Certification Practice Statement (CPS)

 


Table of Contents

1       Introduction. 7

1.1        Overview.. 7

1.1.1     Etisalat Role. 7

1.2        Identification. 7

1.3        Community and Applicability. 7

1.3.1     Certification authorities 8

1.3.2     Registration authorities 9

1.3.3     End entities 9

1.3.4     Applicability. 9

1.4        Contact Details 10

1.4.1     Specification administration organization. 10

1.4.2     Contact person. 10

1.4.3     Person determining CPS suitability for the policy. 10

2       General Provisions 10

2.1        Obligations 10

2.1.1     CA obligations 10

2.1.2     RA obligations 11

2.1.3     Subscriber (End Entities) obligations 11

2.1.4     Relying party obligations 12

2.1.5     Repository obligations 12

2.2        Liability. 12

2.2.1     Warranties & Limitation on Warranties 12

2.2.2     Damages Covered and Disclaimers 12

2.2.3     Loss Limitations 12

2.3        Financial responsibility. 13

2.3.1     Indemnification by Relying Parties and subscribers 13

2.3.2     Fiduciary Relationships 13

2.4        Interpretation and Enforcement 13

2.4.1     Governing Law.. 13

2.4.2     Severability. 13

2.4.3     Notice. 13

2.4.4     Dispute resolution procedures 13

2.5        Fees 14

2.5.1     Certificate issuance or renewal fees 14

2.5.2     Certificate access fees 14

2.5.3     Revocation or status information access fees 14

2.5.4     Fees for other services such as policy information. 14

2.5.5     Refund policy. 14

2.6        Publication and Repository. 14

2.6.1     Publication of CA information. 14

2.6.2     Frequency of publication. 15

2.6.3     Access Controls 15

2.6.4     Repositories 15

2.7        Compliance Audit 15

2.7.1     Frequency of entity compliance audit 15

2.7.2     Identity/qualifications of auditor 15

2.7.3     Auditor's relationship to audited party. 15

2.7.4     Topics covered by audit 15

2.7.5     Actions taken as a result of deficiency. 15

2.7.6     Communication of results 15

2.8        Confidentiality. 16

2.8.1     Types of information to be kept confidential 16

2.8.2     Types of information not considered confidential 16

2.8.3     Disclosure of certificate revocation/suspension information. 16

2.8.4     Release to law enforcement officials 16

2.9        Intellectual Property Rights 16

3       Identification and Authentication. 17

3.1        Initial Registration. 17

3.1.1     Basic Certificate Applications' Validation Requirements 17

3.1.2     Types of names 18

3.1.3     Need for names to be meaningful 18

3.1.4     Rules for interpreting various name forms 18

3.1.5     Uniqueness of names 18

3.1.6     Authentication of organization identity. 18

3.1.7     Authentication of individual identity. 19

3.2        Routine Rekey. 19

3.3        Rekey after Revocation. 19

3.4        Revocation Request 19

4       Operational Requirements 20

4.1        Certificate Application. 20

4.2        Certificate Issuance & Application Refusal 22

4.2.1     Demonstration Certificates 22

4.2.2     User Certificates 22

4.2.3     Business User Certificates 22

4.2.4     Server Certificates (including Wildcard) 22

4.2.5     Application Refusal 22

4.3        Certificate Acceptance. 23

4.4        Certificate Suspension and Revocation. 23

4.4.1     Circumstances for revocation. 23

4.4.2     Who can request revocation. 23

4.4.3     Procedure for revocation request 23

4.4.4     Revocation request grace period. 23

4.4.5     Circumstances for suspension. 24

4.4.6     Who can request suspension. 24

4.4.7     Procedure for suspension request 24

4.4.8     Limits on suspension period. 24

4.4.9     CRL issuance frequency (if applicable) 24

4.4.10       CRL checking requirements 24

4.4.11        On-line revocation/status checking availability. 24

4.4.12       On-line revocation checking requirements 24

4.4.13       Other forms of revocation advertisements available. 24

4.4.14       Checking requirements for other forms of revocation advertisements 24

4.4.15       Special requirements re key compromise. 24

4.5        Security Audit Procedures 25

4.5.1     Types of event recorded. 25

4.5.2     Frequency of processing log. 25

4.5.3     Unauthorized Access 25

4.5.4     Retention period for audit log. 25

4.5.5     Protection of audit log. 25

4.5.6     Audit log backup procedures 25

4.5.7     Audit collection system (internal vs. external) 25

4.5.8     Notification to event-causing subject 25

4.5.9     Vulnerability assessments 25

4.6        Records Archival 25

4.6.1     Types of event recorded. 25

4.6.2     Retention period for archive. 25

4.6.3     Protection of archive. 26

4.6.4     Archive backup procedures 26

4.6.5     Requirements for time-stamping of records 26

4.6.6     Archive collection system (internal or external) 26

4.6.7     Procedures to obtain and verify archive information. 26

4.7        Key changeover 26

4.8        Compromise and Disaster Recovery. 26

4.8.1     Computing resources, software, and/or data are corrupted. 26

4.8.2     Entity public key is revoked. 26

4.8.3     Entity key is compromised. 26

4.8.4     Secure facility after a natural or other type of disaster 26

4.9        CA Termination. 26

5       Physical, Procedural, and Personnel Security Controls 28

5.1        Physical Controls 28

5.1.1     Physical access 28

5.1.2     Site location and construction. 28

5.1.3     Power and air conditioning. 28

5.1.4     Water exposures 28

5.1.5     Fire prevention and protection. 28

5.1.6     Media storage. 28

5.1.7     Waste disposal 28

5.1.8     Off-site backup. 28

5.2        Procedural Controls 28

5.2.1     Trusted roles 28

5.2.2     Number of persons required per task. 28

5.2.3     Identification and authentication for each role. 29

5.3        Personnel Controls 29

5.3.1     Background, qualifications, experience, and clearance requirements 29

5.3.2     Background check procedures 29

5.3.3     Training requirements 29

5.3.4     Retraining frequency and requirements 29

5.3.5     Job rotation frequency and sequence. 29

5.3.6     Sanctions for unauthorized actions 29

5.3.7     Contracting personnel requirements 29

5.3.8     Documentation supplied to personnel 29

6       Technical Security Controls 30

6.1        Key Pair Generation and Installation. 30

6.1.1     Key pair generation. 30

6.1.2     Private Key delivery to end entity. 30

6.1.3     Public key delivery to certificate issuer 30

6.1.4     Public key delivery to users 30

6.1.5     Key sizes 30

6.1.6     Public key parameters generation. 30

6.1.7     Parameter quality checking. 30

6.1.8     Hardware/software key generation. 30

6.1.9     Key usage purposes (as per X.509 v3 key usage field) 30

6.2        CA Private Key Protection. 30

6.2.1     Standards for cryptographic module. 30

6.2.2     Private Key (n out of m) multi-person control 30

6.2.3     Private Key escrow.. 31

6.2.4     Private Key backup. 31

6.2.5     Private Key archival 31

6.2.6     Private Key entry into cryptographic module. 31

6.2.7     Method of activating private key. 31

6.2.8     Method of deactivating private key. 31

6.2.9     Method of destroying private key. 31

6.3        Other Aspects of Key Pair Management 31

6.3.1     Public key archival 31

6.3.2     Usage periods for the public and private keys 31

6.4        Activation Data. 31

6.4.1     Activation data generation and installation. 31

6.4.2     Activation data protection. 32

6.4.3     Other aspects of activation data. 32

6.5        Computer Security Controls 32

6.5.1     Specific computer security technical requirements 32

6.5.2     Computer security rating. 32

6.6        Life Cycle Technical Controls 32

6.6.1     System development controls 32

6.6.2     Security management controls 32

6.6.3     Life cycle security ratings 32

6.7        Network Security Controls 32

6.8        Cryptographic Module Engineering Controls 32

7       Certificate and CRL Profiles 33

7.1        Certificate Profile. 33

7.1.1     Version number(s) 33

7.1.2     Certificate extensions 33

7.1.3     Algorithm object identifiers 33

7.1.4     Name forms 33

7.1.5     Name constraints 33

7.1.6     Certificate policy Object Identifier 33

7.1.7     Usage of Policy Constraints extension. 34

7.1.8     Policy qualifiers syntax and semantics 34

7.1.9     Processing semantics for the critical certificate policy extension. 34

7.2        CRL Profile. 34

7.2.1     Version number(s) 34

7.2.2     CRL and CRL entry extensions 34

8       Specification Administration. 35

8.1        Specification change procedures 35

8.2        Publication and notification policies 35

8.3        CPS approval procedures 35

8.4        Abbreviations used in the CPS. 35

 


