This policy is effective April 26, 2004 and supersedes the Policy on Public Key Infrastructure Management in the Government
of Canada of May 27, 1999. The short title of this policy is Government PKI Policy.
This policy applies to all Departments listed in Schedule I, Schedule I.1 and Schedule II of the Financial Administration Act
(FAA).
It also applies to:
1. Any commission under the Inquiries Act that is designated by order of the Governor in Council as a Department for the
purposes of the FAA.
2. The Canadian Forces, with the proviso that any reference in this policy to employees
does not include members of the armed forces.
Other agencies and crown corporations can enter into arrangements with the Treasury
Board of Canada Secretariat to adopt the requirements of this policy and apply them to their organization.
Those departments, commissions, agencies, crown corporations and the Canadian Forces who are subject to, or adopt, this policy
are hereafter referred to as "Departments".
The Government of Canada has chosen to use Public Key technology as the preferred means of electronically authenticating the
identity of individuals and of documents. Public key infrastructures, based on principles associated with public key
cryptography, permit the encryption of data and the use of digital signatures to enable and facilitate secure electronic business.
One component of a Public Key Infrastructure is a Certification Authority - an Entity trusted to issue a public and private key
pair to a particular individual or Entity. The Certification Authority will issue keys; revoke keys when the confidentiality of a
private key may have been compromised; and provide notice as to those key pairs that have been revoked.
For the purposes of this policy:
Accreditation Authority (Autorité d'accréditation) - means an individual within a
Department with the authority to permit an Entity to operate one or more Certification Authorities within that Department and to
accept the associated residual risk. The Chief Information Officer of the Government of Canada is responsible for
the Accreditation of the Canadian Federal Public Key Infrastructure Bridge and any Common Certification Authorities.
Authentication (Authentification) - means the act of verifying (i) the validity of the identity of an individual or an Entity,
or (ii) the integrity of data in electronic form.
Authorization (Autorisation) - means the act of providing, or verifying, permission
for an individual or Entity to do or have something, including accessing, approving or modifying data held in electronic form.
Canadian Federal Public Key Infrastructure Bridge (Charnière fédérale canadienne de l'Infrastructure à clé publique) - means a
Certification Authority that, under the direction of the Policy Management Authority, signs and manages cross-certificates
with Departmental or Common top-level Certification Authorities and non-Government of Canada Certification Authorities. The
Canadian Federal Public Key Infrastructure Bridge does not manage Employee or Subscriber certificates but does facilitate
"interoperability" by acting as a bridge between Departmental or Common Certification Authorities within the Government of Canada
Public Key Infrastructure and between the Government of Canada Public Key Infrastructure and Certification Authorities outside
the Government.
Certification Authority (Autorité de certification) - means an Entity that is responsible for the operation of one or more
servers used for the issuance and management of Public Key Certificates and Certificate Revocation Lists.
Certificate Policy (Politique de certification) - is a named set of rules that
indicates the applicability of a public key certificate to a particular community and/or class of application with common security
requirements. It indicates whether or not the public key certificate is suitable for a particular application or purpose. A
Certification Authority may adopt more than one Certificate Policy.
Certification Practice Statement (Énoncé de pratiques de certification) - means a comprehensive statement of the mechanisms and
procedures that a Certification Authority employs in issuing and managing Public Key Certificates in compliance with one or more
Certificate Policies. If a Certification Authority adopts more than one Certificate Policy, the Certification Practice Statement
must either contain, or point to other sources that contain, sufficient information to demonstrate how the requirements contained
within the Certificate Policies are being met.
Certificate Revocation List (Liste de certificats révoqués) - means a list of
Public Key Certificates issued but revoked by a Certification Authority before their natural expiration time.
Chief Information Officer (Dirigeant principal de l'information) - means the Chief
Information Officer for the Government of Canada.
Cross-Certificate (Cocertificat) - means a certificate used to establish a trust
relationship between two Certification Authorities.
Cross-Certification (Cocertification) - means a process undertaken by Certification
Authorities to establish a trust relationship. The Certification Authorities exchange cross-certificates and enable users of
certificates issued by one Certification Authority to interact electronically and securely with users of certificates issued by
the other. When two Certification Authorities are cross-certified, they agree to trust and rely upon each other's Public Key
Certificates and keys as if they had issued them themselves.
