DPWN PKI CP - DHL

DPWN PKI Project Unclassified

DPWN PKI Project

Certificate Policy for DPWN Version 1.0

DPWN PKI Project Robert Sieber, DP ITS 1/39


Document InformationAuthor(s)/person(s) in charge

Robert Sieber, DP ITS

Name Certificate Policy for DPWN

Repository

Template Certificate Policy and Certification Practice Statement

Reviewed by PKI Board

Review date 2006-11-20

Approved by PKI Board

Approval date 2006-11-20

Actual state Final

Change LogVersion Date What was changed Editor0.1 2005-08-16 First draft Robert Sieber0.2 2005-08-25 1st review Müller-Hipper0.3 2005-08-29 2nd review Robert Sieber0.4 2005-08-29 3rd review Lisa Anders0.5 2005-10-04 Team review confcall 5th October Robert Sieber0.6 2006-01-30 Updated chapter 9 and 10 Tomas Novak0.7 2006-04-17 Team review Tomas Novak0.8 2006-06-20 Lutz’s comments added Tomas Novak1.0 2006-11-20 PKI Board approval. Lutz Mueller-Hipper

Distribution ListName Function Address, e-mailDPWN PKI Project Distribution of

DPWN-PKI project information

[email protected]

List of abbreviations and definitions

All abbreviations and definitions that are used are contained in the “DPWN PKI Glossary”. This document can be found at https://keyserver.dpwn.net/pks/glossary.



Table of Contents

1 Introduction ............................................................................................................................ 8

1.1 Overview .................................................................................................................... 8

1.2 Document Name and Identification ............................................................................ 9

1.3 PKI Participants .......................................................................................................... 9

1.3.1 DPWN Root CA ......................................................................................... 9

1.3.2 DPWN Intermediate CAs .......................................................................... 10

1.3.3 DPWN Issuing CAs ................................................................................... 10

1.3.4 DPWN RAs ............................................................................................... 10

1.3.5 Subscribers ............................................................................................... 10

1.3.6 Relying Parties .......................................................................................... 11

1.3.7 Other Participants ..................................................................................... 11

1.4 Certificate Usage ...................................................................................................... 11

1.5 Policy Administration ................................................................................................ 12

2 Publication and Repository ................................................................................................ 13

3 Identification and Authentication ....................................................................................... 14

3.1 Naming ..................................................................................................................... 14

3.2 Initial Identity Validation ............................................................................................ 15

3.3 Identification and Authentication for Re-Key Requests ............................................. 15

3.4 Identification and Authentication for Revocation Requests ....................................... 15

4 Certificate Life Cycle Operational Requirements ............................................................. 16

4.1 Certificate Applications ............................................................................................. 16

4.2 Certificate Application Processing ............................................................................ 16

4.3 Certificate Issuance .................................................................................................. 17

4.4 Certificate Acceptance .............................................................................................. 17

4.5 Key Pair and Certificate Usage ................................................................................ 17

4.5.1 Subscriber ................................................................................................. 17

4.5.2 Relying Party ............................................................................................ 19

4.6 Certificate Renewal .................................................................................................. 20



4.7 Certificate Re-Key .................................................................................................... 20

4.8 Certificate Modification ............................................................................................. 20

4.9 Certificate Revocation and Suspension .................................................................... 21

4.10 Certificate Status Service ....................................................................................... 21

4.11 End of Subscription ................................................................................................ 22

4.12 Key Backup and Recovery ..................................................................................... 22

5 Management, Operational and Physical Controls ............................................................ 23

5.1 Physical Security Controls ........................................................................................ 23

5.2 Procedural Controls .................................................................................................. 23

5.3 Personnel Security Controls ..................................................................................... 24

5.4 Audit Logging Procedures ........................................................................................ 25

5.5 Records Archival ...................................................................................................... 26

5.6 Key Changeover ....................................................................................................... 26

5.7 Compromise and Disaster Recovery ........................................................................ 26

5.8 CA or RA Termination .............................................................................................. 26

6 Technical Security Controls ............................................................................................... 28

6.1 Key Pair Generation and Installation ........................................................................ 28

6.2 Private Key Protection and Cryptographic Module Engineering Controls ................. 29

6.3 Other Aspects of Key Pair Management .................................................................. 29

6.4 Activation Data ......................................................................................................... 30

6.5 Computer Security Controls ..................................................................................... 30

6.6 Network Security Controls ........................................................................................ 30

6.7 Time Stamping ......................................................................................................... 30

7 Certificate and CRL Profiles ............................................................................................... 31

7.1 Certificate Profile ...................................................................................................... 31

7.2 CRL Profile ............................................................................................................... 31

7.3 OCSP Profile ............................................................................................................ 31

8 Compliance Audit and Other Assessment ........................................................................ 32

8.1 Frequency or circumstances of assessment ............................................................ 32



8.2 Identity/qualifications of assessor ............................................................................. 32

8.3 Assessor's Relationship to Assessed Entity ............................................................. 32

8.4 Topics Covered by Assessment ............................................................................... 32

8.5 Actions Taken as a Result of Deficiency .................................................................. 32

8.6 Communications of Results ...................................................................................... 33

9 Other Business and Legal Matters ..................................................................................... 34

9.1 Fees ......................................................................................................................... 34

9.1.1 Certificate issuance or renewal fees ......................................................... 34

9.1.2 Certificate access fees .............................................................................. 34

9.1.3 Revocation or status information access fees ........................................... 34

9.1.4 Fees for other services ............................................................................. 34

9.1.5 Refund policy ............................................................................................ 34

9.2 Financial Responsibilities ......................................................................................... 34

9.2.1 Insurance coverage ................................................................................. 34

9.2.2 Other assets ............................................................................................ 34

9.2.3 Insurance or warranty coverage for end-entities ...................................... 35

9.3 Confidentiality of Business Information ..................................................................... 35

9.3.1 Scope of confidential information .............................................................. 35

9.3.2 Information not within the scope of confidential information ...................... 35

9.3.3 Responsibility to protect confidential information ...................................... 35

9.4 Privacy and Personal Information ............................................................................. 35

9.4.1 Privacy plan .............................................................................................. 36

9.4.2 Information treated as private ................................................................... 36

9.4.3 Information not deemed private ................................................................ 36

9.4.4 Responsibility to protect private information ............................................. 36

9.4.5 Notice and consent to use private information .......................................... 36

9.4.6 Disclosure pursuant to judicial or administrative process .......................... 36

9.4.7 Other information disclosure circumstances ............................................. 36

9.5 Intellectual Property Rights ....................................................................................... 36

