MTNLTRUSTLINE MTNL-CPS

 

Document Version: 1.0

Date: January 13, 2004

Owner: Ms. Vandana Gupta, DGM CA

Document ID: MTNL-TL/PRO/V 1.0/210

File Name: MTNL-CPS.pdf

Abstract:              Mr. Bharat Kumar, AGM (S&A)

Prepared by:        Ms. Vandana Gupta, DGM CA

Reviewed by: Mr. Sanjay Padmane, DGM CA

Approved by: Mr. A. K. Bhargava, GM IT

Effective Date: 28th January, 2004


Mahanagar Telephone Nigam Limited




LEGAL NOTICE

Unauthorized access to and use of this document is prohibited by law. Any individual attempting unauthorized access, copying, distributing, or exploiting information within this document will be subjected to legal prosecution. The MTNLTRUSTLINE operations, including the policies and procedures, the terms and conditions, shall be governed by relevant Indian Laws in force.




Document Control Matrix


 

 
MTNLTRUSTLINE
CERTIFICATION PRACTICE STATEMENT (CPS)

VERSION -1.0 EFFECTIVE DATE: OCTOBER 15, 2003

MAHANAGAR TELEPHONE NIGAM LIMITED

JEEVAN BHARATI, 124 CONNAUGHT CIRCUS, NEW DELHI – 110 001


 


MTNL

CERTIFICATION PRACTICE STATEMENT

NOTE

 

The Capitalized and Underlined terms in this CPS are defined terms with specific meanings. Please see ‘List of Terms’ (CPS § 9) for a list of definitions.

This Certification Practice Statement document assumes that the reader is generally familiar with Public Key Infrastructure (PKI), Digital Certificates, Digital Signatures, Indian IT-Act 2000, Encryption, and the MTNLTRUSTLINE PKI. If not, MTNLTRUSTLINE advises that the reader obtain some training in the use of Public Key Cryptography and Public Key Infrastructure as implemented in the MTNLTRUSTLINE PKI. General educational and training information is accessible from MTNLTRUSTLINE at http://www.mtnltrustline.com/faq. Also, a brief summary of the roles of the different MTNLTRUSTLINE PKI participants is set forth in CPS § 1.3.

The latest version of this CPS is available for viewing in electronic form within the MTNLTRUSTLINE Repository at https://www.mtnltrustline.com/repository/cps.

Updates to the CPS are posted in the updates section of the MTNLTRUSTLINE Repository, at https://www.mtnltrustline.com/repository/updates.



