Guidance

Certificate Policy

Published 10 September 2009

Applies to England and Wales

© Crown copyright 2009

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/certificate-policy/pki-disclosure-statement

1. Background

Public Key Infrastructure (PKI) has been widely accepted by the market and governments worldwide as an important electronic business enabler. PKI can ensure, in a cost-effective manner, the confidentiality and integrity of digital data, as well as guarantee the identities of communicating or transacting entities or persons. Confidentiality is achieved through encryption, whereas identification and integrity are achieved through digital signatures.

These critical internet trust techniques are supported by Certificates issued by a Certification Authority. Such Certificates “bind” a person or legal entity to a cryptographic key that is published within a relevant community. This Public Key corresponds in a unique manner to another key, which for PKI to work must be kept strictly confidential (the Private Key). Digital signatures are created by using the Private Key of the sender, while confidentiality is achieved by use of the Public Key of the receiver.

For users of PKI to have confidence in the Certificates that identify their counterparts in for example web transactions, they need to have confidence that the Certification Authority has properly established procedures and protective measures in order to minimise the operational and financial threats and risks associated with PKI. This document specifies the policy requirements on the operation and management of HM Land Registry and their customers to give users confidence when using our Business e-services.

2. Scope

This document specifies policy requirements relating to HM Land Registry Certification Authority. It defines policy requirements on the operation and management of its Certification Authority issuing Certificates such that Subjects certified by the Certification Authority and Relying Parties may have confidence in the reliability of the Certificate.

Subscribers and Relying Parties should consult the HM Land Registry Certification Practice Statement to obtain further details of precisely how this Certificate Policy is implemented by HM Land Registry for a particular class of Certificate.

3. References

The following documents contain provisions which, through references in this text indicated by [n], constitute provisions of the present document.

References are either specific (eg date of publication, edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies.

  1. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

  2. ETSI TS 101 456: Policy requirements for issuing qualified certificates.

  3. IETF RFC 3739: Internet X.509 Public Key Infrastructure: Qualified certificate profile. (Also ETSI TS 101 862).

  4. IETF RFC 3647 (2003): Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.

  5. Data Protection Act 1988.

  6. ISO/IEC 9000: 2000 Quality Management Systems.

  7. ISO/IEC 17799:2005: Information Technology – Security Techniques – Code of Practice for Information Security Management.

  8. ISO/IEC 15408:2005 (parts 1 – 3): Information Technology – Security Techniques – Evaluation Criteria for IT Security.

  9. FIPS PUB 140-2 (2001): Security Requirements for Cryptographic Modules.

  10. CEN Workshop Agreement 14167-2: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 2: Cryptographic Module for CSP signing operations with backup – Protection Profile (CMCSOB-PP).

  11. CEN Workshop Agreement 14167-3: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 3: Cryptographic Module for CSP key generation services – Protection Profile (CMCKG-PP).

  12. CEN Workshop Agreement 14167-4: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures – Part 2: Cryptographic Module for CSP signing operations – Protection Profile (CMCSO-PP).

  13. IETF RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

4. Definitions

Administrator: A person who controls the service operation of the CA.

Central Signing Service: Private Key storage and use under the End User’s sole control within a secure service operated by HM Land Registry.

Certificate Policy: A named set of rules that indicates the applicability of a Certificate to a particular community and/or class of application with common security requirements.

Certificate: The Public Key of an End User or Device, together with verifiable identity information, rendered unforgeable by encoding with the Private Key of the Certification Authority which issued it.

Certification Authority (CA): An entity trusted by one or more users to create and assign Certificates.

Certification Practice Statement: A statement of the practices that a Certification Authority uses in issuing Certificates.

Conveyancer: Any member, employee, officer or agent of a subscriber authorised under a current full Network Access Agreement.

Device: In these policies is used to include an internet server, software or equipment used to initiate a virtual private network and functions in organisations authorised to sign software code.

Electronic Signature: Data in electronic form in, affixed to, or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message.

End User: The person or legal entity having its Public Key and name certified by a Certification Authority in a Public Key Certificate.

Know Your Customer (KYC): The process of establishing a client’s identity using appropriate documentary evidence (eg passport or utility bill) to ensure compliance with the Proceeds of Crime Act 2002 and the Terrorism Act 2000 and the Money Laundering Regulations 2003. Guidance is provided by the FSA and the Law Society.

Key Pairs: Encryption keys used for signature purposes comprise a pair of large prime numbers that have a specific mathematical relationship such that if one is used to encrypt data only the other half of the pair can be used to decrypt the data.

Network: The electronic communications network provided in accordance with section 92 of the Land Registration Act 2002 and any components of it and the services provided by way of that network from time to time.

Private Key: One part of the Key Pair that is kept private to by the Subject. Used for creating the Electronic Signature.

Public Key: The other part of the Key Pair made public to any Relying Party in order to validate the Electronic Signature.

Registration Authority: The organisational entity responsible for the enrolment of subjects into the Certification Authority. It may be a different organisation to the Certification Authority, but is obliged to comply with the Certificate Policy.

Relying Party: The party in a transaction or communication which acts or may act in reliance on a Certificate and/or digital signatures verified using that Certificate.

Representative: The individual who accepts the Certificate associated with computer applications and Devices[footnote 1] in the control of Subscribers, and is responsible for the correct protection and use of the Private Key.

Subject: Entity identified in a Certificate as the rightful holder of the Private Key associated with the Public Key given in the Certificate. The Subject may be an End User or Device.

Subscriber: Entity which subscribes with a Certification Authority on behalf of an End User or End Users to have one or more Public Keys and associated entities certified in the same number of Public Key Certificates. A Subscriber may also be the Subject or Representative.

Technical Manual: The document, including parts 1 and 2, which details the system and security requirements and other technical aspects of the Network and published from time to time by the Registrar. References to the Technical Manual mean the version as updated from time to time.

5. General approach – policy and contract responsibilities

5.1 Background

The authority trusted by the users of the certification services to create and sign Certificates is called the Certification Authority. The Certification Authority has overall responsibility for the provision of these services and is identified in the Certificate as the issuer.

When a Certification Authority issues a Certificate it attests that it has established the name of the Subject by using defined processes based on the examination of defined external evidence. This evidence concerns the certified entity’s name and its association with other information in the Certificate to achieve a targeted level of reliability and trust, and represents information and facts that the Certification Authority chooses to rely upon to make a correct attestation. The evidence collected and the method of examination may vary between different types of certification services, but all services must, in the end, rely on information that is outside the scope of the Certification Authority to challenge.

The responsibility of the Certification Authority is limited to the correct execution of its defined procedures which will include evidence collection and examination procedures that are defined to be part of its service. If an error is caused by false external evidence (such as a false ID-card) that was correctly collected and processed according to defined procedures, the Certification Authority has fulfilled its obligations and is not responsible for the error. However, the Certification Authority always maintains responsibility for processes defined to be part of its service for ensuring that the policy requirements imposed on the Certification Authority in this document are met; and for liability issues arising out of the issue and management of certificates. The Certification Authority may use other parties to provide services, and the distribution of responsibilities among these parties is contractually agreed between the Certification Authority and its subcontractors. In these cases, it is also the responsibility of the Certification Authority to provide adequate instructions to Subscribers and Relying Parties and to provide the details required for the Subscribers or the Relying Parties to meet their obligations.

