA
• The Certification Authority (CA)

RA Approval

Only the PMA can approve the RA.

RA Authentication

RA authentication can only be performed by the Certification Authority (CA)

Security Clearance

RAs must have an enhanced reliability clearance (see Section 19).

RA Authentication Process

A Program RA shall be authenticated by:

• Undertaking a face-to-face authentication process with the CA
• Providing three identification documents, consisting of:
  • two (2) Primary Identification Documents, at least one of which bears a current photo, and
  • one (1) Secondary Identification Document
• Details from the primary IDs must be documented, e.g. driver's license number
• The secondary ID must be viewed to provide a cross-reference to the name and possibly the address of the Subscriber, but the details from the secondary list are not to be recorded.


7 LRA NETWORKS

Each RA is responsible for the creation and management of a network of trusted Local Registration Authorities (LRA). The RA delegates the provision of day-to-day GO-PKI registration services to these LRAs. The number of LRAs in a domain will depend on the structure of the organization they represent and the geographical location of current and future subscribers. The RAs appoint the LRAs based on nominations from a senior manager (i.e. Director level) of the organizational unit requiring registration services.

An LRA network is hierarchical in nature to establish a tiered chain of trust starting with the PMA at the top down to GO-PKI subscribers who are registered by LRAs. This chain of trust is critical in establishing and maintaining the integrity of the service offered by GO-PKI. The Corporate and Program RAs must ensure that this chain of trust is maintained within their domains.

The following diagrams depict the hierarchical RA/LRA models for the OPS Domain and in sample Program Domains.

[Diagram: OPS Domain RA/LRA model] Policy Management Authority (Secretariat to PMA: Corporate Security) -> Certificate Authority (Corporate Security) -> Corporate Registration Authority (GO-PKI Contact Centre, Ontario Shared Services, GO-PKI-Enabled Services) -> Head Local Registration Authority in each Ministry (e.g. Community Safety & Correctional Services, Finance, Natural Resources) -> Local Registration Authorities -> Subscribers

[Diagram: Program Domains RA/LRA model] Policy Management Authority (Secretariat to PMA: Corporate Security) -> Certificate Authority (Corporate Security) -> Program Registration Authority for each Program with GO-PKI enabled services (e.g. Ontario Works, Justice, Children's Aid Societies) -> Head Local Registration Authority -> Local Registration Authorities -> Subscribers


7.1 LRA's Within The OPS Domain

An LRA is established in the OPS Domain, as follows:

• An SMG2/ITX2 level manager (nominator) within the program area using GO-PKI must nominate the LRA in writing to the Corporate RA (OSS). The nominator must be able to bind the LRA to the operational requirements of the program.

• All LRAs must undergo a face-to-face registration process and a level 3 security check to obtain an enhanced reliability clearance.

• All OPS LRAs will have a 'dotted line' relationship to the Corporate RA (OSS) for PKI registration-related activities.

Ministries may make arrangements to share LRAs. For example, an LRA can register an individual who works in another ministry in situations where several ministries maintain small offices in the same building.

7.2 External LRAs (External to the OPS Domain)

A Program RA can appoint External LRAs within external organizations that are part of a Program Domain. An authorized representative of the external organization employing the external LRA must accept the obligations placed on the LRA through their external LRA agreement. External LRA's are not authorized, authenticated, or managed by OSS. The Program RA is responsible for these functions with the support of the Head LRA and the CA. OSS can agree to perform password reset or recovery for external subscribers.

7.3 Establishing a Local Registration Authority (LRA)

Local Registration Authorities (LRAs) must:

• be OPS employees or employees of external organizations that are part of a Program Domain (i.e. BPS or service partners). External organizations must sign either an individual agreement for each LRA in their organization or an umbrella External Organization Agreement,
• not be employees attached to foreign organizations or jurisdictions,
• be nominated by the Registration Authority or a Senior Manager (SMG2/ITX2) of that Domain, and
• be governed by the Certificate Policy (CP), the RA/LRA Operating Procedures, and the Policy Management Authority (PMA).

The following are the steps required to create a Local Registration Authority (LRA) under the GO-PKI process:


LRA Nomination

The LRA can only be nominated by:

• The Corporate Registration Authority; or
• The RA or Senior Manager of an area within the Program Domain that the LRA will operate in.

LRA Authentication Procedures for Medium Level of Assurance

The LRA shall be authenticated by one of the following individuals:

• An existing LRA within the OPS Domain,
• An existing LRA within a Program Domain (e.g. municipalities using GO-PKI services), or
• The Certification Authority of GO-PKI,

in the following manner:

• Undertaking a face-to-face authentication process
• Providing three pieces of identification (originals only) consisting of two (2) Primary Identification Documents and one (1) Secondary Identification Document
• A current photo must appear on at least one of the documents used for Primary identification
• Original documents must be viewed and details recorded for the primary documents only

In addition, LRAs must undergo a level 3 security check to obtain an enhanced reliability clearance (see section 19).

7.4 LRA Accountability, Role Distinction & Responsibilities

Under the structure of GO-PKI, the RA or Senior Manager (SMG2/ITX2) must nominate LRAs in their program area. LRAs must be authenticated using the criteria outlined for them, and this must include a photo ID. An individual cannot be nominated to act as LRA if they do not have the appropriate identity documentation.

Within the GO-PKI framework, there are LRAs with different roles that have been defined to meet the requirements of the program areas they support:

Authenticating LRAs whose primary responsibility is authenticating the identity of subscribers face-to-face before forwarding requests for the creation of certificates; and

Operational LRAs who, in addition to the above, carry out specific operational responsibilities relating to life-cycle management of certificates e.g. revocation of certificates, profile/password recovery.

In addition, an RA may delegate their responsibility for the management and training of the LRA network to a designated LRA(s) in their organization. Such LRAs may have access to the additional GO-PKI functionality (e.g. management reports).

In the case of the OPS Domain, LRAs in the OSS Contact Centre have been organized to:

• Support the initial registration process (i.e. receive and check requests from Authenticating LRAs, capture authenticating information, forward requests to the CA Agent in Corporate Security [4], communicate activation data to subscribers);
• Provide Help Desk services (Operational LRAs), e.g. password recovery, certificate revocation; and
• Support the Corporate RA in fulfilling RA responsibilities with regard to training and management of the LRAs across the OPS.

LRA responsibilities are as follows:

Common Responsibilities for all Authenticating LRAs

• All LRAs must have an enhanced reliability clearance (see Section 19)
• Undertake functions specified by the CA in accordance with these procedures
• Authenticate Subscribers in the manner set out in the RA/LRA Operating Procedures or in a manner approved by the PMA
• Verify and record Subscriber identification information face-to-face and securely forward the original Subscriber Agreement with the subscriber's signature for processing
• Maintain the confidentiality of Subscriber identification information in accordance with FIPPA/MFIPPA
• Protect the hardware and software components used in the performance of their LRA function in accordance with this policy and the practices of the CA
• Secure transmission of registration information to the RA in a way that can be authenticated
• Authenticate the identity of additional LRAs within their domain as per these procedures
• Keep up-to-date with the current RA/LRA Operating Procedures and their role and responsibilities under the procedures.

Additional Responsibilities for Operational LRAs (LRAs performing duties relating to life-cycle management of certificates):

• Perform duties using their GO-PKI profile stored on an approved hardware token
• Protect activation codes transmitted by a CA until sent to a Subscriber
• Inform the CA of the dates upon which Subscribers obtain their activation codes
• Process requests such as certificate revocation and certificate recovery
• Undertake annual compliance audits on their services


[4] The responsibilities of the CA Agent in Corporate Security include the issuance of GO-PKI certificates, which involves the creation of activation data that is securely communicated to new subscribers so they can create their certificate profile.


LRA Processes

The LRA shall undertake to authenticate and authorize:
• Registration for a Subscriber within their domain
• Registration of additional LRAs within their domain
• Name changes for a Subscriber within their domain
• Device registration for a device owner within their domain
• Key recovery for LRAs within their domain
• Key recovery for a Subscriber within their domain
• Device key recovery for a device owner within their domain
• Certificate revocation for LRAs in their domain
• Certificate revocation for a Subscriber within their domain
• Device certificate revocation for a device owner within their domain

NB: If the LRA requires key recovery or revocation on their own certificate, they must request the RA in their domain, or the CA, to perform these functions for them.

Use of GO-PKI Profile

The GO-PKI profiles for Operational LRAs must be stored on an approved hardware token.

Key Suspension

Key suspension of LRAs is permitted.

Certificate Revocation

The LRA's certificate may be revoked only at the request of the LRA, the RA or Senior Management of a program area.

Key Recovery

Key recovery of the LRA is permitted for those using the Entrust module for Key Recovery.

Changing Distinguished Name

Changing the LRA distinguished name is permitted where:
• The LRA has undergone a change of name;
• The LRA has moved from one domain to another.

Key Rollover

LRA key rollover is permitted and happens automatically and transparently.

Key Validity Period

On issuance, the LRA's operational certificate expiry period will be set at 12 months.


7.5 Documentation Criteria for RAs and LRAs

Accuracy in the identification of the person who is to fulfill the role of the RA or LRA is essential to ensure the Trust Model for the GO-PKI. For that reason, the items that can be used as personal identification for RA or LRA registration are limited to those items that have a rigorous registration process. This would include Federal or Provincial government issued identification that contains a picture as primary identification e.g.: current Ontario Driver’s license or a valid license from another province, current passports (Canadian or foreign).

Any nominee registering to perform the function of RA or LRA at a medium level of assurance (Province of Ontario standard) is required to present, in person, documentation that meets the standard for acceptable ID. Primary identification will be documented on the RA/LRA Subscriber Agreement e.g., driver's license number. Secondary identification will be viewed but not documented other than to reference the type of document viewed.

Criteria for Acceptable Identification for RAs and LRAs:

• Primary identification must have been issued by a government organization where there is a standardized process of registration that took place to obtain the identification.

• Every nominee for a Medium Level of Assurance domain must present three pieces of identification, two primary and one secondary

• One of the primary pieces must contain a government issued photo on it e.g.: a driver's license, passport.

• One of the primary identification documents can reflect an earlier legal name if the document for the name change is also presented (e.g. marriage certificate). In this case, the name change document can be used as the secondary identification document.

• Health Cards and Social Insurance Cards cannot be requested nor the number recorded for PKI identification purposes due to legislation and privacy issues. However, if the nominee chooses to show these pieces of identification, the LRA should treat them as secondary ID documents (the numbers are not recorded).

• The same piece of identification cannot be used twice.

• Most secondary documentation should simply be viewed to confirm the name and likely the address of the individual, because many of the documents eligible for presentation:

- Contain personal information that should not be recorded by the Certification Authority; and

- Do not have a document ID on them that can be recorded instead of the personal information.


• Where a nominee LRA will be performing the function of LRA within the private sector (e.g. law clerks in law firms, assistants in a doctor’s office), they can present a letter signed by their employer authorizing the CA to establish that individual as their LRA. In this case, the individual should present their own primary identification to authenticate themselves, but as secondary identification they could present the letter from the employer and the employer's business registration license (where applicable). The CA must make a phone call to the nominee's employer to verify they have sent that individual in to be registered as their LRA.

The following lists of primary and secondary identification provide some guidance to the program area on what constitutes acceptable identification.

RA/LRA Primary Identification:

Acceptable RA/LRA Primary Identification
1. Current driver’s license showing the LRA’s full name and address on the individual’s application (including graduated driver’s license).
2. Canadian Birth Certificate [5]
3. Current Canadian passport or a valid passport from another country
4. Certificate of Canadian Citizenship or Certificate of Naturalization (paper document or plastic card but excludes commemorative issue).
5. Permanent Resident Card (Maple Leaf Card) – must be renewed every five years if the individual does not become a Canadian citizen.
6. Certificate of Indian or Metis Status Card (Federal Government issued only).
7. Current document of identity issued by a government ministry or agency with a rigorous registration process, an identification number and potentially a security clearance process (considered on a case-by-case basis), e.g. OPP or RCMP Security Check.
8. CANPASS – A Remote Area Border Crossing permit allows the bearer to cross the border into Canada at certain remote areas without reporting to a port of entry, as long as imported goods are declared.
9. NEXUS – A cross-border express pass for low-risk travelers who have passed a stringent Canadian and American security check including fingerprint biometrics, a photograph, and a personal interview with immigration officials. In order to maintain this pass, the individual must re-apply every two years.
10. Firearm Registration License.

[5] Following a federal government change effective November 26, 2001, only the following identity documents will be accepted as proof of Canadian citizenship for people born in Quebec:
• A birth certificate issued after January 1, 1994 by the Directeur de l'état civil in the province of Quebec.
• A Certificate of Canadian Citizenship.


RA/LRA Secondary Identification:

Secondary identification provides additional evidence of the individual's identity and current address (e.g. payment of utility bills, mortgage, bank statement). These documents often provide some evidence of community involvement. They must be dated and from a trustworthy source, and where possible, include the address of the individual.

The following items are acceptable as secondary identification. (View relevant data for name, and address confirmation only):

ACCEPTABLE RA/LRA SECONDARY IDENTIFICATION
1. Canadian Immigration Identification card
2. Certificate of Baptism
3. Certificate issued by a government ministry or agency, e.g., Marriage, Divorce, Adoption
4. Documents showing the registration of a legal name change accompanied by evidence of use of the prior name for the preceding 12 months
5. BANK/ATM or credit card [6] showing the Subscriber’s full name (and signature where applicable)
6. Account statements or bankbooks issued by financial institutions showing the Subscriber’s full name and address
7. Insurance policy or renewal documents showing the Subscriber’s full name and address
8. Mortgage, Rental or Lease agreement
9. Taxation assessment notices from Canada Customs and Revenue Agency
10. Property tax assessment notice
11. Child Tax Benefit Statement
12. Canada Pension Plan Statement of Contributions
13. Ministry of Natural Resources Outdoors Card
14. Current registration document from a professional organization, e.g. physicians with the College of Physicians and Surgeons of Ontario (CPSO), Professional Engineers Ontario (PEO)
15. Ontario motor vehicle permit (plate portion and/or vehicle portion)
16. Utility Bills
17. Canadian Forces Identity Card
18. Canadian Police Force Identification Card
19. Judicial ID Card
20. Current Employee ID card (Canadian or Foreign) that includes the employee’s name, photo, the issuing organization and date (either issued or expiry)
21. Union Card
22. Payroll statement

[6] Bank or credit card numbers must not be recorded for secondary ID. They must be viewed only.

8 VERIFICATION PROCEDURES FOR AUDITING PURPOSES

To ensure that proper procedures have been followed in the registration process, auditors require that there be proof that the registration rules were followed. For this reason, the following verification steps must be performed:

1) The CA must see and record appropriate identification on an RA Subscriber Agreement;
2) The RA must see and record appropriate identification on an LRA Subscriber Agreement;
3) The LRA must see and record appropriate identification on a Subscriber Agreement;
4) If the LRA is authenticating another LRA, they must see and record the appropriate identification on the LRA Subscriber Agreement;
5) The originals of all Subscriber Agreements (including CA/RA/LRA) must be securely stored at the RA's location. Access to this information is restricted to maintain both the security and privacy of the information provided.
6) RAs and LRAs must not maintain photocopies of LRA Agreements or Subscriber Agreements without a memorandum of understanding and the approval of the PMA.
7) The CA/RA/LRA accepting identification from individuals presented as nominee LRAs within the legal or medical communities must telephone the nominee's employer (nominator) to confirm they have sent that individual for registration.

9 AUTHENTICATING INFORMATION

Authenticating Information is used to verify the identity of remote subscribers in situations when their PKI certificates are not available for this purpose. The use of Authenticating Information is essential to protect subscribers’ digital identity and to maintain the GO-PKI Trust Model. LRAs in the OSS Contact Centre use Authenticating Information to verify an individual’s identity during a telephone call before:
• Communicating activation data (i.e. authorization code or reference number) needed by a new subscriber to create his/her PKI profile; and
• Acting on a caller’s request to recover their PKI profile (resetting a forgotten password) or to revoke their certificate.

Subscribers registering for medium level of assurance certificates must provide at least three pieces of Authenticating Information as part of the registration process. The Authenticating Information must be sufficiently obscure (i.e. not easily guessed or readily obtained). In the case of OPS staff with basic level of assurance certificates, the OSS Contact Centre verifies an individual’s identity using authenticating information in their WIN employee file.


10 SECRET QUESTIONS AND ANSWERS

With the introduction of Self-Admin Services, Secret Questions and Answers (SQAs) will be used to electronically verify the identity of subscribers before the recovery of their GO-PKI certificate.


At least three SQAs must be used to verify identity to a medium level of assurance. The selected questions and their answers must be stored securely and kept totally confidential (i.e. known only to the individual). In addition, the answers must be obscure (i.e. not readily guessed or researched). Rather than relying on individuals to think of suitable questions for their SQAs, they should be provided a list of standard questions from which they can select three. The standard questions must:

• have answers that are precise, 1-3 words and static (i.e. not subject to change);
• have answers that will be entered consistently (these are like passwords);
• be about something that most individuals can relate to regardless of their background;
• not be about topics that are often shared in casual conversation, e.g. children’s names;
• have a wide range of answers (to minimize the potential for guessing the answer); and
• adhere to the rules of the Workplace Discrimination and Harassment Prevention Policy. [7]

11 SECURE STORAGE AND DOCUMENT RETENTION

Subscriber Agreements contain personal information; therefore the originals must be securely stored according to the regulations under FIPPA at the RA secure site only [except where approved by the PMA to be secured elsewhere]. [8]

• Storage must be locked, secure, and access limited to those individuals within the RA network who are actively taking registration information.

• Individuals acting in registration positions are bound by FIPPA/MFIPPA requirements for confidentiality of personal information provided to them. They must not maintain separate copies of the original Subscriber Agreements nor maintain a separate database of the information on the Subscriber forms.

Subscriber Agreements must be stored according to the rules set by FIPPA/MFIPPA. They should be retained for one year after their last use; however, seven years is recommended.

[7] http://intra.hropenweb.gov.on.ca/hrpolicies/EO_pol.html

[8] http://www.ipc.on.ca/english/acts/prov-act.htm#s2


12 SUBSCRIBER REGISTRATION – MEDIUM LEVEL OF ASSURANCE

Different registration forms are used for internal and external subscribers who require a GO-PKI certificate at a medium level of assurance (LOA). These forms are available on the OPS I&IT Security web site [9].

The registration process can be carried out using either manual registration forms or a web-based registration tool which can be accessed by authorized LRAs from anywhere within the GO-NET. Although registration information is captured and transmitted differently (i.e. paper versus electronic), the roles of the subscribers and LRAs are the same for both the manual and web-enabled registration processes. Completed GO-PKI subscriber forms are classified as medium sensitivity and must be protected accordingly. All information collected by an LRA is considered confidential and is governed by the Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal counterpart MFIPPA. All steps of the registration process must be handled with the strictest security and confidentiality. Secure handling, storage and transmission of the data collected by the LRA are imperative.

Internal Subscribers

The Internal Subscriber Agreement is used for internal subscribers who are staff paid through the Government payroll i.e. permanent employees, secondees from the BPS, co-op students and staff in those agencies, boards and commissions that are paid through the Government payroll.

Most of the internal subscribers are automatically issued a basic LOA certificate through the HR process. Their manager will inform internal subscribers if they need to upgrade their GO-PKI certificate from basic to medium LOA by registering in person with an LRA.

External Subscribers

The External Subscriber Agreement must be used for external subscribers i.e. individuals who require access to government systems and resources to carry out their responsibilities and are not directly paid via the Government payroll e.g. individuals hired through a temp agency, contractors, consultants, external vendors, service delivery partners and client organizations with special access. PKI certificates issued to external subscribers must have an expiry date that is no greater than the expiry date on the ministry’s contract with the vendor organization employing the external subscriber (up to a maximum of two years).

The OPS Manager responsible for the relationship with the external subscriber must sign the Agreement to authorize the request for their GO PKI certificate and the charge back for its issuance. An authorized representative of the vendor organization must also sign the Agreement to authorize the request and accept the obligations placed on the subscriber through their external subscriber agreement. The vendor organization may be offered the option of signing a single external organization agreement rather than multiple External Subscriber Agreements.


[9] http://intra.security.gov.on.ca/securitybranch/pki-services.asp


12.1 Acceptable Subscriber Identification

Any client registering for a PKI Certificate at a medium level of assurance (the standard for the Ontario Government) is required to present, in person, documentation that meets the standard set out in Acceptable Subscriber Identification. Registration procedures for programs whose PIA and TRA recommend a level of assurance other than medium will be reviewed individually as part of their presentation to the PMA. Subscribers must present two pieces of identification during registration, consisting of:

• A primary identification document with a document number and photo that was issued by a government organization using a standardized process of registration; and

• An acceptable secondary identification document.

The name and address information on the primary and secondary documents is compared for consistency and the number on the primary document is recorded. A primary identification document with an earlier legal name can be used if the document for the name change is also presented (e.g. marriage certificate). The separate secondary document must reflect the subscriber’s current legal name. Information on secondary documentation is not recorded because many of the eligible documents contain personal information that should not be recorded by an LRA, and do not include a document number that can be recorded instead of personal information.


In the event that the client does not have a primary piece of identification with a photo, he/she must present three pieces of approved identification that include at least one primary piece plus a secondary piece with a photo. Health Cards and Social Insurance Cards (Canadian or foreign equivalent) cannot be requested due to legislation and privacy issues; however, if the subscriber chooses to show these pieces of identification, the LRA cannot refuse to view them. In this case they are treated as secondary ID that is viewed but whose numbers are not recorded. Lists of acceptable primary and secondary identification are outlined below to provide guidance to program areas. There may be other pieces of acceptable ID that fall within the criteria. A second primary document may be used in place of a document from the secondary list.
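As an added illustration (not part of these procedures and not the government's own tooling), the following Python models the identification-document acceptance rules of section 7.5 for RA/LRA nominees and of section 12.1 for subscribers, including which numbers may be written on the Agreement. Document names and numbers are constructed for the example.

```python
"""Model of the GO-PKI identification rules for RA/LRA nominees (section 7.5)
and subscribers (section 12.1). Added example, not the procedures' own tooling;
the document names and numbers used below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIMARY = "primary"
SECONDARY = "secondary"

# May be viewed if the person offers them, but are never requested and their
# numbers are never recorded; they count only as secondary identification.
NEVER_RECORD = {"health card", "social insurance card"}


@dataclass(frozen=True)
class IdDocument:
    kind: str                     # document name as presented
    category: str                 # PRIMARY or SECONDARY
    has_photo: bool
    number: Optional[str] = None  # document number, if the document carries one


@dataclass
class Decision:
    accepted: bool
    reasons: List[str]        # why the set was refused (empty when accepted)
    recorded: Dict[str, str]  # document kind -> number written on the Agreement


def normalize(docs: List[IdDocument]) -> List[IdDocument]:
    """Rules common to both roles: the same piece of identification cannot be
    used twice, and Health Cards / Social Insurance Cards are treated as
    secondary ID whose numbers are not recorded."""
    seen, out = set(), []
    for d in docs:
        key = d.kind.strip().lower()
        if key in seen:
            continue
        seen.add(key)
        if key in NEVER_RECORD:
            d = IdDocument(d.kind, SECONDARY, d.has_photo, None)
        out.append(d)
    return out


def recorded_numbers(docs: List[IdDocument]) -> Dict[str, str]:
    """Only primary document numbers go on the Agreement; secondary documents
    are viewed for name and address confirmation only."""
    return {d.kind: d.number for d in docs
            if d.category == PRIMARY and d.number is not None}


def check_subscriber(docs: List[IdDocument]) -> Decision:
    """Section 12.1: a photo primary plus a secondary document (a second primary
    may stand in for the secondary). Without a photo primary, three pieces are
    needed: at least one primary plus a secondary with a photo."""
    docs = normalize(docs)
    primary = [d for d in docs if d.category == PRIMARY]
    secondary = [d for d in docs if d.category == SECONDARY]
    reasons = []
    if not primary:
        reasons.append("at least one primary identification document is required")
    elif any(d.has_photo for d in primary):
        if len(docs) < 2:
            reasons.append("two pieces of identification are required")
    else:
        if len(docs) < 3:
            reasons.append("three pieces are required when no primary has a photo")
        if not any(d.has_photo for d in secondary):
            reasons.append("a secondary document with a photo is required")
    return Decision(not reasons, reasons, recorded_numbers(docs))


def check_ra_lra(docs: List[IdDocument]) -> Decision:
    """Section 7.5: three pieces, two primary and one secondary, with at least
    one primary bearing a government-issued photo."""
    docs = normalize(docs)
    primary = [d for d in docs if d.category == PRIMARY]
    secondary = [d for d in docs if d.category == SECONDARY]
    reasons = []
    if len(primary) < 2:
        reasons.append("two primary identification documents are required")
    if not secondary:
        reasons.append("one secondary identification document is required")
    if not any(d.has_photo for d in primary):
        reasons.append("one primary document must bear a government-issued photo")
    return Decision(not reasons, reasons, recorded_numbers(docs))


# Constructed sample documents; names and numbers are illustrative only.
DRIVERS_LICENSE = IdDocument("Driver's license", PRIMARY, True, "DL-EXAMPLE-001")
PASSPORT = IdDocument("Passport", PRIMARY, True, "PP-EXAMPLE-002")
BIRTH_CERT = IdDocument("Birth certificate", PRIMARY, False, "BC-EXAMPLE-003")
UTILITY_BILL = IdDocument("Utility bill", SECONDARY, False)
HEALTH_CARD = IdDocument("Health card", PRIMARY, True, "HC-NEVER-RECORDED")

if __name__ == "__main__":
    for fn, docs in [(check_subscriber, [DRIVERS_LICENSE, UTILITY_BILL]),
                     (check_subscriber, [BIRTH_CERT, UTILITY_BILL, HEALTH_CARD]),
                     (check_ra_lra, [DRIVERS_LICENSE, HEALTH_CARD, UTILITY_BILL])]:
        d = fn(docs)
        print(fn.__name__, "accepted" if d.accepted else d.reasons, d.recorded)
```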


Subscriber Primary Identification

Subscribers may use the following documents for the purposes of primary identification:

Acceptable Subscriber Primary Identification
1. Current driver's license showing the Subscriber's full name and address on the individual’s application (including graduated driver’s license).
2. Canadian Birth Certificate [10]
3. Current Canadian passport or a valid passport from another country
4. Certificate of Canadian Citizenship or Certificate of Naturalization (paper document or plastic card but excludes commemorative issue).
5. Permanent Resident Card (i.e. Maple Leaf Card) – must be renewed every five years if the individual does not become a Canadian citizen.
6. Certificate of Indian or Metis Status Band Card (Federal Government issued only).
7. Current document of identity issued by a government ministry or agency with a rigorous registration process, an identification number and potentially a security clearance process (considered on a case-by-case basis), e.g. OPP or RCMP Security Check.
8. CANPASS – A Remote Area Border Crossing permit allows the bearer to cross the border into Canada at certain remote areas without reporting to a port of entry, as long as imported goods are declared.
9. NEXUS – A cross-border express pass available to low-risk individuals who have passed a stringent Canadian and American security check including fingerprint biometrics, a photograph, and a personal interview with immigration officials. In order to maintain this pass, the individual must re-apply every two years.
10. Firearm Registration License.
11. Foreign clients may present their country's Citizen Identification card where these exist, e.g. Mexico, Europe [11].

[10] Following a federal government change effective November 26, 2001, only the following identity documents will be accepted as proof of Canadian citizenship for people born in Quebec:
• A birth certificate issued after January 1, 1994 by the Directeur de l'état civil in the province of Quebec.
• A Certificate of Citizenship.

[11] GO-PKI is currently not issuing certificates to foreign subscribers.


Subscriber Secondary Identification

The following are examples of acceptable secondary identification that can be viewed to provide additional identification for the Subscriber presenting them for authentication.

SECONDARY SUBSCRIBER IDENTIFICATION
1. Old Age Security card
2. Canadian Immigration documents issued (without a photo): Immigration Identification card; Immigration Visa and Record of Landing; Confirmation of Permanent Residence; Permanent Resident Visa; Work Permit; Temporary Resident Permit
3. Certificate of Baptism
4. Certificate issued by a government ministry or agency, e.g., Marriage, Divorce, Adoption
5. Documents showing the registration of a legal name change accompanied by evidence of use of the prior name for the preceding 12 months.
6. BANK/ATM or credit card [12] showing the Subscriber’s full name (and signature where applicable)
7. Account statements or bankbooks issued by financial institutions showing the Subscriber’s full name and address.
8. Insurance Policy or Renewal document with the subscriber’s full name and address
9. Mortgage, Rental or Lease agreement
10. Taxation assessment notices from Canada Customs and Revenue Agency
11. Property tax assessment notice
12. Child Tax Benefit Statement
13. Canada Pension Plan Statement of Contributions
14. Utility Bills
15. Ministry of Natural Resources Outdoors Card
16. Current registration document from a professional organization, e.g. physicians with the College of Physicians and Surgeons of Ontario (CPSO), Professional Engineers Ontario (PEO), etc.
17. Judicial ID Card
18. Business Registration License showing the name of the subscriber (e.g. business owner) and the address of the business
19. Ontario motor vehicle permit (plate portion and/or vehicle portion)
20. Canadian Police Force Identification Card
21. Canadian Armed Forces Identification Card
22. Current Employee ID card (Canadian or foreign) that includes the employee’s name, photo, the issuing organization and date (either issued or expiry).
23. Union Card
24. Payroll Statement
25. Student Identification Card
26. BYID Card (formerly Age of Majority Card)
27. CNIB Photo Registration Card – acceptable for subscribers only

[12] Bank or credit card numbers must not be recorded for secondary ID. They must be viewed only.


13 REGISTERING SUBSCRIBERS OUTSIDE CANADA

At times, ministries/programs need to have GO-PKI certificates issued to individuals outside Canada (e.g. contractors outside Canada who need remote access to the OPS network to complete their work). A ministry/program with such a need must assess the risks associated with extending access to individuals in foreign jurisdictions, and ensure that access controls are in place to limit their access to the specific applications and information authorized by the ministry/program.

The requirements for the registration of individuals outside Canada parallel those for subscribers inside Canada. There is an additional requirement that the individual provide proof of a working relationship with the Ontario Government (e.g. contract). Before any GO-PKI certificates are issued in a foreign jurisdiction, the Corporate Security Branch will consult with the Federal Government on Canadian law and the local laws governing cryptography for that jurisdiction.

Identification Documents

The Corporate RA has the lead role in obtaining PMA approval for document equivalency for identification documents outside Canada. Document equivalency will depend on both the document and the process for its issuance.

When PKI certificates need to be issued in a foreign jurisdiction, the Corporate RA will work with the ministry/program involved and the Corporate Security Branch to develop a list of primary and secondary identification documents that parallels the list for Canada (e.g. birth certificate, driver's license, passport, citizenship certificate). The list will be tailored to reflect differences in local identification documents (e.g. national ID card).

Ministries must retain the services of a Notary Public in the foreign jurisdiction to confirm the validity of identification documents.

Establishing LRAs in a Foreign Jurisdiction

Ministries that need to register individuals in a foreign jurisdiction must develop an LRA network in consultation with the RA and the Corporate Security Branch, and present it to the PMA for approval. The approach taken to establish LRAs in a foreign jurisdiction will vary depending on the nature of the working relationship between the ministry and the foreign organization. For example, ministry staff who routinely travel to meetings with the foreign organization could be appointed and trained as LRAs to register the appropriate foreign individuals face-to-face.

Subscriber Agreement for Foreign Jurisdictions

The External Subscriber Agreement must be used when issuing GO-PKI certificates to individuals in foreign jurisdictions. The ministry/program must consult with their Legal area to review the enforceability of the External Subscriber Agreement with the foreign jurisdiction in mind.


PKI certificates issued outside Canada must be issued with an expiry date. The LRA must enter an expiry date on the Agreement that is no greater than the expiry date on the ministry’s contract with the foreign organization (up to a maximum of two years). If a contract expiry date is not available, PKI certificates will be created with a default expiry date of 6 months. The ministry can renew an expired certificate after confirming that it is still required.

14 COMMUNICATION OF ACTIVATION CODES

The issuance of a GO-PKI certificate involves the CA’s generation of an Authorization Code and Reference Number, which are used by the subscriber to activate his/her GO-PKI profile. The CA must use two separate channels of communication to provide these codes to the subscriber. A designated LRA may potentially be involved in the communication process.

The choice of the communication channels can vary depending on the subscriber group and their access to technology. The separate channels are selected from the following:
• E-mail message sent to the Subscriber’s e-mail address;
• Telephone call by an LRA who must first verify the subscriber’s identity using the Authenticating Information captured during registration;
• Interactive Voice Response (IVR) – voice mail message left at the telephone number provided by the subscriber during registration;
• Regular Mail or Courier delivery of an envelope to the Subscriber’s address; and
• A secure web service (e.g. Self-Admin Services), which must first authenticate the subscriber’s identity using authenticating information, e.g. Secret Questions and Answers.

The communication to the subscriber must include instructions on how to activate their PKI certificate and on the need to activate their profile within the required timeframe i.e. within 5 days for basic level of assurance (LOA) and 2 days for medium LOA. Certificates at a high LOA are activated immediately since they are issued on a token.


15 PROFILE RECOVERY/PASSWORD RESET

To facilitate key recovery, the GO-PKI CA backs up and retains a secure copy of each subscriber’s private decryption key, which is the key used by subscribers to open documents that are encrypted for them. A key recovery may only be requested by the subscriber, their sponsor (i.e. Program Manager) or a Canadian municipal, provincial or federal law enforcement entity based on a valid warrant. The subscriber must be informed if another authorized individual has requested the recovery of their private decryption key.

If a subscriber has forgotten their password to access their GO-PKI profile, which contains their keys, he/she can contact an Operational LRA to initiate the process to recover their private decryption key. When the recovery is completed, the subscriber will have a new GO-PKI profile, which will contain their recovered private decryption key and a new private signature key.13

Subscribers have the option of carrying out a recovery via the Self-Admin Service, which is a secure web-based service that enables users to perform self-administration tasks such as password resets/profile recoveries. GO-PKI subscribers should be encouraged to use the Self-Admin Service since this reduces the number of calls to the help desk and enables subscribers to conveniently recover from a forgotten password during off-hours. To use this service, subscribers must set up their Secret Questions and Answers, which are used by the service to electronically verify their identity before acting on their request.

In the case of calls to the Help Desk, an Operational LRA logs the call and verifies the identity of the subscriber using Authenticating Information that was securely captured (Medium Level of Assurance) or personal information on the WIN system (OPS - Basic Level of Assurance). The Operational LRA then does the RA transaction to recover the subscriber’s profile.

For both recovery processes, the GO-PKI CA generates an Authorization Code and Reference number and transmits these to the Subscriber using two separate channels of communication (see Communication of Activation Codes).

16 CERTIFICATE REVOCATION

Subscriber GO-PKI certificates must be revoked in the event of:

• Suspected key compromise;
• Change in affiliation e.g. Subscriber leaves their job;
• Breach of the GO-PKI agreement;
• CA private signing key compromise (in this instance, CA will automatically revoke and re-issue all valid certificates);
• Non-payment of invoice (when issuing certificates outside of OPS/BPS); and
• Organization bankruptcy or liquidation (certificates issued to third party organizations).

16.1 Revoking a GO-PKI Certificate

The revocation of a certificate may be requested only by: the subscriber; the sponsor (i.e. ministry/program); the CA; or the subscriber’s RA.

The identity of the originator of the request for revocation must be authenticated. All requests to revoke a GO-PKI Certificate must be made using the Certificate Revocation Request (CRR) form that is completed by an Operational LRA. When a bulk deletion of certificates is anticipated, a single authorization notice from the program to the RA in writing, listing all of the certificates to be removed, will be sufficient.

13 The CA does not back up or retain a copy of the subscriber’s private signature key, which is the key that forms the basis of the subscriber’s digital identity.

Upon completing a CRR, the LRA will immediately forward a digitally signed and encrypted e-mail message to the CA. A request to revoke a certificate must be processed within 12 hours of receipt from the LRA.

Process for Revocation Due to Key Compromise (OPS Domain):

1) The Subscriber contacts an Operational LRA who must authenticate them using their Authenticating Information.

2) The Subscriber will advise the LRA on the situation and how their keys were compromised.

3) The LRA will send a digitally signed and encrypted request to the CA to revoke and recover the keys.

4) Activation codes for a new certificate will be provided to the Subscriber using two different distribution methods.

17 SUBSCRIBER INFORMATION CHANGE

Throughout the life of a subscriber's certificate, it is likely that changes will need to be made to their information. These changes could include but are not limited to:

• a name change through marriage or divorce;
• the subscriber may move from one branch to another within a Ministry or to another Ministry, so the domain they belong to may change;
• if the certificate is issued to a device, the device name could be changed;
• the subscriber may wish to change their Authenticating Information.

When a Subscriber’s information has changed, an update of the revised information must be entered into the database, as follows:

1. A Subscriber informs an Operational LRA of a change to their information, e.g. work location, name change, etc. The Subscriber must bring the documentation for a legal name change.

2. The DN Change Request form is completed.

3. The LRA will record the pertinent information, digitally sign and encrypt it, and send it as a secure e-mail message to the CA Agent.

4. The CA Agent will make the appropriate changes to the Subscriber’s information and notify the LRA of the change.


18 DEVICE/APPLICATION CERTIFICATES

Certificates sometimes need to be issued and assigned to devices and applications to enable encryption of communications and their authentication when they are accessed by other entities via a network. The request for such a certificate is made using a GO-PKI Device/Application Certificate Agreement (the Agreement) which is on the OPS I&IT Security web site14.

The IT Operator who has ongoing responsibility for the day-to-day operation and integrity of the device or application is also responsible for the use and protection of its certificate. If a group of IT operations staff is involved, their manager must take over-all responsibility for the certificate and ensure that all group members are aware of their responsibilities including those outlined in the Agreement. The IT Operator/Manager must have a GO-PKI certificate at a medium level of assurance (LOA) and must sign the Agreement. The Cluster or Program manager who “owns” the device or application must also sign the Agreement.

The Agreement is forwarded to the GO-PKI CA for processing. A copy will be provided to Service Development in Corporate Security for review. Before issuing the device certificate, the CA must confirm that the IT Operator/ Manager has a medium LOA certificate and record his/her name, position and contact information. The CA must authenticate identity before communicating the activation data for the device certificate to the IT Operator/ Manager. The CA must also send a confirmation to the Cluster/Program manager that the device certificate was issued to the Operations area.

The device/application certificate must be issued with an expiry date 12 months in the future. The CA must notify the IT Operator/Manager one month in advance of the certificate’s expiry. The IT Operator/Manager is responsible for the renewal of the device/application certificate. When notified of a change in the IT Operator/Manager, the CA must update the record of the person responsible for the certificate.
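The expiry rules on this page lend themselves to being computed by the RA tooling rather than worked out by hand: the rule stated earlier for certificates issued outside Canada (expiry no later than the contract with the foreign organization, capped at two years, six months by default when no contract date is available) and the 12-month device/application term with its one-month renewal notice. The following Python module is an added example, not code from the GO-PKI programme. The function names, the month-arithmetic helper and the sample dates in `run_demo` are assumptions made for the example; the constants are taken from the text.

```python
"""Certificate lifetime rules from the GO-PKI RA/LRA operating procedures.

Added example, not code from the GO-PKI programme. It encodes two rules on
this page: a certificate issued outside Canada expires no later than the
ministry's contract with the foreign organization, capped at two years, with a
six-month default when no contract date is known; and a device/application
certificate runs 12 months, with the IT Operator/Manager notified one month
before expiry. Function names and the month-arithmetic helper are assumptions.
"""
from __future__ import annotations

import calendar
from datetime import date

FOREIGN_MAX_TERM_MONTHS = 24      # "up to a maximum of two years"
FOREIGN_DEFAULT_TERM_MONTHS = 6   # "default expiry date of 6 months"
DEVICE_TERM_MONTHS = 12           # "expiry date 12 months in the future"
DEVICE_NOTICE_MONTHS = 1          # "one month in advance of the certificate's expiry"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic (negative allowed), clamping to the last day
    of the target month, e.g. 31 Aug + 6 months -> 28/29 Feb."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def foreign_certificate_expiry(agreement_date: date, contract_expiry: date | None) -> date:
    """Expiry the LRA may enter on the Agreement for a certificate issued outside Canada."""
    if contract_expiry is None:
        return add_months(agreement_date, FOREIGN_DEFAULT_TERM_MONTHS)
    if contract_expiry <= agreement_date:
        raise ValueError("contract already expired; no certificate should be issued")
    return min(contract_expiry, add_months(agreement_date, FOREIGN_MAX_TERM_MONTHS))


def device_certificate_schedule(issued: date) -> tuple[date, date]:
    """(expiry, renewal-notice date) for a device/application certificate."""
    expiry = add_months(issued, DEVICE_TERM_MONTHS)
    return expiry, add_months(expiry, -DEVICE_NOTICE_MONTHS)


def notices_due(fleet: dict[str, date], today: date) -> list[str]:
    """Device certificates whose renewal notice is due (notice date reached,
    certificate not yet expired). Already-expired ones are a separate problem."""
    due = []
    for name, issued in fleet.items():
        expiry, notice = device_certificate_schedule(issued)
        if notice <= today < expiry:
            due.append(name)
    return sorted(due)


def run_demo() -> dict[str, str]:
    """Apply the rules to constructed sample dates (not taken from the page)."""
    agreement = date(2005, 4, 1)
    results = {
        "no_contract": foreign_certificate_expiry(agreement, None).isoformat(),
        "short_contract": foreign_certificate_expiry(agreement, date(2006, 3, 31)).isoformat(),
        "long_contract": foreign_certificate_expiry(agreement, date(2008, 12, 31)).isoformat(),
        "month_end_clamp": add_months(date(2005, 8, 31), 6).isoformat(),
    }
    try:
        foreign_certificate_expiry(agreement, date(2005, 3, 1))
        results["lapsed_contract"] = "accepted"
    except ValueError:
        results["lapsed_contract"] = "rejected"
    expiry, notice = device_certificate_schedule(agreement)
    results["device_expiry"], results["device_notice"] = expiry.isoformat(), notice.isoformat()
    fleet = {  # constructed inventory: issue dates of device certificates
        "web01": date(2005, 4, 1),    # notice 2006-03-01, expires 2006-04-01
        "fs04": date(2005, 4, 5),     # notice 2006-03-05, expires 2006-04-05
        "db02": date(2004, 9, 15),    # expired 2005-09-15
        "vpn03": date(2005, 6, 1),    # notice not until 2006-05-01
    }
    results["notices_due"] = ",".join(notices_due(fleet, date(2006, 3, 10)))
    return results
```

The month arithmetic clamps to the end of the target month so that an agreement dated on the 31st does not produce an invalid expiry date; `notices_due` deliberately separates certificates whose notice is pending from those that have already lapsed, since the latter need a renewal rather than a reminder.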

19 MANDATORY ENHANCED RELIABILITY CLEARANCE FOR GO-PKI

The Government of Ontario Public Key Infrastructure (GO PKI) has committed to delivering government services on-line in a manner that will provide security and privacy protection along with improved service delivery. PKI is a security tool that allows for the people registered (many of whom were previously unknown to each other) to conduct secure and confidential communication, transactions, and information exchange.

Any PKI implementation relies on a Trust Model as its foundation. This Trust Model consists not only of information technology security mechanisms, but also includes employing individuals in the positions who are trusted to perform sensitive functions or who have access to sensitive information. Any compromise of the Trust Model can harm the effectiveness of the PKI implementation.

In view of the level of trust that is placed in them, it is essential that individuals pass an enhanced reliability clearance in accord with section 19.1 prior to being approved for a position in the GO-PKI network. This is mandatory for OPS employees and Non-OPS staff delivering the service (e.g., contract, ASD):

• All OPS staff/contractors in the Certification Authority (CA),
• All Registration Authorities (can only be OPS staff),
• OPS Local Registration Authorities, and
• All Directory Administrators OPS staff/contractors supporting GO-PKI.

14 http://intra.security.gov.on.ca/securitybranch/pki-services.asp

19.1 Mandatory Components of the Enhanced Reliability Clearance

The clearance process is applied for an individual only with their full, informed and signed consent. The process needed to obtain the required clearance includes:

• A Declaration for a criminal conviction for which a pardon has not been granted,
• A Criminal Record Name Check, and
• A check of the National Security Intelligence System.


A fingerprint check may be required to confirm identity where there is an inconclusive match on the results of a criminal record name check.

These screening components map to the Federal Government's Public Key Infrastructure requirements for individuals staffing their PKIs. As the Federal Government and the Province of Ontario may be cross-certifying with each other, both must follow the same rules for authentication of individuals for their respective Public Key Infrastructures.


20 GLOSSARY OF TERMS

Activation Data — Consists of the authorization code and the reference number provided to the Subscriber.

Application Owner — The owner of an application(s) within a Ministry program area (usually designated to the head of that area).

Authorization Code (AuthCode) — A code (e.g. CMTJ-8VOR-VFNS) obtained from the Entrust Administrator that is required along with a reference number to create a new Entrust profile or to recover an existing profile. The authorization code can only be used once; thereafter it is no longer valid.

CA Agent — see Entrust Administrator.

CA Operations Manager — The person responsible within the Certification Authority for leading the operational management of security systems for PKI, and developing related policies, standards, and service delivery solutions.

Certificate — The public key of an entity, together with some other information, rendered unforgeable by digitally signing it with the private key of the CA that issued it. The certificate format is in accordance with X.509 and RFC 2459.

Certification Practice Statement (CPS) — A statement of the practices that a certification authority employs in issuing keys and certificates. The CPS describes the equipment, policies, and procedures implemented by the CA to satisfy the specifications in the certificate policies it supports.

Certification Authority (CA) — An authority trusted to issue and manage keys, certificates, CRLs and ARLs.

Certificate Policy (CP) — A set of rules that indicate the applicability of keys and certificates to a particular community or class of applications with common security requirements.

Certificate Revocation List (CRL) — A list of revoked certificates that is created and signed by the same CA that issued the certificates. A certificate is added to the list if it is revoked (e.g., because of suspected key compromise) and is removed from it when it reaches the end of its validity period. In some circumstances, the CA may choose to split a CRL into a series of smaller CRLs.


Corporate Registration Authority (CRA) — This role is assigned to Ontario Shared Services to operate and provide all GO-PKI registration services for corporate applications e.g., secure e-mail, file and folder encryption, VPN, along with WIN access for OPS employees on behalf of the Government of Ontario.

Criminal Records Name Check (CRNC) — A check done by the OPP against the RA or LRA to determine whether a candidate has a criminal record for which a pardon has not been granted.

Device — A workstation, laptop, server, or other IT hardware.

Device Certificate — The PKI certificate issued for a device to enable its identity to be authenticated and its communications to be encrypted.

Device Owner — Owner of the laptop, workstation, server or other IT hardware.

Distinguished Name (DN) — A name appearing in a certificate that uniquely identifies the public key owner. A distinguished name is composed of the following components: common name, organization, country, e-mail (optional), phone (optional), organizational unit (optional), locality (optional), serial number.

Entity — An autonomous element within a PKI, including a CA and RA.

Entrust Administrator (CA Agent) — A trusted person who uses Entrust/Admin to administer the Entrust system. They use it to enable and disable users individually or in bulk, revoke users’ keys, initiate key recovery for users, create new encryption key pairs for users, disable and re-enable a user’s ability to sign files, and increase the maximum number of users in a CA domain. They can also review audit logs. Depending on the organization’s security policy, the Administrator may also be able to change default user certificate lifetimes (and perhaps disable certificate updates) and default Encryption and Verification policies. They can also issue new CRLs.

Key Recovery — To recover a Subscriber’s private decryption keys to the Subscriber’s newly created Digital Identity.

Local Registration Authority (LRA) — A registration authority authorized by the Corporate RA to service a local community of Subscribers.

Policy Management Authority (PMA) — The governance body of the GO-PKI. This group establishes policy and provides direction for the GO-PKI. The group consists of eleven senior decision-makers from the Ontario Government, each serving a two-year term on the PMA. The Chair of the PMA is the Corporate Chief Information Officer for the Government of Ontario.

Public Key Infrastructure (PKI) — A structure of hardware, software, people, processes, and policies that employs digital signature and encryption using public and private key pairs to enable parties who were previously unknown to each other to establish trust relationships, and to conduct secure and confidential communication, transactions, and information exchange.


Registration Authority (RA) — An entity that is responsible for identification and authentication of certificate subjects, but does not sign or issue certificates (i.e. the RA is delegated certain tasks on behalf of a CA).

Reference Number (REFNum) — A number (e.g. 91480165), obtained from the Entrust Administrator, which is used along with an authorization code to create a new profile or to recover an existing profile. The reference number can only be used once; thereafter it is no longer valid.

Security Officer — The main role of a Security Officer is to set up and administer an organization’s security policy as it applies to Administrators and Subscribers. Security Officers can also add, enable, disable, and delete other Security Officers, Administrators, Directory Administrators, and Entrust users (although adding Subscribers is mainly an Administrator’s job). They can do this for users individually or in bulk. They can also increase the maximum number of users in a CA domain.

Security Screening — An enhanced reliability security screening is mandatory for all staff employed in the GO-PKI Network. Staff nominated to work in positions within GO-PKI must successfully pass the screening before being employed in the position. This screening is composed of:

• verification of personal data, education and professional qualification, employment data and references through the regular staffing process;
• a declaration concerning any conviction for a criminal offence for which a pardon has not been granted, and
• a criminal record name check15.

Subscriber — A member of the GO-PKI domain. A party who is the subject of a certificate and who is capable of using, and is authorized to use, the private key that corresponds to the public key in the certificate. Responsibilities and obligations of the Subscriber would be as required by the Certificate Policy and as described in the Subscriber Agreement.


15 If there is a possible match that appears during a criminal record check, the RCMP will require a fingerprint check as well to confirm the individual’s identity.