• Certificate policy - AUSkey

    1 Overview

    1.1 Overview

    The ABR Registrar has established the AUSkey System as Public Key Infrastructure (PKI) to facilitate internet-based electronic transactions between Business Entities and Agencies, and manages the AUSkey System’s operational Certification Authority (the ABR CA).

    This document is the GKP003 Standard Certificate Policy. This Certificate Policy (CP) sets out the rules applying to, and provides policy and operational guidance on, the deployment of AUSkey Standard Certificates issued by the ABR CA.

    This CP must be read in conjunction with the following documents, which can be accessed online:

    1.1.1 Standard Business Reporting (SBR) Program

    See CPS section 1.1.1.

    1.1.2 The AUSkey System

    See CPS section 1.1.2.

    1.1.3 Community of Interest (COI)

    See CPS section 1.1.3.

    1.1.4 Standard Certificates

    AUSkey Standard Certificates are issued to individuals acting on behalf of Business Entities that:

    • are registered in the ABR as having an ABN (as the Business Entity is identified in the AUSkey Certificate by way of its ABN), and
    • wish to transact electronically with SBR Agencies.

    1.1.5 This Certificate Policy and the Certification Practice Statement

    See CPS section 1.1.4.

    1.2 Document Name and Identification

    This document is known as the GKP003 Standard Certificate Policy. It is identified by the object identifier (OID) 1.2.36.1.3001.1.1.7.1, based on the following structure:

    1

    ISO code

    2

    Member Body

    36

    Australia

    1

    Government

    3001

    Australian Business Register (ABR)

    1

    Australian Business Register Root CA (RCA)

    1

    Australian Business Register Operational CA (OCA)

    7

    Standard Certificate Policy

    1

    Version number

    1.2.1 Attribution

    See CPS section 1.2.1.

    1.3 AUSkey Participants

    1.3.1 ABR Root Certification Authority (ABR RCA)

    See CPS section 1.3.1.

    1.3.2 ABR Certification Authority (ABR CA)

    See CPS section 1.3.2.

    1.3.3 ABR Registration Authority (ABR RA)

    See CPS section 1.3.3.

    1.3.4 Business Entities

    See CPS section 1.3.4.

    1.3.5 Business Associates

    See CPS section 1.3.5.

    1.3.6 Users

    See CPS section 1.3.6.

    1.3.7 Administrators

    See CPS section 1.3.7.

    1.3.8 Device Custodians

    See CPS section 1.3.8.

    1.3.9 Devices

    See CPS section 1.3.9.

    1.3.10 Relying Parties

    See CPS section 1.3.10.

    1.3.11 Trust Broker

    See CPS section 1.3.11.

    1.4 Certificate Usage

    1.4.1 Appropriate certificate use

    The appropriate use of an AUSkey Standard Certificate is limited to the Certificate Holder authenticating him or herself to, and carrying out an electronic transaction with, an SBR Agency within the AUSkey COI on behalf of the Business Entity identified in that Certificate.

    The typical transaction would be the submission of a form for a Business Entity with revenue reporting and payment obligations to an SBR Agency, for example lodgment of a Business Activity Statement with the ATO.

    1.4.2 Limits on use

    An AUSkey Standard Certificate is designed for its Certificate Holder (on behalf of the Business Entity identified by its ABN in that Certificate) to authenticate him or herself to, and to carry out electronic transactions with, SBR Agencies within the AUSkey COI. The AUSkey System does not support use of AUSkeys by or with any other relying parties. Any person who uses, or relies on, an AUSkey Standard Certificate in any other circumstances does so at their own risk and responsibility.

    Attention

    Note: an AUSkey does not provide any indication of the level of authority, delegation or privileges that the AUSkey Holder may possess, and is for authentication rather than authorisation purposes.

    End of attention

    1.4.3 Prohibited certificate uses

    Any kind of unlawful or improper use of an AUSkey Standard Certificate is prohibited.

    1.5 Policy Administration

    See CPS section 1.5.