9.6 Representations and Warranties .............................................................................. 37



9.7 Disclaimers of Warranties ......................................................................................... 37

9.8 Limitations of Liability ............................................................................................... 37

9.9 Indemnities ............................................................................................................... 37

9.10 Term and Termination ............................................................................................ 38

9.11 Individual Notices and Communications with Participants ...................................... 38

9.12 Amendments .......................................................................................................... 38

9.12.1 Procedure for amendment ...................................................................... 38

9.12.2 Notification mechanism and period ......................................................... 38

9.12.3 Circumstances under which OID must be changed ................................ 38

9.13 Dispute Resolution Procedures .............................................................................. 38

9.14 Governing Law ....................................................................................................... 38

9.15 Compliance with Applicable Law ............................................................................ 39

9.16 Miscellaneous Provisions ....................................................................................... 39

9.17 Other Provisions ..................................................................................................... 39



Sequential List of Tables and Figures:

Figure 1 - DPWN Three-tier PKI Hierarchy............................................................................. 9



1 Introduction

Deutsche Post World Net (DPWN) is the world's leading logistics group. Its integrated Deutsche Post,

DHL and Postbank companies offer tailored, customer-focused solutions for the management and

transport of goods, information and payments through a global network combined with local expertise.

Deutsche Post World Net is also the leading provider of Dialog Marketing services, with a unique

portfolio of efficient outsourcing and system solutions for the mail business. Some 380,000 employees in

more than 220 countries and territories worldwide generated revenue of EUR 43 billion ($58 billion) in

2004.

This Certificate Policy (CP) applies to all Certification Authorities (CAs) and Registration Authorities

(RAs) within Deutsche Post World Net (DPWN). This CP comprises the sections included in the table of

contents as well as other documents published and publicly available in the DPWN repository at:

https://keyserver.dpwn.net/repository.

This CP complies with the formal requirements of IETF RFC 3647 regarding format and content. While

certain section titles are included according to the structure of RFC 3647, the associated topics may not

necessarily apply in the implementation of the DPWN PKI services. Such components are indicated with

“section not applicable”

In the case of the DPWN Root being publicly signed, then this CP has been formally reviewed for

compliance with the public signer of the DPWN Root CA.

1.1 Overview

This CP applies to all DPWN CAs and DPWN RAs. Also LRAs are affected by this document.


https://keyserver.dpwn.net/repository


DPITS

root tier

intermediate tier

issuing tier

DPWN SSL CA

DPITS DPITS

. . .

. . .

public CA

Figure 1 - DPWN Three-tier PKI Hierarchy

1.2 Document Name and Identification

This CP is securely made available on https://keyserver.dpwn.net/pks/cp-eng.html. This DPWN CP

utilizes the following OID: 1.3.6.1.4.1.5064.4.1.1

1.3 PKI Participants

This subcomponent describes the types of entities that fulfill any role within the DPWN PKI

implementation.

1.3.1 DPWN Root CA

DPWN Root is the highest Certification Authority level within the DPWN PKI deployment. This

Certification Authority allows DPWN entities to operate their own PKI related services in acceptance of

the DPWN certificate policy.

This CP applies to the DPWN entity management hierarchy and it is binding in part or in whole towards

all entities, which make use of any DPWN certification services.



DPWN operates a CRL (and eventually OSCP) service providing notice or knowledge to relying parties

associated with the revoked and/or suspended certificates. Also the download of public certificates is

provided to relying parties.

1.3.2 DPWN Intermediate CAs

Using an intermediate CA is mandatory for all subscribers to the DPWN Root CA. DPWN supports the

deployment of PKI services within each DPWN entity using an intermediate CA and at agreed upon, pre-

defined levels.

Every intermediate CA operates a CRL or OSCP service providing notice or knowledge to relying parties

associated with the revoked and/or suspended certificates.

1.3.3 DPWN Issuing CAs

Each DPWN entity (DPAG, DHL, DP-ITS) operates its own issuing CAs using this CP. Every issuing CA

must be a subordinated CA to the appropriate intermediate CA. A partition is also required between CAs

issuing certificates for users vs. devices. Additionally, it is mandatory that all certificate templates that

are used conform to this CP and the corresponding Certification Practice Statement (CPS).

It might be possible to operate company wide issuing CAs directly under the root CA or under a special

intermediate CA.

Every issuing CA operates a CRL or OSCP service providing notice or knowledge to relying parties

associated with the revoked and/or suspended certificates.

1.3.4 DPWN RAs

There is no need to operate any explicit RA. Authentication and identification procedures are described

later in this CP.

1.3.5 Subscribers

Subscribers of DPWN CAs on Root or intermediate levels may only be legal DPWN entities. There is no

support for natural persons. Natural persons are supported by the person-related issuing CAs.

Subscribers are parties that:

• apply for a certificate

• are identified in a certificate



• hold a private key corresponding to a public key that is listed in a subscriber certificate

1.3.6 Relying Parties

Relying parties are entities including natural persons (individuals) and/or legal persons (companies) that

rely on a certificate and/or digital signature that is verifiable with reference to a public key listed in a

subscriber’s certificate.

To verify the validity of a digital certificate that they receive, relying parties must always refer to the

DPWN CRL or OSCP prior to relying on information featured in a certificate.

1.3.7 Other Participants

Section not applicable

1.4 Certificate Usage

Certain limitations apply to the DPWN Root and/or intermediate CAs’ certificate usage.

The DPWN Root CA only issues certificates for setting up intermediate CAs or CAs used across the

group.

Certificates from the DPWN Root CA can only be used for issuing subordinated CA certificates. These

certificates are only allowed to setup DPWN intermediate CAs and CAs for usage across the group (e.g.

