The Australian Taxation Office (ATO) operates a Public Key Infrastructure (PKI) to support its initiatives in promoting electronic communications with its clients. This PKI provides Keys and Certificates to authorised client staff, through the operation of Certification Authorities (CAs). The use of these Keys and Certificates provides both the ATO and the client with greater assurance that the electronic communication, conducted only between the two parties, remains between them and that information is not corrupted in transit.
In the initial stages of operation of the Australian Taxation Office Public Key Infrastructure (ATO PKI), Keys and Certificates were issued to Certificate Holders who were authorised for this purpose by the Entities that they represented. This meant that each Certificate Holder was authorised to use any or all of the facilities offered to Certificate Holders by the ATO.
The ATO has recognised that many Entities have a requirement that selected staff would operate limited facilities in their relationship with the ATO. To support this requirement, the ATO has introduced a 2-tier system of certificates. Primary Certificate Holders will have:
- unlimited access to the online service capabilities that ATO provides to the Entity;
- the ability to renew their Keys and Certificates and to revoke their Certificates;
- the ability to identify to the system Secondary Certificate Holders whose identity and entitlement to a Secondary Certificate they have established;
- the ability to change their own functionality to that of a Secondary Certificate Holder;
- the ability to request Keys and Certificates on behalf of Secondary Certificate Holders corresponding with the same Entity; and,
- the ability to limit or expand the functional capabilities of any given Secondary Certificate Holder corresponding with the same Entity to the extent permitted by ATO.
Secondary Certificate Holders will only be able to access the ATO online service capabilities to which they have been authorised, and to renew their Keys and Certificates and revoke their certificates.
The information contained in this document is intended for personnel charged with the management and operation of Secondary Certificates issued by the Australian Taxation Office Organisation Certification Authority (ATO OCA), and associated Keys, under the Australian Taxation Office Certification Authority (ATO CA) as part of the ATO PKI. This document is also applicable to Entities and Secondary Certificate Holders who hold Secondary Keys and Certificates issued under this CP to enable communications with the ATO. Certificate Holders who hold Primary Certificates should refer to PO01: Certificate Policy for ATO Primary Certificates.
Keys and Certificates issued under the ATO’s Secondary Certificate Policy (CP) are issued to Entities for the purpose of communication with the ATO.
Any person who uses a Key or Certificate for a purpose other than for communication with the ATO or relies on communications signed using the Private Key associated with one of these Certificates does so at their own risk and the ATO disclaims all liability to such persons.
The framework in which the ATO CA operates, and its possible relationships with other proposed developments are shown in Figure 1.
Figure 1

The ATO PKI includes the ATO Policy Management Authority (PMA), the ATO CA and the ATO OCA. The ATO PKI must ensure that it maintains the trust of those who have been issued with Certificates by the ATO OCA.
In accordance with the definition of an Electronic Signature in the Income Tax Assessment Act 1936 (Cth), the Commissioner of Taxation has determined that the ATO will accept electronic Business Activity Statements (BAS) for the collection of the Goods and Services Tax (GST) and other documents that need to be lodged with the ATO if they contain an Electronic Signature created using Keys and Certificates issued by the ATO OCA and in accordance with this CP. The Certificates issued under this CP are ATO Secondary Gatekeeper approved Certificates.
The ATO intends to authorise other Gatekeeper accredited Certification Authorities or Certification Authorities that are recognised by Gatekeeper to issue Keys and Certificates to Entities for the purpose of communicating with the ATO. (See the ATO PKI Web Site in Appendix C for details).
The information contained in the CP is intended to inform those who are issued with Secondary Keys and Certificates under this CP of their rights and obligations. It also sets out how the ATO OCA will discharge its obligations to those persons.
The responsible officer (the Secondary Certificate Holder once this person has been issued with Secondary Certificates) of an entity that is the holder of an Australian Business Number issued under the A New Tax System (Australian Business Number) Act 1999 (Cth) (the Entity) is entitled to hold Keys and Certificates issued under this CP where the Entity and the Secondary Certificate Holder have agreed to the Conditions of Use that apply to those Keys and Certificates.
When the Entity signs documents using its Authentication Private Key issued under this CP, the ATO will accept that the Secondary Certificate Holder has authority to sign documents sent on behalf of the Entity.
The ATO PKI allows Primary Certificate Holders to sponsor potential Secondary Certificate Holders into the system by registering them and requesting Keys and Certificates on their behalf. To start this process, the Primary Certificate Holder accesses the ATO’s web site to register a potential Secondary Certificate Holder. The Primary Certificate Holder enters the details of the potential Secondary Certificate Holder, and confirms he/she has established the identity of the potential Secondary Certificate Holder based on the ATO’s policy for EOI/POI, signs the request and sends it to the ATO OCA.
The ATO OCA checks the signature and validates the request. If valid, the ATO OCA generates Keys and Certificates and distributes them as described in section 4.2.1 Certificate Issue Process.
The ATO PKI supports Key Pairs being generated by the ATO OCA, and also supports end user generation of Key Pairs by the Secondary Certificate Holder to replace valid Keys and Certificates which have not yet expired. Primary Certificate Holders may opt to become Secondary Certificate Holders, when replacing valid Keys and Certificates which have not yet expired. When replacement Keys have been generated on the Certificate Holder’s computer, the Private Keys are held encrypted on that computer and each Public Key is attached to a copy of the Certificate information which is extracted from the existing Primary or Secondary Certificates. Only the Certificate Holder is allowed to update the e-mail address and only this field is able to be amended. The Certificate information and the Public Keys are formulated into Secondary Certificate requests for Authentication and Confidentiality Certificates. These Secondary Certificate requests are included in a single document which is signed and encrypted by the Certificate Holder’s currently valid Keys and Certificates and then sent to the ATO OCA from the Certificate Holder’s computer.
The Certificates and Public Keys from the currently valid Keys and Certificates (which may be Primary Keys and Certificates, when a Primary Certificate Holder has opted to replace valid Primary Keys and Certificates with Secondary Keys and Certificates, or Secondary Keys and Certificates, when a Secondary Certificate Holder is replacing valid keys and Certificates which have not yet expired) are verified by the ATO OCA to ensure that the document containing the two Certificate requests originated from a legitimate Certificate Holder. Also the ATO OCA checks that the Keys and Certificates used to sign and encrypt the document are still valid.
The ATO OCA takes the Certificate information and Public Keys and converts them into signed Secondary Certificates (Authentication and Confidentiality Certificates respectively). It keeps a copy of the Secondary Certificates in the Oracle based certificate database with X.500 directory format and sends the signed Secondary Certificates (which includes the respective Public Keys) back to the Secondary Certificate Holder.
The signed Secondary Certificates are integrated into a PKCS#12 file from which they are imported into the ATO Client Software. The replaced Keys and Certificates are used to submit a revocation request for the replaced Keys and Certificates, which is sent to the ATO OCA by the Certificate Holder.
This CP does the following:
- Includes at Appendix A the Conditions of Use that apply to the use of Secondary Keys and Certificates issued under the CP.
- Describes the policies employed by the ATO OCA to ensure the security and integrity of the ATO OCA’s operations and the Keys and Certificates at Appendix B.
- Has at Appendix C a list of relevant web sites.
This CP has been produced in accordance with the Commonwealth Government's policy and guidelines on the protection of information and information technology environments.
The ATO OCA is operated under the ATO PKI in accordance with the ATO Certification Practice Statement (CPS). The ATO has been granted Gatekeeper Accreditation by AGIMO for the provision of certification and registration services. For information concerning AGIMO see Appendix C.
The Conditions of Use at Appendix A set out the conditions that apply to use, on behalf of an Entity, of Keys and Certificates issued under this CP to a Secondary Certificate Holder.
The Entity and Secondary Certificate Holder agree that the use of the Keys and Certificates issued under this CP is limited to the Secondary Certificate Holder communicating with the ATO on behalf of the Entity and that use for any other purpose is not authorised.
Any person who uses a Key or Certificate issued under this CP for a purpose other than for communication with the ATO or relies on communications signed using the Private Key associated with one of those Certificates does so at their own risk and the ATO disclaims all liability to such persons.
The Certificate Policy in respect of Keys and Certificates that are issued to Secondary Certificate Holders for the purposes of communicating with the ATO is comprised by the contents of this document, including Appendix B.
The function of the Certificate Policy is to provide guidelines for the following:
- Central generation and issuing of Keys, Secondary Certificate Holder generation of Keys, central creation, signing and issuing of associated Secondary Certificates, operational use, compromise, expiry, and revocation of Certificates issued under this CP.
- Security, mutual consistency, and effectiveness of the ATO OCA’s operations.
- Maintenance of the logical and physical elements of the ATO’s PKI.
This CP is also complemented by an annotated statement of the policy that appears in the Certificates issued by the ATO OCA. That statement is known as the policy qualifier (see Appendix B, table in section 1.3.1.2.3 ATO OCA Certificates Issued). This CP is also supported by a number of supporting documents that are referenced throughout Appendix B. Unless otherwise stated, those documents are publicly available from the web sites indicated. You may download and copy that material to understand your obligations under the Conditions of Use but for no other purpose.
The glossary, published at www.ato-pki.ato.gov.au, contains definitions of the terms used in this CP.
Some ATO PKI policy and practice documents are available via the Internet. See Appendix C for web site information.
In the remainder of this document, the repository for those documents is referred to as the ATO PKI Web Site.
The ATO OCA is operated for the purpose of issuing Certificates to entities that have been issued with an Australian Business Number (Entities). In some circumstances the ATO OCA issues Keys to the person; in other circumstances, Keys are generated by the user of the Keys. Where the ATO OCA generates a Key Pair, it has put in place arrangements to ensure that it does not have access to the Private Key of an ATO client.
Where Secondary Certificate Holders are in possession of currently valid Keys and Certificates, they can locally generate new Authentication and Confidentiality Key Pairs. The Private Keys remain encrypted and do not leave the end user’s computer. The Certificate information is extracted from the current Secondary Certificates, the e-mail address is edited if required, and each Public Key generated by the end user is included in a separate Secondary Certificate request which is sent to the ATO OCA.
The ATO OCA verifies that the Certificate requests originated from the Secondary Certificate Holder and creates and signs Certificates which are then sent back to the Secondary Certificate Holder. The Secondary Certificate Holder then sends a revocation request for the Secondary Certificates that are to be replaced, confirming receipt of the new certificates. The old Certificates are then revoked.
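The replacement procedure described here, and in more detail in the earlier passage on holder-generated Key Pairs, leaves the OCA with a small set of policy checks to enforce before it converts a request into new Secondary Certificates: the Certificates used to sign and encrypt the request must still be valid (issued, unexpired and unrevoked), only the e-mail address may differ from the existing Certificate information, and the replaced Certificates are revoked only on the holder's own revocation request. The following Python model is an added example written for this page; it is not the ATO OCA's software, the class names, fields and sample values are constructed, and cryptographic verification of the request's signature and encryption is assumed to have already been done by the caller.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed model for illustration only: the class names, fields and sample
# values are not the ATO OCA's data model or software.
MUTABLE_FIELDS = {"email"}  # the only Certificate field a holder may amend on replacement


@dataclass(frozen=True)
class CertInfo:
    c: str
    o: str
    cn: str
    email: str


@dataclass(frozen=True)
class Certificate:
    serial: int
    usage: str          # "Authentication" or "Confidentiality"
    info: CertInfo
    public_key: str     # placeholder for the encoded Public Key
    valid_from: date
    valid_to: date


class RekeyError(Exception):
    """A replacement or revocation request that fails the CP's conditions."""


class OcaRekeyService:
    """OCA-side policy checks for holder-generated replacement Key Pairs."""

    def __init__(self, lifetime_days=365):
        self.issued = {}                         # serial -> Certificate
        self.crl = set()                         # serials of revoked Certificates
        self.lifetime = timedelta(days=lifetime_days)
        self._next_serial = 1

    def _issue(self, usage, info, public_key, on):
        cert = Certificate(self._next_serial, usage, info, public_key, on, on + self.lifetime)
        self.issued[cert.serial] = cert
        self._next_serial += 1
        return cert

    def enrol(self, info, auth_key, conf_key, on):
        """Initial central issue of an Authentication and a Confidentiality Certificate."""
        return (self._issue("Authentication", info, auth_key, on),
                self._issue("Confidentiality", info, conf_key, on))

    def is_valid(self, serial, on):
        """Issued by this OCA, not revoked, and inside its validity period on the given date."""
        cert = self.issued.get(serial)
        return (cert is not None and serial not in self.crl
                and cert.valid_from <= on <= cert.valid_to)

    def rekey(self, signing_serial, encrypting_serial, requested_info,
              new_auth_key, new_conf_key, on):
        """Validate a replacement request and issue the two new Secondary Certificates."""
        # Both Certificates used to sign and encrypt the request must still be valid.
        for serial in (signing_serial, encrypting_serial):
            if not self.is_valid(serial, on):
                raise RekeyError(f"certificate {serial} is unknown, revoked or expired")
        current = self.issued[signing_serial].info
        # Only the e-mail address may differ from the existing Certificate information.
        changed = {f for f in vars(current) if getattr(current, f) != getattr(requested_info, f)}
        if changed - MUTABLE_FIELDS:
            raise RekeyError(f"fields other than e-mail altered: {sorted(changed - MUTABLE_FIELDS)}")
        return (self._issue("Authentication", requested_info, new_auth_key, on),
                self._issue("Confidentiality", requested_info, new_conf_key, on))

    def revoke_replaced(self, old_serials, on):
        """Holder's revocation request for the replaced Certificates, signed with the old keys."""
        for serial in old_serials:
            if not self.is_valid(serial, on):
                raise RekeyError(f"certificate {serial} cannot sign its own revocation")
        self.crl.update(old_serials)
        return sorted(self.crl)


def rejection_reason(action, *args):
    """Run an OCA action and return the rejection message, or None if it was accepted."""
    try:
        action(*args)
        return None
    except RekeyError as exc:
        return str(exc)


def demo():
    """Full replacement cycle on constructed sample data: enrol, rekey, revoke the old pair."""
    oca = OcaRekeyService()
    info = CertInfo("AU", "XYZ Company", "John Citizen", "john@example.com")
    auth, conf = oca.enrol(info, "AUTH-KEY-1", "CONF-KEY-1", date(2024, 1, 1))
    on = date(2024, 10, 1)
    new_auth, new_conf = oca.rekey(auth.serial, conf.serial, replace(info, email="jc@example.com"),
                                   "AUTH-KEY-2", "CONF-KEY-2", on)
    crl = oca.revoke_replaced([auth.serial, conf.serial], on)
    return oca, (auth.serial, conf.serial), (new_auth.serial, new_conf.serial), crl


if __name__ == "__main__":
    print(demo()[1:])
```

The order of operations matters for availability as well as security: the old Certificates stay valid until the holder, having received the new ones, signs the revocation request with them, so a failed delivery never leaves the holder without a usable pair.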
Keys and Certificates issued under this CP are designed primarily for the collection of the GST and other related revenue lines from ATO business clients. For transactions relating to the collection of the GST, Keys and Certificates must as a minimum have a Gatekeeper classification of ATO Primary or Secondary. The ATO’s full requirements for digital signatures are set out at the ATO PKI Web Site (see Appendix C).
Secondary Certificates issued under this CP are owned by the ATO and may only be used for the purpose of communicating with the ATO. If they are used for any other purpose, the ATO may revoke the Certificates.
The composition and functions of the ATO PMA are set out in the ATO Policy Management Authority document published at the ATO PKI Web Site, see Appendix C.
Changes to this CP or any other document which forms the basis of the Gatekeeper Accreditation of the ATO, are only implemented with the approval of the General Manager, Australian Government Information Management Office (GM, AGIMO).
As new standards emerge, or policy matters are identified for improvement, this CP including the Appendices will be amended.
After an amendment to the Conditions of Use, or the ATO Secondary Certificate Policy in Appendix B, has been approved, the ATO PKI will do the following:
- Publish at the ATO PKI Web Site (see Appendix C) any amended documents.
- Advise Entities with Keys and Certificates of the effect of the change and the date of effect.
- Cancel Keys and Certificates where the Entity or Secondary Certificate Holder indicates that it no longer wishes to abide by the new arrangements.
If an existing document requires amendment, the change process employed is the same as for initial publication, as described above. Note that a new Object Identifier (OID) will be issued for a new document.
The naming convention for amendment notices shall be:
- XXX, where XXX represents a sequential number beginning with 000
- YYYY, indicating the year the amendment was issued
Appendix A - Conditions of use for
1.1 The Entity as the holder of an Australian Business Number (the Entity) is required to, or wishes to, use Keys and Certificates issued under ATO’s Certificate Policy (CP) for ATO Secondary Certificates to communicate with the ATO.
1.2 The ATO has established the ATO Public Key Infrastructure (ATO PKI) to facilitate Internet-based electronic service delivery.
1.3 Details of the ATO PKI are set out in a number of CPs, the ATO Certification Practice Statement (CPS) and other relevant documents which are published at the ATO PKI Web Site (http://www.ato-pki.ato.gov.au/), and these Conditions of Use should be read in conjunction with these documents.
1.4 Authentication and Confidentiality Key Pairs are generated under the CP for ATO Secondary Certificates (the Secondary CP), and except in circumstances described in clause 1.7, the ATO OCA generates all Key Pairs.
1.5 Where Key Pairs are generated by the ATO OCA, the ATO does not have access to, and does not hold, the Private Key.
1.6 ATO has established a two tier system of Keys and Certificates for access to its online services such that Primary Certificate Holders (governed by the CP for ATO Primary Certificates) shall have:
a. unlimited access to the online service capabilities that ATO provides to the Entity;
b. the ability to identify to the system Secondary Certificate Holders whose identity and entitlement to a Secondary Certificate they have established;
c. the ability to change their own functionality to that of a Secondary Certificate Holder;
d. the ability to request Keys and Certificates on behalf of Secondary Certificate Holders corresponding with the same Entity;
e. the ability to limit or expand the functional capabilities of any given Secondary Certificate Holder corresponding with the same Entity to the extent permitted by ATO.
This approach has been adopted in order to provide Entities with the ability to limit the functional abilities of their Secondary Certificate Holders.
1.7 Before a Secondary Certificate Holder’s Certificate is due to expire, the Secondary Certificate Holder may generate new Key Pairs, and when this occurs, the Private Keys do not leave the Secondary Certificate Holder’s local computer or other trustworthy computer system.
1.8 After the Secondary Certificate Holder generates the Key Pairs, Certificate information and the Public Keys are sent to the ATO OCA for conversion into signed Secondary Certificates, which are then returned to the Secondary Certificate Holder.
1.9 Keys and Certificates operate on the Certificate Holder’s computer system through ATO Client Software.
1.10 By using the Keys and Certificates issued under the Secondary CP, the Entity and the Secondary Certificate Holder agree to be bound by the Secondary CP, the CPS and these Conditions of Use.
2.1 A description of the ATO services which may be delivered using the Keys and Certificates is located at the ATO PKI Web Site (http://www.ato-pki.ato.gov.au/). These services may be updated by the ATO from time to time.
2.2 The Keys and Certificates are to be used for the purpose of communication on behalf of the Entity with the ATO. It is intended that only the ATO rely on the Electronic Signature created by the use of the Secondary Certificate Holder's Authentication Private Key. Any person who relies on or uses a Key or Certificate for a purpose other than communication with the ATO or relies on communications signed using the Private Key associated with one of those Certificates does so at their own risk and the ATO disclaims all liability to such persons.
2.3 Business Activity Statements (BAS) and other documents lodged electronically with the ATO by the Entity must be signed and encrypted using the Keys and Certificates which operate through the ATO Client Software.
2.4 The Entity agrees that use of the Secondary Certificate Holder’s Private Authentication Key to sign a communication with the ATO will have the same binding effect as a written signature on paper of a legally appointed officer of the Entity.
The Entity warrants that true, complete and accurate information has been provided to the ATO in relation to Keys and Certificates issued under the Secondary CP in the name of the Secondary Certificate Holder. The Entity undertakes to promptly notify the ATO in the event that any part of that information changes.
4.1 The Entity warrants that the Secondary Certificate Holder has full authority to use the Keys and Certificates on the Entity’s behalf. If that is no longer the case, or a Private Key has been compromised, the Entity must immediately request the ATO to revoke the Certificates used by that Secondary Certificate Holder.
4.2 The Entity acknowledges that it may be held responsible for the contents of any transmission, message, or other document signed using the Secondary Certificate Holder’s Private Authentication Key.
4.3 The Secondary Certificate Holder must not disclose their Private Keys to any other person.
5.1 The Entity acknowledges that the ATO owns the intellectual property rights in the Keys and Certificates the ATO creates. The ATO licenses the Entity and the Secondary Certificate Holder to reproduce and publish in unaltered form these Secondary Certificates, but only for the purposes of use in the ATO PKI and in accordance with these Conditions of Use.
5.2 The ATO hereby assigns to the Entity any intellectual property it may have in the Private Keys issued to the Secondary Certificate Holder.
5.3 The ATO acknowledges that the Entity owns the intellectual property (if any) in the Key Pairs the Secondary Certificate Holder creates.
5.4 The Entity grants to the ATO an irrevocable, perpetual, royalty free licence to reproduce and publish the Secondary Certificate Holder’s Public Key for the purposes of use in the ATO PKI and in accordance with these Conditions of Use.
5.5 The Entity and the Secondary Certificate Holder agree that the ATO has the right to use the distinguished name assigned by the ATO OCA (which will include the Entity's and Secondary Certificate Holder’s names) for the purposes of the ATO PKI.
5.6 ATO licenses the Entity and the Secondary Certificate Holder (‘them’) to exercise any of ATO’s rights in or to the ATO Client Software that are required to enable ‘them’ to do whatever is required to use Keys and Certificates to communicate with the ATO.
6.1 The Entity will indemnify the ATO against any loss arising from:
a. the Secondary Certificate Holder’s failure to ensure the safety and integrity of the Private Keys;
b. use of the Keys and Certificates otherwise than in accordance with these Conditions of Use and the Secondary CP; or
c. any wilful, negligent or unlawful act or omission by the Entity or the Secondary Certificate Holder in relation to use of the Keys and Certificates.
6.2 The Entity’s liability under this indemnity is reduced to the extent that any wilful, negligent or unlawful act or omission by the ATO or its officers, employees or agents has contributed to its loss.
The ATO OCA may alter these Conditions of Use and the terms and conditions of the Secondary CP from time to time by notice to the Entity in accordance with section 8.3 Amendment Procedure of the Secondary CP.
8.1 The Entity and Secondary Certificate Holder agree to the provisions relating to revocation set out in section 4.4 Certificate Revocation of Appendix B of the Secondary CP.
8.2 The ATO OCA may revoke a Secondary Certificate where:
a. it suspects that the corresponding Private Key has been compromised;
b. the Keys and Certificates have been misused; or
c. in the other circumstances described in section of Appendix B of the Secondary CP.
8.3 The Entity and the Secondary Certificate Holder must not use the Keys and Certificates for any purpose after the Certificates have been revoked.
Except as set out in these Conditions of Use and the Secondary CP, the ATO gives no implied or express warranties in relation to the Keys and Certificates or their use by the Entity or the Secondary Certificate Holder. All statutory warranties are to the fullest extent permitted by law expressly excluded.
10.1 The ATO acknowledges that it is bound by, and is required to operate fully in accordance with, the requirements of the Privacy Act 1988, including the Information Privacy Principles set out in that Act.
10.2 The Entity and Secondary Certificate Holder consent to the disclosure of the personal information that is provided to the ATO specifically for the purposes associated with the ATO or any ATO approved or Gatekeeper accredited Certification Authority creating a Certificate and the associated use of that Certificate and information it contains by any person.
The personal information details that appear in a Certificate are set out in the table in section 1.3.1.2.3 ATO OCA Certificates Issued of Appendix B of the Secondary CP.
The ATO acknowledges that it is bound by confidentiality and secrecy provisions, including specific statutory secrecy provisions that protect any tax related information of an Entity or Certificate Holder. The ATO will conduct its ATO PKI at all times in compliance with any applicable confidentiality and statutory secrecy provisions.
12.1 These Conditions of Use are governed by, and are to be construed in accordance with, the laws from time to time in force in the Australian Capital Territory.
12.2 Section 2.4.3 Dispute Resolution Procedures of Appendix B of the Secondary CP sets out how disputes between the persons referred to in these Conditions of Use are to be resolved, and the parties agree that those requirements apply to the extent that the dispute concerns the use of the Keys and Certificates.
12.3 The terms that commence with capital letters will, unless there is a contrary intention, have the meaning applied to them in the Glossary published at http://www.ato-pki.gov.au
Appendix B
The ATO CA is a self signing Certification Authority primarily established to facilitate secure, electronic communication between the ATO clients including Entities who have registered for and received an Australian Business Number (ABN) and the ATO. The ATO OCA has been established to issue ATO Primary and Secondary Certificates to these ATO clients.
Keys and Certificates are issued under this CP to ATO Secondary Certificate Holders who act on behalf of Entities. Keys and Certificates issued to ATO Primary Certificate Holders are issued under “PO01: Certificate Policy for ATO Primary Certificates”.
This Certificate Policy (CP) has been written expressly to comply with the Commonwealth Government's Gatekeeper strategy for Public Key technology use in government (May 2000) as amended. Gatekeeper endorses a number of types of Certificates.
The ATO CA uses 2048 bit Keys to sign the ATO OCA’s Certificate and, where the ATO OCA issues Keys for Entities under this CP, it issues 1024 bit Keys. Where a Certificate Holder in possession of currently valid Keys and Certificates uses End User generation of Key Pairs on the local computer or other trustworthy computer system, the Keys created are 1024 bit.
The Certificates issued under this CP to Entities are categorised as ATO Secondary Certificates and they may be issued to an Entity who is required to have an Australian Business Number under the A New Tax System (Goods and Services Tax) Act 1999 (Cth) where that Entity has:
a. Appointed an individual (a Secondary Certificate Holder) to use Keys to sign documents on the Entity's behalf; and
b. Agreed to be bound by this CP including the Conditions of Use at Appendix A.
The infrastructure supporting this CP is made up of the ATO CA, ATO OCA and PKI Subordinate Elements. Registration Authority (RA) functions are performed by the ATO.
Keys and Certificates created for the purpose of this CP comprise two types of key pairs:
- Authentication Key Pairs
- Confidentiality Key Pairs
Each Key Pair consists of a Private Key and a Public Key.
The Authentication Key Pair is used for authentication. The Private Key is used to digitally sign a message, and the Public Key is used to verify the Electronic Signature by the recipient.
The Confidentiality key pair is used to protect by encryption the confidentiality of a message. The sender uses the intended recipient's Public Key to encrypt the contents of a message and the recipient uses its Private Key to decrypt the message.
This CP is largely based on the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework; see Appendix C for web site details.
Where that document does not provide for sufficient detail, this CP will differ in so far as it is necessary for clarity.
Definitions used in this document are contained in the Glossary published at the ATO PKI Web Site; see Appendix C for web site details.
These definitions are based on the ISO Glossary of IT Security Technology.
It should be noted that not all terms or acronyms which appear in the Glossary have been used in this document. However the list as presented is consistent across the ATO PKI documentation suite.
The authority for all objects identified originates from the ATO CA.
Specified elements under this CP have been assigned an X.500 Object Identifier (OID).
The ATO has published the hash of the Authentication Certificate for the ATO CA and the ATO OCA on the ATO PKI Web Site; see Appendix C for web site details. ATO clients will also receive written notification from the ATO of the hash of the Authentication Certificate for the ATO CA. They will also be informed of the hashes for any other ATO PKI Servers engaged in electronic service delivery.
In operational use, the Entity’s ATO Client Software uses this hash to check the validity of digital signatures originating from the ATO CA.
The OID for the ATO CA is:
The OID for the ATO OCA is:
The OID for this CP is: 1.2.36.824753556.1.0.200.2.1
The Commissioner of Taxation has determined that a digital signature created by a Key issued under this CP is an Electronic Signature for the purposes of the definition of Electronic Signature in the Income Tax Assessment Act 1936 (Cth) and a signature properly created is binding upon the Entity. That definition applies across the other taxation laws administered by the ATO, including the A New Tax System (Goods and Services Tax) Act 1999 (Cth).
This CP is applicable to:
- ATO CA;
- ATO OCA; and
- Entities and Secondary Certificate Holders.
The General Manager AGIMO is the Gatekeeper Competent Authority. The Competent Authority manages the accreditation of organisations under the Gatekeeper PKI Strategy. It establishes and maintains the criteria for Gatekeeper Accreditation. The Gatekeeper Competent Authority accredits Certification Authorities to offer services to Commonwealth Agencies and/or to those organisations and entities with which Commonwealth agencies transact business once the CA service providers have been accredited. The Competent Authority may be contacted at: Australian Government Information Management Office.
The composition and functions of the ATO PMA are set out in the ATO Policy Management Authority document published at the ATO PKI Web Site, see Appendix C.
Contact details for the ATO PMA are set out at the ATO PKI Web Site, see Appendix C.
The Commissioner for Taxation has overall responsibility for the activities of the ATO PKI and may delegate responsibilities down to the level of Assistant Commissioner.
The ATO CA functions include the following:
- Generating its own keys and issuing a self signed Certificate, publishing the Public Key of the ATO CA with the hash that establishes the ATO CA as the highest point of trust in the ATO PKI.
- Publishing each CP under which it issues Keys and Certificates, and the CPS for the ATO PKI, at the ATO PKI Web Site, see Appendix C.
- Certifying the Public Key of the ATO OCA.
- Operating the ATO CA in an efficient and trustworthy manner and in accordance with:
  - The terms of the accreditation of the ATO CA by the GM, AGIMO
  - The ATO Concept of Operations
  - The CPs that it issues Certificates under
  - The CPS
  - The ATO PKI System Security Plan and other associated security documents
  - Documented internal operational procedures
- Issuing Keys and Certificates in accordance with the ATO CA CP.
- Revoking Certificates it has issued on receipt of an authenticated signed revocation request or when Certificates have been compromised.
- Posting revoked Certificates in the directory services CRL.
- Conducting regular audits and facilitating external audits including those required for the purpose of maintaining Gatekeeper Accreditation.
The contact details for the ATO CA are located on the ATO PKI Web Site, see Appendix C.
The ATO OCA has the following functions:
- Publishing this CP and other CPs for Certificates issued by the ATO OCA.
- Issuing Certificates to Secondary Certificate Holders for Entities in accordance with this CP, whether the OCA has issued the Key Pairs, or the Key Pairs have been generated by the Secondary Certificate Holder.
- Maintaining an Oracle based certificate database with X.500 directory format for the internal use of the ATO to which it will post Certificate information. (See section 2.6.3 Access Controls).
- Monitoring compliance with this CP.
As per the ATO CA above at 1.3.1.1.2 ATO CA Contact Details.
Under this ATO CP, the ATO OCA will issue an ATO Secondary Certificate to a Secondary Certificate Holder sponsored by a Primary Certificate Holder as an authorised representative of an Entity.
The Authentication Certificate will contain:
Field | Value
Version | V3
Serial Number | An integer that acts as a unique identifier
Signature | Contains the algorithm identifier for the algorithm used by the ATO OCA to sign the Certificate. The signature is generated using RSA encryption and the SHA-1 hashing algorithm.
Issuer | c=au, o=Australian Taxation Office, cn=ATO OCA
Validity (From) | The date the Secondary Certificate is valid from.
Validity (To) | The date the Secondary Certificate is valid until.
Subject | Distinguished Name of Secondary Certificate Holder (John Citizen), for example, c=AU, o=XYZ Company, cn=John Citizen
Subject Public Key Info | Indicates the algorithm used: RSA 1024 bit and provides the value of the Public Key in hexadecimal.
Authority Key Identifier | The key identifier is the hash of the issuer's (ATO OCA's) Public Key.
Subject Key Identifier | The key identifier is the hash of the Subject's Public Key.
Key Usage - Authentication | The Authentication Certificate is used for: Electronic Signature, Non-repudiation.
Certificate Policies | Certificate Policy OID: 1.2.36.824753556.1.0.200.2.1; CPS URI: http://www.ato-pki.ato.gov.au/; Policy qualifier: Keys and Certificates issued under this CP are issued to Secondary Certificate Holders only for use in communicating with the ATO.
Subject Alternative Name | The Secondary Certificate Holder's e-mail address.
Private Extensions | The three private extensions listed below.
OID of ABN field, 1.2.36.824753556.10000.1 | The ABN for the Entity. An eleven digit field, for example 01234567891.
OID of CAC field, 1.2.36.824753556.10000.2 | The Client Activity Centre (CAC) value, a three digit value, for example 001.
OID of CARN field, 1.2.36.824753556.10000.3 | The CA Reference Number (CARN) assigned to this Secondary Certificate Holder. A ten digit field, for example 0123456789.
Signature Algorithm | Contains the OID for the cryptographic algorithm used by the ATO OCA to sign this certificate.
Signature Value | The ATO OCA Electronic Signature.
The Confidentiality Certificate will contain:
Field | Value
Version | V3
Serial Number | An integer that acts as a unique identifier
Signature | Contains the algorithm identifier for the algorithm used by the ATO OCA to sign the Certificate. The signature is generated using RSA encryption and the SHA-1 hashing algorithm.
Issuer | c=au, o=Australian Taxation Office, cn=ATO OCA
Validity (From) | The date the Secondary Certificate is valid from.
Validity (To) | The date the Secondary Certificate is valid until.
Subject | Distinguished Name of Secondary Certificate Holder (John Citizen), for example, c=AU, o=XYZ Company, cn=John Citizen
Subject Public Key Info | Indicates the algorithm used: RSA 1024 bit and provides the value of the Public Key in hexadecimal.
Authority Key Identifier | The key identifier is the hash of the issuer's (ATO OCA's) Public Key.
Subject Key Identifier | The key identifier is the hash of the Subject's Public Key.
Key Usage - Confidentiality | The Confidentiality Certificate is used for: Encryption.
Certificate Policies | Certificate Policy OID: 1.2.36.824753556.1.0.200.2.1; CPS URI: http://www.ato-pki.ato.gov.au/; Policy qualifier: Keys and Certificates issued under this CP are issued to Secondary Certificate Holders only for use in communicating with the ATO.
Subject Alternative Name | The Secondary Certificate Holder's e-mail address.
Private Extensions | The three private extensions listed below.
OID of ABN field, 1.2.36.824753556.10000.1 | The ABN for the Entity. An eleven digit field, for example 01234567891.
OID of CAC field, 1.2.36.824753556.10000.2 | The Client Activity Centre (CAC) value, a three digit value, for example 001.
OID of CARN field, 1.2.36.824753556.10000.3 | The CA Reference Number (CARN) assigned to this Secondary Certificate Holder. A ten digit field, for example 0123456789.
Signature Algorithm | Contains the OID for the cryptographic algorithm used by the ATO OCA to sign this certificate.
Signature Value | The ATO OCA Electronic Signature.
The Keys and Certificates will comply with the international X.509 V3 standard, which is required by Gatekeeper.
Secondary Certificates carry with them a policy qualifier which is used to bring out the major points of this CP. The purpose of the policy qualifier is to provide the person relying upon the Secondary Certificates with an abbreviated message signifying a policy issue that the Relying Party must be aware of:
Keys and Certificates issued under this CP are issued to Certificate Holders only for use in communicating with the ATO.
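The two certificate profiles above name the extensions a Relying Party would inspect before accepting a Secondary Certificate: the Certificate Policies extension carrying the CP OID with its CPS URI and policy qualifier, the Key Usage that distinguishes an Authentication Certificate from a Confidentiality Certificate, and the three private extensions carrying the ABN, CAC and CARN. The Python below is an added example, not code from the ATO or from this CP. It DER-encodes those extensions using only the OIDs, sample values and digit lengths given in the tables, and then runs the relying-party checks the profile implies over the encoded bytes. Two details the CP does not state are assumed here: that the private extension values are carried as DER PrintableString, and that the extensions are encoded without the critical flag.

```python
# Added example, not ATO code: DER-encode the Secondary Certificate extensions from the
# profile tables and run the relying-party checks they imply. Assumed (the CP does not
# say): private extension values are PrintableString and no extension is marked critical.
OID_POLICY = "1.2.36.824753556.1.0.200.2.1"
OID_ABN, OID_CAC, OID_CARN = ["1.2.36.824753556.10000.%d" % i for i in (1, 2, 3)]
FIELD_LENGTHS = {OID_ABN: 11, OID_CAC: 3, OID_CARN: 10}      # digit counts stated in the tables
CPS_URI = "http://www.ato-pki.ato.gov.au/"
POLICY_TEXT = ("Keys and Certificates issued under this CP are issued to Secondary "
               "Certificate Holders only for use in communicating with the ATO.")
OID_KEY_USAGE, OID_CERT_POLICIES = "2.5.29.15", "2.5.29.32"            # RFC 5280 extension OIDs
OID_QT_CPS, OID_QT_UNOTICE = "1.3.6.1.5.5.7.2.1", "1.3.6.1.5.5.7.2.2"  # policy qualifier OIDs
# KeyUsage bit positions (RFC 5280): 0 digitalSignature, 1 nonRepudiation, 2 keyEncipherment
EXPECTED_KU = {"authentication": {0, 1}, "confidentiality": {2}}  # Signature, Non-repudiation / Encryption

def der_tlv(tag, body):
    """Tag, DER length (short form below 128, long form otherwise), body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, each arc base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for a in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def read_tlv(data, pos=0):
    """Parse one TLV at pos; returns (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def seq_items(body):                                         # bodies of the TLVs inside a SEQUENCE
    items, pos = [], 0
    while pos < len(body):
        _, item, pos = read_tlv(body, pos)
        items.append(item)
    return items

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in lead + arcs[1:])

def extension(oid, value_der):                               # Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }
    return der_tlv(0x30, encode_oid(oid) + der_tlv(0x04, value_der))

def encode_key_usage(bits):
    """KeyUsage BIT STRING (bit 0 = digitalSignature); DER drops trailing zero bits."""
    highest, value = max(bits), bytearray(max(bits) // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    return extension(OID_KEY_USAGE, der_tlv(0x03, bytes([7 - highest % 8]) + bytes(value)))

def encode_certificate_policies():
    """certificatePolicies: the CP OID with a CPS-URI qualifier and a user-notice qualifier."""
    cps = der_tlv(0x30, encode_oid(OID_QT_CPS) + der_tlv(0x16, CPS_URI.encode()))           # IA5String
    notice = der_tlv(0x30, encode_oid(OID_QT_UNOTICE) + der_tlv(0x30, der_tlv(0x0C, POLICY_TEXT.encode())))
    info = der_tlv(0x30, encode_oid(OID_POLICY) + der_tlv(0x30, cps + notice))
    return extension(OID_CERT_POLICIES, der_tlv(0x30, info))

def build_extensions(purpose, abn="01234567891", cac="001", carn="0123456789"):
    """Extensions for one Secondary Certificate; the defaults are the profile's sample values."""
    private = [extension(oid, der_tlv(0x13, v.encode("ascii")))               # PrintableString (assumed)
               for oid, v in ((OID_ABN, abn), (OID_CAC, cac), (OID_CARN, carn))]
    return der_tlv(0x30, encode_key_usage(EXPECTED_KU[purpose]) + encode_certificate_policies() + b"".join(private))

def parse_extensions(ext_der):                               # map extnID -> extnValue contents
    found = {}
    for ext in seq_items(read_tlv(ext_der)[1]):
        _, oid_body, p = read_tlv(ext)
        found[decode_oid(oid_body)] = read_tlv(ext, p)[1]
    return found

def check_secondary_extensions(ext_der, purpose):
    """Relying-party checks implied by the profile; returns a list of problems (empty = OK)."""
    exts, problems = parse_extensions(ext_der), []
    pol = exts.get(OID_CERT_POLICIES, b"")
    if OID_POLICY not in [decode_oid(read_tlv(i)[1]) for i in seq_items(read_tlv(pol)[1] if pol else b"")]:
        problems.append("certificate policy %s not asserted" % OID_POLICY)
    bs = read_tlv(exts[OID_KEY_USAGE])[1] if OID_KEY_USAGE in exts else b"\x00"   # BIT STRING body
    bits = {i for i in range((len(bs) - 1) * 8 - bs[0]) if bs[1 + i // 8] & (0x80 >> i % 8)}
    if bits != EXPECTED_KU[purpose]:
        problems.append("key usage %s unsuitable for a %s certificate" % (sorted(bits), purpose))
    for oid, digits in FIELD_LENGTHS.items():
        tag, text, _ = read_tlv(exts[oid]) if oid in exts else (None, b"", 0)
        value = text.decode("ascii", "replace")
        if tag != 0x13 or not (value.isdigit() and len(value) == digits):
            problems.append("%s value %r is not %d digits" % (oid, value, digits))
    return problems
```

`check_secondary_extensions(build_extensions("authentication"), "authentication")` returns an empty list, while presenting an Authentication Certificate's extensions as a Confidentiality Certificate, or a CAC that is not three digits, returns a description of the mismatch. In a real deployment these checks would run on the extensions of a certificate that has already passed signature and chain validation back to the ATO CA; since the CP makes the ATO the only intended Relying Party, they belong in the ATO-side systems that accept signed or encrypted submissions.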
The ATO OCA will establish the identity of the Entity and Secondary Certificate Holder, through assurances given by the Primary Certificate Holder when entering the Secondary Certificate Holder’s details (name, address and e-mail address) to the system for registration purposes. (See section 3.1 Initial Registration for further information and section 1.3.1.2.3 ATO OCA Certificates Issued for details of the contents of a Certificate).
The key length of a Secondary Certificate Holder’s Authentication and Confidentiality keys to be issued under this CP will be fully compliant with the Gatekeeper requirements.
Where a Secondary Certificate Holder’s Key Pairs are generated by the ATO OCA, the ATO CA has put in place arrangements to ensure that the ATO OCA will not have access to Secondary Certificate Holder’s Private Keys, as described in the AD01: Certification Authority Operations Manual for ATO CA and ATO OCA.
Where a Secondary Certificate Holder generates its own Authentication and Confidentiality Key Pairs, the Private Keys remain encrypted on the Secondary Certificate Holder’s computer and do not leave the Secondary Certificate Holder’s computer.
The following Secondary Certificate Holder contact details may be published in a Secondary Certificate Holder's Public Key Certificate in compliance with X.509 standards:
- Entity name and Secondary Certificate Holder’s name in the End Entity's Distinguished Name in the Subject field.
- The Entity's e-mail address in the Subject Alternative Name field.
Entity contact information is maintained by the ATO as taxpayer information.
Certain details relating to an Entity may be available in the Register of Australian Business Numbers. The information in the Register is in accordance with the applicable legislation.
Secondary Certificates issued under this CP are used to support the secure exchange of information between the ATO and clients of the ATO.
This CP is administered by the ATO PKI.
Enquiries or other communications about this document should be addressed to the ATO CA, see section 1.3.1.1.2.
The Gatekeeper Competent Authority in the Australian Government Information Management Office (AGIMO) is in a position to determine CP suitability for the policy.
This section covers the obligations of the ATO and the ATO PKI to Entities and Secondary Certificate Holders who have Keys and Certificates issued under this CP.
The ATO CA will be the highest point of trust within the ATO PKI.
ATO OCA shall provide a secure message infrastructure that enables the operation of Keys and Certificates using Public Key cryptographic methods.
Changes to this CP can only be made at the direction of the ATO PMA. Factors that will normally result in change requests include, but are not limited to:
- A mandated change to a Gatekeeper Accreditation requirement.
- A change in the technology supporting the PKI.
- A change required to ensure compliance with published international and Australian standards.
The ATO PMA will consult with AGIMO before making any change to this CP. ATO PMA may advise ATO PKI of any changes that need to be made to this CP.
The ATO CA shall:
- Issue Keys and Certificates to itself
- Receive and verify requests for a set of Keys and Certificates in accordance with the relevant CP
- Issue Keys and Certificates to the ATO OCA
- Comply, and ensure that its employees and contractors comply with, the conditions set out in the relevant CP and the practices set out in the CPS
- Maintain Certificate information in a designated Oracle based certificate database with X.500 directory format, including posting CRLs as required
- Action revocation requests
- Issue new Keys and Certificates in accordance with the relevant CP
The ATO CA discharges its obligations by:
- Providing CA, interacting with RA and other PKI services.
- Making reasonable efforts to ensure it conducts an efficient and trustworthy operation. Reasonable efforts include, but are not limited to, operating in compliance with:
- Documented internal operational procedures
- The CPS
- Applicable law
- Maintaining the CPS and enforcing the practices described within it.
- Publishing its Self Signing CA Hash on the ATO PKI Web Site (see Appendix C) and other nominated web sites and in written notification to the Entities and Certificate Holders.
- Issuing Certificates that are factually correct from the information known to it at the time of issue, and that are free from data entry errors.
The ATO OCA shall:
- Receive and verify requests for Keys and Certificates in accordance with this CP
- Perform the Registration Authority function in relation to Entities and Secondary Certificate Holders
- Issue Keys and Certificates that are factually correct from the information known to it at the time of issue, and that are free from data entry errors
- After authenticating the Certificate Holder’s request, generate and issue Certificates where the Certificate Holder has locally generated the Authentication Key Pair and the Confidentiality Key Pair and has sent two Certificate requests containing the respective Public Keys to the ATO OCA. These Certificate requests are signed by the currently valid Keys held by the Certificate Holder
- Comply, and ensure that its employees and contractors comply with, the conditions set out in this CP and the practices set out in the CPS
- Maintain Certificate information in a designated Oracle based certificate database with X.500 directory format, including posting CRLs as required
- Action revocation requests
- Issue Certificates, and where required by this CP, Keys, to a Secondary Certificate Holder in accordance with this CP
Entities and Secondary Certificate Holder’s obligations are set out in the Conditions of Use at Appendix A.
The ATO is the only intended relying party on communications signed with a Certificate Holder’s Private Authentication Key. It is not intended that any other person rely on the Certificate Holder’s digital signature or Public Key Certificate. None of the ATO’s PKI directories will be available to external parties. The CRL will only be made available to the ATO in its capacity as Relying Party. Any person who uses a Key or Certificate for a purpose other than for communication with the ATO or relies on communications signed using the Private Key associated with one of these Certificates does so at their own risk and the ATO disclaims all liability to such persons.
The ATO Repository functions are performed by the Oracle based certificate database with X.500 directory format. This repository is restricted to access by ATO personnel.
The ATO PKI provides and maintains the operational infrastructure for the Oracle based certificate database with X.500 directory format.
A CRL is derived from the Oracle based certificate database with X.500 directory format on a six hourly basis.
- An entity (the first-mentioned entity) operating within a Public Key infrastructure that was established, and is controlled, by another entity is not liable for any loss or damage caused by the first-mentioned entity to the extent to which the first-mentioned entity was operating in accordance with that other entity’s instructions, or pursuant to a contract, except if that first-mentioned entity acted negligently in carrying out that requirement.
- Where a party described in this CP is legally liable to compensate another party, the liability of the first-mentioned party will be reduced proportionally to the extent that any negligent act or omission on the part of the other party contributed to the relevant liability, loss, damage, cost or expense.
Notwithstanding any other provisions of this CP:
a. the Commonwealth makes no representations, and offers no warranties or conditions, express or implied, in relation to:
i. the activities or performance of any of the PKI Entities which are carried out under, or in relation to, this CP; or
ii. if relevant, the services or products of a particular PKI Entity; and
b. the PKI Entities acknowledge and agree that except to the extent that a Commonwealth agency is carrying out the role of a PKI Entity (in which case the liability of the Commonwealth will be determined in accordance with the provisions set out in this section 2.2), the Commonwealth is not liable in any manner whatsoever for any loss or damage caused to, or suffered by, any person, including a PKI Entity as a result of:
i. an entity described in this CP carrying out, or omitting to carry out, any activity described in, or contemplated by, the Approved Documents;
ii. the Commonwealth carrying out, or omitting to carry out, any activity related to the Gatekeeper Accreditation process;
iii. a negligent act or omission of the Commonwealth; or
iv. any matter related to the use of ATO issued Keys and Certificates and the information that they contain for the purpose of making or facilitating an application for any non ATO issued Key or Certificate.
An entity referred to in this CP is not liable for any loss or damage arising from any delay or failure to perform its obligations described in this CP if such delay is due to Force Majeure.
If a delay or failure by such an entity to perform its obligations is due to Force Majeure, the performance of that entity’s obligations is suspended for a period in which the Force Majeure is in effect up to a maximum period of 30 days.
The ATO PKI has introduced a number of measures to manage risk. These measures are intended to:
- Inhibit misuse of the ATO PKI's resources by authorised personnel
- Prohibit access to those resources by unauthorised individuals
These measures include but are not limited to:
- Identifying contingency events and appropriate recovery actions in a Disaster Recovery and Business Continuity Plan
- Performing regular system data backups
- Performing a backup of the current operating software and certain software configuration files
- Storing all backups in secure local and offsite storage
- Maintaining secure offsite storage of other material needed for disaster recovery
- Periodically testing local and offsite backups to ensure that the information is retrievable in the event of a failure
- Periodically reviewing its Disaster Recovery and Business Continuity Plan, including the identification, analysis, evaluation and prioritisation of risks
- Periodically testing uninterrupted power supplies
No stipulation
Issuing Keys and Certificates in accordance with this CP does not make the ATO an agent, fiduciary, trustee, or other representative of an Entity or Certificate Holder.
No Stipulation
This CP is governed by the laws in force in the Australian Capital Territory.
In the event that any one or more of the provisions of the CP is for any reason held to be invalid, illegal, or unenforceable at law, such unenforceability shall not affect any other provision, but this CP shall then be construed as if such unenforceable provision or provisions had never been contained herein, and in so far as possible, construed to maintain the original intent of this CP.
If a contractual relationship between PKI Entities expires or is terminated for any reason, any provisions of that contract that are necessary for those Entities to effectively exercise their rights and discharge their obligations and responsibilities to each other will survive that termination or expiration.
If the Private Key corresponding to the Public Key that is contained in a Certificate is compromised, or the expiration date of a Certificate is reached or passed, then the rights and obligations of the entities described in this CP are those described in this CP, the CPS and any other legally enforceable agreement between the entities.
A notice, consent, request or any other communication required to be provided under this CP may be sent in one of the following approved forms:
a. to the Secondary Certificate Holder on behalf of the Entity:
i. electronically – and sent to the Secondary Certificate Holder’s email address specified in the Subject Alternative Name field on the Certificate; or
ii. in writing – provided that the notice is left at, or sent by prepaid post (airmail if posted to, or from, a place outside Australia) to, the recorded address of the Secondary Certificate Holder; or
b. to the ATO OCA, ATO ECI Server or any other server nominated by the ATO OCA (the ATO Notice Recipient), whichever is relevant:
i. electronically – and sent to the relevant ATO Notice Recipient; or
ii. in writing – provided the notice is left at, or sent by prepaid post (airmail if posted to, or from, a place outside Australia) to, the recorded address of the ATO Notice Recipient.
A notice, consent, request or any other communication is deemed to be received:
- Electronically – at the time that the notice is received by the recipient's host machine.
- If left at the recorded address of a party – at the time it is left.
- If sent by prepaid post – three business days after posting (seven, if posted to or from a place outside Australia).
Notices will be issued by the ATO OCA for the following events:
- Establishment of a new CP that replaces this CP (including Conditions of Use)
- Change or alteration of existing CP (including Conditions of Use)
- Any change that affects the Gatekeeper Accreditation of the ATO
Specific acknowledgment of notices or other communications is not required except as otherwise provided for under this CP.
The dispute resolution provisions shall be taken to cover any area covered by this CP. This includes but is not limited to contractual matters supported by this CP including the Conditions of Use.
The disputes relating to taxation legislation and its administration are to be dealt with in accordance with the normal requirements of the law (including administrative law) and reference should be made to the relevant ATO business line in the first instance.
If a dispute arises in connection with this CP, the parties undertake in good faith to use all reasonable endeavours to settle the dispute by negotiation or mediation.
If the parties are not able to resolve a dispute within 7 days from the date the dispute first arose, then the parties shall agree to jointly appoint an independent mediator, having appropriate qualifications and practical experience (mediator), for the purpose of resolving the dispute and agree to be bound by the decision of that mediator.
If the parties are not able to agree on a mediator within 14 days from the date the dispute first arose, then the parties agree to appoint the person nominated by the President for the time being of the Australian Institute of Arbitrators. Either party may request the President of the Australian Institute of Arbitrators to make such a nomination.
The parties will promptly furnish to the mediator (imposing appropriate obligations of confidence) all information reasonably requested by the mediator relating to the dispute.
The mediator will use all reasonable endeavours to render a decision within 30 days following receipt of the information or if this is not possible, as soon as practical thereafter, and the parties agree to co-operate fully with the mediator to achieve this objective.
The parties will share equally the fees and expenses of the mediator.
If a Party does not think that the process described above is appropriate, the Parties can agree a different process that is more suitable to the circumstances of the dispute.
Disputes between the ATO PKI and other government agencies will be resolved in accordance with arrangements agreed between the relevant parties.
No Fees will be payable for the initial issue of Keys and Certificates by the ATO PKI. Fees may be payable by an Entity in respect to the further issue, renewal, or revocation of Keys and Certificates and other services.
The ATO OCA will inform Entities prior to the imposition of any fees.
This CP is published under the International Standard Book Number (ISBN) system.
This CP is published electronically on the ATO PKI Web Site, see Appendix C.
Newly approved versions of this CP will be published promptly.
Access to Certificate information (including CRLs) within the Oracle based certificate database with X.500 directory format is limited to a single name search enquiry by officers within the ATO.
Appropriate Access Controls are used to ensure that only authorised personnel have the ability to write to or modify these items.
This CP must be published. There are no Access Controls on the reading of this CP. The ATO CA will publish this CP at the ATO PKI Web Site, see Appendix C.
As stipulated in the CPS.
The ATO has been granted Gatekeeper Accreditation by the GM, AGIMO in accordance with the Gatekeeper criteria and following successful evaluation by a team of AGIMO authorised independent evaluators.
The evaluation criteria have been defined by AGIMO and are published on the AGIMO web site, see Appendix C.
The ATO PKI will be audited from time to time in accordance with the terms of the Gatekeeper Head Agreement between the ATO and AGIMO to ensure compliance with the policies documented in this CP.
Any person engaged to perform an audit on the ATO PKI will have sufficient experience in the application of PKI and cryptographic technologies. Where audits are required under the conditions of Gatekeeper Accreditation the auditors will be selected by the ATO from the Gatekeeper Compliance Audit Panel.
Aside from the audit function, the auditor and audited party shall not have any current or planned financial, legal or other relationship that could result in a conflict of interest.
Topics covered by audit will include, but will not necessarily be limited to, the following, and will be set against the background of Gatekeeper policy and criteria, the ATO’s Approved Documents and industry and Australian standards:
- Physical Security.
- Documentation and process.
- Vetting of operations personnel.
- Technology.
- Privacy, including compliance with Information Privacy Principles set out in section 14 of the Privacy Act 1988.
Copies of the audit report must be submitted in confidence to both of the following:
- The Commissioner of Taxation
- The General Manager, AGIMO
When irregularities are found or in response to directions from the Gatekeeper Competent Authority (in accordance with the terms of the Memorandum of Agreement), the Commissioner of Taxation shall promptly oversee or implement appropriate corrective action to maintain compliance with Gatekeeper accreditation as well as trust in the operation of the ATO PKI, and report publicly on matters as appropriate.
The results of a Gatekeeper audit are confidential and will be communicated by the auditor only to authorised representatives of AGIMO and the ATO. While most aspects of the audit results will be made public by the ATO afterwards in consultation with AGIMO, some material may be confidential information. This will only apply to a limited amount of information. However the normal restrictions upon the release of ATO clients' information will apply as appropriate.
- The ATO is subject to the information security requirements of the Commonwealth’s Protective Security Manual. That manual requires information in the hands of agencies to be classified depending on the damage that release of that information would do to the Commonwealth and certain other entities. In this CP, the type of information that is able to be transmitted is information that receives an X-IN-CONFIDENCE classification (applies to non-national security information). Examples of types of X-IN-CONFIDENCE markings include Staff-in-Confidence, Security-in-Confidence, Commercial-in-Confidence and Audit-in-Confidence.
- The category of information “Commercial-in-Confidence“ is the type of information that entities are concerned to protect in the context of their business transactions. For the purposes of this CP, this category of information is called “Confidential Information“.
- Each entity must protect all categories of information it holds against unauthorised disclosure in accordance with the requirements of the Protective Security Manual.
Personal Information, as defined in the Privacy Act 1988 (Cth) (the Act), provided to the ATO is regulated by the Information Privacy Principles as set out in the Act. The ATO is bound by, and is required to operate fully within, the requirements of the Act.
No stipulation.
The requirements for the confidentiality and privacy of registration information are dealt with at section 2.8.1.1 of this CP, and in accordance with the secrecy provisions set out in legislation administered by the ATO.
At the time a registration record is created, information collected will include Personal Information.
Some of that information will, pursuant to ITU-T Recommendation X.500 (1993) ISO/IEC 9594-1:1993, Information technology - Open Systems Interconnection - The Directory: Overview of Concepts, Models and Services, and in accordance with the Distinguished Name conventions approved by Gatekeeper, be included in the Certificate Holder’s Certificate (see section 1.3.1.2.3 ATO OCA Certificates Issued).
All other information concerning the registration record will be considered confidential to the ATO clients and will not be disclosed.
The requirements for the confidentiality and privacy of Certificate Information are dealt with in accordance with the privacy and confidentiality requirements that apply to the ATO. These requirements are described in sections 2.8.1.1 and 2.8.1.3. The following Certificate Holder contact details may be published in a Certificate Holder's Public Key Certificate in compliance with X.509 standards:
- Entity name and Certificate Holder’s name in the End Entity's Distinguished Name in the Subject field.
- The Entity's e-mail address, or Universal Resource Location (URL), in the Subject Alternative Name field.
Entity contact information is maintained by the ATO as taxpayer information.
Certain details relating to an Entity may be available in the Register of Australian Business Numbers. The information in the Register is in accordance with the applicable legislation.
Information embodied in a Certificate in accordance with this CP is not considered to be confidential. All other information will be considered confidential to the relevant ATO client.
The ATO will inform potential Entities and Secondary Certificate Holders that the information included in the Certificates that identifies the Entity and the Secondary Certificate Holder will not be treated as confidential by the ATO PKI.
Certificate revocation information relating to Entities and their Secondary Certificate Holders, including information leading to a decision to revoke, will be kept confidential and not be publicly disclosed. A Certificate Revocation List will be released to ATO relying parties.
As a general principle, no document or record belonging to or held within the ATO PKI shall be released to law enforcement agencies or officials except where both of the following conditions are met:
- A properly constituted warrant is produced or the information is otherwise legally required to be disclosed; and
- The law enforcement official is properly identified.
If officers of the ATO need to obtain access to similar information, they must document the reason for access to the satisfaction of the relevant Assistant Commissioner with overall responsibility for the ATO PKI within the ATO (use contact details for the ATO CA at section 1.3.1.2 ATO OCA) in accordance with the requirements determined by the ATO PKI.
Despite anything above, the ATO PKI will not hold a copy of a Certificate Holder's Private Keys and accordingly it will not be able to make them available to any officer of the ATO or any law enforcement agency.
As a general principle, no document or record belonging to or held within the ATO PKI shall be released to law enforcement agencies or officials except where both of the following conditions are met:
- A properly constituted instrument that has emanated from a court having jurisdiction or an authority having legal jurisdiction requiring production of the information is produced; and
- The person requiring production is a person authorised to do so.
If officers of the ATO need to obtain access to similar information, they must document the reason for access to the satisfaction of the relevant Assistant Commissioner with overall responsibility for the ATO PKI within the ATO (use contact details for the ATO CA at section 1.3.1.1.2) in accordance with the requirements determined by the ATO PKI.
Despite anything above, the ATO PKI will not hold a copy of a Certificate Holder's Private Keys and accordingly it will not be able to make them available to any officer of the ATO or any law enforcement agency.
An Entity shall have full access to any information that it has provided to the ATO PKI, and shall be empowered to authorise release of that information to another person in accordance with the normal arrangements approved by the Commissioner of Taxation or under the Freedom of Information Act 1982 (Cth). Similarly, a Certificate Holder will have access to their information. However an Entity or Certificate Holder will not have access to any other person's registration record unless proper authorisation is given by the subject of that record.
Formal authorisation by the subject of a registration record may take two forms:
- A properly constituted electronic authorisation providing that the request is electronically signed by the subject’s valid Private Key; or
- By authorisation in writing.
No other release of information is permitted unless authorised by the person, the subject of the information, or unless required by law.
The use of this document in the preparation of this CP is gratefully acknowledged: Chokhani and Ford, RFC2527: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999 (© The Internet Society 1999).
The ATO warrants that it owns, or holds licences to, all relevant software which enables it to issue Keys and Certificates to Certificate Holders, and for the use of hardware and software in support of this CP.
The ATO warrants that:
a. it is the owner of any software; or
b. it is authorised to sub-licence any software;
c. it provides to an Entity/Certificate Holder, to be used to generate the Certificate Holder’s Key Pairs, and conduct communications with the ATO.
The ATO hereby licences, or sub-licences, as the case requires, the Entity and Certificate Holder to reproduce and use any software or other Intellectual Property the ATO provides to the Entity/Certificate Holder to enable the Entity and Certificate Holder to conduct any activity it is required, or authorised, to conduct under this CP.
The use of the PKIX IETF Guideline for drafting CP is acknowledged.
Unless stated otherwise in any contract between the ATO and Baltimore Technologies Limited (UK) (now part of Cybertrust Pty Ltd), all intellectual property rights including all copyright in all software or documents created by Cybertrust Pty Ltd (electronic or otherwise) belongs to and will remain the property of Cybertrust Pty Ltd. The ATO has licences to use the software and documentation required to operate the ATO PKI.
The use of the Cybertrust Pty Ltd standard certificate policy template is acknowledged.
Cybertrust Pty Ltd has licensed the ATO to use its background intellectual property.
The ATO holds the copyright in this CP.
Copyright in the Object Identifiers (OID) for this CP vest in the ATO.
Intellectual property rights in the Keys and Certificates issued to an Entity or Secondary Certificate Holder, or in Keys generated by the Secondary Certificate Holder, are dealt with in the Conditions of Use.
Information relevant to the initial registration of an Entity is contained in the requirements for the registration of an Australian Business Number (ABN). The identity of the Secondary Certificate Holder is confirmed by the Primary Certificate Holder that sponsors the Secondary Certificate Holder to the system by entering their details and requesting Keys and Certificates on their behalf.
Once the Primary Certificate Holder (whose identity and relationship with the entity has previously been established by the ATO), has entered the details of the potential Secondary Certificate Holder to the system and has requested Keys and Certificates on their behalf, and the ATO has validated such a request, finding the Primary Certificate Holder to be a holder of unexpired keys, the ATO will issue the Secondary Certificate Holder with the ATO Client Software and their Keys and Certificates.
Information relevant to the registration by ATO OCA is contained in the CPS.
Entities making their initial application for a Certificate under this CP are provided with the following information:
- A copy of the Conditions of Use.
- An explanation of the nature, purpose and effect of the use of Keys and Certificates.
- The web site addresses for this CP and the CPS.
The application shall involve 3 functions as listed below:
- Collection of information via the application for an ABN;
- Entry to the system of the Secondary Certificate Holder’s details by a Primary Certificate Holder; and
- Registration of the Entity under the A New Taxation System (Australian Business Number) Act 1999 (Cth).
All Entities and Certificate Holders require a distinguished name that is in compliance with the X.500 standard for Distinguished Names.
The ATO PKI approves naming conventions for the creation of distinguished names for Certificate applicants. Different naming conventions may be used in different policy domains.
Distinguished Names for Certificates must be meaningful. Pseudonymous names may not be used. Anonymous Certificates are not supported.
The normal operation of Certificate generation requires the insertion of the Entity’s name as part of the Distinguished Name.
Distinguished Names shall be unambiguous and unique.
Any dispute regarding a Distinguished Name will be resolved in terms of section 2.4.3.1 Process.
Recognition, Authentication and the role of trademarks is a commercial issue. Nothing in this CP shall prevent the use of a trademark in a Distinguished Name.
The means by which the ATO PKI establishes, at the time the Certificate is issued to a Certificate Holder, that the Certificate Holder is in possession of the Private Key corresponding to the Public Key included in the Certificate, are described in section 4.2.1.
The ATO OCA supports two Certificate issuing processes as follows:
- The ATO OCA generates the Keys and Certificates and delivers these to the Certificate Holder
- The Certificate Holder uses End User Key generation software to generate its own Key Pairs and then requests the ATO OCA to create, sign and deliver the associated Certificates.
Where the ATO OCA generates and delivers the Keys and Certificates, Certificate issue involves the downloading of Keys and Certificates from a secure Internet site and the use of a Personal Identification Code (PIC). In some cases Keys and Certificates can be delivered on diskette.
In the case of End User Key generation, the currently valid Keys and Certificates in the Certificate Holder's possession ensure the security and integrity of this kind of Key replacement process. The Certificate Holder downloads the Key Renewal applet from the secure ATO OCA web site and uses End User generation software to generate Key Pairs on the local machine. The Key Renewal applet sends Certificate requests and Public Keys via the Internet to the ATO OCA. The ATO OCA creates and signs the Certificates and delivers them to the Certificate Holder via the Internet.
To process an application for Keys and Certificates by an Applicant on behalf of an Entity, ATO PKI must:
a. verify the identity of the Organisation, under section 3.1.8;
b. verify the identity of the Applicant, under section 3.1.9; and
c. verify the authority of the Applicant to apply on behalf of the Organisation, under section 3.1.10.
An Entity’s identity is to be authenticated by reference to the Register of Australian Business Numbers and to the records of the ATO.
Please note that taxpayer information cannot be supplied to other persons.
A Secondary Certificate Holder’s identity is authenticated by the Primary Certificate Holder that sponsors the Secondary Certificate Holder to the system, by applying for Keys and Certificates on behalf of the Secondary Certificate Holder and, as a part of that process, identifying the Secondary Certificate Holder to the system.
A Secondary Certificate Holder's organisational status, in terms of holding and using Keys and Certificates on behalf of an Entity, is to be verified by checking that the Primary Certificate Holder vouches for the identity and status of the Secondary Certificate Holder; this may simply be by means of a signed certificate request, or may require additional information to be provided.
Secondary Certificate Holders may request that the ATO OCA issue new Keys and Certificates at the end of their operational period provided that:
- The request is made prior to the expiry of the current Keys and Certificates.
- With the exception of the Certificate Holder's e-mail address, the Certificate information has not changed.
- The current Keys and Certificates have not been revoked.
If any of these conditions are not met, the Entity must apply for new Keys and Certificates, and agree to be bound by the Conditions of Use.
Certificates are issued at the discretion of the ATO OCA. If a Certificate request is rejected, the ATO OCA must promptly inform the applicant. The ATO OCA is under no obligation to disclose the reason for the rejection of any Certificate request, except where required by law or government regulation.
Certificate Holders may generate replacement Authentication and Confidentiality Key Pairs, using ATO Client Software, on their local personal computer or on other computer systems they trust, provided that the conditions listed at Section 3.2 above are met.
If any of these conditions are not met, the Entity must apply for new Keys and Certificates, and again agree to be bound by the Conditions of Use.
Rekey is not permitted after Certificate revocation. A Secondary Certificate Holder requiring Keys and Certificates after revocation must again be sponsored to the system by a Primary Certificate Holder.
As stipulated in section 4.4.
A Primary Certificate Holder may apply for a Secondary Certificate for themselves. When renewing a Primary Certificate, the Primary Certificate Holder has the option of choosing to be renewed as a Secondary Certificate Holder. If the Primary Certificate Holder takes up this option, the Secondary Certificates issued as a result will be governed by this CP and by the Conditions of Use at Appendix A.
However, the Primary Certificate Holder will cease to be a Primary Certificate Holder only when their Primary Keys and Certificates have been revoked. Therefore it is possible for an individual to be both a Primary and a Secondary Certificate Holder (although this would normally only be for a short period of time).
An application for registration conducted by a Primary Certificate Holder on behalf of an individual will be taken as an application for a Gatekeeper ATO Secondary Certificate which is to be issued in accordance with this CP.
A Secondary Certificate shall be issued to the Secondary Certificate Holder on the Entity's behalf only after completion of the registration process. See section 3.1 Initial Registration. On completion of the registration process, the Secondary Certificate Holder will be issued with Private Keys and associated Certificates. A set of Keys and Certificates shall have a maximum validity period of:
The expiry date shall be calculated as the second anniversary of the date on which the ATO OCA generated the Keys and Certificates.
Keys and Certificates issued by the ATO OCA will be issued and distributed in accordance with AD01: Certification Authority Operations Manual for ATO CA and ATO OCA.
The Keys issued for Entities by the ATO OCA are produced and supplied through systems that ensure that the ATO will not be able to access the Certificate Holder’s Private Keys, as described in AD01: Certification Authority Operations Manual for ATO CA and ATO OCA.
Keys and Certificates issued by the ATO OCA will be distributed over the Internet.
Web distribution ensures the integrity of a Certificate Holder’s Keys and Certificates which are issued by the ATO OCA, when they are initially downloaded by the client over the Internet. Web distribution has the following main features:
- A random 8 character password for web access is generated
- A randomised web location is created
- An electronic mail message is generated and sent to the Certificate Holder to notify the web location where the Private Keys and Certificates are located
- The password for web access and a personal identification code for decryption of the Private Keys and Certificates is posted to the Certificate Holder via Australia Post
- The Secondary Certificate Holder connects to the ATO PKI web site, goes to the web location where the Private Keys and Certificates are located and enters a password in order to download the Keys and Certificates
- Once the Secondary Certificate Holder has successfully downloaded the Private Keys and Certificates file, the copy on the web server is deleted. An audit log of deleted Private Keys and Certificates is maintained and checked periodically by an ATO PKI operator
- The Secondary Certificate Holder uses the personal identification code that was mailed to get access to, and decrypt, the Private Keys and Certificates that were downloaded.
Certificates are issued at the discretion of the ATO OCA. If a Certificate request is rejected, the ATO OCA will promptly inform the applicant. The ATO OCA is under no obligation to disclose the reason for the rejection of any Certificate request, except where required by law or government regulation.
All Certificates begin their operational period on the date of issue unless otherwise stated on the Certificate. The operational period of a Certificate is governed by this CP.
The expiry date of issued Certificates must not result in an operational period greater than that permitted by the above instruments. In the event that a Certificate is issued with a greater than permitted operational period, the Certificate will be revoked by the ATO OCA.
By using the Private Keys and Certificates, the Secondary Certificate Holder and the Entity agree to be bound by the continuing responsibilities, obligations and duties imposed on them by Conditions of Use, and this CP.
The ATO OCA will revoke Certificates used in accordance with this CP if any of the events listed in section 4.4.1 occur and will inform relevant Entities of that fact at the earliest opportunity.
Where the ATO OCA proposes to initiate action to revoke a Certificate, the Entity will be advised of the proposed revocation by the ATO OCA in writing and given an opportunity to oppose that action.
In the event that the revocation subsequently proves unjustified, the ATO OCA will issue new Keys and Certificates to the Certificate Holder or Holders as required.
Certificates shall be revoked by the ATO OCA where any one of the following circumstances arises:
- The associated Private Keys are compromised.
- Media holding the associated Private Keys are compromised.
- The Entity ceases to hold an Australian Business Number.
- The Certificate Holder ceases to represent the Entity.
- There has been improper or faulty issue of the Keys and Certificates.
- The Certificate information becomes inaccurate.
- The ATO CA or ATO OCA ceases to operate.
- The ATO OCA believes that it is appropriate in the circumstances.
- The ATO OCA receives a request from the Entity or the Certificate Holder in accordance with 4.4.3 Procedure for Revocation Request.
Certificate revocation may be initiated by:
- The ATO OCA.
- The Certificate Holder who is named in the Certificate.
- The Entity who is named in the Certificate.
- Authorised third parties.
Authorised third parties may request Certificate revocation through the ATO OCA. Such authorised parties include, but are not limited to:
- Third parties with Power of Attorney from the Entity or the Certificate Holder, in which case the ATO OCA must verify the Power of Attorney and the identity of the relevant person.
- A Tax Agent with written authority signed by the Public Officer or other person authorised to act on behalf of the Entity.
- An Australian court with jurisdiction to require that the ATO OCA take such action or a person authorised by such a court to administer the affairs of an Entity, in which case the ATO OCA must confirm the validity of the court order.
A court order for Certificate revocation may be served directly on the ATO OCA.
To process a revocation request, ATO OCA must do all of the following:
- Receive and authenticate the signed request.
- Determine whether the Certificate should be revoked.
- If the Certificate Holder's Certificate is revoked, publish notice of revoked Certificates in the ATO OCA CRL for use within the ATO.
- If the Certificate is revoked, issue a notice confirming the revocation of the Certificate, and the date and time that Certificate is revoked, to the Entity and the Certificate Holder. The notice need not include the reason for revocation.
Revoked Certificates are not deleted from the ATO OCA Oracle-based certificate database until they are archived in accordance with this CP.
The Certificate Holder who has had a Certificate revoked should do either of the following:
- Continue to safeguard the Private Keys associated with the revoked Certificate until the date of Certificate expiry; or
- Securely destroy the Private Keys associated with the revoked Certificate.
The revocation request grace period is 28 days.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
As stipulated in CP.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
The ATO PKI is required to maintain adequate records and maintain archives of information pertaining to the operation of the ATO OCA.
Records that are required to be kept include:
- Registration records.
- Key generation requests.
- Certificate generation requests.
- Certificate issuance records, including CRLs.
- Audit records including security related events.
- Revocation records.
- Successive versions of this CP (including the Conditions of Use) and the CPS.
Processing of logs shall be undertaken at the following frequencies: annually, monthly, weekly and daily.
Audit logs shall be maintained on site for a minimum period of three months and a maximum period of twelve months. The audit log shall be retained in archives for a minimum period of seven years or such other time (not exceeding ten years) as required to meet the National Archives of Australia (NAA) requirements, and then transferred to the NAA.
Audit logs are protected by a special user account and password known only to the officer carrying out audit duties. Audit logs will not be modified, and will not be deleted without backup.
The ATO PKI shall establish and maintain a backup procedure for audit logs.
The ATO PKI audit collection system is a combination of automated and manual processes performed by the CA or RA operating system, the CA or RA application, and by operational personnel.
ATO PKI operations personnel shall notify the ATO PKI security administrator when a process or action causes a critical security event or discrepancy in accordance with the procedures put in place to meet the requirements of SE01: Security Policy.
A Protective Security Risk Review (PSRR) has been completed for the ATO PKI. This PSRR covered the overarching risks and threats that may impact the ATO PKI.
The ATO PKI shall maintain an archive of relevant records described in this CP.
The following information shall be archived by the ATO PKI:
- Audit logs of the ATO OCA.
- Certificate request information.
- Certificates, including CRLs generated.
- Complete backup records.
- Copies of e-mail logs.
- Formal correspondence.
- Previous versions of this CP and the CPS.
Certificate Holders' Private Keys are never held within the ATO PKI or by the ATO.
Certificates issued by the ATO OCA under this CP shall be archived for a minimum period of seven years from the date when they expire, unless another period is specifically required in accordance with arrangements put in place with the National Archives of Australia.
Audit trail information shall be kept for a minimum period of seven years from the date of generation, unless a longer period is specifically agreed to by the ATO PKI.
Archive media shall be protected by Physical Security, either alone or in combination with cryptographic protection. It is also protected from environmental factors such as temperature, humidity, and magnetism. The archive will be protected against modification and unauthorised deletion.
Archive backup procedures have been established by the ATO PKI to ensure complete restoration of current service or verification.
Trusted third party time stamping is not supported under this CP, but nothing in this CP will operate to prevent a third party from offering that service outside of this CP.
Archiving shall be done by the ATO OCA. Detailed procedures for back-ups, archiving and storage have been set out in the ATO PKI Protective Security Plan.
The integrity of the archives shall be verified in accordance with the criteria set out in the ATO PKI Protective Security Plan:
- Annually at the time of the programmed security audit.
- At any time when a full security audit is required.
- At the time that the archive has been prepared.
ATO OCA Key changeovers shall:
- Be effected by the ATO PKI in such a manner as to cause minimal disruption to Certificate Holders and Entities
- Require a minimum notice period of three months to Entities and Certificate Holders.
The ATO PKI shall, in accordance with the requirements in the CPS, maintain detailed documentation covering:
- Contingency planning and disaster recovery.
- Configuration baseline of the ATO OCA.
- Back-up, archiving and offsite storage.
These plans will be made available to those persons responsible for conducting a security audit of the ATO PKI and to persons responsible for conducting these tasks.
The Configuration Baseline plan, Back-up plan, Archiving plan, and Disaster Recovery and Business Continuity plan shall provide direction for identifying component failure, and subsequent service restoration.
The ATO OCA has a Key and user compromise plan that addresses the actions to be taken in the event that the ATO OCA Private Key is compromised or its Certificate is revoked.
No stipulation.
Backup, archive and offsite storage shall be managed in accordance with the configuration baseline and associated back-up, archiving and offsite storage plan.
The ATO PKI has a Disaster Recovery and Business Continuity Plan that addresses, in accordance with the outline in the CPS, the actions to be taken in order to restore core business operations as quickly as practicable when systems operations have been significantly and adversely impacted by fire, strikes, and so on.
If the operation of the ATO OCA is terminated for any reason, the ATO OCA will endeavour to give Entities as much warning as possible and put in place alternative arrangements.
The ATO is committed to providing a secure process that will enable Entities and Certificate Holders to discharge their obligations in a cost effective and efficient manner.
The primary site location of the ATO PKI shall be in a secure operating environment at the ATO Computer Centre at Bruce in the ACT.
A second, alternative site location of the ATO PKI shall be in a secure operating environment at the EDS Computer Centre at Burwood in Sydney, NSW. The site will become operable if recovery of the primary site from a disaster cannot be achieved within a specified timeframe.
The ATO PKI shall be operated within secure physical environments within the areas that meet the standards required by ACSI 33 CR2 as required by the Defence Signals Directorate (DSD). The security of the location has been reviewed by ASIO T4.
The ATO shall permit entry to their secure operating areas only to authorised personnel, and to authorised visitors under the constant supervision of an authorised person. The number of personnel authorised to enter the area shall be kept to a minimum and a log shall be maintained of all accesses.
The secure operating areas are connected to a standard power supply. All critical components are connected to uninterrupted power supply (UPS) units, to prevent abnormal shutdown in the event of a power failure.
The areas have an air conditioning system to control the heat and humidity that is independent of the building air conditioning system.
The secure operating areas are protected against water exposure by being located on an above ground floor of an office building that shall not be in a flood zone, and shall have a built-in raised floor.
Suitable fire extinguishers are maintained in the secure operating areas, to guard against the possibility of fire.
All magnetic media containing ATO OCA information, including backup media, are stored in containers, cabinets or safes with fire protection capabilities and are located either within the service operations areas or in secure off-site storage areas.
Paper documents and magnetic media containing the ATO OCA Private Key or commercially sensitive or confidential information are securely disposed of by:
- In the case of magnetic media – physical damage to, or complete destruction of, the asset; and
- In the case of printed material – shredding, or destruction by an ATO approved service.
Certificate Holders are encouraged to follow similar procedures.
ATO endorsed off site storage agents are used for the storage and retention of backup ATO PKI software and data.
The off site storage:
- Shall be available to authorised personnel 24 hours per day seven days per week for the purpose of retrieving software and data.
- Has appropriate levels of Physical Security in place and staff in Positions of Trust.
In order to ensure that one person acting alone cannot circumvent the entire system, the area where the servers and work stations required to operate the ATO PKI are located is a declared no-lone zone, where two people are required to carry out an operation.
To gain access to a machine, two Keys are required to be inserted and turned simultaneously to open the cabinet securing the machine. All actions carried out in the vicinity of a cabinet containing a machine are captured on video tape.
Staff are vetted for Positions of Trust in accordance with section 5.2.3 Identification and Authentication for Each Trusted Position.
Once access is gained to the work station, one person performs the task while the other audits the task performance to ensure it is done properly. All keystrokes with the exception of passwords typed on a keyboard attached to a machine are captured and recorded in an audit log.
At a minimum, the following roles are established at each location:
- System Administrator.
- Security Administrator.
Separate individuals fill each of the roles described above. This provides the maximum security and affords the opportunity for the greatest degree of checks and balances over system operation. However:
- A single individual may assume the role of the System Administrator; and
- The Security Administrator shall always remain separate from the System Administrator in order to provide an independent review of the audit log; and
- Any task requiring the creation, backup or importation into a database of the ATO OCA’s Private Key shall involve two trusted persons, one performing the function and the second fulfilling a security monitoring role.
Persons filling trusted roles undergo a formal vetting process, conducted by the Australian Security Vetting Service, for a designated Position of Trust.
The recruitment and selection practices for ATO PKI services personnel take into account the background, qualifications, experience and clearance requirements of each position, which is compared against the profiles of potential candidates.
Background checks are conducted on all persons selected to take up a trusted role in accordance with the designated security screening procedure for a Position of Trust (see section 5.2.3 Identification and Authentication for Each Trusted Position above), prior to the commencement of their duties.
All ATO PKI services personnel staff are trained in:
- Basic PKI concepts.
- The use and operation of the certification authority, organisation certification authority and registration authority software, as certified by DSD. See Appendix C for details of the DSD web site.
- Documented ATO OCA procedures.
- Privacy legislation and practices within the ATO.
- ATO's confidentiality requirements for the protection of taxpayer information including the requirements in the taxation legislation and the Crimes Act 1914 (Commonwealth).
- Computer security awareness and procedures.
- The meaning and effect of this CP, and the CPS required for the operation of the ATO PKI.
ATO PKI services personnel staff receive a security briefing update at least once a year.
Training in the use and operation of the certification authority, organisation certification authority and registration authority software is provided when new versions of the software are installed.
Remedial training is completed as required or when recommended by audit comments.
The ATO PKI may implement formal job rotation practices (for example through formal reliefs). Where formal job rotation is not implemented, cross-training activities are conducted to ensure operations continuity.
Unauthorised actions by ATO PKI services personnel staff are submitted to appropriate authorities including, but not limited to, the Security Administrator for further investigation and any appropriate action.
ATO PKI services personnel (management or operational) may be contractors who are appointed in writing and given written notification of the terms and conditions of their position. They are normally assigned full-time to their responsibilities.
ATO PKI services personnel have access to the relevant:
- Hardware and software documentation.
- Policy documents, including this CP.
- Operational practice and procedural documents, including the CPS required for the operation of the ATO PKI
Initial Keys and Certificates will always be generated for the Certificate Holder by the ATO OCA. Subsequently, the Certificate Holder will have the option to generate Key Pairs locally and send Certificate information and the Public Keys to the ATO OCA for authentication and creation of signed Certificates containing the tightly bound Public Keys, which are sent back to the Certificate Holder.
See section 4.2.1 Certificate Issue Process.
See section 4.2.1 Certificate Issue Process.
The ATO OCA’s Public Key is available from the ATO PKI Web Site, see Appendix C.
Keys for Entities that have been generated by the ATO OCA will be made available in accordance with the requirements of section 4.2.1 Certificate Issue Process.
Keys issued by the ATO OCA under this CP will be a minimum of 1024 bits.
Where the Certificate Holder uses End User Key Pair generation the keys generated will be a minimum of 1024 bits.
The parameters used to create Public Keys shall be generated by the ATO OCA. This is irrespective of whether the ATO OCA generates the Public Keys or the Certificate Holder uses End User Key Pair generation.
The quality of Public Key parameters shall be automatically checked by the CA software operated by the ATO OCA.
ATO OCA key generation shall be performed in hardware or software as prescribed by the DSD certification requirements and the Gatekeeper Accreditation requirements.
Entities' Keys may be used for the purposes and in the manner described in section 1.3.4 Applicability.
Cryptographic modules that may be in use from time to time as part of the operations of the ATO OCA comply with DSD certification requirements and Gatekeeper Accreditation requirements.
Keys used by the ATO OCA are generated and stored in software evaluated to Gatekeeper standards (up to ITSEC E3 certification).
The ATO OCA's Private Keys are under multi-person control.
Private Key escrow is not supported by the ATO PKI.
The ATO OCA's Private Keys are stored in an encrypted database, which is backed up under further encryption with backup copies maintained on site and in secure off site storage.
The ATO does not hold copies of Private Keys issued to Certificate Holders or Entities.
See section 4.6.2.1 Secure Maintenance of Keys.
A Certificate Holder's Private Key is generated in the cryptographic software.
The software supplied to an Entity by the ATO is designed to ensure that the Private Keys will be activated by the software issued to the Entity.
The software supplied to an Entity by the ATO is designed to ensure that the Private Keys will be de-activated when the Entity software application is terminated.
The software supplied to an Entity is designed to ensure that the Private Keys in memory are destroyed by overwriting them with zeros when the software shuts down.
The ATO OCA shall archive its Public Key. The Public Keys for archival will be stored on suitable electronic media, and archived in accordance with the relevant clauses in sections 4.6.2 and 4.6.3.
The usage period for the ATO OCA Private Key and Public Key is six years.
No activation data other than Access Control mechanisms shall be required to operate the cryptographic software supplied to an Entity.
No activation data other than Access Control mechanisms will be required to operate the cryptographic software supplied to an Entity.
No stipulation.
The ATO PKI has established a System Security Plan that incorporates computer security technical requirements for the operation of the ATO PKI.
The ATO PKI has established a System Security Plan that incorporates computer security ratings for the operation of the ATO PKI.
ATO PKI operational software has been developed in a controlled environment employing appropriate quality controls.
System security management is controlled by the privileges assigned to operating system accounts, and by the trusted roles described in section 5.2.1 Trusted Roles.
The ATO PKI has established a Protective Security Risk Review that identifies and addresses all high or significant life cycle security threats.
The ATO PKI has established a Protective Security Risk Review that identifies and addresses all high or significant network security threats.
The ATO PKI has established a Protective Security Risk Review that identifies and addresses all high or significant cryptographic module engineering security threats.
The ATO PKI supports and uses X.509 Version 3 Certificates, which carry v3 in the version field (encoded as the integer value 2).
The ATO PKI supports and uses X.509 Version 3 Certificate extensions. The Certificate issued to the Secondary Certificate Holder uses the following Standard Extensions:
Extension | Status | Usage
Key Usage | critical | Distinguishes between Authentication and Confidentiality Certificates
Certificate Policies | non-critical | Provides: OID for CP; URL for CPS and policy qualifier text
Subject Alternative Name | non-critical | Contains Secondary Certificate Holder's e-mail address
The Certificate issued to the Secondary Certificate Holder uses the following Private Extensions:
Extension | Status | Usage
ABN | non-critical | Australian Business Number of the Entity
CAC | non-critical | Client Activity Centre
CARN | non-critical | CA Reference Number
The status assigned to an extension determines how the Certificate is treated by an application validating the Certificate:
- If the validating process does not recognise an extension designated as critical, the Certificate will be rejected
- If the validating process does not recognise an extension designated as non-critical, the extension may be ignored and the Certificate accepted
The algorithms supported and used within the ATO PKI, and the OIDs that identify them, are:
Algorithm Type | Algorithm | Object Identifier
Encryption | RSA | 1.2.840.113549.1.1.1
Signature | Message Digest 5 (MD5) with RSA | 1.2.840.113549.1.1.4
Signature | Secure Hash Algorithm-1 (SHA-1) with RSA | 1.2.840.113549.1.1.5
Encryption | Triple DES | 1.3.6.1.4.1.4929.1.6
Hashing | SHA-1 | 1.3.14.3.2.26
Hashing | MD5 | 1.2.840.113549.2.5
Padding | PKCS#1 | 1.2.840.113549.1.1
Web Encryption | RC2 | RFC 2268
Web Encryption | RC4 | 1.2.840.113549.3.4
The use of multiple algorithms within the same hierarchy will be supported.
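The following Python code is an added illustration and is not ATO PKI software or part of this CP. It builds a DER-encoded Extensions sequence shaped like the Secondary Certificate Holder tables above (Key Usage critical, the rest non-critical), parses it back, applies the critical / non-critical rule from the previous section, and maps a DER AlgorithmIdentifier to the names in the OID table. The private-extension OIDs, the CP OID, the e-mail address and the ABN value are placeholders (the 2.999 arc is reserved for documentation examples); the real ATO identifiers are not given on this page.

```python
# Added example, not ATO PKI software: minimal DER handling for X.509 v3 extensions, the
# critical / non-critical rule a validating application applies, and an OID table lookup.
KEY_USAGE, CERT_POLICIES, SUBJECT_ALT_NAME = "2.5.29.15", "2.5.29.32", "2.5.29.17"  # id-ce arc
# No private-extension or CP OIDs are given on the page; 2.999 (the documentation-example
# arc) stands in for them, so these four values are placeholders only.
ABN_EXT, CAC_EXT, CARN_EXT, CP_OID = "2.999.1", "2.999.2", "2.999.3", "2.999.100"
ALGORITHM_OIDS = {  # identifiers from the policy table
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.113549.1.1.4": "MD5 with RSA",
    "1.2.840.113549.1.1.5": "SHA-1 with RSA",
    "1.3.14.3.2.26": "SHA-1",
    "1.2.840.113549.2.5": "MD5",
}

def tlv(tag, body):  # one DER tag-length-value element (long-form length when needed)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def _base128(v):
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share one sub-identifier
    return tlv(0x06, b"".join(_base128(s) for s in subids))

def decode_oid(body):
    subids, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    a0 = 0 if subids[0] < 40 else 1 if subids[0] < 80 else 2
    return ".".join(str(x) for x in [a0, subids[0] - 40 * a0] + subids[1:])

def read_tlv(buf, pos=0):
    """Return (tag, value, offset after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_extension(oid, critical, value):
    body = encode_oid(oid)
    if critical:  # critical BOOLEAN DEFAULT FALSE, so DER omits it when FALSE
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def parse_extensions(der):
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical, value) tuples."""
    _, seq, _ = read_tlv(der)
    pos, out = 0, []
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext)
        tag, body, p = read_tlv(ext, p)
        critical = tag == 0x01 and body != b"\x00"
        if tag == 0x01:
            _, body, p = read_tlv(ext, p)
        out.append((decode_oid(oid_body), critical, body))
    return out

def evaluate_extensions(extensions, recognised):
    """CP rule: unrecognised critical -> reject; unrecognised non-critical -> ignore, accept."""
    ignored = []
    for oid, critical, _value in extensions:
        if oid in recognised:
            continue
        if critical:
            return "rejected", oid
        ignored.append(oid)
    return "accepted", ignored

def sample_secondary_holder_extensions():
    """Constructed sample shaped like the two tables above; every value is a placeholder."""
    key_usage = tlv(0x03, b"\x07\x80")  # BIT STRING digitalSignature: an Authentication Certificate
    policies = tlv(0x30, tlv(0x30, encode_oid(CP_OID)))  # one PolicyInformation, no qualifiers
    san = tlv(0x30, tlv(0x81, b"holder@example.com"))  # GeneralNames holding one rfc822Name
    return tlv(0x30, b"".join([
        encode_extension(KEY_USAGE, True, key_usage),
        encode_extension(CERT_POLICIES, False, policies),
        encode_extension(SUBJECT_ALT_NAME, False, san),
        encode_extension(ABN_EXT, False, tlv(0x13, b"00000000000")),  # PrintableString placeholders
        encode_extension(CAC_EXT, False, tlv(0x13, b"CAC-PLACEHOLDER")),
        encode_extension(CARN_EXT, False, tlv(0x13, b"CARN-PLACEHOLDER")),
    ]))

def algorithm_name(der):  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters } -> table name
    _, seq, _ = read_tlv(der)
    _, oid_body, _ = read_tlv(seq)
    return ALGORITHM_OIDS.get(decode_oid(oid_body), "not listed in the CP")
```

Calling evaluate_extensions(parse_extensions(sample_secondary_holder_extensions()), {KEY_USAGE, CERT_POLICIES, SUBJECT_ALT_NAME}) returns the Certificate as accepted with the three private extensions ignored, because they are non-critical; an application that leaves KEY_USAGE out of its recognised set gets the Certificate rejected on "2.5.29.15", because Key Usage is critical. The md5WithRSA and sha1WithRSA identifiers are kept as the policy recorded them in 2007; neither digest is acceptable for new signatures today, so a relying application should treat those OIDs as legacy identifiers to recognise, not as grounds to accept a fresh signature made with them.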
Certificates issued by the ATO OCA contain the full X.500 distinguished name of the ATO OCA and Primary Certificate Holder.
Anonymous or pseudonymous names will not be supported.
The OID of this CP is carried in the Certificate Policies standard extension of X.509 Certificates and is published in this CP.
The ATO OCA supports the use of the Policy Constraints extension.
The ATO OCA supports the use of syntax and semantics policy qualifiers.
For the extensions used by Certificates issued by the ATO OCA, see section 1.3.1.2.3 ATO OCA Certificates Issued.
The ATO PKI supports and uses X.509 Version 2 CRL entry extensions for CRLs that are publicly available.
The ATO PKI supports and uses X.509 Version 2 CRL entry extensions for CRLs that are publicly available under the relevant CP.
The ATO PKI has a Policy Management Authority (PMA) which has the responsibility for setting Certificate Policy direction for the ATO PKI. Changes to Evaluated Documents are approved by the GM, AGIMO. For contact details for the ATO PMA see section 1.3.0.2.
Each CP operated within the ATO PKI has been allocated an OID. The OID provides a unique identification for the CP and includes a policy version number. Details of the OID are at section 1.2.3 OID for this CP.
See paragraph 8 at the beginning of this CP.
The CPS is published on the ATO web site as in Appendix C.
The CPS is evaluated and approved by a member of Gatekeeper Legal Evaluation Panel.
Appendix C
- ATO PKI Certificate Policy and Certification Practice Statement Documents
There is a requirement for this and other ATO PKI Certificate Policy and Certification Practice Statement documents to be available via the Internet. To access these documents do the following:
Go to: http://www.ato-pki.ato.gov.au/
In this document the repository for the ATO PKI Certificate Policy and Certification Practice Statement documents and the instructions above are referred to as the ATO PKI Web Site.
- Australian Government Information Management Office (AGIMO)
- Defence Signals Directorate (DSD)
- Web Site for Cybertrust Pty Limited
- Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- Web Sites for Further Information About PKI
ATO Secondary Gatekeeper approved issued by ATO OCA.
Last Modified: Friday, 27 April 2007