1         Introduction

1.1        Overview

Etisalat is a regional leader in the in the Public Key Infrastructure (PKI) domain and has been offering its digital certification services since 1999 in the electronic commerce marketplace. The PKI based products and services are offered under the brand name of Comtrust Certification Services (CCS). Running the regions first commercial CA, Etisalat offers a variety of PKI products and services designed to provide secure electronic commerce environments. This service involves the introduction of four types of digital certificates catering to the needs of all the major categories of users.  The CPS will detail the processes involved in delivering Etisalat’s Certification Services. The Certification Practice Statement document defines the practices utilized by Etisalat Certification Authority (CA) & Etisalat Issuing Authority (IA) in issuing, managing, revoking, suspending and renewing of digital certificates. Etisalat issues these digital certificates and provides other general security services to facilitate secure business-to-consumer (B2C) and business-to-business (B2B) electronic commerce. The CPS also defines the operational and general technical procedures followed by Etisalat with respect to managing the Certification processes. The users of Etisalat’s Certification Services are expected to have reasonable knowledge of digital certificates and signatures before they will actually be able to use certificates issued by Etisalat. Further information on digital certificates and their use can be found on Etisalat’s web-site at http://www.etisalat.ae/pki.  The following CPS document will govern the services currently offered by Etisalat for CCS.

1.1.1       Etisalat Role

Etisalat will create, sign and issue digital certificates as a trusted third party. The certificate issuance process will cause binding of the public key of subscribers with certificates issued to such subscribers. The parties relying on certificates issued by Etisalat will be able to check the status of each certificate from a Certification Revocation List (CRL) published by Etisalat and updated regularly.  Etisalat will also establish appropriate number of Registration Authorities (RAs) to help address needs of diverse categories of subscribers. Etisalat Registration Authorities (RAs) will carry out the registration and verification process for subscribers at various locations and communities. Etisalat may also appoint Etisalat Service Representatives at various locations to help Registration Authorities in verifying credentials. Various Etisalat Certification Authority processes are listed below:

• Certificate Application and Enrollment Process 

• Validation of Certificate Application by verifying credentials 

• Issuance of Certificate 

• Communication to Subscriber 

• Certificate Revocation and Certificate Revocation List 

• Expiry of Certificate and Renewal 

• Repository and Directory Services 

1.2        Identification

Document Name: Certification Practice Statement - v1.35.docx dated on 11/17/2009

1.3        Community and Applicability

Etisalat CPS is meant to provide a detailed description of the processes and procedures put in place to operate Etisalat’s Comtrust Certification Services (CCS) to deal with certificate application, verification, issuance, acceptance, suspension, revocation and renewal. Etisalat will abide by the procedures set in this CPS to run CCS and thus the specific type of certificates issued in accordance with this CPS will comply with the set of specific rules set up to manage the same certificate type. This has been essentially put in place to facilitate diverse usage, and accordingly, the reliance levels for a specific type of certificate.

1.3.1       Certification authorities

Etisalat’s Certification Authority currently offers the following types of Digital Certificates.

 

a)      Demo Digital Certificates

b)     User Certificates   

c)      Business User Certificates

d)     Server Certificates (including Wildcard)

 

Each class of certificates provides specific functionality, authentication and security features. Certificate applicants choose from this set of service qualities according to their needs; they must specify which class of certificate they desire. Depending on the type of certificate needed, applicants can apply electronically using Etisalat’s web site at http://www.etisalat.ae/pki, or they may be required to apply in person by visiting either of Etisalat’s offices in Abu Dhabi or Dubai. A brief description of the four types of digital certificates mentioned above is given below:

1.3.1.1      Demonstration Digital Certificates (Demo Certificate)

Any individual can apply for a Demo Certificate. After the completion of an on-line enrolment process, an automated e-mail is sent to the applicant advising them of the availability of Demo Certificate from a secured site of Etisalat. Demo certificates are issued without any reliance value with a validity period of 30 days. These certificates can be used for web browsing and exchanging e-mail messages in a secured manner. Etisalat does not vouch for the identity of the individuals.  

1.3.1.2      User Certificates  

 User Certificates (User Certificates) are currently issued to individuals only. These certificates confirm that the information contained on the certificate is consistent with information on the copy of the passport, residence visa number, credit card number, telephone number, Emirates Internet User ID information or other information submitted by the applicant.  User certificates provide reasonable degree of assurance of the identity of an individual based on verification undertaken by Etisalat. This off-line verification compares the information provided by the applicant during enrolment process with identification documents of subscriber. These identification documents may include copy of passport with residence visa, labor card, driver's license and similar other identification papers. This authentication process is detailed in section 3 of this CPS.  Currently UAE Nationals, Etisalat internet users and all UAE residents and their dependants are eligible to apply for  User Certificates.

1.3.1.3      Business User Certificates

Business User certificates are issued to individuals but purchased by organizations, guaranteeing the identity of each individual as their employees, important customers or business partners. These certificates confirm that the information contained on the certificate is consistent with information provided by the organization. This information includes name as contained in passport, organization and organization unit.  Business User Certificates provide reasonable degree of assurance of the identity of an individual based on confirmation of identity provided by respective organizations contained in the certificate and reviewed by Etisalat.  Currently employees and key customers of all UAE organizations, and leading & known organizations of Gulf Cooperative Council (GCC) countries are eligible to apply for Business User Certificates. The application has to be confirmed by the respective organization through a letter of introduction.

1.3.1.4      Server Certificates (including Wildcard)

Server Certificates are issued to government enterprises (including government owned departments) or business entities only. These certificates provide assurances the existence of the organization to whom it is issued. These are secure server certificates. Validation of Server Certificate applications for organizations includes a thorough review by Etisalat of credentials presented by the applicant, business databases, e-mail and domain name services. The validation process may also include personal contacts by Etisalat Account Managers to ensure identity of organizations. These contacts provide a high degree of assurance on the existence of an organization.  The following entities can apply and subscribe to Etisalat Server Certificates.

§  Businesses holding a valid trade license within the UAE

§  Foreign governments and government owned departments

1.3.2       Registration authorities

As and when business conditions so dictate, Etisalat may appoint Registration Authorities in various parts of the UAE.  All Registration Authorities shall conform to the provisions of this CPS.   

1.3.3       End entities

Currently only UAE Nationals, UAE Residents and businesses holding a valid trade license within the UAE are allowed to apply for and subscribe to  User Certificates. However, leading organizations from Gulf Cooperative Council (GCC) countries may purchase Business User Certificates for their employees, key customers and business partners and may have such employees, customers and partners enroll for certificates. The following entities can apply and subscribe to Etisalat Server Certificates.

§  Businesses holding a valid trade license within the UAE

§  Foreign governments and government owned departments (upon presentation of evidence of authority of the applicant to bind the particular government /department).

Demonstration Certificates are issued to applicants irrespective of their nationality and origin. End entities are also referred to as Customers or Subscribers and shall include only individuals subscribing to one of the four types of certificates. 

1.3.4       Applicability

Demo Certificates merely represent that the owner of the Certificate is the user of the e-mail account. Demo certificate do not provide assurance on the identity of individual to whom it is issued. As such these certificates are issued without any reliance value for third parties and are only intended for demonstration purposes.

 

User Certificates can be used to exchange e-mail in a secured environment, as a secure replacement of passwords, to facilitate authentication where proof of identity is required such as on-line purchasing, payment of on-line bills and other similar on-line applications.

 

Business User Certificates can also be used to exchange e-mail in a secured environment, as a secure replacement of password to access applications, or facilitate authentication of proof of identity and association with an organization where it is important.

 

Server Certificates (including Wildcard) are issued primarily to establish identity of web-site on the net and to facilitate business transactions on this site in a secured manner. Typical applications of Server Certificates include; e-tailing, e-banking, on-line payments, membership based services and other similar types of applications.

1.4        Contact Details

1.4.1       Specification administration organization

This CPS is administered by Etisalat Certification Services in accordance with section 8 of this CPS.