CAs for SSL certificates). To get a certificate from the DPWN Root CA, the entity has to be owned by

DPWN (at least 51%).

Certificates from DPWN intermediate CAs can only be used for issuing subordinated CA certificates.

These certificates must only authorize the issuing CAs from the legal entity. There is no support for

issuing subordinated CA certificates for another entity’s issuing CA within DPWN. An entity is only

allowed to issue certificates for its own entity, except when the entity is a subsidiary (at least 51%) and

employs less than 250 people.

Certificates from DPWN issuing CAs can only be used to issue certificates to DPWN employees or

devices owned by DPWN or operated on behalf of DPWN. Under some circumstances it is allowed to

issue person-related certificates to contractors.



It is not required that certificates are used to sign any kind of document and/or communication pertaining

to any act of legal significance. Signed documents and/or communication are intended to be used to

verify that the content was not altered during storage or transmission.

1.5 Policy Administration

The DPWN PKI Board manages this CP. DPWN is responsible for the registration, maintenance and

interpretation of this CP.

Every entity that operates a CA within the DPWN PKI has to provide the following information within

each of its CPSs:

• CA contact information (a mail distribution group with at least two individuals; for DPWN Root

and Intermediate CAs DPWN PKI board is also included in the distribution group)

• Certificate type, validation procedures and usage

• reliance limits and liability limitations

• obligations of parties involved in the certificate life cycle

• certificate status-checking

• registration procedures

• CA, RA, LRA model

• Applicable agreements, Certificate

• privacy policy

• applicable law, complaints and dispute resolution

Any policy has to be approved by DPWN PKI Board and has to comply with the provisions of the DPWN

CPs. The DPWN PKI Board is represented by:

Deutsche Post AG

Martin Hagen

Hilpertstraße 31

64295 Darmstadt

Germany

Phone: +49 6151 908 6690

Fax: +49 6151 3909 16690

[email protected]



2 Publication and Repository

DPWN publishes information about the digital certificates it issues in online repositories. Information on

public keys can be found at https://keyserver.dpwn.net and ldap://keyserver.dpwn.net.

DPWN retains an online document repository where it makes certain disclosures about its practices,

procedures and the content of certain policies including its CPSs and CPs. The repository can be found

at https://keyserver.dpwn.net. DPWN refrains from making certain subcomponents and elements of such

documents publicly available, including certain security controls, procedures related with the functioning

of amongst other things its registration authorities, root signing procedures etc.

DPWN publishes digital certificate status information in frequent intervals as indicated by its CPS.

Certificate services participants are obliged to publish documents regarding certificate issuance, e.g.

CP, CPS, CRL and certificates, under the terms of this CP.


https://keyserver.dpwn.net/

https://keyserver.dpwn.net/


3 Identification and Authentication

This component describes the procedures used to authenticate an end-user certificate applicant’s

identity and/or other attributes to a CA or RA prior to certificate issuance. It also describes how parties

requesting a re-key or revocation are authenticated. This component also addresses naming practices,

including the recognition of trademark rights in certain names

3.1 Naming

To identify subscribers, DPWN follows certain naming and identification rules that include types of

names assigned to the subject, such as X.500 distinguished names, RFC-822 names, RFC-1034 DNS

names and X.400 names.

To identify a subscriber for Root and Intermediate CAs, DPWN follows the naming and identification

rules of X.500 distinguished names. When applying for a DPWN certificate, the applicant’s name must

meet the following criteria:

• Root CA: CN = DPWN Root CA R2 PSOU= R2O = Deutsche Post World Net

• Intermediate CA: CN = “entity name” Intermediate CA M2 PSOU = M2O = “entity name”O = Deutsche Post World Net

o for example: CN = DP AG Intermediate CA M2 PSOU = M2O = Deutsche Post AGO = Deutsche Post World Net

CN = DHL Intermediate CA M2 PSOU = M2O = DHLO = Deutsche Post World Net

CN = DP ITS Intermediate CA M2 PSOU = M2O = Deutsche Post ITSolutions GmbHO = Deutsche Post World Net

• Company-wide CAs: CN = DPWN “purpose” CA I2 PSOU = I2O = Deutsche Post World Net

o for example: CN = DPWN SSL CA I2 PS



OU = I2O = Deutsche Post World Net

Naming conventions for issuing CAs have to be published in every certificate template described in the

CA’s CPS. All naming conventions must meet the requirements of this CP.

DPWN does not issue anonymous or pseudonymous certificates to subscribers. Names assigned to

subscribers of a certificate are unique within the DPWN PKI domain. DPWN does not accept

trademarks, logos or otherwise copyrighted graphic or text material for inclusion in its certificates apart

from such material owned by DPWN.

3.2 Initial Identity Validation

The subscriber identified in the subject field must prove possession of the private key corresponding to

the public key being registered with DPWN PKI.

For issuing certificates, DPWN takes steps to identify the subscriber, including but not limited to:

• a physical appearance before a digital certificate is issued

• controlling documents such as identity cards, passport or drivers’ licenses

• controlling organizational documents like corporate identification badges or duly signed

authorization documents

3.3 Identification and Authentication for Re-Key Requests

All terms mentioned in 3.2 also apply for identification and authentication for re-key requests. If the re-

key request contains a new private key, then this request has to be digitally signed by the old key.

Re-key requests after revocation are handled the same as initial key requests.

3.4 Identification and Authentication for Revocation Requests

All terms mentioned in 3.2 also apply for identification and authentication for revocation requests. DPWN

requires the usage of an online authentication mechanism. Revocation requests for certificate authorities

have to be addressed to the DPWN PKI Board.



4 Certificate Life Cycle Operational Requirements

For all CAs and RAs there is a continuous obligation to inform DPWN Policy Managing Authority of all

changes in the information featured in a certificate during the operational period of such a certificate.

4.1 Certificate Applications

Certificate applicants have the responsibility of providing accurate information on their certificate

applications.