5.2 Certificate Policy and Certification Practice Statement

5.2.1 Purpose

In general, the purpose of the Certificate Policy (these are referenced by a policy identifier in a Certificate) states the rules on how the Certificate is to be issued, used and when it may be relied upon. The Certification Practice Statement is a summary of the processes and procedures the Certification Authority will use in creating and maintaining the Certificate. The relationship between the Certificate Policy and Certification Practice Statement is similar in nature to the relationship of other business policies that state the requirements of the business, while operational units define the practices and procedures of how these policies are to be carried out. If a Certification Authority is issuing Certificates against a number of Certificate Policies, then the Certification Authority’s Certification Practice Statement (only one is necessary) will state how the Certification Authority implements the controls.

5.2.2 Level of specificity

A Certificate Policy is a less specific document than a Certification Practice Statement. A Certification Practice Statement is a more detailed description of the business and operational practices of a Certification Authority in issuing and otherwise managing Certificates. The Certification Practice Statement of a Certification Authority enforces the rules established by entities prescribing a specific Certificate Policy. A Certification Practice Statement defines how a specific Certification Authority meets the technical, organisational and procedural requirements identified in a Certificate Policy.

5.2.3 Approach

The approach of a Certificate Policy is significantly different from that of a Certification Practice Statement. A Certificate Policy is defined independently of the details of the specific operating environment of a Certification Authority, whereas a Certification Practice Statement is tailored to the organisational structure, operating procedures, facilities, and computing environment of a Certification Authority. A Certificate Policy may be defined by the user of certification services, whereas the Certification Practice Statement is always defined by the provider. The Certification Practice Statement relevant to the HM Land Registry Certification Authority will be incorporated into the Technical Manual.

6. Introduction to the Certificate Policies for HM Land Registry

6.1 Overview

Certificates issued by the HM Land Registry Certification Authority (hereafter referred to as the CA) in accordance with the current document include a Certificate Policy identifier that can be used by Relying Parties in determining the Certificate’s suitability and trustworthiness for a particular application.

Certificates for four types of use are defined by these policies:

  • Where End Users apply Electronic Signatures locally.
  • Where End Users apply Electronic Signatures centrally.
  • Where End Users have authentication needs.
  • Devices with software key storage.

The main body of this document describes the general requirements for issuing and managing Certificates. Annex B covers more specific details for issuing and managing Certificates for use where End Users are in possession of their cryptographic token and apply Electronic Signatures locally. Annex C describes the requirements for issuing and managing Certificates for use where End Users apply Electronic Signatures centrally under sole control. Annex D describes the requirements for issuing and managing Certificates for use by End Users with cryptographic tokens for authentication purposes. Annex E describes the requirements for issuing and managing Certificates for use by Devices.

Sections 1 to 7 are common to all four policies, whereas the requirements on the CA will differ according to the Certificate issued, as defined in Annexes B to E.

6.2 Identification

The identifiers for the Certificate Policies specified in the current document are at Annex A.

6.3 Policy changes

6.3.1 Change procedures

The following aspects of these Certificate Policies can change without notification and without requiring a new object identifier to be allocated:

a. formatting and

b. correction of minor typographic errors.

The following aspects of this Certificate Policy can change with notification, but without requiring a new object identifier to be allocated:

c. any aspect that does not lower, and cannot be perceived to lower, the fundamental trust that can be placed in the Certificate.

The following aspects of this Certificate Policy cannot be changed unless a new object identifier is created:

d. any aspect that lowers, or could be perceived to lower, the fundamental trust that can be placed in the Certificate.

6.3.2 Publication and notification

An electronic copy of this document, duly signed by an authorised representative of the CA, is to be made available:

a. on GOV.UK

b. via an email request to certificate.policies@landregistry.gov.uk

6.4 Conformance

The CA shall only use the identifier for the appropriate Certificate Policy as provided in 6.2 if:

  • the CA claims conformance to the identified Certificate Policy and makes available on request the evidence to support the claim of conformance; or
  • the CA has been certified to be conformant to the identified Certificate Policy.

6.5 Contact details

These Certificate Policies are published by:

Information Management Committee
HM Land Registry Head Office,
Trafalgar House,
1 Bedford Park,
Croydon,
CR0 2AQ

Contact: certificate.policies@landregistry.gov.uk

7. Obligations and liability

7.1 Certification Authority obligations

The CA shall ensure that all requirements, as detailed in the relevant sections applicable to the policy issued, are implemented. The CA has the responsibility for conformance with the procedures prescribed in the policy, regardless of its operational responsibilities in performing its functions. The CA shall also fulfil any additional obligations that are indicated in the Certificates either directly or incorporated by reference.

7.2 Subscriber obligations

The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below:

a. only use the Key Pairs for the purposes defined in Section 9, 10, 11 or 12 and in accordance with any other limitations that may be notified to the Subscriber

b. submit accurate and complete information to the CA during Subject registration in accordance with the requirements of the policy

c. exercise reasonable care to avoid unauthorised use of the Subject’s Private Key

d. notify the CA, without any unreasonable delay, if any of the following occur up to the end of the validity period indicated in the Certificate:

  • the Subject’s Private Key has been potentially or actually lost, stolen or compromised
  • control over the Subject’s Private Key has been lost due to potential or actual compromise of activation data (eg PIN code) or other reasons and/or
  • inaccuracy or changes to the Certificate content, as notified to the Subscriber.

e. ensure that if the Subscriber or Subject generates the Subject’s Key Pair, only the Subject holds the Private Key

f. ensure that Private Keys are generated within the hardware key storage device.

7.3 Relying Party obligations

The obligations of the Relying Party if it is to reasonably rely on a Certificate are to:

a. verify the validity, suspension or revocation status of the Certificate using current revocation status information as indicated to the Relying Party (see 9.4.6)

b. take account of any limitations on the usage of the Certificate indicated to the Relying Party, either in the Certificate, or in the terms and conditions supplied as required in 9.4.4 and 9.4.5 and

c. take any other precautions prescribed in the Certification Practice Statement.

7.4 Certification Authority liability

Certificates issued by the CA will be used primarily for signing electronic dispositionary documents relating to registered land when permitted by law such as transfers or mortgages. Certificates can also be used to sign electronic contracts relating to registered land when permitted by law. Additional Certificates will be issued for End User and Device authentication purposes and for enabling secure communication channels. The liability taken by the CA, however, is limited to the correct application of procedures as declared in the Certification Practice Statement (as incorporated into the Technical Manual); these procedures relate to the issue and management of digital Certificates. Therefore any failure of transaction that utilises the digital Certificate is out of scope.

In essence, the liability will include the correct identification of Subjects according to the declared practices. If a transaction is found to be in error through the incorrect identification of the Subject through failing to follow the declared practices, then the CA is liable. If however the Subject is incorrectly identified, but the error was within the documents used to support the Subject’s claim to an identity, then the CA shall not be liable.

The CA shall include any limitation of liability within the Certificate, providing the relevant information within an easily accessible statement both on its website and within the Certification Practice Statement. The information above shall be available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language.