1.4.2       Contact person

Comments, suggestions and all queries concerning this CPS must be addressed to:

 

Etisalat

eBusiness Solutions

P. O. Box 93939

Dubai, United Arab Emirates 

Attn: Certification Services

Ph: Local 101. From International: 00971 4004101

Fax: Local 105. From International: 00971 4004105

Email: pkihelp@eim.ae

Web Site: http://www.etisalat.ae/pki

1.4.3       Person determining CPS suitability for the policy

Etisalat’s Certification Services is responsible for determining the suitability of this CPS and can be contacted as stated in sub section 1.4.2 of this CPS.

 


2         General Provisions

2.1        Obligations

Etisalat obligations in respect of CCS are as follows:

2.1.1       CA obligations

a)      Provision of the infrastructure and Certification Services, including the establishment and operation of the Etisalat repository.

b)     Provision of controls and foundation for PKI, including IA key generation, key protection, and secret sharing (challenge phrase related) procedures.

c)      Performance of the application validation procedures for the respective class of certificate in accordance with this CPS.

d)     Issuance of certificates in accordance with this CPS and honoring the various representations to subscribers and to relying parties as described in this CPS.

e)      Publication of accepted certificates in accordance with this CPS.

f)      Make reasonable effort to confirm certificate application information and issue end-user subscriber certificates once all relevant information is provided to one of the designated office of Etisalat within the following time periods:

 

Certificate Type

Time Periods

DEMO Digital Certificate

“Immediately” to 24 Hrs

User Certificates

“Immediately” to 5 Business Days

Business User Certificates

1 to 3 Business Days

Server Certificates (including Wildcard)

1 to 5 Business Days

 

g)      Performance of the obligations of an IA and supporting the rights of the subscribers and relying parties who use certificates in accordance with this CPS.

h)     Suspension and revocation of certificates as detailed in this CPS,

i)       Facilitating of the expiration and renewal of certificates as stated in this CPS.

j)       Making a reasonable effort to comply with the provisions contained in CPS sub section 2.1.1 and 2.1.2.

 

To avoid any ambiguity, Etisalat guarantees that its own private keys are not compromised. In the event of such compromise, Etisalat will provide notice to the contrary via the Etisalat repository and revoke all certificates issued by the CA. Etisalat does not make any other warranties and has no further obligations under this CPS.

2.1.2       RA obligations

Etisalat shall appoint appropriate number of Registration Authorities (RA) in different parts of United Arab Emirates keeping in view the requirements of businesses. It shall be the responsibility of RAs, to examine, approve or reject certificate applications on behalf of Etisalat CA.

 

Following is the obligations of Etisalat RAs:

a)      To accurately represent to CA, the information gathered from the certificate applicants.

b)     (Persons or organizations, who have enrolled for a Demo,  User certificate, Business User Certificate or Server certificate).

c)      To process applicants’ and subscribers’ request in a prompt and timely fashion in accordance with this CPS.

d)     In the process of examining certificate applications, RAs may rely upon appropriate credentials presented by the applicant. These credentials may include passport copy, labor card, driving license for individuals, trade license and similar other documents for organizations.

e)      To maintain the supporting evidence for certificate issuance requests made to Etisalat.

f)      Comply with all the provisions of Etisalat CPS and the CCS business procedures.

g)      Protect its private key and use it for its RA function only.

2.1.3       Subscriber (End Entities) obligations

The following are the obligations of the subscribers of Etisalat’s CCS:

a)      That all the information presented in certificate application is accurate and up to date in all respects.

b)     That the digital signatures generated using the private key corresponding to public key relates to certificate obtained by presenting accurate information. The subscriber further represent that certificate is not revoked or cancelled.

c)      That it is the sole responsibility of subscriber to safeguard his or her private key.

d)     That the subscriber acknowledges that he or she is aware of contents of the certificate and information contained therein is accurate. It shall be the responsibility of subscriber to notify any change that renders part or all information to be obsolete.

e)      That the certificate is being used exclusively for authorized and legal purposes, consistent with this CPS.

f)      That the subscriber shall use the private key for the purpose of generating digital signatures solely as an end-user.

g)      That by enrolling for a certificate issued by Etisalat, the subscriber certifies and acknowledges that they agree to the terms and conditions contained in this CPS and the applicable subscriber agreement relevant to the type of certificate issued and accepted.

2.1.4       Relying party obligations

Relying parties' obligations are as follows:

a)      Relying parties should use the certificate for the purpose for which it was issued in the first place strictly in accordance with this CPS.

b)     Relying parties are obliged to check each certificate for its validity as described in the X.509 standard. For validation purposes Etisalat directory services can be used.

c)      A party receiving a digitally signed message may rely (relying party) upon digital signature if:

                            i.          The validity of certificate has been verified by the recipient to the extent that the signatures were created within the validity of certificate.

                           ii.          If the circumstances are such that a person of ordinary prudence will be satisfied that no further assurance, other than that provided by certificate, is necessary.

d)     The relying party should ensure that the reliance is keeping in view the class of certificate and associated liabilities assumed by Etisalat.

e)      All the responsibilities with respect to reliance on an unverifiable signature shall rest with the relying party and Etisalat assumes no responsibility with respect to such reliance.

f)      In case of a dispute, a relying party that is found to have acted in a manner inconsistent with the obligations listed above will have no valid claim against Etisalat.

2.1.5       Repository obligations

CCS is obliged to timely publish the certificates and the Certificate Revocation List. . On-line validations are available through a link from Repository while certificate validation can be performed through Etisalat directory. Please refer to LDAP procedures in Repository for validation services. 

2.2        Liability

2.2.1       Warranties & Limitation on Warranties

a)      Etisalat warrants that they will operate and provide their certification services in accordance with the terms of this CPS. Etisalat promise to ensure that the technology implementation and services performed as Certification Authority are in accordance with the provisions of this CPS.

b)     Etisalat warrants that it will publish accepted certificates and Certificate revocation list in accordance with this CPS.

c)      Etisalat warrants that they will only suspend and revoke certificates as specified by this CPS, provide for the expiration and renewal of certificates as stated in this CPS.

d)     Etisalat warrants that their own private keys are not compromised unless they provide notice to the contrary via the Etisalat repository.

e)      Etisalat makes no other warranties and has no further obligations under this CPS.

2.2.2       Damages Covered and Disclaimers

Except as expressly provided in the foregoing (CPS sub section 2.2.1), Etisalat disclaims all warranties and obligations of any type, including any warranty of merchantability, warranty of fitness for a particular purpose, and any warranty of the accuracy of unverified information provided.

2.2.3       Loss Limitations

a)      In no event shall Etisalat be liable for any indirect, incidental or consequential damages, or for any loss of profits, loss of data, or other indirect, consequential or punitive damages arising from or in connection with the use of CCS, or any other transactions or services offered or contemplated by this CPS.

b)     The aggregate liability of Etisalat to any and all parties (including without limitation a subscriber, an applicant, a recipient, or a relying party) concerning a specific certificate shall be limited to an amount not to exceed the following liability caps, for the aggregate of all digital signatures and transactions related to such certificate:

 

Certificate Type

Aggregate Liability CAPS

DEMO Digital Certificate

Not applicable

User Certificates

AED 200 (UAE Dirhams Two Hundred Only)

Business User Certificates

AED 1000 (UAE Dirhams One Thousand Only)

Server Certificates (including Wildcard)

AED 100,000 (UAE Dirhams One Hundred Thousands Only)

2.3        Financial responsibility

2.3.1       Indemnification by Relying Parties and subscribers

Etisalat assumes no financial responsibility for improper use of certificates. In addition to all other obligations set-out in this CPS, the subscribers are liable for any misrepresentations they may have made in certificate application or to third parties. The Subscribers and Relying parties indemnify Etisalat from any loss, damage or liability resulting from improper use of certificates and Certificate Revocation List (CRL).

2.3.2       Fiduciary Relationships

Neither Etisalat nor the subscriber shall be treated as agent, fiduciary, trustee, or other representative of subscribers or relying parties. Etisalat expressly denies any representation to the contrary.

2.4        Interpretation and Enforcement

2.4.1       Governing Law

The United Arab Emirates law shall govern the enforceability, interpretation, and validity of this CPS.