TABLE OF CONTENTS

1 INTRODUCTION

1.1 OVERVIEW

1.1.1 COMPLIANCE WITH IT ACT

1.1.2 ROLE OF THE CPS AND OTHER DOCUMENTS

1.1.3 RELATIONSHIP WITH CONTROLLER OF CERTIFYING AUTHORITY

1.1.4 OVERVIEW OF CERTIFICATE CLASSES ISSUED BY MTNLTRUSTLINE

1.1.4.1 CLASS 1 CERTIFICATES

1.1.4.2 CLASS 2 CERTIFICATES

1.1.4.3 CLASS 3 CERTIFICATES

1.1.5 SERVICES OFFERED BY MTNLTRUSTLINE

1.1.6 MTNLTRUSTLINE PKI HIERARCHY

1.2 IDENTIFICATION

1.3 COMMUNITY AND APPLICABILITY

1.3.1 CERTIFYING AUTHORITIES (CAS)

1.3.2 REGISTRATION AUTHORITIES (RAS)

1.3.3 END ENTITIES

1.3.3.1 SUBSCRIBERS

1.3.3.2 RELYING PARTIES

1.3.4 APPLICABILITY

1.3.4.1 SUITABLE APPLICATIONS

1.3.4.1.1 SUITABLE APPLICATIONS FOR CLASS 1 CERTIFICATES

1.3.4.1.2 SUITABLE APPLICATIONS FOR CLASS 2 CERTIFICATES

1.3.4.1.3 SUITABLE APPLICATIONS FOR CLASS 3 CERTIFICATES

1.3.4.2 RESTRICTED APPLICATIONS

1.3.4.3 PROHIBITED APPLICATIONS

1.4 CONTACT DETAILS

2 GENERAL PROVISIONS

2.1 OBLIGATIONS

2.1.1 CA OBLIGATIONS

2.1.2 RA OBLIGATIONS

2.1.3 SUBSCRIBER OBLIGATIONS

2.1.4 RELYING PARTY OBLIGATIONS

2.1.5 REPOSITORY OBLIGATIONS

2.2 LIABILITY

2.2.1 CA LIABILITY




2.2.1.1 WARRANTIES TO SUBSCRIBERS AND RELYING PARTIES

2.2.1.2 DISCLAIMERS OF WARRANTIES

2.2.1.3 LIMITATIONS OF LIABILITY

2.2.1.4 FORCE MAJEURE

2.2.2 RA LIABILITY

2.2.3 SUBSCRIBER LIABILITY

2.2.3.1 SUBSCRIBER WARRANTIES

2.2.3.2 PRIVATE KEY COMPROMISE

2.2.4 RELYING PARTY LIABILITY

2.3 FINANCIAL RESPONSIBILITY

2.3.1 INDEMNIFICATION BY SUBSCRIBERS AND RELYING PARTIES

2.3.1.1 INDEMNIFICATION BY SUBSCRIBERS

2.3.1.2 INDEMNIFICATION BY RELYING PARTIES

2.3.2 FIDUCIARY RELATIONSHIPS

2.3.3 ADMINISTRATIVE PROCESSES

2.4 INTERPRETATION AND ENFORCEMENT

2.4.1 GOVERNING LAW

2.4.2 SEVERABILITY, SURVIVAL, MERGER, NOTICE

2.4.3 DISPUTE RESOLUTION PROCEDURES

2.4.3.1 ROLE OF THE CCA

2.5 FEES

2.5.1 CERTIFICATE ISSUANCE OR RENEWAL FEES

2.5.2 CERTIFICATE ACCESS FEES

2.5.3 REVOCATION OR STATUS INFORMATION ACCESS FEES

2.5.4 FEES FOR OTHER SERVICES SUCH AS POLICY INFORMATION

2.5.5 REFUND POLICY

2.6 PUBLICATION AND REPOSITORIES

2.6.1 PUBLICATION OF CA INFORMATION

2.6.2 FREQUENCY OF PUBLICATION

2.6.3 ACCESS CONTROLS

2.6.4 REPOSITORIES

2.7 COMPLIANCE AUDIT

2.7.1 FREQUENCY OF COMPLIANCE AUDIT

2.7.2 IDENTITY/ QUALIFICATIONS OF AUDITOR

2.7.2.1 SELF-AUDITS

2.7.3 AUDITOR’S RELATIONSHIP TO AUDITED PARTY




2.7.4 TOPICS COVERED BY AUDIT

2.7.5 ACTIONS TAKEN AS A RESULT OF DEFICIENCY

2.7.6 COMMUNICATIONS OF RESULTS

2.8 CONFIDENTIALITY POLICY

2.8.1 TYPES OF INFORMATION TO BE KEPT CONFIDENTIAL

2.8.2 TYPES OF INFORMATION NOT CONSIDERED CONFIDENTIAL

2.8.3 DISCLOSURE OF CERTIFICATE REVOCATION/SUSPENSION INFORMATION

2.8.4 RELEASE TO LAW ENFORCEMENT OFFICIALS

2.8.5 RELEASE AS PART OF CIVIL DISCOVERY

2.8.6 DISCLOSURE UPON OWNER’S REQUEST

2.8.7 OTHER INFORMATION RELEASE CIRCUMSTANCES

2.9 INTELLECTUAL PROPERTY RIGHTS

