Qualified Time-Stamping Practice Statement - rdc.fina.hrrdc.fina.hr/QTSA2017/FinaQTSA2017-QTPS1-1-en.pdf · Updating reference list of Croatian legal regulations, extension of access

Qualified Time-Stamping Practice Statement

Classification: Designation: 75360501 Revision: 2-05/2018Page: 1/67

FINA QUALIFIED TIME-STAMPING PRACTICE STATEMENT

Version 1.1

Effective date: 09 May 2018 Document OID: 1.3.124.1104.2.3.2.1.1


Classification:: Classification: 75360501 Revision: 2-05/2018 Page: 2/67

Document details

Document Name Qualified Time-Stamping Practice Statement

Document OID 1.3.124.1104.2.3.2.1.1

Document Type TSA practice statement, TPS

Distribution Designation Public

Document Owner Financial Agency, Fina

Contact [email protected]

Amendment History

Version Date Reason for Amendment

1.0 22/05/2017 Initial version

1.1 02/05/2018 Updating reference list of Croatian legal regulations, extension of access rights to the Qualified Electronic Time-Stamping Service using certificates issued by other trust service providers, correction of detected errors.

mailto:[email protected]



CONTENTS: REFERENT DOCUMENTED INFORMATION ................................................................................ 9

Core legislation............................................................................................................................ 9

Other legislation .......................................................................................................................... 9

Standardization documents ......................................................................................................... 9

Fina's Documents ...................................................................................................................... 10

1. INTRODUCTORY NOTES AND GENERAL DETAILS ........................................................... 11 1.1. Overview ..................................................................................................................... 11 1.2. Document name and identification .............................................................................. 11

1.3. Fina QTSA 2017 participants .......................................................................................... 12 1.3.1. Provider of qualified time-stamping services ............................................................ 12 1.3.2. Subscribers .............................................................................................................. 12 1.3.3. Registration authorities ............................................................................................ 12 1.3.4. Relying parties ......................................................................................................... 12 1.3.5. Other participants .................................................................................................... 12

1.4. Usage of time stamps ..................................................................................................... 13 1.4.1. Appropriate usage of time-stamps ........................................................................... 13 1.4.2. Prohibited time-stamp uses ..................................................................................... 13

1.5. Administracija dokumenta Opća pravila .......................................................................... 13 1.5.1. Policy administration ................................................................................................ 13 1.5.2. Contact person ........................................................................................................ 13 1.5.3. Person determining CPS suitability for the policy ..................................................... 13

1.6. Definitions and acronyms ................................................................................................ 14

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ..................................................... 21 2.1. Repositories ................................................................................................................ 21 2.2. Publication of time-stamping information ..................................................................... 21 2.2.2. Contents Publication and Repository Management Procedures ............................... 21 2.3. Time or frequency of publication .................................................................................. 22 2.4. Access controls on repositories ................................................................................... 22

3. IDENTIFICATION, IDENTITY VALIDATION AND ISSUANCE OF ELECTRONIC TIME-STAMPS ....................................................................................................................................... 23

3.1. Subscriber identification .............................................................................................. 23 3.1.1. Initial Subscriber identity validation .......................................................................... 23 3.1.2. Submission of registration forms .............................................................................. 23 3.1.3. Entry into Agreement ............................................................................................... 24 3.2. Authentication on Fina QTSA 2017 service ................................................................. 24 3.3. Time-Stamp Unit Certificate ........................................................................................ 24 3.4. Electronic time-stamp .................................................................................................. 25 3.4.1. Time-Stamp Request ............................................................................................... 25 3.4.1.1. Time-Stamping Request profile ................................................................................ 26 3.4.2. Time-Stamp Response ............................................................................................ 26 3.4.2.1. Profile of the Fina QTSA 2017 Service’s response to a Time Stamp Request received 27 3.5. Time-stamp profile ....................................................................................................... 27 3.6. Time accuracy in issued time-stamps .......................................................................... 28 3.7. Clock synchronization with UTC .................................................................................. 28 3.7.1. Daylight saving time ................................................................................................. 28 3.8. Time-stamp validation ................................................................................................. 28



3.9. Service availability ....................................................................................................... 29 3.10. Issuing Non-Qualified Electronic Time-Stamps ............................................................ 29 3.11. Transport protocol for the electronic time-stamping service ......................................... 29

4. LIFECYCLE OPERATIONAL REQUIREMENTS FOR FINA QTSA 2017 CERTIFICATE ....... 30 4.1. Issuing of Certificate .................................................................................................... 30 4.2. Certificate revocation and suspension ......................................................................... 30 4.2.1. Circumstances for revocation ................................................................................... 30 4.2.2. Who can request revocation .................................................................................... 30 4.2.3. CRL issuance frequency .......................................................................................... 31 4.2.4. Maximum latency for CRLs ...................................................................................... 31 4.2.5. Online revocation/status checking availability .......................................................... 31 4.2.6. Other forms of revocation advertisements available ................................................. 31 4.2.7. Service availability ................................................................................................... 31 4.3. End of subscription ...................................................................................................... 31

5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ............................................ 32

5.1. Physical controls ............................................................................................................. 32 5.1.1. Site location and construction .................................................................................. 32 5.1.2. Physical access ....................................................................................................... 32 5.1.3. Power and air conditioning ....................................................................................... 33 5.1.4. Water exposure ....................................................................................................... 33 5.1.5. Fire prevention and protection ................................................................................. 33 5.1.6. Media storage .......................................................................................................... 33 5.1.7. Waste disposal ........................................................................................................ 33 5.1.8. Off-site backup ........................................................................................................ 34

5.2. Procedural controls ......................................................................................................... 34 5.2.1. Trusted roles ............................................................................................................ 34 5.2.2. Number of persons required per task ....................................................................... 34 5.2.3. Identification and authentication for each role .......................................................... 35 5.2.4. Roles requiring separation of duties ......................................................................... 35

5.3. Personnel controls .......................................................................................................... 35 5.3.1. Qualifications, experience and clearance requirements ........................................... 35 5.3.2. Background check procedures ................................................................................. 36 5.3.3. Training requirements .............................................................................................. 36 5.3.4. Retraining frequency and requirements ................................................................... 36 5.3.5. Job rotation frequency and sequence ...................................................................... 37 5.3.6. Sanctions for unauthorised actions .......................................................................... 37 5.3.7. Independent contractor requirements ...................................................................... 37 5.3.8. Documentation supplied to personnel ...................................................................... 37

5.4. Audit logging procedures ................................................................................................ 37 5.4.1. Types of events recorded ........................................................................................ 37 5.4.2. Frequency of processing log .................................................................................... 38 5.4.3. Retention period for audit log ................................................................................... 38 5.4.4. Protection of audit log .............................................................................................. 38 5.4.5. Audit log backup procedures.................................................................................... 39 5.4.6. Audit collection system (internal vs. external) .......................................................... 39 5.4.7. Notification to event-causing subject ........................................................................ 39 5.4.8. Vulnerability assessment ......................................................................................... 39

5.5. Records archival ............................................................................................................. 39 5.5.1. Types of records archived ........................................................................................ 39 5.5.2. Retention period for archive ..................................................................................... 40



5.5.3. Protection of archive ................................................................................................ 40 5.5.4. Archive backup procedures ..................................................................................... 40 5.5.5. Requirements for time-stamping of records ............................................................. 40 5.5.6. Archive collection system (internal or external) ........................................................ 40 5.5.7. Procedures to obtain and verify archive information ................................................. 41

5.6. TSU Key changeover ...................................................................................................... 41

5.7. Compromise and disaster recovery ................................................................................. 41 5.7.1. Incident and Compromise Handling Procedures ...................................................... 41 5.7.2. Computing resources, software and/or data are corrupted ....................................... 42 5.7.3. Entity private key compromise procedures ............................................................... 42 5.7.4. Business continuity capabilities after a disaster ....................................................... 43

5.8. Fina QTSA 2017 termination ........................................................................................... 43

6. TECHNICAL SECURITY CONTROLS ................................................................................... 44

6.1. Key pair generation and installation ................................................................................ 44 6.1.1. TSU key pair generation .......................................................................................... 44 6.1.2. Private key delivery to Fina QTSA ........................................................................... 44 6.1.5. Key sizes ................................................................................................................. 44 6.1.6. Public key parameters generation and quality checking ........................................... 44 6.1.7. Key usage purposes ................................................................................................ 45

6.2. Private Key Protection and Cryptographic Module Engineering Controls ........................ 45 6.2.1. Cryptographic module standards and controls ......................................................... 45 6.2.2. TSU private key (n out of m) multi-person control .................................................... 45 6.2.3. Private key escrow ................................................................................................... 45 6.2.4. Private key backup .................................................................................................. 45 6.2.5. Private key archival .................................................................................................. 45 6.2.6. Private key transfer into or from a cryptographic module ......................................... 45 6.2.7. Private key storage on cryptographic module .......................................................... 46 6.2.8. Method of activating TSU private key ....................................................................... 46 6.2.9. Method of activating TSU private key ....................................................................... 46 6.2.10. Method of destroying private key ............................................................................. 46 6.2.11. Cryptographic Module Rating ................................................................................... 46

6.3. Other Aspects of Key Pair Management ......................................................................... 47 6.3.1. Public key archival ................................................................................................... 47 6.3.2. Fina QTSA certificate operational periods and TSU key pair usage periods ............ 47

6.4. Activation data ................................................................................................................ 47 6.4.1. Activation data generation and installation ............................................................... 47 6.4.2. Activation data protection ......................................................................................... 47

6.5. Computer security controls ............................................................................................. 48 6.5.1. Specific computer security technical requirements ................................................... 48 6.5.2. Computer security rating .......................................................................................... 48

6.6. Tehničke kontrole životnog ciklusa.................................................................................. 48 6.6.1. Life cycle technical controls ..................................................................................... 48 6.6.2. Security management controls ................................................................................. 48 6.6.3. Life cycle security controls ....................................................................................... 49

6.7. Network security controls ................................................................................................ 49

6.8. Time-stamping ................................................................................................................ 50

7. CERTIFICATE, CRL, AND OCSP PROFILES ....................................................................... 51



7.1. Fina QTSA 2017 Certificate profile.................................................................................. 51

7.1.1. Version number(s) ................................................................................................... 51 7.1.2. Basic fields and certificate extensions ...................................................................... 51 7.1.2.1. Basic fields of Fina QTSA 2017 Certificate .............................................................. 51 7.1.2.2. Fina QTSA 2017 Certificate extensions ................................................................... 52 7.1.3. Algorithm object identifiers ....................................................................................... 53 7.1.4. Name forms ............................................................................................................. 53 7.1.5. Name constraints ..................................................................................................... 53 7.1.6. TSU Certificate Policy object identifier ..................................................................... 53 7.1.7. Usage of Policy Constraints extension ..................................................................... 54 7.1.8. Policy qualifiers syntax and semantics ..................................................................... 54 7.1.9. Processing Semantics for the critical Certificate Policies extension ......................... 54

7.2. CRL profile ...................................................................................................................... 54 7.2.1. Version number(s) ................................................................................................... 54 7.2.2. CRL and CRL entry extensions ................................................................................ 54

7.3. OCSP profile ................................................................................................................... 54 7.3.1. Version number(s) ................................................................................................... 54 7.3.2. OCSP extensions .................................................................................................... 55

8. COMPLIANCE AUDIT ........................................................................................................... 56

8.1. Frequency or circumstances of assessment ................................................................... 56 8.1.1. External compliance audit ........................................................................................ 56 8.1.2. Internal compliance audit ......................................................................................... 56

8.2. Identity/qualifications of assessors .................................................................................. 56

8.3. Assessor's relationship to assessed entity ...................................................................... 57

8.4. Topics covered by assessment ....................................................................................... 57

8.5. Actions taken as a result of deficiency ............................................................................ 57

8.6. Communication of results ............................................................................................... 58

9. OTHER BUSINESS AND LEGAL MATTERS ......................................................................... 59

9.1. Fees ............................................................................................................................... 59 9.1.1. Refund policy ........................................................................................................... 59

9.2. Financial responsibility .................................................................................................... 59 9.2.1. Insurance coverage ................................................................................................. 59 9.2.2. Other assets ............................................................................................................ 59 9.2.3. Insurance or warranty coverage for end-entities ...................................................... 59

9.3. Confidentiality of business information ............................................................................ 59 9.3.1. Scope of confidential information ............................................................................. 59 9.3.2. Information not within the scope of confidential information ..................................... 60 9.3.3. Responsibility to protect confidential information...................................................... 60

9.4. Privacy of personal information ....................................................................................... 60 9.4.1. Privacy plan ............................................................................................................. 60 9.4.2. Information treated as private .................................................................................. 61 9.4.3. Information not deemed private ............................................................................... 61 9.4.4. Responsibility to protect private information ............................................................. 61 9.4.5. Notice and consent to use private information ......................................................... 61 9.4.6. Disclosure pursuant to judicial or administrative process ......................................... 61 9.4.7. Other information disclosure circumstances ............................................................. 61

9.5. Intellectual property rights ............................................................................................... 61



9.6. Representations and warranties ..................................................................................... 61

9.6.1. Representations and warranties of Fina as a time-stamping Service Provider ......... 61 9.6.2. RA representations and warranties .......................................................................... 62 9.6.3. Subscriber representation and warranties ................................................................ 62 9.6.4. Relying party representations and warranties .......................................................... 63 The relying part is required to comply with the provisions of this QTPS document. ................ 63

9.7. Responsibilities of participants ........................................................................................ 63 9.7.1. Responsibilities of Fina as a Qualified Time-Stamping Service Provider .................. 63 9.7.2. RA responsibilities ................................................................................................... 64 9.7.3. Subscriber responsibilities ....................................................................................... 64 9.7.4. Relying party responsibilities.................................................................................... 64

9.8. Disclaimer of warranties .................................................................................................. 65

9.9. Limitations of liability ....................................................................................................... 65

9.10. Indemnities .................................................................................................................. 65

9.11. Term and termination .................................................................................................. 65 9.11.1. Term ........................................................................................................................ 65 9.11.2. Termination .............................................................................................................. 65

9.12. Individual notices and communication with participants ............................................... 66

9.13. Amendments ............................................................................................................... 66 9.13.1. Dispute resolution provisions ................................................................................... 66 9.13.2. Notification mechanism and period .......................................................................... 66 9.13.3. Circumstances under which OID must be changed .................................................. 66

9.14. Dispute resolution provisions ....................................................................................... 67

9.15. Governing law ............................................................................................................. 67

9.16. Compliance with applicable law ................................................................................... 67

9.17. Miscellaneous provisions ............................................................................................. 67



COPYRIGHT The Qualified Time-Stamping Practice Statement is the property of Fina, administered by Fina PMA and subject to copyright in accordance with laws of the Republic of Croatia. .