2.4.2       Severability

In the event that any terms, conditions or provision of this CPS are rendered invalid, unlawful or unenforceable, for whatever reason, the remaining terms and conditions or provisions shall remain valid and applicable. Each provision of this CPS shall stand enforceable independent of other provisions.

2.4.3       Notice

All notices to Etisalat shall be given in writing and sent to Etisalat Office in Dubai, UAE at the address below:

 

Etisalat

eBusiness Solutions

P. O. Box 93939

Dubai, United Arab Emirates 

Attn: Certification Services

 

Such notices shall be treated as valid 24 hours (Excluding week-end periods of Friday and Saturday) after the delivery of notice to Etisalat post box. Such notices can also be sent through a digitally signed e-mail messages.

2.4.4       Dispute resolution procedures

Any dispute, controversy or claim arising out of or relating to this CPS or the breach, termination or invalidity thereof shall be resolved by conciliation. If such negotiations for conciliation are not concluded within thirty (30) days of written notice given by the party requesting negotiations, either party may seek to resolve the dispute by means of arbitration in accordance with the provisions contained herein.  The arbitration tribunal shall be composed of three arbitrators (unless the parties agree on a single arbitrator) under UAE arbitration laws. Proceeding shall be conducted in English language unless the parties otherwise agree. Arbitration awards made pursuant to this article shall be final and binding upon the parties and shall be enforceable in any court of competent jurisdiction. Each party shall bear its own costs, including legal fees, except that the costs of the arbitration shall be borne, as the arbitrators shall determine. 

2.5        Fees

All subscribers and other parties shall pay fees in accordance with published tariff of Etisalat, as amended from time to time, for use of its certification services.  All such schedules and amendments thereof shall be published on Etisalat web site at http://www.etisalat.ae/pki.  All changes shall be effective 15 days after such changes are published on the web-site.

2.5.1       Certificate issuance or renewal fees

Demo Certificates will be provided to the applicants free-of-charge for a period of 30 days while payment against issuance of User Certificates  will be made through credit cards only authorized on-line via Etisalat payment gateway on submission of certificate application. However, Business Users, Server Certificate (including WildCard) subscribers will have an option to pay either by a corporate credit card, Bank Deposit or by cheque to be furnished with the credentials requested for submission by Etisalat. 

2.5.2       Certificate access fees

Access to certificates on CCS directory is free of charge except for any communication costs that users may incur.

2.5.3       Revocation or status information access fees

Access to Etisalat CRLs is free of charge except for any communication costs that users may incur.

2.5.4       Fees for other services such as policy information

Please refer to sub section 2.5.of this CPS titled Fees. 

2.5.5       Refund policy

No refund shall be provided once a digital certificate has been issued.

2.6        Publication and Repository

2.6.1       Publication of CA information

a)      CCS as a CA will publish the following in its repositories:

(i)     Etisalat CPS – Etisalat may amend or modify this CPS from time to time. Each change shall become effective fifteen (15) days after Etisalat publishes the same in the Etisalat repository unless

a)      Etisalat has published a notice of withdrawal of the proposed change in the Etisalat repository prior to the end of such fifteen (15) days period, or

b)     Failure by Etisalat to make the proposed change may result in a compromise of the CCS or any portion of it, in which case, the proposed change is effective upon publication in the Etisalat repository. A subscriber’s decision not to request revocation of his, her, or its certificate following the publication of a proposed change shall constitute agreement to the change. This CPS can be accessed on Etisalat repository at http://comtrust.etisalat.ae/cps.html.

 

(ii)   Certificate Revocation List – Upon suspending or revoking a certificate, Etisalat will publish notice of the suspension or revocation in the Etisalat repository. Etisalat may publish a certificate revocation list (CRL) containing revoked certificates.

 

(iii) All certificates issued –Upon notifying the subscribers of the availability of certificate for download, Etisalat shall publish a copy of the certificate in the Etisalat directory Servers. By publishing a certificate, Etisalat certifies to all who reasonably rely on the information contained in the certificate that it has issued the certificate to the subscriber and that the subscriber has accepted the certificate.

2.6.2       Frequency of publication

a)      CPS publication per sub section 8 of this CPS.

b)     CRL publication per section 4.4.9 of this CPS.

2.6.3       Access Controls

Etisalat CPS, respective Subscriber Agreements, certificates, certificates status and CRLs are pieces of publicly available information and shall be published at Etisalat repository. However, where deemed appropriate, Etisalat may implement access control to certain publications in such a way that only subscribers and other parties, on the basis of pre-determined criteria, are given the privilege to access all or part of this information. 

2.6.4       Repositories

Etisalat shall take immediate action to publish certificates issued, amendments in CPS, updated certificate revocation list, notices, tariff and all other information, consistent with this CPS and applicable law on its web-site. Most of this information shall be available in Etisalat repository, which is accessible at http://www.etisalat.ae/pki.

2.7        Compliance Audit

2.7.1       Frequency of entity compliance audit

a)      Etisalat Certification Authorities may undergo an Internal Audit at any time to monitor and ensure that CA and RAs are operating in accordance with the practices and procedures set in this CPS and in other internal documents.

b)     Compliance audit by an external party will be conducted at a frequency, deemed appropriate by Etisalat, to ensure that CA is operating strictly in accordance with this CPS and other applicable agreements, guidelines, procedures, and standards.

2.7.2       Identity/qualifications of auditor

An independent third party public accountant with demonstrated expertise in computer security or an accredited & professional computer security company shall audit the operations of Etisalat to evaluate its compliance with this CPS. 

2.7.3       Auditor's relationship to audited party

The Independent auditor shall be an organization, separate from Etisalat and independent of any influence by Etisalat. Since Etisalat is not the author of such audit reports it is, therefore, not responsible for their content. Etisalat does not express any opinion on such audit reports and shall not be held responsible for any damages to anyone resulting from reliance on such audit reports. 

2.7.4       Topics covered by audit

Please refer to sub section 2.7.1 of this CPS.

2.7.5       Actions taken as a result of deficiency

Etisalat Certification Services shall be responsible to prescribe an appropriate remedy as soon as it is made aware of a discrepancy as a result of compliance audit. The remedy proposed by Etisalat Certification Services will largely depend on the type of discrepancy reported. 

2.7.6       Communication of results

Audit results will be communicated to Etisalat Certification Services, CA and the RAs.

The results thus communicated will not have the details that can breach the trust of certificates issued by the CA.

2.8        Confidentiality

2.8.1       Types of information to be kept confidential

The following information shall be considered confidential by Etisalat and may not be disclosed to third parties except on the consent of the subscriber or required by a court of law:

 

a)      Signed Subscriber agreements

b)     Application related information and records

c)      Transactional records

d)     Audit reports results of sensitive nature

e)      Information on operation of Etisalat CA

f)      Contingency planning and disaster recovery plans

g)      Details of Security measures controlling the operations of Etisalat’s CCS

h)     Information relating to applicants other than as stipulated in this agreement.

2.8.2       Types of information not considered confidential

Information related to subscribers typically given in a certificate, CRLs, revocation and suspension are not considered confidential. All other information appearing in Etisalat repository per this CPS is also not considered confidential.

2.8.3       Disclosure of certificate revocation/suspension information

Information related to certificate revocation and suspension is not considered confidential and therefore will be disclosed in accordance with this CPS.

2.8.4       Release to law enforcement officials

Etisalat warrants that all confidential information will not be disclosed without an authenticated request made prior to such disclosure from the person who has provided such information to Etisalat, or required through a court order.

2.9        Intellectual Property Rights

All Intellectual Property Rights shall remain vested in the party creating or owning the same and nothing in this CPS shall confer or be deemed to confer on any party any rights or licenses of the Intellectual Property Rights of the other party. It is the responsibility of Certificate applicants and subscribers to ensure that information submitted by them, use of a domain name and other names, etc. do not infringe upon any form of property rights of third parties. The certificate applicants and subscribers indemnify Etisalat from any claim, losses, damages or liabilities arising any act of such property right violations.


3         Identification and Authentication

3.1        Initial Registration

3.1.1       Basic Certificate Applications' Validation Requirements

Following an on-line or offline certificate application submitted by an individual or organization, Etisalat will undertake a validation process to obtain reasonable assurance that the applicant is the person who he claims to be and that the information provided by the individual and/or organization at the time of enrolment is accurate.

