FINA QUALIFIED TIME-STAMPING PRACTICE STATEMENT

Transcription

1 Classification: Designation: Page: 1/67 FINA QUALIFIED TIME-STAMPING PRACTICE STATEMENT (Public Document) Version 1.0 Effective date: 22 May 2017 Document OID:

2 Page: 2/67 Document details Document Name Qualified Time-Stamping Document OID Document Type Distribution Designation Document Owner Contact TSA practice statement, TPS Public Financial Agency, Fina Amendment History Version Date Reason for Amendment /05/2017 Initial version

3 Page: 3/67 CONTENTS: REFERENT DOCUMENTED INFORMATION... 9 Core legislation... 9 Subordinate regulations... 9 Other legislation... 9 Standardization documents... 9 Fina's Documents INTRODUCTORY NOTES AND GENERAL DETAILS Overview Document name and identification Fina QTSA 2017 participants Provider of qualified time-stamping services Subscribers Registration authorities Relying parties Other participants Appropriate usage of time-stamps Prohibited time-stamp uses Administracija dokumenta Opća pravila Policy administration Contact person Person determining CPS suitability for the policy Definitions and acronyms PUBLICATION AND REPOSITORY RESPONSIBILITIES Repositories Publication of time-stamping information Contents Publication and Repository Management Procedures Time or frequency of publication Access controls on repositories IDENTIFICATION, IDENTITY VALIDATION AND ISSUANCE OF ELECTRONIC TIME- STAMPS Subscriber identification Initial Subscriber identity validation Submission of registration forms Entry into Agreement Authentication on Fina QTSA 2017 service Time-Stamp Unit Certificate Electronic time-stamp Time-Stamp Request Time-Stamping Request profile Time-Stamp Response Profile of the Fina QTSA 2017 Service s response to a Time Stamp Request received Time-stamp profile Time accuracy in issued time-stamps Clock synchronization with UTC Daylight saving time... 28

4 Page: 4/ Time-stamp validation Service availability Issuing Non-Qualified Electronic Time-Stamps Transport protocol for the electronic time-stamping service CERTIFICATE LIFECYCLE OPERATIONAL REQUIREMENTS FOR FINA QTSA Issuing of Certificate Certificate revocation and suspension Circumstances for revocation Who can request revocation CRL Profile CRL issuance frequency Maximum latency for CRLs Online revocation/status checking availability Other forms of revocation advertisements available Service availability End of subscription FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS Physical controls Site location and construction Physical access Power and air conditioning Water exposure Fire prevention and protection Media storage Waste disposal Off-site backup Procedural controls Trusted roles Number of persons required per task Identification and authentication for each role Roles requiring separation of duties Personnel controls Qualifications, experience and clearance requirements Background check procedures Training requirements Retraining frequency and requirements Job rotation frequency and sequence Sanctions for unauthorised actions Independent contractor requirements Documentation supplied to personnel Audit logging procedures Types of events recorded Frequency of processing log Retention period for audit log Protection of audit log Audit log backup procedures Audit collection system (internal vs. external) Notification to event-causing subject Vulnerability assessment Records archival... 40

5 Page: 5/ Types of records archived Retention period for archive Protection of archive Archive backup procedures Requirements for time-stamping of records Archive collection system (internal or external) Procedures to obtain and verify archive information TSU Key changeover Compromise and disaster recovery Incident and Compromise Handling Procedures Computing resources, software and/or data are corrupted Entity private key compromise procedures Business continuity capabilities after a disaster Fina QTSA termination TECHNICAL SECURITY CONTROLS Key pair generation and installation TSU key pair generation Private key delivery to Fina QTSA Key sizes Public key parameters generation and quality checking Key usage purposes Private Key Protection and Cryptographic Module Engineering Controls Cryptographic module standards and controls TSU private key (n out of m) multi-person control Private key escrow Private key backup Private key archival Private key transfer into or from a cryptographic module Private key storage on cryptographic module Method of activating TSU private key Method of activating TSU private key Method of destroying private key Cryptographic Module Rating Other Aspects of Key Pair Management Public key archival Fina QTSA certificate operational periods and TSU key pair usage periods Activation data Activation data generation and installation Activation data protection Computer security controls Specific computer security technical requirements Computer security rating Tehničke kontrole životnog ciklusa Life cycle technical controls Security management controls Life cycle security controls Network security controls Time-stamping... 51

