The information contained in this document is intended for personnel charged with the management and operation of Certificates issued by the Australian Taxation Office Public Key Infrastructure (ATO PKI) including the Australian Taxation Office Certification Authority (ATO CA) and Australian Taxation Office Organisation Certification Authority (ATO OCA). This document is also applicable to Entities and Certificate Holders who hold Keys and Certificates issued by the ATO OCA to enable communications with the ATO.
Keys and Certificates issued under the ATO PKI are to be used for the sole purpose of an Entity communicating with the ATO. Any person other than the ATO who relies on communications signed using the Certificate Holder’s Private Authentication Key associated with a Certificate issued under an ATO CP does so at their own risk and the ATO disclaims all liability to such persons.
The ATO PKI must ensure that it maintains the trust of those who have been issued with Keys and Certificates.
The ATO CA creates and signs its own Certificate. It also signs the Certificate created by the ATO OCA and acts as the highest point of trust in the ATO PKI.
The framework in which the ATO CA operates, and its possible relationships with other proposed developments are shown in Figure 1.
Figure 1

The attached ATO Certification Practice Statement (CPS) document has been produced in accordance with the general provisions of the Commonwealth Government's Gatekeeper policy and guidelines on the protection of information and information technology environments.
The purpose of this document is to provide factual information describing the practices employed by the ATO CA in relation to the following:
- Management of its Public Key Infrastructure (PKI).
- Administration of the ATO PKI under the Certificate Policy (CP) for Keys and Certificates supported under this CPS as listed at Appendix C.
- Certificate life cycle within its PKI.
These practices are detailed in the formal statement attached as Appendix A - Certification Practice Statement (CPS).
The ATO CA is a self signing Certification Authority. The ATO CA had been granted full Gatekeeper Accreditation by the then Chief Executive Officer, the National Office for the Information Economy (CEO, NOIE).
Currently, the ATO Primary and Secondary Certificate Policies are published and certificates are able to be issued under these policies pending their final approval under the Gatekeeper program administered by the Department of Finance and Administration represented by the Australian Government Information Management Office (AGIMO). The ATO will publish any changes to the Certificate Policies that may arise as a result of the Gatekeeper approval process on this website.
For information concerning Gatekeeper Accreditation, see the AGIMO and GPAC web sites (see Appendix C).
The ATO CA and other Certification Authorities may issue multiple Certificate Policies (CP) mapped to this Certification Practice Statement. In each case, the corresponding CP and this CPS will be nominated.
The CPS discussed in this introductory statement is attached as Appendix A.
The function of this CPS is to provide factual information that identifies and details, as appropriate, the standard operating practices that support Keys and Certificates issued by the ATO PKI under relevant Certificate Policies. These Certificate practices cover the following:
- Central generation and issuing of Keys, Certificate Holder generation of Keys, central creation, signing and issuing of associated Certificates, operational use, compromise, expiry, suspension and revocation of Certificates issued under an ATO CP.
- Security, mutual consistency and effectiveness of the ATO PKI’s operations.
- Maintenance of the logical and physical elements of the ATO PKI.
The glossary, published at http://www.ato-pki.ato.gov.au/, contains definitions of the terms used in this CPS.
Some ATO PKI policy and practice documents are available via the Internet. For information about how to access these documents see Appendix C.
In the remainder of this document the repository for the ATO PKI policy and practice documents and the instructions above are referred to as the ATO PKI Web Site.
The composition and functions of the ATO PMA are set out in the ATO Policy Management Authority document published at the ATO PKI Web Site, see Appendix C.
Changes to this CPS or any other document which forms the basis of the Gatekeeper Accreditation of the ATO CA or an OCA are only implemented with the approval of the Gatekeeper Competent Authority, Australian Government Information Management Office (AGIMO), Department of Finance and Administration (Finance).
As new standards emerge or policy matters are identified for improvement, this CPS will be amended.
After an amendment to this CPS has been approved, the ATO PKI will:
- Publish the amended CPS at ATO PKI Web Site, see Appendix C.
- Advise Entities with Keys and Certificates of the effect of the change and the date of effect.
- Cancel Keys and Certificates where the Entity or Certificate Holder indicates that it no longer wishes to abide by the new arrangements.
If an existing document requires re-issue, the change process employed is the same as for initial publication, as described above.
The naming convention for amendment notices shall be YYYY-XXX, where:
- YYYY indicates the year the amendment was issued.
- XXX represents a sequential number beginning with 000.
Accreditation: Gatekeeper
Type: FULL
Grade: All
Version No: 1.5
Status: Final
ISBN No: 0 642 73807 6
This Certification Practice Statement (CPS) is written for use within the ATO Public Key Infrastructure (PKI). The ATO PKI is designed and is operated to comply with the Australian Commonwealth Government's Gatekeeper strategy for the use of Public Key Technology in government. At the highest level the ATO PKI consists of the ATO Certification Authority (ATO CA) and the ATO Organisation Certification Authority (ATO OCA). The ATO CA is the highest point of trust in the ATO PKI.
The ATO PKI supports the creation and use of Keys and Certificates for the purposes of the ATO and taxpayers. Keys and Certificates are used for the security of transactions carried out between the ATO and its clients by providing the following functions:
- Authentication.
- Integrity.
- Confidentiality.
- Non-repudiation.
- Other functions as may be approved by the ATO PKI from time to time under a particular CP.
This CPS provides factual information that describes the:
- Practices employed within the ATO PKI to support the use of Keys issued by the ATO CAs and end users and Certificates issued by the ATO CA and ATO OCA.
- Attendant use of technologies and processes to support the underlying operational infrastructure.
The practices described in this CPS together with the technologies and processes referred to in other documents, illustrate the trustworthiness and integrity of ATO PKI’s operations from Certificate generation and signing to expiry.
ATO PKI's Certificate services provide a range of security and assurance levels to support various Gatekeeper compliant and Gatekeeper accredited electronic service delivery.
The Certificates and associated CPs supported under this CPS cover signatory functions and other services required for communication between the ATO and taxpayers.
This CPS supports the operation of the following:
- Nominated Gatekeeper accredited CPs under which Keys and Certificates are provided to Entities who deal with the ATO electronically under Sections 31-25 of the A New Tax System (Goods and Services Tax) Act 1999.
- Such other CPs as may be approved by the ATO PMA and which are Gatekeeper Accredited.
These CPs provide for:
- Certificates required for Officers of the ATO in their communication with Certificate Holders, Entities and other taxpayers.
- Other Certificates required for Entities in their communication with government.
CPs supported by this CPS are listed in Appendix B - CP Supported under this CPS and are published on the ATO PKI Web Site, see Appendix C.
This CPS is referred to as the ATO CPS.
The structure of this CPS is based on the Certification Practices Framework (Internet Engineering Task Force RFC 2527); for more information see Section 1.1.2 Standards in a relevant CP.
This CPS differs from the RFC 2527 standard only to the degree necessary to adequately describe the operational practices used within the ATO PKI.
Definitions used within this document are contained in the Glossary published at the ATO PKI Web Site, see Appendix C for details.
These definitions are based on ISO Glossary of IT Security Technology.
It should be noted that not all terms or acronyms which appear in the Glossary have been used in this document. However the list as presented is consistent across the ATO PKI documentation suite.
Assumptions
This CPS assumes that the reader is familiar with basic PKI concepts, including:
- The use of digital signatures for authentication, integrity and non-repudiation.
- The use of encryption for confidentiality.
- The principles of asymmetric encryption and Keys and Certificates.
- The role of Certification Authorities.
Object Identifiers (OID) have been assigned by the ATO PKI and documented in a Configuration baseline.
OIDs are assigned to the ATO CA, ATO OCA and each CP.
OIDs are not assigned to this CPS.
All OIDs are recorded in the appropriate CP.
The ATO certificate management life cycle (CMLC) is illustrated in Figure 1.1 below. The CMLC applies to all Certificates issued within the ATO PKI.

The CMLC represents the high-level Certificate management process within the ATO PKI. It consists of primary and secondary Certificate states. The primary states are:
- Generation.
- Operational use.
- Expiry.
- Archive.
All Certificate types issued pass through these three primary states (see shaded area) as part of their life cycle.
The secondary states are:
- Compromise.
- Revocation.
Because these secondary states represent exception situations, it is expected that:
- Most Certificates issued to Certificate Holders will pass through only the primary states during their life cycle.
- A small number of Certificates issued to Certificate Holders may pass through one or more of the secondary states.
The ATO PKI supports the CMLC Certificate states in the delivery of all of its Keys and Certificates.
The CMLC does not support a provisional Certificate state. Keys are generated (by the Certificate Holder or issued to the Certificate Holder if generated by the ATO OCA) and Certificates are issued by the ATO OCA after a Certificate request has been submitted and approved and are deemed to be in operational use in accordance with the relevant CP.
Key pairs
Key pairs are bound to Certificates and the Keys are rendered useless by the expiry of the Certificate.
Expired key pairs are not re-issued or otherwise re-used.
The relevant Certification Authority within the ATO PKI generates Certificates upon receipt of an authorised and validated request for:
- New Certificates.
- Certificate renewal.
Generation involves:
- Receipt of an approved and verified Certificate request from an Entity.
- Creating a new Certificate.
- Binding the Key Pair associated with the Certificate to a Certificate Holder and Entity.
- Issuing the Certificate (which incorporates the associated Public Key) for operational use under both of the following:
- A Distinguished Name associated with the Entity and the Certificate Holder
- A relevant CP
Generation is performed in a physically secure facility, on the receipt of a properly authorised request for a Certificate. This will be put in place under procedures approved by the relevant Certification Authority within the ATO PKI and documented in the relevant CP.
Entity names are unique and comply with the X.500 standard for Distinguished Names.
An audit process operates to ensure that ATO PKI complies with the requirements of the Gatekeeper Accreditation process.
The ATO OCA supports end user generation of key pairs by the Certificate Holder to replace the currently valid Keys and Certificates which have not yet expired. The Private Keys remain obfuscated in memory on the Certificate Holder's computer and each Public Key is attached to a copy of the Certificate information which is extracted from the existing Certificates. The Certificate Holder can update the e-mail address only. The Certificate information and Public Keys are verified by the ATO OCA to ensure that they originated from the Certificate Holder. The ATO OCA takes the Certificate information and Public Keys and converts them into signed Certificates. It records the Certificates and the Public Keys in the Oracle based certificate database with X.500 directory format and sends the signed Certificates and the tightly bound Public Keys back to the Certificate Holder.
The signed Certificates and their tightly bound Public Keys are associated with their respective Private Keys and are both integrated into a PKCS#12 file from which they are imported into the ATO Client Software. The replacement Keys and Certificates are used to submit a revocation request for the replaced Keys and Certificates.
A set of Keys and Certificates come into operational use at the time of issue and remain in operational use until they do one of the following:
- Expire.
- Are compromised or revoked.
Keys and Certificates have a fixed operational lifetime that is determined by the relevant CP.
Certificates expire automatically upon reaching the designated expiry date, at which time the Certificate is archived.
Note that:
- The life of a Certificate cannot be and is not extended.
- Expired Certificates cannot be and are not re-issued.
Expired Certificates are archived for a minimum period of seven years from the date of expiry, unless another period is specified in the relevant CP.
Certificates in operational use that become compromised are revoked in accordance with a procedure in the relevant CP. Certificates are deemed to be compromised when the integrity of the Private Keys associated with the Public Key Certificates is in doubt.
Consistent with a nominated CP, Keys and Certificates suspected of being compromised remain in the compromised state for only such time as it takes to arrange for revocation.
Certificate revocation permanently invalidates any trusted use of a set of Keys and Certificates. Keys and Certificates are revoked in accordance with the requirements at Section 4.4.1 Circumstances for Revocation.
Revoked Certificates are added to the ATO PKI OCA Certificate Revocation List (CRL) but that directory is not necessarily made public. See the relevant CP for details.
All Certificate operations comply with:
- The policy requirements of:
- A recognised CP
- This CPS
- The Australian Government’s Gatekeeper Strategy
- Published and internal privacy policies and practices including the Privacy Act 1998 (Commonwealth)
- Published and internal security policies and practices
- The technology requirements of:
- Relevant internal guidelines for the physical protection of technology assets
- X.500 Directory services based Oracle certificate database
- X.509 Certificate format
- X.509 CRL format
- X.500 Distinguished name standards
- PKCS#7 format for Digital Encryption and Digital Signatures
- PKCS#10 Certificate Request format
- Recognised PKI conventions and standards
- Appropriate international and domestic standards relevant to PKI operations.
- Audit requirements for the ATO PKI.
The ATO PKI operational infrastructure uses approved products including software that has been certified by DSD from a PKI product provider. These products automate Key and Certificate management functions.
The RA service domain consists of the RAs that operate under the ATO PKI. These RAs are responsible for supplying user registration and, where relevant, actioning key generation requests from Entities. Unless otherwise stated in a CP the ATO performs the RA function for the ATO PKI.
The User service domain includes Certificate Holders who act on behalf of Entities and who use Certificates for authentication, integrity, non-repudiation and confidentiality.
The ATO has published the hash of the authentication certificate for the ATO CA on the ATO PKI Web Site, see Appendix C. ATO clients will also receive written notification from the ATO of the hash of the Authentication Certificate for the ATO CA. They will also be informed of the hash for any other ATO PKI Server engaged in electronic service delivery and the ATO OCA.
In operational use, the Entity’s cryptographic software uses this hash to check the validity of digital signatures originating from the ATO CA.
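The out-of-band hash check described above, as an added example that is not part of the CPS: a constructed Go program (names and keys are throwaway placeholders generated in memory) builds a self-signed root, a subordinate CA certified by it and a Certificate Holder certificate, then accepts the root as trust anchor only when its SHA-256 fingerprint equals the hash received out of band, and verifies the holder's chain through the subordinate to that single root. SHA-256 as the fingerprint algorithm is an assumption; the CPS does not name one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed stand-in for the chain of trust: a self-signed
// root (the ATO CA), a subordinate it certifies (the ATO OCA) and a holder.
type Hierarchy struct {
	Root, OCA, Holder *x509.Certificate
}

// Fingerprint returns the hex SHA-256 digest of the certificate's DER bytes;
// this is the value a CA would publish out of band (web site, written notice).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// tmpl builds a short-lived template; CAs get CertSign/CRLSign, leaves ClientAuth.
func tmpl(serial int64, cn string, isCA bool) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // placeholder DN, not ATO's
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA certificate signs certificates and CRLs, nothing else
		c.KeyUsage, c.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return c
}

// BuildHierarchy generates three throwaway P-256 keys and issues root -> OCA -> holder.
func BuildHierarchy() (*Hierarchy, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootTmpl := tmpl(1, "Example Root CA (constructed)", true)
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed
	if err != nil {
		return nil, err
	}
	oca, err := issue(tmpl(2, "Example Organisation CA (constructed)", true), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	holder, err := issue(tmpl(3, "Certificate Holder (constructed)", false), oca, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, OCA: oca, Holder: holder}, nil
}

// VerifyAgainstPinnedRoot models the client-side check: trust the root only if
// its fingerprint equals the hash received out of band, then require the holder
// certificate to chain through the OCA to that single root.
func VerifyAgainstPinnedRoot(h *Hierarchy, publishedHash string) error {
	if Fingerprint(h.Root) != publishedHash {
		return errors.New("root fingerprint does not match the published hash: not trusted")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inter.AddCert(h.OCA)
	_, err := h.Holder.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	published := Fingerprint(h.Root) // stands in for the hash received out of band
	fmt.Println("genuine root pinned:", VerifyAgainstPinnedRoot(h, published))
	fmt.Println("wrong hash pinned:  ", VerifyAgainstPinnedRoot(h, Fingerprint(h.OCA)))
}
```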
The practices described in this CPS are:
- Based upon but not limited to, the roles, responsibilities, duties and obligations contained within Gatekeeper compliant and accredited CP.
- Binding upon all parties within the ATO PKI, through the inter-linking contractual responsibilities, obligations and duties between the ATO PKI and Certificate Holders and Entities.
This CPS incorporates information from other documents regarding practices involved in the issue, use and validation of Keys and Certificates and in the operational maintenance of the PKI infrastructure. It includes, but is not limited to the:
- Certificate categories that may be created.
- Establishment of the ATO CA and ATO OCA.
- Functions and obligations of the ATO CA and the ATO OCA.
- Registration of Entities.
- Functions and obligations of Entities.
- Process of approving new Certificate categories and Certificate policy.
The security philosophy governing the operational management of the ATO PKI is:
Considered response describes the execution of such actions as are justified having considered all the circumstances.
This philosophy means that the first aim of the ATO PKI is:
- To prevent any unauthorised action taking place.
- Should an unauthorised action take place, to be able to detect and record the unauthorised event or action.
- Finally, to respond to unauthorised events or actions in a considered and positive manner.
In all cases, the ATO PKI operates to:
- Enable the ATO CAs and where applicable Certificate Holders, to securely generate Keys and the ATO CAs to securely generate and issue Certificates and take adequate precautions to protect against their compromise, modification, disclosure, loss or unauthorised use.
- Be able to detect and record unauthorised events and actions.
These procedures extend to the ATO. Where a Key Pair is generated by the ATO OCA, the ATO PKI must ensure that only the Certificate Holder holds, or has access to, its Private Keys.
The ATO PKI has adopted and employs personnel and management practices to ensure the trustworthiness, integrity and professional conduct of its staff. ATO complies with Gatekeeper requirements for the vetting of its operations staff by the Australian Security Vetting Service (ASVS). This also applies to contractors engaged to operate various parts of the ATO PKI.
The following personnel standards are applied:
- The minimum standard for personnel vetting is Highly Protected.
- All ATO PKI operations staff are trained in the following:
- Basic PKI concepts
- The use and operation of the CA software
- Documented CA procedures (including physical, personal and information security and disaster recovery procedures)
- Computer security awareness and procedures
- The meaning and effect of the Conditions of Use that applies to the Keys and Certificates
- The meaning and effect of the relevant CP and this CPS
The ATO PKI reserves the right to make reasonable inquiry in accordance with arrangements agreed with an Entity to determine the validity of a revocation request.
This CPS is referred to as the ATO CPS Certification Practice Statement for the ATO PKI.
This CPS supports:
- All CA and RA services that operate under the ATO PKI and are within the ATO PKI’s chain of trust.
- All types of Certificates issued under the ATO PKI.
As a consequence, the practices described in this document allow for a wide range and variety of:
- Certificate types, supporting individual and non individual transactions that have differing levels of information sensitivity and financial value.
- Entities, who include:
- Individuals
- Organisations including Government departments, agencies and other Entities
The practices in this CPS must:
- Accommodate the diversity of the community and the scope of applicability within the ATO PKI’s chain of trust.
- Adhere to the primary purpose of the CPS, of ensuring the uniformity and efficiency of practices throughout the PKI.
In keeping with their primary purpose, the practices in this document:
- Are the minimum requirements necessary to ensure that Entities and Certificate Holders have the highest possible level of assurance and that critical functions are provided at appropriate levels of trust.
- Apply to all stakeholders, for the generation, issue, use and management of all Keys and Certificates.
Two policy authorities are relevant to this CP:
The Gatekeeper Competent Authority (the General Manager AGIMO), is effectively the Gatekeeper policy authority. All decisions regarding Gatekeeper accreditation are vested in the Gatekeeper Competent Authority. The GCA is advised by the Gatekeeper Policy Committee (GPC) which consists of Commonwealth, State or Territory representatives.
The GCA maintains the criteria for Gatekeeper Accreditation and the GM, AGIMO accredits CA service providers to offer and issue Certificates to Commonwealth agencies or to those organisations and entities with which Commonwealth agencies transact business, once the CA service providers have been successfully evaluated.
The Competent Authority may be contacted at: Australian Government Information Management Office.
The composition and functions of the ATO PMA are set out in the ATO Policy Management Authority document published at the ATO PKI Web Site, see Appendix C.
Contact details for the ATO PMA are set out at the ATO PKI Web Site, see Appendix C.
The primary purpose of the ATO CA signing its own Certificate and operating under the ATO PKI hierarchy is to provide Certificate management services (generation, operational use, compromise, revocation and expiry) for internal ATO Users within their respective policy domains.
The ATO CA performs the following functions:
- Generating its own Keys and issuing a self signed Certificate, publishing the Public Key of the ATO CA with the hash which establishes the ATO CA as the highest point of trust in the ATO PKI.
- Publishing each CP under which it issues Keys and Certificates and this CPS at the ATO PKI Web Site, see Appendix C.
- Certifying the Public Key of the ATO OCA.
- Operating the ATO PKI in an efficient and trustworthy manner and in accordance with:
- The terms of the accreditation of the ATO CA by the GM, AGIMO
- The ATO Concept of Operations
- The CP that it issues Certificates under
- This CPS
- The ATO PKI System Security Plan
- Documented internal operational procedures
- Issuing Keys and Certificates in accordance with the relevant CP.
- Revoking Certificates it has issued on receipt of authenticated signed revocation requests or when Certificates have been compromised.
- Posting revoked Certificates in the directory services CRL.
- Conducting regular audits and facilitating external audits including those required for the purpose of maintaining Gatekeeper Accreditation.
Contact details for the ATO CA are set out on the ATO PKI Web Site, see Appendix C.
The contact details for the ATO CA are published in each CP that they issue Certificates under or the CP may advise a web site address or other location where the contact details may be found.
The ATO OCA has the following functions:
- Publishing the CP, for Certificates issued by the ATO OCA.
- Issuing Certificates to Certificate Holders for Entities in accordance with the relevant CP, whether the OCA has issued the Key Pairs or the Key Pairs have been generated by the Certificate Holder.
- Maintaining an Oracle based certificate database with X.500 directory format for the internal use of the ATO to which it will post Certificate information. (See section 2.6.3).
- Monitoring compliance with the relevant CP.
Contact details for the ATO OCA are set out on the ATO PKI Web Site, see Appendix C.
The ATO PKI adduces evidence of the identity of Entities and Certificate Holders by reference to information provided in accordance with legislation administered by the ATO. That information may not be provided to any other person in any circumstances.
Users may be any entity that is required to lodge a business activity statement under the A New Taxation System (Australian Business Number) Act 1999 or any other type of person as provided in the relevant CP.
The Key length of an Entity’s Authentication and Confidentiality Keys in the ATO PKI is designed to be fully compliant with the Gatekeeper schema.
Where Key pairs are generated by the ATO OCA, this is done in a way that only the Certificate Holder holds, or has access to, the relevant Private Key.
Certificate Holders are required to take reasonable security measures to ensure the protection of their Private Keys against compromise.
The Entity’s functions are defined in the Conditions of Use or other relevant CP.
The following Certificate Holder contact details may be published in a Certificate Holder's Public Key Certificate in compliance with X.509 standards:
- Entity name and Certificate Holder’s name in the User's Distinguished Name in the Subject field.
- The Entity's e-mail address or Universal Resource Location (URL) in the Subject Alternative Name field.
Entity contact information is maintained by the ATO as taxpayer information.
Certificates issued in the ATO PKI are used to support secure exchange of information between the ATO and clients of the ATO. Later, the ATO may permit the use of ATO issued Keys and Certificates for broader electronic commerce purposes and the secure exchange of information between Entities and Government.
The ATO PKI user community may regard the practices described in this CPS as:
- Ensuring standard operating procedures and uniform quality of service delivery across the PKI.
- Fostering and promoting high levels of trust and integrity across the ATO PKI.
Under the Gatekeeper requirements, the use of each type and grade of Certificate is restricted to a specified level of sensitivity of information.
These restrictions are detailed in the table below.
| Certificate type | Certificate grade | Applicable use: sensitivity of information |
|---|---|---|
| 1 Individual | 1 | Non-sensitive information |
| 1 Individual | 2 | In confidence |
| 1 Individual | 3 | Protected/Restricted |
| 2 Non Individual | 1 | Non-sensitive information |
| 2 Non Individual | 2 | In confidence |
| 2 Non Individual | 3 | Protected/Restricted |
The ATO PKI supports one functional class. Certificates supported by this CPS fall into the primary functional class set out below:
Within this class, different assurance levels apply or different attributes are used.
Gatekeeper compliant and accredited Certificates may encompass all of the above mentioned Certificate classes. Within nominated policy domains, Certificates may also be used for multiple purposes as defined in the relevant CP.
Table of functional certificate classes

| Class | Purpose | Assurance levels |
|---|---|---|
| Identity | Authenticates the Certificate Holder's identity through appropriate EOI processes specified in the relevant CPs, e.g. authenticates a Primary Certificate Holder’s identity through a rigorous EOI process, and authenticates a Secondary Certificate Holder’s identity through a trust-based EOI arrangement with a Primary Certificate Holder | Low, medium and high |
Identity Certificates authenticate the identity of the person or organisation to whom they are issued. Designated uses include:
- Within messaging systems, to authenticate the identity of a person or organisation sending a message and to provide assurance that subsequent communications are from the same person or organisation.
- In secure electronic data exchange, to authenticate and protect sensitive information.
The criteria used by a registrar for the authentication of a Certificate owner's identity depend upon:
- The type of Certificate.
- The grade of Certificate that is Grade 1, 2 or 3.
Entities who receive Certificates from the ATO PKI are to use those Keys and Certificates only in the manner and for the purposes prescribed in a relevant CP. Any use of a Certificate in a manner or for a purpose not in accordance with a relevant CP is not recognised nor supported by this CPS.
This CPS is administered by the ATO PKI.
Enquiries or other communications about this document should be addressed to the ATO CA, see section 1.3.1.1.2.
The Gatekeeper Competent Authority in the Australian Government Information Management Office (AGIMO) is in a position to determine CPS suitability for the policy.
ATO OCA shall provide a secure message infrastructure that enables the operation of Keys and Certificates using Public Key cryptographic methods. The ATO CA will be the highest point of trust within the ATO PKI.
Certificate Holders are:
- Advised through the CP of their duties and obligations to ensure the safety, protection and integrity of their Private Keys.
- Required for specific classes of Keys and Certificates to comply with the Conditions of Use.
- Not to interfere with or damage or attempt to interfere with or damage, the operational infrastructure of the ATO PKI. The ATO PKI has:
- Been structured and is operated in such a manner as to minimise the risk of compromise or wilful damage by a Certificate Holder
- Defined a security policy that provides for the early detection of an attempt to damage the infrastructure and to collect sufficient evidence for a prosecution
Changes to this CPS can only be made at the direction of the ATO PMA. Factors that will normally result in change requests include, but are not limited to:
- A mandated change to a Gatekeeper Accreditation requirement.
- A change in the technology supporting the PKI.
- A change required to ensure compliance with published international and Australian standards.
The ATO PMA will consult with the Gatekeeper Competent Authority before making any change to this CPS. The ATO PMA may advise the ATO PKI of any changes that need to be made to this CPS.
The obligations and functions of the ATO CA are set out in the relevant CP.
The obligations and functions of the ATO OCA are set out in the relevant CP.
The obligations of Entities and Certificate Holders (Subscribers) are set out in the relevant CP and the Conditions of Use.
Relying parties other than the ATO OCA have no obligations under this CPS. The ATO OCA’s obligations are set out in the relevant CP and Conditions of Use.
The ATO Repository functions are performed by the Oracle based certificate database with X.500 directory format. This repository is restricted to access by the ATO.
The ATO PKI provides and maintains the operational infrastructure for the Oracle based certificate database.
The ATO CA has introduced a number of measures to manage risk. They cover the event that the safeguards in place to protect its resources fail to:
- Inhibit misuse of those resources by authorised personnel.
- Prohibit access to those resources by unauthorised individuals.
These measures include but are not limited to:
- Identifying contingency events and appropriate recovery actions in a Disaster Recovery and Business Continuity plan.
- Performing regular system data backups.
- Performing a backup of the current operating software and certain software configuration files.
- Storing all backups in secure local and offsite storage.
- Maintaining secure offsite storage of other material needed for disaster recovery.
- Periodically testing local and offsite backups to ensure that the information is retrievable in the event of a failure.
- Periodically reviewing its Disaster Recovery and Business Continuity plan, including the identification, analysis, evaluation and prioritisation of risks.
- Periodically testing uninterrupted power supplies.
Specific matters relating to liability are set out in the CPs.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
This CPS is governed by the laws in force in the Australian Capital Territory, Australia.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
Please refer to the relevant CP.
Each CP includes a statement on dispute resolution.
Please refer to the relevant CP.
This CPS is published under the International Standard Book Number (ISBN) system.
This CPS is published electronically on the ATO PKI Web Site, see Appendix C for access details.
A CD-ROM version of this CPS is held by the National Library of Australia, in compliance with Australian ISBN Agency requirements.
Newly approved versions of this CPS and relevant CP are published promptly.
There are no access controls on the reading of this CPS or of relevant CP on the web sites nominated for publication.
Access to Certificate information (including CRLs) within the Oracle based certificate database is, in the case of Certificates issued to Entities and Certificate Holders, limited to single named search enquiries by officers within the ATO.
Appropriate Access Controls are used to restrict to authorised personnel the ability to write to or modify these items.
The Repository for the ATO PKI is provided through the ATO Oracle based certificate database. This directory contains Certificate information for all Certificates issued by Certification Authorities within the ATO PKI.
The ATO Oracle based certificate database does not contain any information about any Private Keys of any kind.
The ATO Oracle based certificate database does not contain any information of a confidential nature. It is intended that it may be made available for public access at some time in the future.
The ATO PKI has been granted Gatekeeper Accreditation by the CIO, AGIMO in accordance with the Gatekeeper criteria and following evaluation by a team of independent evaluators.
The evaluation criteria have been defined by the CIO, AGIMO and may be found on the AGIMO web site, see Appendix C.
The ATO must conduct a comprehensive compliance audit of the practices documented in the ATO PKI:
- Within one year of the commencement of operations of the ATO CA.
- At any other time that it deems warranted.
The ATO PKI will also be audited from time to time in accordance with the terms of the Gatekeeper Accreditation Agreement between the ATO and AGIMO to ensure compliance with the policies documented in this CPS.
Any non-ATO person engaged to perform an audit on the ATO PKI must have sufficient experience in the application of PKI and cryptographic technologies. Where audits are required under the conditions of Gatekeeper Accreditation the auditors will be selected by the ATO from the Gatekeeper Compliance Audit Panel.
External audits may be conducted under the supervision of the Australian National Audit Office. Any ANAO audits will be additional to the mandatory Gatekeeper Compliance Audits. Aside from the audit function, the auditor and audited party shall not have any current or planned financial, legal or other relationship that could result in a conflict of interest.
Topics covered by audit will include, but will not necessarily be limited to, the following, and will be set against the background of Gatekeeper policy and criteria, the ATO’s Approved Documents and industry and Australian standards:
- Physical Security.
- Documentation and process.
- Vetting of operations personnel.
- Technology.
- Privacy, including compliance with Information Privacy Principles set out in section 14 of the Privacy Act 1988.
Copies of the Audit report are submitted to:
- The Commissioner of Taxation
- The Gatekeeper Competent Authority, AGIMO
When irregularities are found or in response to directions from the Gatekeeper Competent Authority (in accordance with the terms of the Memorandum of Agreement), the Commissioner of Taxation shall promptly oversee or implement appropriate corrective action to maintain compliance with Gatekeeper accreditation as well as trust in the operation of the ATO PKI, and report publicly on matters as appropriate.
Audit results are considered to be sensitive operational information, however, the ATO PKI will endeavour to make as much information from audit reports public as possible.
- The ATO is subject to the information security requirements of the Commonwealth’s Protective Security Manual. That manual requires information in the hands of agencies to be classified depending on the damage that release of that information would do to the Commonwealth and certain other entities. In this CP, the type of information that is able to be transmitted is information that receives an X-IN-CONFIDENCE classification (applies to non-national security information). Examples of types of X-IN-CONFIDENCE markings include Staff-in-Confidence, Security-in-Confidence, Commercial-in-Confidence and Audit-in-Confidence.
- The category of information “Commercial-in-Confidence” is the type of information that entities are concerned to protect in the context of their business transactions. For the purposes of this CP, this category of information is called “Confidential Information”.
- Each entity must protect all categories of information it holds against unauthorised disclosure in accordance with the requirements of the Protective Security Manual.
Personal Information, as defined in the Privacy Act 1988 (Commonwealth) (the Act), provided to the ATO is regulated by the Information Privacy Principles as set out in the Act. The ATO is bound by, and is required to operate fully within, the requirements of the Act.
While Tax File Number information may be used to establish the identity of the Entity and the Certificate Holder, that information will not be disclosed or used in the Keys and Certificates, except as permitted in the Taxation Administration Act 1953.
The requirements for the confidentiality and privacy of registration information are dealt with at sections 2.8.1.1 and 2.8.1.2 of this CPS, and in accordance with the secrecy provisions in the taxation legislation.
At the time a registration record is created, information collected will include Personal Information.
Some of that information will, pursuant to ITU-T Recommendation X.500 (1993) / ISO/IEC 9594-1:1993, Information technology - Open Systems Interconnection - The Directory: Overview of Concepts, Models and Services, and in accordance with the Distinguished Name conventions approved by Gatekeeper, be included in the Certificate Holder’s Certificate.
All other information concerning the registration record will be considered confidential to the ATO clients and will not be disclosed.
The following Certificate Holder contact details may be published in a Certificate Holder's Public Key Certificate in compliance with X.509 standards:
- Entity name and Certificate Holder’s name in the End Entity's Distinguished Name in the Subject field.
- The Entity's e-mail address or Universal Resource Location (URL), in the Subject Alternative Name field.
Entity contact information is maintained by the ATO as taxpayer information.
Certain details relating to an Entity may be available in the Register of Australian Business Numbers. The information in the Register is in accordance with the applicable legislation.
Information embodied in a Certificate held as part of the Registration Record and included in the Certificate in accordance with the relevant CP, is not considered to be confidential. All other information will be considered confidential to the relevant ATO clients.
Some of the documentation required for the operation of the ATO PKI contains information that may not be released.
The ATO is required to inform potential Entities and Certificate Holders that the information included on the Certificate that identifies the Entity or Certificate Holder is not treated as confidential and is deemed to be Public knowledge where the Certificate is used in its intended fashion.
The following ATO documents are public documents and are not considered to be confidential information:
- CPs issued by the ATO CA or ATO OCA.
- This CPS.
- Security Policy (Public).
- Privacy Policy (Public).
The ATO will publish at ATO PKI Web Site, see Appendix C, a Certificate Revocation List that will record when Certificates issued to the ATO CA, ATO OCA have been revoked.
As a general principle, no document or record belonging to or held within the ATO PKI shall be released to law enforcement agencies or officials except where both of the following conditions are met:
- A properly constituted warrant is produced or the information is otherwise legally required to be disclosed.
- The law enforcement official is properly identified.

Despite anything above, the ATO will not have access to or hold a copy of a Certificate Holder’s Private Keys and accordingly will not be able to make them available to any law enforcement agency.
As a general principle, no document or record belonging to or held by the ATO CA shall be released to any person except where:
- A properly constituted instrument that has emanated from a court having jurisdiction or an authority having legal jurisdiction requiring production of the information is produced.
- The person requiring production is a person authorised to do so.
If officers of the ATO want to obtain access to similar information they will have to document the reason for access to the satisfaction of the Assistant Commissioner, Infrastructure Development and Delivery (see section 1.3.1.1.2).
An Entity shall have full access to any information that it has provided to the ATO CA and shall be empowered to authorise release of that information to another person in accordance with the normal arrangements approved by the Commissioner of Taxation or under the Freedom of Information Act 1982 (Cth). Similarly a Certificate Holder will have access to their information. However the subject of a registration record will not have access to any other person's registration record unless proper authorisation is given by the relevant person.
Formal authorisation by the subject of a registration record may take two forms:
- A properly constituted electronic authorisation providing that the request is electronically signed by a valid Private Key.
- By authorisation in writing.
No other release of information is permitted unless authorised by the person subject of the information or unless required by law.
Please refer to the relevant CP.
A fundamental concept underpinning the operation of ATO PKI is trust. Trust must be realised in each and every aspect of the service operation.
Entities making their initial application for a Certificate under a relevant CP are provided with the following information prior to registration:
- A copy of the Conditions of Use.
- An explanation of the nature, purpose and effect of the use of the Keys and Certificates.
- The web site addresses for this CPS and relevant CPs.
- Advice about the documentation required for Evidence Of Identity (EOI) purposes.
The detailed procedures are set out in the relevant CP.
All Certificate Holders require a distinguished name that is compliant with the X.500 standard for Distinguished Names.
The ATO CA approves naming conventions for the creation of distinguished names for Certificate applicants. Different naming conventions may be used in different policy domains.
Distinguished names must be meaningful. Pseudonymous names may not be used.
The normal operation of some types of Certificate generation requires the insertion of an organisation name and department as part of the distinguished name.
Where a CP does not require an organisation identifier or department identifier in a Certificate, the following changes are to be made to the distinguished name:
- Organisation name: Not Applicable
- Department name: Not Applicable
Distinguished names are to be unambiguous and unique.
Any dispute regarding a Distinguished Name is resolved under the terms of the relevant CP.
Recognition, Authentication and the role of trademarks is a commercial issue. Nothing in this CPS shall prevent the use of a trademark in a Distinguished Name.
As stipulated in relevant Certificate Policies.
An Entity’s identity is to be authenticated by reference to the register of Australian Business Numbers and to the records of the ATO.
Please note that taxpayer information cannot be supplied to persons outside the ATO.
An individual's identity is to be authenticated by reference to the records of the ATO. Please note that this information cannot be supplied to other persons (See Section 2.8 Confidentiality and Privacy).
Certificate Holders may request that the ATO OCA issue new Keys and Certificates at the end of the life of the relevant Certificate provided that:
- The request is made prior to the expiry of the current Keys and Certificates.
- Certificate information has not changed except for the Certificate Holder's email address.
- The current Keys and Certificates have not been revoked.
If any of these conditions are not met, the Entity must apply for new Keys and Certificates and agree to be bound by the Conditions of Use.
Certificate renewal is governed by the relevant CP.
Rekey is not permitted after Certificate revocation. A Certificate Holder requiring replacement Keys and Certificates after revocation must:
- Apply for new Keys and Certificates.
- Comply with all initial registration and requirements as though they were a new Entity.
As stipulated in section 4.4.
It is the responsibility of the taxpayer requiring Keys and Certificates to make that request to the ATO OCA in accordance with the requirements of the relevant CP.
The ATO PKI is to take reasonable care in accepting and processing Certificate applications. They are to comply with the practices described in this CPS and with any requirements imposed by the relevant CP under which the Keys and Certificates are issued.
The Certificate issuing process is governed by the relevant CP.
The ATO OCA supports two Certificate issuing processes as follows:
- The ATO OCA generates the Keys and Certificates and delivers these to the Certificate Holder
- The Certificate Holder uses End User Key generation software to generate its own Key Pairs and then requests the ATO OCA to create, sign and deliver the associated Certificates.
Where the ATO OCA generates and delivers the Keys and Certificates, Certificate issue involves the downloading of Keys and Certificates from a secure Internet site and the use of a Personal Identification Code (PIC). In some cases Keys and Certificates can be delivered on diskette.
In the case of End User Key generation, the currently valid Keys and Certificates in the Certificate Holder's possession ensure the security and integrity of this kind of Key replacement process. The Certificate Holder downloads the Key Renewal applet from the secure ATO OCA web site and uses End User generation software to generate Key Pairs on the local machine. The Key Renewal applet sends Certificate requests and Public Keys via the Internet to the ATO OCA. The ATO OCA creates and signs the Certificates and delivers them to the Certificate Holder via the Internet.
A Certificate Holder’s receipt of the Keys and Certificates (or, in the case of End User Key generation, of the Certificates alone) and the subsequent use of the Certificates constitutes Certificate acceptance in accordance with the requirements of the relevant CP.
Certificates are revoked in accordance with the requirements of the relevant CP when:
- The associated Private Key is compromised.
- Media holding the associated Private Key is compromised.
- The Entity ceases to hold an Australian Business Number.
- The Certificate Holder ceases to represent the Entity.
- There has been improper or faulty issue of the Keys and Certificates.
- The Certificate information becomes inaccurate.
- The ATO CA or ATO OCA ceases to operate.
- The relevant part of the ATO PKI believes that it is appropriate in the circumstances.
- Upon receipt by the ATO OCA of a request from the Entity or the Certificate Holder.
After Revocation of the Certificate, the Keys or the associated Certificates must not be used.
Certificate revocation can be initiated in accordance with the requirements of the relevant CP but generally the following entities can request revocation:
- The ATO OCA.
- The Certificate Holder who is named in the Certificate.
- The Entity named in the Certificate.
- Authorised third parties.
The procedure as set out in the relevant CP shall apply to revocation requests.
The revocation request grace period is 28 days.
No stipulation
No stipulation
No stipulation
No stipulation
As stipulated in CP.
No stipulation
No stipulation
No stipulation
No stipulation
No stipulation
No stipulation
The ATO PKI is required to maintain adequate records and archives of information pertaining to the operation of the ATO CA or the ATO OCA.
The minimum audit records to be kept by the ATO OCA include all:
- Types of registration records.
- Key generation requests.
- Certificate generation requests.
- Certificate issuance records, including CRLs.
- Audit records, including security related events.
- Revocation records.
- Successive versions of this CPS and all the CPs
Audit logs are processed on a daily, weekly, monthly and annual basis.
Audit logs shall be maintained on site for a minimum period of three months and a maximum period of twelve months. The audit log shall be retained in archives for a minimum period as set out in the relevant CP to meet the National Archives of Australia (NAA) requirements and then transferred to the NAA.
Audit logs are protected by a special user account and password known only to the officer carrying out audit duties. Audit logs will not be modified, and will not be deleted without backup.
The ATO PKI is to establish and maintain a backup procedure for audit logs.
The ATO PKI audit collection system is a combination of automated and manual processes performed by the CA or RA operating system, the CA or RA application and by operational personnel.
| Type of event | Collection system | Recorded by |
| --- | --- | --- |
| Successful and failed attempts to change operating system security parameters | Automatic | Operating system |
| System start up and shutdown | Automatic | Operating system |
| Successful and failed log-in and log-off attempts | Automatic | Operating system |
| Successful and failed attempts to create, modify or delete system accounts | Automatic | Operating system |
| Successful and failed attempts to create, modify or delete authorised system users | Automatic | Operating system |
| Successful and failed attempts to request, generate, sign, issue or revoke Keys and Certificates | Automatic | CA or RA software |
| Successful and failed attempts to create, modify or delete Certificate holder information | Automatic | RA software |
| Backup, archiving and restoration | Automatic and manual | Operating system and operations personnel |
| System configuration changes | Manual | Operations personnel |
| Software and hardware updates | Manual | Operations personnel |
| Systems maintenance | Manual | Operations personnel |
| Personnel changes | Manual | Operations personnel |
ATO PKI operations personnel notify the ATO PKI security administrator when a process or action causes a critical security event or discrepancy in accordance with the procedures put in place to meet the requirements of SE01: Security Policy.
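The audit event table and the escalation duty above can be turned into a routine check. The following is an added example, not code from the ATO CPS or its software: it encodes the table as a small policy, reviews a batch of constructed audit records for discrepancies (a category recorded by a source not permitted to record it, or an unknown category), lists failed security-relevant attempts for escalation to the security administrator, and reports mandated categories with no records in the period. The line format, source names and sample records are assumptions made for this example.

```python
"""Coverage and critical-event review of one batch of CA/RA audit records.

Added example, not code from the ATO CPS or its software. The log line
format, source names and sample records below are constructed.
"""
import re

# Event category -> sources permitted to record it (the "Recorded by" column).
# os = operating system, ca/ra = CA or RA software, operator = operations personnel.
AUDIT_POLICY = {
    "security_parameter_change": {"os"},
    "system_startup_shutdown": {"os"},
    "logon_logoff": {"os"},
    "system_account_change": {"os"},
    "authorised_user_change": {"os"},
    "key_certificate_operation": {"ca", "ra"},
    "certificate_holder_info_change": {"ra"},
    "backup_archive_restore": {"os", "operator"},
    "system_configuration_change": {"operator"},
    "software_hardware_update": {"operator"},
    "system_maintenance": {"operator"},
    "personnel_change": {"operator"},
}

# Table rows that record "successful and failed attempts": a failed attempt in
# one of these categories is treated as a critical security event to escalate.
CRITICAL_ON_FAILURE = {
    "security_parameter_change", "logon_logoff", "system_account_change",
    "authorised_user_change", "key_certificate_operation",
    "certificate_holder_info_change",
}

# Constructed record layout: <timestamp> <recorder> <category> key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<recorder>\S+)\s+(?P<category>\S+)(?:\s+(?P<rest>.*))?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample batch; timestamps and actor names are placeholders.
SAMPLE_LOG = [
    '2005-06-01T08:02:11 os logon_logoff outcome=success actor=sysadmin1',
    '2005-06-01T08:02:40 os logon_logoff outcome=failed actor=unknown',
    '2005-06-01T08:05:03 ca key_certificate_operation outcome=success actor=caop1 detail="certificate issued"',
    '2005-06-01T08:06:15 ca key_certificate_operation outcome=failed actor=caop2 detail="revocation request rejected"',
    '2005-06-01T09:00:00 os security_parameter_change outcome=failed actor=sysadmin1',
    '2005-06-01T10:12:30 operator backup_archive_restore outcome=success actor=opsA detail="weekly backup"',
    # Discrepancy: holder information must be recorded by RA software, not the OS.
    '2005-06-01T11:00:00 os certificate_holder_info_change outcome=success actor=sysadmin1',
    # Discrepancy: category not in the policy table.
    '2005-06-01T12:00:00 ra holder_lookup outcome=success actor=ra1',
]


def parse_record(line):
    """Parse one record into a dict; return None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "recorder": m["recorder"], "category": m["category"]}
    for key, value in KV_RE.findall(m["rest"] or ""):
        rec[key] = value.strip('"')
    return rec


def review_audit_records(lines):
    """Return discrepancies, critical events and uncovered categories for a batch."""
    seen = set()
    discrepancies = []   # (line number, reason)
    critical = []        # (line number, category, actor, detail)
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            discrepancies.append((n, "malformed record"))
            continue
        allowed = AUDIT_POLICY.get(rec["category"])
        if allowed is None:
            discrepancies.append((n, f"unknown event category {rec['category']!r}"))
            continue
        if rec["recorder"] not in allowed:
            discrepancies.append((n, f"{rec['category']} recorded by {rec['recorder']!r}, "
                                     f"expected one of {sorted(allowed)}"))
            continue  # a misattributed record does not count as coverage
        seen.add(rec["category"])
        if rec["category"] in CRITICAL_ON_FAILURE and rec.get("outcome") == "failed":
            critical.append((n, rec["category"], rec.get("actor", "?"), rec.get("detail", "")))
    uncovered = sorted(c for c in AUDIT_POLICY if c not in seen)
    return {"discrepancies": discrepancies, "critical": critical, "uncovered": uncovered}


if __name__ == "__main__":
    report = review_audit_records(SAMPLE_LOG)
    for section, items in report.items():
        print(section)
        for item in items:
            print("  ", item)
```

Categories listed as uncovered are not necessarily faults (a manual category may be quiet for a day); they are the list the audit officer compares against expected activity before signing off the period.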
A Protective Security Risk Review (PSRR) has been completed for the entire ATO PKI. This PSRR covers the overarching risks and threats that may impact on the ATO PKI.
The ATO PKI maintains an archive of relevant records described in this CPS.
The following audit information is archived by the ATO PKI:
- Audit logs.
- Certificate request information.
- Certificates, including CRLs generated.
- Complete back up records.
- Copies of e-mail logs.
- Formal correspondence.
- Successive versions of this CPS and any CP.
Certificate Holders' Private Keys are never held within the ATO PKI or by the ATO.
Certificates are archived for a minimum period of seven years from the date of expiry, unless another period is specified in the relevant CP.
Audit trail information is kept for a minimum period of seven years from the date of expiration, unless another period is specifically required under the relevant CP.
Archive media is protected either by physical security or a combination of physical security and cryptographic protection. It is also protected from environmental factors such as temperature, humidity and magnetism. The archive will be protected against modification and unauthorised deletion.
The ATO PKI has established archive back up procedures to ensure and enable complete restoration of current service in the event of a disaster situation as set out in the relevant CP.
Trusted third party time stamping is not supported, but nothing in this CPS will operate to prevent a third party from offering that service outside of the ATO PKI structure.
The ATO PKI has established an archive collection system that meets the requirements of this CPS as set out in the relevant CP.
The integrity of the ATO PKI's archives is verified:
- Annually at the time of a programmed Security Audit.
- At any other time when a full security audit is required.
- At the time the archive is prepared.
ATO CA and ATO OCA Key changeovers shall:
- Be formally applied for by the ATO PMA, using a designated application process.
- Be effected in such a manner as to cause minimal disruption to Certificate Holders and Entities.
- Require the ATO PKI to give a minimum notice period of three months.
Keys and Certificates for the PKI Subordinate Elements will be re-issued by the ATO OCA.
The ATO PKI:
- Has established and maintains detailed documentation covering its:
  - Disaster Recovery and Business Continuity plan, including key compromise, hardware, software and communications failures and natural disasters such as fire and flood.
  - Configuration Baseline, including operating software, anti virus software and PKI specific application programs.
  - Backup, archiving and offsite storage procedures.
- Provides the above documentation on the request of persons conducting a security or compliance audit.
- Provides appropriate training to all relevant staff in contingency and disaster recovery procedures.
- At least annually tests its Disaster Recovery and Business Continuity plan, with the minimum test activity being the full restoration of operational services as follows:
  - The current operational platform is shut down and disconnected from communications links.
  - System operating software, application programs and operational data are restored onto a new hardware platform, solely from backup media and in compliance with the Configuration Baseline.
  - The restored service is connected to the communications links and the correct operation of its Certificate services tested.
  - Service operations are resumed using the original operational platform.
  - All files on the hard disk of the test platform are securely deleted.
  - The Disaster Recovery and Business Continuity plan is reviewed in the light of the test results.
The ATO PKI has established a configuration baseline plan and back-up, archiving and response plan to provide data for identifying component failure and subsequent service restoration.
The ATO PKI has a key and user compromise plan that addresses the actions to be taken in the event that the ATO CA’s or the ATO OCA’s Private Keys are compromised or the Certificates are revoked. This is described in the ATO PKI Key Management Plan.
No stipulation.
The ATO PKI manages its backup, archive and offsite storage in accordance with its configuration baseline plan and back-up, archiving and response plan.
The purpose of the plan is to restore core business operations as quickly as practicable when systems operations have been significantly and adversely impacted by fire, strikes and so on.
The plan acknowledges that any impact on system operations will not cause a direct and immediate operational impact on the ATO PKI. The plan has the primary goal of reinstating the ATO PKI’s platform in order to make accessible the logical records kept within the software. Recovery actions approved within the plan are given a priority that is in keeping with the recovery of other organisational records that do not have a direct and immediate impact on the ATO PKI’s operations.
To implement a Disaster Recovery and Business Continuity plan, the ATO PKI:
- Identifies an internal owner for the plan.
- Identifies individuals authorised to initiate disaster recovery action.
- Identifies major elements at risk, for example:
  - Operational hardware
  - CA or RA software application
  - Logical records
- Identifies criteria that might prompt disaster recovery initiation.
- Implements recommended precautionary measures such as setting up:
  - An uninterruptible power supply
  - Power surge protectors
  - A second power supply using an alternate power source
  - In-built hardware redundancy
- Develops recovery actions and timeframes.
- Prioritises recovery actions from most significant to least significant.
- Maintains a record of the hardware and software configuration baseline.
- Maintains records of the necessary equipment and procedures required to recover from an unexpected event such as a hardware failure, including the intended maximum period that the system is to be down.
If the operation of the ATO CA or the ATO OCA is terminated for any reason the ATO will endeavour to give Entities as much warning as possible and put in place alternative arrangements.
The ATO PKI is committed to providing a secure process that will enable Entities to discharge their obligations in a cost effective and efficient manner.
The primary site location of the ATO CA and ATO OCA shall be in a secure office environment at the ATO Computer Centre at Bruce in the ACT.
A second, alternative site location of the ATO PKI shall be in a secure operating environment at the EDS Computer Centre at Burwood in Sydney, NSW. This site will become operational if disaster recovery at the primary ATO PKI site cannot be achieved within the designated timeframe.
The ATO PKI operates within a secure physical environment within the office area that meets the standards required by ACSI 33 CR2.
The ATO PKI permits entry to their secure operating area only to authorised personnel and to visitors under the constant supervision of an authorised person. The number of personnel authorised to enter the area is kept to a minimum and a log is maintained of all accesses.
The ATO PKI secure operating areas are connected to a standard power supply. All critical components are connected to uninterrupted power supply (UPS) units, to prevent abnormal shutdown in the event of a power failure.
The area has an air conditioning system to control the heat and humidity that is independent of the building air conditioning system.
The ATO PKI secure operating area is protected against water exposure by being located on an above-ground floor of an office building that is not in a flood zone and by having a built-in raised floor.
Suitable fire extinguishers are maintained in the ATO PKI secure operating area, to guard against the possibility of fire.
All magnetic media containing ATO PKI information, including backup media, is stored in containers, cabinets or safes with fire protection capabilities and are located either within the service operations area or in a secure off-site storage area.
Paper documents and magnetic media containing the ATO CA or the ATO OCA Private Key or commercially sensitive or confidential information are securely disposed of by:
- In the case of magnetic media:
  - Physical damage to or complete destruction of the asset.
  - The use of an approved utility to wipe or overwrite the media.
- In the case of printed material, shredding or destruction by an approved service.
Endorsed off site storage agents are used for the storage and retention of backup ATO PKI software and data.
The off site storage:
- Is available to authorised personnel 24 hours per day seven days per week for the purpose of retrieving software and data.
- Has appropriate levels of physical security in place, with staff holding an appropriate level of clearance.
In order to ensure that one person acting alone cannot circumvent the entire system, the area where the servers and work stations (machines) that comprise the ATO PKI are located is a declared no lone zone where two people are required to carry out an operation.
To gain access to a machine, two keys are required to be inserted and turned simultaneously to open the cabinet securing the machine. All actions carried out in the vicinity of a cabinet containing a machine are captured on video tape.
Staff are vetted for Positions of Trust in accordance with Section 5.2.3 and the requirements of the relevant CP.
When gaining access to a work station, one person enters the password. Once access is gained to the work station, one person performs the task while the other audits its performance to ensure it is done properly. All keystrokes typed on a keyboard attached to a machine, with the exception of passwords, are captured and recorded in an audit log.
At a minimum, the following roles are established at each location:
- System Administrator.
- Security Administrator.
Separate individuals fill each of the roles described above. This provides the maximum security and affords the opportunity for the greatest degree of checks and balances over system operation. However:
- A single individual may assume the role of the System Administrator.
- The Security Administrator must always remain separate from the System Administrator in order to provide an independent review of the audit log.
- Any task requiring the creation, backup or importation into a database of the ATO CA’s Private Key must involve two trusted persons, one performing the function and the second fulfilling a security monitoring role.
Each of the operations that require dual control by two personnel within the ATO PKI shall not be carried out by one person. Each person in a dual control shall be responsible for the integrity of the process they are performing. They will not disclose to the other person any parts of a password.
Persons filling trusted roles, which are designated Positions of Trust, must undergo a formal vetting process conducted by the Australian Security Vetting Service.
The recruitment and selection practices for ATO PKI services personnel take into account the background, qualifications, experiences and clearance requirements of each position, which are compared against the profiles of potential candidates.
Background checks are conducted on all persons selected to take up a trusted role in accordance with the designated security screening procedure, prior to the commencement of their duties.
All ATO PKI services personnel staff shall be trained in:
- Basic PKI concepts.
- The use and operation of the certification authority, organisation certification authority and registration authority software as certified by the Defence Signals Directorate (DSD), see Appendix C.
- Documented ATO PKI procedures.
- Privacy legislation and practices within the ATO.
- ATO's confidentiality requirements for the protection of taxpayer information including the requirements in the taxation legislation and the Crimes Act 1914 (Commonwealth).
- Computer security awareness and procedures.
- The meaning and effect of this CPS and the CPs.
ATO PKI services personnel staff receive a security briefing update at least once a year.
Training in the use and operation of the CA and RA’s software is provided when new versions of the software are installed.
Remedial training is completed as required or when recommended by audit comments.
The ATO PKI may implement formal job rotation practices (for example through formal reliefs). Where formal job rotation is not implemented, cross-training activities are conducted to ensure operations continuity.
Unauthorised actions by ATO PKI services personnel are reported to the appropriate authorities, including but not limited to the Security Administrator, for further instruction and any appropriate action.
ATO PKI services personnel (management or operational) may be contractors who are appointed in writing and given written notification of the terms and conditions of their position. They are normally assigned full-time to their responsibilities.
ATO PKI services personnel have access to their relevant:
- Hardware and software documentation.
- Policy documents, including this CPS.
- Operational practice and procedural documents, including a relevant CP.
Key pairs shall be generated in accordance with the relevant CP.
Private Keys will be delivered in accordance with the relevant CP.
Public Keys will be delivered in accordance with the relevant CP.
The ATO OCA’s Public Key is available from the ATO PKI Web Site, see Appendix C.
A Certificate holder’s Keys generated by the ATO OCA will be made available in accordance with the requirements of section 4.2.1.
The ATO PKI key lengths are determined by the relevant CP. They are typically a minimum of 2048 bits for the ATO CA and ATO OCA's Keys and 1024 bits for Keys issued to, or by, Entities and Certificate Holders.
The parameters used to create Key Pairs are generated by the ATO PKI.
The quality of Public Key parameters is automatically checked by the ATO PKI software.
Key generation is performed in hardware or software as prescribed by the DSD certification requirements and Gatekeeper Accreditation requirements.
The ATO does not have access to, or hold, Entities' Private Keys.
Entities' Keys may be used for the purposes and in the manner described in section 1.3.4 Applicability.
Cryptographic modules that may be in use from time to time as part of the operations of the ATO PKI comply with the DSD certification requirements and Gatekeeper Accreditation requirements.
Keys used by the ATO CA and the ATO OCA are generated and stored in software evaluated to Gatekeeper standards (up to ITSEC E3 certification).
The Private Keys of the ATO CA and ATO OCA shall be under multi-person control.
Private Key escrow is not supported by the ATO PKI.
The ATO CA and ATO OCA’s Private Keys are stored securely in accordance with the relevant CP.
The ATO does not have access to, or hold, copies of Private Keys issued to Certificate Holders or Entities.
See section 4.6.2.1 Secure maintenance of Keys.
The software supplied to an Entity by the ATO is designed to ensure that the Private Keys are stored in an encrypted format and only available to memory when activated by the user. The Private Keys are held in an obscure format that disguises the Keys within padding.
The software supplied to an Entity by the ATO is designed to ensure that the Private Keys will be activated by the software issued to the Entity.
The software supplied to an Entity by the ATO is designed to ensure that the Private Keys will be de-activated when the Entity software application is terminated.
The software supplied to an Entity by the ATO is designed to ensure that the Private Keys are destroyed in memory by overwriting them with zeros when the software shuts down.
The ATO PKI shall archive its Public Keys. The Public Keys for archival will be stored on suitable electronic media and archived in accordance with the relevant clauses in section 4.6.3.
The usage period for the ATO CA Private and Public Key is 10 years from generation. The usage period for other Keys issued by the ATO PKI shall be as set out in the relevant CP.
No activation data other than Access Control mechanisms is required to operate cryptographic software supplied to an Entity.
No activation data other than Access Control mechanisms is required to operate cryptographic modules.
No stipulation.
The ATO PKI has established a System Security Plan that incorporates computer security technical requirements for the operation of the ATO PKI.
The ATO PKI has established a System Security Plan that incorporates computer security ratings for the operation of the ATO PKI.
ATO PKI operational software has been developed in a controlled environment employing appropriate quality controls.
System security management is controlled by the privileges assigned to operating system accounts and by the trusted roles described in section 5.2.1 Trusted roles.
The ATO PKI has established a Protective Security Risk Review that identifies and addresses all high or significant life cycle security threats.
The ATO PKI has established a Protective Security Risk Review that identifies and addresses all high or significant network security threats.
The ATO PKI has established a Protective Security Risk Review that identifies and addresses all high or significant cryptographic module engineering security threats.
The ATO PKI supports and uses X.509 Version 3 Certificates, which contain V.3 (integer value 3) in the version field.
The ATO PKI supports and uses X.509 Version 3 Certificate extensions.
OIDs may be allocated to algorithms supported and used within the ATO PKI.
| Algorithm Type | Algorithm | Object Identifier |
| --- | --- | --- |
| Encryption | RSA | 1.2.840.113549.1.1.1 |
| Encryption | Message Digest 5 (MD5) with RSA | 1.2.840.113549.1.1.4 |
| Encryption | Secure Hash Algorithm-1 (SHA-1) with RSA | 1.2.840.113549.1.1.5 |
| Encryption | Triple DES | 1.3.6.1.4.1.4929.1.6 |
| Hashing | SHA-1 | 1.3.14.3.2.26 |
| Hashing | MD5 | 1.2.840.113549.2.5 |
| Padding | PKCS#1 | 1.2.840.113549.1.1 |
| Web Encryption | RC2 | RFC 2268 |
| Web Encryption | RC4 | 1.2.840.113549.3.2 |
The use of multiple algorithms within the same hierarchy is supported.
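As an added illustration (not ATO PKI software), the following shows how the signature and digest OIDs in the table above are encoded inside a DER Certificate's signatureAlgorithm field, with a decoder and a lookup against the table's entries. The weak-digest flag reflects the current status of MD5 and SHA-1, not anything stated in this CPS.

```python
# Added example (not ATO PKI software): DER encoding/decoding of the algorithm
# OIDs in the table above, as they appear in a certificate's signatureAlgorithm.
ATO_PKI_ALGORITHMS = {          # signature and digest entries from the table
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.113549.1.1.4": "MD5 with RSA",
    "1.2.840.113549.1.1.5": "SHA-1 with RSA",
    "1.3.14.3.2.26": "SHA-1",
    "1.2.840.113549.2.5": "MD5",
}
# MD5 and SHA-1 are no longer collision-resistant; this CPS dates from 2007.
WEAK_DIGEST_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5",
                    "1.3.14.3.2.26", "1.2.840.113549.2.5"}


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    # First two arcs share one value (40*a + b); each value is base 128, high bit set on all but the last byte.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(groups))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER to dotted form, rejecting malformed input."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("not a complete DER OBJECT IDENTIFIER")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            if not arcs:  # split the combined first value back into two arcs
                first = 0 if value < 40 else 1 if value < 80 else 2
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def identify_algorithm(der: bytes):
    """Return (name from the table or None, weak-digest flag) for a DER algorithm OID."""
    oid = decode_oid(der)
    return ATO_PKI_ALGORITHMS.get(oid), oid in WEAK_DIGEST_OIDS
```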
Certificates issued by the ATO PKI contain the full X.500 distinguished name of the Certificate issuer and Certificate subject in the issuer name and subject name fields.
Anonymous or pseudonymous names are not supported.
The OID of the relevant CP is carried in the standard extension field of X.509 Certificates and is published in the CP.
The ATO PKI supports the use of the Policy Constraints extension.
The ATO PKI supports the use of syntax and semantics policy qualifiers.
See section 1.3.1 of the relevant CP.
The ATO PKI supports and uses X.509 Version 2 CRLs for CRLs that are publicly available under the relevant CP.
The ATO PKI supports and uses X.509 Version 2 CRL entry extensions for CRLs that are publicly available under the relevant CP.
The ATO PKI operates a Policy Management Authority (PMA) which is responsible for setting Certificate Policy direction for the ATO PKI. Changes to accredited documents are approved by the CIO, AGIMO. Contact details for the ATO PMA appear on the ATO PKI web site, see Appendix C.
See section 6 in the introductory part of this document.
The CPS is published on the ATO web site as in Appendix C.
The CPS is evaluated and approved by a member of Gatekeeper Legal Evaluation Panel.
- The ATO CA's self-signed Certificate – PO 01a
- The ATO OCA Certificate signed by the ATO CA – PO 01a
- Certificates for the ATO PKI's subordinate elements issued by the ATO OCA – PO 01a
- ATO Primary Certificate issued by the ATO OCA – PO 01
- ATO Secondary Certificate issued by the ATO OCA – PO 01B
List of Relevant Web Sites
- ATO PKI Certificate Policy and Practice Documents
This and other ATO PKI policy and practice documents are required to be available via the Internet. To access these documents:
Go to: http://www.ato-pki.ato.gov.au/
In this document the repository for these ATO PKI policy and practice documents and the instructions above are referred to as the ATO PKI Web Site.
- Australian Government Information Management Office
- Defence Signals Directorate (DSD)
- Web Site for Cybertrust Pty Limited
- Internet X.509 Public Key Infrastructure Certificate policy and Certification Practices Framework
- Web Sites for Further Information About PKI
Last Modified: Friday, 27 April 2007