CP/CPS) for the Certificate Classes „Diamant“ (Regulated/Qualified

Certificate Policy / Certification Practice Statement (CP/CPS)
For the Certificate Classes „Diamant“ (regulated/qualified) and „Saphir“ (advanced)

Version: 3.2
Date: April 18, 2018

Swisscom (Switzerland) Ltd.
Alte Tiefenaustrasse 6
3050 Bern

Document history

Version   Date         Changed by         Comments/nature of the change
3.2       18.04.2018   Kerstin Wagner     Synchronized with German version 3.2
3.2       18.04.2018   Governance Board   Approval

©Swisscom (Switzerland) Ltd. CP/CPS „Diamant“ and „Saphir“ Version 3.2 2/39 Date 18.04.2018

Referenced Documents

[ZertES] SR 943.03: Federal Act on Electronic Signatures, ZertES
[VZertES] SR 943.032: Ordinance on Certification Services in the area of Electronic Signatures, VZertES
[TAV] SR 943.032.1, TAV: Technical and administrative provisions for certification services in the field of electronic signatures
[UIDG] Federal Act on the Company Identification Number, UIDG
[RFC 3647] IETF RFC 3647: "Internet X.509 Public Key Infrastructure - Certificate Policy and Certification Practices Framework"
[RFC 5280] IETF RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"
[CEN/TS 419 241] Security Requirements for Trustworthy Systems supporting Server Signing
[ETSI TS 119 312] Electronic Signatures and Infrastructures (ESI); Cryptographic Suites
[ETSI EN 319 401] General Policy Requirements for Trust Service Providers
[ETSI EN 319 411-1] Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
[ETSI EN 319 411-2] Policy and security requirements for TSPs; Part 2: Requirements for trust service providers issuing EU qualified certificates
[ETSI EN 319 421] Policy and Security Requirements for Trust Service Providers issuing Time-Stamps
[ETSI EN 319 412-1-5] Certificate Profiles
[Addendum] Addendum to the CP/CPS: profiles of the certificates, certificate revocation lists (CRL) and online status requests (OCSP)
[TOU] Terms and Conditions of Usage
[Role Concept] Role Concept SDCS
[Security Concept] Security Concept SDCS
[Authority Seals] Concept for seal for authorities / cooperation with the signature validator V2.0, federal IT control body (ISB)

Table of Contents

1 Introduction
  1.1 Overview
  1.2 Document Identification
  1.3 Participants of the PKI
    1.3.1 Certificate Authorities (CA)
    1.3.2 Registration Authorities (RA)
    1.3.3 Subscriber
    1.3.4 Relying Parties
    1.3.5 Other Participants
  1.4 Certificate Usage
    1.4.1 Permitted Certificate Usage
    1.4.2 Prohibited Certificate Usage
  1.5 Policy Administration
  1.6 Definitions and Acronyms
  1.7 Abbreviations
2 Publications and Repository Responsibility
  2.1 Repository Service
  2.2 Publication of Information
  2.3 Frequency of Publication
  2.4 Access Controls on Repositories
3 Identification and Authentication
  3.1 Naming
    3.1.1 Name Components Required for Natural Persons
    3.1.2 Name Components Required for Organizations
    3.1.3 Optional Name Components
    3.1.4 Test-Certificates
  3.2 Initial Identity Validation
    3.2.1 Identification for Applications by Natural Persons
    3.2.2 Identification for Applications by Organizations
    3.2.3 Identification for applications from administrative bodies (authorities)
    3.2.4 Non-verified Information
    3.2.5 Method for proving Possession of Private Key
  3.3 Identification and Authentication for Re-key Requests
    3.3.1 Identification and Authentication for Routine Re-Key
    3.3.2 Identification and Authentication for Re-Key after Revocation
  3.4 Identification and Authentication for Revocation Request
4 Certificate Life-Cycle Operational Requirements
  4.1 Certificate Application
  4.2 Certificate Application Processing
  4.3 Certificate Issuance
    4.3.1 Certificate Issuance for Natural Persons
    4.3.2 Certificate Issuance for Organizations
  4.4 Certificate Acceptance
  4.5 Key Pair and Certificate Usage
    4.5.1 Use of Keys and Certificates by the Subscriber