REFERENT DOCUMENTED INFORMATION

Core legislation

[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

[2] Act Implementing Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Council Directive 1999/93 / EC (Croatian Official Gazette (hereinafter referred to as Official Gazette) 62/2017)

Other legislation

[3] The Act on Personal Data Protection (Official Gazette 106/2012 – consolidated text)

Standardization documents

[4] ETSI EN 319 401 V2.1.1 (2016-02); Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers

[5] ETSI EN 319 421 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps

[6] ETSI EN 319 422 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles

[7] ETSI EN 319 411-1 V1.1.1. (2016-02) – Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements

[8] ETSI EN 319 411-2 V2.1.1. (2016-02) – Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates

[9] ETSI EN 319 403 V2.2.2 (2015-08) Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers

[10] ETSI EN 319 102-1 V1.1.1 (2016-05) Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation

[11] ETSI TS 119 312 – Electronic Signatures and Infrastructures (ESI); Cryptographic Suites

[12] IETF RFC 3161 (2001) Internet X.509: Public Key Infrastructure: Time Stamp Protocol (TSP)

[13] IETF RFC 3739 - Internet X.509 Public Key Infrastructure: Qualified Certificates Profile



[14] IETF RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate

Revocation List (CRL) Profile

[15] IETF RFC 6960 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP (2013)

[16] NIST FIPS PUB 140-2:2002 - Security Requirements for Cryptographic Modules

[17] ISO/IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements

[18] ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls

Fina's Documents

[19] Certificate Policy and Certification Practice Statement for Fina Root CA, CP/CPSROOT

[20] Qualified Time-Stamp Policy, QTP

[21] Certificate Policy for Qualified Certificates for Electronic Signatures and Seals, CPQC-eIDAS

[22] Certification Practice Statement for Non-qualified Certificates, CPSNQC-eIDAS



1. INTRODUCTORY NOTES AND GENERAL DETAILS As a Qualified Trust Service Provider, Fina is listed in Trusted List of Qualified Service Providers in the Republic of Croatia maintained by the central state administration authority competent for economic affairs.

Fina’s Qualified Time-Stamping Service termed Fina QTSA 2017 is listed in Trusted List of Qualified Service Providers in the Republic of Croatia.

Fina QTSA 2017 is part of the existing Fina PKI production environment and Qualified Time-Stamps that it issues may be used together with Qualified Certificates issued by Fina.

1.1. Overview This Qualified Time-Stamping Practice Statement document (QTPS) document (hereinafter: QTPS document) contains the description of processes and procedures applied by Fina PKI which refer to provision of qualified time-stamping services, pursuant to the provisions of Qualified Time-Stamp Policy [20] document.

The time-stamping technology deployed is based on public-key cryptography, X.509 certificates and reliable accurate time services.

The content of this QTPS document is in compliance with the following standardization documents:

• ETSI EN 319 401 [4],

• ETSI EN 319 421 [5],

• ETSI EN 319 422 [6],

• ETSI TS 119 312 [11].

The purpose of this QTPS document is to define practices from the scope of this document, implemented by Fina QTSA 2017 service, time-stamping service subscribers (hereinafter referred to as Subscribers) and relying parties.

The interpretation of the provisions of this QTPS document is governed by the provisions of Regulation (EU) No. 910/2014 [1], Act Implementing Regulation (EU) no. 910/2014 [2], the relevant standardization documents and recommendations referring to it, and the provisions of Qualified Time-Stamp Policy [20].

Qualified Time-Stamps issued according practices defined in this QTPS document are in compliance with the requirements of ETSI EN 319 421 [5].

As a Qualified Time-Stamping Service Provider, Fina includes its own QTP OID: 1.3.124.1104.2.3.1.1.1 in the time-stamps issued by it.

The provision of the time-stamping service is in compliance with the ETSI EN 319 421 [5] BTSP (Best Practices Time-Stamp Policy), OID: 0.4.0.2023.1.1.

1.2. Document name and identification

This QTPS document contains Fina’s practices for the provision of time-stamping services.



British Standards Institution (BSI) International Code Designator (ICD) assigned the OID to Fina. Based on that OID, Fina assigned the following OID for time-stamping service purposes: 1.3.124.1104.2.

Listed below are the Document Name and the corresponding identification data.

• Name: Qualified Time-Stamping Practice Statement

• Version: 1.1

• Effective date: 09 May 2018

• OID: 1.3.124.1104.2.3.2.1.1

• Web page containing this QTPS document is:

http://rdc.fina.hr/QTSA2017/FinaQTSA2017-QTPS1-1-en.pdf.

1.3. Fina QTSA 2017 participants

1.3.1. Provider of qualified time-stamping services

Fina uses Fina QTSA 2017 to provide it’s Qualified Time-Stamping Service (hereinafter referred to as the Time-Stamping Service).

1.3.2. Subscribers

Fina QTSA 2017 Subscribers are natural persons (citizens) or Business Entities that enter into Time-Stamping Service Agreements with Fina.

Fina’s internal subscribers are also Subscribers of Fina’s Qualified Time-Stamping Service.

1.3.3. Registration authorities

Subscriber registration for Fina QTSA 2017 service is be performed in Fina registration offices. For the purpose of Subscriber registration, Fina operates its organized network of registration offices (hereinafter referred to as Fina RA Network) which registers Fina QTSA 2017 service Subscribers.

Fina RA Network is comprised of a network of local registration offices (hereinafter referred to as Fina LRA) in Fina's business network and the Central Fina RA. Subscriber registration with Fina RA Network is carried out by Fina LRA or, in exceptional cases, by the Central Fina RA. In Fina LRA, registration is carried out by Registration Officers. Registration activities in Fina RA Network are coordinated by the Central Fina RA, which is the central point of communication in the Fina RA Network.

Fina may define any other appropriate method of Subscriber registration.

1.3.4. Relying parties

Relying Parties are natural persons or Business Entities receiving time-stamps and acting based on reasonable reliance on time-stamps issued by Fina QTSA 2017 service

1.3.5. Other participants

No stipulations.

http://rdc.fina.hr/QTSA2017/FinaQTSA2017-QTPS1-1-en.pdf



1.4. Usage of time stamps

1.4.1. Appropriate usage of time-stamps Qualified time-stamps issued by Fina QTSA 2017 may be used for any purpose requiring evidence of the existence of a particular data in electronic form in the time specified in the issued time-stamp. Qualified time-stamps issued by Fina QTSA 2017 are also used to ensure the longevity of electronic signatures.

1.4.2. Prohibited time-stamp uses It is prohibited to use qualified time-stamps for such data or electronic records whose content is in violation of the Constitution of the Republic of Croatia, the applicable mandatory regulations or social morality.

1.5. Administracija dokumenta Opća pravila

1.5.1. Policy administration

Fina shall remain authorised and responsible for creation and update of the Qualified Time-Stamp Policy (hereinafter referred to as the Policy) and this QTPS document.

Authorized persons in Fina’s organizational units participating in the development, maintenance, implementation and approval of policies and practices that are applied in provision of trust services in Fina PKI hereinafter are called collectively the Fina PMA.

Amendments and updates of this document are performed and based on internal proposals and requirements for harmonization with the legislation and the relevant standards.

1.5.2. Contact person Contact details for administration and content of this Qualified Time-Stamp Policy are given below.

Mailing address:

Fina

Sektor komercijalnih digitalnih rješenja

Ured za upravljanje politikama e-poslovanja

Koturaška cesta 43

10000 Zagreb

Croatia

Telephone: +385-1-6128-171

Telefax: +385-1-6304-081

E-mail: [email protected]

1.5.3. Person determining CPS suitability for the policy Compliance of this QTPS document with the Qualified Time-Stamp Policy [20] is determined by Fina PMA.




1.5.4. TPS approval procedures

The preparation, approval and entry into effect of this QTPS document that confirm its compliance with Qualified Time-Stamp Policy [20] is described in Sections 1.5.1 and 9.13.1 of this QTPS document and in Sections 1.5.1 and 9.13.1 of Qualified Time-Stamp Policy [20] document.

1.6. Definitions and acronyms

1.6.1. Definitions

TERM MEANING

Activation data Confidential data necessary to access or activate the cryptographic module. Activation data may be PIN, password or electronic key which the person knows or possesses.

Advanced electronic seal Electronic seal that meets the following requirements:

(a) it is uniquely linked to the Creator of a seal;

(b) it is capable of identifying the Creator of a seal;

(c) it is created using electronic seal creation data that the Creator of a seal can, with a high level of confidence under its control, use for electronic seal creation; and

(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable.

Advanced electronic signature

Electronic signature that meets the following requirements:

(a) it is uniquely linked to the Signatory;

(b) it is capable of identifying the Signatory;

(c) it is created using electronic signature creation data that the Signatory can, with a high level of confidence, use under its exclusive control; and

(d) it is linked to the signed data in such a way that any subsequent change in the data is detectable.

Authentication An electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed.



TERM MEANING

Business entity 1. Legal persons, such as:

• companies;

• credit and financial institutions;

• public and private institutions;

• associations with legal personality;

• non-profit and non-government organizations with legal personality,

• funds with legal personality;

• local and regional self-government units (municipalities, towns and counties) etc.

2. Public authorities, such as:

• state authorities;

• state administration bodies;

• state agencies etc. 3. Natural persons with a registered business, such as:

• trades people;

• attorneys;

• notaries public etc.

CA Certificate Public-key certificate for one CA issued by another CA or by the same CA.

Central RA Central registration office that is primarily in charge of coordinating the entire RA Network, but may also directly perform Subscriber registration.

Certificate See the term "Public Key Certificate".

Certificate for electronic seal

Electronic attestation that connects the electronic seal validation data with the legal person and confirms the name of that person.

Certificate for electronic signature

Electronic attestation that connects the electronic signature validation data with the natural person and confirms at least the name or pseudonym of that person.

Certificate Policy (CP) A named set of rules which indicates the certificate applicability on a certain group and/or class of applications with common security requirements.

Certificate revocation An action that makes a certificate irrevocably invalid from the moment of revocation.

Certificate Revocation List (CRL)

Signed list indicating a set of certificates that are no longer considered valid by the certificate issuer.

Certificate suspension An action that makes a certificate invalid from the moment of suspension. Suspended certificate may be reactivated and thus made valid again.

Certificate validation Process of verifying and confirming that a certificate is valid.



TERM MEANING

Certification Authority (CA)

Authority trusted by one or more users to create and assign public-key certificates.

Certification Authority may be: 1. a trust service provider that creates and assigns public key certificates; or

2. a technical certificate generation service that is used by a certification service provider that creates and assign public key certificates.

Certification Practice Statement (CPS)

Statement of the practices which a Certification Authority employs in issuing managing, revoking, and renewing or re-keying certificates.

Certification services Services of issuance and lifecycle management of certificates and providing of time-stamping services.

Conformity Assessment Body

A body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides.

Coordinated Universal Time (UTC)

Second-based time scale as defined by ITU-R Recommendation TF.460-5. For most practical applications, UTC is equivalent to mean solar time of the Prime Meridian (0°). More precisely, UTC is a compromise between the very stable atomic time (fr. Temps Atomique International - TAI) and solar time derived from irregular Earth's rotation (in relation to the agreed Greenwich mean sidereal time (GMST)).

Creator of a seal A legal person who creates an electronic seal.

Cryptographic module Software or device of a certain security level which: • generates a key pair and/or

• protects cryptographic information, and/or

• performs cryptographic functions.

Electronic seal Data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity.

Electronic Seal Creation Data

Unique data, which is used by the creator of the electronic seal to create an electronic seal.

Electronic Seal Creation Device

Configured software or hardware used to create an electronic seal.

Electronic signature Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

Electronic Signature Creation data

Unique data which is used by the signatory to create an electronic signature.

Electronic Signature Creation device

Configured software or hardware used to create an electronic signature.



TERM MEANING

Electronic Time-Stamp Data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time.

EU Qualified Certificate Qualified Certificate as specified in the Regulation (EU) No 910/2014.

Fina LRA Local Registration Authority in Fina business network.

Fina PKI Public Key Infrastructure (PKI) established in Fina which is intended for providing certification services to natural persons (citizens), business entities and state administration authorities, and which operates as the Trusted Third Party.

Fina RA Network Fina Registration Authority Network consists of the Central Fina RA and Fina LRA.

Key Pair Two uniquely linked cryptographic keys, one of which is a private key and another is a public key.

Natural person - citizen Natural person requesting the certification service for the purpose of the use of the certificate for and on her/his own behalf, and excluding any natural person with registered business activity, any self-employed natural person and any natural person acting for and on behalf of another natural or legal person (Associated Person).

Policy Management Authority (PMA)

Body with final authority and responsibility for specifying and approving the Certificate Policy.

Private Key In a public key cryptographic system, that key of an entity's key pair which is known only by that entity.

Public Directory IT system which is used for online publication of information concerning certificates, including information on certificate revocation.

Public Key In a public key cryptographic system, that key of an entity's key pair which is known only by that entity.

Public Key Certificate Public key of an entity, together with some other information, rendered unforgeable by digital signature with the private key of the certification authority which issued it.

Public Key Infrastructure (PKI)

Infrastructure able to support the management of public keys able to support authentication, encryption, integrity or non-repudiation services.

QSCD Device Qualified Electronic Signature/Seal Creation Device (see term "Qualified Electronic Signature Creation Device" or "Qualified Electronic Seal Creation Device").

QTSA system Composition of IT products and components organized to support the provision of qualified time-stamping services.

Qualified Certificate for the Electronic Seal

A certificate for an electronic seal, that is issued by a qualified trust service provider and meets the requirements laid down in Annex III of Regulation (EU) No 910/2014 [1].

Qualified Certificate for the Electronic Signature

A certificate for electronic signatures, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I of Regulation (EU) No 910/2014 [1].



TERM MEANING

Qualified Electronic Seal An advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal.

Qualified Electronic Seal Creation Device

An electronic seal creation device that meets mutatis mutandis the requirements laid down in Annex II of Regulation (EU) No 910/2014 [1].

Qualified Electronic Signature

An advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.

Qualified Electronic Signature Creation Device

An electronic signature creation device that meets the requirements laid down in Annex II of the Regulation (EU) No 910/2014 [1].