8. Annex A – Registered HM Land Registry Certificate Policies

The following Certificate Policies are defined within the HM Land Registry e-Security service[footnote 2]:

Policy name Object identifier Description
HM Land Registry Local Signing {iso(1) memberbody(2) GB(826) UK National registration (0) HM Land Registry(1359) policy (1) certificatepolicy(1) 2} Where End Users apply Electronic Signatures locally
HM Land Registry Central Signing {iso(1) memberbody(2) GB(826) UK National registration (0) HM Land Registry(1359) policy (1) certificatepolicy(1) 3} Where End Users apply Electronic Signatures centrally
HM Land Registry Individual Authentication {iso(1) memberbody(2) GB(826) UK National registration (0) HM Land Registry(1359) policy (1) certificate policy(1) 4} Electronic identity-based Authentication
HM Land Registry Device Authentication {iso(1) memberbody(2) GB(826) UK National registration (0) HM Land Registry(1359) policy (1) certificatepolicy(1) 5} Device authentication Certificate Policy

9. Annex B – Requirements on Certification Authority Practice for HM Land Registry Local Signing Certificate Policy

This Certificate Policy applies to all Conveyancers and their customers who wish to sign electronic dispositionary documents relating to registered land such as transfers or mortgages, and who wish to keep their Private Keys in their possession. It includes HM Land Registry signing acknowledgement of any data presented to the Network and authenticating documents and information issued by HM Land Registry.

The identifier for the HM Land Registry Local Signing Certificate Policy is:
Policy Identifier =1.2.826. 0.1359. 1.1.2

By including this object identifier in a Certificate, the CA claims conformance to the identified HM Land Registry Local Signing Certificate Policy.

The Certificates issued under this policy may be used to support Electronic Signatures which meet the requirements of the Directive [1] and English law, in connection with information services, transactions, agreements, exchange of valuable information and contracting for property and land transactions. The decision to accept the Certificate, however, is at the discretion of the Relying Party.

Certificates issued under this policy are primarily focused on the following main classes of security services:

  • identification of originator
  • creation of an Electronic Signature
  • integrity of data.

The Certificate Authority shall implement the controls that meet the requirements set out in this annex. This Certificate Policy incorporates Sections 5, 6 and 7 of this document with the amendments and changes defined in this Annex.

9.1 Subscriber obligations

The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below:

a. only use the Key Pairs for Electronic Signatures and in accordance with any other limitations that may be notified to the Subscriber and

b. sub-paragraphs b. to f. contained in 7.2 above.

9.1.1 Key usage

Certificates issued under this policy shall be used:

a. by Conveyancers and their customers who wish to sign dispositionary documents for registration at HM Land Registry, for example for transfer or mortgage of title between parties, to enable Electronic Signatures

b. by HM Land Registry for signing acknowledgement of data presented to the Network and/or

c. by HM Land Registry to authenticate documents and other such information issued by HM Land Registry.

The constraint is that the policy shall not cover any key usage other than non-repudiation as defined in [13].

9.2. Certification Practice Statement

The CA shall ensure that it has a Certification Practice Statement[footnote 3] that identifies the practices and procedures used to address all the requirements identified in this policy, as considered necessary through its risk analysis. In particular, the CA shall ensure that:

a. its Certification Practice Statement identifies the obligations of all external organisations supporting the relevant HM Land Registry services including the applicable policies and practices

b. details are made available of its Certification Practice Statement as necessary to assess conformance to the Certificate Policy

c. the terms and conditions regarding use of the Certificate as specified in 9.4.4 are disclosed to all Subscribers and potential Relying Parties

d. it has a management body with final authority and responsibility for approving the Certification Practice Statement

e. it has a defined review and maintenance process for its Certification Practice Statement

f. revisions to the Certification Practice Statement are made available to the auditors and to all appropriate Subscribers and Relying Parties as in b.

9.3 Key Management Life Cycle

9.3.1 Generation of Certification Authority Keys

The CA shall ensure that CA keys are generated in accordance with industry standards.

In particular, the CA shall ensure that:

a. generation of CA keys is undertaken in a physically secure environment (see 9.5.3) under, at least, dual control, and no greater number of personnel shall be authorised to carry out this function than required under the CA’s practices

b. generation of CA keys is carried out within a hardware key storage device which:

  • meets the requirements identified in FIPS 140-2[9] Level3 or higher or
  • meets the requirements identified in one of the following CEN Workshop Agreement 14167-2 [10], CWA 14167-3 [11] or CWA 14167-4 [12] or
  • is a trustworthy system which is assured to EAL 4 or higher in accordance to ISO/IEC 15408 [8], or equivalent security criteria

c. the selected key length and algorithm for CA signing key shall be one which is recognised as being fit for purposes of qualified[footnote 4] Certificates as issued by the CA.

9.3.2 Certification Authority Key storage, backup and recovery

The CA shall ensure that CA Private Keys remain confidential and maintain their integrity.

In particular, the CA shall ensure that:

a. its private signing key is held and used within a hardware key storage device which:

  • meets the requirements identified in FIPS 140-2[9] Level3 or higher
  • meets the requirements identified in one of the following CEN Workshop Agreement 14167-2 [10], CWA 14167-3 [11] or CWA 14167-4 [12] or
  • is a trustworthy system which is assured to EAL 4 or higher in accordance with ISO/IEC 15408 [8], or equivalent security criteria

b. its private signing key is backed up, stored and recovered only by personnel in trusted roles using, at least, dual control in a physically secured environment (see 9.5.4). No more personnel shall be authorised to carry out this function than required under the CA’s practices

c. backup copies of the CA private signing keys are subject to the same or greater level of security controls as keys currently in use

d. where the keys are stored in a dedicated key processing hardware module, access controls are in place to ensure that the keys are not accessible outside the hardware module.

9.3.3 Certification Authority Public Key distribution

The CA shall ensure that the integrity of the CA Public Key and any associated parameters is maintained during its distribution to Relying Parties. In particular, the CA shall ensure that its Public Key is made available to Relying Parties in a manner that assures the integrity of the CA Public Key and authenticates its origin.

9.3.4 Key Escrow

The CA shall not keep copies of Subject Private Keys.

9.3.5. Certification Authority Key usage

The CA shall ensure that CA signing keys are used only for appropriate activities related to the CA operation such as signing Certificates (as defined in 9.4.3) and signing Certificate Revocation Lists (CRL), within physically secure premises.

9.3.6 End of Certification Authority Key life cycle

The CA shall ensure that, at the end of their life cycle, all copies of the CA Private Keys are either destroyed such that the Private Keys cannot be retrieved, or archived in a manner such that they are protected against being put back into use.

9.3.7 Life cycle management of cryptographic hardware used to sign Certificates

The CA shall ensure that:

a. cryptographic hardware used for Certificate signing is shipped in such a manner that is tamper-evident

b. cryptographic hardware used for Certificate signing is stored in such a way that is tamper-evident

c. the installation, activation, back-up and recovery of cryptographic hardware used for Certificate signing requires a minimum of two trusted employees

d. Certificate signing cryptographic hardware is functioning correctly

e. CA Private Keys stored on CA cryptographic hardware are destroyed on device retirement.

9.3.8 CA provided Subject Key management services The CA shall ensure that any Subject keys that it generates are generated securely and the privacy of the Subject’s Private Key is assured.

If the CA generates the Subject’s keys:

a. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy

b. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy

c. CA-generated Subject keys shall be generated and stored securely before delivery to the Subject

d. the Subject’s Private Key shall be delivered to the Subscriber in a manner such that the privacy of the key is not compromised and on delivery only the Subject has access to its Private Key.

9.3.9 Hardware Key storage device preparation

The CA shall ensure that if it issues to the Subject a hardware key storage device, this is carried out securely.