3.1.1.1      Certificate Applications Validation Procedure

In line with the validation requirements mentioned above, Etisalat will implement the following internal validation procedures:

 

·        Compare and confirm the accuracy of application data gathered against the credentials

·         User Certificates: The subscribers will be expected to present the following required documents and one of the optional documents for the purpose of verification by an Etisalat Service Representative: The condition of showing original may be waived by RA in circumstances where the subscriber is also a subscriber of Etisalat's Land telephone lines service or Etisalat Internet service and the individuals records can be verified from Internet records by the RA.

 

Required Documents:

 

(i)     Copy of passport with valid residence visa (original to be shown to an Etisalat Service Representative)

 

Optional Documents (one or more may be required at the discretion of RA)

 

1.      Employer/Company/Sponsor’s letter

2.      Copy of UAE Driver’s license

3.      Other form of identification from government or employer

 

After verifying these documents, Etisalat Service Representative will sign and submit copies of these documents to the respective Registration Authorities. Alternatively, documents may be directly submitted to Etisalat RA.

 

Business User Certificates:

 

The validation of applicants will be carried out on the basis of information provided by the respective organizations, purchasing these certificates in bulk. These organizations will be required to provide at minimum  the following:

 

(i)     Copy of a valid trade license (Not required for Government Institutions)

(ii)   A signed copy of the “Business User Certificate Subscriber Agreement” by an authorized signatory within organization.

(iii) A “Letter of Authorization” including the name of the Authorized Administrator as well as the list of approved users within the organization.

(iv)  If necessary, Etisalat may take further appropriate measures to verify identities.

 

 

 

 

 

 

 

 

Server Certificates (including Wildcard):

 

In addition to the verification of the information submitted by the applicant on-line (or off-line) to Etisalat, the documents listed below may be requested from the applicant for validation before issuance of server certificates. Organizations will be required to provide at minimum the following:

 

(i)     Copy of a valid trade license (Not required for Government Institutions and registered Enterprise Customers)

(ii)   Official request letter from the company signed by the Authorized Signatory indicating the following:

1.      Reference number of server certificate enrollment

2.      Domain name requiring server certificate

(iii) Passport copy of Authorized Signatory

(iv)  Payment information (corporate credit card or cheque)

(v)   Evidence of authority binding the applying entity to a particular government / government owned department (Required in the case of application from foreign governments)

(vi)  Additional documents may be needed by the RA at its discretion.

3.1.2       Types of names

Etisalat will follow X-509 naming conventions.

3.1.3       Need for names to be meaningful

The certificates issued by Etisalat shall have legal names of the person to whom the certificate is issued along with name of the organization associated with that person, locality and country.

3.1.4       Rules for interpreting various name forms

See section 7.1.4.

3.1.5       Uniqueness of names

Etisalat will create the unique name by using common name, e-mail, Country, and locality & DN qualifier.

3.1.5.1      Name claim dispute resolution procedure

Etisalat shall have the sole authority to resolve the disputes relating to claims of names. Etisalat shall be the sole and final arbitrator in all such cases.

3.1.5.2      Recognition, authentication and role of trademarks

a)      Etisalat cannot guarantee that the names issued will contain the requested trademarks.

b)     Etisalat will not perform any trademark infringement investigation at the time the naming information is provided by a subscriber. Etisalat is not liable for any trademark infringement by a subscriber or a third party.

3.1.6       Authentication of organization identity

After on-line (or off-line) registration, the applicant is advised of the requirements to prove their identity and proofs relating to the organizations identity by submitting a signed copy of the required credentials, as listed in section 3.1.1.1 for server certificate, and an original letter from the business entity confirming the identity of the applicant by providing their residence telephone number, mobile phone number and/or e-mail (giving details of such subscriptions). If the  application originates from foreign governments, Etisalat will require in addition  evidence of authority binding the applying entity to the particular government / government department. The original documents will need to be shown to the Account Manager or Registration Authority. 

 

Where circumstances so dictate and as deemed required Etisalat may confirm the business entity’s name, address, and other registration information through use of independent sources and databases available to it and through inquiries made to the appropriate government entities. Etisalat, at any time, may involve third parties for providing all or any of the confirmations needed for this purpose. Confirmation of information of companies, banks, and their agents requires certain procedures focusing on specific business-related criteria (such as proper business registration). At times, if requested by Etisalat, the certificate applicant may be required to provide additional information and proof before issuance of certificates. All such additional validations shall be done at the expense of Subscriber.

3.1.7       Authentication of individual identity

After on-line registration, an applicant is advised on the requirements to prove their identity by submitting required credentials, as listed in section 3.1.1.1 of this CPS for Class 1 User Certificate for further verification.

3.2        Routine Rekey

Etisalat will make a reasonable effort to notify subscribers, via E-mail, of the up-coming expiration of their certificates (except for revoked certificates and Demo Certificates). The e-mail notice is intended solely for the convenience of the subscriber and will be sent to the subscriber 30 days prior to the expiration of the relevant certificate.

3.3        Rekey after Revocation

Not Available 

3.4        Revocation Request

The subscriber of a digital certificate may at any time request revocation of the certificate. The revocation request can either be made through sending a digitally signed email to Etisalat at pkihelp@eim.ae. In case the subscriber is not in possession of the private key, then he or she can request revocation by calling Etisalat contact center at 101 and by presenting the password selected by them during the certificate enrollment stage.


4         Operational Requirements

4.1        Certificate Application

All applicants desiring Etisalat certificates are required to complete the following procedure for each certificate application.

 

·        To register on-line, generate a key pair and submit public key of this key pair to Etisalat. 

·        Prove identity by submitting required documents in accordance with section 3.1.7 to Etisalat Service Representative at one of the branches of Etisalat. 

·        Protect the private key (of this key pair) from compromise in accordance with sub section 6.2 of this CPS.

 

Currently only UAE Nationals, UAE Residents and businesses holding a valid trade license within the UAE are allowed to apply for and subscribe to  User Certificates. However, leading organizations from GCC countries may purchase Business User Certificates for their employees, key customers and business partners and may have such employees, customers and partners enroll for certificates.

 

The following entities can apply and subscribe to Etisalat Server Certificates.

 

·        Businesses holding a valid trade license within the UAE

·        Foreign governments and government owned departments (upon presentation of evidence of authority of the applicant to bind the particular government /department)

 

Demonstration Certificates are issued to applicants irrespective of their nationality and origin. End entities are also referred to as Customers or Subscribers and shall include only individuals subscribing to one of four types of certificates.

 

Application procedures involve furnishing the following information to Etisalat:

 

Certificate Type

REQUIRED INFORMATION

DEMO Digital Certificate

Individuals:

Required Information (web based)

First Name

Last Name

Gender

Nationality

Company

Department

Type of Business

Designation (optional)

Country

City

Telephone

Fax

E-mail Address

 

Other Information

 

(a) As prescribed by Etisalat (Details can be found on relevant enrolment form available from Etisalat repository) Enrolment Application: The certificate applicant is expected to apply for a demo certificate on-line accessing the enrolment site of Etisalat demo certificate.

The applicant also accepts terms of conditions of the certificate before submitting the enrolment information to Etisalat. Following the enrolment process, an e-mail is sent to the applicant to download the certificate from a secured site of Etisalat by presenting a confidential reference number.

User Certificates

Individuals:

Required Information (web based)

First Name

Last Name

Gender

Nationality

Type of Business

Mailing Address

Country

City

Telephone 

Fax

E-mail Address

Cryptographic Service Provider (CSP)

Validity Period

Credit Card Number

Credit Card Type

Credit Card Expiry Date

Credit Card Holder Name

 

Identification Information at Etisalat’s discretion:

 

To include any or all of the following:

Applicant Identification Data (Passport no., Passport Validity, UAE Residence Visa no.,

Residence Visa Expiry Date, Tenancy Contract, etc, For details, please refer to section 3.1.1.1)

 

Enrolment Application: The certificate applicant is expected to apply for a Class-1 certificate on-line by accessing the enrolment site of Etisalat  User Certificate and after accepting the online agreement. Following this enrolment, the certificate applicant is requested to prove their identity by presenting credentials as listed in section 3.1.1.1 of this CPS to an Etisalat Service Representative and sign an agreement. If the application is approved, the applicant is communicated to download the certificate from a secured site of Etisalat.