Qualified Electronic Time-Stamp

Electronic Time-Stamp that meets the following requirements:

(a) it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;

(b) it is based on an accurate time source linked to Coordinated Universal Time; and

(c) it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.

Qualified Trust Service Provider

Trust Service Provider that provides one or more qualified trust services and is granted the qualified status by the supervisory body.

RA Network The complete registration authority network consisting of the Fina RA Network and of external RAs with which Fina concluded an agreement on the registration services.

Registration Authority (RA)

Authority responsible for identification and authentication of certification subjects, as well as other persons or organisations.

Registration Officer Person responsible for data confirmation necessary for certificate issuance and authorisation of application for certificate issuance.

Relying Party Natural or legal person that relies upon an electronic identification or a trust service.

Root CA Certification authority which is at the highest level within trust service providers domain and which is used to sign subordinate CA(s)

Root CA Certificate CA Certificate that the Root CA issued to itself.

Signatory A natural person who creates an electronic signature.

Signature verification Process of checking the cryptographic value of a signature using signature verification data.

Signature verification data Data, such as codes or public cryptographic keys, used for the purpose of verifying a signature.

Subject Entity identified in a certificate as the holder of the private key associated to the public key given in the certificate.



TERM MEANING

Subscriber Legal or natural person bound by agreement with a trust service provider to any Subscriber obligations.

Time-Stamp Policy (TP) Named set of rules that indicates the applicability of a time-stamp to a particular community and/or class of application with common security requirements.

Trust Service Provider A natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.

Trusted list List that provides information about the status and the status history of the trust services from trust service providers regarding compliance with the applicable requirements and the relevant provisions of the applicable legislation.

Trusted roles Roles which are responsible for secure operation of the trust service provider. Trusted Roles and the corresponding responsibilities is clearly described by the Trust Service Provider in the employee's job description.

Validation Process of verifying and confirming that an electronic signature or a seal is valid.

Validation data Data used for electronic signature or electronic seal validation.

Table 1.1 Definitions

1.6.2. Abbreviations

ABBREVIATION FULL NAME

CA Certification Authority

CP Certificate Policy

CPQC-eIDAS Certificate Policy for Qualified Certificates for Electronic Signatures and Seals

CPS Certification Practice Statement

CPSQC-eIDAS Certification Practice Statement for Qualified Certificates for Electronic Signatures and Seals

CRL Certificate Revocation List

HSM Hardware Security Module

LDAP Lightweight Directory Access Protocol

LRA Local Registration Authority

OCSP Online Certificate Status Protocol

OID Object Identifier

PIN Personal Identification Number

PKI Public Key Infrastructure



ABBREVIATION FULL NAME

PMA Policy Management Authority

QSCD Qualified electronic Signature/Seal Creation Device

QTSA Qualified Time-Stamping Authority

RA Registration Authority

TAI International Atomic Time

TLS Transport Layer Security

TP Time-Stamp Policy

TSU Time-Stamping Unit

UTC Coordinated Universal Time

Table 1.2. Abbreviations



2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1. Repositories Fina QTSA repository is managed by Fina as a Qualified Trust Service Provider. Fina is responsible for the work and publication of documents and information on Fina QTSA repository.

Fina ensures online repository availability 24 hours a day, 7 days a week.

2.2. Publication of time-stamping information On Fina QTSA repository documents and information on on time-stamping services provision are publicly disclosed.

2.2.1. Repository Contents

The following documents and information are published on the website of the Fina QTSA repository:

• Current Qualified Time-Stamp Policy, • Current QTPS document, • Previous versions of Qualified Time-Stamp Policy and QTPS document, • Time-Stamping Terms and Conditions and Disclosure Statement, • TSU Certificate used by Fina QTSA 2017 service to sign time-stamps, • Time-stamping services pricelist, • Fina QTSA 2017 Registration Form, • Current locations of Fina RAs/LRAs, • Subscriber instructions, • Communications to Subscribers related to time-stamping service provision, • Other Fina QTSA 2017 service operation-related information.

The published Fina QTSA repository, being an integral part of Fina PKI repository, is available at http://www.fina.hr/finadigicert.

Confidential information is not publicly disclosed in the Fina PKI repository.

2.2.2. Contents Publication and Repository Management Procedures Subject to authorization, documents are published in the repository by a person authorized to manage contents of the online part of the repository.

Communications to Subscriber and legislative information are published after they become applicable in Fina PKI. The publication of information and documents is authorized by Fina PMA.

Fina CAs’ certificates, the Fina QTSA 2017 certificate and the associated information are published after being issued.

The publication of terms and conditions of services, Subscriber instructions, and request, agreement and power-of-attorney forms are authorized by Fina PMA. These documents are published without prior notice and former versions of documents are removed from the repository.

Fina CA automatically publishes the relevant CRLs in the public directory and on the repository’s website after they are issued.

http://www.fina.hr/finadigicert



The publication of a new pricelist version is authorized by Fina PMA.

Subscriber communications and information may be published on the repository’s website without authorization from Fina PMA; however, Fina PMA must be duly notified of any publication of such communications or information.

2.3. Time or frequency of publication Fina annually and as needed maintains, updates, approves, publishes and applies the Qualified Time-Stamp Policy [20] and this QTPS document. Other Fina PKI documents and other relevant information are published as required, after the approval.

2.4. Access controls on repositories Documents and information published in the Fina PKI repository are free and publicly available.

Fina has access controls established on the repository in order to prevent unauthorised adding, changing or deleting of information and protect its integrity and authenticity. Mode of access to documents and information published on the repository is read-only.

Authorised Fina personnel have the right to add, change or delete information in the Fina PKI repository.



3. IDENTIFICATION, IDENTITY VALIDATION AND ISSUANCE OF ELECTRONIC TIME-STAMPS

3.1. Subscriber identification

Fina QTSA 2017 provides Qualified Electronic Time-Stamp service only to registered Subscribers.

If a Subscriber already has a valid digital dertificate issued by Fina or other trust service providers that Fina approves for accessing the Fina Time-Stamping Service, he is required to complete and signed a Registration Form for the Fina Time-Stamping Service and submit it to Fina LRA together with two copies of signed Time-Stamping Service Agreement. The Registration and Agreement Forms are available on the website of the repository referred to in Section 2.2 of this QTPS document.

If a Subscriber does not have an appropriate digital certificate, he or she may, in addition to the Registration Form and the Time-Stamping Service Agreements, applies for a Fina certificate to access the Fina Time-Stamping Service.

If the Subscriber application does not support certificate-based authentication, the Subscriber may send a query in connection with the use of the service to: [email protected] where he shall receive a reply about the possibility of arranging the Fina Time-Stamping Service for the Subscriber’s specific scenario.

After registration, the Subscriber enters into a Fina Time-Stamping Service Agreement with Fina.

Time-stamping service Subscribers are also subscribers to Fina’s Web e-Signature application.

3.1.1. Initial Subscriber identity validation Fina carries out verification of data collected in the process of Subscriber’s registration by comparing it to the data from the submitted documentation and if applicable, by using communication channels in accordance with the adopted laws in force.

The procedure for identifying applicants for Fina authentication certificate or Fina application certificate is described in the Fina’s Certification Practice Statement for Non-Qualified Certificates (CPSNQC-eIDAS) [22].

To be able to use Time-Stamping Services, digital certificate Subscribers submit a properly completed and signed Registration Form.

Subscriber identification has already been completed for users of certificates, so Subscribers should only provide to Fina LRA the Registration Form according to Section 3.1.2 of this QTPS to be able to use Time-Stamping Services.

3.1.2. Submission of registration forms The Registration Form may be provided as follows:

• personally, by delivering it to a Fina LRA;

• by sending it to a Fina LRA by mail or via courier;




• electronically, by delivering the Registration Form signed by an advanced electronic

signature using a Qualified Certificate to the e-mail address indicated in Section 9.12 of this QTPS or by other electronic channel.

3.1.3. Entry into Agreement The Time-Stamping Service Agreement is an agreement entered into between Subscribers and Fina as a service provider, which defines the provision of the Time-Stamping Service in accordance with the Time-Stamping Terms and Conditions, the general regulations under the law of obligations, the Qualified Time-Stamp Policy and the regulations applicable to the provision of the time-stamping services.

3.2. Authentication on Fina QTSA 2017 service Registered Subscribers access the Time-Stamping Service subject to authentication based on an authentication certificate or application certificate issued by the Fina.

Registered Users can also access the Time-Stamping Service subject to authentication based on a valid digital certificate issued by other trust service providers that Fina accepts. Fina may allow Subscribers to use another appropriate means of Subscriber authentication (e.g. username and password).

Depending on the method of authentication, the URL addresses for Fina QTSA 2017 are:

• Authentication using a Certificate: https://tsa.fina.hr/ts-rfc3161,

• Authentication using a username and password: https://tsa.fina.hr:3443/ts-rfc3161.

Fina’s internal subscribers access the Fina Time-Stamping Service by using the IP address range applicable to Fina’s subscribers. Fina’s internal subscribers use the time-stamping service free of charge.

3.3. Time-Stamp Unit Certificate Fina QTSA publicly discloses the key of the Time-Stamp Unit (TSU) as part of the Fina QTSA 2017 certificate in the repository referred to in Section 2.2 of this QTPS.

Such Fina QTSA 2017 certificate for TSU is issued by Fina RDC 2015 CA as required by ETSI EN 319 411-2 [8].

Fina QTSA 2017 begins to issue electronic time-stamps by using a new TSU private key subject to the following conditions:

• A certificate corresponding to the TSU private key has been issued and published in the repository referred to in Section 2.2 of this QTPS.

• The issuer’s signature on Fina QTSA 2017 certificate has been verified by Fina QTSA 2017 service. This verification includes checking of whether the certificate has been correctly signed by Fina RDC 2015 CA and validation of certification path to Fina Root CA.

The Fina QTSA 2017 Certificate in the Key Usage extension has values set to digitalSignature and nonrepudiation and in the extKeyUsage extension has value set to timeStamping.

https://tsa.fina.hr/ts-rfc3161

https://tsa.fina.hr:3443/ts-rfc3161



3.4. Electronic time-stamp Fina’s electronic time stamps is signed using the RSA private key of Fina QTSA 2017 having a length of 2048 bits and by using the cryptographic algorithms SHA-256 i RSA.

Fina QTSA 2017 ensures that electronic time stamps are issued in a secure manner and provide an accurate time designation.

For each electronic time stamp, it shall be ensured that: • it includes the OID of the QTP document under which it was issued (QTP OID); • it includes a unique identifier, serial number, maximum length: 18-octets; • the time used in TSU may be matched to the actual time received from a reliable

source; • it includes accurate time information provided by TSU at the time of issuing the time

stamp; • it includes a hash representation of the electronic record for which an electronic time

stamp is to be issued; • it is signed using a TSU private key intended solely for the purpose of time stamp

signing; • it includes the identifier of the country where Fina QTSA 2017 is established; • it includes the identifier for Fina QTSA 2017; and • it includes the identifier of the issuing TSU.

An electronic time stamp is issued as recommended by ITF RFC 3161 [12] and ETSI EN 319 421 [5], with a profile compliant with ETSI EN 319 422 [6].

3.4.1. Time-Stamp Request

Fina QTSA 2017 supports client application requests for time stamps in accordance with ETSI EN 319 422 [6] and as recommended by IETF RFC 3161 [12], including the use of the following fields in the request:

• reqPolicy; • nonce; • certReq.

The Fina Time Stamping Service does not support the use of the following field:

• extensions. Fina QTSA 2017 accepts the following hash algorithm (hashAlgorithm) in a time stamp request:

• sha-256 (OID: 2.16.840.1.101.3.4.2.1)

A Subscriber requesting to be issued a time stamp by Fina QTSA 2017 must establish an authenticated connection with the communication server of the Fina QTSA 2017 system. In case such connection fails, the transaction will be terminated and the Subscriber shall be appropriately notified of the failed connection.

The client application on the Subscriber side used to affix the time stamp must support a time stamping protocol as recommended by IETF RFC 3161 [12].



Fina QTSA does not define a fixed time limit for processing time stamp requests.

3.4.1.1. Time-Stamping Request profile Description of the basic fields and extensions in the time stamp request profile:

• Version

The request format corresponds to version “v1” as specified in ETSI EN 319 422 [6] and recommended in IETF RFC 3161 [12], so this field contains the value “1”.

• MessageImprint

Time stamped data consisting of two parts:

- Hash algorithm (hashAlgorithm)

OID of the hash algorithm used to create the document/data hash - Hash (hashedMessage)

Hash for the document/data being time stamped. The data length depends on the hash algorithm used.

• Time Stamping Policy identifier (reqPolicy)

- optional field Specifies the Time Stamping Policy under which the time stamp is being requested.

• Nonce - optional field

A whole 64-bit number ensuring that the electronic time stamp issued matches the Subscriber’s request for its issuance. In case the time stamp request contains a nonce value, the time stamping service’s response must contain the same value.

• Certificate Request (certReq)

The default value is "FALSE".

If a request contains the value “TRUE”, the TSU certificate referenced in the SigningCertificate attribute must be included in the time stamping service’s response.

• Extensions - optional field

This field may contain additional information. Fina QTSA 2017 does not support the use of this field. If the Fina Service receives a request containing this field, the time stamp shall not be issued the Service shall respond to the request by an "unacceptedExtension" error message.

3.4.2. Time-Stamp Response The response from Fina QTSA 2017 to a Time Stamp Request is in compliance with ETSI EN 319 422 [6] and Section 2.4.2 of IETF RFC 3161 [12], and the following extensions are supported:



• accuracy; • nonce.

In case the time stamp request contains a nonce value, the time stamping service’s response must contain the same value. Fina QTSA 2017 supports the following hash algorithm (hashAlgorithm):

• sha-256 (OID: 2.16.840.1.101.3.4.2.1)

The relevant TSU in Fina QTSA 2017 has only one signature key active at a time for signing time stamps issued.

3.4.2.1. Profile of the Fina QTSA 2017 Service’s response to a Time Stamp Request received

- Status (PKIStatusInfo)

Information about the success status of time stamp issuance in accordance with Section 2.4.2 of IETF RFC 3161 [12].

- Time stamp token (TimeStampToken) - optional field

This field contains a time stamp token in case the Status (PKIStatusInfo) field has the value “0” or “1”. In case the Status (PKIStatusInfo) contains a different value, this time stamp token (TimeStampToken) field shall not be contained in the response.