Subscribers undergo the following enrollment process:

• filling out an application form

• generating a key pair

• delivering the generated public key corresponding to a private key to DPWN

• demonstrating that the applicant has possession of the private key corresponding to the public

key

• accepting the subscriber agreement and/or CP

Applications for CAs or RAs can be submitted by legal representatives for the whole organization within

DPWN only. If the certificate applicant wants to establish an intermediate or issuing CA, then his CA

structure, set-up, configuration, policy and processes have to be initially audited.

4.2 Certificate Application Processing

After receiving an applicant’s application, the DPWN CA or RA may perform identification and

authentication procedures to validate the certificate application. The DPWN CA or RA either approves or

rejects the certificate application. Such approval or rejection does not necessarily have to be justified to

the applicant or any other party.

A DPWN CA or RA must act on and process a certificate application within:

• 10 business days for end user or device certificates

• 25 business days for requests concerning a new CA or RA



4.3 Certificate Issuance

Following the submission of a certificate application or a certificate renewal request, a DPWN CA or RA

approves or disapproves the submitted information. Following application and credentials approval of

the DPWN RA administrator, the DPWN CA issues the certificate.

4.4 Certificate Acceptance

An issued DPWN certificate is deemed to have been accepted by the subscriber (end user, device)

when any of the following conditions apply:

• acknowledgement of acceptance was made by sending an email to: [email protected]

• the certificate was used for the first time

• after a lapse of five days from issuance

Following conditions apply when the subscriber is a CA or RA:

• acknowledgement of acceptance by sending an email to: [email protected] and getting

response from DPWN PKI that this acceptance has been received

Any usage before acceptance of the certificate is prohibited for CA/RA certificates.

Any objection to accepting an issued certificate must explicitly be notified to the issuing authority. The

justification for the rejection including any fields in the certificate that contain erroneous information must

also be submitted.

DPWN posts issued certificates to an X.500, HTTP or LDAP repository,. It also reserves the right to

publish the certificates to any directory in DPWN if there is a need to do so.

4.5 Key Pair and Certificate Usage

The responsibilities relating to the use of keys and certificates include the following.

4.5.1 Subscriber

Unless otherwise stated in this CP or in the CPS, subscribers are responsible for:

• having knowledge of and, if necessary, seeking training on using digital certificates and

certificate service technologies

• generating their private key pair securely, using a trustworthy system

• providing accurate information in their communications with DPWN PKI

• ensuring that the public key submitted to DPWN PKI corresponds to their own private key


mailto:[email protected]

mailto:[email protected]


• ensuring that the public key submitted to DPWN PKI is the correct one

• generating a new, secure key pair to be used in association with a certificate that they request

from DPWN PKI

• reading, understanding and agreeing to all terms and conditions in the DPWN CP and CPS and

associated policies published in the DPWN Repository

• refraining from tampering with a DPWN certificate

• using DPWN certificates in accordance with the DPWN CP and CPS

• notifying DPWN PKI of any changes to the submitted information

• ceasing to use a DPWN certificate for encryption and signing if any featured information

becomes invalid

• ceasing to use a DPWN certificate for encryption and signing when it becomes invalid

• removing server certificates from any applications and/or devices upon which they have been

installed when the certificates become invalid

• preventing the compromise, loss, disclosure, modification, or otherwise unauthorized use of

their private key

• using secure devices and products that provide appropriate protection to their keys

• refraining from submitting any material that contains statements that violate any law or the rights

of any party to DPWN PKI or any DPWN directory

• requesting the suspension or revocation of a certificate in the case of an occurrence that

materially affects the integrity of a DPWN certificate

Without other limiting subscriber obligations stated elsewhere in this CP, subscribers are liable for any

misrepresentations they make in certificates to third parties that reasonably rely on the representations

contained therein and have verified one or more digital signatures within the certificate.

Parties accessing the DPWN repository and web site, including subscribers and relying parties, agree

with the provisions of this CP and any other conditions of usage that DPWN may make available by

means of a subscriber agreement or a relying party agreement. Additionally parties demonstrate

acceptance of the conditions of CP usage by submitting a query regarding the status of a digital

certificate or by using or relying upon any such information or services provided. Using DPWN

repositories can:

• provide information as a result of the search for a digital certificate

• verify the status of digital signatures created with a private key corresponding to a public key

included in a certificate

• provide information published on the DPWN web site



It is the sole responsibility of the parties accessing information featured in the DPWN repositories and

web site to assess and rely on information featured therein. Parties acknowledge that they have

received adequate information to decide whether to rely upon any information provided in a certificate.

DPWN takes all steps necessary to update its records and directories concerning the status of the

certificates and to issue associated warnings.

4.5.2 Relying Party

A party relying on a DPWN certificate promises to:

• have knowledge on using digital certificates and certificate service technologies

• receive notice of the DPWN CP and associated conditions for relying parties

• verify a DPWN certificate by using a CRL (including the DPWN Root CRL) among others in

accordance with the certificate path validation procedure

• trust a DPWN certificate only if all information featured on such certificates can be verified as

being correct and updated

• rely on a DPWN certificate as may be reasonable under the circumstances

Parties (including subscribers and relying parties) accessing the DPWN Repository and web site agree

with the provisions of this CP and any other conditions of usage that DPWN may make available. Parties

demonstrate acceptance of the CP usage conditions by submitting a query regarding the status of a

digital certificate or by using or relying upon any such information or services provided.

Using DPWN repositories can:

• provide information as a result of the search for a digital certificate

• verify the status of digital signatures created with a private key corresponding to a public key

included in a certificate

• provide information published on the DPWN web site

It is the sole responsibility of the parties accessing information featured in the DPWN repositories and

web site to assess and rely on information featured therein. Parties acknowledge that they have

received adequate information in order to decide whether or not to rely upon any information provided in

a certificate. DPWN takes all steps necessary to update its records and directories concerning the status

of the certificates and issue associated warnings.



4.6 Certificate Renewal

Certificate renewal means the issuance of a new certificate to the subscriber without changing the

subscriber’s public key or any other information in the certificate (except the validity date).

Renewal is permitted from 30 days before certificate expiration date up until 30 days after the certificate

expiration date. For end-user subscriber certificates, the same public key can be used to issue a

certificate up to two (2) consecutive times in total, or for a total length of four (4) years for the same key

pair to be used. Beyond that time limit, the same key pair may not be used any longer.