    1.6 Definitions and Acronyms

    See CPS section 1.6.

    2 Publications and Repository Responsibilities

    2.1 Repositories and Publication Information

    The AUSkey System operates several repositories supporting its operations.

    2.2 Publications

    See CPS section 2.1.1.

    2.3 The Certificate Revocation List (CRL)

    See CPS section 2.1.2.

    2.4 Internal Data Repositories

    See CPS section 2.1.3.

    3 Identification and Authentication

    3.1 Naming

    Every Certificate issued under this CP must have a Distinguished Name (DN) that is unique to the Certificate Holder the subject of the Certificate and compliant with the X.501 standard. That DN must be in the form of a X.501 printable string and may not be blank.

    That DN will be present in the Certificate’s subjectName field, with the Common Name in the form <User given names><Space><User family name>, as set out in the certificate profile outlined in section 7 of this CP.

    The Certificate Holder’s common name is a component of that DN, and is supplied in the application for the AUSkey Standard Certificate. The name supplied must be meaningful, unambiguous and (in the Business Entity concerned) unique to the Certificate Holder.

    The AUSkey System does not allow anonymity or pseudonymity for any AUSkey Certificate subject names.

    Attention

    Note: an AUSkey Standard Certificate identifies the Certificate Holder in its subjectName field, and the ABN of the Business Entity for which it is held in its subjectOrganisation field – see section 7.1.

    End of attention

    Any disputes in relation to names in AUSkey Standard Certificates will be resolved by the AUSkey Policy Management Authority (AUSkey PMA).

    3.2 Initial Identity Validation

    See section 3.1.2 of the CPS.

    Attention

    Note: for identify validation, the AUSkey System allows identity details to be entered online, which are then validated to a previous documentary based Evidence of Identity (EOI) process/es. In some cases documentary EOI is required, such as where the identity details supplied are insufficient or incorrect.

    End of attention

    An application for an AUSkey Standard Certificate must be authorised by:

    • an Administrator for that Business Entity (a person holding, for that Business Entity, a valid AUSkey Standard Certificate with administrator level privileges), or
    • a validated Business Associate of that Business Entity (a person who has had both their identity, and their status as a Business Associate of that same Business Entity, validated).

    3.2.1 Initial Administrator Identity Validation

    In order to obtain administrator level privileges in relation to an AUSkey Standard Certificate, the Certificate Holder (or proposed Certificate Holder) of that Certificate must:

    • supply or confirm his or her Given names, Family name, and email address (the supply of his or her telephone number is optional)
    • supply a display name that will be displayed to other Administrators of the same Business Entity concerned to identify him or her as an Administrator, and
    • supply his or her date of birth and such other identity details or information as the ABR RA may require to validate or if necessary establish his or her identity in accordance with existing ABR processes on identity verification.
    Attention

    Note: The existing ABR processes on identity verification arise principally because the ABR Registrar must, under the A New Tax System (Australian Business Number) Act 1999, be satisfied that an individual’s identity has been established before including their name in a Business Entity’s ABR entry (for example as an ‘associate’ or ‘nominated representative’ of that Business Entity).

    For applications for Standard AUSkeys with Administrator level privileges, existing ABR processes are applied to verify the identity of the proposed AUSkey holder (and the applicant, if a different person):

    Applications for Standard AUSkeys with User level privileges, and Device AUSkeys, to be held for a Business Entity must be made or approved by an Administrator (for that same Business Entity) whose identity has been verified as above and who verifies the identity of the proposed AUSkey holder.

    End of attention

    3.2.2 Initial Business Associate Validation

    Where an application for an AUSkey Standard Certificate (to be held by the proposed Certificate Holder for a Business Entity) is made by, or is to be authorised by, a Business Associate of that Business Entity, that Business Associate must supply:

    • his or her Given names, Family name, date of birth, and such other identity details or information as the ABR RA may require to validate or if necessary establish his or her identity in accordance with existing ABR processes on identity verification, and
    • such other information as the ABR RA may require to confirm that he or she is listed in the ABR as a Business Associate of that same Business Entity.