Digital Signature (Signature numérique) - means a result of a transformation of data by means of a cryptographic key system
such that an individual or Entity who receives the initial data can determine whether the transformation was created using
the key that corresponds to the key of the individual or Entity that performed the transformation; and whether the data has been
altered since the transformation was made.
Entity (Entité) - means an association of two or more individuals, a corporation,
partnership, trust, joint venture or other form of organization.
Employee (Fonctionnaire) - means any individual employed by a Department and, for
greater certainty, does not include Subscribers.
Key (Clé) - means a sequence of symbols that control digital signature and
encryption processes.
Operational Authority (Autorité opérationnelle) - means an individual within a
Department assigned responsibility for the management of one or more Certification Authorities operated by that Department.
Pilot Project (Projet pilote) - means a small-scale test of processes and procedures
to be used on a larger scale if such processes and procedures are demonstrated to be successful in practice.
Policy Management Authority (Autorité de gestion des politiques) - means the committee consisting of the Chief Information
Officer, Departmental representatives and other appointees constituted to serve as the Government of Canada Public Key
Infrastructure Policy Management Authority.
Public Key Certificate (Certificat de clé publique) - means the public key of a user, together with other information,
digitally signed with the private key of the Certification Authority that issued it. The certificate format is in accordance with
the International Telecommunications Union - Telecommunications Standard Sector (ITU-T) Recommendation X.509.
Public Key Infrastructure (Infrastructure à clé publique) - means a set of
policies, processes, server platforms, software and workstations used for the purpose of issuing and managing certificates and
keys.
President (Président) - means President of the Treasury Board of Canada.
Registrar of Repositories (Registraire des dépôts) - means, for federal government repositories, Public Works and Government
Services Canada or any other entity appointed by the Standards Council of Canada for the performance of the functions of Canadian
Open Systems Interconnection Registration Authority.
Relying Party (Partie utilisatrice) - means an individual or Entity, other than the
holder of the Certificate, who acts in reliance on a Certificate signed by a Certification Authority to verify a digital signature
or encrypted data.
Repository (Dépôt) - means a system for storing and accessing certificates or
other information relevant to certificates. An X.500 directory is an example of a repository.
Secretary (Secrétaire) - means the Secretary of the Treasury Board of Canada.
Service Provider (Fournisseur de services) - means an individual or Entity that
offers services in connection with one or more aspects of the operation of a Certification Authority. A Service Provider may be a
Department or a private sector entity.
Subscriber (Abonné) - means an individual or Entity, who is not an Employee, to
whom a certificate is issued.
It is government policy to promote and manage the use of public key cryptography, as a component of the government's common
information management and information technology infrastructure, in order to:
1. Support Government objectives with respect to service transformation and improvement;
2. Facilitate and promote, for the business of the Government of Canada, the implementation and use of Public Key
Infrastructures as the preferred means of authenticating the identity of individuals and documents;
3. Promote and enable the use of Common Certification Authorities;
4. Enable and encourage co-operation and collaboration between government Certification Authorities and, on their behalf,
between the government and other Certification Authorities within Canada and internationally; and
5. Encourage the development and use of open standards for commercial products that use public key cryptography.
A Department, other than a Department that uses a Service Provider, before it issues any Public Key Certificates (including
cross-certificates), must:
1. Establish a Certification Authority;
2. Ensure that its Certification Authority:
(a) Manages the Public Key Certificates and Certificate Revocation Lists it issues by,
(i) Implementing one or more Certificate Policies and a Certification Practice Statement with respect to the operation of that
Certification Authority; and
(ii) Ensuring compliance with its Certificate Policy(ies) and Certification Practice Statement(s) by any individual or
Entity acting on its behalf
(b) In applicable Certificate Policies, acceptable use policies or subscriber agreements advises Subscribers and Employees as
to the respective rights and obligations of the Certification Authority, Subscribers and Employees.
In addition to the foregoing, a Department, issuing Public Key Certificates (including cross-certificates) outside the
Department, must cross-certify with the Canadian Federal Public Key Infrastructure Bridge and declare annually to the Policy
Management Authority that its operations comply with its Certificate Policy(ies) and Certification Practice Statement
requirements.