The subscriber may directly request the certificate renewal from the subscriber interface. A DPWN RA or

CA does not automatically renew subscriber certificates unless they receive a subscriber request.

The DPWN CA issues a new certificate following user authentication through a password or log in with a

certificate that is still valid.

The rest of the procedures remain the same as with the initial registration process including:

• notification of the new certificate to the subscriber

• constituting acceptance of the certificate

• publication of the certificate by the CA

• notification of certificate issuance by the CA to other entities

Renewal of CA/RA certificates on Root or Intermediate levels is prohibited. CA/RA has to apply for a

new certificate. The whole application and issuance processes have to be walked through.

4.7 Certificate Re-Key

A certificate re-key means the generation of a new key pair and application for the issuance of a new

certificate that certifies the new public key.

Section not applicable for DPWN PKI.

4.8 Certificate Modification

Certificate modification means the issuance of a new certificate due to changes in the information in the

certificate other than the subscriber’s public key.

Section not applicable for DPWN PKI.



4.9 Certificate Revocation and Suspension

Upon request from a DPWN CA/RA, DPWN suspends or revokes a digital certificate if:

• there has been a loss, theft, modification, unauthorized disclosure, or other compromise of the

private key of the certificate’s subject

• the certificate’s subject has breached a material obligation under this CP or the CPS

• the performance of a person’s obligations under this CP is delayed or prevented by a natural

disaster, computer or communications failure, or other cause beyond the person's reasonable

control, and as a result, another person’s information is materially threatened or compromised

• there has been a modification of the information contained in the certificate of the certificate’s

subject

A subscriber must contact a DPWN CA/RA at all times to request suspension or revocation. Such

contact can take place online or by non-digital channels. DPWN suspends or revokes a certificate

promptly after verifying the identity of the requesting party and confirming that the certificate has not

been issued in accordance with the procedures required by this CP and the CPS. Verification of the

identity can be done through information elements featured in the identification data the subscriber has

submitted to the DPWN CA/RA. The DPWN CA takes prompt action to revoke the certificate. Relying

parties must use online resources that DPWN makes available through its repository to check the status

of certificates on which they wish to rely. DPWN CRLs are updated on regular basis.

Suspension of DPWN certificates is supported. Request for suspension can be submitted by a

subscriber or a DPWN CA/RA. Suspension may last for as long as it is required to determine the

conditions that caused the request of suspension. Following evidence that such conditions did not allow

for a key compromise, a subscriber may request the re-activation of a certificate.

DPWN publishes notices of suspended or revoked certificates in the DPWN repository. DPWN may

publish its suspended or revoked certificates in its CRL and additionally, by any other means as it sees

fit. During suspension, or upon revocation of a certificate, the operational period of that certificate is

immediately considered terminated.

4.10 Certificate Status Service

DPWN PKI may make the certificate status checking services available.



4.11 End of Subscription

Subscriber subscriptions end when a certificate is revoked, expired or the service is terminated.

4.12 Key Backup and Recovery

All generated CA / RA keys must be stored within a HSM for recovery purposes. They must also be

archived for the lifetime of the CA plus maximum of two years on a permanent backup medium through

a trusted secure procedure.

There is no need to archive or backup keys used by devices within DPWN.

End user certificates have to be backed-up on an HSM for recovery purposes. They might be archived

as long as needed. The individual regulations are published in the CPS of the issuing CA. Public keys of

signing key pairs must be archived and published for a minimum of 15 years after the date of the last

issued certificate to approve signatures.

Signing keys need not be backed up or archived for any purpose.



5 Management, Operational and Physical Controls

This component describes non-technical security controls (physical, procedural and personnel controls)

used by the issuing CA to securely perform functions of key generation, subject authentication,

certificate issuance, certificate revocation, auditing and archiving.

5.1 Physical Security Controls

DPWN implements physical controls on its own premises including the following:

DPWN secure premises are located in an area appropriate for high security operations. There are

numbered zones and locked rooms, cages, safes, and cabinets. Physical access is restricted by

implementing mechanisms to control access from one area of the facility to another or access into high

-security zones, such as locating CA operations in a secure computer room physically monitored and

supported by security alarms and requiring movement from zone to zone to be accomplished using

token and access control lists.

Power and air conditioning operate with a high redundancy rate. Premises are protected from any water

exposures. Prevention and protection and measures against fire exposures are implemented.

Media is stored securely. Backup media is also stored in a separate location that is physically secure

and protected from fire and water damage.

Waste disposal is controlled.

5.2 Procedural Controls

DPWN follows personnel and management practices that provide reasonable assurance of the

trustworthiness and competence of the staff members and of the satisfactory performance of their duties

in the fields of the electronic signature related technologies. Each DPWN member of the DPWN staff

executes a statement of abiding by data protection legislation and meeting confidentiality requirements

like they associate with their post.

All members of the DPWN personnel or the personnel of an authorized outsourced agent operating the

key management operations, administrators, security officers, and system auditors or any other

operations that materially affect such operations are considered as serving in a trusted position.



DPWN conducts an initial investigation of all staff members who are candidates to serve in trusted roles

to make a reasonable attempt to determine their trustworthiness and competence.

Where dual control is required, at least two trusted DPWN staff members need to bring their respective

and split knowledge in order to be able to proceed with the ongoing operation.

The PKI roles are defined by the corresponding CPS documents.

Internal control procedures are designed to ensure that at a minimum, two trusted personnel are

required to have either physical or logical access to the device. Access to CA cryptographic hardware is

strictly enforced by multiple trusted persons throughout its lifecycle, from incoming receipt and

inspection to final logical and/or physical destruction. Once a module is activated with operational keys,

further access controls are invoked to maintain split control over both physical and logical access to the

device.

5.3 Personnel Security Controls

DPWN should perform checks to establish the background, qualifications, and experience needed to

perform within the competence context of the specific job. Such background checks might typically

include:

• criminal convictions for serious crimes

• misrepresentations by the candidate

• appropriateness of references

• any clearances if available

• finished probation period

DPWN makes the relevant checks to prospective employees by means of status reports issued by a

competent authority, third -party statements or self-declarations.