In particular, if the CA issues hardware key storage devices:

a. hardware key storage device preparation shall be securely controlled by the CA

b. hardware key storage devices shall be securely stored and distributed

c. hardware key storage deactivation and reactivation shall be securely controlled

d. where the hardware key storage device has associated user activation data (eg PIN code), the activation data shall be securely prepared and distributed separately from the hardware key storage device[footnote 5]

9.4 Certificate Management life cycle

9.4.1 Subject registration

The CA shall ensure that evidence of Subjects’ identification and accuracy of their names and associated data are either properly examined as part of the defined service or, where applicable, concluded through examination of attestations from appropriate and authorised sources, and that Subscriber Certificate requests are accurate, authorised and complete according to the collected evidence or attestation.

In particular, the CA shall ensure that:

a. before entering into a relationship with a Subscriber, the Subscriber is adequately informed through a formal agreement of the precise terms and conditions regarding use of the Certificate as given in 9.4.4

b. if the End User is not the same as the Subscriber, the End User shall be informed of his/her obligations

c. the agreement at a above is communicated through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language

d. it has collected – either by direct evidence or by an attestation from an appropriate and authorised source – that the name and, if applicable, any specific attributes of the person to which a Certificate is issued, has been verified by appropriate means in accordance with ‘Know Your Customer’ procedures, and that evidence of the name has been checked against a physical person either directly or indirectly using means providing assurance equivalent to physical presence, and that evidence may be in the form of either paper or electronic documentation[footnote 6][footnote 7]

e. where the Subject is a person acting on behalf of an organisation, an attestation according to d has been collected from the organisation, which constitutes a declaration that evidence has been provided of the following:

  • full name (including surname and given names) of the person
  • attributes of the Subject which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place[footnote 8] of birth or a nationally recognised identity number
  • full name and legal status of the associated legal person or other organisational entity
  • any relevant existing registration information (eg company registration) of the associated legal person or other organisational entity
  • evidence that the Subject is associated with the legal person or other organisational entity
  • a physical address, or other attributes, provided by the Subject, which describe how the Subject may be contacted.

f. where the Subject is a person acting on their own behalf, evidence is provided of:

  • full name (including surname and given names)
  • attributes which may be used, to the extent possible, to distinguish the person from others with the same name, such as date and place of birth, or a nationally recognised identity number

g. all the information used to verify the Subject’s name, including any reference number on the documentation used for verification, and any limitations on its validity, is recorded[footnote 9]

h. the signed agreement with the Subscriber is recorded, including:

  • Subscriber’s agreement to the Subscriber’s obligations as defined in Section 7.2[footnote 10][footnote 11][footnote 12]
  • consent to the keeping of a record by the CA of information used in registration (see 9.5.11 h and i) and any subsequent revocation (see 9.5.11 j), and passing of this information to third parties under the same conditions as required by this policy in the case of the CA terminating its service
  • whether, and under what conditions, the Subscriber requires and consents to the publication of its Certificate
  • that the information held in the Certificate is correct

i. the records of evidence identified in d e and f above are retained for the period of time as indicated to the Subscriber within the precise terms and conditions (see a above) and as necessary for the purposes for providing evidence of certification in legal proceedings

j. the Certificate request process ensures that the Subject has possession of the Private Key associated with the Public Key presented for certification

k. the requirements of data protection legislation are complied with (including the use of pseudonyms if applicable) within its registration process.

9.4.2 Certificate renewal, re-key and update

The CA shall ensure that requests for Certificate renewal, re-key following revocation or prior to expiration, or update due to change to the Subject’s attributes are complete, accurate and duly authorised.[footnote 13]

In particular, the CA shall ensure that:

a. the information used to verify the name and attributes of the Subject is still valid

b. if any of the CA terms and conditions have changed, these are communicated to the Subscriber and agreed to in accordance with 9.4.1 a, b and g

c. if any certified names or attributes have changed, or the previous Certificate has been revoked, the registration information is verified, recorded and agreed to by the Subscriber in accordance with 9.4.1 d to h

d. it only issues a new Certificate using the Subject’s previously certified Public Key if its cryptographic security is still sufficient for the new Certificate’s intended lifetime and no indications exist that the Subject’s Private Key has been compromised.

9.4.3 Certificate generation

The CA shall ensure that new, renewed and re-keyed Certificates are issued securely.

In particular, the CA shall ensure that:

a. the procedure of issuing the Certificate is securely linked to the associated registration, Certificate renewal or re-key, including the provision of any Subject generated Public Key

b. if it generates the Subject’s key, the procedure of issuing the Certificate is securely linked to the generation of the key pair by the CA

c. over time the uniqueness of the distinguished name assigned to the Subject within the domain of the CA is ensured (ie over the lifetime of the CA a distinguished name which has been used in an issued Certificate shall never be re-assigned to another entity)

d. the confidentiality and integrity of registration data are protected especially when exchanged with the Subject or between distributed CA system components.

9.4.4 Dissemination of terms and conditions

The CA shall ensure that the terms and conditions are made available to Subscribers, Subjects and Relying Parties.

In particular, the CA shall ensure that:

a. the terms and conditions regarding the use of the Certificate are made available to Subscribers, Subjects and Relying Parties, including:

  • any limitations on Certificate use
  • the Subscriber’s obligations as defined in 7.2
  • information on how to verify the Certificate, including requirements to check the revocation status of the Certificate, such that the Relying Party is considered to “reasonably rely” on the Certificate (see 7.3)
  • limitations of liability
  • the period of time registration information (see 9.4.1) is retained
  • express consent for the use of personal data if present in the Certificate
  • the period of time CA event logs (see 9.5.11) are retained
  • procedures for complaints and dispute settlement
  • the applicable legal system
  • the information identified in a above is available through a durable (ie with integrity and availability over time) means of communication, which may be transmitted electronically, and in readily understandable language.

9.4.5 Certificate dissemination

The CA shall ensure that Certificates are made available as necessary to Subjects and Relying Parties.

In particular, the CA shall ensure that:

a. upon generation, the complete and accurate Certificate is available to the Subject for whom the Certificate is being issued

b. Certificates are available for retrieval from the CA system in only those cases for which the Subject’s consent has been obtained

c. the terms and conditions regarding the use of the Certificate are made available to Relying Parties (see 9.4.4)

d. the applicable terms and conditions are readily identifiable for a given Certificate

e. the information identified in c above is available for a minimum of 21 hours per day, seven days per week, and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than the maximum period of time as denoted in the Certification Practice Statement

f. the information identified in c above is publicly and internationally available.

9.4.6 Certificate revocation and suspension

The CA shall ensure that Certificates are revoked in a timely manner based on authorised and validated Certificate revocation requests.

In particular, the CA shall ensure that:

a. as part of its Certification Practice Statement (see 9.2), the procedures for revocation of Certificates are documented, including:

  • who may submit revocation reports and requests
  • how they may be submitted
  • any requirements for confirmation of revocation reports and requests
  • whether and for what reasons Certificates may be suspended
  • the mechanism used for distributing revocation status information
  • the maximum delay between receipt of a revocation request or report and the change to revocation status information being available to all Relying Parties, and this shall be at most one day

b. requests and reports relating to revocation (eg due to compromise of Subject’s Private Key, death of the Subject, violation of contractual obligations) are processed on receipt

c. requests and reports relating to revocation are authenticated and checked to be from an authorised source, if possible, and the method is to be documented in the CA’s practices

d. a Certificate’s revocation status is set to ‘suspended’ whilst the revocation is being confirmed, and the CA shall ensure that a Certificate is not kept suspended for longer than is necessary to confirm its status[footnote 14]

e. the Subscriber agrees to inform the Subject (or Representative where the Subject is a Device) of a revoked or suspended Certificate within a reasonable time and to their best effort of the change of status of its Certificate[footnote 15]

f. once a Certificate is definitively revoked (ie not suspended) it is not reinstated

g. where CRLs, including any variants (eg Delta CRLs), are used, these are published at least daily and

  • every CRL shall state a time for next scheduled CRL issue
  • a new CRL may be published before the stated time of the next CRL issue and
  • the CRL shall be signed by the CA

h. revocation management services for processing of revocation requests from authorised revocation personnel are available 21 hours per day, seven days per week (hours as published on GOV.UK), and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement

i. revocation status information is available 21 hours per day, seven days per week (hours as published on GOV.UK), and in case of failure, the CA shall make best endeavours to ensure that any unavailability of this information service is less than a maximum period of time as denoted in the Certification Practice Statement[footnote 16]

j. the integrity and authenticity of the status information are protected

k. revocation status information is publicly and internationally available

l. revocation status information shall include information on the status of revoked Certificates at least until the Certificate expires.