    3.2.3 Initial User Identity Validation

    Where an application is made for an AUSkey Standard Certificate, to be held by the proposed User for a Business Entity (and in respect of which that User is not to have Administrator level privileges):

    • that User must supply or confirm his or her Given names, Family name, and email address (the supply of his or her telephone number is optional), and
    • the validation of that User’s identity is the responsibility of, and is provided by, that Business Entity’s Administrator or Business Associate (as the case may be) approving that application.

    3.3 Identification and Authentication for Renewal Requests

    AUSkey Standard Certificates are renewed automatically. See CPS section 3.1.4.

    The renewal process is described in sections 4.5 and 4.6 below.

    3.4 Identification and Authentication for Revocation Request

    If the revocation of an AUSkey Standard Certificate (held by the Certificate Holder for a Business Entity) is requested through the AUSkey Manager by that Certificate Holder, or by an Administrator for that same Business Entity, that Certificate Holder or Administrator (as the case may be) identifies and authenticates him or herself to the AUSkey Manager using their AUSkey (a website logon, including a valid password).

    If a telephone request is made to an AUSkey Operator for the revocation of an AUSkey Standard Certificate (held by the Certificate Holder for a Business Entity), the caller must provide sufficient identity details to allow the AUSkey Operator, in accordance with existing ABR processes, to validate the caller’s identity, and verify their status as that Certificate Holder or an Administrator for or a Business Associate of that same Business Entity.

    All such revocation requests must come through the ABR RA. The ABR CA will only action a revocation request if the ABR CA successfully validates the request by verifying the ABR RA’s signing certificate.

    4 Certificate Life-Cycle Operational Requirements

    This section deals only with the life-cycle operational requirements for AUSkey Standard Certificates. For life-cycle event details for AUSkey Device Certificates, see the applicable CP. Details of certain infrastructure certificates not used by any end entities may be found in the CPS. The certificate life-cycle events are described at a high-level, from the perspective of human end users.

    4.1 Certificate Application

    In most cases, AUSkey Standard Certificate applications are carried out online through the AUSkey Manager and AUSkey website. However, the AUSkey System provides alternate processes so that, where necessary, process steps can be carried out manually via AUSkey Operators. Sections 4.1.2 to 4.1.6 describe the usual process steps for AUSkey Standard Certificate online applications.

    4.1.1 Who can submit an application for an AUSkey Standard Certificate?

    The AUSkey System supports the following AUSkey Standard Certificate applications:

    • An application for an AUSkey Standard Certificate with user level privileges – to be held by a proposed new User for a Business Entity – may be made by:
      • an Administrator for that same Business Entity, or
      • that proposed new User (but the application must be authorised by an Administrator for that same Business Entity).
       
    • An application for an AUSkey Standard Certificate with administrator level privileges – to be held by a proposed new Administrator for a Business Entity – may be made by:
      • an (existing) Administrator for that same Business Entity, or
      • a Business Associate of that same Business Entity.
       
    • An Administrator for a Business Entity may apply to vary the privileges associated with a current AUSkey Standard Certificate (held for that same Business Entity) from user level to administrator level or from administrator level to user level.

    4.1.2 Administrator applies for an AUSkey for a new User

    The process for an Administrator for a Business Entity applying online for an AUSkey Standard Certificate – to be held by a new User for that same Business Entity – is generally as follows:

    1. The Administrator authenticates to the AUSkey Manager using their AUSkey.
    2. The Administrator enters and submits details of the new User, including their:
      • Given names and Family name
      • email and confirmation email address
      • privilege level (as user).
       
    3. The AUSkey System sends the new User a notification email informing them that they are being issued an AUSkey Standard Certificate (with user privileges).
    4. The new User clicks on a link in the notification email to initiate Certificate activation, and enters and submits the displayed Captcha code (to begin the issuance process).