DPWN makes training available for their personnel to perform their CA and RA work functions. Periodic

training updates might also be performed to establish continuity and updates of the knowledge of the

personnel and procedures.

DPWN sanctions personnel for unauthorized actions, unauthorized use of authority, and unauthorized

use of systems for the purpose of imposing accountability on a participant's personnel, as may be

appropriate under the circumstances.



Independent contractors are subject to the same privacy protection and confidentiality conditions as

DPWN personnel.

5.4 Audit Logging Procedures

Audit logging procedures include event logging and audit systems, implemented for the purpose of

maintaining a secure environment. DPWN implements the following controls:

CA key life cycle management events logging, including:- key generation, backup, storage, recovery, archival, and destruction- cryptographic device life cycle management events

CA and Subscriber certificate life cycle management events logging, including:- certificate Applications, renewal, rekey, and revocation- successful or unsuccessful processing of requests- generation and issuance of Certificates and CRLs

Security-related events logging including:- successful and unsuccessful PKI system access attempts- PKI and security system actions performed by DPWN personnel- security sensitive files or records read, written or deleted- security profile changes- system crashes, hardware failures and other anomalies- firewall and router activity- CA facility visitor entry/exit

Audit trail records contain:- the identification of the operation- the date and time of the operation- the identification of the certificate involved in the operation- the identification of the person that performed the operation- a reference to the request of the operation

Documents that are required for audit include:- infrastructure plans and descriptions- physical site plans and descriptions- configuration of hardware and software- personnel access lists

DPWN stores real-time audit logs, which are subsequently processed and archived on a regular basis. Following an alarm or anomalous event the Network Administrator is notified. The log files should be properly protected by an access control mechanism. DPWN implements audit log back up procedures.

Audit logs can only be viewed by authorized personnel as defined by the roles’ definition.

A subject that has caused an audit event to occur is not notified of the audit action. DPWN performs vulnerability assessments at least once a year.



5.5 Records Archival

DPWN retains records of DPWN digital certificates, audit data, certificate application information and

documentation supporting certificate applications in a trustworthy manner. DPWN retains records of

DPWN digital certificates in a trustworthy manner for a term indicated in the DPWN CPS.

Conditions for the archive protection include:

• viewing of an archive only by the records administrator (staff member assigned with the records

retention duty)

• protection against archive modification, such as storing the data on a write once medium

• protection against archive deletion

• protection against deterioration of the media on which the archive is stored, such as a

requirement for data to be migrated periodically to fresh media

5.6 Key Changeover

In terms of changing CA keys the new CA key will be made available via the following interfaces:

• distribution via DPWN directories for internal subscribers

• publication in DPWN repository for external subscribers and relying parties

5.7 Compromise and Disaster Recovery

In one or more separate internal documents, DPWN notes applicable incidents, makes compromise

reports and describes the handling procedures. DPWN documents the recovery procedures used if

computing resources, software, and/or data are corrupted or suspected of being corrupted.

DPWN strives to reestablish a secure environment taking steps that include, but are not limited to,

revoking of a corrupted (or suspected of being corrupted) entity’s certificate. Subsequently DPWN may

reissue a new certificate to the entity.

A business continuity plan has been implemented to ensure business continuity following a natural or

other disaster.

5.8 CA or RA Termination

Before terminating its CA activities with DPWN PKI, a DPWN PKI Partner:

• provides valid certificate subscribers with reasonable notice of its intention to cease acting as a

CA



• revokes all certificates that are still valid (i.e. have not been revoked or expired) at the end of the

notice period without seeking subscriber’s consent

• gives timely revocation notice to each affected subscriber

• makes reasonable arrangements to preserve its records according to this CP

• provides succession arrangements, if possible, for the re-issuance of certificates by a successor

CA under the same CP



6 Technical Security Controls

This component is used to define the security measures taken by DPWN PKI to protect its cryptographic

keys and activation data. This component also describes other technical security controls used by

DPWN PKI to securely perform the key generation functions, user authentication, certificate registration,

certificate revocation, auditing and archiving. It can also be used to define any other technical security

controls regarding PKI.

6.1 Key Pair Generation and Installation

The DPWN CAs’ private keys are used to sign their issued certificates, certification revocation lists and

accredited root -signed entities (other CAs). Other usages are restricted.

For its root key, DPWN uses FIPS compliant algorithm with a key length of at least 2048 bits and a

validity period no longer than 15 years.

DPWN securely generates and protects its own private key(s), using a trustworthy system, and takes

necessary precautions to prevent the compromise or unauthorized use of it. DPWN implements and

documents key generation procedures, in line with this CP. DPWN acknowledges public, international

and European standards on trustworthy systems.

The generation of the private key(s) of DPWN CAs occurs within a secure cryptographic device meeting

appropriate requirements including ISO 15782-1, FIPS 140-1 at least level 2, ANSI X9.66. The

generation of the DPWN CAs private key(s) requires the control of more than one appropriately

authorized staff members serving in trustworthy positions. More than one member of the management

makes the key generation authorization in writing.

DPWN CAs use a secure cryptographic device to store its own private key(s) meeting the appropriate

ISO 15782-1/FIPS 140-1/ANSI X9.66 level requirements. The storage of the DPWN private key requires

multiple controls by appropriately authorized staff members serving in trustworthy positions. More than

one member of the management makes the key storage authorization and personnel assignment in

writing.

DPWN’s private key(s) is/are backed up, stored and recovered by multiple and appropriately authorized

staff members serving in trustworthy positions. More than one member of the management makes the

key storage authorization and personnel assignment in writing.

DPWN’s secret share holdings use multiple authorized holders to safeguard and improve the

trustworthiness of private key(s) and to provide for key recovery. Before secret shareholders accept a



secret share they must personally have observed the creation, re -creation, and distribution of the share

or its subsequent custody chain. A secret shareholder receives the secret share within a physical

medium, such as a DPWN approved hardware cryptographic module. DPWN keeps written records of

secret shared distribution.