9.5 Management and operation

The CA shall ensure that a risk assessment is carried out to evaluate operational risks and determine the necessary security requirements and operational procedures. The risk analysis shall be regularly reviewed and revised if necessary.

9.5.1 Security management

The CA shall ensure that administrative and management procedures are applied which are adequate and correspond to recognised standards.

In particular, the CA shall ensure that:

a. it retains liability towards Relying Parties for all aspects of the provision of certification services, even if some functions are outsourced, except liability for accuracy of underlying evidence and attestations according to 9.4.1 on which the CA reasonably relies as part of the service provision. Responsibilities of third parties shall be clearly defined by the CA and appropriate arrangements made to ensure that third parties are obliged to implement any controls required by the CA. The CA shall retain responsibility for the disclosure of relevant practices of all parties

b. it provides, through its management, direction on information security through HM Land Registry’s IT Security Committee (ITSC) that is responsible for defining the CA’s information security policy and for ensuring publication and communication of the policy to all employees of the CA who are affected by the policy

c. it maintains a system (or systems) for quality and information security management appropriate for the certification services it is providing

d. it maintains at all times the information security infrastructure necessary to manage the security within the CA. Any changes that will affect the level of security provided shall be approved by the ITSC[footnote 17]

e. it documents, implements and maintains the security controls and operating procedures for CA facilities, systems and information assets providing the certification services[footnote 18]

f. the security of information is maintained when the responsibility for CA functions has been outsourced to another organisation or entity.

9.5.2 Asset classification and management

The CA shall ensure that assets and information related to HM Land Registry E-Security services receive an appropriate level of protection. In particular the CA shall maintain an inventory of all information assets and shall assign a classification of their protection requirements consistent with the risk analysis (9.2).

9.5.3 Personnel security

The CA shall ensure that personnel and hiring practices support the trustworthiness of the operation of HM Land Registry E-security services.

In particular, the CA shall ensure that:

a. it only employs or contracts personnel possessing the expert knowledge, experience and qualifications necessary for the offered services and which are appropriate to the job function

b. security roles and responsibilities, as specified in the CA’s security policy, are documented in job descriptions. Trusted roles, on which the security of the CA’s operation is dependent, shall be clearly identified

c. its own and relevant subcontractors’ and customers’ staff (both temporary and permanent) have job descriptions defined from the view point of separation of duties and least privilege, determining position sensitivity based on the duties and access levels, background screening and employee training and awareness. Where appropriate, these job descriptions shall differentiate between general functions and functions specific to HM Land Registry E-security services. These job descriptions should include skills and experience requirements

d. staff exercise administrative and management procedures and processes that are adequate and that correspond to recognised standards

e. managerial staff are employed within CA functions who possess appropriate expertise in the field of CA services and familiarity with proper security procedures for personnel with security responsibilities

f. all its staff, and all its relevant subcontractors’ and customers’ staff in trusted roles, are free from conflicting interests that might prejudice the trustworthiness of the CA operations

g. trusted roles include, but are not limited to, roles that involve the following responsibilities:

  • Security Officers: Overall responsibility for administering the implementation of the security practices. Additionally approve the generation, revocation, suspension and resumption of HM Land Registry ‘Security Administrator’ Certificates
  • System Administrators: Authorised to install, configure and maintain the CA trustworthy systems for registration, Certificate generation, Subject Device provision and revocation management
  • System Operators: Responsible for operating the CA trustworthy systems on a day-to-day basis. Authorised to perform system backup and recovery
  • System Auditors: Authorised to view and maintain archives and audit logs of the CA trustworthy systems.

h. its staff, and all its relevant subcontractors’ and customers’ staff, are formally appointed to trusted roles by an appropriate senior management group such as the ITSC (9.5.1.b) above)

i. that no person is appointed to trusted roles who is known to have a conviction for a serious crime or other offence which may affect their suitability for the position[footnote 19]. Staff shall not have access to the trusted functions until any necessary checks are completed.

9.5.4 Physical and environmental security[footnote 20]

The CA shall ensure that:

  • physical access to its premises and equipment is limited to properly authorised individuals
  • Certificate issuance facilities are protected from environmental hazards
  • controls are implemented to avoid loss, damage or compromise of assets and interruption to business activities and
  • controls are implemented to avoid compromise or theft of information and information processing facilities.

In particular, the CA shall ensure that:

a. facilities concerned with CA key management, Certificate generation and revocation management shall be operated from an environment which physically protects the services from compromise through unauthorised access to systems or data

b. physical protection is achieved through the creation of clearly defined security perimeters (ie physical barriers) around the facilities concerned with Certificate generation and revocation management. Any parts of the premises shared with other businesses shall be outside this perimeter

c. physical and environmental security controls are implemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation. The CA’s physical and environmental security programmes concerned with CA key management, Certificate generation and revocation management services shall address the physical access control, natural disaster protection, fire safety factors, failure of supporting utilities (eg power, telecommunications), structure collapse, plumbing leaks, protection against theft, breaking, entering, and disaster recovery.

d. controls are implemented to protect against equipment, information and software relating to the HM Land Registry E-Security services being taken off-site without authorisation.

9.5.5 Operations management

The CA shall ensure that:

  • the correct and secure operation of CA systems are ensured
  • the risk of CA systems failure are minimised
  • its systems and information are protected against viruses and malicious software to maintain their integrity
  • damage from security incidents and malfunctions is minimised through the use of incident reporting and response procedures
  • data media are handled securely to protect media from damage, theft and unauthorised access. In particular, the CA shall ensure that:

a. procedures are established and implemented for all trusted and administrative roles that affect the provision of certification services[footnote 21]

b. all data media are handled securely in accordance with requirements of the information classification scheme (see 9.5.2). Media containing sensitive data shall be securely disposed of when no longer required

c. capacity demands are monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available

d. parties act in a timely and co-ordinated manner in order to respond quickly to incidents and to limit the impact of breaches of security. All incidents shall be reported as soon as possible after the incident[footnote 22]

e. CA systems for CA key management, Certificate generation and revocation management are operated under senior management control

f. CA security operations are separated from normal operations[footnote 23]

9.5.6 System access management

The CA shall ensure that CA system access is limited to properly authorised individuals.