A Department must designate one or more officials as the Operational Authority for each Certification Authority the Department
operates or employs, who will provide information and/or documentation to the Government of Canada Policy Management Authority,
when requested to do so, as to any aspect of the operation of the Certification Authority.
The Policy Management Authority may designate one or more Departmental Certification Authorities as a Common Certification
Authority for the purposes of issuing Public Key Certificates on behalf of other Departments.
A Common Certification Authority must:
1. Operate under the direction of and be accountable to the Policy Management Authority;
2. Cross-certify through the Canadian Federal Public Key Infrastructure Bridge; and
3. Only operate using Certificate Policies and Certification Practice Statements approved by the Policy Management Authority as
well as agreements and policies meeting terms and conditions, if any, stipulated by the Policy Management Authority.
A Department may procure some or all of the services associated with the operation of a Certification Authority from a Common
Certification Authority.
A Department operating a Common Certification Authority may procure some or all of the services associated with the operation
of a Common Certification Authority.
The Communications Security Establishment shall operate the Canadian Federal Public Key Infrastructure Bridge. The Canadian
Federal Public Key Infrastructure Bridge, for the purposes of cross-certification or recognition of Certification Authorities,
serves as the Government of Canada's Bridge Certification Authority.
The Canadian Federal Public Key Infrastructure Bridge must only adopt Certificate Policies and a Certification Practice
Statement approved by the Policy Management Authority.
The Canadian Federal Public Key Infrastructure Bridge:
1. Signs and manages the cross-certificates it issues to:
(a) Departmental or Common Certification Authorities; and
(b) Non-Government of Canada Certification Authorities;
2. With respect to the Government of Canada Public Key Infrastructure, advises the Policy Management Authority regarding
compliance with Infrastructure technical requirements.
A Department may procure some or all of the services associated with the operation of a Certification Authority from a Service
Provider.
A Department procuring such services must ensure that:
1. Such policies and practices of the Service Provider deemed relevant by the Policy Management Authority, including
Certificate Policies or Certification Practice Statements, adhere to criteria established by the Policy Management Authority;
2. Subject to law, all copies of private confidentiality keys, Public Key Certificates and all information collected,
maintained or held by a Certification Authority with respect to the issuance, distribution and management, including revocation,
of private keys and Public Key Certificates, will be maintained only in Canada or on the premises of
Canadian diplomatic and consular missions abroad.
3. Any agreement with a Service Provider complies with the requirements of government policy and statutes for contracts for
services and contains such minimum terms and conditions as may be established from time to time by the Policy Management Authority.
4. Any agreement has the appropriate data protection/privacy provisions when personal information is collected, used,
disclosed, or retained.
A Department that has certificates issued on its behalf or that operates a Certification Authority that issues Public Key
Certificates is a member of the Government of Canada Public Key Infrastructure.
A Department that is a member of the Government of Canada Public Key Infrastructure may be represented on the Policy Management
Authority. Membership in the Policy Management Authority must consist of:
1. The Chief Information Officer, as Chair;
2. A Deputy Chair, appointed by the Chief Information Officer;
3. The Operator of the Canadian Federal Public Key Infrastructure Bridge;
4. Each Department operating a Common Certification Authority;
5. Each Department operating a Certification Authority which has cross-certified with the Canadian Federal Public Key
Infrastructure Bridge; and
6. Such Departmental representatives, if any, appointed to serve as Members-at-Large.
Deputy Heads of the Departments in question must name the Departmental representative to serve on the Policy Management
Authority.
Each Department represented on the Policy Management Authority, regardless of the number of Certification Authorities it
operates, shall have one vote.
The Chair and Deputy Chair shall each have a vote. Voting privileges may not be assigned. The Policy Management Authority shall
establish quorum requirements, rules of procedure and terms of reference consistent with the responsibilities assigned in this
Policy and may assign duties and functions to an Executive Committee, drawn from its members, with responsibilities as determined
by such Terms of Reference as may be established and amended from time to time by the Policy Management Authority.
6.6.1 Cross-Certification or Recognition
A Department operating a Certification Authority or Common Certification Authority that wishes to cross-certify with a
Certification Authority outside the Department may only do so as a member of the Government of Canada Public Key
Infrastructure. Unless authorized by the Treasury Board of Canada, cross-certification with a Certification Authority must occur
only through the Canadian Federal Public Key Infrastructure Bridge.