Business User Certificates

Individuals:

Required Information (web based)

First Name 

Last Name 

Gender 

Nationality 

Company

Department

Type of Business

Mailing Address 

Designation 

Country

City 

Telephone 

Fax 

E-mail Address 

Cryptographic Service Provider (CSP)

 

Identification Information at Etisalat’s discretion:

 

For more details, please refer to section 3.1.1.1

 

Enrolment Application: The certificate applicant is expected to apply for a Business User certificate on-line by accessing the enrolment site of Etisalat Business User Certificate. The authentication of individual is done on the basis of a letter provided by their organization.  If the application is approved, the applicant is communicated to download the certificate from a secured site of Etisalat.

Server Certificates (including Wildcard)

Government, Business Enterprises & Public Organizations:

 

Required Information (web based)

First Name

Last Name

Gender

Nationality

Company

Department

Type of Business

Mailing Address

Designation

Country

City

Telephone

Fax

E-Mail

Credit Card No. 

Credit Card Type 

Credit Card Expiry Date 

Card Holder's Name 

 

Identification Information at Etisalat’s discretion:

 

For more details, please refer to section 3.1.1.1

 

Method of Communicating Application: 

 

The certificate applicants are expected to apply for a Server certificate on-line accessing the enrolment site of Etisalat Server Certificate or through one of the Account Managers of Etisalat.  In case of an online enrolment, the online agreement must be accepted by the applicant before proceeding for enrolment. Following this enrolment process, applicants are expected to prove their identity by presenting credentials as listed above and in section 3.1.1.1 of this CPS.  They are also expected to sign an agreement, if enrolment is offline. If the application is approved, the applicant is communicated to download the certificate from a secured Etisalat site or alternatively, certificate can also be provided on a computer diskette.

 

4.2        Certificate Issuance & Application Refusal

Upon approving a certificate application, Etisalat issues a certificate. The issuance of a certificate indicates a complete and final approval of the certificate application by Etisalat.

4.2.1       Demonstration Certificates

Upon completion of specified validation procedures, Etisalat sends an e-mail to the certificate applicant communicating a certificate reference number and URL of a website from where the respective Demo Certificate can be downloaded by the applicant.

4.2.2       User Certificates

Upon completion of specified validation procedures listed under sub section 4.1 of this document, Etisalat sends an e-mail to the e-mail address that was previously provided by the certificate applicant during the certificate application phase. This e-mail contains a URL that authorizes the certificate applicant to download the certificate from Etisalat.

4.2.3       Business User Certificates

Upon completion of specified validation procedures listed under sub section 4.1 of this document, Etisalat sends an e-mail to the customer Authorized Administrator which contains the enrollment URL. The administrator may choose to visit the enrollment URL and apply for business user certificates on behalf of the users, or alternatively provide this URL to their users and ask them to apply for a business user certificate directly.

4.2.4       Server Certificates (including Wildcard)

Upon completion of specified validation procedures listed under sub section 4.1 of this document, Etisalat sends an e-mail to the e-mail address that was previously provided by the certificate applicant during the certificate application phase. This e-mail contains a URL that authorizes the certificate applicant to download the certificate from Etisalat. Alternatively, on Etisalat’s sole discretion, a certificate can also be provided to an applicant on a computer diskette as required and paid for by the applicant after completion of the verification procedures.

4.2.5       Application Refusal

At its sole discretion, Etisalat may refuse issuance of certificate to any individual without assigning any reason and without incurring any liability, whatsoever.  However, when a validation fails, Etisalat shall reject the certificate application and promptly notify the certificate applicant of the validation failure and providing the reason (except where prohibited by law) for such failure. Such notice shall be communicated to the certificate applicant by Etisalat via e-mail or fax as appropriate. A person or a business entity whose certificate application has been rejected may re-apply later.

4.3        Certificate Acceptance

The certificate is deemed to be a valid certificate upon the subscriber’s acceptance which happens during enrolment, credentials verified and an e-mail containing relevant URL & Certificate reference number is sent to the subscriber. The relevant certificate will be published at Etisalat’s directory, once intimation relating to availability of certificate for download is sent to the subscribers. 

4.4        Certificate Suspension and Revocation

4.4.1       Circumstances for revocation

Etisalat shall make a reasonable effort to suspend or revoke a certificate, if it determines any of the following:

a)      Upon receiving a request from the subscriber after authenticating that the requester is the subscriber or a legally authorized representative of the subscriber.

b)     A compromise (including: loss, theft, modification and unauthorized disclosure) of the private key or system materially affecting the certificate's reliability.

c)      The subscriber has failed to meet any material obligation under this CPS.

d)     Any act of God, natural disaster, or any other factor beyond human control rendering private key associated with certificate being compromised or not usable.

e)      Certain information submitted by the applicant are learned to be inaccurate at any point after issuance of certificate 

f)      A condition relating to use of certificate are not satisfied. 

g)      Trade license of the organization has expired and renewal is not provided to Etisalat within the grace period of one month from expiry of such license. Etisalat will notify the organization to provide a copy of renewed trade certificate on or about the date of such expiry.

 

In the event revocation happens due to CA compromise or any human errors on behalf of CCS, CA will provide a new equivalent certificate to the subscriber, free of charge. Moreover, suspension and revocation services are not available for Demonstration Certificates. 

4.4.2       Who can request revocation

The revocation request can be made by:

-        The subscriber in whose name this certificate has been issued.

-        Etisalat Registration Authority

-        Authorized Etisalat employee finding out that a subscriber has failed to meet their obligations.

-        The organization concerned, in writing, for Business User Certificates issued to individual on its request.

4.4.3       Procedure for revocation request

a)      Revocation can be a request in the form of an authenticated record from the subscriber or its agent, authenticated by means of a password or recitation of certain pre-submitted enrolment information. An authenticated record is generated by subscriber’s personal presence, phone call followed by a letter in original, digitally signed e-mail message to pkihelp@eim.ae , by mail or by fax to be followed by a letter in original.

b)     A completely documented and valid revocation request will be followed within a maximum period of 2 working days. As a result of such an investigation, CCS will either authenticate and validate the revocation request by revoking the certificate or otherwise, unsuspend it. For clarity, revocation is an irreversible process.

c)      Revocation of a certificate shall not affect any underlying contractual obligations created or communicated under this CPS.

4.4.4       Revocation request grace period

As explained in sub section 4.4.3 b) of this CPS. 

4.4.5       Circumstances for suspension

Not Available

4.4.6       Who can request suspension

Not Available

4.4.7       Procedure for suspension request

Not Available

4.4.8       Limits on suspension period

Not Available

4.4.9       CRL issuance frequency (if applicable)

CRL issuance frequency shall be once in every twenty-four hour.

4.4.10    CRL checking requirements

The relying party must determine if any of the certificates along the chain from the signer to an acceptable root within the CCS has been revoked or suspended, because a revocation or suspension has the effect of prematurely terminating the operational period during which verifiable digital signatures can be created. The Etisalat repository may be queried for the most up-to-date revocation status in CRLs. For Etisalat Root CA, only offline CRL checking will be possible at the moment, and can be verified by downloading the CRL from Etisalat CRL repository at http://comtrust.etisalat.ae/rootca.crl.

 

Root link: http://comtrust.etisalat.ae/root.crl

 

User and Business User link: http://comtrust.etisalat.ae/userca.crl

 

Server link: http://comtrust.etisalat.ae/serverca.crl

 

User Demo link: http://comtrust.etisalat.ae/serverdemoca.crl

 

Server Demo link: http://comtrust.etisalat.ae/userdemoca.crl

 

4.4.11    On-line revocation/status checking availability

Online Certificate Revocation List is published regularly and is available at Etisalat’s website at http://ldap.comtrust.etisalat.ae.

4.4.12    On-line revocation checking requirements

The Etisalat VA (Validation Authority) provides on-line validation services and revocation information through the following

a)      World Wide Web (WWW). A URL will host the published CRL.

b)     Lightweight Directory Access Protocol (LDAP)

4.4.13    Other forms of revocation advertisements available

Not Available

4.4.14    Checking requirements for other forms of revocation advertisements

Not Applicable. 

4.4.15    Special requirements re key compromise

Please see sub section 4.8.2 of this CPS.