6 Page: 6/67 7. CERTIFICATE, CRL, AND OCSP PROFILES Fina QTSA 2017 Certificate profile Version number(s) Basic fields and certificate extensions Basic fields of Fina QTSA 2017 Certificate Fina QTSA 2017 Certificate extensions Algorithm object identifiers Name forms Name constraints Certificate policy object identifier Usage of Policy Constraints extension Policy qualifiers syntax and semantics Processing Semantics for the critical Certificate Policies extension CRL profile Version number(s) CRL and CRL entry extensions OCSP profile Version number(s) OCSP extensions COMPLIANCE AUDIT Frequency or circumstances of assessment External compliance audit Internal compliance audit Identity/qualifications of assessors Assessor's relationship to assessed entity Topics covered by assessment Actions taken as a result of deficiency Communication of results OTHER BUSINESS AND LEGAL MATTERS Fees Refund policy Financial responsibility Insurance coverage Other assets Insurance or warranty coverage for end-entities Confidentiality of business information Scope of confidential information Information not within the scope of confidential information Responsibility to protect confidential information Privacy of personal information Privacy plan Information treated as private Information not deemed private Responsibility to protect private information Notice and consent to use private information Disclosure pursuant to judicial or administrative process Other information disclosure circumstances... 61

7 Page: 7/ Intellectual property rights Representations and warranties Representations and warranties of Fina as a time-stamping Service Provider RA representations and warranties Subscriber representation and warranties Relying party representations and warranties The relying part is required to comply with the provisions of this QTPS document Responsibilities of Fina QTSA 2017 participants Responsibilities of Fina as a Qualified Time-Stamping Service Provider RA responsibilities Subscriber responsibilities Relying party responsibilities Disclaimer of warranties Limitations of liability Indemnities Term and termination Term Termination Individual notices and communication with participants Amendments Dispute resolution provisions Notification mechanism and period Circumstances under which OID must be changed Dispute resolution provisions Governing law Compliance with applicable law Miscellaneous provisions... 67

8 Page: 8/67 COPYRIGHT The Qualified Time-Stamping is the property of Fina, administered by Fina PMA and subject to copyright in accordance with laws of the Republic of Croatia..

9 Page: 9/67 REFERENT DOCUMENTED INFORMATION Core legislation [1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [2] Electronic Signature Act (Croatian Official Gazette (hereinafter referred to as Official Gazette) 10/2002) [3] Act on Amendments to the Electronic Signature Act (Official Gazette 80/2008) [4] Act on Amendments to the Electronic Signature Act (Official Gazette 30/2014) Subordinate regulations [5] Ordinance on the Registry of Certification Service Providers in the Republic of Croatia (Official Gazette 107/2010) [6] Ordinance on the Creation of Electronic Signature, the Use of Signature Creation Devices and on General and Special Terms and Conditions for Providers of Time- Stamping and Certification Services (Official Gazette 107/2010) [7] Ordinance on Amendments to the Ordinance on the Creation of Electronic Signature, the Use of Signature Creation Devices and on General and Special Terms and Conditions for Providers of Time-Stamping and Certification Services (Official Gazette 89/2013) Other legislation [8] The Act on Personal Data Protection (Official Gazette 106/2012 consolidated text) Standardization documents [9] ETSI EN V2.1.1 ( ); Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers [10] ETSI EN V1.1.1 ( ) Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps [11] ETSI EN V1.1.1 ( ) Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles [12] ETSI EN V ( ) Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements [13] ETSI EN V ( ) Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates

10 Page: 10/67 [14] ETSI EN V2.2.2 ( ) Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers [15] ETSI EN V1.1.1 ( ) Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation [16] ETSI TS V ( ) Electronic Signatures and Infrastructures (ESI); Cryptographic Suites [17] IETF RFC 3161 (2001) Internet X.509: Public Key Infrastructure: Time Stamp Protocol (TSP) [18] IETF RFC Internet X.509 Public Key Infrastructure: Qualified Certificates Profile [19] IETF RFC Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [20] IETF RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol OCSP (2013) [21] NIST FIPS PUB 140-2: Security Requirements for Cryptographic Modules [22] ISO/IEC 27001: Information technology Security techniques Information security management systems Requirements [23] ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security controls Fina's Documents [24] Certificate Policy and Certification for Fina Root CA, CP/CPS ROOT [25] Qualified Time-Stamp Policy, QTP [26] Certificate Policy for Qualified Certificates for Electronic Signatures and Seals, CP QC-eIDAS [27] Certification for Non-qualified Certificates, CPS NQC-eIDAS