2.9.1 RIGHTS IN CERTIFICATES

2.9.2 RIGHTS IN THE CP & CPS

2.9.3 RIGHTS IN NAMES

2.9.4 RIGHTS IN KEYS AND KEY MATERIAL

3 IDENTIFICATION AND AUTHENTICATION

3.1 INITIAL REGISTRATION

3.1.1 TYPES OF NAMES

3.1.2 MEANING OF NAMES

3.1.3 RULES FOR INTERPRETING VARIOUS NAME FORMS

3.1.4 UNIQUENESS OF NAMES

3.1.5 NAME CLAIM DISPUTE RESOLUTION

3.1.6 RECOGNITION, AUTHENTICATION, AND ROLE OF TRADEMARKS

3.1.7 METHOD TO PROVE POSSESSION OF PRIVATE KEY

3.1.8 AUTHENTICATION OF ORGANIZATION IDENTITY

3.1.8.1 AUTHENTICATION OF ORGANIZATION IDENTITY

3.1.8.2 CLASS 2 CERTIFICATES FOR DEVICES

3.1.8.3 CLASS 3 SERVER CERTIFICATES

3.1.8.4 AUTHENTICATION OF THE IDENTITY OF SUB-CAS AND RAS

3.1.9 AUTHENTICATION OF INDIVIDUAL IDENTITY

3.1.9.1 CLASS 1 CERTIFICATES

3.1.9.2 CLASS 2 CERTIFICATES

3.1.9.3 CLASS 3 CERTIFICATES

3.2 ROUTINE REKEY (RENEWAL)

3.2.1 RENEWAL OF END USER SUBSCRIBER CERTIFICATES




3.2.2 RENEWAL OF SUB-CA CERTIFICATES

3.3 REKEY AFTER REVOCATION - NO KEY COMPROMISE

3.4 REVOCATION REQUESTS

4 OPERATIONAL REQUIREMENTS

4.1 CERTIFICATE APPLICATION

4.1.1 ENROLLMENT FOR END USER SUBSCRIBER CERTIFICATES

4.1.2 ENROLLMENT FOR SUB-CA OR RA CERTIFICATES

4.2 CERTIFICATE ISSUANCE

4.2.1 ISSUANCE OF END USER SUBSCRIBER CERTIFICATES

4.2.2 ISSUANCE OF SUB-CA AND RA CERTIFICATES

4.3 CERTIFICATE ACCEPTANCE

4.4 CERTIFICATE SUSPENSION AND REVOCATION

4.4.1 CIRCUMSTANCES FOR REVOCATION

4.4.1.1 CIRCUMSTANCES FOR REVOKING END USER SUBSCRIBER CERTIFICATES

4.4.1.2 CIRCUMSTANCES FOR REVOKING SUB-CA OR RA CERTIFICATES

4.4.2 WHO CAN REQUEST REVOCATION

4.4.2.1 WHO CAN REQUEST REVOCATION OF AN END USER SUBSCRIBER CERTIFICATE

4.4.2.2 WHO CAN REQUEST REVOCATION OF A SUB-CA OR RA CERTIFICATE

4.4.3 PROCEDURE FOR REVOCATION REQUEST

4.4.3.1 PROCEDURE FOR REVOCATION REQUEST OF AN END USER SUBSCRIBER CERTIFICATE

4.4.3.2 PROCEDURE FOR REVOCATION REQUEST OF A SUB-CA OR RA CERTIFICATE

4.4.4 REVOCATION REQUEST GRACE PERIOD

4.4.5 CIRCUMSTANCES FOR SUSPENSION

4.4.6 WHO CAN REQUEST SUSPENSION

4.4.7 PROCEDURE FOR SUSPENSION REQUEST

4.4.8 LIMITS ON SUSPENSION PERIOD

4.4.9 CRL ISSUANCE FREQUENCY

4.4.10 CERTIFICATE REVOCATION LIST CHECKING REQUIREMENTS

4.4.11 ON-LINE REVOCATION/STATUS CHECKING AVAILABILITY

4.4.12 ON-LINE REVOCATION CHECKING REQUIREMENTS

4.4.13 OTHER FORMS OF REVOCATION ADVERTISEMENTS AVAILABLE

4.4.14 CHECKING REQUIREMENTS FOR OTHER FORMS OF REVOCATION ADVERTISEMENTS

4.4.15 SPECIAL REQUIREMENTS REGARDING KEY COMPROMISE

4.5 SECURITY AUDIT PROCEDURES

4.5.1 TYPES OF EVENTS RECORDED

4.5.1.1 EVENTS RECORDED BY MTNLTRUSTLINE CA




4.5.1.2 EVENTS RECORDED BY MTNLTRUSTLINE RAS

4.5.2 FREQUENCY WITH WHICH AUDIT LOGS ARE PROCESSED

4.5.3 PERIOD FOR WHICH AUDIT LOGS ARE KEPT

4.5.4 PROTECTION OF AUDIT LOG

4.5.5 AUDIT LOG BACKUP PROCEDURES

4.5.6 AUDIT LOG ACCUMULATION SYSTEM (INTERNAL OR EXTERNAL)

4.5.7 NOTIFICATION TO EVENT-CAUSING SUBJECT