The President may in his or her discretion, and upon recommendation of the Secretary, recognize a Certification
Authority outside the Government, where it is not appropriate on policy or technical grounds for a cross-certification to be initiated.
The President, pursuant to authority provided by Order in Council, may enter into or terminate any such agreement or
arrangement. Before recognizing a Certification Authority, the President shall verify that it has the capacity to issue
certificates in a secure and reliable manner within the context of paragraphs 48(a) to (d) of the Personal
Information Protection and Electronic Documents Act S.C. 2000, c. 5. Such Certification Authorities that are recognized
by the President of the Treasury Board shall be listed on the website of the Treasury Board of Canada Secretariat.
Cross-certification with, or recognition of, a Certification Authority outside of the Government must only be done following
the execution of an agreement or arrangement between the Government and the operator of the Certification Authority.
The Secretary shall provide a recommendation to the President as to the appropriate form and content of such an agreement or
arrangement.
The Policy Management Authority shall advise the Secretary as to the form and content, including appropriate terms and
conditions, of any proposed agreement or arrangement.
Where a Department has established a Certification Authority that has cross-certified with the Canadian Federal Public Key
Infrastructure Bridge and intends to cross-certify that Certification Authority with another of its Certification Authorities that
has not cross-certified with the Canadian Federal Public Key Infrastructure Bridge, then the Department must inform the Policy
Management Authority. Where the Policy Management Authority is of the opinion that this cross-certification may adversely affect
the Government of Canada Public Key Infrastructure, then the Policy Management Authority may take appropriate action, including
downgrading or revoking the cross-certificate of the Certification Authority that has cross-certified with the Canadian Federal
Public Key Infrastructure Bridge.
6.6.2 Exemption from Cross-Certification
Each time a Department proposes to have one or more of its Certification Authorities cross-certify with a Certification
Authority outside the Department ("external Certification Authority"), it may apply to the Treasury Board of Canada for
an exemption from the requirement to cross-certify with that external Certification Authority through the Canadian Federal Public
Key Infrastructure Bridge.
A Department that issues Public Key Certificates outside the Department for a specified purpose may apply to the Treasury Board
of Canada for an exemption from the requirement to cross-certify with the Canadian Federal Public Key Infrastructure Bridge.
Any request to exempt a Certification Authority from the requirement to cross-certify with the Canadian Federal Public Key
Infrastructure Bridge must indicate facts that:
1. the request for an exemption has a purpose that substantially meets the policy statement set out in Section 5 and
2. the operational or policy requirements of the Government of Canada would not be prejudiced if the Certification Authority in
question does not exchange cross-certificates with the Canadian Federal Public Key Infrastructure Bridge.
Certain classes of Certification Authorities are specifically exempt from a requirement to cross-certify through the Canadian
Federal Public Key Infrastructure Bridge and Departments need not make an application for an exemption to the Treasury Board of
Canada.
These classes consist of Certification Authorities:
1. Operating in a closed environment where there is no need for Subscribers to interact with other Subscribers or Relying
Parties outside the domain of the Certification Authority and where it can be demonstrated that there is no benefit from
cross-certifying with the Canadian Federal Public Key Infrastructure Bridge; or
2. Operating for reasons of national security where it can be demonstrated that there is no benefit from cross-certifying with
the Canadian Federal Public Key Infrastructure Bridge;
3. Established as Pilot Projects, provided that such Certification Authorities must cross-certify with the Canadian Federal
Public Key Infrastructure Bridge no later than the second anniversary of the date that they first issue certificates for use in
applications; or
4. Operated by or on behalf of Statistics Canada solely to safeguard data collected under the authority of the Statistics Act.
The Policy Management Authority will determine whether a Certification Authority falls within an
enumerated class for the purposes of exemption from a requirement to cross-certify through the Canadian Federal Public Key Infrastructure Bridge.
The Policy Management Authority may request the Treasury Board of Canada to designate other classes for exemption.
A Department, when it issues or causes to be issued Public Key Certificates to Subscribers, must:
1. Develop, implement, and communicate, or cause to be communicated to such Subscribers, the terms and conditions for the
appropriate use of and reliance on Public Key Certificates; and
2. Obtain, or cause to be obtained, their signed agreement, in written or electronic form, to the terms and conditions.
Departments must, in the establishment of terms and conditions of use by Subscribers, include such minimum terms and conditions
of use as established from time to time by the Policy Management Authority.
