Salient Features of the Security Guidelines for Certification Authorities

Introduction 

  1. The security guidelines establish the security criteria for the management, systems and operations of certification authorities (CAs). The guidelines are aimed at protecting the integrity, confidentiality and availability of certification services, data and systems.
        
  2. CAs that intend to be licensed by the Controller of Certification Authorities (CCA) are required to comply with the mandatory criteria stated in the security guidelines. The guidelines supplement the provisions in the Electronic Transactions Act and its Regulations.

Overview of Guidelines

  1. The guidelines address the security criteria for the following certificate management functions performed by the CA:
    1. identification and authentication of registration, suspension and revocation requests;
    2. generation, issuance, suspension and revocation of certificates; and
    3. publication and archival of certificates and their suspension or revocation information.
         
  2. The main topics covered in the security guidelines are:
    1. overall management and obligations of a CA;
    2. certificate management;
    3. key management;
    4. systems and operations; and
    5. application integration. 

Overall Management and Obligations of a CA

  1. As the CA performs a trusted role from which digital certificates derive their legitimacy, the CA must be managed with high levels of integrity and security.
     
  2. The CA must disclose adequate information to its subscribers and relying parties on the assurance level(s) of the certificates that it issues and the limitations of its liabilities. This is to enable the users to make informed choices on the types of certificates that meet their usage requirements.
     
  3. Security and risk management controls must be instituted to ensure that security policies and safeguards are in place. Such controls include personnel security and incident handling measures to prevent fraud and security breaches.

Certificate Management

  1. To ensure the integrity of its digital certificates, the CA must implement appropriate security controls in the certificate management processes, i.e. certificate registration, generation, issuance, publication, renewal, suspension, revocation and archival.
     
  2. The CA must enforce an adequate authentication method to verify the identity of the applicant of a digital certificate. The identity authentication method shall be commensurate with the level of assurance accorded to the certificate.
      
  3. The CA must implement suspension and revocation procedures to suspend or revoke certificates once such requests have been verified to be valid. Suspension and revocation information must be published within the time interval specified in the Certificate Practice Statement (CPS) of the CA.
      
  4. The CA must ensure the continued accessibility and availability of its certificate repository to its user community, i.e. its subscribers and relying parties.
      
  5. The CA must maintain a secure archive of its subscribers' certificates and registration information for the minimum period stipulated in the Regulations to facilitate verification of digital signatures after the certificates have expired.

Key Management

  1. The cryptographic keys provide the basis for the functions of the digital certificates, e.g. authentication and digital signature. Hence the keys must be adequately secured at each phase of their life cycle, i.e. key generation, distribution, storage, usage, backup, archival and destruction.
     
  2. As the cryptographic components of the CA systems are highly sensitive and critical, the components must be subjected to an independent expert review to provide assurance of their integrity.
     
  3. The CA must establish procedures to immediately revoke the affected subscribers' certificates in the event of a compromise of its own digital signature private key.
     
  4. Adequate backup measures must be implemented to ensure the continued availability of cryptographic keys in the event of loss or corruption of the keys.

Systems and Operations

  1. Access and integrity controls must be implemented for the CA systems that store and process the subscribers' information and certificates.
       
  2. Physical security measures must be put in place to protect the CA systems and related assets from physical security threats.
      
  3. Controls to monitor the CA operations must be implemented and audit logs must be reviewed regularly to detect any anomaly in the system and network activities.

Application Integration

  1. In enabling applications to use digital certificates, the integration of the cryptographic and certificate functions must be secure, so as to protect the confidentiality of the users' private keys and ensure the integrity of the digital signatures generated.
     
  2. The applications must enable relying parties to verify the authenticity and validity of certificates and digital signatures.
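The certificate lifecycle described under Certificate Management (verified suspension and revocation requests, a published status history, archival so that signatures can still be verified after expiry) and the relying-party check required here can be modelled together. The following is an added illustration, not code from the guidelines or from any CA product; the repository, record and method names are constructed, and the status timeline stands in for the CA's published suspension/revocation information.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

VALID, SUSPENDED, REVOKED = "valid", "suspended", "revoked"

@dataclass
class CertRecord:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime
    # published (effective time, status) entries in chronological order
    history: list = field(default_factory=list)

    def status_at(self, t):
        """Status in force at time t according to the published history."""
        status = None
        for when, s in self.history:
            if when <= t:
                status = s
        return status

class Repository:
    """Constructed CA repository: active certificates plus an archive of expired ones."""
    def __init__(self):
        self.certs, self.archive = {}, {}

    def issue(self, serial, subject, not_before, lifetime):
        rec = CertRecord(serial, subject, not_before, not_before + lifetime)
        rec.history.append((not_before, VALID))
        self.certs[serial] = rec
        return rec

    def _set_status(self, serial, status, at, request_verified):
        # status changes only after the request has been verified as valid
        if not request_verified:
            raise PermissionError("unverified suspension/revocation request")
        rec = self.certs[serial]
        if rec.status_at(at) == REVOKED:
            raise ValueError("revocation is final; suspension is the reversible state")
        rec.history.append((at, status))

    def suspend(self, serial, at, verified): self._set_status(serial, SUSPENDED, at, verified)
    def reinstate(self, serial, at, verified): self._set_status(serial, VALID, at, verified)
    def revoke(self, serial, at, verified): self._set_status(serial, REVOKED, at, verified)

    def archive_expired(self, now):
        """Expired certificates move to the archive but remain available for verification."""
        for serial in [s for s, r in self.certs.items() if r.not_after < now]:
            self.archive[serial] = self.certs.pop(serial)

    def relying_party_check(self, serial, signed_at):
        """Relying-party check: was the certificate valid when the signature was made?"""
        rec = self.certs.get(serial) or self.archive.get(serial)
        if rec is None:
            return False, "certificate not found in repository or archive"
        if not (rec.not_before <= signed_at <= rec.not_after):
            return False, "signed outside the certificate's validity period"
        status = rec.status_at(signed_at)
        return status == VALID, f"status at signing time: {status}"
```

The check deliberately evaluates status at the signing time rather than at the time of verification, which is why the archive of expired certificates (Certificate Management, item 5) is needed.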

Conclusion

  1. CAs play a vital role in facilitating secure electronic transactions as they provide the infrastructure for transacting parties in an electronic environment to authenticate each other's identities and ensure non-repudiation of electronic transactions through the use of digital signatures.
      
  2. The security guidelines are tailored for the CA systems and operations to facilitate the provision of secure CA services. Users will have added confidence and assurance in using the services of CAs that comply with the guidelines.