4.5        Security Audit Procedures

4.5.1       Types of event recorded

At the system level all the CA related activities are recorded. Main archiving events are requests for certificate generation / revocation, creation / revocation of certificates, certificate issuance and establishment of trusted roles on the CA, actions of trusted personnel, CRL issuance and CA keys changes. Records are also maintained for accesses at network level including events logging at the firewall and the intrusion detection systems. 

4.5.2       Frequency of processing log

4.5.3       Unauthorized Access

Etisalat’s system is heavily protected from unauthorized access to back-end systems through a combination of firewalls and intrusion detection systems. Attempts aimed at unauthorized access of the system are logged and reported. Trusted employees from Etisalat’s network team undertake a bi-weekly review of this processing log and take immediate action when alerted by such an unauthorized attempt.

4.5.4       Retention period for audit log

The audit log is maintained for a period of three months.

4.5.5       Protection of audit log

The audit log at Etisalat is protected from unauthorized access through implementation of strict physical and logical security controls. Furthermore, the periodic backups of the audit log are maintained at a site away from the one housing the CA equipment. 

4.5.6       Audit log backup procedures

Audit log backups follow the same frequency and procedures as detailed for the rest of the data. The audit log backups are stored off-site for enhanced security. 

4.5.7       Audit collection system (internal vs. external)

Etisalat's CA system collects audit data at three levels, namely operating system, network, and application. Audit data collection starts at system startup and ends at system shutdown 

4.5.8       Notification to event-causing subject

Notification is made through email and SMS.

4.5.9       Vulnerability assessments

Etisalat carries out periodic security audits internally. Furthermore, Etisalat has also appointed an external security auditor for carrying out vulnerability assessments. The external security audit is carried out annually. 

4.6        Records Archival

4.6.1       Types of event recorded

At the system level all the CA related activities are recorded. Main archiving events are requests for certificate generation / revocation, creation / revocation of certificates, certificate issuance establishment of trusted roles on the CA, actions of trusted personnel, CRL issuance and CA keys changes. Records are also maintained for accesses at network level including events logging at the firewall and the intrusion detection systems. 

4.6.2       Retention period for archive

Archives are retained for a period of three months.

4.6.3       Protection of archive

A multilevel security scheme has been implemented at the Etisalat site to ensure integrity of the archived data. This security scheme entails both physical (ID cards, smart cards, biometrics, retina scanners) and logical (segregation of sensitive data through Virtual LANs implementation) levels of security. 

4.6.4       Archive backup procedures

Archives backups follow the same frequency and procedures as detailed for the rest of the data. The audit log backups are stored off-site for enhanced security.

4.6.5       Requirements for time-stamping of records

Etisalat's CA system employs GPS based time stamping for the purpose of records keeping. 

4.6.6       Archive collection system (internal or external)

Archived data is on external storage media and is provided to the backup site through Etisalat's trusted employees.

4.6.7       Procedures to obtain and verify archive information

Etisalat employs Message Digest (MD5) log keeping scheme to ensure integrity of the archived data and to ensure that only authorized access to data takes place. 

4.7        Key changeover

Etisalat CA key pair will be valid until the year 2015. At the end of this period, the key pair will be changed. 

4.8        Compromise and Disaster Recovery

4.8.1       Computing resources, software, and/or data are corrupted

Etisalat shall implement, document, and periodically test appropriate contingency planning and disaster recovery capabilities and procedures, consistent with this CPS. 

4.8.2       Entity public key is revoked

In the event that Etisalat public key is revoked, Verizon/Cybertrust will list Etisalat’s root CA on its CRL. Etisalat will ensure that this revocation information is conveyed to all subscribers and through Etisalat web site. Etisalat will then re-establish its operations, and will follow the same procedures that were employed for establishing the earlier operations and will re-key all certificates issued to subscribers. 

4.8.3       Entity key is compromised

In the event that Etisalat entity key is compromised, Verizon/Cybertrust will list Etisalat’s entity key on its CRL. Etisalat will ensure that this revocation information is conveyed to all subscribers and relying third parties. Etisalat will then re-establish its operations under a new PKI. 

4.8.4       Secure facility after a natural or other type of disaster

In the event of a natural or man-made disaster that would render Etisalat un-operative, the damaged site along with the equipment will be secured by highly trained security personnel and the all sensitive materials will be salvaged and evacuated to another secure site. 

4.9        CA Termination

If at any point Etisalat Certification Authority finds it necessary to terminate its operations, it will take the following actions to minimize the impact on all parties:

 

a)      Issue a minimum of 60 days notice to all subscribers of its intention to cease operations.

b)     Advertise its intention to cease acting as a Certification Service Provider sixty (60) days before the expiry of its License or the date of its ceasing to act as a Certification Service Provider, as the case may be, in daily newspapers, or by such other mediums and in the manner the Controller may determine. 

c)      Revoke all un-expired and un-revoked certificates on the expiry of 90 days period.

d)     Preserve all necessary records in accordance with applicable laws of UAE.

e)      CRL will be maintained for at-least the period till expiry of all issued certificates which will occur within a maximum period of two years as certificates are issued for a maximum validity period of two years.

f)      Before ceasing to act as a Certification Service Provider, a Certification Service Provider shall provide a written notice to the Controller of its intention to cease operating as a Certification Service Provider, this notice shall also include a copy of the Certification Service Provider's cessation of operations plan and the transition plan, and which shall be provided to the Controller at least ninety (90) days before:

                           i.          the date when it will cease to act as a Certification Service Provider

                          ii.          expiry of the Certification Service Provider's License, where the Certification Service Provider has no intention to proceed with a renewal application.

g)      Make arrangements for its records and Electronic Attestation Certificates to be archived in a Trustworthy manner for a period of seven (7) years after discontinuing its operations, or any other period of time determined by the Controller. Make arrangements to adequately ensure the ongoing maintenance of its systems and security measures for sensitive and accurate data.

h)     Make reasonable efforts to assist its Signatories with a transition to another Certification Service Provider as may be determined by the Controller.


5         Physical, Procedural, and Personnel Security Controls

5.1        Physical Controls

5.1.1       Physical access

Etisalat’s network and operations is hosted in one of Etisalat’s buildings. A number of measures have been adopted for physical security of site and to ensure that access is limited to only authorized individuals. The facilities hosting the on-line CA, off-line CA and the repository have formidable access control mechanisms to allow only authorized personnel and visitors to access these facilities. The building is a reinforced concrete structure with heavy doors and powerful locks. 

5.1.2       Site location and construction

Trusted employees man the Etisalat facility round the clock. The building has a four-tier security structure entailing employee ID cards, smart cards, biometric readers and retina scan. Access to security tier 1 is through smart card whereas access to security tiers 2 and 3 is through smart card and biometric readers. Access to security tier 4 (highest security level) is through smart cards and retina scanner. 

5.1.3       Power and air conditioning

The building has a reliable primary and secondary power / air conditioning system for ensuring a safe operation. The power backup consists of high power diesel generators and battery based UPS system. In case of a power failure, the UPS system immediately starts providing the backup power until the diesel generators are fully activated 

5.1.4       Water exposures

No exposure 

5.1.5       Fire prevention and protection

A fully automated system has been installed in the building to ensure fire prevention and protection. 

5.1.6       Media storage

Daily backups for mission critical data and full system backups are kept off-site in another building. The building has extensive physical security to ensure access to authorized personnel only. 

5.1.7       Waste disposal

All paper waste is shredded before disposal. There is no other type of waste emanating from the Etisalat site as all the systems are recyclable 

5.1.8       Off-site backup

See section 5.1.6

5.2        Procedural Controls

5.2.1       Trusted roles

Etisalat shall formulate and follow personnel and management practices that provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties. Such practices shall be consistent with this CPS. All employees working for trusted roles shall be treated as trusted employees.

5.2.2       Number of persons required per task

Etisalat has designed and implemented strict security regimens to ensure that only authorized personnel perform the tasks as delegated to them. Tasks with high sensitivity are required to be performed by multiple trusted employees. These policies also ensure that a sensitive task cannot be performed until at least two trusted employees jointly have both physical and logical access to the device / facility. 

5.2.3       Identification and authentication for each role

Identification and authentication stipulations for each trusted role are ensured through a combination of physical and logical security implementations. These are:

(i)     Physical Security Controls

(ii)   Smart Cards

(iii) Biometrics

(iv)  Retina Scanners

(v)   Logical Security Controls

(vi)  Access levels defined in line with job responsibilities for the trusted role. 