11 Page: 11/67 1. INTRODUCTORY NOTES AND GENERAL DETAILS As a Qualified Certification and Time-Stamping Service Provider, Fina is registered under number HR-QC in the Registry of Certification Service Providers in the Republic of Croatia maintained by the central state administration authority competent for economic affairs. Fina s Qualified Time-Stamping Service termed Fina QTSA 2017 is part of the existing Fina PKI production environment. Fina QTSA 2017 issues Qualified Time-Stamps that may be used together with Qualified Certificates and it is based on a system whose secuity level is equal to that of the Qualified Certificate System Overview This Qualified Time-Stamping document (QTPS) document (hereinafter: QTPS document) contains the description of processes and procedures applied by Fina PKI which refer to provision of qualified time-stamping services, pursuant to the provisions of Qualified Time-Stamp Policy [25] document. The time-stamping technology deployed is based on public-key cryptography, X.509 certificates and reliable accurate time services. The content of this QTPS document is in compliance with the following standardization documents: ETSI EN [9], ETSI EN [10], ETSI EN [11], ETSI TS [16]. The purpose of this QTPS document is to define practices from the scope of this document, implemented by Fina QTSA service, time-stamping service subscribers (hereinafter referred to as Subscribers) and relying parties. The interpretation of the provisions of this QTPS document is governed by the provisions of Regulation (EU) No. 910/2014 [1], the Electronic Signature Act [2], [3] and [4], the subordinate regulations [5], [6] and [7] issued pursuant to that Act, the relevant standardization documents and recommendations referring to it, and the provisions of Qualified Time-Stamp Policy [25]. Qualified Time-Stamps issued according practices defined in this QTPS document are in compliance with the requirements of ETSI EN [10]. As a Qualified Time-Stamping Service Provider, Fina includes its own QTP OID: in the time-stamps issued by it. The provision of the time-stamping service is in compliance with the ETSI Best Time-Stamping Practices (BTSP): ETSI EN [10] BSTP: Best practices Time-Stamp Policy OID:

12 Page: 12/ Document name and identification This QTPS document contains Fina s practices for the provision of time-stamping services. British Standards Institution (BSI) International Code Designator (ICD) assigned the OID to Fina. Based on that OID, Fina assigned the following OID for time-stamping service purposes: Listed below are the Document Name and the corresponding identification data. Name: Qualified Time-Stamping Version: 1.0 Effective date: 22 May 2017 OID: Web page containing this QTPS document is: Fina QTSA 2017 participants Provider of qualified time-stamping services Fina uses Fina QTSA 2017 to provide it s Qualified Time-Stamping Service (hereinafter referred to as the Time-Stamping Service) Subscribers Fina QTSA 2017 Subscribers are natural persons (citizens) or Business Entities that enter into Time-Stamping Service Agreements with Fina. Fina s internal subscribers are also Subscribers of Fina s Qualified Time-Stamping Service Registration authorities Subscriber registration for Fina QTSA 2017 service is be performed in Fina Registration Authorities. For the purpose of Subscriber registration, Fina operates its organized network of registration authorities (hereinafter referred to as Fina RA Network) which registers Fina QTSA 2017 service Subscribers. Fina RA Network is comprised of Local Registration Authority networks (hereinafter referred to as Fina LRA) in Fina's business network and the Central Fina RA. Subscriber registration with Fina RA Network is carried out by Fina LRA or, in exceptional cases, by the Central Fina RA. In Fina LRA, registration is carried out by Registration Officers. Registration activities in Fina RA Network are coordinated by the Central Fina RA, which is the central point of communication in the Fina RA Network. Fina may define any other appropriate method of Subscriber registration Relying parties Relying Parties are natural persons or Business Entities receiving time-stamps and acting based on reasonable reliance on time-stamps issued by Fina QTSA 2017 service

13 Page: 13/ Other participants No stipulations Appropriate usage of time-stamps Qualified time-stamps issued by Fina QTSA 2017 may be used for any purpose requiring evidence of the existence of a particular data in electronic form in the time specified in the issued timestamp. Qualified time-stamps issued by Fina QTSA 2017 are also used to ensure the longevity of electronic signatures Prohibited time-stamp uses It is prohibited to use qualified time-stamps for such data or electronic records whose content is in violation of the Constitution of the Republic of Croatia, the applicable mandatory regulations or social morality Administracija dokumenta Opća pravila Policy administration Fina shall remain authorised and responsible for creation and update of the Qualified Time-Stamp Policy (hereinafter referred to as the Policy) and this QTPS document. Authorized persons in Fina s organizational units participating in the development, maintenance, implementation and approval of policies and practices that are applied in provision of trust services in Fina PKI hereinafter are called collectively the Fina PMA. Amendments and updates of this document are performed and based on internal proposals and requirements for harmonization with the legislation and the relevant standards Contact person Contact details for administration and content of this Qualified Time-Stamp Policy are given below. Mailing address: Fina Sektor financijskih i elektroničkih usluga Ured za upravljanje politikom e-poslovanja Koturaška cesta Zagreb Croatia Telephone: Telefax: pma@fina.hr