    4.1.3 New User applies for their own AUSkey

    The process for a person applying for an AUSkey Standard Certificate – to be held by them as a User for a Business Entity – is generally as follows:

    1. The applicant accesses an unauthenticated page on the AUSkey website and follows the system prompts to register.
    2. The applicant enters and submits:
      • the displayed Captcha code
      • the ABN of that Business Entity
      • their Given names and Family name
      • their email and confirmation email address
      • their privilege level (as user)
      • the email address of an Administrator for that Business Entity to approve their application.
       

    On submission, an activation code is displayed to the applicant.

    1. The AUSkey System sends that Administrator an email informing them of the new application, and the Administrator authenticates to the AUSkey Manager using their AUSkey, and locates and approves that application.
    2. The AUSkey System sends the applicant a notification email informing them that their application has been approved.
    3. The applicant clicks on a link in the notification email, and enters and submits the activation code (to initiate certificate activation) and the displayed Captcha code (to begin the issuance process).

    4.1.4 Administrator applies for an AUSkey for a new Administrator

    The process for an Administrator for a Business Entity applying for an AUSkey Standard Certificate – to be held by a new Administrator for that same Business Entity – is generally as follows:

    1. The Administrator authenticates to the AUSkey Manager using their AUSkey.
    2. The Administrator enters and submits details of the new Administrator, including their:
      • Given names and Family name
      • email and confirmation email address
      • privilege level (as administrator).
       
    3. The AUSkey System sends a notification email to the new Administrator informing them that they have been nominated for an AUSkey Standard Certificate (with administrator privileges).
    4. The new Administrator clicks on a link in the notification email and is taken to the application form in the AUSkey website.
    5. The new Administrator enters and submits:
      • the displayed Captcha code
      • a display name that will be displayed to other Administrators for that Business Entity to identify them as Administrator
      • their identity validation details (as described in section 3.2.1).
       
    6. Once the new Administrator’s identity is validated and confirmed, the AUSkey System sends a second notification email to the new Administrator confirming that they have registered successfully.
    7. The new Administrator clicks on a link in the email, and enters and submits the displayed Captcha code to initiate certificate activation and begin the issuance process.

     

    4.1.5 Business Associate applies for an AUSkey for a new Administrator

    The process for a Business Associate of a Business Entity applying for an AUSkey Standard Certificate – to be held by a new Administrator for that same Business Entity – is generally as follows:

    1. The Business Associate accesses an unauthenticated page on the AUSkey website.
    2. The Business Associate identifies they are a Business Associate, identifies whether they, or another person, is the new Administrator, and enters and submits:
      • the displayed Captcha code
      • the ABN of that Business Entity
      • their identity validation details (as described in section 3.2.2)
      • where the new Administrator has been identified as:
        • the Business Associate – a display name that will be displayed to other Administrators within that Business Entity to identify them as an Administrator, or
        • another person – that other person’s Given names and Family name, and email and confirmation email address.
         
       
    3. Once the Business Associate’s identity and status (as a listed Business Associate of that Business Entity) is validated and confirmed:
    • where the Business Associate is the new Administrator:
      • an activation code is displayed to the Business Associate
      • the AUSkey System sends a notification email to the Business Associate confirming that they have registered successfully
      • the Business Associate clicks on a link in the notification email and enters and submits the activation code (to initiate certificate activation) and the displayed Captcha code (to begin the issuance process), or
       
    • where another person is the new Administrator, the process continues through steps 3 to 7 in section 4.1.4 above save that:
      • at the end of step 5, an activation code is displayed to the new Administrator
      • in step 7, the new Administrator enters and submits the activation code (to initiate certificate activation) and the displayed Captcha code (to begin the issuance process).
       

    4.1.6 Administrator varies privilege level of an existing AUSkey

    Attention

    Note: the privilege level of an AUSkey Standard Certificate is managed outside the Certificate. A variation to the privilege level (from user level to administrator level, or vice versa) does not result in, or require, a new Certificate being issued.