DPWN private keys are destroyed at the end of their lifetime in order to guarantee that they cannot ever

be retrieved and used again. DPWN keys are destroyed by shredding their primary and backup storage

CD-ROMs, by deleting their shares and by powering off any hardware modules on which the keys are

stored.

The key destruction process is documented and associated records are archived.

6.2 Private Key Protection and Cryptographic Module Engineering Controls

DPWN uses appropriate cryptographic devices to perform CA key management tasks. Those

cryptographic devices are known as Hardware Security Modules (HSMs). Such devices meet the

requirements of FIPS PUB 140-1 Level 2 or higher, which guarantees, amongst other things, that any

device tampering is immediately detected; and private keys cannot leave devices unencrypted.

Hardware and software mechanisms that protect CA private keys are documented. The documentation

demonstrates that CA key protection mechanisms are of at least equivalent strength to the CA keys they

are protecting.

In case HSMs require maintenance or repair that cannot be done within DPWN premises, they are

securely shipped to their manufacturer.

The DPWN Root CA private key remains distributed under all entities operating an intermediate CA.

Within these entities the transport key must remain under n out of m multi-person control. The DPWN

Root CA private key is not escrowed. DPWN records each step of the key backup process using a

specific form for logging information.

6.3 Other Aspects of Key Pair Management

DPWN archives its own public key. DPWN issues subscriber certificates with usage periods as indicated

on such certificates.



6.4 Activation Data

DPWN securely stores and archives activation data associated with its own private key and operations.

6.5 Computer Security Controls

The following functionality may be provided by the operating system, or through a combination of

operating system, PKI CA software, and physical safeguards (policies and procedures). Each CA server

will include the following functionality:

access control to CA services and PKI roles, see Section 5.1

enforced separation of duties for PKI roles, see Section 5.2

identification and authentication of PKI roles and associated identities, see Section 5.3

use of cryptography for session communication and database security, mutually authenticated

and encrypted SSL/TLS is used for all communications

archival of CA history and audit data, see Sections 5.5 and 5.6

audit of security related events, see Section 5.4

trusted path for identification of PKI roles and associated identities, use of X.509 certificates for

all administrators

recovery mechanisms for keys and CA system, see Section 5.7 and business continuity plan

DPWN Root CA server will be detached from the network and stored in an isolated cage. OS

Administration will be done by the CA Administrator group. Patching will be done in accordance with the

CPS document

6.6 Network Security Controls

DPWN maintains high-level network systems security including firewalls and intrusion detection systems

directly or through an authorized agent.

6.7 Time Stamping

Section not applicable



7 Certificate and CRL Profiles

This component is used to specify the certificate format and, if CRL and/or OCSP are used, the CRL

and/or OCSP format.

7.1 Certificate Profile

DPWN publishes the certificate profiles in its CPS.

7.2 CRL Profile

In conformance with IETF PKIX RFC 2459, DPWN supports CRLs compliant with:

• version numbers supported for CRLs

• CRL and CRL entry extensions populated and their criticality

7.3 OCSP Profile

DPWN publishes the OCSP profiles in its CPS.



8 Compliance Audit and Other Assessment

This component addresses the following:• list of topics covered by the assessment and/or assessment methodology• frequency of compliance audit or other assessments • identity and/or qualifications of the personnel performing the audit or other assessments• relationships between the assessor and the entity being assessed. • actions taken as a result of deficiencies found during the assessment• who is entitled to see results

8.1 Frequency or circumstances of assessment

The audit will be conducted annually and can be performed by assigned DPWN department or by an external audit firm.

More than one audit per year is possible if this is requested by the audited party or is a result of unsatisfactory results of previous audit.

8.2 Identity/qualifications of assessor

The auditor must demonstrate competence in the field of compliance audits.

8.3 Assessor's Relationship to Assessed Entity

Compliance Audits performed by third-party audit firms shall be conducted by firms independent of the audited entity. Such firms shall not have a conflict of interest that hinders their ability to perform auditing services.

8.4 Topics Covered by Assessment

The purpose of a compliance audit shall be to verify that the audited party has in place, a system to assure the quality of the services that it provides, and that it complies with all of the requirements of this CP and its CPS. All aspects of the audited party’s operation related to this CP shall be subject to compliance audit inspections.

8.5 Actions Taken as a Result of Deficiency

In case of a deficiency, the DPWN PKI Board will announce the steps that will be taken to remedy the deficiency. This announcement will include a timetable.

If a discovered deficiency has direct consequences on the reliability of the certification process, the certificates (suspected to be) issued under the influence of this problem shall be revoked immediately.



8.6 Communications of Results

The Compliance Auditor shall provide the DPWN PKI Board with a copy of the results of the Compliance Audit. The results will not be made public unless required by law.



9 Other Business and Legal Matters

This component covers general business and legal matters.

9.1 Fees

No stipulation.

9.1.1 Certificate issuance or renewal fees

No stipulation.

9.1.2 Certificate access fees

No stipulation.

9.1.3 Revocation or status information access fees

No stipulation.

9.1.4 Fees for other services

No stipulation.

9.1.5 Refund policy

No stipulation.

9.2 Financial Responsibilities

No Financial responsibility is accepted for certificates issued under this policy.

9.2.1 Insurance coverage

No stipulation.

9.2.2 Other assets

No stipulation.



9.2.3 Insurance or warranty coverage for end-entities

No stipulation.

9.3 Confidentiality of Business Information

9.3.1 Scope of confidential information

Audit information is to be considered confidential and shall not be disclosed to anyone for any purpose other than audit purposes or where required by law, or a contractual agreement between the CA and the company being given access to the report that protects the confidentiality of the audit information.

Any disclosure of information is subject to the requirements of any privacy laws and other relevant legislation and applicable organizational policy.

The digital signature private key of each Subscriber is to be held only by the Subscriber and shall be kept confidential by them. Any disclosure of the private key or media containing the private key by the Subscriber is at the Subscriber's own risk.

The Subscriber shall keep the Subscriber's copy of their confidentiality private key confidential. Disclosure by the Subscriber is at the Subscriber's own risk. Confidentiality keys may be backed up by the issuing CA in which case these keys shall be protected in accordance with Section 6, and shall not be disclosed without prior consent of the Subscriber or a duly authorized representative of the issuing CA unless required by law.