In particular, the CA shall ensure that:

a. controls (eg firewalls) are implemented to protect the CA’s internal network domains from external network domains accessible by third parties[footnote 24]

b. sensitive data are protected when exchanged over networks which are not secure[footnote 25]

c. there is effective administration of user access to maintain system security (this includes operators, Administrators and any users given direct access to the system), including user account management, auditing and timely modification or removal of access

d. access to information and application system functions are restricted in accordance with the access control policy and that the CA system provides sufficient computer security controls for the separation of trusted roles identified in CA practices, including the separation of security administrator and operations functions. Particularly, use of system utility programs shall be restricted and tightly controlled

e. CA personnel are successfully identified and authenticated before using critical applications related to Certificate management

f. users (ie trusted roles) are accountable for their activities, for example by retaining event logs (see 9.5.11)

g. sensitive data are protected against being revealed through re-used storage objects (eg deleted files) being accessible to unauthorised users[footnote 26]

h. local network components (eg routers) are kept in a physically secure environment and their configurations periodically audited

i. continuous monitoring and alarm facilities are provided to enable the CA to detect, register and react in a timely manner upon any unauthorised or irregular attempts to access its resources[footnote 27]

j. the repository enforces access control on attempts to add or delete Certificates and modify other associated information

k. the revocation status application enforces access control on attempts to modify revocation status information.

9.5.7 Trustworthy systems deployment and maintenance The CA shall use trustworthy systems and products that are protected against modification[footnote 28][footnote 29].

In particular, the CA shall ensure that:

a. an analysis of security requirements is carried out at the design and requirements specification stage of any systems development project undertaken by the CA or on behalf of the CA to ensure that security is built into IT systems

b. change control procedures exist for releases, modifications and emergency software fixes for any operational software

9.5.8 Business continuity management and incident handling

The CA shall ensure that in the event of a disaster, including compromise of the CA’s private signing key, operations are restored as soon as possible.

In particular, the CA shall ensure that:

a. its business continuity plan (or disaster recovery plan) addresses the compromise or suspected compromise of its private signing key as a disaster

b. as a minimum, it provides the following undertakings in the case of compromise of the CA private signing key:

  • inform all Subscribers, Subjects, Relying Parties and other Certification Authorities with which it has agreements or other form of established relations of the compromise
  • indicate that Certificates and revocation status information issued using this CA key may no longer be valid[footnote 30]
  • stop the issuance of new Certificate revocation lists associated with the compromised CA and stop provision of other related Certificate status checking services[footnote 31]

9.5.9 Certification Authority termination

The CA shall ensure that potential disruptions to Subjects and Relying Parties are minimised as a result of the cessation of its services, and in particular ensure continued maintenance of records required to provide evidence of certification for the purposes of legal proceedings.

In particular, the CA shall ensure that:

a. before it terminates its services the following procedures are executed as a minimum:

  • inform all Subscribers, and other entities with which the CA has agreements or other form of established relations[footnote 32]
  • terminate all authorisation of subcontractors to act on behalf of the CA in the process of issuing Certificates
  • perform necessary undertakings to transfer obligations for maintaining registration information (see 9.4.1) and event log archives (see 9.5.11) for their respective period of time as indicated to the Subscriber and Relying Party (see 9.4.4)
  • CA Private Keys are destroyed, or withdrawn from use, as defined in 9.3.6.

b. it has an arrangement to cover the costs to fulfil these minimum requirements in case the CA becomes bankrupt or for other reasons is unable to cover the costs by itself

c. it states in its practices the provisions made for termination of service. This shall include:

  • notification of affected entities
  • transfer of the CA obligations to other parties
  • how the revocation status of unexpired Certificates that have been issued will be handled.

9.5.10 Compliance with Legal Requirements and HM Land Registry’s policies and practices

The CA shall ensure that:

  • it complies with legal requirements
  • it complies with HM Land Registry’s policies and practices
  • the effectiveness of the system audit process is maximised and interference with or from the system audit process is minimised.

In particular, the CA shall ensure that:

a. important records are protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory requirements, as well as to support essential business activities

b. the requirements of the Data Protection Act [5] are met

c. Subjects are assured that the information they contribute to the Subscriber is completely protected from disclosure unless with their agreement or by court order or other legal requirement

9.5.11 Recording of information concerning Certificates

The CA shall ensure that all relevant information concerning a Certificate is recorded for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings[footnote 33].

In particular, the CA shall ensure that:

a. the confidentiality and integrity of current and archived records concerning Certificates is maintained

b. records concerning Certificates are completely and confidentially archived in accordance with disclosed business practices

c. records concerning Certificates are made available if required for the purposes of providing evidence of certification for the purpose of legal proceedings. The Subject shall have access to registration and other information relating to the Subject[footnote 34]

d. the precise time of significant CA environmental, key management and Certificate management events is recorded[footnote 35]

e. records concerning Certificates are held for a period of time as appropriate for providing necessary legal evidence in support of Electronic Signatures[footnote 36][footnote 37]

f. the events are logged in a way that they cannot be easily deleted or destroyed within the period of time that they are required to be held[footnote 38]

g. the specific events and data to be logged are documented, that is, all events relating to registration, including requests for Certificate re-key or renewal, are logged

h. all registration information is recorded including the following:

  • type of document(s) presented by the applicant to support registration
  • record of unique identification data, numbers, identification documents (eg driving licence number) or a combination of these, if applicable
  • storage location of copies of applications and identification documents, including the signed Subscriber agreement (see 9.4.1 h)
  • any specific choices in the Subscriber agreement (eg consent to publication of Certificate)
  • identity of the Subscriber
  • method used to validate identification documents, if any
  • name of receiving CA and/or submitting Registration Authority, if applicable.
  • it maintains privacy of Subject information
  • it logs all requests and reports relating to revocation, as well as the resulting action
  • it logs all events relating to the life cycle of CA keys
  • it logs all events relating to the life cycle of Certificates.

9.6 Organisational

The CA shall ensure that its organisation is reliable. In particular, the CA shall ensure that:

a. the policies and procedures under which the CA operates are non-discriminatory

b. its services are made accessible to all applicants whose activities fall within its declared field of operation

c. it has adequate arrangements to cover liabilities arising from its operations and activities, in particular to bear the risk of liability for damages

d. it has the financial stability and resources required to operate in conformity with this policy

e. it has policies and procedures for the resolution of complaints and disputes received from customers or other parties about the provisioning of CA services or any other related matters

f. it has a properly documented agreement and contractual relationship in place where the provisioning of services involves subcontracting, outsourcing or other third party arrangements

g. with regard to its CA key management, Certificate generation and revocation management capabilities, it is independent of others for its decisions relating to the establishing, provisioning and maintaining and suspending of services. In particular its senior executives and staff must be free from any commercial, financial or other pressures which might adversely influence trust in the services it provides

h. with regard to its CA key management, Certificate generation and revocation management capabilities, it has a documented structure which safeguards impartiality of operations.

10. Annex C – Requirements on Certification Authority Practice for HM Land Registry Central Signing Certificate Policy

This Certificate Policy applies to all Conveyancers and their customers who wish to sign electronic dispositionary documents relating to registered land when permitted by law, such as transfers or mortgages, and who wish to store their Private Keys within the HM Land Registry Central Signing server, but used under their sole control.

This section defines a Certificate Policy identical to the main HM Land Registry Local Signing Certificate Policy except for limitations on key usage and items concerning the Certificate management life cycle.

The identifier for the HM Land Registry Central Signing Certificate Policy is:
Policy Identifier =1.2.826. 0.1359. 1.1.3

By including this object identifier in a Certificate, the CA claims conformance to the identified HM Land Registry Central Signing Certificate Policy.