14 Page: 14/ Person determining CPS suitability for the policy Compliance of this QTPS document with the Qualified Time-Stamp Policy [25] is determined by Fina PMA TPS approval procedures The preparation, approval and entry into effect of this QTPS that confirm its compliance with Qualified Time-Stamp Policy [25] is described in Sections and of this QTPS and in Sections and of Qualified Time-Stamp Policy [25] document Definitions and acronyms Definitions TERM Activation data Advanced electronic seal Advanced electronic signature Associated Person Authentication MEANING Confidential data necessary to access or activate the cryptographic module. Activation data may be PIN, password or electronic key which the person knows or possesses. Electronic seal that meets the following requirements: (a) it is uniquely linked to the Creator of a seal; (b) it is capable of identifying the Creator of a seal; (c) it is created using electronic seal creation data that the Creator of a seal can, with a high level of confidence under its control, use for electronic seal creation; and (d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable. Electronic signature that meets the following requirements: (a) it is uniquely linked to the Signatory; (b) it is capable of identifying the Signatory; (c) it is created using electronic signature creation data that the Signatory can, with a high level of confidence, use under its exclusive control; and (d) it is linked to the signed data in such a way that any subsequent change in the data is detectable. Natural person employed at the Business Entity or otherwise associated with the Business Entity, and who is authorized by the same Business Entity to receive certificates. Such certificate identifies both the person and the Business Entity, and indicates that the person is associated with the Business Entity. An electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed. Authorised Representative Natural person authorised legally or by proxy to represent the Creator of a seal in the issuance procedure and/or revocation of the Certificate for the Electronic Seal.

15 Page: 15/67 TERM Business entity CA Certificate Central RA Certificate Certificate for electronic seal Certificate for electronic signature Certificate Policy (CP) Certificate reactivation Certificate revocation Certificate Revocation List (CRL) Certificate suspension Certificate validation 1. Legal persons, such as: companies; credit and financial institutions; public and private institutions; MEANING associations with legal personality; non-profit and non-government organizations with legal personality, funds with legal personality; local and regional self-government units (municipalities, towns and counties) etc. 2. Public authorities, such as: state authorities; state administration bodies; state agencies etc. 3. Natural persons with a registered business, such as: trades people; attorneys; notaries public etc. Public-key certificate for one CA issued by another CA or by the same CA. Central registration office that is primarily in charge of coordinating the entire RA Network, but may also directly perform Subscriber registration. See the term "Public Key Certificate". Electronic attestation that connects the electronic seal validation data with the legal person and confirms the name of that person. Electronic attestation that connects the electronic signature validation data with the natural person and confirms at least the name or pseudonym of that person. A named set of rules which indicates the certificate applicability on a certain group and/or class of applications with common security requirements. An action that makes a suspended certificate valid from the moment of reactivation. An action that makes a certificate irrevocably invalid from the moment of revocation. Signed list indicating a set of certificates that are no longer considered valid by the certificate issuer. An action that makes a certificate invalid from the moment of suspension. Suspended certificate may be reactivated and thus made valid again. Process of verifying and confirming that a certificate is valid.

16 Page: 16/67 TERM Certification Authority (CA) MEANING Authority trusted by one or more users to create and assign public-key certificates. Certification Authority may be: 1. a trust service provider that creates and assigns public key certificates; or 2. a technical certificate generation service that is used by a certification service provider that creates and assign public key certificates. Certification Practice Statement (CPS) Certification services Certification system Conformity Assessment Body Coordinated Universal Time (UTC) Creator of a seal Cryptographic module Distinguished Name (DN) Electronic seal Electronic Seal Creation Data Electronic Seal Creation Device Electronic signature Electronic Signature Creation data Statement of the practices which a Certification Authority employs in issuing managing, revoking, and renewing or re-keying certificates. Services of issuance and lifecycle management of certificates. System of IT products and components organised for providing certification services. A body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides. Second-based time scale as defined by ITU-R Recommendation TF For most practical applications, UTC is equivalent to mean solar time of the Prime Meridian (0 ). More precisely, UTC is a compromise between the very stable atomic time (fr. Temps Atomique International - TAI) and solar time derived from irregular Earth's rotation (in relation to the agreed Greenwich mean sidereal time (GMST)). A legal person who creates an electronic seal. Software or device of a certain security level which: generates a key pair and/or protects cryptographic information, and/or performs cryptographic functions. A unique name of the Subject entered in the certificate. The distinguished name uniquely identifies the Subject to whom the certificate is issued and it is unique within one CA. Data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter s origin and integrity. Unique data, which is used by the creator of the electronic seal to create an electronic seal. Configured software or hardware used to create an electronic seal. Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Unique data which is used by the signatory to create an electronic signature.