9.3.2 Information not within the scope of confidential information

Certificates, OCSP responses, CRLs and personal or corporate information appearing in them and in public directories are not considered confidential information.

9.3.3 Responsibility to protect confidential information

A CA must ensure that confidential information be physically and/or logically protected from unauthorized viewing, modification or deletion. In addition, the CA must ensure that storage media used by the CA system is protected from environmental threats such as temperature, humidity and magnetism.

Confidentiality keys may be backed up by the issuing CA, in which case these keys shall be protected in accordance with Section 6, and shall not be disclosed without prior consent of the Subscriber or a duly authorized representative of the issuing CA unless required by law.

9.4 Privacy and Personal Information

The DPWN service collects information about the subscribers. Information included in issued certificates and CRLs is not considered confidential.



Under no circumstances will the DPWN CA have access to the private keys of any subscriber to whom it issues a certificate.

9.4.1 Privacy plan

A CA’s guiding principle is to not disclose private personal information of its Subscribers, customers, employees, and partners without the prior consent of the aforementioned unless required by law.

9.4.2 Information treated as private

Any information about subscriber or requester that is not made public through the certificates issued by this CA, the CRL or the LDAP directory’s content is considered private information.

9.4.3 Information not deemed private

Subject to local laws, all information made public in a certificate is deemed not private.

9.4.4 Responsibility to protect private information

A CA must ensure that private personal information be physically and/or logically protected from unauthorized viewing, modification or deletion. In addition, the CA must ensure that storage media used by the CA system is protected from environmental threats such as temperature, humidity and magnetism.

9.4.5 Notice and consent to use private information

Unless where otherwise stated in this CP, the applicable Privacy Policy or by agreement, private information will not be used without the consent of the party to whom that information applies. This section is subject to applicable privacy laws.

9.4.6 Disclosure pursuant to judicial or administrative process

This section is subject to applicable privacy laws.

9.4.7 Other information disclosure circumstances

No stipulation.

9.5 Intellectual Property Rights

DPWN owns and reserves all intellectual property rights associated with its database, web sites, DPWN CA certificates and any other publication whatsoever originating from DPWN CA including this CP.



9.6 Representations and Warranties

A CA will issue and revoke certificates, operate its certification and repository services, and provide certificate status information in accordance with this CP. Authentication and validation procedures will be implemented as set forth in Section 3 of this CP.

All CAs will operate in accordance with this CP, their respective CPS(s) and applicable when issuing and managing certificates provided to CAs, RAs, sub-CAs and Subscribers under this CP. All participating CAs will require that all the RAs operating on their behalf will comply with the relevant provisions of this CP concerning the operations of the RAs. All participating CAs will take commercially reasonable measures to make Subscribers and Relying Parties aware of their respective rights and obligations with respect to the operation and management of any keys, certificates or End-Entity hardware and software used in connection with the PKI. Subscribers should also be notified as to procedures for dealing with suspected key compromise, certificate or key renewal, and service cancellation.

When a CA publishes or delivers a certificate, it declares that it has issued a certificate to a Subscriber and that the information stated in the certificate was verified in accordance with this CP.

CA personnel associated with PKI roles shall be individually accountable for actions they perform. "Individually accountable" means that there shall be evidence that attributes an action to the person performing the action.

Subscribers are required to protect their private keys, associated passphrase(s) and tokens, as applicable, in accordance with Section 6, and to take all commercially reasonable measures to prevent their loss, disclosure, modification, or unauthorized use Any Subscriber information shall be complete, validated and accurate with full disclosure of all required information in connection with a certificate or a query to a CA. The Subscriber shall only use the keys and certificates for the purposes identified in this CP and in any applicable agreement(s).

When a Subscriber suspects a private key compromise, the Subscriber shall notify the issuing Certification Authority in the manner specified by Section 4.9. When any other entity suspects private key compromise, they should notify the issuing CA

9.7 Disclaimers of Warranties

Not applicable.

9.8 Limitations of Liability

In no event will DPWN be liable for any damages to Subscribers, Relying Parties or any other party arising out of or related to the misuse of, or reliance on Certificates issued by DPWN CAs.

9.9 Indemnities

The DPWN CA declines any payment of indemnities for damages arising from the use or rejection of certificates it issues.



End entities shall indemnify and hold harmless the DPWN CAs operating under this CP/CPS against all claims and settlements resulting from fraudulent information provided with the certificate application, and the use and acceptance of a certificate which violates the provisions of this CP/CPS document.

9.10 Term and Termination

This document remains in force until:- no more valid certificates, issued under this CP, exist- it is replaced by a new version.

This document remains available for at least 5 years after no more valid certificates, issued under this CP, exist.

9.11 Individual Notices and Communications with Participants

Any participant has to communicate, in a proper way, to all those concerned, any changes in its status as participant of the DPWN PKI which may reasonably affect any or all of those concerned.

9.12 Amendments

Changes to this CP are indicated by an appropriate numbering.

9.12.1 Procedure for amendment

Amendments to this CP must undergo the same procedures as for the initial approval. Rephrasing provisions to improve their understandability as well as pure spelling corrections are not considered amendments.

9.12.2 Notification mechanism and period

The amended CP document shall be published on the DPWN CA Web pages at least 2 weeks before it becomes effective.

The DPWN CA will inform its subscribers and all relying parties it knows of by means of an e-mail.

9.12.3 Circumstances under which OID must be changed

No stipulation.

9.13 Dispute Resolution Procedures

Disputes arising out of the CP shall be resolved by the DPWN PKI Board.

9.14 Governing Law

Section not applicable.



9.15 Compliance with Applicable Law

This CP is subject to applicable national, state, local and foreign laws, rules, regulations, ordinances, decrees and orders including but not limited to restrictions on exporting or importing software, hardware or technical information.

9.16 Miscellaneous Provisions

No stipulation.

9.17 Other Provisions

No stipulation.


DPWN PKI CP - DHL

Documents

Transcript of DPWN PKI CP - DHL