3.5. Time-stamp profile

The general information about the profile of Time Stamps issued by Fina QTSA 2017 is provided in Table 3.1.

Polje Vrijednosti za kvalificirani elektronički vremenski žig kojeg izdaje Fina QTSA 2017 servis

Version V1, vrijednost=“1“ Policy OID Fina OID: 1.3.124.1104.2.3.1.1.1 messageImprint Supported hash algorithm: sha-256 (OID: 2.16.840.1.101.3.4.2.1) serialNumber Whole number genTime UTC time, 1 s resolution Nonce Whole number

Polje Vrijednosti za kvalificirani elektronički vremenski žig kojeg izdaje Fina QTSA 2017 servis

signatureAlgorithm sha256WithRSAEncryption (OID: 1.2.840.113549.1.1.11)

Table 3.1 General information about the Time Stamp issued by Fina QTSA 2017



3.6. Time accuracy in issued time-stamps As a Qualified Time-Stamping Service Provider, Fina provides accurate information of the time incorporated in an electronic time-stamp. The UTC time incorporated in each electronic time-stamp has an accuracy of 1 second or better.

An electronic time-stamp issued by Fina QTSA 2017 contains a date and time consistent with the actual UTC time. The accurate time information is obtained from Fina’s satellite receivers

3.7. Clock synchronization with UTC Fina uses satellite receivers receiving accurate UTC time signal distributed from UTC(k) laboratory which is received via GPS satellite system. Fina QTSA 2017 is automatically synchronized with those satellite receivers. Fina QTSA ensures that the Fina QTSA 2017 system’s time is correctly synchronized with the UTC time within the accuracy limits defined in Section 3.6 of this QTPS, in particular by:

• periodic clock calibrations, • protecting against TSU time tampering, • detecting any drifts or jumps out of synchronization with the UTC time, and • providing for leap second events.

The primary reliable source of UTC time in the Fina QTSA 2017 system is the satellite GPS signal.

As an alternative reliable source of UTC time, the Fina QTSA 2017 system utilizes UTC data obtained through an Internet connection using the NTP protocol that enables synchronization with the reliable source of the UTC time of reference laboratory.

In case of unavailability of the primary reliable source of UTC time Fina QTSA 2017 system automatically switches to the alternate reliable source of UTC time.

3.7.1. Daylight saving time Fina QTSA 2017 service includes correct the time in its electronic time-stamps in the UTC format. Subscribers and relying parties are recommended to check how the client application displays time in electronic time-stamps and to pay attention to how local time is displayed in different time zones, especially at the time of switching to daylight saving time.

3.8. Time-stamp validation

Relying parties should validate the Fina QTSA 2017’s electronic signature as required by the standardization document ETSI EN 319 102-1 [10]. Time-stamp validation includes:

• checking that the electronic time-stamped data are associated with the particular time-stamp and the TSU certificate of Fina QTSA 2017,

• validation of the Time-Stamp signature, • checking that the electronic time-stamp meets the specific requirements with respect to

accuracy, reliability Fina QTSA 2017 service and Fina as qualified trust service provider, respectively.



3.9. Service availability

As a Time-Stamping Service Provider, Fina guarantees continuous availability of its electronic time-stamp service and the published Terms and Conditions of Service. In case of failure or unavailability of the Fina QTSA 2017 production service at its primary site, the maximum time for recovery of Fina QTSA 2017 is in accordance with the Business Continuity Plan.

3.10. Issuing Non-Qualified Electronic Time-Stamps Fina QTSA 2017’s TSUs dedicated for issuing qualified electronic time-stamps issue only qualified electronic time-stamps.

3.11. Transport protocol for the electronic time-stamping service Fina QTSA 2017 uses a secure HTTPS protocol (TLS), including certificate-based client authentication (two-way TLS).



4. LIFECYCLE OPERATIONAL REQUIREMENTS FOR FINA QTSA 2017 CERTIFICATE

4.1. Issuing of Certificate

A request for the initial generation of a TSU key pair and issuance of a TSU certificate for Fina QTSA 2017 service is submitted authorised person in Fina PKI. Such request is approved by the authorised person in Fina PMA.

A request for Fina QTSA 2017 certificate re-key is submitted by authorized person in Fina PKI, and is approved by authorized person in Fina PMA.

Fina QTSA 2017 certificates are issued by Fina PKI authorized persons with trusted roles, under at least dual control in accordance with Table 5.2 in Section 5.2.2 of this QTPS, in the Fina PKI protected premises described in Section 5.1.1.

Fina publishes such issued Fina QTSA 2017 TSU certificate on the website of the Fina QTSA repository referred to in Section 2.2.1 of this QTPS.

4.2. Certificate revocation and suspension Revocation of Fina QTSA 2017 Certificates is performed in accordance with the sections below.

Suspension of Fina QTSA 2017 Certificates is not allowed.

4.2.1. Circumstances for revocation

The Fina QTSA 2017 Certificate is revoked for the following reasons: • in a case of private key compromise or if there is a reasonable suspicion about private key

being compromised, • if a piece of information in the certificate becomes inaccurate, • in event of permanent unavailability or loss of the private key, • in case of prohibited use of the TSU private key, • if Fina determines that the Fina QTSA 2017 Certificate with its technical characteristics,

profile or content no longer provides the appropriate level of trust to Relying Parties, • if the cryptographic algorithms and parameters used no longer provide the required level of

security and protection, • if Fina QTSA 2017 ceases to operate and Fina is unable to ensure continued provision of

the QTSA service by another Qualified Service Provider, • if the certificate was not issued in accordance with any requirement or provisions of this

QTPS document.

4.2.2. Who can request revocation

A request for the revocation of Fina QTSA 2017 Certificate is submitted by an authorized person in Fina PKI subject, and is approved by authorised person in Fina PMA.

In case of TSU private key compromise, disaster or discontinuation of the time-stamping service, the revocation of Fina QTSA 2017 Certificate Revocation is submitted by an an authorized person in Fina PKI. The request is approved by authorised person in FinaPMA.



After such Fina QTSA 2017 Certificate Revocation Request is authorized, authorized persons with trusted roles in Fina PKI in accordance with Table 5.2 in Section 5.2.2 in the Fina PKI protected premises revoke such Fina QTSA 2017 Certificate.

Fina shall revoke a Fina QTSA 2017 Certificate as soon as possible, but no later than 24 hours of receiving the relevant aprooved revocation request.

4.2.3. CRL issuance frequency Fina RDC 2015 issues and signs Fina RDC 2015 CRL.

CRL is published immediately after certificate revocation and every six hours from the previous CRL issuance. The time limit for issuing the next CRL (value of the Next Update field) is 24 hours from the previous CRL issuance.

4.2.4. Maximum latency for CRLs Maximum latency for CRL from the moment of its issuance to the moment of its publication in regular circumstances is two minutes.

4.2.5. Online revocation/status checking availability Fina RDC 2015 and Fina RDC-TDU 2016 CAs support online status verification of issued certificates revocation via the Fina OCSP service compliant with the IETF RFC 6960 recommendation [15].

Information on certificate revocation status via the Fina OCSP service is available in real time.

The Fina OCSP service's address is http://ocsp.fina.hr and it is entered in the Authority Information Access extension of each certificate issued by CAs listed in this Section.

To be able to use Fina OCSP, the Relying Party must have software capable of using OCSP service, that is compliant with the IETF RFC 6960 recommendation [15], by using the GET and POST methods.

4.2.6. Other forms of revocation advertisements available No stipulations.

4.2.7. Service availability

CRL and OCSP is available 24 hours a day, 7 days a week. In the event of a system breakdown, circumstances beyond Fina’s control or force majeure, the service shall be available in accordance with the Business Continuity Plan.

4.3. End of subscription

Pursuant to the Terms and Conditions of the Time-Stamping Service, Subscribers enter into a time-stamping service agreement with Fina for an indefinite period of time. Such agreement may cease to apply by cancelation, termination, mutually, on expiration, or by revocation or suspension of the last certificate based on which the Subscriber accessed Fina QTSA 2017.

http://ocsp.fina.hr/



5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS Fina ensures the adequate protection of the assets used for provision of time-stamping service and, to that aim, keeps a comprehensive inventory of assets with the accompanying classification in accordance with the risk assessment.

Physical protection measures, procedures implemented by Fina in protecting the Fina QTSA 2017 system, as well as system management and operational procedure controls in Fina PKI are internal and the details thereof are not publicly disclosed.

5.1. Physical controls

As a Qualified Trust Service Provider, Fina implements Fina QTSA 2017 system physical protection measures aimed at minimising risks related to physical protection and in accordance with Fina's business policy and laws in force.

Fina applies physical protection measures for the issuance of qualified electronic time-stamps in order to limit access to hardware and software system components. as well as for access to the information of registered natural persons and Business Entities.

5.1.1. Site location and construction

Fina's primary QTSA 2017 production system has been situated inside Fina's building, on separate, protected premises envisaged for this purpose, and subject to implementation of multiple levels of physical and technical protection.

The purpose of Fina's secondary Fina QTSA 2017 system is to take over the functions of the primary Fina QTSA 2017 system in case of failure until its recovery and restoration of services. The secondary Fina QTSA 2017 system is situated on Fina's remote site and it meets equal or higher security requirements compared to the primary system.

The Fina PKI protected premises are internally divided into security zones.

Secure premises accommodating Fina's QTSA 2017 systems at the primary and secondary location shall hereinafter be referred to as: the "Fina PKI protected premises".

5.1.2. Physical access

Physical access to the Fina QTSA 2017 system on the Fina PKI protection premises and accompanying security zones within these premises is achieved with the dual control of passage of Fina PKI authorised personnel and in accordance with their roles and authorisations.

Persons who are not authorised to physically access the Fina QTSA 2017 system may access it only in the company of authorised persons and in accordance with the Fina internal procedures.

Each access to the Fina QTSA 2017 system is recorded.

Physical access to the Fina QTSA 2017 system in the Fina PKI protected premises may be achieved only by passing through access zones.

The archives where the Fina PKI paperwork is stored can only be accessed by authorised persons Fina. Fina's archives are equipped with video surveillance and are under constant supervision of the security company that provides constant physical protection of the facility.



5.1.3. Power and air conditioning

Devices and premises where Fina QTSA 2017 system, the Fina RA system and repository, as well as technical protection systems are located, are continuously supplied with electricity and air-conditioning sized to ensure appropriate operational conditions even in case of external supply interruptions.

Backup power has been ensured by a device for continuous power supply in combination with a diesel engine which ensures the continuous and reliable operation of the Fina QTSA 2017 system until the primary power supply has been restored.

Air conditioning devices have been installed on all premises with the Fina QTSA 2017 system equipment for the maintenance or proper work conditions.

5.1.4. Water exposure

Fina QTSA 2017 system equipment is stored at the premises which are ensured against floods and placed on elevated floors.

5.1.5. Fire prevention and protection

A fire alarm and protection system has been installed at the Fina PKI protected premises pursuant to the fire safety regulations. The automatic system uses extinguishing agents for extinguishing fire on electric installations and the IT equipment. The Fina PKI protected premises have a stable fire alarm system and fire detectors.

The Fina RA Network premises have been secured pursuant to the provisions of the Fina's internal fire protection rules.

Fina archives which materials in paper form of Fina PKI have been equipped with a fire alarm system and are secured in accordance with the provisions of the Fina's internal fire protection rules.

5.1.6. Media storage

Media containing archived and backup copies of the Fina PKI data in electronic form, the repository content copies and software equipment backup copies has been safely stored at two separate secured locations in order to protect it against damage, theft or unauthorised access. The media containing data has been stored at the Fina PKI protected premises of primary production system and at a backup location.

Authorised persons with trusted roles have been given access to the data backup.

5.1.7. Waste disposal Documents and data in paper and electronic form located at the Fina PKI protected premises, or containing confidential information, which do not require archiving, are safely removed and destroyed.

Waste disposal from the Fina PKI protected premises is performed under the supervision of the Fina PKI authorised persons.

All confidential documents and data are physically destroyed at the location before being disposed of in such a manner that this information cannot be reconstructed.



Documents and data in paper or electronic form which do not require further archiving are securely removed from the archive system and destroyed.

Destruction of the media that contains secret or confidential data and keys contained in the HSM is conducted according with Fina's internal procedures for destruction of data and cryptographic equipment. Such data deletion or destruction of the HSM module data is carried out prior to their possible servicing or reparation.

Fina disposes of all waste material generated on its premises and office space pursuant to the internal working instructions and procedures for ecological waste management.

5.1.8. Off-site backup

Backup copies of Fina QTSA 2017, central Fina RA system, repository content and archive in electronic form, backups of programming equipment are retained on a backup location pursuant to Section 5.1.1 hereof.

Backup copies retained on protected premises at a backup site, with respect to their original forms, are retained using the equal or a higher security level of the applied physical protection measures.

5.2. Procedural controls

5.2.1. Trusted roles

Information system management, management of the certificate management system, and Fina PKI operation supervision tasks are performed in separate organisational sections of Fina.

Fina ensures that all authorised persons performing tasks related to Fina QTSA 2017 are assigned to appropriate trusted roles.

Trusted roles are granted to authorised persons in accordance with the rules which make sure no single person may circumvent security measures and endanger the security and reliability of the Fina QTSA 2017 system.

Trusted roles comprise the basis of trust in Fina PKI and are assigned to authorised employees. Each trusted role is documented with a clearly defined description of tasks and responsibilities.

Trusted roles include the roles of Security Officer, System Administrator, System Operator, System Auditor and Registration Officer.

The description of trusted roles and the corresponding job descriptions, authorisations and responsibilities for each role are given in Fina's internal documents. The corresponding lists indicate the Fina employees who have been assigned trusted roles.

5.2.2. Number of persons required per task

Fina has a sufficient number of regular employees with knowledge, experience and qualifications required in Fina PKI for the provision of services falling within the scope of this QTPS document.

Access and work in the Fina PKI protected premises i0073 performed solely in the presence of at least two authorised persons from Fina PKI who have permission to access the system located in the Fina PKI protected premises.

The number of employees with the corresponding trusted roles for performing specific tasks in Fina QTSA 2017 is given in corresponding Fina's internal documents.



5.2.3. Identification and authentication for each role

Upon logging on to critical applications and services within Fina PKI, identification and authentication of the person accessing the application or service is carried out. Identification and authentication of persons is carried out using the appropriate authentication method. Access and use of applications and services within Fina PKI is only enabled for authorised persons in accordance with the trusted role they perform.