    End of attention

    The process for an Administrator for a Business Entity to vary the privilege level of an existing AUSkey Standard Certificate – held for that Business Entity – is generally as follows:

    1. The Administrator authenticates to the AUSkey Manager using their AUSkey.
    2. The Administrator selects the AUSkey Standard Certificate, selects the privilege level to which it is to be varied, and submits the request for that variation.
    3. The AUSkey System sends a notification email to the Certificate Holder informing them that an Administrator has approved variation to the privilege level associated with their Certificate.
      • Where the variation is from administrator to user level, the system applies the variation.
      • Where the variation is from user level to administrator level, the following steps apply.
       
    4. The Certificate Holder clicks on the link in the notification email, is taken to a form in the AUSkey website, and enters and submits:
      • the displayed Captcha code
      • a display name that will be displayed to other Administrators within that Business Entity to identify them as an Administrator
      • their identity validation details (as described in section 3.2.1).
       
    5. Once the Certificate Holder’s identity is validated and confirmed, the AUSkey System applies variation and sends a second notification email to the Certificate Holder informing them that they now have administrator privileges.

    4.2 Certificate Issuance

    The typical issuance of an AUSkey Standard Certificate includes these steps. The:

    1. AUSkey System prompts the Certificate Holder to accept the AUSkey Standard Certificate Conditions of Use.
    2. Certificate Holder accepts those Conditions of Use.
    3. Certificate Holder selects the location to which the AUSkey Standard Certificate is to be downloaded and stored (the Certificate Holder’s local hard drive or portable USB device).
    4. system prompts the Certificate Holder to create and confirm a password to protect their Certificate (and criterion are displayed explaining how to construct a “strong” password).
    5. Certificate Holder enters and confirms the password.
    Attention

    Note: if a password already exists due to prior issuance of an AUSkey Certificate to the Certificate Holder’s selected location, then the correct password must be entered.

    End of attention
    1. AUSkey Standard Certificate is generated and downloaded to the selected store file.
    2. AUSkey System generates and stores a confirmation message that the AUSkey Standard Certificate has been activated successfully.

    4.3 Certificate Acceptance

    The AUSkey Standard Certificate Conditions of Use set out responsibilities of the Certificate Holder of an AUSkey Standard Certificate (and of the Business Entity for which that Certificate is held) in relation to that Certificate. Responsibilities of the Certificate Holder are also set out in this CP. That Certificate Holder’s acceptance of those Conditions of Use constitutes acceptance of that Certificate. The use of that Certificate constitutes acceptance of:

    • that AUSkey Standard Certificate, and
    • the GKP003 Standard Certificate Policy, the GKP002 Certification Practice Statement, and the AUSkey Standard Certificate Conditions of Use (in each case, as current as at the time of use).

    4.4 Key Pair and Certificate Usage

    AUSkey Standard Certificates operate with a single key pair and have their keyUsage extension set to include these values:

    • Digital Signature
    • Non-Repudiation
    • Key Encipherment
    • Data Encipherment.

    This means that, for the purposes of both X.509 and this CP, an AUSkey Standard Certificate may be used for (and its one Key Pair can be used for) both signing and encryption (confidentiality) purposes. However, encryption use should only be for traffic in transit. AUSkey Standard Certificates are not designed to encrypt data long term, for example in a database.

    4.4.1 Certificate Holder responsibilities

    The Certificate Holder of an AUSkey Standard Certificate is responsible for:

    • downloading the Certificate when it is issued, following registration
    • creating the password that protects the Certificate and its associated Keys, and changing that password at recommended intervals
    • safely installing the Certificate onto a local keystore such as a hard drive or USB memory device
    • safeguarding the Certificate throughout its lifetime
    • requesting revocation of the Certificate, when required.

    Other responsibilities and obligations of the Certificate Holder are also set out in this CP, the AUSkey Standard Certificate Conditions of Use and the CPS (e.g. CPS sections 4.1.2, 4.4, 5.7.3 and 6.1.1).