17 Page: 17/67 TERM Electronic Signature Creation device Electronic Time-Stamp MEANING Configured software or hardware used to create an electronic signature. Data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time. EU Qualified Certificate Qualified Certificate as specified in the Regulation (EU) No 910/2014. Fina LRA Fina PKI Fina RA Network Key Pair Legal Representative Natural person - citizen Policy Management Authority (PMA) Private Key Public Directory Public Key Public Key Certificate Public Key Infrastructure (PKI) QSCD Device Qualified Auditor Local Registration Authority in Fina business network. Public Key Infrastructure (PKI) established in Fina which is intended for providing certification services to natural persons (citizens), business entities and state administration authorities, and which operates as the Trusted Third Party. Fina Registration Authority Network consists of the Central Fina RA and Fina LRA. Two uniquely linked cryptographic keys, one of which is a private key and another is a public key. A person legally authorised to represent the Subscriber which is a Business Entity. Natural person requesting the certification service for the purpose of the use of the certificate for and on her/his own behalf, and excluding any natural person with registered business activity, any self-employed natural person and any natural person acting for and on behalf of another natural or legal person (Associated Person). Body with final authority and responsibility for specifying and approving the Certificate Policy. In a public key cryptographic system, that key of an entity's key pair which is known only by that entity. IT system which is used for online publication of information concerning certificates, including information on certificate revocation. In a public key cryptographic system, that key of an entity's key pair which is known only by that entity. Public key of an entity, together with some other information, rendered unforgeable by digital signature with the private key of the certification authority which issued it. Infrastructure able to support the management of public keys able to support authentication, encryption, integrity or non-repudiation services. Qualified Electronic Signature/Seal Creation Device (see term "Qualified Electronic Signature Creation Device" or "Qualified Electronic Seal Creation Device"). Natural or legal person that meets the requirements stated in the document Baseline Requirements, published by the CA/Browser Forum.

18 Page: 18/67 TERM Qualified Certificate for the Electronic Seal Qualified Certificate for the Electronic Signature MEANING A certificate for an electronic seal, that is issued by a qualified trust service provider and meets the requirements laid down in Annex III of Regulation (EU) No 910/2014 [1]. A certificate for electronic signatures, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I of Regulation (EU) No 910/2014 [1]. Qualified Electronic Seal Qualified Electronic Seal Creation Device Qualified Electronic Signature Qualified Electronic Signature Creation Device Qualified Electronic Time- Stamp Qualified Trust Service Provider RA Network Registration Authority (RA) Registration Officer Regular Certificate Renewal Relying Party Remote electronic signing and sealing service An advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal. An electronic seal creation device that meets mutatis mutandis the requirements laid down in Annex II of Regulation (EU) No 910/2014 [1]. An advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. An electronic signature creation device that meets the requirements laid down in Annex II of the Regulation (EU) No 910/2014 [1]. Electronic Time-Stamp that meets the following requirements: (a) it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably; (b) it is based on an accurate time source linked to Coordinated Universal Time; and (c) it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method. Trust Service Provider that provides one or more qualified trust services and is granted the qualified status by the supervisory body. The complete registration authority network consisting of the Fina RA Network and of external RAs with which Fina concluded an agreement on the registration services. Authority responsible for identification and authentication of certification subjects, as well as other persons or organisations. Person responsible for data confirmation necessary for certificate issuance and authorisation of application for certificate issuance. Certificate renewal in Fina PKI means issuance of a new certificate the parameters of which are the same as the parameters of the certificate to which the application relates, but with a new public key, new certificate serial number, new operational period and new signature of the same CA, and is carried out in the defined period before the expiry of certificate validity. Natural or legal person that relies upon an electronic identification or a trust service. Service that coordinates and manages the process through which the end-user may, by using his/her personal device, remotely sign or seal a document or another information by using a signing key stored in this service, remotely from the users.