5.3        Personnel Controls

5.3.1       Background, qualifications, experience, and clearance requirements

Etisalat will employ suitable personnel in accordance with specific skills & qualifications, clearance requirements of UAE Immigration Department and train them appropriately to operate its Certification Services to comply with internationally acceptable industry standards to assume trusted roles. Such employees shall be treated as trusted employees.  Etisalat representatives (including CSRs) will be fluent in written and spoken Arabic and English and will be imparted suitable training on verification of relevant documents submitted by certificate applicants. 

5.3.2       Background check procedures

See section 5.3.1

5.3.3       Training requirements

Etisalat imparts all the necessary training to its operational staff to help them perform their duties in best possible manner. These human resources are also trained on-the-job to specialize in a certain functional area of expertise. As and when changes in Certification Authority system occur, staffs undergo necessary training to make sure that such changes are implemented in a smooth manner. 

5.3.4       Retraining frequency and requirements

See section 5.3.3. 

5.3.5       Job rotation frequency and sequence

Not applicable 

5.3.6       Sanctions for unauthorized actions

All trusted employees are made to understand that they are supposed to adhere to the functional roles and responsibilities specified for them. If any violation is noticed, Etisalat shall suspend the access of the personnel involved to all CA systems-immediately on noticing such violation. 

5.3.7       Contracting personnel requirements

Etisalat shall formulate and follow personnel and management practices that provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties. Such practices shall be consistent with this CPS. Any Etisalat sub-contractor, when employed for a certain task, is judged in accordance with the criteria applicable to full-time employee.

5.3.8       Documentation supplied to personnel

All Etisalat personnel are provided detailed job descriptions in order for them to successfully perform in their designated roles.


6         Technical Security Controls

6.1        Key Pair Generation and Installation

6.1.1       Key pair generation

Key pair generation on the subscriber’s local system ensures that only the user and no one else knows the private key. Etisalat key pairs are generated in Etisalat’s Offline CA (Offline CA houses the cryptographic module) on hardware tokens.

6.1.2       Private Key delivery to end entity

As the key pair is generated on the subscriber’s local system, hence the delivery of the private key is achieved in a secure manner on the subscriber’s system.

6.1.3       Public key delivery to certificate issuer

PKCS#10 construction is employed to deliver the public key to Etisalat, thus ensuring against tampering and proving that the sender is in possession of the corresponding private key. 

6.1.4       Public key delivery to users

Etisalat will post public key certificates at Etisalat directory for retrieval by subscribers.

6.1.5       Key sizes

Etisalat CA key pair is 2048 bits. Subscriber key pairs will range from 1024 bits to 2048 bits.

6.1.6       Public key parameters generation

Not applicable

6.1.7       Parameter quality checking

Not applicable

6.1.8       Hardware/software key generation

Not applicable see section 6.2.1

6.1.9       Key usage purposes (as per X.509 v3 key usage field)

        User  & Business User Certificates

-        Key Usage: Digital Signature, Key Encipherment

        Server Certificate:

-        Key Usage: Key Encipherment Extended Key Usage: Server Authentication, Step-up certificates (Server Gated Cryptography)

6.2        CA Private Key Protection

6.2.1       Standards for cryptographic module

Etisalat’s cryptographic module offers safe storage of keys within the FIPS 140-1 Level 3 certified product. The CA key and certificates are stored on industry standard smart cards.

6.2.2       Private Key (n out of m) multi-person control

Access to cryptographic module containing the root CA requires the insertion of cryptographic hardware tokens into the cryptographic signer. A minimum number of required hardware tokens out of the total numbers of hardware tokens must be inserted one at a time to access the cryptographic module.

6.2.3       Private Key escrow

Not Available

6.2.4       Private Key backup

CA private key back-ups are performed to support disaster recovery plan. Performing a cryptographic operation creates a high security backup of the private key. The operation encrypts the private key, splits it into two parts and stores them on separate hardware tokens. These backups are securely stored and are subject to extensive multi tier security measures.

6.2.5       Private Key archival

Not Available

6.2.6       Private Key entry into cryptographic module

An authorized person makes private key entry into the cryptographic module in a special state of operation. The private key is stored in split hardware tokens for additional security.

6.2.7       Method of activating private key

Etisalat hardware token utilize PIN based activation mechanism. The PIN is generated during token initialization and is split into various shares for enabling multi-party access control.

6.2.8       Method of deactivating private key

The private key will deactivate itself as soon as it is removed from the cryptographic module.

6.2.9       Method of destroying private key

Hardware token’s “discard key” command will destroy the private key, where required.

6.3        Other Aspects of Key Pair Management

6.3.1       Public key archival

The public key is archived along with the archival of the certificate.

6.3.2       Usage periods for the public and private keys

All certificates shall be considered valid upon acceptance by the subscriber which happens when the e-mail containing the URL to download the certificate is sent to the subscriber. The standard operational periods for the various classes of certificates, calculated from issuance of certificates (as opposed to acceptance), are as follows (subject to earlier termination of the operational period due to suspension or revocation.

 

Certificate Type

Validity Periods

DEMO Digital Certificate

30 days

User Certificates

One or Two years unless earlier revoked

Business User Certificates

One or Two years unless earlier revoked

Server Certificates (including Wildcard)

One or Two years unless earlier revoked

 

Approaching end of the first year of certificate validity, Etisalat will send Certificate Renewal reminder e-mails to subscribers who have subscribed to certificates with one-year validity. Upon subscriber request for renewal, Etisalat will contact the subscriber for necessary documentation to validate and authenticate the renewal request. Upon successful validation, subscriber’s certificate will be renewed for one more year.

6.4        Activation Data

6.4.1       Activation data generation and installation

The activation data is protected by PIN, which is automatically generated. Furthermore, it is split into multiple hardware tokens to ensure multi-party control of this sensitive information.

6.4.2       Activation data protection

Activation data is protected by splitting it and storing it on multiple hardware tokens each in the possession of a trusted employee.

6.4.3       Other aspects of activation data

Not applicable.

6.5        Computer Security Controls

6.5.1       Specific computer security technical requirements

The operating system used by Etisalat has to undergo rigorous security evaluations by an independent third party.

6.5.2       Computer security rating

All critical components of Etisalat CA use HP UX (version 11.0) Operating System whereas some of the associated components are based on Windows 2003 Operating  System. All components of Etisalat’s PKI system are based on Oracle (version 10g) databases.

6.6        Life Cycle Technical Controls

6.6.1       System development controls

Not Applicable

6.6.2       Security management controls

Not Applicable

6.6.3       Life cycle security ratings

Not Applicable

6.7        Network Security Controls

In order to reduce the threats to network security, a multi layer system has been implemented. These layers of security include firewalls and intrusion detection systems, SSL protocols. System security is monitored round the clock by shifts of operations team. All key system statistics and events are logged for reference.

6.8        Cryptographic Module Engineering Controls

Refer to section 6.2


7         Certificate and CRL Profiles

7.1        Certificate Profile

7.1.1       Version number(s)

Digital certificates issued by Etisalat are X.509 version 3.

7.1.2       Certificate extensions

Etisalat root CA certificate details are as follows:

 

CA Signing Algorithm

SHA-1 with RSA Encryption

DName

C=AE

O=Etisalat

OU=Etisalat eBusiness Services

CN=Comtrust Root CA

Issuer DN 

C=US

O=GTE Corporation

CN=GTE CyberTrust Root   

Key Size 

2048 bits

Validity 

until year 2015

Certificate Type 

Version 3

Authority Key Identifier

Certificate Issuer:

Directory Address:

CN=GTE CyberTrust Root

O=GTE Corporation

C=US

Certificate Serial Number=01:A3

Subject Key Identifier 

To be generated according to RFC 2459

Key Usage

Digital Signature

Non-Repudiation

Key Encipherment

Certificate Signing

CRL Signing

Basic Constraints 

Subject Type=CA

Path Length Constraint= None

Extended Key Usage 

Client Authentication

Server Authentication

Secure Email

Step-up / SGC

 

7.1.3       Algorithm object identifiers

See section 7.1.1

7.1.4       Name forms

See section 7.1.1

7.1.5       Name constraints

Not applicable.

7.1.6       Certificate policy Object Identifier

Same as section 7.1.2