    4.4.2 Administrator privileges

    An AUSkey Standard Certificate is held by an individual – the Certificate Holder – for the Business Entity identified in that Certificate (by way of its ABN). Where that Certificate has administrator level privileges, the Certificate Holder can perform the following administrative functions associated with that Business Entity’s correct and effective utilisation of the AUSkey system:

    • View a list of all AUSkeys issued for that the Business Entity, including the relevant Certificate Holder’s username, status (active, inactive, pending) and type (User, Administrator or Device Custodian).
    • View a list of all pending AUSkey applications made for that Business Entity (including the proposed Certificate Holder’s username and type) and delete and cancel pending applications from that list.
    • View and edit contact information (including email address and name) for all existing and proposed Certificate Holders of AUSkeys issued for, and pending AUSkey applications made for, that Business Entity.
    • Request new AUSkey Standard Certificates (with user or administrator level privileges), and new AUSkey Device Certificates, for that Business Entity.
    • Request the revocation of any AUSkey held for that Business Entity.
    • Reassign an AUSkey Device Certificate held for that Business Entity from one Device Custodian to another.
    • Vary the privilege level associated with an AUSkey Standard Certificate held for that Business Entity from user level to administrator level, or from administrator level to user level.

    4.4.3 Relying Party responsibilities

    See CPS sections 1.3.10 and 6.1.4.

    4.5 Certificate Renewal

    4.5.1 Routine renewal

    Routine Renewal of an AUSkey Standard Certificate takes place through the AUSkey System generating a new Key Pair and issuing a new Certificate that certifies the new Public Key. The auto-renewal process is invisible to the Certificate Holder and is generally as follows:

    1. Whenever an AUSkey Standard Certificate is used, the AUSkey System checks the Certificate’s expiration date.
    2. If the system determines that the expiration date is near (within 14 months), a new AUSkey Standard Certificate request is generated and signed using the old Certificate’s Keys. The Certificate Holder’s authentication with their existing AUSkey provides the necessary EOI for Certificate renewal.

     

    Attention

    Note: once the AUSkey has been renewed, expiry is again two years. If it is used after 10 months from its renewal date and before its expiration date, it is once again renewed. This means an AUSkey Holder who uses their AUSkey only once year would always have a current AUSkey.

    End of attention
    1. The PKCS#10 Certificate request is sent to the AUSkey Manager and then forwarded to the ABR RA.
    2. The ABR RA validates and checks the contents of the PKCS#10 data. The only difference between renewal and the original issuance process is that for a renewal, the PKCS#10 is signed with the old Certificate’s Keys.
    3. The ABR RA signs the AUSkey Standard Certificate request.
    4. The ABR RA stores the signed request in the local ABR RA database.
    5. The ABR RA sends the request to the ABR CA.
    6. The ABR CA issues and returns a Certificate chain containing the Certificate Holder’s new AUSkey Standard Certificate, the ABR CA Certificate and the ABR RCA Certificate.

    See section 4.6 below for Certificate re-key.

    4.5.2 Renewal after revocation

    If an AUSkey Standard Certificate is revoked it will not be renewed. Instead, a new Certificate must be applied for and issued (see sections 3.2, 4.1 and 4.2 above).

    4.6 Certificate Re-Key

    Certificate re-key is the process of generating a new Key Pair and issuing a new Certificate that certifies the new Public Key. All AUSkey Standard Certificate renewals include re-keying as follows:

    1. Whenever the Certificate Holder uses their existing AUSkey Standard Certificate, the AUSkey System checks the Certificate’s expiration date.
    2. If the AUSkey Standard Certificate is due to expire within 14 months, the system initiates the renewal process (see section 4.5 above).
    3. The new AUSkey Standard Certificate is generated and downloaded to the local key store (where the existing AUSkey is stored), silently, with no interaction with the Certificate Holder.
    4. The next time the Certificate Holder attempts to authenticate using the existing AUSkey, the system selects the new AUSkey Standard Certificate, confirms that it is functioning, and overwrites the old AUSkey in the key store.
    5. The system generates and stores a confirmation that the AUSkey Standard Certificate has been renewed successfully. This confirmation is not displayed in the user interface.