The Certificates issued under this policy may be used to support digital signatures which “are not denied legal effectiveness and admissibility as evidence in legal proceedings” as specified in article 5.2 of the Directive [1], in connection with information services, transactions, agreements, exchange of valuable information and contracting for property and land transactions. The acceptability of the Certificate, however, is at the discretion of the Relying Party.

Certificates issued under this policy are primarily focused on the following main classes of security services:

  • identification of originator
  • creation of an Electronic Signature
  • integrity of data.

The CA shall implement the controls that meet the following requirements.

This Certificate Policy incorporates Sections 5, 6, 7 and 9 of this document with the amendments and changes defined in this Annex.

10.1 Deviation from the original policy This policy is identical to the HM Land Registry Local Signing Certificate Policy except for the following deviations:

10.1.1 Key Escrow The CA shall keep copies of Subject Private Keys for backup purposes. Subject Private Keys may only be stored for Central Signing purposes and, as such, will be backed up in a way that ensures the End User retains sole control.

10.1.2 CA – Provided Subject Key Management Services The CA shall ensure that any Subject keys, that it generates, are generated securely and the privacy of the Subject’s Private Key is assured.

If the CA generates the Subject’s keys:

a. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy

b. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy

c. CA-generated Subject keys shall be generated and stored securely before allocation to the Subject

d. The Subject’s Private Key shall be stored and provided for use by the Subject in a manner such that the privacy of the key is not compromised and on allocation only the Subject has access to its Private Key.

11. Annex D – Requirements on Certification Authority Practice for HM Land Registry Individual Authentication Certificate Policy

This Certificate Policy applies to all HM Land Registry and others who wish to be authenticated to HM Land Registry’s Network. This section defines a Certificate Policy identical to the main HM Land Registry Local Signing Certificate Policy except for limitations on key usage and items concerning the Certificate management lifecycle.

The identifier for the HM Land Registry Individual Authentication Certificate Policy is:
Policy Identifier =1.2.826. 0.1359. 1.1.4

By including this object identifier in a Certificate the CA claims conformance to the identified HM Land Registry Individual Authentication Certificate Policy.

This Certificate Policy incorporates Sections 5, 6, 7 and 9 of this document.

The Certificates issued under this policy are typically suitable for verifying the identity of an individual in connection with access to HM Land Registry e-Security systems. The acceptability of the Certificate, however, is at the discretion of the Relying Party.

Certificates issued under this policy are primarily focused on the following main classes of security services:

  • identification of originator
  • authentication for access to a server.

The CA shall implement the controls that meet the following requirements.

11.1 Deviation from the original policy

This policy is identical to the HM Land Registry Local Signing Certificate Policy except for the following deviations:

11.1.1 Subscriber obligations

The terms and conditions agreed with the Subscriber (see 9.3.4) shall include an obligation upon the Subscriber to address all the following obligations. If the Subject and Subscriber are different parties, the Subscriber shall make the Subject aware of those applicable obligations as listed below:

  1. only use the Key Pairs for authentication and in accordance with any other limitations that may be notified to the Subscriber; and
  2. Sub paras. b. to f. contained in 7.2 above.

11.1.2 Key usage

Certificates issued under this policy shall only be used by HM Land Registry and Conveyancer administrators for authentication to HM Land Registry e-Security systems. Therefore the constraint is that they shall not cover any key usage other than digital signature as defined in [13][footnote 39].

11.1.3 Key escrow

Where the CA stores Subject Private Keys for Central Authentication purposes any copies of Subject Private keys made for back up purposes will be made in such a way that ensures the End User retains sole control. Where the CA does not store Subject Private Keys for Central Authentication purposes , the CA shall not keep copies of Subject Private Keys.

11.1.4 CA provided Subject Key Management Services

The CA shall ensure that any Subject keys that it generates, are generated securely and the privacy of the Subject’s Private Key is assured.

If the CA generates the Subject‘s keys:

  1. CA-generated Subject keys shall be generated using an algorithm recognised as being fit for purpose for this policy;

  2. CA-generated Subject keys shall be of a key length and for use with a Public Key algorithm which is recognised as being fit for the purposes of this policy;

  3. CA-generated Subject keys shall be generated and stored securely before allocation or delivery to the Subject;

  4. Where the CA stores Subject Private Keys for Central Authentication purposes, the Subject’s Private Key shall be delivered to the Subscriber in a manner such that the privacy of the key is not compromised and on delivery only the Subject has access to its Private Key.

  5. Where the CA does not store Subject Private Keys for Central Authentication purposes, the Subject’s Private Key shall be stored and provided for use by the Subject in a manner such that the privacy of the key is not compromised and on allocation only the Subject has access to its Private Key.

12. Annex E – Requirements on Certification Authority Practice for HM Land Registry Device Authentication Certificate Policy

This Certificate Policy applies to Devices used within HM Land Registry’s Network.

This section defines a Certificate Policy identical to the main HM Land Registry Local Signing Certificate Policy except for limitations on key usage and items concerning the Certificate management lifecycle.

The identifier for the HM Land Registry Device Authentication Certificate Policy is:
Policy Identifier =1.2.826. 0.1359. 1.1.5

By including this object identifier in a Certificate the CA claims conformance to the identified HM Land Registry Device Authentication Certificate Policy.

This Certificate Policy incorporates Sections 5, 6, 7 and 9 of this document with the amendments and changes defined in this Annex.

The Certificates issued under this policy are suitable for verifying the identity of an internet server or communications (Virtual Private Networking [VPN]) Device; for initiating a secure connection between a server and client internet browser or between VPN Devices. The acceptability of the Certificate, however, is at the discretion of the Relying Party.

Certificates issued under this policy may be suitable for a wide range of applications primarily focusing on the following main classes of security services:

  • identification of a server
  • identification of a VPN Device
  • message integrity
  • enabling the confidentiality of data.

12.1 Deviation from the original policy

This policy is identical to the HM Land Registry Local Signing Certificate Policy except for the following deviations:

12.1.1 Subscriber obligations

The terms and conditions agreed with the Subscriber (see 9.4.4) shall include an obligation upon the Subscriber to ensure, where relevant, that the Representative fulfils the following obligations. The Subscriber shall:

a. only use the Key Pairs for authentication and data confidentiality and in accordance with any other limitations that may be notified to the Subscriber and

b. sub paragraphs b to f contained in 7.2 above.

12.1.2 Key usage

Certificates issued under this policy shall only be used by Devices used within HM Land Registry’s Network for authentication and communications security. Therefore the constraint is that they shall not cover any key usage other than digital signature and key encipherment as defined in [13].

12.1.3 CA Provided Subscriber Key Management Services Clause 9.3.8 does not apply to this Certificate Policy.

12.1.4 Hardware Key Storage Device Preparation Clause 9.3.9 does not apply to this Certificate Policy.

12.1.5 Subject Registration

This Section replaces Section 9.4.1.

All Devices shall have an associated Representative, and the Representative shall be subject to all obligations placed on the Subject by the Subscriber. The CA shall ensure that evidence of Subjects’ identification and accuracy of their names and associated data are either properly examined as part of the defined service or, where applicable, concluded through examination of attestations from appropriate and authorised sources, and that Subscriber Certificate requests are accurate, authorised and complete according to the collected evidence or attestation.

