Low Sensitivity
Government of Ontario Public Key Infrastructure (GO-PKI)
Registration Authorities (RAs) And
Local Registration Authorities (LRAs)
OPERATING PROCEDURES
Prepared by: Corporate Security Office of the Corporate Chief Strategist
GO-PKI RA/LRA Operating Procedures
Table Of Contents
1 PURPOSE ..... 4
2 BACKGROUND ..... 4
3 THE GO-PKI TRUST MODEL ..... 4
3.1 LEVELS OF ASSURANCE (LOA) ..... 5
4 DOMAINS ..... 5
4.1 OPS DOMAIN ..... 5
4.2 PROGRAM DOMAINS ..... 6
5 GOVERNANCE OF GO-PKI ..... 6
5.1 PROCESS FOR DETERMINING USE OF PKI ..... 7
6 REGISTRATION AUTHORITIES ..... 7
6.1 REGISTRATION AUTHORITY (RA) FUNCTIONS ..... 8
6.2 CORPORATE RA FOR THE OPS DOMAIN ..... 9
6.3 PROGRAM SPECIFIC RAS ..... 9
6.4 ESTABLISHING A PROGRAM SPECIFIC RA ..... 10
7 LRA NETWORKS ..... 11
7.1 LRA'S WITHIN THE OPS DOMAIN ..... 12
7.2 EXTERNAL LRAS (EXTERNAL TO THE OPS DOMAIN) ..... 12
7.3 ESTABLISHING A LOCAL REGISTRATION AUTHORITY (LRA) ..... 12
7.4 LRA ACCOUNTABILITY, ROLE DISTINCTION & RESPONSIBILITIES ..... 13
7.5 DOCUMENTATION CRITERIA FOR RAS AND LRAS ..... 16
8 VERIFICATION PROCEDURES FOR AUDITING PURPOSES ..... 19
9 AUTHENTICATING INFORMATION ..... 19
10 SECRET QUESTIONS AND ANSWERS ..... 19
11 SECURE STORAGE AND DOCUMENT RETENTION ..... 20
12 SUBSCRIBER REGISTRATION – MEDIUM LEVEL OF ASSURANCE ..... 21
12.1 ACCEPTABLE SUBSCRIBER IDENTIFICATION ..... 22
13 REGISTERING SUBSCRIBERS OUTSIDE CANADA ..... 25
14 COMMUNICATION OF ACTIVATION CODES ..... 26
April 2005 2
15 PROFILE RECOVERY/PASSWORD RESET ..... 26
16 CERTIFICATE REVOCATION ..... 27
16.1 REVOKING A GO-PKI CERTIFICATE ..... 27
17 SUBSCRIBER INFORMATION CHANGE ..... 28
18 DEVICE/APPLICATION CERTIFICATES ..... 28
19 MANDATORY ENHANCED RELIABILITY CLEARANCE FOR GO-PKI ..... 29
19.1 MANDATORY COMPONENTS OF THE ENHANCED RELIABILITY CLEARANCE ..... 30
20 GLOSSARY OF TERMS ..... 31
1 PURPOSE
This document describes the governance for the GO-PKI registration process, the requirements for establishing registration authorities, and the operating procedures to be followed when registering subscribers within and outside the OPS.
2 BACKGROUND
The Government of Ontario is committed to delivering on-line government services in a manner that will provide security and privacy protection along with efficient service delivery. The services provided by the Government of Ontario Public Key Infrastructure (GO-PKI) contribute to the establishment of a trusted electronic environment for on-line service delivery. The clients of GO-PKI services include critical GO programs and services with sensitive applications and data that are accessed by GO employees and contractors, and by service partners in the public and private sectors.
Public key cryptography involves the issuance of pairs of cryptographic keys to individuals as a digital identity and for encryption. Each key pair consists of a private key that the individual must keep protected and a public key that is made available for use by others. Most PKI implementations, including GO-PKI, issue two pairs of private/public keys to registered individuals (i.e. subscribers), as follows:
Signature/verification keys – The subscriber uses his/her private signature key to digitally sign documents or communications, and to present an electronic identity to other parties via a network. The other parties use the corresponding public verification key to verify the digital signature or electronic identity (i.e. identity authentication).
Encryption/decryption keys – Individuals can encrypt a document or communication using their intended recipient’s public encryption key. Only the intended recipient can decrypt such a communication or document using their private decryption key.
Subscribers must keep their private signature key and private decryption key secure. The infrastructure needed to securely manage and use these keys is called Public Key Infrastructure (PKI).
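The two independent key pairs described above, shown in working code. This is an added example, not code from the GO-PKI documentation or from the Entrust products GO-PKI used: it takes Ed25519 for the signature/verification pair and 2048-bit RSA with OAEP for the encryption/decryption pair, both assumptions standing in for whatever algorithms GO-PKI actually deployed, and the `Subscriber` type, the sample document and the sample message are constructed for the illustration. Generating the two pairs independently is what makes the separation useful: a decryption key can be backed up for recovery without the private signature key ever leaving the subscriber, and a signature made with the wrong key or over an altered document simply fails to verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Subscriber holds the two key pairs the text describes. The private halves
// never leave this struct; only VerifyKey and EncryptKey are published
// (in a real PKI, inside the subscriber's certificates). This is an
// illustrative type, not GO-PKI's actual profile format.
type Subscriber struct {
	Name          string
	signingKey    ed25519.PrivateKey // private signature key
	VerifyKey     ed25519.PublicKey  // public verification key
	decryptionKey *rsa.PrivateKey    // private decryption key
	EncryptKey    *rsa.PublicKey     // public encryption key
}

// NewSubscriber generates the signature pair and the encryption pair
// independently, so neither private key can be derived from the other.
func NewSubscriber(name string) (*Subscriber, error) {
	verifyKey, signingKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	decryptionKey, err := rsa.GenerateKey(rand.Reader, 2048) // key size is an assumption
	if err != nil {
		return nil, err
	}
	return &Subscriber{
		Name:          name,
		signingKey:    signingKey,
		VerifyKey:     verifyKey,
		decryptionKey: decryptionKey,
		EncryptKey:    &decryptionKey.PublicKey,
	}, nil
}

// Sign produces a signature over doc with the private signature key.
func (s *Subscriber) Sign(doc []byte) []byte {
	return ed25519.Sign(s.signingKey, doc)
}

// Verify checks sig over doc against the claimed signer's public
// verification key; it fails if doc was altered or the key does not match.
func Verify(signer ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(signer, doc, sig)
}

// EncryptFor encrypts msg to the recipient's public encryption key
// (RSA-OAEP with SHA-256); only the matching private key can open it.
func EncryptFor(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt opens a ciphertext with this subscriber's private decryption key.
// It returns an error if the ciphertext was encrypted to someone else.
func (s *Subscriber) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.decryptionKey, ct, nil)
}

func main() {
	alice, err := NewSubscriber("Alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewSubscriber("Bob")
	if err != nil {
		panic(err)
	}
	doc := []byte("LRA nomination for J. Smith approved") // constructed sample
	sig := alice.Sign(doc)
	fmt.Println("verifies with Alice's key:", Verify(alice.VerifyKey, doc, sig))
	fmt.Println("verifies with Bob's key:  ", Verify(bob.VerifyKey, doc, sig))

	ct, _ := EncryptFor(bob.EncryptKey, []byte("constructed sample message"))
	pt, err := bob.Decrypt(ct)
	fmt.Printf("Bob decrypts: %q (err=%v)\n", pt, err)
	_, err = alice.Decrypt(ct)
	fmt.Println("Alice decrypts:", err)
}
```

Run with `go run`; the last line shows that a ciphertext addressed to Bob's public encryption key is unreadable to Alice even though she holds a valid key pair of her own.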
3 THE GO-PKI TRUST MODEL
When Programs use GO-PKI, they are placing their trust in the GO-PKI Trust Model. This trust is built on a strong governance structure, formal roles and responsibilities, technology, and comprehensive policies and procedures that are in place for GO-PKI services. Any compromise of the Trust Model can result in serious repercussions that can destroy the effectiveness and reputation of the GO-PKI implementation. The ongoing vigilance of everyone involved in GO-PKI is essential to the maintenance of the Trust Model. The Government must be in a position to demonstrate that all components of the Trust Model are in place.
This document sets out the requirements for a key component of the Trust Model i.e. a rigorous, secure and consistent process for registering GO-PKI subscribers. A strong registration process provides assurance that the identities of individuals are verified before PKI certificates are issued. Third parties can then use the certificates to authenticate the identity of individuals in an electronic environment e.g. the Internet.
3.1 Levels of Assurance (LOA)
PKI Certificate Policies normally define requirements for the issuance and maintenance of PKI certificates at different levels of assurance (LOA). The GO-PKI Certificate Policy (CP) outlines the requirements for three levels of assurance: basic, medium and high. Higher levels require larger investments in the different components of the PKI. The LOA required for a given system will depend on the security risks that must be addressed by the organization.
The GO-PKI Policy Management Authority (PMA) established that medium LOA would be the standard for deployments of GO-PKI. As a result, this document only outlines the processes required for issuing medium level of assurance certificates. Key requirements include:
• Face-to-face verification of identity when registering subscribers, Registration Authorities (RA), and Local Registration Authorities (LRA) using items from the lists of Acceptable Identification.
• Separate methods of distributing the Authorization Codes and Reference Numbers.
If a program area's TRA recommends that either a basic or high LOA be used, then the program area includes a request for an exemption from the standard in its presentation to the PMA. This review will consider whether:
• Any liability issues have been identified, assessed, and addressed,
• Registration and authentication processes are appropriate to the proposed level of assurance, and
• Appropriate security measures are either planned or already in place to protect the registration process.
4 DOMAINS
The GO-PKI Concept of Operations uses the concept of domains to illustrate how limitations are placed on the scope of access to program information and/or services. Each domain requires a separate registration model to ensure that privacy is protected and to address their unique organizational and geographic challenges.
4.1 OPS Domain
For GO-PKI, all employees and contractors working within the Ontario Government are considered to be in the same domain, i.e. the OPS Domain. A single Registration Model serves the needs of the entire OPS Domain. This does not give members in this domain any additional authorization to access applications or information, i.e. Government programs are responsible for controlling such access.
4.2 Program Domains
A program domain is a term used to describe the entities delivering a particular government program, the information that is collected under that program, and the relationship with the clients of the program. Program domains often involve staff in broader public sector (BPS) organizations and sometimes employees in private sector service partners. This may involve access to a Ministry application by the staff in the external organizations. For example, the Ministry of Community and Social Services (MCSS) has a social services program delivered by staff in municipalities who require access to an MCSS application.
5 GOVERNANCE OF GO-PKI
Ontario has placed significant emphasis on establishing PKI governance frameworks within the context of government-wide security and business requirements. The PKI Governance model is the vehicle for defining the framework. The model addresses the broad objectives of maintenance of trust and inter-operability with other jurisdictions across Canada, including the Federal Government. Given that technology, policies and business rules must remain intrinsically bound to one another in a PKI rollout, PKI governance must be flexible, responsive and constantly in-step with the technology evolution and with broader Government wide organizational structures and Government of Ontario IM/IT structures.
The governance of the GO-PKI utilizes three distinct governance roles:
a) The Policy Management Authority (PMA) is responsible for:
• GO-PKI policy governing the creation and operation of the GO-PKI CA and RAs,
• any inter-operability agreements with PKIs operated by other organizations, and
• the approval of new uses of GO-PKI and any registration model developed by a program area to issue GO-PKI certificates.
b) The Certification Authority (CA) which is operated by Corporate Security is responsible for:
• the day-to-day technical operation of the GO-PKI, and
• the issuance of GO-PKI certificates to individuals that have been duly registered.
c) A Registration Authority (RA) is appointed by the PMA for each domain. The responsibilities of an RA are described below.
5.1 Process for Determining Use of PKI
As Government programs implement electronic service delivery (ESD) projects, they need to assess the security and privacy risks that are inherent in the new modes of delivery. These risks may include Government liability associated with the protection of sensitive and/or personal information. To understand their security and privacy risks, programs need to complete an Information Classification [1] to determine the sensitivity of their information before completing a Privacy Impact Assessment (PIA) [2] and a Threat / Risk Assessment (TRA) [3]. The Information Classification Operating Procedures state that high sensitivity electronic information must be encrypted for transmissions and while in storage. Encryption is also recommended for transmissions of medium sensitivity information depending on the risks involved as determined by a TRA. If the recommendations developed by these assessments include the use of PKI in their application, the program area needs to present a business case to the GO-PKI PMA for approval. As the governing body for GO-PKI, the PMA has final approval of the use of PKI and how it is implemented. Government programs can use PKI technologies with their systems to ensure the confidentiality, privacy and integrity of personal information. They can also acquire several general services with GO-PKI protection, as follows:
• Secure email services,
• File and folder encryption (usually for laptops containing sensitive information), and
• VPN access to an application within the government network.
6 REGISTRATION AUTHORITIES
A Registration Authority (RA) is responsible for:
• The development of a registration model which must be approved by the PMA,
• The lifecycle management for GO-PKI certificates (e.g. password recoveries, transfers and revocations), and
• The creation and management of a network of trusted Local Registration Authorities (LRA) including the authentication and authorization of individual LRAs.
An RA can delegate part of his/her responsibilities to a Head LRA, e.g. building and managing the LRA network (this will happen where the RA is an ADM, CIO, etc.). Depending on geographical or organizational considerations, it may be appropriate to have multiple Head LRAs. These Head LRAs can then nominate and authenticate LRAs for their part of the LRA network.

[1] Operating Procedures for completing an Information Classification are available at: http://intra.security.gov.on.ca/resources/default.asp
[2] Guidelines on the completion of a Privacy Impact Assessment are available at: http://www.gov.on.ca/MBS/english/fip/pia/
[3] Guidelines on the completion of a Threat/Risk Assessment are available at: http://intra.security.gov.on.ca/resources/default.asp
6.1 Registration Authority (RA) Functions
RAs are governed by:
• The Policy Management Authority (PMA),
• The Certificate Policy (CP),
• The RA/LRA Operating Procedures, and
• RA Subscriber Agreement and Schedule of Responsibilities.
The following are the tasks performed by the Registration Authority under the GO-PKI initiative to enable issuance and management of certificates:
Responsibilities
• Ensure that the registration process under their control complies with the GO-PKI Operating Procedures and the GO-PKI Certificate Policy
• Ensure all LRAs have successfully passed an enhanced reliability clearance (see section 19)
• Authenticate and authorize nominated LRAs in the manner set out in the RA/LRA Operating Procedures or in a manner approved by the PMA
• Ensure the LRAs are informed of their respective responsibilities and receive proper training
• Accept certificate change, certificate revocation and key recovery requests, key renewal and termination for LRAs within their domain
• Ensure that measures are in place to secure transmission of LRA information to the CA
• Provide authorization codes to the LRA for on-line key exchange and certificate creation
• Ensure that measures are in place for LRAs to protect activation codes provided to them by the CA for communication to subscribers
• Maintain the confidentiality of LRA identification information in accordance with FIPPA/MFIPPA
• Protect the hardware and software components used in the performance of their RA function in accordance with this policy and practices of the CA
• Perform periodic compliance audits on the LRAs in their domain
• Keep up-to-date with the current RA/LRA Operating Procedures.
RA Processes
The RA may undertake to authenticate and authorize registration, revocation and/or recovery of:
• An LRA within the same domain
• A Subscriber within the same domain
• A device certificate for a device owner within the same domain
NB: If the RA requires key recovery or revocation on their own certificate, they must request the CA to perform these functions for them.
Use of GO-PKI Profile
If the RA has operational registration duties then they must have their GO-PKI profile stored on an approved hardware token.
Key Suspension
Key suspension of the RA is permitted.
Certificate Revocation
The PMA must be informed if an operational RA's certificate needs to be revoked.
Key Recovery
Key recovery for the RA is permitted using the Entrust module for Key Recovery.
Changing Distinguished Name
Changing the RA distinguished name is permitted where the RA has:
• undergone a change of name; or
• moved from one domain to another,
and they have completed the Change of DN Request form.
Key Rollover
The RA's key rollover is transparent and happens automatically.
Key Validity Period
On issuance, an operational RA certificate expiry period will be set at 12 months.
6.2 Corporate RA for the OPS Domain
The PMA assigned the role of Corporate RA to the Ontario Shared Services (OSS). The Corporate RA has responsibility for the LRAs within the OPS (the Corporate LRA Network) and the registration process that they perform. This domain includes the Government’s agencies, boards and commissions.
6.3 Program Specific RAs
Program Domains require a Program RA when non-OPS LRAs are needed to register external subscribers who are in the Program Domain. Typically this involves staff in BPS organizations or employees in private sector service partners who require access to a Program application or service. A Program RA should be a senior Program Manager (i.e. ADM or Director level) responsible for the Government business unit that requires GO-PKI to secure interaction with external subscribers. Only senior management of a program, the Certification Authority or the Corporate RA may nominate a Program RA for approval by the PMA. The Program RA is accountable for the registration model and the network of non-OPS LRAs in their Program Domain. The model must meet the policy specifications set out for GO-PKI and must be approved by the PMA.
6.4 Establishing a Program Specific RA
When a Program area requires an RA, they should nominate the highest-ranking OPS employee directly accountable for the program area i.e. at the ADM or Director levels. The RA must be approved by the Policy Management Authority (PMA) and registered by the Certification Authority (CA). Under the governance rules set by the PMA for GO-PKI, the RA is accountable for adherence to the established PKI operating rules (including the program registration model), and this accountability cannot be delegated. Registration tasks associated with the RA can be delegated to a Head LRA. The following are the steps required to create a Registration Authority (RA):
RA Nomination
An RA can only be nominated by:
• Senior Management of a program
• Corporate RA
• Certification Authority (CA)
RA Approval
Only the PMA can approve the RA.
RA Authentication
RA authentication can only be performed by the Certification Authority (CA).
Security Clearance
RAs must have an enhanced reliability clearance (See Section 19).
RA Authentication Process
A Program RA shall be authenticated by:
• Undertaking a face-to-face authentication process with the CA
• Providing three identification documents, consisting of:
  • two (2) Primary Identification Documents, on one of which a current photo appears, and
  • one (1) Secondary Identification Document
• Details from the primary IDs must be documented, e.g. driver's license number
• Secondary ID must be viewed to provide a cross-reference to the name and possibly the address of the Subscriber, but the details from the secondary list are not to be recorded.
7 LRA NETWORKS
Each RA is responsible for the creation and management of a network of trusted Local Registration Authorities (LRA). The RA delegates the provision of day-to-day GO-PKI registration services to these LRAs. The number of LRAs in a domain will depend on the structure of the organization they represent and the geographical location of current and future subscribers. The RAs appoint the LRAs based on nominations from a senior manager (i.e. Director level) of the organizational unit requiring registration services.
An LRA network is hierarchical in nature to establish a tiered chain of trust starting with the PMA at the top down to GO-PKI subscribers who are registered by LRAs. This chain of trust is critical in establishing and maintaining the integrity of the service offered by GO-PKI. The Corporate and Program RAs must ensure that this chain of trust is maintained within their domains.
The following diagrams depict the hierarchical RA/LRA models for the OPS Domain and in sample Program Domains.
[Diagram: hierarchical RA/LRA model for the OPS Domain. Tiers from the top: Policy Management Authority (Secretariat to PMA: Corporate Security); Certificate Authority (Corporate Security); Corporate Registration Authority (GO-PKI Contact Centre, Ontario Shared Services, GO-PKI-Enabled Services); a Head Local Registration Authority in each Ministry (e.g. Community Safety & Correctional Services, Finance, Natural Resources); Local Registration Authorities; Subscribers.]
[Diagram: hierarchical RA/LRA model for sample Program Domains. Tiers from the top: Policy Management Authority (Secretariat to PMA: Corporate Security); Certificate Authority (Corporate Security); a Program Registration Authority for each program with GO-PKI enabled services (e.g. Ontario Works, Justice, Children's Aid Societies); Head Local Registration Authority; Local Registration Authorities; Subscribers.]
7.1 LRAs Within The OPS Domain
An LRA is established in the OPS Domain, as follows:
• An SMG2/ITX2 level manager (nominator) within the program area using GO-PKI must nominate the LRA in writing to the Corporate RA (OSS). The nominator must be able to bind the LRA to the operational requirements of the program.
• All LRAs must undergo a face-to-face registration process and a level 3 security check to obtain an enhanced reliability clearance.
• All OPS LRAs will have a 'dotted line' relationship to the Corporate RA (OSS) for PKI registration-related activities.
Ministries may make arrangements to share LRAs. For example, an LRA can register an individual who works in another ministry in situations where several ministries maintain small offices in the same building.
7.2 External LRAs (External to the OPS Domain)
A Program RA can appoint External LRAs within external organizations that are part of a Program Domain. An authorized representative of the external organization employing the external LRA must accept the obligations placed on the LRA through their external LRA agreement. External LRAs are not authorized, authenticated, or managed by OSS. The Program RA is responsible for these functions with the support of the Head LRA and the CA. OSS can agree to perform password reset or recovery for external subscribers.
7.3 Establishing a Local Registration Authority (LRA)
Local Registration Authorities (LRAs) must:
• be OPS employees or employees of external organizations that are part of a Program Domain (i.e. BPS or service partners). External organizations must sign an individual agreement for each LRA in their organization or an umbrella External Organization Agreement,
• not be employees attached to foreign organizations or jurisdictions,
• be nominated by the Registration Authority or a Senior Manager (SMG2/ITX2) of that Domain, and
• be governed by the Certificate Policy (CP), the RA/LRA Operating Procedures, and the Policy Management Authority (PMA).
The following are the steps required to create a Local Registration Authority (LRA) under the GO-PKI process:
LRA Nomination
The LRA can only be nominated by:
• Corporate Registration Authority; or
• The RA or Senior Manager of an area within the Program Domain that the LRA will operate in.
LRA Authentication Procedures for Medium Level of Assurance
The LRA shall be authenticated by one of the following individuals:
• An existing LRA within the OPS Domain
• An existing LRA within a Program Domain, e.g. municipalities using GO-PKI services
• Certification Authority of GO-PKI
in the following manner:
• Undertaking a face to face authentication process
• Providing three pieces of identification (originals only) consisting of two (2) Primary Identification Documents and one (1) Secondary Identification Document
• A current photo must appear on at least one of the documents used for Primary identification
• Original documents must be viewed and details recorded for the primary documents only
In addition, LRAs must undergo a level 3 security check to obtain an enhanced reliability clearance (see section 19).
7.4 LRA Accountability, Role Distinction & Responsibilities
Under the structure of GO-PKI, the RA or Senior Manager (SMG2/ITX2) must nominate LRAs in their program area. LRAs must be authenticated using the criteria outlined for them and this must include a photo ID. An individual cannot be nominated to act as LRA if they do not have the appropriate identity documentation.
Within the GO-PKI framework, there are LRAs with different roles that have been defined to meet the requirements of the program areas they support:
Authenticating LRAs whose primary responsibility is authenticating the identity of subscribers face-to-face before forwarding requests for the creation of certificates; and
Operational LRAs who, in addition to the above, carry out specific operational responsibilities relating to life-cycle management of certificates e.g. revocation of certificates, profile/password recovery.
In addition, an RA may delegate their responsibility for the management and training of the LRA network to a designated LRA(s) in their organization. Such LRAs may have access to the additional GO-PKI functionality (e.g. management reports).
In the case of the OPS Domain, LRAs in the OSS Contact Centre have been organized to:
• Support the initial registration process (i.e. receive and check requests from Authenticating LRAs, capture authenticating information, forward requests to the CA Agent in Corporate Security [4], communicate activation data to subscribers);
• Provide Help desk services (Operational LRAs) e.g. password recovery, certificate revocation; and
• Support the Corporate RA in fulfilling RA responsibilities with regard to training and management of the LRAs across the OPS.
LRA responsibilities are as follows:
Common Responsibilities for all Authenticating LRAs
• All LRAs must have an enhanced reliability clearance (See Section 19)
• Undertake functions specified by the CA in accordance with these procedures
• Authenticate Subscribers in the manner set out in the RA/LRA Operating Procedures or in a manner approved by the PMA
• Verify and record Subscriber identification information face-to-face and securely forward the original Subscriber Agreement with the subscriber's signature for processing
• Maintain the confidentiality of Subscriber identification information in accordance with FIPPA/MFIPPA
• Protect the hardware and software components used in the performance of their LRA function in accordance with this policy and practices of the CA
• Secure transmission of registration information to the RA in a way that can be authenticated
• Authenticate the identity of additional LRAs within their domain as per these procedures
• Keep up-to-date with the current RA/LRA Operating Procedures and their role and responsibilities under the procedures.
Additional Responsibilities for Operational LRAs (LRAs performing duties relating to life-cycle management of certificates):
• Perform duties using their GO-PKI profile stored on an approved hardware token
• Protect activation codes transmitted by a CA until sent to a Subscriber
• Inform the CA of the dates upon which Subscribers obtain their activation codes
• Process requests such as certificate revocation, certificate recovery
• Undertake annual compliance audits on their services
[4] The responsibilities of the CA Agent in Corporate Security include the issuance of GO-PKI certificates, which involves the creation of activation data that is securely communicated to new subscribers so they can create their certificate profile.
LRA Processes
The LRA shall undertake to authenticate and authorize:
• Registration for a Subscriber within their domain
• Registration of additional LRAs within their domain
• Name changes for a Subscriber within their domain
• Device registration for a device owner within their domain
• Key recovery for LRAs within their domain
• Key recovery for a Subscriber within their domain
• Device key recovery for a device owner within their domain
• Certificate revocation for LRAs in their domain
• Certificate revocation for a Subscriber within their domain
• Device certificate revocation for a device owner within their domain
NB: If the LRA requires key recovery or revocation on their own certificate, they must request the RA in their domain, or the CA, to perform these functions for them.
Use of GO-PKI Profile
The GO-PKI profiles for Operational LRAs must be stored on an approved hardware token.
Key Suspension
Key suspension of LRAs is permitted.
Certificate Revocation
The LRA's certificate may be revoked only at the request of the LRA, RA or Senior Management of a program area.
Key Recovery
Key recovery of the LRA is permitted for those using the Entrust module for Key Recovery.
Changing Distinguished Name
Changing the LRA distinguished name is permitted where:
• The LRA has undergone a change of name; or
• The LRA has moved from one domain to another.
Key Rollover
LRA key rollover is permitted and happens automatically and transparently.
Key Validity Period
On issuance, the LRA's operational certificate expiry period will be set at 12 months.
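The twelve-month validity period set for operational RA certificates (section 6.1) and for LRA certificates (above) is enforced at issuance and must be checked by every relying party on every use. The following is an added example, not GO-PKI's or Entrust's code: it builds a self-signed root to stand in for the GO-PKI CA (the name, the P-256 key type and the ten-year validity are assumptions), issues a client-authentication certificate whose NotAfter is exactly twelve months after NotBefore, and verifies the chain at a chosen time. Key rollover is automatic on the page; here the point is only that a certificate that was not renewed stops verifying the day after the twelve months end, and that a certificate from some other CA never verifies at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a positive 128-bit serial; a CA must never reuse one.
func randomSerial() (*big.Int, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return n.Add(n, big.NewInt(1)), nil
}

// NewCA creates a self-signed root standing in for the GO-PKI CA in this
// example. Name, key type and the ten-year validity are assumptions.
func NewCA(name string, from time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             from,
		NotAfter:              from.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueOperationalCert issues an RA/LRA certificate signed by the CA, with
// NotAfter fixed at twelve months after issuance as the procedures require.
func IssueOperationalCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, issuedAt time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject, Organization: []string{"Government of Ontario"}},
		NotBefore:             issuedAt,
		NotAfter:              issuedAt.AddDate(1, 0, 0), // the twelve-month expiry
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ValidAt returns nil if cert chains to root and is inside its validity
// period at time t; otherwise it returns the reason the relying party
// must reject it (expired, not yet valid, or signed by an unknown CA).
func ValidAt(cert, root *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	issued := time.Date(2005, 4, 1, 0, 0, 0, 0, time.UTC) // constructed sample date
	ca, caKey, err := NewCA("GO-PKI Example CA", issued.AddDate(0, 0, -30))
	if err != nil {
		panic(err)
	}
	cert, _, err := IssueOperationalCert(ca, caKey, "Example LRA", issued)
	if err != nil {
		panic(err)
	}
	fmt.Println("expires:", cert.NotAfter.Format(time.RFC3339))
	for _, t := range []time.Time{issued.AddDate(0, 6, 0), issued.AddDate(1, 0, 1)} {
		fmt.Printf("at %s: %v\n", t.Format("2006-01-02"), ValidAt(cert, ca, t))
	}
}
```

The check in `ValidAt` is the one a GO-PKI-enabled application would run on every connection; expiry is only one of the things that can fail it, and revocation (section 16) would be checked in the same place.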
7.5 Documentation Criteria for RAs and LRAs
Accuracy in the identification of the person who is to fulfill the role of the RA or LRA is essential to ensure the Trust Model for the GO-PKI. For that reason, the items that can be used as personal identification for RA or LRA registration are limited to those items that have a rigorous registration process. This would include Federal or Provincial government issued identification that contains a picture as primary identification e.g.: current Ontario Driver’s license or a valid license from another province, current passports (Canadian or foreign).
Any nominee registering to perform the function of RA or LRA at a medium level of assurance (Province of Ontario standard) is required to present, in person, documentation that meets the standard for acceptable ID. Primary identification will be documented on the RA/LRA Subscriber Agreement e.g., driver's license number. Secondary identification will be viewed but not documented other than to reference the type of document viewed.
Criteria for Acceptable Identification for RAs and LRAs:
• Primary identification must have been issued by a government organization where there is a standardized process of registration that took place to obtain the identification.
• Every nominee for a Medium Level of Assurance domain must present three pieces of identification, two primary and one secondary.
• One of the primary pieces must contain a government issued photo on it e.g.: a driver's license, passport.
• One of the primary identification documents can reflect an earlier legal name if the document for the name change is also presented (e.g. marriage certificate). In this case, the name change document can be used as the secondary identification document.
• Health Cards and Social Insurance Cards cannot be requested nor the number recorded for PKI identification purposes due to legislation and privacy issues. However, if the nominee chooses to show these pieces of identification, the LRA should treat them as secondary ID documents (the numbers are not recorded).
• The same piece of identification cannot be used twice.
• Most secondary documentation should simply be viewed to confirm the name and likely the address of the individual because many of the documents eligible for presentation:
- Contain personal information that should not be recorded by the Certification Authority; and
- Do not have a document ID on them that can be recorded instead of the personal information.
• Where a nominee LRA will be performing the function of LRA within the private sector e.g.: law clerks in law firms, assistants in a Doctor's office, then they can present a letter signed by their employer authorizing the CA to establish that individual as their LRA. In this case, the individual should present their own primary identification to authenticate themselves, but as secondary identification they could present the letter from the employer, and the employer's business registration license (where applicable). The CA must make a phone call to the nominee's boss to verify they have sent that individual in to be registered as their LRA.
The following lists of primary and secondary identification provide some guidance to the program area on what constitutes acceptable identification.
RA/LRA Primary Identification:
Acceptable RA/LRA Primary Identification
1. Current driver's license showing the LRA's full name and address on the individual's application (including graduated driver's license).
2. Canadian Birth Certificate [5]
3. Current Canadian passport or a valid passport from another country
4. Certificate of Canadian Citizenship or Certificate of Naturalization (paper document or plastic card but excludes commemorative issue).
5. Permanent Resident Card (Maple Leaf Card) – must be renewed every five years if the individual does not become a Canadian citizen.
6. Certificate of Indian or Metis Status Card (Federal Government Issued only).
7. Current document of identity issued by a government ministry or agency with a rigorous registration process, an identification number and potentially a security clearance process (considered on a case by case basis). E.g.: OPP or RCMP Security Check, etc.
8. CANPASS – A Remote Area Border Crossing permit allows the bearer to cross the border into Canada at certain remote areas without reporting to a port of entry, as long as imported goods are declared.
9. NEXUS – A cross-border express pass for low risk travelers who have passed a stringent Canadian and American security check including fingerprint biometrics, a photograph, and a personal interview with immigration officials. In order to maintain this pass, the individual must re-apply every two years.
10. Firearm Registration License.
[5] Federal government change effective November 26, 2001: only the following identity documents will be accepted as proof of Canadian citizenship for people born in Quebec.
• A birth certificate issued after January 1, 1994 by the Directeur de l'état civil in the province of Quebec.
• A Certificate of Canadian Citizenship.
RA/LRA Secondary Identification:
Secondary identification provides additional evidence of the individual's identity and current address (e.g. payment of utility bills, mortgage, bank statement). These documents often provide some evidence of community involvement. They must be dated and from a trustworthy source, and where possible, include the address of the individual.
The following items are acceptable as secondary identification (view relevant data for name and address confirmation only):
ACCEPTABLE RA/LRA SECONDARY IDENTIFICATION
1. Canadian Immigration Identification card
2. Certificate of Baptism
3. Certificate issued by a government ministry or agency, e.g., Marriage, Divorce, Adoption
4. Documents showing the registrations of a legal name change accompanied by evidence of use or prior name for the preceding 12 months
5. BANK/ATM or credit card [6] showing the Subscriber's full name (and signature where applicable)
6. Account statements or bankbooks issued by financial institutions showing the Subscriber's full name and address
7. Insurance policy or renewal documents showing the Subscriber's full name and address
8. Mortgage, Rental or Lease agreement
9. Taxation assessment notices from Canada Customs and Revenue Agency
10. Property tax assessment notice
11. Child Tax Benefit Statement
12. Canada Pension Plan Statement of Contributions
13. Ministry of Natural Resources Outdoors Card
14. Current registration document from a professional organization e.g. physicians with College of Physicians and Surgeons of Ontario (CPSO), Professional Engineers Ontario (PEO)
15. Ontario motor vehicle permit (plate portion and/or vehicle portion)
16. Utility Bills
17. Canadian Forces Identity Card
18. Canadian Police Force Identification Card
19. Judicial ID Card
20. Current Employee ID card (Canadian or Foreign) that includes the employee's name, photo, the issuing organization and date (either issued or expiry)
21. Union Card
22. Payroll statement
[6] Bank or credit card numbers must not be recorded for secondary ID. They must be viewed only.
8 VERIFICATION PROCEDURES FOR AUDITING PURPOSES
To ensure that proper procedures have been followed in the registration process, auditors require that there be proof that the registration rules were followed. For this reason, the following verification steps must be performed:
1) The CA must see and record appropriate identification on an RA Subscriber Agreement;
2) The RA must see and record appropriate identification on an LRA Subscriber Agreement;
3) The LRA must see and record appropriate identification on a Subscriber Agreement;
4) If the LRA is authenticating another LRA, they must see and record the appropriate identification on the LRA Subscriber Agreement;
5) The originals of all Subscriber Agreements (including CA/RA/LRA) must be securely stored at the RA's location. There is restricted access to this information to maintain both security and privacy of the information provided.
6) RAs and LRAs must not maintain photocopies of LRA Agreements or Subscriber Agreements without a memorandum of understanding and the approval of the PMA.
7) The CA/RA/LRA accepting identification from individuals presented as nominee LRAs within the legal or medical communities must telephone the nominee's employer (nominator) to confirm they have sent that individual for registration.
9 AUTHENTICATING INFORMATION
Authenticating Information is used to verify the identity of remote subscribers in situations when their PKI certificates are not available for this purpose. The use of Authenticating Information is essential to protect subscribers' digital identity and to maintain the GO-PKI Trust Model. LRAs in the OSS Contact Centre use Authenticating Information to verify an individual's identity during a telephone call before:
• Communicating activation data (i.e. authorization code or reference number) needed by a new subscriber to create his/her PKI profile; and
• Acting on a caller's request to recover their PKI profile (resetting a forgotten password) or to revoke their certificate.
Subscribers registering for medium level of assurance certificates must provide at least three pieces of Authenticating Information as part of the registration process. The Authenticating Information must be sufficiently obscure (i.e. not easily guessed or readily obtained). In the case of OPS staff with basic level of assurance certificates, the OSS Contact Centre verifies an individual's identity using authenticating information in their WIN employee file.
10 SECRET QUESTIONS AND ANSWERS
With the introduction of Self-Admin Services, Secret Questions and Answers will be used to electronically verify the identity of subscribers before the recovery of their GO-PKI certificate.
At least three SQAs must be used to verify identity to a medium level of assurance. The selected questions and their answers must be stored securely and kept totally confidential (i.e. known only to the individual). In addition, the answers must be obscure (i.e. not readily guessed or researched). Rather than relying on individuals to think of suitable questions for their SQAs, they should be provided a list of standard questions from which they can select three. The standard questions must:
• have answers that are precise, 1-3 words and static (i.e. not subject to change);
• have answers that will be entered consistently (these are like passwords);
• be about something that most individuals can relate to regardless of their background;
• not be about topics that are often shared in casual conversation e.g. children's names;
• have a wide range of answers (to minimize potential for guessing the answer); and
• adhere to the rules of the Workplace Discrimination and Harassment Prevention Policy [7].
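As an added illustration of the Authenticating Information and SQA rules in sections 9 and 10 (example code written for this page, not GO-PKI or Entrust software; the standard question list, the identifiers and the PBKDF2 storage parameters are this example's own assumptions), the following Python enrols three answers chosen from a standard list, keeps only per-answer salted hashes so the answers stay confidential even to the LRA, normalises answers so they are "entered consistently", and confirms identity only when all answers offered match:

```python
"""Secret Questions and Answers (SQA) enrolment and verification.

Example written for this page; not part of GO-PKI or any Entrust product.
Assumptions: the standard question list below is constructed, and PBKDF2-SHA256
is used as the storage hash (the page does not say how SQAs are stored).
"""
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed standard question list (assumption: the real GO-PKI list is not on the page).
STANDARD_QUESTIONS = {
    "Q1": "What was the make and model of your first car?",
    "Q2": "In what city or town were you born?",
    "Q3": "What was the name of your first school?",
    "Q4": "What street did you live on at age ten?",
    "Q5": "What was the name of your first employer?",
}
REQUIRED_ANSWERS = 3      # "at least three SQAs" for a medium level of assurance
MAX_ANSWER_WORDS = 3      # answers must be precise: 1-3 words
PBKDF2_ROUNDS = 100_000   # assumed work factor


def normalize(answer: str) -> str:
    """Canonicalise an answer so the same answer typed differently still verifies
    (the policy wants answers "entered consistently (these are like passwords)")."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as apostrophes and periods
    return " ".join(text.split())          # collapse runs of whitespace


def is_acceptable_answer(answer: str) -> bool:
    """Precise, 1-3 word answers only; empty answers are rejected."""
    words = normalize(answer).split()
    return 1 <= len(words) <= MAX_ANSWER_WORDS


def _digest(normalized_answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalized_answer.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enrol(selections: dict) -> dict:
    """Validate the subscriber's selections and return the records to store.

    Only per-answer salts and hashes are kept; the plaintext answers are never
    stored, so the stored form is known to nobody but the individual.
    """
    if len(selections) < REQUIRED_ANSWERS:
        raise ValueError(f"at least {REQUIRED_ANSWERS} questions must be selected")
    records = {}
    for qid, answer in selections.items():
        if qid not in STANDARD_QUESTIONS:
            raise ValueError(f"{qid} is not on the standard question list")
        if not is_acceptable_answer(answer):
            raise ValueError(f"answer to {qid} must be 1-{MAX_ANSWER_WORDS} words")
        salt = os.urandom(16)
        records[qid] = {"salt": salt, "hash": _digest(normalize(answer), salt)}
    return records


def verify(records: dict, attempts: dict) -> bool:
    """Identity is confirmed only when at least REQUIRED_ANSWERS answers are offered
    and every offered answer matches; every comparison is constant-time and all
    answers are checked so a mismatch does not short-circuit."""
    if len(attempts) < REQUIRED_ANSWERS:
        return False
    all_match = True
    for qid, answer in attempts.items():
        record = records.get(qid)
        if record is None:
            all_match = False
            continue
        candidate = _digest(normalize(answer), record["salt"])
        if not hmac.compare_digest(candidate, record["hash"]):
            all_match = False
    return all_match
```

Normalisation is applied identically at enrolment and at verification, which is what makes "St. Mary's" and "st marys" the same answer; the word-count check enforces the "precise, 1-3 words" rule at enrolment so an answer that would be hard to re-enter consistently is never accepted.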
11 SECURE STORAGE AND DOCUMENT RETENTION
Subscriber Agreements contain personal information; therefore the originals must be securely stored according to the regulations under FIPPA at the RA secure site only [except where approved by the PMA to be secured elsewhere] [8].
• Storage must be locked, secure, and access limited to those individuals within the RA network who are actively taking registration information.
• Individuals acting in registration positions are bound by FIPPA/MFIPPA requirements for confidentiality of personal information provided to them. They must not maintain separate copies of the original Subscriber Agreements nor maintain a separate database of the information on the Subscriber forms.
Subscriber Agreements must be stored according to the rules set by FIPPA/MFIPPA. They should be retained for one year after their last use; however, seven years is recommended.
[7] http://intra.hropenweb.gov.on.ca/hrpolicies/EO_pol.html
[8] http://www.ipc.on.ca/english/acts/prov-act.htm#s2
12 SUBSCRIBER REGISTRATION – MEDIUM LEVEL OF ASSURANCE
Different registration forms are used for internal and external subscribers who require a GO-PKI certificate at a medium level of assurance (LOA). These forms are available on the OPS I&IT Security web site [9].
The registration process can be carried out using either manual registration forms or a web-based registration tool which can be accessed by authorized LRAs from anywhere within the GO-NET. Although registration information is captured and transmitted differently (i.e. paper versus electronic), the roles of the subscribers and LRAs are the same for both the manual and web-enabled registration processes. Completed GO-PKI subscriber forms are classified as medium sensitivity and must be protected accordingly. All information collected by an LRA is considered confidential and is governed by the Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal counterpart MFIPPA. All steps of the registration process must be handled with the strictest security and confidentiality. Secure handling, storage and transmission of the data collected by the LRA are imperative.
Internal Subscribers
The Internal Subscriber Agreement is used for internal subscribers who are staff paid through the Government payroll i.e. permanent employees, secondees from the BPS, co-op students and staff in those agencies, boards and commissions that are paid through the Government payroll.
Most of the internal subscribers are automatically issued a basic LOA certificate through the HR process. Their manager will inform internal subscribers if they need to upgrade their GO-PKI certificate from basic to medium LOA by registering in person with an LRA.
External Subscribers
The External Subscriber Agreement must be used for external subscribers i.e. individuals who require access to government systems and resources to carry out their responsibilities and are not directly paid via the Government payroll e.g. individuals hired through a temp agency, contractors, consultants, external vendors, service delivery partners and client organizations with special access. PKI certificates issued to external subscribers must have an expiry date that is no greater than the expiry date on the ministry’s contract with the vendor organization employing the external subscriber (up to a maximum of two years).
The OPS Manager responsible for the relationship with the external subscriber must sign the Agreement to authorize the request for their GO PKI certificate and the charge back for its issuance. An authorized representative of the vendor organization must also sign the Agreement to authorize the request and accept the obligations placed on the subscriber through their external subscriber agreement. The vendor organization may be offered the option of signing a single external organization agreement rather than multiple External Subscriber Agreements.
[9] http://intra.security.gov.on.ca/securitybranch/pki-services.asp
12.1 Acceptable Subscriber Identification
Any client registering for a PKI Certificate at a medium level of assurance (the standard for the Ontario Government) is required to present, in person, documentation that meets a standard set out in Acceptable Subscriber Identification. Registration procedures for programs whose PIA and TRA recommend a level of assurance other than medium will be reviewed individually as part of their presentation to the PMA. Subscribers must present two pieces of identification during registration that consists of:
• A primary identification document with a document number and photo that was issued by a government organization using a standardized process of registration; and
• An acceptable secondary identification document.
The name and address information on the primary and secondary documents is compared for consistency and the number on the primary document is recorded. A primary identification document with an earlier legal name can be used if the document for the name change is also presented (e.g. marriage certificate). The separate secondary document must reflect the subscriber's current legal name. Information on secondary documentation is not recorded because many of the eligible documents:
• contain personal information that should not be recorded by an LRA; and
• do not include a document number that can be recorded instead of personal information.
In the event that the client does not have a primary piece of identification with a photo, he/she must present three pieces of approved identification that includes at least one primary piece plus a secondary with a photo. Health Cards and Social Insurance Cards (Canadian or foreign equivalent) cannot be requested due to legislation and privacy issues, however, if the nominee chooses to show these pieces of identification, then you cannot refuse to view them. In this case they would be treated as secondary ID that are viewed but the numbers are not recorded. Lists of acceptable primary and secondary identification are outlined below to provide guidance to program areas. There may be other pieces of acceptable ID that fall within the criteria. A second primary document may be used in place of a document from the secondary list.
Subscriber Primary Identification
Subscribers may use the following documents for the purposes of primary identification:
Acceptable Subscriber Primary Identification
1. Current driver's license showing the Subscriber's full name and address on the individual's application (including graduated driver's license).
2. Canadian Birth Certificate [10]
3. Current Canadian passport or a valid passport from another country
4. Certificate of Canadian Citizenship or Certificate of Naturalization (paper document or plastic card but excludes commemorative issue).
5. Permanent Resident Card (i.e. Maple Leaf Card) – must be renewed every five years if the individual does not become a Canadian citizen.
6. Certificate of Indian or Metis Status Band Card (Federal Government Issued only).
7. Current document of identity issued by a government ministry or agency with a rigorous registration process, an identification number and potentially a security clearance process (considered on a case by case basis). E.g.: OPP or RCMP Security Check, etc.
8. CANPASS – A Remote Area Border Crossing permit allows the bearer to cross the border into Canada at certain remote areas without reporting to a port of entry, as long as imported goods are declared.
9. NEXUS – A cross-border express pass available to low risk individuals who have passed a stringent Canadian and American security check including fingerprint biometrics, a photograph, and a personal interview with immigration officials. In order to maintain this pass, the individual must re-apply every two years.
10. Firearm Registration License.
11. Foreign clients may present their country's Citizen Identification card where these exist e.g., Mexico, Europe [11].
[10] Federal government change effective November 26, 2001: only the following identity documents will be accepted as proof of Canadian citizenship for people born in Quebec.
• A birth certificate issued after January 1, 1994 by the Directeur de l'état civil in the province of Quebec.
• A Certificate of Citizenship.
[11] GO-PKI is currently not issuing certificates to foreign subscribers.
Subscriber Secondary Identification
The following are examples of acceptable secondary identification that can be viewed to provide additional identification for the Subscriber presenting them for authentication.
SECONDARY SUBSCRIBER IDENTIFICATION
1. Old Age Security card
2. Canadian Immigration documents issued (without a photo): Immigration Identification card; Immigration Visa and Record of Landing; Confirmation of Permanent Residence; Permanent Resident Visa; Work Permit; Temporary Resident Permit
3. Certificate of Baptism
4. Certificate issued by a government ministry or agency, e.g., Marriage, Divorce, Adoption
5. Documents showing the registrations of a legal name change accompanied by evidence of use or prior name for the preceding 12 months.
6. BANK/ATM or credit card [12] showing the Subscriber's full name (and signature where applicable)
7. Account statements or bankbooks issued by financial institutions showing the Subscriber's full name and address.
8. Insurance Policy or Renewal document with subscriber's full name and address
9. Mortgage, Rental or Lease agreement
10. Taxation assessment notices from Canada Customs and Revenue Agency
11. Property tax assessment notice
12. Child Tax Benefit Statement
13. Canada Pension Plan Statement of Contributions
14. Utility Bills
15. Ministry of Natural Resources Outdoors Card
16. Current registration document from a professional organization e.g. physicians with College of Physicians and Surgeons of Ontario (CPSO), Professional Engineers Ontario (PEO), etc.
17. Judicial ID Card
18. Business Registration License showing the name of subscriber (e.g. business owner) and address of the business
19. Ontario motor vehicle permit (plate portion and/or vehicle portion)
20. Canadian Police Force Identification Card
21. Canadian Armed Forces Identification Card
22. Current Employee ID card (Canadian or foreign) that includes the employee's name, photo, the issuing organization and date (either issued or expiry).
23. Union Card
24. Payroll Statement
25. Student Identification Card
26. BYID Card (formerly Age of Majority Card)
27. CNIB Photo Registration Card – acceptable for subscribers only
[12] Bank or credit card numbers must not be recorded for secondary ID. They must be viewed only.
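The document-acceptance rules of sections 7.5 and 12.1 above, as an added policy-as-code check in Python (example written for this page, not GO-PKI software; the document labels, the role names and the `Document` fields are this example's own assumptions). It encodes the document-count and photo rules for both RA/LRA nominees and subscribers, treats Health Cards and Social Insurance Cards as view-only secondary ID whose numbers are discarded, rejects a document presented twice, and returns a record containing only what may be written on the Agreement: primary document numbers and the kinds of secondary documents viewed.

```python
"""Identity-document acceptance check for GO-PKI registration.

Example written for this page; not GO-PKI software. Document kinds are free-text
labels chosen here; categories follow the primary/secondary lists in the text.
"""
from dataclasses import dataclass
from typing import Optional

# May be viewed if offered, but must never be requested and their numbers never recorded.
RESTRICTED_KINDS = {"health card", "social insurance card"}


@dataclass(frozen=True)
class Document:
    kind: str                     # e.g. "driver's license", "utility bill" (labels assumed)
    category: str                 # "primary" or "secondary" per the acceptable-ID lists
    has_photo: bool = False
    number: Optional[str] = None  # document number; recorded for primary ID only


def _as_presented(docs):
    """Apply the viewing rules: restricted cards count as secondary ID with no number."""
    return [Document(d.kind, "secondary", d.has_photo, None) if d.kind in RESTRICTED_KINDS else d
            for d in docs]


def assess(docs, role="subscriber"):
    """Return (accepted, reason, record). `record` holds only what may be written on the
    Subscriber Agreement: primary document numbers and the kinds of secondary documents viewed."""
    docs = _as_presented(docs)
    kinds = [d.kind for d in docs]
    if len(set(kinds)) != len(kinds):
        return False, "the same piece of identification cannot be used twice", {}
    primary = [d for d in docs if d.category == "primary"]
    secondary = [d for d in docs if d.category == "secondary"]
    has_photo_primary = any(d.has_photo and d.number for d in primary)

    if role == "ra_lra":
        # Section 7.5: three pieces, two primary and one secondary, one primary with a photo.
        accepted = (len(docs) >= 3 and len(primary) >= 2 and len(secondary) >= 1
                    and has_photo_primary)
        reason = "RA/LRA requires two primary documents (one with photo) and one secondary"
    elif has_photo_primary:
        # Section 12.1: photo primary plus one more document (secondary or a second primary).
        accepted = len(docs) >= 2
        reason = "subscriber requires a photo primary document plus one further document"
    else:
        # Section 12.1 fallback: three pieces, at least one primary, plus a secondary with a photo.
        accepted = (len(docs) >= 3 and len(primary) >= 1
                    and any(d.has_photo for d in secondary))
        reason = "without a photo primary, three pieces including a secondary with photo are required"
    if not accepted:
        return False, reason, {}
    record = {
        "recorded_numbers": {d.kind: d.number for d in primary if d.number},
        "viewed_only": [d.kind for d in secondary],
    }
    return True, "accepted", record
```

The privacy rule is enforced structurally rather than by instruction: a restricted card is rewritten as a secondary document with no number before any rule runs, so its number can never reach the returned record, and secondary documents contribute only their kind, matching "viewed but not documented other than to reference the type of document viewed".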
13 REGISTERING SUBSCRIBERS OUTSIDE CANADA
At times, ministries/programs need to have GO-PKI certificates issued to individuals outside Canada (e.g. contractors outside Canada who need remote access to the OPS network to complete their work). A ministry/program with such a need must assess the risks associated with extending access to individuals in foreign jurisdictions, and ensure that access controls are in place to limit their access to the specific applications and information authorized by the ministry/program.
The requirements for the registration of individuals outside Canada parallel those for subscribers inside Canada. There is an additional requirement that the individual provide proof of a working relationship with the Ontario Government (e.g. contract). Before any GO-PKI certificates are issued in a foreign jurisdiction, the Corporate Security Branch will consult with the Federal Government on the Canadian and local laws governing cryptography for that jurisdiction.
Identification Documents
The Corporate RA has the lead role in obtaining PMA approval for document equivalency for identification documents outside Canada. Document equivalency will depend on both the document and the process for its issuance.
When PKI certificates need to be issued in a foreign jurisdiction, the Corporate RA will work with the ministry/program involved and the Corporate Security Branch to develop a list of primary and secondary identification documents that parallels the list for Canada (e.g. birth certificate, driver's license, passport, citizenship certificate). The list will be tailored to reflect differences in local identification documents (e.g. national ID card).
Ministries must retain the services of a Notary Public in the foreign jurisdiction to confirm the validity of identification documents.
Establishing LRAs in a Foreign Jurisdiction
Ministries that need to register individuals in a foreign jurisdiction must develop an LRA network in consultation with the RA and the Corporate Security Branch, and present it to the PMA for approval. The approach taken to establish LRAs in a foreign jurisdiction will vary depending on the nature of the working relationship between the ministry and the foreign organization. For example, ministry staff who routinely travel to meetings with the foreign organization could be appointed and trained as LRAs to register the appropriate foreign individuals face-to-face.
Subscriber Agreement for Foreign Jurisdictions
The External Subscriber Agreement must be used when issuing GO-PKI certificates to individuals in foreign jurisdictions. The ministry/program must consult with their Legal area to review the enforceability of the External Subscriber Agreement with the foreign jurisdiction in mind.
PKI certificates issued outside Canada must be issued with an expiry date. The LRA must enter an expiry date on the Agreement that is no greater than the expiry date on the ministry’s contract with the foreign organization (up to a maximum of two years). If a contract expiry date is not available, PKI certificates will be created with a default expiry date of 6 months. The ministry can renew an expired certificate after confirming that it is still required.
14 COMMUNICATION OF ACTIVATION CODES
The issuance of a GO-PKI certificate involves the CA’s generation of an Authorization Code and Reference Number, which are used by the subscriber to activate his/her GO-PKI profile. The CA must use two separate channels of communication to provide these codes to the subscriber. A designated LRA may potentially be involved in the communication process.
The choice of the communication channels can vary depending on the subscriber group and their access to technology. The separate channels are selected from the following:
• E-mail message sent to the Subscriber's e-mail address;
• Telephone call by an LRA who must first verify the subscriber's identity using the Authenticating Information captured during registration;
• Interactive Voice Response (IVR) – Voice mail message left at the telephone number provided by the subscriber during registration;
• Regular Mail or Courier delivery of an envelope to the Subscriber's address; and
• A secure web service (e.g. Self-Admin Services), which must first authenticate the subscriber's identity using authenticating information e.g. Secret Questions and Answers.
The communication to the subscriber must include instructions on how to activate their PKI certificate and on the need to activate their profile within the required timeframe i.e. within 5 days for basic level of assurance (LOA) and 2 days for medium LOA. Certificates at a high LOA are activated immediately since they are issued on a token.
15 PROFILE RECOVERY/PASSWORD RESET
To facilitate key recovery, the GO-PKI CA backs up and retains a secure copy of each subscriber’s private decryption key, which is the key used by subscribers to open documents that are encrypted for them. A key recovery may only be requested by the subscriber, their sponsor (i.e. Program Manager) or a Canadian municipal, provincial or federal law enforcement entity based on a valid warrant. The subscriber must be informed if another authorized individual has requested the recovery of their private decryption key.
If a subscriber has forgotten their password to access their GO-PKI profile, which contains their keys, he/she can contact an Operational LRA to initiate the process to recover their private decryption key. When the recovery is completed, the subscriber will have a new GO-PKI profile, which will contain their recovered private decryption key and a new private signature key [13].
Subscribers have the option of carrying out a recovery via the Self-Admin Service, which is a secure web-based service that enables users to perform self-administration tasks such as password resets/profile recoveries. GO-PKI subscribers should be encouraged to use the Self-Admin Service since this reduces the number of calls to the help desk and enables subscribers to conveniently recover from a forgotten password during off-hours. To use this service, subscribers must set up their Secret Questions and Answers, which are used by the service to electronically verify their identity before acting on their request.
In the case of calls to the Help Desk, an Operational LRA logs the call and verifies the identity of the subscriber using Authenticating Information that was securely captured (Medium Level of Assurance) or personal information on the WIN system (OPS - Basic Level of Assurance). The Operational LRA then does the RA transaction to recover the subscriber’s profile.
For both recovery processes, the GO-PKI CA generates an Authorization Code and Reference number and transmits these to the Subscriber using two separate channels of communication (see Communication of Activation Codes).
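The two-channel activation exchange of section 14 and the recovery rule of section 15 (the CA escrows only the private decryption key, and a recovered profile carries a fresh signature key), as an added model in Python. This is example code written for this page, not GO-PKI or Entrust code; the channel identifiers, the requester roles, the code formats and the random byte strings standing in for key material are this example's assumptions.

```python
"""Activation codes over two channels, and profile recovery from a decryption-key escrow.

Model written for this page; not GO-PKI or Entrust code. Key material is simulated
with random bytes (assumption) so the block runs without a crypto library.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# The five communication channels listed in section 14 (identifiers are this example's own).
CHANNELS = {"email", "telephone", "ivr", "mail", "self_admin_web"}
# Activation windows from section 14: 5 days at basic LOA, 2 days at medium LOA.
ACTIVATION_WINDOW = {"basic": timedelta(days=5), "medium": timedelta(days=2)}
# Parties that may request recovery of a private decryption key (section 15).
RECOVERY_REQUESTERS = {"subscriber", "sponsor", "law_enforcement"}


@dataclass(frozen=True)
class ActivationData:
    reference_number: str
    authorization_code: str
    reference_channel: str   # channel carrying the reference number
    code_channel: str        # separate channel carrying the authorization code
    issued_at: datetime
    loa: str

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + ACTIVATION_WINDOW[self.loa]

    def usable_at(self, now: datetime) -> bool:
        return now < self.expires_at


def channels_are_separate(reference_channel: str, code_channel: str) -> bool:
    """Both channels must be known and must differ from each other."""
    return (reference_channel in CHANNELS and code_channel in CHANNELS
            and reference_channel != code_channel)


def issue_activation_data(loa, reference_channel, code_channel, now=None):
    """CA side: generate the two secrets and bind each to its own channel."""
    if loa not in ACTIVATION_WINDOW:
        raise ValueError("high LOA certificates are activated on the token; no codes are sent")
    if not channels_are_separate(reference_channel, code_channel):
        raise ValueError("reference number and authorization code need two separate channels")
    return ActivationData(
        reference_number=f"{secrets.randbelow(10**8):08d}",  # constructed 8-digit format
        authorization_code=secrets.token_urlsafe(12),         # constructed format
        reference_channel=reference_channel,
        code_channel=code_channel,
        issued_at=now or datetime.now(),
        loa=loa,
    )


@dataclass(frozen=True)
class Profile:
    subscriber: str
    decryption_key: bytes   # stand-in for the private decryption key (escrowed by the CA)
    signature_key: bytes    # stand-in for the private signature key (never escrowed)


def can_request_recovery(requested_by: str, warrant: bool = False) -> bool:
    """Subscriber or sponsor may request; law enforcement only with a valid warrant."""
    if requested_by not in RECOVERY_REQUESTERS:
        return False
    return requested_by != "law_enforcement" or warrant


class CertificationAuthority:
    def __init__(self):
        self._escrow = {}   # subscriber -> decryption key only

    def enrol(self, subscriber: str) -> Profile:
        profile = Profile(subscriber, secrets.token_bytes(32), secrets.token_bytes(32))
        self._escrow[subscriber] = profile.decryption_key   # the signature key is not backed up
        return profile

    def escrow_holds(self, subscriber: str, key: bytes) -> bool:
        return self._escrow.get(subscriber) == key

    def recover_profile(self, subscriber, requested_by, loa, reference_channel,
                        code_channel, now=None, warrant=False):
        """Rebuild the profile with the escrowed decryption key and a fresh signature
        key, then issue activation data over two channels. The third return value says
        whether the subscriber must be informed that someone else requested the recovery."""
        if not can_request_recovery(requested_by, warrant):
            raise PermissionError(f"{requested_by} may not request key recovery")
        if subscriber not in self._escrow:
            raise KeyError(f"no escrowed decryption key for {subscriber}")
        new_profile = Profile(subscriber, self._escrow[subscriber], secrets.token_bytes(32))
        activation = issue_activation_data(loa, reference_channel, code_channel, now)
        return new_profile, activation, requested_by != "subscriber"
```

The point the model makes is that recovery can never reproduce a signature the subscriber did not make: the CA holds no copy of the signature key, so a recovered profile signs with new key material while it can still decrypt everything encrypted to the old decryption key.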
16 CERTIFICATE REVOCATION
Subscriber GO-PKI certificates must be revoked in the event of:
• Suspected key compromise;
• Change in affiliation e.g. Subscriber leaves their job;
• Breach of the GO-PKI agreement;
• CA private signing key compromise (in this instance, the CA will automatically revoke and re-issue all valid certificates);
• Non-payment of invoice (when issuing certificates outside of OPS/BPS); and
• Organization bankruptcy or liquidation (certificates issued to third party organizations).
16.1 Revoking a GO-PKI Certificate
The revocation of a certificate may be requested only by: the subscriber; the sponsor (i.e. ministry/program); the CA; or the subscriber’s RA.
The identity of the originator of the request for revocation must be authenticated. All requests to revoke a GO-PKI Certificate must be made using the Certificate Revocation Request (CRR) form that is completed by an Operational LRA. When a bulk deletion of certificates is anticipated, a single authorization notice from the program to the RA in writing, listing all of the certificates to be removed, will be sufficient.
[13] The CA does not back up or retain a copy of the subscriber's private signature key, which is the key that forms the basis of the subscriber's digital identity.
Upon completing a CRR, the LRA will immediately forward a digitally signed and encrypted e-mail message to the CA. A request to revoke a certificate must be processed within 12 hours of receipt from the LRA.
Process for Revocation Due to Key Compromise (OPS Domain):
1) The Subscriber contacts an Operational LRA who must authenticate them using their Authenticating Information.
2) The Subscriber will advise the LRA on the situation and how their keys were compromised.
3) The LRA will send a digitally signed and encrypted request to the CA to revoke and recover the keys.
4) Activation codes for a new certificate will be provided to the Subscriber using two different distribution methods.
17 SUBSCRIBER INFORMATION CHANGE
Throughout the life of a subscriber's certificate, it is likely that changes will need to be made to their information. These changes could include but are not limited to:
• a name change through marriage or divorce;
• the subscriber may move from one branch to another within a Ministry or to another Ministry, so the domain they belong to may change;
• if the certificate is issued to a device, the device name could be changed;
• the subscriber may wish to change their Authenticating Information.
When a Subscriber’s information has changed, an update of the revised information must be entered into the database, as follows:
1. A Subscriber informs an Operational LRA of a change to their information e.g. work location, name change, etc. The Subscriber must bring the documentation for a legal name change.
2. The DN Change Request form is completed.
3. The LRA will record the pertinent information, digitally sign and encrypt it, and send it as a secure e-mail message to the CA Agent.
4. The CA Agent will make the appropriate changes to the Subscriber's information and notify the LRA of the change.
18 DEVICE/APPLICATION CERTIFICATES
Certificates sometimes need to be issued and assigned to devices and applications to enable encryption of communications and their authentication when they are accessed by other entities via a network. The request for such a certificate is made using a GO-PKI Device/Application Certificate Agreement (the Agreement) which is on the OPS I&IT Security web site [14].
The IT Operator who has ongoing responsibility for the day-to-day operation and integrity of the device or application is also responsible for the use and protection of its certificate. If a group of IT operations staff is involved, their manager must take overall responsibility for the certificate and ensure that all group members are aware of their responsibilities including those outlined in the Agreement. The IT Operator/Manager must have a GO-PKI certificate at a medium level of assurance (LOA) and must sign the Agreement. The Cluster or Program manager who "owns" the device or application must also sign the Agreement.
The Agreement is forwarded to the GO-PKI CA for processing. A copy will be provided to Service Development in Corporate Security for review. Before issuing the device certificate, the CA must confirm that the IT Operator/ Manager has a medium LOA certificate and record his/her name, position and contact information. The CA must authenticate identity before communicating the activation data for the device certificate to the IT Operator/ Manager. The CA must also send a confirmation to the Cluster/Program manager that the device certificate was issued to the Operations area.
The device/application certificate must be issued with an expiry date 12 months in the future. The CA must notify the IT Operator/Manager one month in advance of the certificate’s expiry. The IT Operator/Manager is responsible for the renewal of the device/application certificate. When notified of a change in the IT Operator/Manager, the CA must update the record of the person responsible for the certificate.
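The following is an added example, not part of the original procedures or of any GO-PKI system, of a small register check that a CA could run to enforce the rules stated in this section: the responsible IT Operator/Manager must hold a medium-LOA certificate, the device certificate expires 12 months after issue, and the operator is notified one month before expiry. Device names, operator names and dates are constructed sample data.

```python
"""Device/application certificate register checks (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping to the last day of a short month."""
    month0 = d.month - 1 + months
    year, month = d.year + month0 // 12, month0 % 12 + 1
    # length of the target month: 1st of the following month minus 1st of this one
    next_first = date(year + month // 12, month % 12 + 1, 1)
    last_day = (next_first - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


@dataclass
class DeviceCert:
    device: str            # device or application the certificate is issued to
    operator: str          # IT Operator/Manager responsible for the certificate
    operator_loa: str      # LOA of the operator's own GO-PKI certificate
    issued: date

    @property
    def expiry(self) -> date:
        """Section 18: expiry date is 12 months after issue."""
        return add_months(self.issued, 12)


def issuance_problem(cert: DeviceCert) -> Optional[str]:
    """Check the CA performs before issuing: the operator needs a medium-LOA certificate.

    The check is literal to the text (exactly "medium"); whether a higher LOA
    would also satisfy it is not stated and so is not assumed here.
    """
    if cert.operator_loa.lower() != "medium":
        return f"{cert.device}: operator {cert.operator} lacks a medium-LOA certificate"
    return None


def reassign_operator(cert: DeviceCert, new_operator: str, new_loa: str) -> DeviceCert:
    """Record a change of IT Operator/Manager; the new person must also meet the LOA rule."""
    updated = DeviceCert(cert.device, new_operator, new_loa, cert.issued)
    problem = issuance_problem(updated)
    if problem:
        raise ValueError(problem)
    return updated


def due_for_notice(certs: List[DeviceCert], today: date) -> List[str]:
    """Devices whose certificate expires within the next month and has not yet expired."""
    return [c.device for c in certs if today <= c.expiry <= add_months(today, 1)]
```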
19 MANDATORY ENHANCED RELIABILITY CLEARANCE FOR GO-PKI
The Government of Ontario Public Key Infrastructure (GO-PKI) has committed to delivering government services on-line in a manner that will provide security and privacy protection along with improved service delivery. PKI is a security tool that allows the people registered (many of whom were previously unknown to each other) to conduct secure and confidential communication, transactions, and information exchange.
Any PKI implementation relies on a Trust Model as its foundation. This Trust Model consists not only of information technology security mechanisms, but also includes employing individuals in the positions who are trusted to perform sensitive functions or who have access to sensitive information. Any compromise of the Trust Model can harm the effectiveness of the PKI implementation.
In view of the level of trust that is placed in them, it is essential that individuals pass an enhanced reliability clearance in accordance with section 19.1 prior to being approved for a position in the GO-PKI network. This is mandatory for OPS employees and Non-OPS staff delivering the service (e.g., contract, ASD):
• All OPS staff/contractors in the Certification Authority (CA),
• All Registration Authorities (can only be OPS staff),
• OPS Local Registration Authorities, and
• All Directory Administrators (OPS staff/contractors) supporting GO-PKI.

[14] http://intra.security.gov.on.ca/securitybranch/pki-services.asp
19.1 Mandatory Components of the Enhanced Reliability Clearance
The clearance process is applied for an individual only with their full, informed and signed consent. The process needed to obtain the required clearance includes:
• A Declaration for a criminal conviction for which a pardon has not been granted,
• A Criminal Record Name Check, and
• A check of the National Security Intelligence System.
A fingerprint check may be required to confirm identity where there is an inconclusive match on the results of a criminal record name check.
These screening components map to the Federal Government's Public Key Infrastructure requirements for individuals staffing their PKIs. As the Federal Government and the Province of Ontario may be cross-certifying with each other, both must follow the same rules for authentication of individuals for their respective Public Key Infrastructures.
20 GLOSSARY OF TERMS
Activation Data — Consists of the authorization code and the reference number provided to the Subscriber.
Application Owner — The owner of an application(s) within a Ministry program area (usually designated to the head of that area).
Authorization Code (AuthCode) — A code (e.g. CMTJ-8VOR-VFNS) obtained from the Entrust Administrator that is required along with a reference number to create a new Entrust profile or to recover an existing profile. The authorization code can only be used once; after that it is no longer valid.
CA Agent — see Entrust Administrator.
CA Operations Manager — The person responsible within the Certification Authority for leading the operational management of security systems for PKI, and developing related policies, standards, and service delivery solutions.
Certificate - The public key of an entity, together with some other information, rendered unforgeable by digitally signing it with the private key of the CA that issued it. The certificate format is in accordance with X.509 and RFC2459.
Certification Practice Statement (CPS) — A statement of the practices that a certification authority employs in issuing keys and certificates. The CPS describes the equipment, policies, and procedures implemented by the CA to satisfy the specifications in the certificate policies it supports.
Certification Authority (CA) — An authority trusted to issue and manage keys, certificates, CRLs and ARLs.
Certificate Policy (CP) — A set of rules that indicate the applicability of keys and certificates to a particular community or class of applications with common security requirements.
Certificate Revocation List (CRL) — A list of revoked certificates that is created and signed by the same CA that issued the certificates. A certificate is added to the list if it is revoked (e.g., because of suspected key compromise) and then removed from it when it reaches the end of the certificate’s validity period. In some circumstances, the CA may choose to split a CRL into a series of smaller CRLs.
Corporate Registration Authority (CRA) — This role is assigned to Ontario Shared Services to operate and provide all GO-PKI registration services for corporate applications e.g., secure e-mail, file and folder encryption, VPN, along with WIN access for OPS employees on behalf of the Government of Ontario.
Criminal Records Name Check (CRNC) — A check done by the OPP against the RA or LRA to determine whether a candidate has a criminal record for which a pardon has not been granted.
Device — A workstation, laptop, server, or other IT hardware.
Device Certificate – The PKI certificate issued for a device to enable its identity to be authenticated and its communications to be encrypted.
Device Owner - Owner of the laptop, workstation, server or other IT hardware.
Distinguished Name (DN) — A name appearing in a certificate that uniquely identifies the public key owner. A distinguished name is composed of the following components: common name, organization, country, e-mail (optional), phone (optional), organizational unit (optional), locality (optional), serial number.
Entity - An autonomous element within a PKI, including a CA and RA.
Entrust Administrator (CA Agent) — A trusted person who uses Entrust/Admin to administer the Entrust system. They use it to enable and disable users individually or in bulk, revoke users’ keys, initiate key recovery for users, create new encryption key pairs for users, disable and re-enable a user’s ability to sign files, and increase the maximum number of users in a CA domain. They can also review audit logs. Depending on the organization’s security policy, the Administrator may also be able to change default user certificate lifetimes (and perhaps disable certificate updates) and default Encryption and Verification policies. They can also issue new CRLs.
Key Recovery - To recover a Subscriber’s private decryption keys to the Subscriber’s newly created Digital Identity.
Local Registration Authority (LRA) — A registration authority authorized by the Corporate RA to service a local community of Subscribers.
Policy Management Authority (PMA) — The governance body of the GO-PKI. This group establishes policy and provides direction for the GO-PKI. The group consists of eleven senior decision-makers from the Ontario Government, each of whom serves a two-year term on the PMA. The Chair of the PMA is the Corporate Chief Information Officer for the Government of Ontario.
Public Key Infrastructure (PKI) — A structure of hardware, software, people, processes, and policies that employs digital signature and encryption using public and private key pairs to enable parties who were previously unknown to each other to establish trust relationships, and to conduct secure and confidential communication, transactions, and information exchange.
Registration Authority (RA) — An entity that is responsible for identification and authentication of certificate subjects, but does not sign or issue certificates (i.e. the RA is delegated certain tasks on behalf of a CA).
Reference Number (REFNum) — A number (e.g. 91480165), obtained from the Entrust Administrator, which is used along with an authorization code to create a new profile or to recover an existing profile. The reference number can only be used once; after that it is no longer valid.
Security Officer — The main role of a Security Officer is to set up and administer an organization’s security policy as it applies to Administrators and Subscribers. Security Officers can also add, enable, disable, and delete other Security Officers, Administrators, Directory Administrators, and Entrust users (although adding Subscribers is mainly an Administrator’s job). They can do this for users individually or in bulk. They can also increase the maximum number of users in a CA domain.
Security Screening — An enhanced reliability security screening is mandatory for all staff employed in the GO-PKI Network. Staff nominated to work in positions within GO-PKI must successfully pass the screening before being employed in the position. This screening is composed of:
• verification of personal data, education and professional qualification, employment data and references through the regular staffing process;
• a declaration concerning any conviction for a criminal offence for which a pardon has not been granted, and
• a criminal record name check [15].
Subscriber - A member of the GO-PKI domain. A party who is the subject of a certificate and who is capable of using, and is authorized to use, the private key that corresponds to the public key in the certificate. Responsibilities and obligations of the Subscriber would be as required by the Certificate Policy and as described in the Subscriber Agreement.
[15] If there is a possible match that appears during a criminal record check, the RCMP will require a fingerprint check as well to confirm the individual’s identity.