19 Page: 19/67 TERM Revocation Officer Root CA Root CA Certificate Secure Cryptographic Device Signatory Signature verification MEANING Person responsible for the change of the certificate's operative status. Certification authority which is at the highest level within trust service providers domain and which is used to sign subordinate CA(s) CA Certificate that the Root CA issued to itself. Device which holds the Subscriber's private key, protects this key against compromise and performs signing or decryption functions on behalf of the user. A natural person who creates an electronic signature. Process of checking the cryptographic value of a signature using signature verification data. Signature verification data Data, such as codes or public cryptographic keys, used for the purpose of verifying a signature. State Administration Body (TDU) Subject Subscriber Trust Service Provider Trusted list Trusted roles TSA system Validation Validation data State authority body responsible for performing state administration tasks in the administrative domain of its competence. State administration bodies include ministries, state offices, administrative organizations and county state administration offices or other state administration bodies established by the applicable law in force. Entity identified in a certificate as the holder of the private key associated to the public key given in the certificate. Legal or natural person bound by agreement with a trust service provider to any Subscriber obligations. A natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider. List that provides information about the status and the status history of the trust services from trust service providers regarding compliance with the applicable requirements and the relevant provisions of the applicable legislation. Roles which are responsible for secure operation of the trust service provider. Trusted Roles and the corresponding responsibilities is clearly described by the Trust Service Provider in the employee's job description. Composition of IT products and components organized to support the provision of time-stamping services. Process of verifying and confirming that an electronic signature or a seal is valid. Data used for electronic signature or electronic seal validation. Table 1.1 Definitions

20 Page: 20/ Abbreviations ABBREVIATION FULL NAME CA CP CP QC-eIDAS CPS CPS QC-eIDAS CRL DN LDAP LRA OCSP OID PIN PKI PMA QC QCP QCP-l QCP-l-qscd QCP-n QCP-n-qscd QSCD RA TDU UTC Certification Authority Certificate Policy Certificate Policy for Qualified Certificates for Electronic Signatures and Seals Certification Certification for Qualified Certificates for Electronic Signatures and Seals Certificate Revocation List Distinguished Name Lightweight Directory Access Protocol Local Registration Authority Online Certificate Status Protocol Object Identifier Personal Identification Number Public Key Infrastructure Policy Management Authority Qualified Certificate Qualified Certificate Policy Certificate policy for EU qualified certificate issued to a legal person Certificate policy for EU qualified certificate issued to a legal person where the private key and the related certificate reside on a QSCD Certificate policy for EU qualified certificate issued to a natural person Certificate policy for EU qualified certificate issued to a natural person where the private key and the related certificate reside on a QSCD Qualified electronic Signature/Seal Creation Device Registration Authority State Administration Body (Bodies) Coordinated Universal Time Table 1.2. Abbreviations

21 Page: 21/67 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES 2.1. Repositories Fina QTSA repository is managed by Fina as a Qualified Trust Service Provider. Fina is responsible for the work and publication of documents and information on Fina QTSA repository. Fina ensures online repository availability 24 hours a day, 7 days a week Publication of time-stamping information Fina QTSA repository publishes documents and information on on time-stamping services provision Repository Contents The following documents and information are published on the website of the Fina QTSA repository: Current Qualified Time-Stamp Policy, Public version of current QTPS document, Previous versions of Qualified Time-Stamp Policy and QTPS document, Time-Stamping Terms and Conditions and Disclosure Statement, TSU Certificate used by Fina QTSA 2017 service to sign time-stamps, Time-stamping services pricelist, Fina QTSA 2017 Registration Form, Current locations of Fina RAs/LRAs, Subscriber instructions, Communications to Subscribers related to time-stamping service provision, Other Fina QTSA 2017 service operation-related information. The published Fina QTSA repository, being an integral part of Fina PKI repository, is available at Confidential information is not publicly disclosed in the Fina PKI repository Contents Publication and Repository Management Procedures Subject to authorization, documents are published in the repository by a person authorized to manage contents of the online part of the repository. Communications to Subscriber and legislative information are published after they become applicable in Fina PKI. The publication of information and documents is authorized by Fina PMA. Fina CAs certificates, the Fina QTSA 2017 certificate and the associated information are published after being issued. The publication of terms and conditions of services, Subscriber instructions, and request, agreement and power-of-attorney forms are authorized by Fina PMA. These documents are published without prior notice and former versions of documents are removed from the repository. Fina CA automatically publishes the relevant CRLs in the public directory and on the repository s website after they are issued.

22 Page: 22/67 The publication of a new pricelist version is authorized by Fina PMA. Subscriber communications and information may be published on the repository s website without authorization from Fina PMA; however, Fina PMA must be duly notified of any publication of such communications or information Time or frequency of publication Fina are annually maintains, updates, approves, publishes and applies the Qualified Time-Stamp Policy [25] and this QTPS document. Other Fina PKI documents and other relevant information are published as required, after the approval Access controls on repositories Documents and information published in the Fina PKI repository are free and publicly available. Fina has access controls established on the repository in order to prevent unauthorised adding, changing or deleting of information and protect its integrity and authenticity. Mode of access to documents and information published on the repository is read-only. Authorised Fina personnel has the right to add, change or delete information in the Fina PKI repository.