Identification of Fina PKI’s authorized persons and determination of their access rights for performing their tasks in Fina PKI is carried out by security and verification procedures.

Authorized persons with trusted roles in Fina PKI must be authenticated before any access to the Fina CA, Fina QTSA and/or or Fina RA system. For that purpose, Fina PKI’s authorized persons are provided with appropriate authentication instruments. Before receiving their authentication means, such personnel must meet the requirements specified in Section 5.3 of this QTPS.

The means for authentication are:

• entry control cards for entering Fina PKI protected security zones specified in Section 5.1.1 of this QTPS;

• digital certificates on secure cryptographic or QSCD devices;

• a username and password or a digital certificate on a secure cryptographic or QSCD device for logging on to Fina QTSA 2017;

• control cards of the cryptographic module are only be given to authorised persons in Fina with trusted roles in Fina PKI pursuant to the roles referred to in Section 5.2.1. hereof.

Each of the referred means of authentication is specifically personalized for each authorized persons. The use of these authentication means is limited to the tasks and system for which a particular trusted role is authorized.

5.2.4. Roles requiring separation of duties The terms of reference for the authorised personnel with trusted roles in the Fina QTSA 2017 system are based on the principle of the separation of duties and allocation of minimal user rights which ensure the undisturbed performance of allocated tasks.

The following rules are applied through the separation of duties: • the Security Officer and the Registration Officer are not allowed to perform the duties of the

System Auditor, • the System Administrator is not allowed to perform the duties of the Security Officer or

System Auditor.

5.3. Personnel controls

5.3.1. Qualifications, experience and clearance requirements

All requirements for adequate professional qualification for each trusted role is taken into account at the time of personnel employment with Fina PKI.



Before starting to work at Fina PKI, the candidates shall have appropriate expertise, experience, qualifications and education in the field of cryptographic technologies, protection of computer systems, information security and personal data protection in the domain of their own scope of work within Fina PKI.

While hiring new employees, Fina tests the candidates in order to evaluate their quality and competence for performing trusted roles in the Fina PKI system.

The Fina PKI personnel with trusted roles shall not be in any conflict of interest which would endanger the operation of the Fina PKI system.

5.3.2. Background check procedures

Before hiring new candidates for work at Fina PKI, Fina conducts psychological testing of the personnel in order to assess their adequacy in relation to the tasks which they will perform.

Before starting work in Fina PKI, the candidate submits the clearance certificate issued by the competent municipal court stating that there are no pending criminal proceedings against the applicant, i.e. that no decision on investigation has been rendered, no effective indictment has been issued, no non-final judgement imposing a sentence has been passed for criminal offences nor has a criminal order been issued.

By signing the employment contract every employee agrees to keep all disclosed confidential information strictly confidential.

5.3.3. Training requirements

Before they start performing their tasks in Fina PKI, employees performing tasks within Fina PKI are provided with training in accordance with the duties to be assigned to them. Employees carrying out tasks within Fina PKI are provided with education and training in accordance with their trusted roles. Such education and training of employees with trusted roles in Fina QTSA 2017 includes:

• Fina QTSA, Fina CA and Fina RA security principles and mechanisms; • security awareness; • QTSA software in use in Fina QTSA 2017; • tasks associated with the trusted roles to be performed by them in Fina QTSA 2017; • disaster recovery and business continuity procedures.

The training to be provided to the Registration Officer in Central Fina RA and the Registration Officer in Fina LRA includes:

• basics of certificates and electronic time-stamps; • methods of Subscriber registration and use of Fina RA and Fina CSM applications; • security awareness; • information to be provided to Subscribers.

5.3.4. Retraining frequency and requirements

Information Security Awareness course takes place annually for all Fina PKI employees.

Employees with trusted roles in Fina PKI are responsible for improving their skills and acquiring new knowledge in their area of expertise through self-education or organised internal and external training.



The knowledge of Fina RA Network employees, especially in terms of tasks they perform, is regularly refreshed, at least once every year.

5.3.5. Job rotation frequency and sequence

No stipulations.

5.3.6. Sanctions for unauthorised actions

Non-abidance of prescribed measures for authorised persons when working in Fina PKI is subject to breach of work obligations, while possible penalties are determined through disciplinary proceedings.

In the event of unauthorised actions by external contractors, the provisions defined in the agreement with the external contractors shall apply.

5.3.7. Independent contractor requirements

Requirements for suppliers of goods and services for Fina PKI are regulated by internal documents governing work with suppliers. The access to the information property in Fina PKI for independent contractors is approved solely under a contract for that particular information which is the subject of the contract and solely for activities referred to in the contract.

5.3.8. Documentation supplied to personnel

Each employee has been given access to the documentation necessary for the performance of their tasks, which includes internal and external education materials and work instructions and procedures for performing certain tasks in Fina PKI pursuant to the allocated trusted role and the corresponding authorisation.

5.4. Audit logging procedures

5.4.1. Types of events recorded

All relevant events in Fina QTSA 2017 are recorded as audit logs in electronic or paper format. Audit logs include information about the event type, date and time, and information about the success or failure of the event being monitored.

Fina PKI’s date and time information in its event audit logs in electronic format is aligned with the NTP server which is synchronized with an accurate time source and has an accuracy of better than 1 second in relation to the UTC time.

Fina QTSA 2017 audit logs contain electronic or paper records of events related to: • management of lifecycles of TSU keys; • management of lifecycles of TSU certificates; • management of lifecycles of HSM protecting the Fina QTSA 2017 TSU private key; • synchronization of TSU clock with UTC time • detection of UTC time synchronization failures, • registration of a natural person and Business Entity; • issuance of electronic time-stamps;



• security events, including system activation and deactivation events, system failure events,

hardware defect events and changes to system security settings.

Data and events recorded in the Fina PKI audit logs are described in Fina's internal documents.

5.4.2. Frequency of processing log

The Fina QTSA 2017 audit log inspection procedure includes: • inspection of audit logs created since the last audit, • if necessary, preparation of a summary report including explanations of significant events.

These inspections include audit log corruption checks and short log reviews, as well as thorough investigations of any irregular events recorded.

Fina QTSA 2017 and HSM audit logs are inspected by the System Auditor. Fina QTSA 2017 and HSM audit logs are inspected on a regular basis, once daily on business days and in emergencies. Records of inspections of these audit logs are maintained in paper or electronic format by the person holding the System Auditor trusted role.

Other audit logs are analyzed as necessary by Fina PKI’s authorized personnel.

In case of irregularities or errors relating to security, the person authorised for audit log review prepares a report on the analysis of the audit logs and further necessary activities. In case of an unauthorised activityFina's internal procedures shall be implemented.

All actions taken based on an audit log analysis are documented.

5.4.3. Retention period for audit log

Audit logs with records referred to in Section 5.4.1 are stored for at least 10 years from the issuance of electronic time-stamp to which the logs refer.

5.4.4. Protection of audit log

Fina QTSA 2017 audit logs are protected using such mechanisms and procedures that ensure such logs remain confidential and integral and do not allow for them to be altered or easily deleted or destroyed.

Confidentiality of Fina QTSA 2017 audit logs is also ensured by system access and log reading privilege controls.

Access to audit logs is limited to Fina PKI’s authorized personnel, i.e. to the System Auditor, Security Officer and System Administrator, combining controls of physical access to the Fina PKI protected premises and system data access security controls.

After being retained in the systems where they were created for the relevant retention period, audit logs of all systems within Fina PKI containing information specified in Section 5.4.1 of this QTPS are archived and protected in accordance with the procedures described in Section 5.5.3 of this QTPS.

Audit logs maintained in paper format are protected against unauthorized viewing, deletion, alteration or destruction using routine paper document protection methods.

Audit logs maintained in paper format, such as Records of PKI Protected Premises Entry/Exit, are protected against unauthorized viewing, deletion, alteration or destruction using routine paper document protection methods.



5.4.5. Audit log backup procedures

New audit logs in Fina PKI are backed up on a daily basis, and their backup copies stored and protected within the primary production Fina PKI protected premises. In addition, audit logs files backups in Fina PKI are stored on media for data storage in secondary protected premises on a remote backup site, pursuant to Section 5.1.8. hereof.

The procedures for creating audit log backups are described in more detail in the Fina's internal documents.

5.4.6. Audit collection system (internal vs. external)

The Log Collection System for all logs in Fina PKI is an internal system in which log systems are collected through the combination of automatic and manual processes which are carried out on the Fina PKI servers and which are initiated and monitored respectively by the Fina PKI personnel with trusted roles.

Manual processes of audit logs collection refer to up-to-date recording of the Records for monitoring of entries and exits into and from Fina PKI protected premises.

5.4.7. Notification to event-causing subject

In case of detecting a significant event log in the Fina PKI operation related to a particular participant, Fina reserves the right to decide on the notification of the participant or Subscriber causing the event.

5.4.8. Vulnerability assessment

Fina carries out regular risk assessment of the information assets, vulnerability assessment for identified public and private addresses and penetration testing.

Information risk assessment is carried out once every year. The system vulnerability assessment for identified public and private addresses of Fina PKI is carried out once every quarter. Information risk assessment, system vulnerability assessment and penetration test is carried out after significant changes.

5.5. Records archival

5.5.1. Types of records archived

Fina QTSA 2017 archives data specified below, which may come in electronic and/or paper form: • Qualified Time-Stamp Policies, • Qualified Time-Stamping Practice Statements, • Terms and conditions of time-stamping service provision, • Filled and signed registration forms for the time-stamping service provision, • data and accompanying documentation collected in the natural person and Business Entity

registration procedure, • audit logs referred to in Section 5.4.1. hereof, • other Fina's internal documents.

Each archived record contains data indicating the time referring to it.



More specific provisions relating to archived records types and locations of Fina PKI archive are given in the internal Fina's documentation.

5.5.2. Retention period for archive

Fina keeps all archived data and documentation for at least 10 years from the issuance of electronic time-stamp to which the records refer.

5.5.3. Protection of archive

Fina QTSA 2017 system documentation archived in hard copy form is retained in Fina PKI protected premises described in Section 5.1.1. hereof. Upon request, archived records are made available only to authorised Fina PKI persons, under dual control.

Documents archived in hard copy form which were collected during the procedure of natural persons and Business Entities registration is retained on Fina’s protected archive premises which are under constant supervision by a security service, and the access to the archived documentation is made available only to Fina PKI authorised persons and the personnel in charge of Fina’s archive. Thereby, the archive is protected from unauthorised review, modification or deletion.

Archived records in electronic form referred to in Section 5.5.1. hereof are stored on media suitable for data archiving on Fina PKI protected premises described in Section 5.1.1. Archived records are protected by mechanisms and procedures ensuring confidentiality and integrity of the logs and not allowing records modification, nor easy records deletion or destruction. Confidentiality of archived records in electronic form is protected by encryption, and the integrity of records by a digital signature. Upon request, archived records are made available only to authorised Fina PKI persons, under dual control. At least once a year, Fina PKI authorised persons check archive integrity, and if the archive is damaged, it is renewed by a backup copy.

Archived Fina PKI documents are accessible only to authorised persons.

5.5.4. Archive backup procedures

Backup copies of records archived in electronic form referred to in Section 5.5.1. hereof are retained in the secondary protected premises on a backup site referred to in Section 5.1.1. hereof with equal or higher level of protection comparing to Fina PKI protected premises on the primary location.

Access to backup copies of archived records in electronic form is granted only to Fina PKI authorised personnel, under dual control

5.5.5. Requirements for time-stamping of records No stipulations

5.5.6. Archive collection system (internal or external)

Archived records are collected in a way which depends on the type of data and documents.

Fina QTSA 2017 system documentation in paper form is retained manually and archived internally.



Records in electronic form referred to in Section 5.5.1. hereof are collected automatically and archived internally in Fina PKI protected premises on the primary location and on the secondary protected premises on the backup location referred to in Section 5.1.1. hereof.

5.5.7. Procedures to obtain and verify archive information

Access to archived records is granted only to persons with authorised access to archived data. Access to data archived in protected premises referred to in Section 5.1.1. hereof is granted only to authorised Fina PKI persons, under dual control.

Archived data are verified by their integrity control, e.g. by the verification of the digital signature on the archived data.

Archived data in electronic form are compared to the pertaining backup data, if necessary.

5.6. TSU Key changeover

Fina shall sufficiently before the expiration date of the relevant TSU private key generate a new TSU key pair for Fina QTSA 2017 in accordance with Section 6.3.2 of this QTPS to maintain the level of security of the cryptographic algorithm of the TSU private key in use.

The new Fina QTSA 2017 TSU Certificate with the newly generated public key shall be signed by the Fina RDC 2015 CA private key.

Fina shall duly notify the Fina PKI participants of a planned TSU key changeover by publishing the relevant information on the website of the qualified Fina PKI repository referred to in Section 2.2 of this QTPS. The new Fina QTSA 2017 TSU Certificate shall be available to Fina PKI participants via the public directory and repository’s website.

5.7. Compromise and disaster recovery

5.7.1. Incident and Compromise Handling Procedures

Fina has a Business Continuity Plan for Fina PKI which regulates the procedures in cases of: • natural disaster, • attack, robbery or building blockade, • IT infrastructure destruction on the primary production site, • IT infrastructure unavailability on the primary production site due to hardware or software

malfunction of a larger scale, • unavailability of workers, • termination of services by the supplier, • loss or compromise or alleged compromise of TSU private key or Fina QTSA 2017.

Procedures that should be undertaken for the purpose of recovery and establishment of initial security settings of the RA system, archive and repository are encompassed by internal plans.

Notification in case of the aforementioned disasters is described in the adequate procedures in cases of natural disasters.

Notification in case of compromise or suspected compromise of the TSU private key or Fina QTSA 2017 is described in Section 5.7.3. hereof.



The Business Continuity Plan is revised once a year.

5.7.2. Computing resources, software and/or data are corrupted

Fina QTSA 2017 system is based on reliable hardware and software components, and system critical operations are supported with redundant components.

Functionality, proper work and timely damage removal of FINA QTSA 2017 system components is ensured under support and maintenance with equipment suppliers.

The Business Continuity Plan for Fina PKI regulates procedures for Fina QTSA 2017 system recovery in case of malfunction or damage of equipment and network resources, as well as data recovery.

Backup of electronic records created during the operation of Fina PKI system is made on a daily basis and submitted periodically in the protected premises on a backup site.