A Department, before it issues or causes to be issued Public Key Certificates to employees for use in their employment, must
develop, implement, and communicate to those employees, policies and procedures concerning the use of such certificates. In
establishing such policies and procedures, Departments shall consider relevant business, operational and legal requirements and
include such minimum terms and conditions of use as established from time to time by the Policy Management Authority.
A Department that establishes a Certification Authority must ensure that:
1. Its Public Key Certificates and Certificate Revocation Lists are published in a Repository that is accessible for the
purposes of verifying the validity of such lists;
2. Any information concerning its Public Key Certificates and Certificate Revocation Lists in the Repository is current,
accurate and conforms to the requirements of applicable Certificate Policies; and
3. The Repository:
(a) Conforms to such standards established, or designated as applicable, by the Policy Management Authority;
(b) Is interoperable with other repositories associated with Certification Authorities subject to this Policy; and
(c) Is registered with the Registrar of Repositories.
A Department must establish policies and procedures to manage information created in the course of its operation of a
Certification Authority. Such information includes personal information about Employees, Subscribers and Relying Parties, and must
be managed in accordance with the Privacy Act, the Access to Information Act and, to the extent applicable, with the Library and
Archives Act and other relevant government legislation and policies.
A Department must retain a copy of Employees' private confidentiality keys for data recovery purposes; notify Employees that
their private confidentiality keys are backed up; and, notify Employees when the Department accesses their private confidentiality
keys.
A Department must not:
1. Back up the private confidentiality keys of Subscribers without their consent;
2. Access or disclose the private confidentiality keys of Subscribers except with their prior consent, or where required by law
or judicial authorization; or
3. Retain or have retained, under any circumstances, a copy of private digital signature keys. For the purposes of the Policy,
storage of private digital signature keys on Departmental servers but under the control of the Subscriber or Employee is not
retention by a Department.
A Department may, in the management and use of Public Key Certificates, engage in such practices as import, export or
replication of public keys or the replication of Public Key Certificates. Such practices have both initial and residual risks and
a Department must actively manage the risk associated with such activities.
In the adoption of one or more Certificate Policies governing Public Key Certificates issued by a Certification Authority it
operates, a Department must:
1. Establish and communicate, or cause to be communicated, to relevant parties, including Subscribers and Relying Parties, any
limits for any judgement, award or settlement made against it by reason of the use of such Public Key Certificates;
2. Where it is a member of the Government of Canada Public Key Infrastructure, comply with the procedures and rules as
established from time to time to determine the allocation of financial responsibility and accountability for any judgement, award
or settlement among such members.
The Treasury Board of Canada Secretariat shall monitor compliance with this Policy through reports provided by Operational
Authorities to the Policy Management Authority.
Where not otherwise described in this Policy, the following states the respective responsibilities of those within the
Government responsible for the management of, generally, authentication using Public Key Certificates and, specifically, the
Government of Canada Public Key Infrastructure.
7.1.1 President of the Treasury Board
Pursuant to authority provided by Order in Council, the President, on the recommendation of the Secretary,
is responsible for entering into and terminating written agreements or arrangements for cross-certification with, or recognition
of, Certification Authorities outside the Government.
7.1.2 Secretary, Treasury Board of Canada Secretariat
The Secretary is responsible for establishing and coordinating direction and policy within the Government for authentication
management using Public Key Certificates.
With respect to authentication management using Public Key Certificates, the Secretary carries out this responsibility by:
1. Recommending to the President the terms and conditions of cross-certification or recognition agreements or arrangements, and
the withdrawal from, or termination of, cross-certification or recognition arrangements;
2. Identifying requirements and recommending policies for adoption by Treasury Board of Canada;
3. Providing advice to the Treasury Board of Canada and Departments; and
4. Establishing and maintaining the Policy Management Authority for the Government of Canada Public Key Infrastructure.
7.1.3 Chief Information Officer for the Government of Canada
The Chief Information Officer:
1. Serves as Chair of the Policy Management Authority;
2. Appoints a Deputy Chair of the Policy Management Authority and selects Departments to be represented by Members-at-Large;
3. Is responsible for the Accreditation of the Canadian Federal Public Key Infrastructure Bridge and Common Certification
Authorities; and
4. Supports the Secretary and the Policy Management Authority with respect to their respective responsibilities for the
direction and management of the Government of Canada Public Key Infrastructure.
