ROAD ACCIDENT FUND REGISTRATION AUTHORITY CHARTER

STANDARD POLICY

VERSION: 2.0

EFFECTIVE DATE: 11 OCTOBER 2010

L@Wtrust

RAF Registration Authority Charter, Version 2.0, applicable from 11 October 2010

ROAD ACCIDENT FUND, 38 Ida Street, Menlo Park, SOUTH AFRICA, 0081

Phone +27 (0)12 429 5000, Fax +27 (0)11 429 5500, Website: http://www.raf.co.za/

Table of Contents

Introduction

Index of Acronyms

Scope

Appointment

Document Name and Publication

Applicant and Subscriber

Domain of Use (Eligibility for Certification)

Purpose of Certification

Ownership of Charter

Private Key Infrastructure Hierarchy

Certificate Content

Application for a RAF Certificate

Advising on the Outcome of the Application

Process of Enrolment and Request Verification

Certificate Use Verification

Acceptance of Certificate

Revocation of Certificates

Revocation Processes

RAF Certificate Suspension

RAF Certificate Renewal & Re-key

RAF-RA Annual Audit

References

Introduction

Road Accident Fund is focussed on administering the system of compensation defined in the Road Accident Fund Act (Act no 56 of 1996) in a manner that is timeous, cost effective and appropriately delivers on their mandate.

In order to deliver on their strategic objectives, Road Accident Fund will make use of technology solutions in the electronic environment including the Internet and Information Systems. Road Accident Fund needs to provide their employees, contractors, suppliers and clients with a secure electronic environment to facilitate the exchange of information and documents, electronic communications, and a secure user community. In order to preserve high levels of confidentiality and integrity in this public medium, and to align with the regulations and provisions of the Electronic Communications and Transactions Act, Road Accident Fund has chosen to use an internationally established standard in secure communication, namely, the Entrust Public Certification Services.

The terms contained in this Charter are subject to the terms and conditions contained in the L@Wtrust Certification Practice Statement. Combined, this Charter and the L@Wtrust Certificate Practices Statement specify the digital certification process and provide the required trust in Road Accident Fund as a digital certificate issuer. All persons are required to adhere to the terms and conditions contained in the L@Wtrust CPS as well as any other requirements imposed by Road Accident Fund that do not conflict with the L@Wtrust Certificate Practices Statement.

Index of Acronyms

The following acronyms will be used throughout this document:

CA: Certificate Authority

CPS: Certificate Practices Statement

PA: Policy Authority

RAF: Road Accident Fund

RAF-RA: Road Accident Fund Registration Authority

Scope

This document is part of the RAF Information Security Management System and is applicable to RAF as well as to all parties taking part in the RAF digital certification process. The RAF IT Security Manager is the final authority on all RAF IT related security within the RAF sphere of IT operations.

Appointment

L@Wtrust appoints the RAF as a Registration Authority (RAF-RA) to:

1. Accept applications for RAF Certificates.

2. Perform authentication of identities and verification of information submitted by applicants when applying for the issuance of a digital certificate by the L@Wtrust CA in terms of the provisions of this Charter, which has been approved by the L@Wtrust PA.

3. Where such authentication and verification is successful, submit the request to the L@Wtrust CA, in accordance with the provisions of this Charter and the L@Wtrust CPS.

The RAF-RA is appointed exclusively for the purposes of authenticating the identity and verifying supporting and ancillary information of applicants using the services provided by RAF.

Document Name and Publication

This document is called the Road Accident Fund Registration Authority Charter. The latest and authoritative version of the Charter may be accessed at the L@Wtrust website https://www.lawtrust.co.za/repository.

Applicant and Subscriber

In this Charter a natural person applying for a RAF Certificate shall be described as an “applicant” until the application for the RAF Certificate has been granted. Once a RAF Certificate has been issued the natural person to whom it has been issued shall be referred to as a “subscriber”.

Domain of Use (Eligibility for Certification)

RAF employees and third-party suppliers of services and products to the RAF can be digitally certified under the following conditions:

1. The subscriber has an existing or potential business relationship with RAF.

2. The subscriber has a valid e-mail account.

3. The subscriber has a valid cellular phone number.

4. The subscriber is in good standing with RAF.

5. The subscriber is fully aware of the responsibilities regarding the care and use of digital certificates and keys (as contained in the L@Wtrust CPS, this Charter, RAF Certificate Acceptable Use Agreement and any other RAF governance policies).