5.7.3. Entity private key compromise procedures

In case a Fina QTSA 2017 TSU private key is compromised, Fina shall, as soon as it becomes aware of it, cease to use the compromised Fina QTSA 2017 TSU private key and shall investigate the circumstances surrounding the key compromise If the key compromise is confirmed, Fina PMA makes its decision to revoke the Fina QTSA 2017 Certificate associated with the compromised key. Fina shall notify the participants that, in such case, the revocation information should not necessarily be trusted. Fina shall notify the following participants of such Fina QTSA 2017 Certificate revocation:

• Fina RA network, • Subscribers, • Relying Parties.

After determining and eliminating the cause responsible for TSU key compromise, Fina shall if appropriate, undertake measures to prevent the recurrence of such an event. Depending on the determined causes of TSU key compromise, Fina may decide to temporarily switch to production from a secondary site. Fina shall generate a new TSU key pair for the TSU whose private key was compromised and Fina RDC 2015 CA shall issue a new Fina QTSA 2017 Certificate for the new TSU public key. In case the cryptographic algorithms and parameters used no longer provide the required level of security and protection, Fina shall, if possible, duly notify:

• Fina RA network, • Subscribers, • Relying Parties.

Fina shall consider the possibility of using other appropriate recommended cryptographic algorithms that are more secure and shall, if possible, decide to use another algorithm. Fina shall develop specific plans and procedures and shall notify them and the relevant procedures to



Subscribers and Relying Parties and shall undertake appropriate activities for the purpose of continuing to provide its services to Subscribers. In the event of unavailability of a reliable UTC source signal distributed from the reference UTC laboratory, for any reason, the Fina QTSA 2017 service will stop delivering electronic time-stamps until the reset synchronization is completed. For all Subscribers and Relying Parties through Fina PKI Repository webpages from Section 2.2.1. herein Fina will announce description of compromise or calibration failures. In the event of a larger compromise of QTSA 2017 or calibration failures, Fina will, through the Fina PKI Repository websites, publish to all Subscribers and Relying Parties the information for a clear identification of issued time stamps that contain incorrect information.

5.7.4. Business continuity capabilities after a disaster

The Business Continuity Plan defines procedures for business continuation after a disaster. Depending on the type of disaster, Fina shall continue providing time-stamp issuance service on its primary production Fina QTSA 2017 system or it shall continue service provision on its secondary Fina QTSA 2017 system referred to in Section 5.1.1. hereof, until the recovery of the primary production system.

Business continuity strategy regulates the requirements and transition of trust services to the secondary Fina QTSA 2017 system referred to in Section 5.1.1. hereof.

5.8. Fina QTSA 2017 termination

With regards to the planned termination of qualified electronic time-stamping services provision, Fina shall:

• inform all Subscribers, Trusted parties and the central state administration authority responsible for economy at least three months prior to the planned termination of qualified electronic time-stamping service provision,

• make all possible efforts to ensure the continuation of qualified electronic time-stamping service provision with another Qualified Trust Service Provider, and shall deliver all documentation collected in the Subscriber registration process, as well as all documentation on issued time-stamps to that service provider,

• destroy actual TSU private key of qualified electronic time-stamping service and revoke corresponding Fina QTSA 2017 certificate in case Fina, for any reason whatsoever, cannot ensure the continuity of qualified electronic time-stamping service provision with another Qualified Trust Service Provider.

In case of the termination of qualified electronic time-stamping service provision, Fina shall archive, protect and store the records according to the provisions referred to in Section 5.5. hereof to make those records available for evidence in court, administrative or other proceedings in accordance with applicable provisions of legislation, or Fina shall enter into an agreement with another entity with respect to archiving, protection and keeping of records.



6. TECHNICAL SECURITY CONTROLS

6.1. Key pair generation and installation

6.1.1. TSU key pair generation

Fina CA carries out Fina QTSA 2017 TSU key pair generation using cryptographic algorithms for key generation in compliance with the standardization document ETSI TS 119 312 [11].

The cryptographic algorithms used to generate keys were selected according to ETSI TS 119 312 [11] to be applicable for the entire QTSA certificate validity period.

A Fina QTSA 2017 TSU key pair is generated in HSM that meets the requirements referred to in Section 6.2.1 of this QTPS.

The Fina QTS system and the corresponding HSM are located in Fina PKI protected premises referred to in Section 5.1.1 of this QTPS during and after performing the key pair generation procedure, and access to Fina QTSA 2017 is allowed only to Fina PKI authorized persons with trusted roles exercising at least dual control.

The Fina QTSA 2017 TSU key pair generation procedure involves authorized persons with trusted roles in Fina QTSA.

Minutes of the carried out Fina QTSA 2017 TSU keys generation are recorded.

6.1.2. Private key delivery to Fina QTSA

Not applicable 6.1.3. Public key delivery to certificate issuer

The TSU public key is delivered to Fina RDC 2015 CA pursuant to internal procedure.

The TSU public key is delivered for certification to Fina RDC 2015 CA in a way that ensures verification of the integrity and authenticity of the public key.

The delivery of the TSU public key is performed by authorised persons with trusted roles in Fina PKI, in Fina PKI protected premises, under at least dual control.

6.1.4. TSU public key delivery to relying parties

The TSU public key is an integral part of the Fina QTSA 2017 certificate which is published on web page of the Fina PKI repository referred to in Section 2.2.1 of this QTPS.

6.1.5. Key sizes

SubordinateFina RDC 2015 CA use sha256WithRSA algorithm with a 4096-bit long key. Fina QTSA 2017 service uses 2048-bit long RSA keys.

6.1.6. Public key parameters generation and quality checking

TSU key pair that is used in Fina QTSA 2017 service Is generated using generation parameters in compliance with the standardised document ETSI TS 119 312 [11].



6.1.7. Key usage purposes

The TSU private key for Fina QTSA 2017 is only used for electronic signing of qualified electronic time-stamps.

The corresponding certificate for Fina QTSA 2017 in the Key Usage extension has set the values digitalSignature and nonrepudiation and in the extKeyUsage extension has the set value timeStamping.

6.2. Private Key Protection and Cryptographic Module Engineering Controls

6.2.1. Cryptographic module standards and controls

The HSM that TSU uses to sign qualified electronic time-stamps complies with the requirements of FIPS 140-2 [16], level 3.

6.2.2. TSU private key (n out of m) multi-person control

TSU private key multi-person control is a security measure requiring multi-person authorisation for access to the TSU private key for time-stamp signing purposes. Such mechanism prevents an individual from accessing the Fina QTSA 2017 TSU private signature key alone.

Fina QTSA 2017 TSU private key control is exercised by physical access to HSM with at least dual control and authorization from two authorized persons with trusted roles in Fina QTSA.

6.2.3. Private key escrow

TSU private key escrow for Fina QTSA 2017 service is not allowed.

6.2.4. Private key backup

TSU private key backup for Fina QTSA 2017 service is carried out under dual control by authorised persons with trusted roles in Fina PKI on the premises of the highest security level within the Fina PKI protected premises. TSU private key is outside of the HSM exclusively in encrypted form and in that form it is backed-up and retained in a secure location of the highest security level within the Fina PKI protected premises on separate locations.

Physical access to security copies of TSU private keys of Fina QTSA 2017 have only authorised persons with Fina QTSA trusted roles at least dual control.

6.2.5. Private key archival

TSU private key escrow for Fina QTSA 2017 is not allowed.

6.2.6. Private key transfer into or from a cryptographic module

While out of HSM, the TSU private key is protected by encryption. Private key encryption is carried out by strictly abiding by the requirements given in the HSM certification documents and this ensures the same security level of private key protection, as well as when the key is in the HSM. The transfer of TSU private key from HSM is authorised by persons with trusted roles in Fina PKI, using dual control, within Fina PKI protected premises referred to in Section 5.1.1 hereof.



During the transfer of private keys from one HSM into another HSM, the TSU private key is only transferred to an HSM of equal or higher level of security in relation to the HSM from which the private key is being transferred.

6.2.7. Private key storage on cryptographic module

TSU private key for Fina QTSA 2017 service is protected by HSMs and they may be used only if duly activated.

There are no limitations regarding the format in which private TSU keys are stored in HSMs.

6.2.8. Method of activating TSU private key

The activation of TSU private keys for Fina QTSA 2017 is carried out by authorized persons with a Fina QTSA System Administrator trusted role. Each of these persons authorized to activate the HSM uses the control cards of the cryptographic module and the corresponding secret PIN.

Once activated, the private key remains activated without any time limits.

6.2.9. Method of activating TSU private key

The deactivation of Fina QTSA 2017 TSU private keys is carried out according to procedures and upon complying with requirements set in the certification document of the HSM used, with dual control by authorized persons with a Fina QTSA 2017 System Administrator trusted role.

The deactivation of TSU private keys is carried out in case of a direct request for suspension of system activity, in case the private key validity period expires and in case the corresponding certificate is revoked.

Fina QTSA 2017 TSU private keys are deactivated: • by terminating the Fina QTSA 2017 server process, • by shutting down HSM, • by shutting down the HSM-related server.

When deactivated, the TSU private key is kept in protected form.

6.2.10. Method of destroying private key

The procedure for destruction of a TSU private key is carried out after the expiry of the TSU private key validity period, because it has been compromised or because of reasonable suspicion that a private key has been compromised, or due to cessation of its use, and is carried out by authorized persons with trusted roles in Fina QTSA 2017 with at least dual control. The procedure for destruction of a Fina CA private key also includes permanent disabling of all security copies of this private key, which are no longer usable.

A TSU key is destroyed pursuant to Fina′s internal procedures and in strict compliance with the requirements specified in the HSM certification documents. A Fina QTSA 2017 TSU private key is destroyed in the presence of persons with trusted roles in Fina PKI. Minutes of TSU private key destruction is recorded.

6.2.11. Cryptographic Module Rating

HSM is assessed by certification according to the norm for cryptographic modules given in Section 6.2.1 hereof.



6.3. Other Aspects of Key Pair Management

6.3.1. Public key archival

TSU public keys of Fina QTSA 2017 service are archived in order to provide evidence about certificates in judicial, administrative and other procedures.

TSU public keys of Fina QTSA 2017 service are an integral part of pertaining Fina QTSA 2017 certificates which are archived pursuant to Sections 5.5.3. and 5.5.4. hereof, and are stored in the archive for the time limit set in Section 5.5.2 hereof.

6.3.2. Fina QTSA certificate operational periods and TSU key pair usage periods

The Fina QTSA 2017 Certificate has a validity period of 4 years.

The validity period of the Fina QTSA 2017 TSU private key defined by the extension Private Key Usage Period in the Fina QTSA 2017 Certificate is 12 months.

The validity periods for Fina QTSA 2017 TSU keys and TSU certificates is specified in the PrivateKeyUsagePeriod certificate extension in the relevant Fina QTSA 2017 Certificate.

Fina QTSA 2017 TSU private keys are not used after the expiry of the certificate validity period, after certificate revocation or after the expiry of the TSU private key validity period and in those cases time-stamp requests shall be rejected.

On expiry of the validity period, the TSU keys and their copies are securely make unusable so there is no copy of them left and they may not be reused.

The Fina QTSA 2017 TSU validity period is specified in the Validity field in the Fina QTSA 2017 TSU Certificate.

Relying Parties may use a Fina QTSA 2017 TSU Certificate to validate the TSU signature in issued electronic time-stamps after the TSU certificate validity period if the cryptographic algorithms used provide the required level of security.

6.4. Activation data

6.4.1. Activation data generation and installation

Activation data related to the Fina QTSA 2017 TSU private key is generated and installed in the process of generating the corresponding private key.

6.4.2. Activation data protection

The activation data connected with the TSU private keys for Fina QTSA 2017 are assigned to control cards for cryptographic module which are protected by the corresponding PINs and securely stored in Fina PKI protected premises.



6.5. Computer security controls

6.5.1. Specific computer security technical requirements

Only authorized persons after authentication have access to the IT system and applications in Fina PKI after authentication. The Fina QTSA 2017 server operating system access control only allows access to authorized personnel with trusted roles in Fina QTSA, in accordance with Section 5.2.1 of this QTPS.

Fina segregates duties and responsibilities for the respective personnel’s trusted roles in Fina QTSA in accordance with Section 5.2.4 hereof.

The identification and authentication for each trusted role in Fina QTSA is carried out using appropriate authentication instruments in accordance with Section 5.2.3 of this QTPS.

The Fina PKI system carries out continuous monitoring and has an alarm system for the purpose of detecting, recording and timely reaction to attempts at unauthorized access to system resources.

A protection system against malicious code has been implemented and it is prohibited to use any unauthorized software.

6.5.2. Computer security rating With aim of security and quality of the provided trust services, Fina has established a system for information security management pursuant to ISO/IEC 27001 [17] standard. Compliance is verified by a certificate issued by an independent certification authority.

6.6. Tehničke kontrole životnog ciklusa

6.6.1. Life cycle technical controls

When procuring development software from an external subcontractor, Fina ensures the system development security principles in an agreement with the supplier.

The analysis of security requirements is carried out in the design and specification phase of any development project of Fina PKI systems, to ensure that security has been incorporated in the information technology of Fina PKI systems.

New software versions are tested in a test environment.

Implementation of software in production is carried out in accordance with documented procedures of change management.

The Fina PKI system configuration management plan includes a clear presentation of the current status, a list of documents resulting from the creation of the information system, quality assurance measures, a vulnerability assessment, software design, a system test and definitions of the control mechanisms.

6.6.2. Security management controls

Through the tender documents in the procedures of procurement the HSM for TSU Fina ensures that the HSM is not tampered with during shipment or storage.



Installation, activation of HSM for TSU is done in in Fina PKI protected premises by authorised persons in trusted roles using, at least, dual control.

Their integrity is verified at the time of starting the HSM.

During the installation of software and its patches in Fina PKI, measures are undertaken to verify the authenticity and integrity of the software being installed.

The Fina PKI settings are controlled and monitored by Fina’s authorized personnel.

Fina carries out verification of all parts of the time-stamping system with respect to security, reliability and quality of operation, all in accordance with laws in force referred to in Section 9.14 of this QTPS.

In the event of a Fina QTSA 2017 system security breach or loss of its integrity which may have a significant impact on the provision of Trust Services or on the protection of personal data, Fina shall within 24 hours notify the central state administration authority competent for economic affairs, as the authority competent for supervision of Qualified Trust Service Providers, and if necessary Fina shall, also, notify other competent authorities. In the event that the loss of integrity may have a negative impact on the Subscribers of Fina Trust Services, Fina shall immediately notify all natural persons and business entities that may be impacted by the security breach thereof.