23 Page: 23/67 3. IDENTIFICATION, IDENTITY VALIDATION AND ISSUANCE OF ELECTRONIC TIME-STAMPS 3.1. Subscriber identification Fina QTSA 2017 provides Qualified Time-Stamp service only to registered Subscribers holding a Fina Authentication Certificate or Fina Application Certificate. If a Subscriber already has a Fina digital dertificate for accessing the Fina Time-Stamping Service, he is required to complete and signed a Registration Form for the Fina Time-Stamping Service and submit it to Fina LRA together with two copies of signed Time-Stamping Service Agreement. The Registration and Agreement Forms are available on the website of the repository referred to in Section 2.2 of this QTPS document. If a Subscriber does not have Fina digital certificates, he, in addition to the Registration Form and the Time-Stamping Service Agreements, applies for a Fina certificate whereby he shall access the Fina Time-Stamping Service. If the Subscriber application does not support certificate-based authentication, the Subscriber may send a query in connection with the use of the service to: info.rdc@fina.hr where he shall receive a reply about the possibility of arranging the Fina Time-Stamping Service for the Subscriber s specific scenario. After registration, the Subscriber enters into a Fina Time-Stamping Service Agreement with Fina. Time-stamping service Subscribers are also subscribers to Fina s Web e-signature application Initial Subscriber identity validation Fina carries out verification of data collected in the process of Subscriber s registration by comparing it to the data from the submitted documentation and if applicable, by using communication channels in accordance with the adopted laws in force. The procedure for identifying applicants for Fina authentication certificate or Fina application certificate is described in the Fina s Certification for Non-Qualified Certificates (CPS NQC-eIDAS ) [27]. To be able to use Time-Stamping Services, registered Fina certificate Subscribers submit a properly completed and signed Registration Form. Subscriber identification has already been completed for Subscribers of Fina certificates, so Subscribers should only provide to Fina LRA the Registration Form according to Section of this QTPS to be able to use Time-Stamping Services Submission of registration forms The Registration Form may be provided as follows: by personally delivering it to a Fina LRA; by sending it to a Fina LRA by mail or via courier;

24 Page: 24/67 by electronically delivering the Registration Form signed by an advanced electronic signature using a Qualified Certificate to the address indicated in Section 9.12 of this QTPS or by other electronic channel Entry into Agreement The Time-Stamping Service Agreement is an agreement entered into between Subscribers and Fina as a service provider, which defines the provision of the Time-Stamping Service in accordance with the Time-Stamping Terms and Conditions, the general regulations under the law of obligations, the Time-Stamp Policy and the regulations applicable to the provision of the timestamping services Authentication on Fina QTSA 2017 service Registered Subscribers access the Time-Stamping Service subject to authentication based on an authentication certificate or application certificate issued by the Fina. Fina QTSA may allow Subscribers holding an authentication certificate or application aertificate to use another appropriate means of Subscriber authentication (e.g. username and password). Depending on the method of authentication, the URL addresses for Fina QTSA are: Authentication using a Certificate: Authentication using a username and password: Fina s internal subscribers access the Fina Time-Stamping Service by using the IP address range applicable to Fina s subscribers. Fina s internal subscribers use the time-stamping service free of charge Time-Stamp Unit Certificate Fina QTSA publicly discloses the key of the Time-Stamp Unit (TSU) as part of the Fina QTSA certificate in the repository referred to in Section 2.2 of this QTPS. Such Fina QTSA certificate for TSU is issued by Fina RDC 2015 CA as required by ETSI EN [13]. Fina QTSA 2017 begins to issue electronic time-stamps by using a new TSU private key subject to the following conditions: A certificate corresponding to the TSU private key has been issued and published in the repository referred to in Section 2.2 of this QTPS. The issuer s signature on Fina QTSA 2017 certificate has been verified by Fina QTSA 2017 service. This verification includes checking of whether the certificate has been correctly signed by Fina RDC 2015 CA and validation of certification path to Fina Root CA. The Fina QTSA 2017 Certificate in the Key Usage extension has values set to digitalsignature and nonrepudiation and in the extkeyusage extension has value set to timestamping Electronic time-stamp Fina s electronic time stamps is signed using the RSA private key of Fina QTSA 2017 having a length of 2048 bits and also by using the cryptographic algorithms SHA-256 i RSA.