Purpose of Certification

Digital certification is to be used to provide the subscribers with trusted identity credentials for, amongst other uses:

1. Secure e-mail.

2. Digital signature capability to send and receive secure e-mail to and from the Internet.

3. Authentication to RAF business systems.

4. File encryption.

5. Digitally sign documents or transactions.

The above will ensure authentication, privacy, message integrity and non-repudiation. The subscriber may only use the RAF digital certificate for legitimate business purposes.

Ownership of Charter

The RAF IT Security Manager is responsible for the upkeep of this Charter. Changes to this Charter are to be authorised by the RAF IT Security Manager and approved by the L@Wtrust PA.

The RAF IT Security Manager takes full responsibility for the upkeep and content of this Charter, but limits its liability to the use of this Charter as described in the L@Wtrust CPS, this Charter and any other RAF governance policies.

The day to day business operations related to certificate lifecycle would be executed by the RAF Management.

The technical operations related to certificate lifecycle would be executed by the RAF Governance Risk & Architecture Department.

Private Key Infrastructure Hierarchy

The trust hierarchy is as follows:

• Entrust.net (2048) – Secure Server Certification Authority – Root Certification Authority

• LAWtrust2048 CA – Local Certification and Issuing Authority

• RAF-RA – Local Registration Authority

The root key hierarchy is as follows:

• Entrust.net – Secure Server Certification Authority – ROOT CA

• LAWtrust2048 CA (RAF Certificates to be signed by this CA) – ISSUING CA

Certificate Content

• Common Name (Surname & First Name)

• RAF User ID

• E-mail address

• Issuing Authority: LAWtrust2048 CA

• Organisation: Road Accident Fund RA

Application for a RAF Certificate

The RAF-RA shall be entitled to accept and process applications for natural persons for the issue of a RAF Certificate.

The RAF Senior Security Manager or delegate of the RAF Senior Security Manager, appointed by the RAF-RA, shall require from the natural person applicant:

• A duly completed and signed RAF Certificate Request Form authorised by a RAF Line Manager.

• A duly completed and signed RAF Certificate Acceptable Use Agreement.

• Copy of the applicant’s ID, Passport or Driver’s License.

The RAF Physical Security Manager shall perform the following:

• Physical verification of the applicant’s identity with face-to-face verification against the user’s ID, Passport or Driver’s License and the submitted RAF Certificate Request Form.

• Approve the RAF Certificate Request Form.

• Scan in the RAF Certificate Request Form, digitally sign the scanned form and send the form via e-mail to the RAF-RA Certificate Administrator.

• Forward hardcopies of the Certificate Application documentation to the RAF-RA archive.

The RAF-RA shall retain the application together with all of the documentation relevant to the authentication of the identity of the applicant as well as the verification of supporting information securely, in conformance with the requirements of the L@Wtrust Policy Authority, at the outsourced archive at MetroFile for a period of 3 (three) years after the expiry or revocation of the RAF Certificate.

Advising on the Outcome of the Application

If the application (new certificate creation, certificate revocation or certificate suspension) is refused, the RAF-RA shall give the applicant notice of the refusal by the RAF-RA to issue a certificate to the applicant. The notice shall be addressed to the e-mail address provided in the application, failing which in the manner deemed most expedient by the RAF-RA, and shall provide the reasons for the refusal. If the application is granted, the RAF-RA will, within 10 (ten) days of the receipt of the application by the RAF-RA, advise the applicant by notice addressed to the e-mail address provided in the application.

Process of Enrolment and Request Verification

Online electronic enrolment will be done and the following enrolment fields are compulsory:

1. CN = Full Name (First name & surname)

2. Serial Number = RAF User ID

3. E = E-mail Address

4. O = Road Accident Fund

The RAF-RA Certificate Administrator, who falls under the authority of the RAF Governance Risk & Architecture Department, will perform the following steps to issue a certificate:

1. Receive a request (RAF Certificate Request Form), which has been authorised.

2. Register the subscriber and create the reference code and authorisation code on the Certificate Management System.

3. Inform the subscriber via e-mail, at the e-mail address supplied on the RAF Certificate Request Form, that a certificate has been issued. This e-mail will contain the reference code that will be required to initiate the download of the certificate. The authorisation code that is required to complete the download of the certificate will be sent via email to the RAF Physical Security Manager or his delegated representative who will subsequently provide the code to the subscriber.