    The AUSkey System has no limit on the number of renewals it will perform on a single Certificate.

    If an AUSkey Standard Certificate is not used within 14 months of its expiration date, it will expire at the end of its validity period (as set out in the Certificate Profile in section 7 below). The AUSkey System will not renew revoked or expired AUSkeys. Instead, a new Certificate must be applied for and issued (see sections 3.2, 4.1 and 4.2 above).

    4.7 Certificate Modification

    Certificate modification is not supported by the AUSkey System. See CPS section 4.7.

    4.8 Certificate Revocation and Suspension

    4.8.1 Circumstances for revocation

    See CPS sections 4.8.1, 4.10 and 5.7.1.

    4.8.2 Who may request revocation

    Revocation of an AUSkey Standard Certificate – held by the Certificate Holder for a Business Entity – may be requested by:

    • that Certificate Holder
    • an Administrator for, or a Business Associate of, that Business Entity
    • the ABR RA, or
    • the ABR Registrar.

    Organisations cannot initiate revocation action when acting as Relying Parties.

    4.8.3 Procedure for revocation request

    The revocation of an AUSkey Standard Certificate may be requested by the Certificate Holder, an Administrator for or a Business Associate of, the Business Entity identified in that Certificate, as follows:

    • The Certificate Holder authenticates to the AUSkey Manager using, and requests the revocation of, their own AUSkey Standard Certificate.
    • That Administrator authenticates to the AUSkey Manager using their own AUSkey and requests the revocation of that AUSkey Standard Certificate.
    • The Certificate Holder telephones an AUSkey Operator, provides sufficient identity details to allow the AUSkey Operator, in accordance with existing ABR processes, to validate their identity and their status as the Certificate Holder, and requests the revocation of their AUSkey Standard Certificate.
    • That Administrator or Business Associate telephones an AUSkey Operator, provides sufficient identity details to allow the AUSkey Operator, in accordance with existing ABR processes, to validate their identity and their status as an Administrator for or a Business Associate of that Business Entity, and requests the revocation of that AUSkey Standard Certificate.

    The CA must advise the Trust Broker of the revocation in accordance with the requirements of the CPS, and notify the relevant Certificate Holder (or in default, an Administrator for or Business Associate of the relevant Business Entity) that the AUSkey Standard Certificate is revoked. The notice need not include the reason for revocation.

    The CA must also archive the revoked AUSkey Standard Certificate and the certificate revocation request for a period of seven years after the Certificate would have otherwise expired.

    Attention

    Note: this is to provide proof of who requested the digital certificate or its revocation, which may be necessary as part of a forensic investigation if the existence of the Certificate itself is ever questioned.

    End of attention

    Access to revocation information will be through a standards compliant and approved X.509 protocol such as LDAP.

    4.8.4 Suspension of AUSkey Standard Certificates

    Suspension is not supported for AUSkey Standard Certificates under this CP. See CPS section 4.8.4.

    4.9 Certificate Status Services

    See CPS section 4.9.

    4.10 End of Subscription

    See CPS section 4.10.

    4.11 Key Escrow and Recovery

    See CPS section 4.11.

    5 Facility, Management and Operational Controls

    See section 5 of the CPS for a description of the AUSkey System’s facility, management and operational controls, including:

    • CPS section 5.1 – Physical Security Controls
    • CPS section 5.2 – Procedural Controls
    • CPS section 5.3 – Personnel Controls
    • CPS section 5.4 – Audit logging procedures
    • CPS section 5.5 – Records Archival
    • CPS section 5.6 – Key Changeover
    • CPS section 5.7 – Compromise and disaster recovery
    • CPS section 5.8 – ABR RA or ABR CA termination.