In particular, the CA shall ensure that:

a. before entering into a contractual relationship with a Subscriber, the CA shall inform the Subscriber of the terms and conditions regarding use of the Certificate as given in 9.4.4

b. the agreement above is communicated through a durable (ie with integrity over time) means of communication, which may be transmitted electronically, and in readily understandable language

c. the CA shall verify by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of Subjects to whom a Certificate is issued. Submitted evidence may be in the form of either paper or electronic documentation

d. as the Subject is a Device or system, operated by or on behalf of an organisational entity, the organisational entity has the right to the Subject[footnote 40] and evidence shall be provided of:

  • the identifier of the Device by which it may be referenced (eg internet domain name)
  • the full name of the organisational entity
  • a nationally recognised identity number, or other attributes which may be used to distinguish, as far as possible, the organisational entity from others with the same name

e. the Subscriber shall provide a physical address, or other attributes, which describe how the Subscriber may be contacted

f. the CA shall record all the information necessary to verify the Subject’s identity, including any reference number on the documentation used for verification, and any limitations on its validity

g. the signed agreement with the Subscriber is recorded, including:

  • Subscriber agreement to the Representative’s obligations as defined in Section 7.2[footnote 41][footnote 42][footnote 43]
  • consent of the Subscriber to the keeping of a record by the CA of information used in registration (see 9.4.11 h and i) and any subsequent revocation (see 9.4.11 j) and passing of this information to third parties under the same conditions as required by this policy in the case of the CA terminating its service
  • whether, and under what conditions, the End User requires and consents to the publication of its Certificate
  • that the information held in the Certificate is correct.

h. the records of evidence identified in e and f above are retained for the period of time as indicated to the Subscriber (see b above) and as necessary for the purposes for providing evidence of certification in legal proceedings

i. the Certificate request process ensures that the Subject has possession of the Private Key associated with the Public Key presented for certification

j. the requirements of its national data protection legislation are complied with (including the use of pseudonyms if applicable) within its registration process.

13. Footnotes

  1. eg firewalls, routers, in-line network encryptors, trusted servers, and other infrastructure components 

  2. See ISO/IEC 8824:1988 CCITT X.208 Specification of Abstract Syntax Notation One (ASN.1), Annexes B to D for a definition. 

  3. This policy makes no requirement as to the structure of the Certification Practice Statement. 

  4. As defined by the Electronic Signatures Regulations 2002. 

  5. Separation may be achieved by ensuring distribution and delivery at different times, or via a different route. 

  6. An example of evidence checked indirectly against a physical person is documentation presented for registration which was acquired as the result of an application requiring physical presence and shall be certified evidence such as a national ID card or passport. 

  7. The Certification Authority is liable as regards the accuracy “of all information contained in the Certificate”. 

  8. The place should be given in accordance to national conventions for registering births. 

  9. Copies of documents, appropriately countersigned (including by Electronic Signature), are suitable. The records should be securely stored as close as practicable to the location where the evidence is checked. Hence the use of an attestation in 9.4.1.d. if the location where the evidence is checked differs from the place of registration. 

  10. The End User may agree to different aspects of this agreement during different stages of registration. For example, agreement that the information held in the Certificate is correct may be carried out subsequent to other aspects of the agreement. 

  11. Other parties (eg the associated legal person) may be involved in establishing this agreement. 

  12. This agreement may be in electronic form. 

  13. The End User may, if the Certification Authority offers this service, request a Certificate renewal for example where relevant attributes presented to the Certification Authority for the Certificate have changed or when the Certificate lifetime is running out. 

  14. Support for Certificate suspension is optional. 

  15. This may be done electronically. 

  16. Revocation status information may be provided, for example, using on-line Certificate status service or through distribution of CRLs through a repository. 

  17. See ISO/IEC 17799-1 for guidance on information security management including information security infrastructure, management information security forum and information security policies. 

  18. This documentation (commonly called a system security policy) should identify all relevant targets, objects and potential threats related to the services provided and the safeguards required to avoid or limit the effects of those threats. It should describe the rules, directives and procedures regarding how the specified services and the associated security assurance are granted in addition to stating policy on incidents and disasters. 

  19. In some countries it may not be possible to obtain information on past convictions. However, the employer may be able to ask the candidate to provide such information and turn down an application in case of refusal. 

  20. See ISO/IEC 17799 [REF _ Ref159998961 \r \h 7] for guidance on physical and environmental security. 

  21. Every member of staff with management responsibilities is responsible for planning and efficiently implementing the Certificate Policy and associated practices as documented in the Certification Practice Statement. 

  22. The responsibilities of End Users are defined in the terms and conditions as defined in 9.4.4. 

  23. CA Security Operations’ responsibilities include:

    • operational procedures and responsibilities
    • secure systems planning and acceptance
    • protection from malicious software
    • housekeeping
    • network management
    • active monitoring of audit journals, event analysis and follow-up
    • media handling and security
    • data and software exchange

    These responsibilities will be managed by the Certification Authority, but may actually be performed by non-specialist operational staff (under supervision) as defined within the appropriate security policy and roles and responsibility documents. 

  24. Firewalls should be configured to prevent protocols and accesses not required for the operation of the Certification Authority. 

  25. Sensitive data includes registration information. 

  26. Sensitive data includes registration information. 

  27. This may use, for example, an intrusion detection system, access control monitoring and alarm facilities. 

  28. Requirements for the trustworthy systems may be ensured using, for example, systems conforming to a suitable protection profile (or profiles), defined in accordance with ISO/IEC 15408 [8] or equivalent. 

  29. The risk analysis carried out on the Certification Authority’s services (see REF _Ref159999867 \r \h 9.2) should identify its critical services requiring trustworthy systems and the levels of assurance required. 

  30. When another Certification Authority with which a compromised Certification Authority has an agreement is informed of the compromise, any Certification Authority Certificate that has been issued for the compromised Certification Authority should be revoked. 

  31. This is a means to force Relying Parties to reject related Certificates due to non-availability of valid Certificate revocation information. 

  32. The Certification Authority is not required to have any prior relationship with the Relying Party. 

  33. Records concerning Certificates include registration information (see 9.3.1) and information concerning significant Certification Authority environmental, key management and Certificate management events. 

  34. This may be used, for example, to support the link between the Certificate and the End User. 

  35. The Certification Authority should state in its practices the accuracy the clock used in timing of events, and how this accuracy is ensured. 

  36. The duration of the record retention period is difficult to pinpoint, and requires weighing the need for reference to the records against the burden of keeping them. The records could be needed at least as long as a transaction relying on a valid Certificate can be questioned. For most transactions, statutes of limitation will eventually place a transaction beyond dispute. However, for some transactions such as real property conveyances, legal repose may not be realised until after a lengthy time elapses, if ever. 

  37. Where differing periods of times are applied to Certificates being used for different purposes, they shall be clearly identified and they should have different specific Certificate Policy identifiers. Where differing periods are applied to different parts of the registration and event log records, this shall be indicated to the Relying Party as specified in 9.3.1 and 9.3.4. 

  38. This may be achieved, for example, through the use of write-only media, a record of each removable media used, and the use of off-site backup. 

  39. With reference to [13] “non-repudiation” is used for signing, whereas “digital signature” is used for authentication. 

  40. This is to ensure that the device belongs to the organisation or is being operated on their behalf, and as such the organisation has the right to associate its name with it. 

  41. The Representative may agree to different aspects of this agreement during different stages of registration. For example, agreement that the information held in the Certificate is correct may be carried out subsequent to other aspects of the agreement. 

  42. Other parties (for example, the associated legal person) may be involved in establishing this agreement. 

  43. This agreement may be in electronic form. 

Back to top