6.6.3. Life cycle security controls

Fina carries out change management in Fina PKI to ensure that changes occur for justified reasons, and in a controlled and formalised way.

The integrity of the QTSA 2017 systems is protected by anti-virus protection and the use of authorised software.

Monitoring of available capacities of the Fina QTSA 2017 system is carried out, and the compliance of existing capacities for future needs of the system is assessed to plan their expansion in a timely manner.

6.7. Network security controls

The computer network security of Fina PKI system is based on the concept of network separation by network zones of different levels. Network zones are separated by firewalls allowing only necessary network traffic. Equal security measures are applied to all systems located within the same network zone.

Equipment for computer network protection keeps record of traffic flow and attempts to access Fina PKI services. The recorded information is defined in Section 5.4.1. hereof. Only authorised Fina PKI personnel have administration authorisations for the set-up and management of the equipment for the protection of computer network. Remote adjustment of computer network protection equipment is not allowed.

Unnecessary communication, accounts, ports, protocols and services are explicitly prohibited or deactivated.

The Fina PKI internal computer network is protected against unauthorised access, including access by Subscribers and third parties.



All systems critical for providing Trust Services are located in the Fina PKI protected premises.

Network access to critical systems in the Fina PKI protected premises is disabled from outside of the Fina PKI protected premises.

Fina QTSA 2017 system is specially security adjusted and hardened.

The Fina PKI internal computer network is protected against unauthorized access, including access by Subscribers and third parties.

All systems critical for providing Trust Services are located in the Fina PKI protected premises.

The network components of Fina PKI systems are stored in a physically and logically secure environment and the compliance of its configurations is periodically checked.

6.8. Time-stamping

Time in the Fina PKI system is synchronised with UTC time. Fina QTSA 2017 audit logs contain accurate data regarding the date and time they originated, with an accuracy of better than 1 second.



7. CERTIFICATE, CRL, AND OCSP PROFILES

7.1. Fina QTSA 2017 Certificate profile

A document containing a description of Fina QTSA 2017 TSU Certificate profile is available on the website of the repository referred to in Section 2.2.1 of this QTPS.

Fina QTSA 2017 certificates are issued by Fina RDC 2015 CA.

7.1.1. Version number(s)

• Version

Certificates are compliant with version 3 according to the X.509 specification.

7.1.2. Basic fields and certificate extensions

7.1.2.1. Basic fields of Fina QTSA 2017 Certificate

This Section describes the basic fields of a Fina QTSA 2017 TSU Certificate.

• Serial Number

Unique identifier of the Fina QTSA 2017 Certificate generated by Fina RDC 2015 CA.

The length of the serial number is 16 or 17 octets, which provides 64 bits of entropy.

• Algorithm Identifier

Cryptographic algorithm. Fina uses the cryptographic algorithm: sha256WithRSAEncryption for signing Fina QTSA 2017 Certificates.

• Signature

Electronic signature of the certificate issuer for Fina QTSA 2017.

• Issuer

Name of the certificate issuer under X.520. The certificate issuer for Fina QTSA 2017 is Fina Certification Authority (CA): Fina RDC 2015.

• Validity

The Validity field defines the certificate validity period. The time is indicated in UTC format and the contents of the field are encrypted according to IETF RFC 5280.

• Subject

The Subject field contains the unique name of the time-stamp issuer according to X.520

• Subject Public Key

The subjectPublicKey attribute contains a public key corresponding to the TSU private key whereby Fina QTSA 2017 signs time stamps issued.



7.1.2.2. Fina QTSA 2017 Certificate extensions

This Section describes the Fina QTSA 2017 TSU Certificate extensions.

• Key Usage – critical extension

Only the following attribute values are allowed for this extension in a certificate issued to a Fina QTSA 2017 TSU: "digitalSignature" and "nonRepudiation".

• Subject Directory Attributes – non-critical extension

OID = 1.2.840.113533.7.68, internal value=18.

• Private Key Usage Period – non-critical extension

The Private Key Usage Period field defines the TSU private key validity period of Fina QTSA 2017 service. The time is indicated in UTC format and the contents of the field are encrypted according to IETF RFC 5280. This period is set to 12 months.

• Extended Key Usage – critical extension

The attribute in the extKeyUsage extension specifically defines the use of a Fina QTSA 2017 TSU private key.

In a certificate issued to a Fina QTSA 2017 TSU extKeyUsage extension contains attribute timeStamping (OID: 1.3.6.1.5.5.7.3.8).

• Certificate Policies – non-critical extension

The attributes in this extension contain Fina’s identifier (OID) of the rules under which the Fina QTSA 2017 TSU Certificate was issued.

This extension also contains the URL for the current QTPS applicable in Fina QTSA 2017.

• CRL Distribution Points – non-critical extension

The attributes in this extension contain addresses through which the CRL is available by using the HTTP and LDAP protocols.

• Authority Key Identifier – non-critical extension

The content of this extension’s attribute is a unique identifier of the key used to sign the Fina QTSA 2017 TSU Certificate.

The value of the attribute is a SHA-1 hash of Fina RDC 2015’s public key having a length of 160 bits.

• Subject Key Identifier – non-critical extension

The content of this extension’s attribute is a unique identifier of the Fina QTSA 2017 TSU public key.

The value of the attribute is a SHA-1 hash of Fina QTSA 2017’s public key having a length of 160 bits.

• Basic Constraints – non-critical extension

The values for this extension are:

cA=FALSE



pathLenConstraint=None

• Authority Information Access – non-critical extension

Attribute values must be entered in this extension, but this Fina QTSA 2017 extension must not be critical. The attributes in this extension are:

- the address of Fina OCSP for online verification of Fina QTSA 2017 certificate revocation status,

- the address for certification path verification that may be used to access the certificate of the Fina CA that issued the Fina QTSA 2017 Certificate.

• Qualified Certificate Statements – non-critical extension

esi4-qtstStatement-1

esi4-qtstStatement-5 provide URL to Terms and Conditions of Providing Qualified Electronic Time Stamp Services documents in English and in Croatian language:

https://rdc.fina.hr/pds/PDSqts-en.pdf, en

https://rdc.fina.hr/pds/PDSqts-hr.pdf, hr

7.1.3. Algorithm object identifiers

Algorithms with pertaining OID identifiers for Fina QTSA 2017 TSU certificate are shown in Table 7.1.

Algorithm OID

sha256WithRSAEncryption 1.2.840.113549.1.1.11

rsaEncryption 1.2.840.113549.1.1.1

Table 7.1. Algorithms with Pertaining OID Identifiers

7.1.4. Name forms

Name forms for Subject field in Fina QTSA 2017 certificate:

commonName (CN) Fina QTSA 2017 <incremental number>

organizationIdentifier VATHR-85821130368

organizationName (O) Financijska agencija

countryName (C) HR

7.1.5. Name constraints

The Name Constraints extension is not used.

7.1.6. TSU Certificate Policy object identifier

The Certificate Policies extension of TSU certificate contains the corresponding Fina's OID: 1.3.124.1104.5.12.52.



7.1.7. Usage of Policy Constraints extension

The Policy Constraints extension is not used.

7.1.8. Policy qualifiers syntax and semantics

Policy qualifiers in the extension Certificate Policies contain two pointers in the URI format that contain the website address of this QTPS document in Croatian and English language.

7.1.9. Processing Semantics for the critical Certificate Policies extension

No stipulations. 7.2. CRL profile

CRL profile issued by subordinate Fina RDC 2015 CA is in line with IETF RFC 5280 [14] recommendation.

7.2.1. Version number(s) CRL is compliant to version 2 according to the X.509 specification.

7.2.2. CRL and CRL entry extensions

CRL extensions used in CRL lists and extensions used in entry elements of CRLs that are issued by Fina CAs are defined in Table 7.2.

Extensions Critical Value

crlExtensions

cRLNumber NO Monotonically increasing sequence number for CRL in the form of 20 octets.

AuthorityKeyIdentifier NO 160 bits SHA-1 hash

crlEntryExtensions

reasonCode NO Reason code of the certificate revocation

Table 7.2. Extensions of CRL List and Entry Elements of CRL Lists issued by Fina CAs

7.3. OCSP profile

The Fina OCSP service responder OCSP profile is in accordance with the IETF RFC 6960 recommendation [15].

7.3.1. Version number(s)

The Fina OCSP service responder OCSP profile is in accordance with version 1 according to IETF RFC 6960 [15].



7.3.2. OCSP extensions Fina OCSP service response extensions are given in Table 7.3.

Extensions Critical Value

Nonce NO Nonce value from certificate status request.

Extended Revoked Definition NO Reason code for certificate revocation

Table 7.3. Fina OCSP service response extensions



8. COMPLIANCE AUDIT Supervision over the work of Fina as a Qualified Trust Service Provider is regulated by Regulation (EU) No 910/2014 [1] and Act Implementing Regulation (EU) no. 910/2014 [2], and is carried out by the central state administration authority competent for economic affairs.

Supervision over the work of Qualified Trust Service Providers in the field of collection, use and protection of a Signatory's personal data may also be carried out by government and other bodies determined by law and other rules and regulations governing personal data protection.

Compliance audit is carried out with the aim of confirming that Fina as a Qualified Trust Service Provider and qualified certificates issuance services provided by Fina, meets the requirements stipulated in Regulation (EU) No. 910/2014 [1], Act Implementing Regulation (EU) no. 910/2014 [2] and the standards ETSI EN 319 401 [4] and ETSI EN 319 421 [5].

Fina have implemented a quality management system in line with ISO 9001 standard, and it is in the certification cycle, which means that it meets the requirements of the standard, it has a documented system, defined authorisations, responsibilities and described processes.

Also, Fina have established a continuously supervised, certified and, based on business needs, enhanced own system of information security in line with ISO/IEC 27001 [17] standard.

8.1. Frequency or circumstances of assessment

Compliance audits of Fina PKI operations are external compliance audits and internal compliance audits.

8.1.1. External compliance audit

External compliance audits are carried out at least each 24 months in accordance with the requirements of Regulation (EU) No. 910/2014 [1] and the standard ETSI EN 319 403 [9].

8.1.2. Internal compliance audit

Internal compliance audits are carried out prior to the commencement of providing new Qualified Trust Services, periodically at least each 12 months, and after significant changes to Fina PKI operations.

8.2. Identity/qualifications of assessors

External compliance audits are conducted by a conformity assessment body. The competence of the conformity assessment body and the qualification of the associated assessors is ensured by the accreditation of the conformity assessment body according to the standard ETSI EN 319 403 [9].

Internal compliance audits are conducted by internal compliance assessors who together have knowledge and understanding:

• of the provisions of the standard ETSI EN 319 421 [5], • of PKI areas and information security area, • of legislation in the area of providing Trust Services.



8.3. Assessor's relationship to assessed entity

The conformity assessment body and associated assessors are independent of Fina and Fina's assessment system.

Internal compliance assessors do not assess compliance within their own scope of responsibilities.

8.4. Topics covered by assessment

The topics of compliance assessment include the following areas of providing Trust Services: • integrity and accuracy of documentation, • implementation of requirements for Qualified Trust Services, • organisational processes and procedures, • technical processes and procedures, • implementing information security measures, • trustworthy systems, • physical security at subject locations.

The description of the topics of compliance assessment is defined in the compliance assessment plan.

Fina shall enable the compliance assessor to access all Fina PKI system premises, access to reports of all internal and external compliance audits and to other reports and records within the scope of trust services. Fina shall also enable the compliance assessor to access records and agreements relating to thirds parties, to internal, external and management reports etc. within the scope of trust services.

8.5. Actions taken as a result of deficiency

If non-compliance in providing of Trust Services has been detected, Fina shall undertake the necessary steps to eliminate detected non-compliance, and if applicable within the period set by the supervisory body.

In case of a significant deficiency, Fina shall form a plan of the significant deficiency elimination as soon as possible, and it shall eliminate the deficiency as soon as possible after consulting with the external assessor.

In the event that a significant deficiency has been detected during the provision of trust services and it has not been eliminated within a short notice, Fina shall take the necessary steps to eliminate the deficiency, and, if applicable, within the period set by the supervisory body.

In consultation with the external assessor, Fina shall eliminate smaller deficiencies until the next compliance audit.

Fina shall keep an internal log of the time periods in which the QTSA 2017 service was not working in accordance with this QTPS document with the reasons for non-compliance.



8.6. Communication of results

The results of internal compliance audits are of a confidential nature and Fina does not make these public.

All documents about the internal compliance audit areavailable at request to external assessors carrying out compliance audit in the Fina PKI system.

In the case of external compliance audits, Fina shall forward the report of the external assessor on compliance audit to the supervisory body within three working days from receipt.



9. OTHER BUSINESS AND LEGAL MATTERS

9.1. Fees

Fina, in accordance with the terms and conditions referred to in the concluded time-stamping service agreement, notifies Subscribers and Relying Parties about all services to be charged for. Unless otherwise provided for in a separate agreement, services are charged in accordance with the Fina’s price list. The price list of all charged services is published on the website of the repository referred to in Section 2.2 of this Policy.

Fina reserves the right to price changes. Amendments to the price list are published on the website of the repository referred to in Section 2.2 of this Policy.

Depending on a specific Subscriber request, an extra charge in addition to the fee may apply.

9.1.1. Refund policy

Fina refunds fees to Subscribers in the event of incorrect payment or overpayment.

9.2. Financial responsibility

Fina as a Trust Services Provider possesses financial stability and has at its disposal sufficient financial resources to ensure unhindered provisions of time-stamping services in accordance with this QTPS document.

9.2.1. Insurance coverage

Fina, as a Trust Service Provider, has insured itself against damage liability risks occurring while carrying out Time-Stamping Services.

Fina additionally insures property by means of an insurance policy the covers insurance against the risk of fire, severe weather, floods, explosions, vehicle impact, aircraft fall or impact, demonstrations, insurance of equipment, machinery, electronic and communication devices, installations etc.

9.2.2. Other assets

No stipulations.

9.2.3. Insurance or warranty coverage for end-entities

See Section 9.2.1.

9.3. Confidentiality of business information

9.3.1. Scope of confidential information

Confidential business information includes all data in any form that participants exchange in any way in relation to establishing and providing time-stamping service, and which participants label as



confidential, or as being of a specific type or having a specific level of secrecy, or which are confidential by their nature as their unauthorized disclosure may cause damage to the participant.

