TeleSec Shared-Business-CA
Service Specifications
T-Systems, last revision: Nov. 1, 2012
This translation is not the authentic text. The German version shall be part of the agreement.

1 General
With the TeleSec Shared-Business-CA PKI service, T-Systems
International GmbH (hereinafter referred to as “T-Systems”)
offers a company Public Key Infrastructure (PKI), using which
the customer himself can issue and administer (revoke, renew, etc.) digital certificates for a wide variety of applications
(e.g., e-mail security, VPN, client-server authentication, Microsoft domain registration) in accordance with the X.509v3
standard. TeleSec Shared-Business-CA offers the possibility
of setting up and using a PKI for in-house identity management within a few days.
T-Systems provides the customer with the infrastructure and
accesses needed for this so that the customer can access the
PKI components in T-Systems’ secure Trust Center via the
Internet from the customer’s location.
2 Standard services provided by T-Systems
2.1 TeleSec Shared Business CA
2.1.1 Domain concept
The customer is set up as an independent client within
TeleSec Shared-Business-CA. The customer can autonomously and independently issue and administer certificates
within his client. In the context of TeleSec Shared Business
CA, the client is also termed the master domain, and the subdivision is called the area of responsibility (subdomain). The
domain names are also added to the certificate.
In this way, this two-level domain concept enables the customer’s organizational structures to be mapped.
2.1.2 Certification authority
Certificates are generally issued by an intermediate certification authority (CA), which in turn is hierarchically subordinate
to a master certification authority (root CA).
In this regard, depending on the type or submission, the certificate can be issued by an intermediate certification authority which is subordinate to either a public or internal master
certification authority. The “Deutsche Telekom Root CA 2”
root authority and the “T-TeleSec GlobalRoot Class 2” are already pre-installed as a trustworthy certification authority
(trust anchor) in many certificate stores and applications.
However, subsequent installation is required for the
“Deutsche Telekom Internal Root CA 1” root authority.
2.1.3 Registration authority
Before a certificate is issued, the requester (individual or device) must be registered. Registration takes place by the customer himself in compliance with the requirements of the
Shared Business CA, essentially the Certification Practice
Statement (CPS). The Shared Business CA provides two options.
– Central registration
The certificate for individuals and devices (see Item 2.3) is
issued centrally by the competent subregistrar, once registration has been successfully completed. The subregistrar
can also process (approve, reject, resubmit) certificate requests that are received via SCEP or e-mail interfaces (see
Item 2.3.2). The stipulations of the registration process are
described in the CPS.
– Local registration
The requester (individual) can submit a certificate request
from a user website. The competent subregistrar carries
out the registration according to the stipulations of the
Certification Practice Statement and approves the request,
provided that no objections exist. The certificate is then
available to the requester for downloading. Provisions regarding the registration process are described in the Certification Practice Statement (CPS).
2.2 Provision of TeleSec Shared Business CA
In order to ensure the fast and straightforward use of TeleSec
Shared-Business-CA, the initial provision includes the installation of a PKI client and the delivery of a basic package of
hardware and software components (smart card reader,
driver software), which forms the basis for accessing the Trust
Center. The basic equipment supports the customer in issuing the soft PSE (file consisting of the certificate and private
key) and placing certificates on a smart card that already has
keys generated on it (smart card personalization).
The initial provision includes the following services:
– Setup of a customer-specific administrative area (client or
master domain)
– Provision of a master registrar certificate on the smart card
for administering the client within the Shared Business CA
– Provision of a subregistrar certificate to administer the areas of responsibility (subdomains) created by the customer within the TeleSec Shared Business CA
– A class-2 smart card reader (with keypad)
– The related CSP software or PKCS#11 module
– Documentation, consisting of the Certification Practice
Statement (CPS), the Service Level Agreement (SLA), the
installation instructions for the registrar PC and the role-specific manuals
The basic package is installed on an Internet-capable standard PC of the customer.
2.3 Provision of the TeleSec Shared-Business-CA service
TeleSec Shared Business CA provides a PKI infrastructure
that is operated by competent staff in T-Systems’ highly secure Trust Center according to the provisions of the Service
Level Agreement (SLA) and the Certification Practice Statement (CPS).
The customer can issue, revoke and renew his own certificates within his administrative area (client or master domain).
The customer is therefore responsible for both key administration and registration.
The TeleSec Shared Business CA service issues certificates
for the following users, depending on their functional roles:
– Registration employees of the domain operator (master
registrar, subregistrars and their derivatives (central key
backup)) as subordinate registration authorities
– Individuals (end users, pseudonyms) as single, dual and
triple key certificates
– Legal entities (such as associations, function groups) as
single, dual and triple key certificates
– Devices (e.g., machines such as routers, gateways, servers, domain controllers or mail gateways)
The certificates are administered after successful authentication in a role-based manner (master registrar, subregistrar,
user) via SSL-protected websites. The Certification Practice
Statement (CPS) documents how to use TeleSec Shared
Business CA.
2.3.1 Certificate administration via role-specific websites
The customer accesses the TeleSec Shared Business CA
website via an SSL-secured Internet connection (HTTPS protocol). Only upon successful authentication (access control)
can the customer’s role holder use his specific TeleSec
Shared Business CA functions. The customer can use the following range of functions, depending on the assigned role.
a) Website for the “master registrar” role
For administering the master domain, the customer (e.g.,
company, institution) names a responsible person to
whom a master registrar certificate is issued and who will
then perform the function of the master registrar.
The website provides the master registrar with the following functions:
- Create, find and process areas of responsibility (subdomains)
- Issue, find and revoke subregistrar certificates; optional: role assignment of subregistrar certificates (derivatives) for downloading p12 or password files with
central key backup according to the principle of dual
control (see Item 2.3.8), optional: role assignment of
CMP certificates for the CMP interface
- Find and process user certificates
- Initiate and download certificate revocation lists (CRL)
- Display and download CA and root CA certificates
- Administer the client by posting advisories, posting
customer documents and changing login data
- Display information such as advisories and download
T-Systems documents
- Renew the master registrar certificate
- Generate statistics within the master domain
At least one area of responsibility (subdomain) must be defined according to the customer’s specifications in order,
for example, to properly map the organizational structure.
The master registrar creates the area of responsibility and
issues a subregistrar certificate for the authorized person.
A subregistrar can also have the rights to administer multiple areas of responsibility.
b) Website for the “subregistrar” role
The subregistrar has the task of initiating the issue of user
certificates within his area of responsibility (see Item 2.1.3
Central registration) or of processing (approving, rejecting,
resubmission, Item 2.1.3 Local registration) certificate requests. The subregistrar carries out the user registration in
accordance with the requirements of the Certification
Practice Statement (CPS). He is also responsible for renewing and revoking certificates.
The following functions are available to the subregistrar on
the website:
- Issue, approve, find and process end user certificates.
In handling the request, attention should be paid to
whether the certificate is to be placed on a smart card
or if key material is to be generated as a soft PSE.
In order to simplify the smart card personalization
process, certificate data can be uploaded and copied
for the request
- Request soft PSEs in bulk mode (bulk generation of
key materials, including certificate)
- Initiate and download certificate revocation lists (CRL)
- Display and download CA and root CA certificates
- Administer the customer-specific domain by posting
advisories, posting customer documents and setting
default user input
- Display information such as advisories and download
T-Systems documents
- Renew the subregistrar certificate
Optional: Pre-registration data (pre-authentication) can
be uploaded as a result of the registration process. Certificate requests that are made via the user website,
mail interface or SCEP interface are checked against
the pre-registration data and processed accordingly. If
the checks have a positive outcome, the certificate is
issued directly. Otherwise the subregistrar must process the request manually.
c) Website for the “user” role
If the user is to request his own certificates, a separate
website is available and provides the following functions:
- Request, retrieve, find, revoke and renew user certificates after successfully logging into the website
- Download certificate revocation lists (CRL)
- Display and download CA and root CA certificates
- Display information such as advisories and download
T-Systems documents
2.3.2 Other interfaces
a) SCEP (Simple Certificate Enrollment Protocol)
TeleSec Shared Business CA supports the request and
administration of certificates for network components
(routers) via the SCEP protocol.
b) E-mail
TeleSec Shared Business CA offers the possibility of requesting certificates for users (single key only) and servers
by e-mail. The request is sent to a defined e-mail address
in compliance with format standards (PKCS#10 request).
After the subregistrar has approved the certificate request,
the certificate is issued to the sender’s e-mail address.
c) CMP (Certificate Management Protocol)
TeleSec Shared Business CA supports the request and
administration of certificates (users, servers) via the CMP
protocol. However, to use this interface, the customer
needs to individually develop a CMP client.
2.3.3 Directory service
T-Systems provides a central directory service for TeleSec
Shared Business CA, which allows the current revocation lists
(CRL, ARL) as well as various certificate types to be retrieved.
Access to the directory service is public or protected by a
user name/password.
The LDAP protocol is used for access.
2.3.4 Revocation lists
Revoked end user and registrar certificates are published in a
certificate revocation list (CRL), which is updated once a day.
Revocation lists can also be initiated on particular occasions
(see Item 2.3.1).
Revoked CA certificates are published in an authority revocation list (ARL). Generation is undertaken by T-Systems on particular occasions but no later than after 6 months.
2.3.5 Online certificate validation
The online validation of end user and registrar certificates is
supported via the OCSP protocol (Online Certificate Status
Protocol).
2.3.6 Setting default values in data fields
The subregistrar role can set default values in certain data
fields for submitting requests.
2.3.7 Information and messages
TeleSec Shared Business CA provides the option of selectively distributing customer-specific items of information as
well as information from T-Systems (advisories and documents) within the role-specific websites (master registrar,
subregistrar and user).
2.3.8 Central key backup for soft PSE
An optional central key backup can also be configured for a
master domain. This makes it possible to upload key material
(private key and certificate) that was not created in bulk and
to store it in the Trust Center. Two additional functional roles
are authorized to separately find and download the p12 and
password file according to the principle of dual control.
2.4 Provision of certificates
In addition to the individual data about the certificate holder,
the requested certificate types always include information
about the master domain and subdomain. The certificates
also contain information about how the key is used (digital
signature, key encryption). The login certificate (see Item
2.4.1, letter c)) contains the attribute “extended key usage”
(smart card login, client authentication). The certificate validity can be set for one year or three years and is valid for the
configured master domain. Other validity periods can be
configured as an option.
2.4.1 Certificates for individuals and legal entities and groups of individuals and functions
According to the configuration, only certain certificate bundles can be requested. These are:
a) Single key
Consists of a certificate that is suitable for the purposes of
key encryption and digital signature. Extended key usage
is not set.
b) Dual key
Consists of two separate certificates, one each for the purposes of key encryption and digital signature. Extended
key usage is not set.
c) Triple key
Consists of three separate certificates, one each for the
purposes of key encryption, digital signature and smart
card-based login to Microsoft Windows domains. Smart
card login and client authentication are set as the extended key usage.
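As an added example (not part of the specification and not TeleSec software), the following Python check classifies a certificate against the single, dual and triple key profiles above and verifies the one- or three-year validity of Item 2.4; it relies on the third-party cryptography package, the keyUsage assumed for the login certificate is an assumption, and the sample certificates it builds are constructed test data.

```python
"""Profile check for TeleSec Shared Business CA end-user certificates: classify a
certificate by keyUsage/extendedKeyUsage against the bundles of Item 2.4.1 and check
the one- or three-year validity of Item 2.4. Added example on the third-party
'cryptography' package, not TeleSec software; the extension encoding is assumed."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SMARTCARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Microsoft smart card logon EKU
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH
# profile -> (keyUsage bits, EKU set). Single/dual key certificates carry no EKU; that the
# login certificate carries digitalSignature is an assumption (the text names only its EKU).
PROFILES = {
    "single-key": (frozenset({"digital_signature", "key_encipherment"}), frozenset()),
    "signature": (frozenset({"digital_signature"}), frozenset()),
    "encryption": (frozenset({"key_encipherment"}), frozenset()),
    "login": (frozenset({"digital_signature"}), frozenset({SMARTCARD_LOGON, CLIENT_AUTH})),
}
OTHER_KU_BITS = ("content_commitment", "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign")


def classify(cert: x509.Certificate) -> str:
    """Return the matching profile name; raise ValueError if the extensions fit none."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    if any(getattr(ku, bit) for bit in OTHER_KU_BITS):  # CA or unrelated bits: not an end-user profile
        raise ValueError("keyUsage carries bits outside the end-user profiles")
    usage = frozenset(b for b in ("digital_signature", "key_encipherment") if getattr(ku, b))
    try:
        eku = frozenset(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = frozenset()
    for name, (want_ku, want_eku) in PROFILES.items():
        if usage == want_ku and eku == want_eku:
            return name
    raise ValueError(f"no profile for keyUsage={sorted(usage)} eku={[o.dotted_string for o in eku]}")


def validity_years(cert: x509.Certificate) -> int:
    """Return 1 or 3 for the standard validity periods (one leap day tolerated); raise otherwise."""
    start = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    days = (end - start).days
    for years in (1, 3):
        if abs(days - 365 * years) <= 1:
            return years
    raise ValueError(f"non-standard validity of {days} days")


def make_test_cert(key_usage: frozenset, eku: frozenset, years: int) -> x509.Certificate:
    """Build a self-signed sample certificate carrying the given extensions (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample user")])
    start = datetime.now(timezone.utc)
    bits = {b: (b in key_usage) for b in ("digital_signature", "key_encipherment")}
    bits.update({b: False for b in OTHER_KU_BITS + ("encipher_only", "decipher_only")})
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + timedelta(days=365 * years))
               .add_extension(x509.KeyUsage(**bits), critical=True))
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False)
    return builder.sign(key, hashes.SHA256())
```

To check a certificate issued by the service, load it with `x509.load_pem_x509_certificate` and pass it to `classify` and `validity_years`; a ValueError means the certificate does not fit any of the documented bundles.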
2.4.2 Certificates for devices
a) Server certificates
Server certificates for authenticating web servers in accordance with the SSL/TLS standard.
b) Router/gateway certificates
Certificates for use in network components.
c) Mail gateway certificates
Certificate for use in an e-mail gateway
d) Domain controller certificates
Certificates are issued for servers that are operated as domain controllers in a Microsoft server domain.
2.4.3 Certificates for the client’s registration employees
Registration employees receive a certificate that is suitable
for the purposes of key encryption and digital signature. Extended key usage is not set.
3 Technical service specifications
3.1 General conditions of PC workstations for issuing, administering and using certificates
3.1.1 Registrar workstation 1)
Certificates are issued and administered from TeleSec
Shared Business CA via web-based components of a workstation computer (PC), which must meet defined requirements.
a) General system requirements
- Standard PC, at least 128 MB of RAM, at least 50 MB of
available hard disk space
- CD-ROM drive
- USB ports for one or two readers
Optional: USB port for removable data media
- Internet port (http protocol, HTTPS); the standard SSL
port 443 must be enabled
- Enabled LDAP port, if access to the LDAP directory
service of TeleSec Shared Business CA is to be supported
- Sufficient access protection to prevent external use
- Rights assignment without preventing or limiting the
ability to request and administer certificates
b) Supported operating systems
- Microsoft Windows 7 (32-bit and 64-bit system), Service
Pack 1. Recommended: All the latest patches should
be installed.
- Microsoft Windows XP, Service Pack 3 (to support
SHA-256). Recommended: All the latest patches
should be installed.
- Microsoft Windows 2000, Service Pack 4 (to support
SHA-1). Recommended: All the latest patches should
be installed.
Personalization software (including the function for local key backup of the encryption certificate) is supported only by Microsoft operating systems. The Windows 95, Windows 98, Windows 98 SE, Windows ME and Windows NT4 operating systems are not approved for master and subregistrar workstations for security reasons.
c) Supported web browsers
- Microsoft Internet Explorer IE 6 to 9
- Mozilla Firefox (16.x recommended)
d) Other
- E-mail account
- Administrator rights for installing the CSP and driver
software and PKCS#11 module for supporting the use
of smart cards
- Optional: telephone line
3.1.2 Other components that use certificates
a) User workstations for e-mail security, client-server authentication or VPN
These workstations comply with the stipulations pursuant
to Item 3.1. The rights can be limited according to the customer’s specifications.
b) Other components that use certificates
Certificates must be used as specified by the supplier
(e.g., routers, servers, gateway).
1) All product and company names stated in the document are brand
names of the respective trademark owners.
3.2 General conditions for applications
3.2.1 Certificates and keys
a) The application must support the relevant certificate profiles (see “Certification Practice Statement” document) as
well as key lengths and cryptographic functions (see
“Technical Service Specifications” document).
b) The application must be able to either access the private
key via a Cryptographic Service Provider (CSP) or
PKCS#11 or support the integration of a soft PSE
(PKCS#12).
3.2.2 Directory service
a) The client must have an Internet connection.
b) The client application must support the LDAPv3 protocol,
and the standard LDAP port 389 must be enabled.
c) If LDAP replications exist, the data is transmitted
over a secure connection with a dedicated port.
4 Rate plan models
4.1 Advanced
Within the “Advanced” rate plan, billing is based on a defined
maximum number of active certificates per identity, regardless of whether the certificate holder receives two or three
certificates. The “Active” status means that the certificate is
valid and has not been revoked on a particular date (the 15th
day of a calendar month in this case).
4.2 Classic
Within the “Classic” rate plan, billing is based on generated
certificates with a validity of one year.
4.3 Classic Pro
Within the “Classic Pro” rate plan, billing is based on generated certificates with a validity of three years.
5 Additional services provided by T-Systems
By agreement and subject to technical and operational feasibility, T-Systems shall perform, in particular, the following additional services against payment of a separate charge based
on the list prices in effect when the order is placed:
5.1 Workshop
T-Systems shall offer the customer a workshop for planning
and integrating TeleSec Shared Business CA. The goal is to
develop a configuration concept that serves as a basis for integrating TeleSec Shared Business CA. The workshop shall
be tailored to individual customer requirements and shall
generally take place at the customer’s location.
5.2 Training
T-Systems shall offer the customer training in the configuration, use and operation of TeleSec Shared Business CA. The
goal is to familiarize the customer with the range of functions
of the role-specific websites, in particular the websites for users, master registrars and subregistrars. The training shall
generally take place at the customer’s location.
5.3 Customized services
Customized services that are provided for the customer within
the scope of TeleSec Shared Business CA (e.g., initial provision and installation of an LDAP replication or the development of a migration concept when changing operators).
5.4 Smart card reader
Sale of the Cardreader Advanced smart card reader (USB)
with PIN pad for entering the card PIN (see data sheet).
5.5 Smart card
Sale of the following smart card types, which can be used in
conjunction with TeleSec Shared Business CA. The smart
cards are based on the TCOS smart card operating system
and meet maximum security requirements.
a) Netkey 3.0
Smart card with four key pairs and a key length of 2,048
bits. The smart card can be used for certification by the
TeleSec Shared-Business-CA and to produce a qualified
certificate.
b) Netkey 3.0 Plug-In
Same services as Netkey 3.0, but in the form of a SIM plug-in.
c) Netkey IDkey
Smart card with up to ten key pairs and a key length of
2,048 bits. This card cannot be used as a key medium for
qualified signatures in accordance with the German Digital
Signature Act.
5.8 Software card module TCOS 3.0 for Base CSP
Sale of a software tool that enables Microsoft Base Smart
Card CSPs to access and use the TCOS 3.0 card.
5.9 Software PKCS#11 SDK for TCOS 3.0
Sale of software PKCS#11 SDK for TCOS 3.0, which enables
the TCOS 3.0 card to be accessed via a PKCS#11 interface.