Tele-meeting verification process for RAs and random signature code generation
... this information is valid from April 22nd onwards ...
Suitable trained and qualified registration authorities may perform
tele-meeting verification of applicant registration forms and photo-ID
documents, provided they comply with the CP/CPS requirements, listed
on this page, below the unique pseudorandom number.
What the RA must collect
The RA must collect, during the tele-meeting with the applicant, the
following information, and forward this information directly to the
CA operation staff, either by (signed) email or through a SURFfilesender
upload:
- date and time of the tele-meeting with the applicant
- tele-meeting mechanism used (SURFvideobellen, CERN Vidyo, Skype, Zoom, &c)
- the unique code to be given to the applicant during the meeting; this time it should be (note: it changes if you refresh this page and is specific to you as the viewer, so record it now):
541394798
- the phone number used for call-back or sending the unique code (this number is on the form already, not new personal data)
- the organisational affiliation of the applicant based as per the existing business relationship
Send this data promptly after the meeting to ca @ dutchgrid . nl from your own RA email address, via your regular institutional mail server, to expedite processing.
Once the electronic CSR has been received from the applicant (or after we get the mail from you as the RA), the CA operator will invite the applicant to upload the application form using SURFfilesender, using the institutional email address provided during request upload.
RA tele-meeting process and requirements
The RA must follow the processes as detailed in section 3.1.9 of the
Certificate Practice Statement of the Legacy DutchGrid CA.
Allowed is a video-supported tele-meeting in which the applicant meets
with the RA, during which the photo-ID document is presented and
verified for authenticity.
In addition, all of the following checks must be made and conditions met:
- the RA and the applicant must have a pre-existing business relationship,
- the RA must initiate the tele-meeting, and the tele-meeting shall have at least a resolution and quality sufficient to verify the authenticity details of documents and read documents shown in front of the camera, and be over secure channels when traversing the public internet,
- the RA shall only authenticate documents of which the RA is familiar with their physical form and authenticity properties, and verify such properties, including holographic and transparency elements,
- unless deemed infeasible by the RA, the applicant shall demonstrate authenticity of photo-ID documents by showing - on video during the meeting - their real-time read-out via NFC, e.g. using the ReadID app, and show the serial number thus read-out to the RA over video,
- the application form, including the digest of the public key pair information, shall be completely filled by the applicant and shown legibly to the RA during the tele-meeting,
- the RA shall, to the extent possible, confirm the liveness of the applicant and the likeness with the image on the presented photo-ID,
- the applicant shall sign the application form during the tele-meeting,
- the RA shall generate (invent) a one-time unique code of at least 8 digits, and communicate this to the applicant during the tele-meeting by calling or sending a text message to the phone number written on the vetting record, and verify that the applicant writes this code in lieu of the signature of the RA on the vetting record. (see above for what is needed, including a random code for the RA)
The unique code will be checked by the CA contacting the RA, or vice versa, using independent means before issuance. The digest of the public key pair information (POP challenge) will be checked against the electronically submitted CSR following the standard procedure. When the application form is submitted electronically using Filesender as per section 2.1.2, the CA shall in addition validate the email address as provided on the application form via this method.
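As an added example (not part of this page or of the DutchGrid CA's own tooling), the Python below shows how an RA could draw the one-time code from the OS CSPRNG so that it meets the "at least 8 digits" rule without bias or predictability, how the fields listed above could be recorded, and how the CA could compare the RA-reported code with the code the applicant wrote on the vetting record. The record structure and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

MIN_CODE_DIGITS = 8  # CPS requirement quoted on this page: "at least 8 digits"


def generate_unique_code(digits: int = MIN_CODE_DIGITS) -> str:
    """One-time code of exactly `digits` decimal digits from the OS CSPRNG.
    secrets.randbelow is uniform (no modulo bias); zfill keeps leading zeros,
    so a code such as "00471923" is valid and as likely as any other."""
    if digits < MIN_CODE_DIGITS:
        raise ValueError(f"code must have at least {MIN_CODE_DIGITS} digits")
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def is_acceptable_code(code: str) -> bool:
    """CPS minimum: ASCII decimal digits only, at least 8 of them."""
    return code.isascii() and code.isdigit() and len(code) >= MIN_CODE_DIGITS


@dataclass(frozen=True)
class TeleMeetingRecord:
    """What the RA forwards to the CA (hypothetical structure; the fields
    mirror the bullet list on this page)."""
    meeting_time: str       # ISO 8601 date and time of the tele-meeting
    mechanism: str          # e.g. "SURFvideobellen", "Zoom"
    unique_code: str        # code called/texted to the applicant
    callback_phone: str     # number already on the application form
    affiliation: str        # organisation, per the existing business relationship

    def __post_init__(self) -> None:
        if not is_acceptable_code(self.unique_code):
            raise ValueError("unique code does not meet the 8-digit minimum")


def ca_code_matches(reported_by_ra: str, written_on_form: str) -> bool:
    """CA-side check: the code written in lieu of the RA signature must equal
    the code the RA reported over an independent channel. Constant-time
    comparison, so the check itself leaks nothing about the value."""
    return hmac.compare_digest(reported_by_ra.strip(), written_on_form.strip())


if __name__ == "__main__":
    code = generate_unique_code()
    rec = TeleMeetingRecord("2xxx-04-22T10:30:00Z (constructed)", "SURFvideobellen",
                            code, "+31 6 0000 0000 (constructed)", "Example Institute")
    print(rec, ca_code_matches(rec.unique_code, code))
```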
Submitting the application form electronically
The certificate application form may be submitted electronically
through the SURFfilesender service, provided that:
- the address of record of the applicant is verified by initiating the transfer by the CA operator and sending an 'upload voucher' to the applicant. The validity period of the voucher shall not exceed 8 days,
- the applicant uploads the document(s) using the voucher URL provided,
- if initial identity vetting of the applicant was via tele-meeting only, the CA - at its own discretion - may demand that the uploaded documents be encrypted with a secret that is communicated to the applicant by telephone or text message using the number provided on the vetting record (section 9 of the application form), thereby verifying the phone number,
- otherwise, the applicant may opt to encrypt the transfer and send the secret to the CA by other means, to allow the CA operator to decrypt the submitted documentation.
After receipt, the document(s) will be printed by the CA operator and removed
from all electronic storage. The document(s) will be removed from SURFfilesender
following the period set by the applicant, but at most after 21 days.