    6 Technical Security Controls

    See section 6 of the CPS for a description of the AUSkey System’s technical security controls, including:

    • CPS section 6.1 – Key Pair Generation and Installation
    • CPS section 6.2 – Private Key Protection
    • CPS section 6.3 – Other Aspects of Key Pair Management
    • CPS section 6.4 – Activation Data
    • CPS section 6.5 – Computer Security Controls
    • CPS section 6.6 – Life Cycle Technical Controls
    • CPS section 6.7 – Network security controls
    • CPS section 6.8 – Time-stamping.

    7 Certificate, CRL and OCSP Profiles

    7.1 User Certificate Profile

    Certificate Fields
    Attribute Value

    version

    “3” to indicate X.509 version 2 certificates.

    serialNumber

    Unique identifier for each certificate, composed of incremental positive integers.

    signature

    Algorithm identifier for the algorithm used by the CA to sign the certificate: SHA-1 with RSA encryption.

    issuer

    Distinguished Name of the issuing CA:

    Common Name = Australian Business Register CA

    OU = Certification Authority

    Organisation = Australian Business Register

    Country = AU.

    validity

    2 years maximum (expressed as “From” and “To” dates)

    subject

    Distinguished Name of the certificate subject, in this case the User associated with the private key.

    Common Name = <User given names><Space><User family name>

    dnQualifier=<Person identifier value>

    Organisation = Business entity ABN value

    Country = AU

    subjectPublicKeyInfo

    The public key and the public key algorithm (RSA 1024 with a SHA-1 digest).

    Certificate Extensions
    Attribute Value

    Key size

    1024

    keyUsage

    Defines valid purposes, such as encipherment or signature, for the key contained in the certificate. Settings will include Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment. The values keyCertSign or crlSign are not allowed in User Certificates. See section 4.4 above for more information on valid usage of the single key pair.

    certificatePolicies

    CP information such as the OID and the URL where the CPS is available:

    Policy Identifier OID = 1.2.36.1.3001.1.1.7.1

    Certificate Practice Statement available on the Terms and Conditions page.

    User Notice = This certificate may only be used for the purpose permitted in the applicable Certificate Policy. Limited liability applies – refer to the Certificate Policy.

    basicConstraints

    Indicates if the subject may act as a CA and should be set to “False”.

    ABN (custom extension)

    Uses the Gatekeeper II OID to identify the ABN:

    1.2.36.1.333.1

    The ABN value is encoded as an IA5String.

    7.2 CRL Profile

    CRL Attributes
    Attribute Value

    CRL issue period

    90 minutes

    CRL validity

    7 hours

    CRL signature digest

    SHA-1 (since SHA-256 is not supported by the UniCERT CA or The Trust Broker.

    revokedCertificates

    List of revoked certificates by serial number.

    reasonCode

    Not used.

    invalidityDate

    Date at which it is known or suspected that the private key was compromised or that the certificate should otherwise be considered invalid.

    7.3 OCSP Profile

    No stipulation.

    8 Compliance Audits and Other Assessments

    See section 8 of the CPS for a description of the AUSkey System’s compliance audits and other assessments, including:

    • CPS section 8.1 – Frequency or Circumstances of Assessment
    • CPS section 8.2 – Identity/Qualifications of Assessor
    • CPS section 8.3 – Assessor's Relationship to Assessed Entity
    • CPS section 8.4 – Topics Covered by Assessment
    • CPS section 8.5 – Actions Taken as a Result of Deficiency
    • CPS section 8.6 – Communication of Results.

    9 Other Business and Legal Matters

    9.1 Privacy of Personal Information

    See CPS section 9.1.

    9.2 Representations and Warranties

    See CPS section 9.2.

    9.3 Disclaimers of all other Warranties

    See CPS section 9.3.

    9.4 Limitation of Liability

    See CPS section 9.4.

    9.5 Indemnities

    See CPS section 9.5.

    9.6 Notices

    See CPS section 9.6.

    9.7 Amendments

    See CPS section 9.7.

    9.8 Dispute Resolution Procedures

    See CPS section 9.8.

    9.9 Governing Law

    See CPS section 9.9.

    Version 1.2 - updated 5 November 2013.

    • Last modified: 15 Jun 2016QC 253