4. Create and send the SMS and e-mails containing the relevant information.

5. The RAF-RA Certificate Administrator shall, if required by the subscriber, provide telephonic assistance to the subscriber in the activation of the RAF Certificate.

Certificate Use Verification

• The certificate validity can be verified in the L@Wtrust CRL [website: http://crl.lawtrust.co.za/lawtrust.crl].

• The CRL profile will be a full CRL.

• The certificate is valid for a maximum period of one year from date of issue.

Acceptance of Certificate

After the issuance of the RAF Certificate and notification addressed to the subscriber, the subscriber shall check that the content of the RAF Certificate is correct.

Unless notified to the contrary by the subscriber of any inaccuracies in the RAF Certificate, the RAF Certificate shall be deemed to have been accepted by the subscriber and the information contained in the RAF Certificate deemed to be accurate.

Revocation of Certificates

RAF Certificates may be revoked under authority from the RAF IT Security Manager under the following circumstances:

1. Subscriber’s request.

2. Subscriber’s formal relationship with RAF ends.

3. Subscriber’s role change in RAF (certificate requirement no longer necessary).

4. Any changes in information contained in the RAF Certificate issued to the subscriber.

5. Breach by subscriber of any terms of the L@Wtrust CPS or the RAF Acceptable Use Agreement entered into with the subscriber.

6. Loss, compromise, or suspected compromise, of a subscriber’s private key or workstation.

7. Issue or use of the certificate not in accordance with the L@Wtrust CPS.

8. The L@Wtrust CA or Entrust CA expires.

9. Any other reason that the L@Wtrust CA or the RAF-RA reasonably believes may affect the integrity, security or trustworthiness of a RAF Certificate.

Revocation Processes

A RAF Certificate Revocation Request (RAF Certificate Request Form) may be submitted by a subscriber, the RAF-RA or the LAWtrust2048 CA if any of the above occurs. The RAF-RA shall authenticate a request for revocation of a RAF Certificate and, upon verification, send a revocation request to the LAWtrust2048 CA. The LAWtrust CA shall, within 24 hours of receiving a revocation request, post the serial number of the revoked RAF Certificate to the CRL in the L@Wtrust repository. The RAF-RA shall make a commercially reasonable effort to notify the subscriber by e-mail if the subscriber’s RAF Certificate is revoked. Revocation of a RAF Certificate shall not affect any of the subscriber’s contractual obligations under the L@Wtrust CPS or the RAF Acceptable Use Agreement entered into by the subscriber.

RAF Certificate Suspension

The RAF-RA may suspend a RAF Certificate if:

1. The subscriber is not in good standing with the RAF-RA or LAWtrust2048 CA.

2. The subscriber fails to adhere to the provisions of the L@Wtrust CPS or the RAF RA Charter.

3. Temporary suspension of the subscriber’s role that requires the use of a RAF Certificate.

The RAF-RA may request the LAWtrust2048 CA to suspend a RAF Certificate (RAF Certificate Request Form) without prior notice to the subscriber. The RAF-RA shall make a commercially reasonable effort to notify the subscriber of the suspension by sending an e-mail to the e-mail address provided in the certificate application.

RAF Certificate Renewal & Re-key

The RAF Certificate will be renewed on the approach of the expiry date for the certificate. This renewal process will be automated and will only require the subscriber to confirm the renewal process. During the certificate renewal request the subscriber will undergo a re-key and the new public key information will be included in the new certificate. As the subscriber will be logged into the certificate profile no further verification of the subscriber details will be required.

RAF-RA Annual Audit

The RAF-RA shall be audited once per calendar year for compliance with the practices and procedures set out in this Charter and the L@Wtrust CPS. If the results of an audit report recommend remedial action, the RAF-RA shall initiate corrective action within 30 (thirty) days of receipt of such audit report. Failure by the RAF-RA to implement corrective actions will result in the termination of the RAF-RA by the LAWtrust2048 CA.

References

1. All RAF Related Legislation

2. ECTA (Electronic Communications and Transactions Act No. 25 of 2002)

3. ISO 17799:2005 & 27001:2005 – Information Technology – Code of Practice for Information Security Management

4. SANS 21188: Public key infrastructure for financial services - Practices and policy framework

5. RAF Certificate Request Form

6. RAF Acceptable Use Agreement

7. L@Wtrust Certificate Practices Statement (https://www.lawtrust.co.za/repository)