25 Page: 25/67 Fina QTSA 2017 ensures that electronic time stamps are issued in a secure manner and provide an accurate time designation. For each electronic time stamp, it shall be ensured that: it includes the OID of the QTP document under which it was issued (QTP OID); it includes a unique identifier, serial number, maximum length: 18-octets; the time used in TSU may be matched to the actual time received from a reliable source; it includes accurate time information provided by TSU at the time of issuing the time stamp; it includes a hash representation of the electronic record for which an electronic time stamp is to be issued; it is signed using a TSU private key intended solely for the purpose of time stamp signing; it includes the identifier of the country where Fina QTSA is established; it includes the identifier for Fina QTSA 2017; and it includes the identifier of the issuing TSU. An electronic time stamp is issued as recommended by ITF RFC 3161 [17] and ETSI EN [9], with a profile compliant with ETSI EN [10] Time-Stamp Request Fina QTSA 2017 supports client application requests for time stamps in accordance with ETSI EN [10] and as recommended by IETF RFC 3161 [17], including the use of the following fields in the request: reqpolicy; nonce; certreq. The Fina Time Stamping Service does not support the use of the following field: extensions. Fina QTSA 2017 accepts the following hash algorithms (hashalgorithm) in a time stamp request: sha-1 (OID: ) i sha-256 (OID: ) A Subscriber requesting to be issued a time stamp by Fina QTSA 2017 must establish an authenticated connection with the communication server of the Fina QTSA 2017 system. In case such connection fails, the transaction will be terminated and the Subscriber shall be appropriately notified of the failed connection. The client application on the Subscriber side used to affix the time stamp must support a time stamping protocol as recommended by IETF RFC 3161 [17]. Fina QTSA does not define a fixed time limit for processing time stamp requests.

26 Page: 26/ Time-Stamping Request profile Description of the basic fields and extensions in the time stamp request profile: Version The request format corresponds to version v1 as specified in ETSI EN [10] and recommended in IETF RFC 3161 [17], so this field contains the value 1. MessageImprint Time stamped data consisting of two parts: - Hash algorithm (hashalgorithm) OID of the hash algorithm used to create the document/data hash - Hash (hashedmessage) Hash for the document/data being time stamped. The data length depends on the hash algorithm used. Time Stamping Policy identifier (reqpolicy) - optional field Specifies the Time Stamping Policy under which the time stamp is being requested. Nonce - optional field A whole 64-bit number ensuring that the electronic time stamp issued matches the Subscriber s request for its issuance. In case the time stamp request contains a nonce value, the time stamping service s response must contain the same value. Certificate Request (certreq) The default value is "FALSE". If a request contains the value TRUE, the TSU certificate referenced in the SigningCertificate attribute must be included in the time stamping service s response. Extensions - optional field This field may contain additional information. Fina QTSA 2017 does not support the use of this field. If the Fina Service receives a request containing this field, the time stamp shall not be issued the Service shall respond to the request by an "unacceptedextension" error message Time-Stamp Response The response from Fina QTSA 2017 to a Time Stamp Request is in compliance with ETSI EN [10] and Section of IETF RFC 3161 [17], and the following extensions are supported:

27 Page: 27/67 accuracy; nonce. In case the time stamp request contains a nonce value, the time stamping service s response must contain the same value. Fina QTSA 2017 supports the following hash algorithms (hashalgorithm): sha-1 (OID: ) i sha-256 (OID: ) The relevant TSU in Fina QTSA 2017 has only one signature key active at a time for signing time stamps issued Profile of the Fina QTSA 2017 Service s response to a Time Stamp Request received - Status (PKIStatusInfo) Information about the success status of time stamp issuance in accordance with Section of IETF RFC 3161 [17]. - Time stamp token (TimeStampToken) - optional field - This field contains a time stamp token in case the Status (PKIStatusInfo) field has the value 0 or 1. In case the Status (PKIStatusInfo) contains a different value, this time stamp token (TimeStampToken) field shall not be contained in the response Time-stamp profile The general information about the profile of Time Stamps issued by Fina QTSA 2017 is provided in Table 3.1. Polje Version Policy OID messageimprint serialnumber gentime Nonce signaturealgorithm Vrijednosti za kvalificirani elektronički vremenski žig kojeg izdaje Fina QTSA 2017 servis V1, vrijednost= 1 Fina OID: ETSI OID: Supported hash algorithms: hashalgorithm: sha-1 (OID: ) and hashalgorithm: sha-256 (OID: ) Whole number UTC time, 1 s resolution Whole number SHA-1 with RSA Encryption (OID: ) sha256withrsaencryption (OID: ) Table 3.1 General information about the Time Stamp issued by Fina QTSA 2015