The Policy Management Authority is responsible to the Secretary for the direction and management of the Government of Canada
Public Key Infrastructure. It makes recommendations to the Secretary with respect to membership in the Government of Canada Public
Key Infrastructure and the cross-certification or recognition of Certification Authorities.
The Policy Management Authority carries out its responsibility by:
1. Advising the Secretary on recommendations to the President concerning cross-certification or recognition agreements or
arrangements including the withdrawal from, or termination of, such agreements or arrangements;
2. Designating one or more Departments to act as Common Certification Authorities;
3. Establishing policies, procedures (including registration procedures) and operating standards for Common Certification
Authorities;
4. Establishing and approving appropriate mechanisms, controls and reporting structures, including operational standards and
guidelines, for the management of the Canadian Federal Public Key Infrastructure Bridge and Certification Authorities within the
Government of Canada Public Key Infrastructure;
5. Where required, directing the Canadian Federal Public Key Infrastructure Bridge to issue, downgrade or revoke
cross-certificates;
6. Representing the Government with external organizations for any purpose related to the promotion of authentication using
Public Key Certificates and the better operation of the Government of Canada Public Key Infrastructure, including participation in
other Bridge Certification Authorities operated by or with entities outside the Government;
7. Establishing and approving Certificate Policies for the Canadian Federal Public Key Infrastructure Bridge or any Common
Certification Authorities and making them available for use by Departmental Certification Authorities;
8. Administering the Electronic Authentication and Authorization Policy,
or any successor policy, to the extent it applies to the management and use of Public Key Certificates and keys by Departments;
9. Appointing decision-makers in the event of disputes between Certification Authorities, and establishing dispute resolution
procedures;
10. Ensuring government-wide interoperability with respect to authentication using Public Key Certificates;
11. Ensuring the Government of Canada is informed of developments in authentication using Public Key Certificates, public key
technology and infrastructures, including standards and industry practices; and
12. Promoting awareness of the role of authentication using Public Key Certificates in enabling secure service delivery, public
administration and communications.
The Communications Security Establishment manages and operates the Canadian Federal Public Key Infrastructure Bridge. As such,
it signs and manages the cross-certificates of external, Departmental and Common Certification Authorities that cross-certify with
the Canadian Federal Public Key Infrastructure Bridge.
As the cryptology and information technology security technical authority for the Government of Canada Public Key
Infrastructure, the Communications Security Establishment is responsible to:
1. Develop operational standards and technical documentation, with respect to system certification and accreditation, risk and
vulnerability analysis, product evaluation, system and network security analysis, in consultation with the Policy Management
Authority and Departments, as they relate to the Government of Canada Public Key Infrastructure and related applications;
2. Provide advice and assistance to the Policy Management Authority and Departments on operational standards and technical
documentation;
3. Provide strategic security engineering services and expert technical advice to support the design, implementation and
operation of the Government of Canada Public Key Infrastructure and related critical infrastructure elements;
4. Develop and provide specialized training, especially with respect to network vulnerabilities and appropriate mitigation
strategies, and conduct related technical research and development;
5. Under Policy Management Authority direction,
(a) Maintain and advise on the overall system architecture of the Government of Canada Public Key Infrastructure; and
(b) Represent the Government of Canada on national and international technical committees pertaining to Public Key
Infrastructures.
The Communications Security Establishment also manages and operates the Secure Emerging Technologies Testbed, which is used to
support interoperability testing between various secure emerging technology applications and the Government of Canada Public Key
Infrastructure.
This policy is issued pursuant to the Financial Administration Act, subsection 7(1).
This policy should be read in conjunction with the following Treasury Board policies:
These policies are available at http://www.tbs-sct.gc.ca/.
See the Treasury Board of Canada Secretariat, Chief Information Officer web site at http://www.tbs-sct.gc.ca/
for up-to-date information related to authentication using Public Key Certificates.
Enquiries concerning the intent and implementation of this policy should be directed to:
Chief Information Officer Branch
Treasury Board Secretariat
Facsimile: (613) 946-9893
e-mail: pki-icp@tbs-sct.gc.ca