TeleSec Shared-Business-CA

Service Specifications TeleSec Shared Business CA
T-Systems, last revision: Nov. 1, 2012
This translation is not the authentic text. The German version shall be part of the agreement.

1 General

With the TeleSec Shared-Business-CA PKI service, T-Systems International GmbH (hereinafter referred to as “T-Systems”) offers a company Public Key Infrastructure (PKI), using which the customer himself can issue and administer (revoke, renew, etc.) digital certificates for a wide variety of applications (e.g., e-mail security, VPN, client-server authentication, Microsoft domain registration) in accordance with the X.509v3 standard.

TeleSec Shared-Business-CA offers the possibility of setting up and using a PKI for in-house identity management within a few days. T-Systems provides the customer with the infrastructure and accesses needed for this so that the customer can access the PKI components in T-Systems’ secure Trust Center via the Internet from the customer’s location.

2 Standard services provided by T-Systems

2.1 TeleSec Shared Business CA

2.1.1 Domain concept

The customer is set up as an independent client within TeleSec Shared-Business-CA. The customer can autonomously and independently issue and administer certificates within his client. In the context of TeleSec Shared Business CA, the client is also termed the master domain, and the subdivision is called the area of responsibility (subdomain). The domain names are also added to the certificate. In this way, this two-level domain concept enables the customer’s organizational structures to be mapped.

2.1.2 Certification authority

Certificates are generally issued by an intermediate certification authority (CA), which in turn is hierarchically subordinate to a master certification authority (root CA). In this regard, depending on the type of submission, the certificate can be issued by an intermediate certification authority which is subordinate to either a public or an internal master certification authority.

The “Deutsche Telekom Root CA 2” and “T-TeleSec GlobalRoot Class 2” root authorities are already pre-installed as trustworthy certification authorities (trust anchors) in many certificate stores and applications. However, subsequent installation is required for the “Deutsche Telekom Internal Root CA 1” root authority.

2.1.3 Registration authority

Before a certificate is issued, the requester (individual or device) must be registered. Registration takes place by the customer himself in compliance with the requirements of the Shared Business CA, essentially the Certification Practice Statement (CPS). The Shared Business CA provides two options.

– Central registration
  The certificate for individuals and devices (see Item 2.3) is issued centrally by the competent subregistrar, once registration has been successfully completed. The subregistrar can also process (approve, reject, resubmit) certificate requests that are received via the SCEP or e-mail interfaces (see Item 2.3.2). The stipulations of the registration process are described in the CPS.

– Local registration
  The requester (individual) can submit a certificate request from a user website. The competent subregistrar carries out the registration according to the stipulations of the Certification Practice Statement and approves the request, provided that no objections exist. The certificate is then available to the requester for downloading. Provisions regarding the registration process are described in the Certification Practice Statement (CPS).

2.2 Provision of TeleSec Shared Business CA

In order to ensure the fast and straightforward use of TeleSec Shared-Business-CA, the initial provision includes the installation of a PKI client and the delivery of a basic package of hardware and software components (smart card reader, driver software), which forms the basis for accessing the Trust Center.

The basic equipment supports the customer in issuing the soft PSE (a file consisting of the certificate and private key) and in placing certificates on a smart card that already has keys generated on it (smart card personalization). The initial provision includes the following services:
– Setup of a customer-specific administrative area (client or master domain)
– Provision of a master registrar certificate on the smart card for administering the client within the Shared Business CA
– Provision of a subregistrar certificate to administer the areas of responsibility (subdomains) created by the customer within the TeleSec Shared Business CA
– A class-2 smart card reader (with keypad)
– The related CSP software or PKCS#11 module
– Documentation, consisting of the Certification Practice Statement (CPS), the Service Level Agreement (SLA), the installation instructions for the registrar PC and the role-specific manuals
The basic package is installed on an Internet-capable standard PC of the customer.

2.3 Provision of the TeleSec Shared-Business-CA service

TeleSec Shared Business CA provides a PKI infrastructure that is operated by competent staff in T-Systems’ highly secure Trust Center according to the provisions of the Service Level Agreement (SLA) and the Certification Practice Statement (CPS). The customer can issue, revoke and renew his own certificates within his administrative area (client or master domain). The customer is therefore responsible for both key administration and registration.

The TeleSec Shared Business CA service issues certificates for the following users, depending on their functional roles:
– Registration employees of the domain operator (master registrar, subregistrars and their derivatives (central key backup)) as subordinate registration authorities
– Individuals (end users, pseudonyms) as single, dual and triple key certificates
– Legal entities (such as associations, function groups) as single, dual and triple key certificates
– Devices (e.g., machines such as routers, gateways, servers, domain controllers or mail gateways)
The certificates are administered after successful authentication in a role-based manner (master registrar, subregistrar, user) via SSL-protected websites. The Certification Practice Statement (CPS) documents how to use TeleSec Shared Business CA.

2.3.1 Certificate administration via role-specific websites

The customer accesses the TeleSec Shared Business CA website via an SSL-secured Internet connection (HTTPS protocol). Only upon successful authentication (access control) can the customer’s role holder use his specific TeleSec Shared Business CA functions. The customer can use the following range of functions, depending on the assigned role.

a) Website for the “master registrar” role
For administering the master domain, the customer (e.g., company, institution) names a responsible person to whom a master registrar certificate is issued and who will then perform the function of the master registrar.
The website provides the master registrar with the following functions:
- Create, find and process areas of responsibility (subdomains)
- Issue, find and revoke subregistrar certificates; optional: role assignment of subregistrar certificates (derivatives) for downloading p12 or password files with central key backup according to the principle of dual control (see Item 2.3.8); optional: role assignment of CMP certificates for the CMP interface
- Find and process user certificates
- Initiate and download certificate revocation lists (CRL)
- Display and download CA and root CA certificates
- Administer the client by posting advisories, posting customer documents and changing login data
- Display information such as advisories and download T-Systems documents
- Renew the master registrar certificate
- Generate statistics within the master domain
At least one area of responsibility (subdomain) must be defined according to the customer’s specifications in order, for example, to properly map the organizational structure. The master registrar creates the area of responsibility and issues a subregistrar certificate for the authorized person. A subregistrar can also have the rights to administer multiple areas of responsibility.

b) Website for the “subregistrar” role
The subregistrar has the task of initiating the issue of user certificates within his area of responsibility (see Item 2.1.3, Central registration) or of processing (approving, rejecting, resubmitting; see Item 2.1.3, Local registration) certificate requests. The subregistrar carries out the user registration in accordance with the requirements of the Certification Practice Statement (CPS). He is also responsible for renewing and revoking certificates. The following functions are available to the subregistrar on the website:
- Issue, approve, find and process end user certificates. In handling the request, attention should be paid to whether the certificate is to be placed on a smart card or whether key material is to be generated as a soft PSE. In order to simplify the smart card personalization process, certificate data can be uploaded and copied for the request
- Request soft PSEs in bulk mode (bulk generation of key materials, including certificate)
- Initiate and download certificate revocation lists (CRL)
- Display and download CA and root CA certificates
- Administer the customer-specific domain by posting advisories, posting customer documents and setting default user input
- Display information such as advisories and download T-Systems documents
- Renew the subregistrar certificate
Optional: Pre-registration data (pre-authentication) can be uploaded as a result of the registration process. Certificate requests that are made via the user website, mail interface or SCEP interface are checked against the pre-registration data and processed accordingly. If the checks have a positive outcome, the certificate is issued directly. Otherwise the subregistrar must process the request manually.

c) Website for the “user” role
If the user is to request his own certificates, a separate website is available and provides the following functions:
- Request, retrieve, find, revoke and renew user certificates after successfully logging into the website
- Download certificate revocation lists (CRL)
- Display and download CA and root CA certificates
- Display information such as advisories and download T-Systems documents

2.3.2 Other interfaces

a) SCEP (Simple Certificate Enrollment Protocol)
TeleSec Shared Business CA supports the request and administration of certificates for network components (routers) via the SCEP protocol.
b) E-mail
TeleSec Shared Business CA offers the possibility of requesting certificates for users (single key only) and servers by e-mail. The request is sent to a defined e-mail address in compliance with format standards (PKCS#10 request). After the subregistrar has approved the certificate request, the certificate is issued to the sender’s e-mail address.
c) CMP (Certificate Management Protocol)
TeleSec Shared Business CA supports the request and administration of certificates (users, servers) via the CMP protocol. However, to use this interface, the customer needs to develop a CMP client individually.

2.3.3 Directory service

T-Systems provides a central directory service for TeleSec Shared Business CA, which allows the current revocation lists (CRL, ARL) as well as various certificate types to be retrieved. Access to the directory service is public or protected by a user name/password. The LDAP protocol is used for access.

2.3.4 Revocation lists

Revoked end user and registrar certificates are published in a certificate revocation list (CRL), which is updated once a day. Revocation lists can also be initiated on particular occasions (see Item 2.3.1). Revoked CA certificates are published in an authority revocation list (ARL). Generation is undertaken by T-Systems on particular occasions but no later than after 6 months.

2.3.5 Online certificate validation

The online validation of end user and registrar certificates is supported via the OCSP protocol (Online Certificate Status Protocol).

2.3.6 Setting default values in data fields

The subregistrar role can set default values in certain data fields for submitting requests.

2.3.7 Information and messages

TeleSec Shared Business CA provides the option of selectively distributing customer-specific items of information as well as information from T-Systems (advisories and documents) within the role-specific websites (master registrar, subregistrar and user).

2.3.8 Central key backup for soft PSE

An optional central key backup can also be configured for a master domain. This makes it possible to upload key material (private key and certificate) that was not created in bulk and to store it in the Trust Center. Two additional functional roles are authorized to separately find and download the p12 file and the password file according to the principle of dual control.

2.4 Provision of certificates

In addition to the individual data about the certificate holder, the requested certificate types always include information about the master domain and subdomain. The certificates also contain information about how the key is used (digital signature, key encryption). The login certificate (see Item 2.4.1, letter c)) contains the attribute “extended key usage” (smart card login, client authentication). The certificate validity can be set to one year or three years and is valid for the configured master domain. Other validity periods can be configured as an option.

2.4.1 Certificates for individuals and legal entities and groups of individuals and functions

According to the configuration, only certain certificate bundles can be requested. These are:
a) Single key
Consists of a certificate that is suitable for the purposes of key encryption and digital signature. Extended key usage is not set.
b) Dual key
Consists of two separate certificates, one each for the purposes of key encryption and digital signature. Extended key usage is not set.
c) Triple key
Consists of three separate certificates, one each for the purposes of key encryption, digital signature and smart card-based login to Microsoft Windows domains. Smart card login and client authentication are set as the extended key usage.

2.4.2 Certificates for devices

a) Server certificates
Server certificates for authenticating web servers in accordance with the SSL/TLS standard.
b) Router/gateway certificates
Certificates for use in network components.
c) Mail gateway certificates
Domain certificate for use in an e-mail gateway.
d) Domain controller certificates
Certificates are issued for servers that are operated as domain controllers in a Microsoft server domain.

2.4.3 Certificates for the client’s registration employees

Registration employees receive a certificate that is suitable for the purposes of key encryption and digital signature. Extended key usage is not set.

3 Technical service specifications

3.1 General conditions of PC workstations for issuing, administering and using certificates

3.1.1 Registrar workstation 1)

Certificates are issued and administered from TeleSec Shared Business CA via web-based components of a workstation computer (PC), which must meet defined requirements.
a) General system requirements
- Standard PC, at least 128 MB of RAM, at least 50 MB of available hard disk space
- CD-ROM drive
- USB ports for one or two readers; optional: USB port for removable data media
- Internet port (HTTP protocol, HTTPS); the standard SSL port 443 must be enabled
- Enabled LDAP port, if access to the LDAP directory service of TeleSec Shared Business CA is to be supported
- Sufficient access protection to prevent external use
- Rights assignment without preventing or limiting the ability to request and administer certificates
b) Supported operating systems
- Microsoft Windows 7 (32-bit and 64-bit system), Service Pack 1. Recommended: All the latest patches should be installed.
- Microsoft Windows XP, Service Pack 3 (to support SHA-256). Recommended: All the latest patches should be installed.
- Microsoft Windows 2000, Service Pack 4 (to support SHA-1). Recommended: All the latest patches should be installed.
Personalization software (including the function for local key backup of the encryption certificate) is supported only by Microsoft operating systems. The Windows 95, Windows 98, Windows 98 SE, Windows ME and Windows NT4 operating systems are not approved for master and subregistrar workstations for security reasons.
c) Supported web browsers
- Microsoft Internet Explorer IE 6 to 9
- Mozilla Firefox (16.x recommended)
d) Other
- E-mail account
- Administrator rights for installing the CSP and driver software and the PKCS#11 module for supporting the use of smart cards
- Optional: telephone line

3.1.2 Other components that use certificates

a) User workstations for e-mail security, client-server authentication or VPN
These workstations comply with the stipulations pursuant to Item 3.1. The rights can be limited according to the customer’s specifications.
b) Other components that use certificates
Certificates must be used as specified by the supplier (e.g., routers, servers, gateway).

1) All product and company names stated in the document are brand names of the respective trademark owners.

3.2 General conditions for applications

3.2.1 Certificates and keys

a) The application must support the relevant certificate profiles (see “Certification Practice Statement” document) as well as key lengths and cryptographic functions (see “Technical Service Specifications” document).
b) The application must be able to either access the private key via a Cryptographic Service Provider (CSP) or PKCS#11 or support the integration of a soft PSE (PKCS#12).

3.2.2 Directory service

a) The client must have an Internet connection.
b) The client application must support the LDAPv3 protocol, and the standard LDAP port 389 must be enabled.
c) If LDAP replications exist, the data is transmitted over a secure connection with a dedicated port.

4 Rate plan models

4.1 Advanced

Within the “Advanced” rate plan, billing is based on a defined maximum number of active certificates per identity, regardless of whether the certificate holder receives two or three certificates. The “Active” status means that the certificate is valid and has not been revoked on a particular date (the 15th day of a calendar month in this case).

4.2 Classic

Within the “Classic” rate plan, billing is based on generated certificates with a validity of one year.

4.3 Classic Pro

Within the “Classic Pro” rate plan, billing is based on generated certificates with a validity of three years.

5 Additional services provided by T-Systems

By agreement and subject to technical and operational feasibility, T-Systems shall perform, in particular, the following additional services against payment of a separate charge based on the list prices in effect when the order is placed:

5.1 Workshop

T-Systems shall offer the customer a workshop for planning and integrating TeleSec Shared Business CA. The goal is to develop a configuration concept that serves as a basis for integrating TeleSec Shared Business CA. The workshop shall be tailored to individual customer requirements and shall generally take place at the customer’s location.

5.2 Training

T-Systems shall offer the customer training in the configuration, use and operation of TeleSec Shared Business CA. The goal is to familiarize the customer with the range of functions of the role-specific websites, in particular the websites for users, master registrars and subregistrars. The training shall generally take place at the customer’s location.

5.3 Customized services

Customized services that are provided for the customer within the scope of TeleSec Shared Business CA (e.g., initial provision and installation of an LDAP replication or the development of a migration concept when changing operators).

5.4 Smart card reader

Sale of the Cardreader Advanced smart card reader (USB) with PIN pad for entering the card PIN (see data sheet).

5.5 Smart card

Sale of the following smart card types, which can be used in conjunction with TeleSec Shared Business CA. The smart cards are based on the TCOS smart card operating system and meet maximum security requirements.
a) Netkey 3.0
Smart card with four key pairs and a key length of 2,048 bits. The smart card can be used for certification by the TeleSec Shared-Business-CA and to produce a qualified certificate.
b) Netkey 3.0 Plug-In
Same services as Netkey 3.0, but in the form of a SIM plug-in.
c) Netkey IDkey
Smart card with up to ten key pairs and a key length of 2,048 bits. This card cannot be used as a key medium for qualified signatures in accordance with the German Digital Signature Act.

5.8 Software card module TCOS 3.0 for Base CSP

Sale of a software tool that enables Microsoft Base Smart Card CSPs to access and use the TCOS 3.0 card.

5.9 Software PKCS#11 SDK for TCOS 3.0

Sale of the software PKCS#11 SDK for TCOS 3.0, which enables the TCOS 3.0 card to be accessed via a PKCS#11 interface.
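Worked example (added here for illustration; it is not code from T-Systems and not part of this specification): the two-level hierarchy of Item 2.1.2 and the certificate bundles of Item 2.4.1, in Go using only the standard library. It builds a constructed root CA and intermediate CA, issues a triple-key bundle for a constructed user, classifies the bundle by the key usage and extended key usage rules stated in 2.4.1 (no extended key usage on the signature and encryption certificates, smart card login plus client authentication on the login certificate), and validates the login certificate's chain once with the root installed as trust anchor and once without it, which is the situation 2.1.2 describes for a root that still requires subsequent installation. The CA names, the user name, the three-year validity, P-256 keys and the time-based serial numbers are assumptions of the example; the bundle rules follow the text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Microsoft smart card logon EKU (1.3.6.1.4.1.311.20.2.2); crypto/x509 has no constant for it.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert: fresh P-256 key plus a certificate with the given profile, signed by parent (nil = self-signed root, 2.1.2).
func newCert(cn string, years int, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage,
	more []asn1.ObjectIdentifier, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // constructed serial
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA:         isCA, BasicConstraintsValid: isCA, KeyUsage: ku, ExtKeyUsage: eku, UnknownExtKeyUsage: more,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// bundleOf names the 2.4.1 bundle a certificate set forms, or "" if none matches: signature and
// encryption certificates carry no EKU at all; the login certificate carries exactly client auth + smart card logon.
func bundleOf(certs []*x509.Certificate) string {
	var sig, enc, both, login int
	for _, c := range certs {
		s, e := c.KeyUsage&x509.KeyUsageDigitalSignature != 0, c.KeyUsage&x509.KeyUsageKeyEncipherment != 0
		client := len(c.ExtKeyUsage) == 1 && c.ExtKeyUsage[0] == x509.ExtKeyUsageClientAuth
		logon := len(c.UnknownExtKeyUsage) == 1 && c.UnknownExtKeyUsage[0].Equal(oidSmartCardLogon)
		noEKU := len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0
		switch {
		case client && logon:
			login++
		case noEKU && s && e:
			both++
		case noEKU && s:
			sig++
		case noEKU && e:
			enc++
		default:
			return "" // e.g. a signature certificate that wrongly carries an EKU
		}
	}
	switch {
	case len(certs) == 1 && both == 1:
		return "single key"
	case len(certs) == 2 && sig == 1 && enc == 1:
		return "dual key"
	case len(certs) == 3 && sig == 1 && enc == 1 && login == 1:
		return "triple key"
	}
	return ""
}

// chainOK validates leaf against the given roots only (an empty pool is "no trust anchor", not the system store).
func chainOK(leaf, intermediate *x509.Certificate, roots ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // the server-auth default would reject the login EKUs
	opts.Intermediates.AddCert(intermediate)
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

// Scenario: root -> intermediate -> triple-key bundle for a constructed user; chain checked with and without the root.
func Scenario() (bundle string, withRoot, withoutRoot bool) {
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := newCert("Example Root CA", 10, true, caKU, nil, nil, nil, nil)
	ca, caKey := newCert("Example Shared Business CA", 10, true, caKU, nil, nil, root, rootKey)
	const user = "user@example.test"
	sigC, _ := newCert(user, 3, false, x509.KeyUsageDigitalSignature, nil, nil, ca, caKey)
	encC, _ := newCert(user, 3, false, x509.KeyUsageKeyEncipherment, nil, nil, ca, caKey)
	logC, _ := newCert(user, 3, false, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []asn1.ObjectIdentifier{oidSmartCardLogon}, ca, caKey)
	return bundleOf([]*x509.Certificate{sigC, encC, logC}), chainOK(logC, ca, root), chainOK(logC, ca)
}
func main() { fmt.Println(Scenario()) }
```

Run with go run; the program prints the bundle name ("triple key") followed by the two chain results (true with the root installed, false without). The classifier inspects only the usage extensions named in 2.4.1; the master domain and subdomain information of 2.4 and the remaining profile fields of the CPS are not checked, and a relying party still has to consult the CRL or OCSP service of Items 2.3.4 and 2.3.5 for revocation, which this example leaves out.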