Confidential information also include data files, data in any form, system and application documents, operating procedures and plans, internal corporate documents, business processes, internal training materials, records of internal audits, personal data, etc. Confidential information also includes source code, application and system software, and other software within Fina QTSA 2017.

All information relating to how Fina QTSA manages TSU keys and Fina QTSA 2017 is treated as confidential information.

All data relating to how and by which means Fina CAs manage certificates also treated as confidential.

Access to confidential information is allowed to authorized persons on a need-to-know basis.

9.3.2. Information not within the scope of confidential information

Information not within the scope of confidential information includes any business data in any form that participants exchange in any way in relation to establishing and providing time-stamping service, and which participants do not label as confidential, or as being of a specific type or having a specific level of secrecy, or which are not confidential by their nature as their unauthorized disclosure may not cause damage to the participant.

9.3.3. Responsibility to protect confidential information

Each participant is required to protect confidential business information referred to in Section 9.3.1 of this QTPS document that he/she somehow became aware of, in accordance with laws regulating the information protection considering information type and information secrecy type and level. Otherwise, it is held liable for the damage occurred.

9.4. Privacy of personal information

Fina collects personal data of natural persons exclusively for the purposes of registration for the purpose of time-stamp service provision.

Upon concluding a qualified time-stamping service agreement, Subscriber mutually agrees that Fina may use and process data collected in the registration process in accordance with valid legislation, and mutually agree that Fina is be authorized to keep this data for a duration of at least 10 years.

9.4.1. Privacy plan

Fina carries out technical, personnel and organisational protection measures of personal data in accordance with the Act on Personal Data Protection [3] for the purpose of protection of personal privacy and protection of data against possible misuse, and the preservation of the accuracy, completeness and relevance of personal data.

Measures for personal data protection apply during the exchange of Subscriber personal data between the RA network and time-stamping system, and during the keeping and archiving of Subscriber personal data until their extraction from the archive and destruction.



9.4.2. Information treated as private

During and after the Subscriber registration procedure, Fina is authorized to collect personal data required for valid Subscriber identification and other data required for valid time-stamping service provision. Personal data collected by Fina that are not integrated in certificate contents and are not disclosed in public records and/or registries required to be duly maintained for time-stamping service purposes are deemed confidential personal data duly protected by Fina.

9.4.3. Information not deemed private

All personal data collected are deemed confidential.

9.4.4. Responsibility to protect private information

Fina is responsible for the protection of personal data collected for the purpose of providing time-stamping services.

9.4.5. Notice and consent to use private information

Aside from the needs of fulfilling legal obligations or contractual obligations according to qualified time-stamping service agreements, Fina uses or publishes personal data only on the basis of written consent from the Subscriber.

9.4.6. Disclosure pursuant to judicial or administrative process

Fina does not make the data referred to in Sections 9.3.1 and 9.4.2 of this QTPS document available except in cases stipulated by law or when required in writing by the competent court, administrative or other government body.

9.4.7. Other information disclosure circumstances

No stipulations.

9.5. Intellectual property rights

Fina has intellectual property rights over this QTPS document, as well as other Fina documentation published on the website of the repository referred to in Section 2.2. of this Policy.

Fina does not exercise intellectual property rights over the software used in Fina PKI which is owned by third parties.

The Fina QTSA 2017 TSU private keys and the corresponding TSU certificates used for signing electronic time-stamps are property of Fina.

9.6. Representations and warranties

9.6.1. Representations and warranties of Fina as a time-stamping Service Provider

As a provider of qualified electronic time-stamping services (Fina QTSA), Fina is required to provide accurate information of the time incorporated in an electronic time-stamp. The UTC time incorporated in each electronic time-stamp has a accuracy of better than 1 second in relation to the UTC time.



Fina is also required to:

• provide its time-stamping services in accordance with Regulation (EU) No. 910/2014 [1], Act Implementing Regulation (EU) no. 910/2014 [2], and the relevant standardization documents and recommendations referring to it, the Policy [20], this QTPS and other Fina’s documents in connection with the performance of time-stamping services;

• issue time-stamps using equipment compliant with the requirements provided in Section 6.2.1 of this;

• carry out the required security measures for protection of premises and equipment of the time-stamping system;

• ensure the unhindered work and maximum availability of time-stamping services according to best practices;

• publish documents that may be publicly available at http://www.fina.hr/finadigicert; • exercise due diligence in the performance of its time-stamping services; • use in its operations organizational and technical measures for the protection of

data collected from Subscribers when arranging for this service and keep such data in confidence and only use them for purposes within the scope of this QTPS and for additional certification services within the Fina PKI service family;

• comply with the provisions of the Personal Data Protection Act [3] and other regulations relevant to the protection and confidentiality of personal data in the Republic of Croatia;

• not infringe on any intellectual property, license or any other rights; • handle any time-stamping system interruptions or errors as soon as possible; • plan the maintenance and further development of the time-stamping system in

compliance with the applicable standards and technological development.

9.6.2. RA representations and warranties

RA network’s obligations: • carrying out registration and identification procedures for natural persons and

Business Entities in the manner prescribed by this QTPS; • forwarding integral, accurate and verified data about Subjects to Fina QTSA for

further processing; • retention, archiving and protection of data for at least 10 years; • protecting the archived Subscriber data against loss or breach of confidentiality,

integrity and accessibility, as laid down in this QTPS; • notification of the applicant for Fina QTSA 2017 service about the published and

accessible terms and conditions of providing time-stamping services and this QTPS.

9.6.3. Subscriber representation and warranties

The Subscriber is required to:

• at the time of submitting the Time-Stamp Registration Form, provide in such Registration Form accurate and true information and immediately notify Fina as the service provider of any changes thereto;



• validate the Fina QTSA 2017 electronic signature on the time-stamp received and verify the

validity of the Fina QTSA 2017 Certificate;

• securely keep the private key and the corresponding activation data pertaining to the certificate which he uses to access the time-stamping service;

• pay Fina the relevant time-stamping service fee in accordance with the Fina QTSA service pricelist referred to in Section 9.1 of this QTPS.

The Subscriber is required to not request a time-stamp for such data or electronic records whose contents are in violation of the Constitution of the Republic of Croatia, the applicable mandatory regulations or social morality. Otherwise, he is liable to Fina for any damage incurred.

The Subscriber is also required, exercising due diligence, to keep up to date with and receive information on any amendments to this QTPS at http://www.fina.hr/finadigicert in a timely manner.

9.6.4. Relying party representations and warranties

Before relying on an electronic time-stamp, the relying party have to:

• validate the electronic time-stamp signature;

• check on the applicable list of revoked certificates (CRL) or by using the Fina OCSP online service the revocation status of the Fina QTSA 2017 Certificate whose TSU private key was used to sign the electronic time-stamp.

In case a time-stamp is being verified after the validity period of a Fina QTSA 2017 Certificate, the relying party should check on the website of the Fina QTSA 2017 repository referred to in Section 2.2 of this Policy whether or not the TSU private key has been compromised and whether or not the signature cryptographic algorithm and the length of the TSU signature key used to sign the electronic time-stamp are still considered secure.

The relying part is required to comply with the provisions of this QTPS document.

9.7. Responsibilities of participants

9.7.1. Responsibilities of Fina as a Qualified Time-Stamping Service Provider

As a Qualified Time-Stamping Service Provider, Fina is fully responsible for the provision of time-stamping services and for complying with all requirements defined in this QTPS.

Fina is responsible for: • using Fina QTSA 2017 TSU private keys in compliance with the provisions of this QTPS; • proper protection of Fina QTSA 2017 TSU private keys; • immediately terminating the use of a Fina QTSA 2017 TSU private key and acting in

compliance with Section 5.7.3 of this QTPS in case the TSU private key is compromised.

Fina is responsible for ensuring that all requirements relating to the provision of time-stamping services, including procedures pertaining to the issuance of electronic time-stamps, system auditing and security controls, are in compliance with the provisions of this QTPS.

http://www.fina.hr/finadigicert



9.7.2. RA responsibilities

The Fina RA Network is responsible for: • forwarding integral, accurate and verified data about Subjects to Fina QTSA for further

processing; • retention, archiving and protection of data for at least 10 years; • protecting the archived Subscriber data against loss or breach of confidentiality, integrity

and accessibility, as laid down in this QTPS.

9.7.3. Subscriber responsibilities

The Subscriber is responsible for:

• the content of the information or electronic record for which he requests a time-stamp;

• the user application he uses to install the time-stamp and for ensuring its full interoperability with Fina QTSA 2017;

• any damage caused by him by disclosing his private key and/or the corresponding activation data associated with the certificate he uses to access the time-stamping service;

• completeness, accuracy and authenticity of all information provided by him in the Time-Stamping service Request based on which he agreed for the use of the service;

• any violation resulting from his non-fulfillment of any of his obligations set forth in Section 9.6.2 of this QTPS.

If a Subscriber should fail to perform any stipulated obligations, he may be temporarily or permanently denied the time-stamping service and he may forfeit all his rights arisen from the time-stamping service agreement.

9.7.4. Relying party responsibilities

A relying party that, acting in violation of the provisions of this QTPS and failing to perform its obligations set forth in Section 9.6.3 of this QTPS, relies on an invalid time-stamp bears all risks of relying on such electronic time-stamp.

A relying party intending to rely on time-stamps issued by Fina QTSA 2017 should: • ensure that the public key and certificate described in this QTPS are used appropriately

and take into account the prohibitions of their use as described in this QTPS; • check the validity period for all certificates in the certification chain and verify the certificates

according to the certification path validation procedure; • check the Fina QTSA 2017 TSU Certificate revocation status.

The relying party bears all risks of relying on an electronic time-stamp if it is aware of or has reason to believe that there are facts that may cause personal or business loss as a result of using such electronic time-stamp.



9.8. Disclaimer of warranties

Fina is not liable for damage, including indirect damage in the event of an accident, damage in the event of disaster with consequences or for any loss of profit, loss of data or other indirect damage arising out of time-stamp issuing services.

Fina is not liable for damage: • caused by fraudulent or negligent authentication within the Fina time-stamping service; • occurring as a result of a malfunction or error in the Subscriber's and a Relying Party's

software and hardware.

9.9. Limitations of liability

Fina's total financial liability for electronic time-stamps issued according to this Policy and transactions carried out in reliance on certificates issued in such a way amounts to a maximum of HRK 100.000,00.

9.10. Indemnities

Each participant is liable to the damaged party for damages caused by failing to comply with the provisions of this Policy and relevant regulations in force.

The Fina Time-Stamping Service Subscriber is liable to the damaged party or any other participant if it obtains and use the service based on fraudulent data provided in the process of registering for the time-stamping service.

The Relying Party is liable to the damaged party or any other participant if it relies on the issued electronic time-stamp without having checked its validity or uses it contrary to the purposes set out in this Policy and the Certificate Policy under which the certificate was issued.

Fina is only liable to a person relying on an electronic time-stamp issued and Fina QTSA 2017 Certificate if such liability is clearly defined by an agreement, the Policy [20], this QTPS document or the applicable Croatian legislation.

9.11. Term and termination

9.11.1. Term

This QTPS document is valid until a new QTPS document comes into force or until its termination is published. A new document version or published termination of the current version shall be published on the website of the repository referred to in Section 2.2 of this Policy, with an indication of the effective date. The new document shall be assigned a new OID and it shall contain an indication of the modifications made thereto.

9.11.2. Termination

Fina may amend some provisions of the QTPS document in force, as specified in Section 9.12 of this QTPS document.



9.12. Individual notices and communication with participants

Individual communication with participants is primarily conducted through Fina's Call Centre, whose contact details are:

• Call free of charge: 0800 0080

Individual notifications and other official written communication id done using the following contact details:

Contact data for delivery of correspondence to Fina

Mailing address: Fina e-Business Centre, Ulica grada Vukovara 70 10000 Zagreb Hrvatska

E-mail: [email protected]

Fax: +385-1-6304-081

9.13. Amendments

9.13.1. Dispute resolution provisions

This Policy document is revised as required.

Fina may correct spelling mistakes, change contact data and make other minor corrections not materially affecting the participants, without notice to the participants.

All participants may send a letter to the Fina PMA contact address listed in Section 1.5.2 of this Policy, containing a proposal for corrections or for amendments to this document. The letter lists the contact details of the person sending the modification proposal. After consideration, Fina PMA may accept, adjust or reject proposed modifications.

9.13.2. Notification mechanism and period

All amendments to this QTPS document are published in electronic form on the website of the repository referred to in Section 2.2 of this QTPS document.

New versions of the QTPS document with changed OID of the QTPS document are published in electronic form on the website of the repository referred to in Section 2.2 of this Policy.

The effective date of amendments or newly-published QTPS document is indicated on its cover page as well as on the website where it ispublished.

9.13.3. Circumstances under which OID must be changed




Major amendments to the QTPS document that may materially affect the participants shall require the change of QTPS document OID. Fina PMA shall determine the new OID for the new document version.

9.14. Dispute resolution provisions

In the event of a dispute or disagreement between Fina and other participants due to actions and/or procedures regarding provision of time-stamping service regulated by this QTPS document, the participants shall try to reach an amicable solution. Otherwise, the matter shall be resolved by the competent court in Zagreb by application of Croatian law.

Participants may file a complaint to Fina if they believe there exist a discrepancy in the content of services in relation to the published terms and conditions of service provision. Fina shall reply to a complaint. A written complaint is filed in the form of paper or electronic form to addresses specified under Section 9.11 of this QTPS document.

9.15. Governing law

Fina provides Qualified Time-Stamp Services within the scope of this Policy in accordance with the provisions of Regulation (EU) No 910/2014 [1], Act Implementing Regulation (EU) no. 910/2014 [2] and standardization documents ETSI EN 319 401 [4] and ETSI EN 319 421 [5].

9.16. Compliance with applicable law

This Policy and qualified time-stamping services provision covered in this QTPS document is in compliance with the regulations referred to in Section 9.15 of this Policy document.

All participants mutually agree with the application of Croatian law for interpretation of the applied provisions.

9.17. Miscellaneous provisions

Fina publishes Policy [20], this QTPS document and time-stamping services terms and conditions publicaly.

The time-stamping services terms and conditions are communicated through a document in paper form or document in electronic form whose integrity is protected.

Before concluding a qualified time-stamping service agreement, Subscribers are informed about time-stamping services terms and conditions. Acceptance of the time-stamping services terms and conditions is a prerequisite for electronic time-stamp issuance.

Before concluding a time-stamping services service agreement, Subscribers are informed about time-stamping services terms and conditions.