4.5.8 VULNERABILITY ASSESSMENTS

4.6 RECORDS ARCHIVAL

4.6.1 TYPES OF EVENT RECORDED

4.6.2 RETENTION PERIOD FOR ARCHIVE

4.6.3 PROTECTION OF ARCHIVE

4.6.4 ARCHIVE BACKUP PROCEDURES

4.6.5 REQUIREMENTS FOR TIME-STAMPING OF RECORDS

4.6.6 ARCHIVE COLLECTION SYSTEM (INTERNAL OR EXTERNAL)

4.6.7 PROCEDURES TO OBTAIN AND VERIFY ARCHIVE INFORMATION

4.7 KEY CHANGEOVER

4.8 COMPROMISE AND DISASTER RECOVERY

4.8.1 COMPUTING RESOURCES, SOFTWARE, AND/OR DATA ARE CORRUPTED

4.8.2 ENTITY PUBLIC KEY IS REVOKED

4.8.3 ENTITY KEY IS COMPROMISED

4.8.4 SECURE FACILITY AFTER A NATURAL OR OTHER TYPE OF DISASTER

4.9 CA TERMINATION

5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS

5.1 PHYSICAL SECURITY CONTROLS

5.1.1 SITE LOCATION AND CONSTRUCTION

5.1.2 PHYSICAL ACCESS

5.1.3 POWER AND AIR CONDITIONING

5.1.4 WATER EXPOSURES

5.1.5 FIRE PREVENTION AND PROTECTION

5.1.6 MEDIA STORAGE

5.1.7 WASTE DISPOSAL

5.1.8 OFF-SITE BACKUP

5.2 PROCEDURAL CONTROLS

5.2.1 TRUSTED ROLES

5.2.2 NUMBER OF PERSONS REQUIRED PER TASK




5.2.3 IDENTIFICATION AND AUTHENTICATION FOR EACH ROLE

5.3 PERSONNEL SECURITY CONTROLS

5.3.1 BACKGROUND, QUALIFICATIONS, EXPERIENCE, AND CLEARANCE REQUIREMENTS

5.3.2 BACKGROUND CHECK PROCEDURES

5.3.3 TRAINING REQUIREMENTS AND TRAINING PROCEDURES

5.3.4 RETRAINING FREQUENCY AND REQUIREMENTS

5.3.5 JOB ROTATION FREQUENCY AND SEQUENCE

5.3.6 SANCTIONS FOR UNAUTHORIZED ACTIONS

5.3.7 CONTRACTING PERSONNEL REQUIREMENTS

5.3.8 DOCUMENTATION SUPPLIED TO PERSONNEL

6 TECHNICAL SECURITY CONTROLS

6.1 KEY PAIR GENERATION AND INSTALLATION

6.1.1 KEY PAIR GENERATION AND INSTALLATION

6.1.2 PRIVATE KEY DELIVERY TO ENTITY

6.1.3 PUBLIC KEY DELIVERY TO CERTIFICATE ISSUER

6.1.4 CA PUBLIC KEY DELIVERY TO USERS

6.1.5 KEY SIZES

6.1.6 PUBLIC KEY PARAMETERS GENERATION

6.1.7 PARAMETER QUALITY CHECKING

6.1.8 HARDWARE OR SOFTWARE KEY GENERATION

6.1.9 KEY USAGE PURPOSES

6.2 PRIVATE KEY PROTECTION

6.2.1 STANDARDS FOR CRYPTOGRAPHIC MODULES

6.2.2 PRIVATE KEY ‘N OUT OF M’ MULTI-PERSON CONTROL

6.2.3 PRIVATE KEY ESCROW

6.2.4 PRIVATE KEY BACKUP

6.2.5 PRIVATE KEY ARCHIVAL

6.2.6 PRIVATE KEY ENTRY INTO CRYPTOGRAPHIC MODULE

6.2.7 METHOD OF ACTIVATING PRIVATE KEY

6.2.7.1 END USER SUBSCRIBER PRIVATE KEYS

6.2.7.2 CA/SUB-CA PRIVATE KEYS

6.2.8 METHOD OF DEACTIVATING PRIVATE KEY

6.2.9 METHOD OF DESTROYING PRIVATE KEY

6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT

6.3.1 PUBLIC KEY ARCHIVAL

6.3.2 USAGE PERIODS FOR THE PUBLIC AND PRIVATE KEYS




6.4 ACTIVATION DATA

6.4.1 ACTIVATION DATA GENERATION AND INSTALLATION

6.4.2 ACTIVATION DATA PROTECTION

6.4.3 OTHER ASPECTS OF ACTIVATION DATA

6.5 COMPUTER SECURITY CONTROLS

6.5.1 SPECIFIC COMPUTER SECURITY TECHNICAL REQUIREMENTS

6.5.2 COMPUTER SECURITY RATING

6.6 LIFE CYCLE SECURITY CONTROLS

6.6.1 SYSTEM DEVELOPMENT CONTROLS

6.6.2 SECURITY MANAGEMENT CONTROLS

6.6.3 LIFE CYCLE SECURITY RATINGS

6.7 NETWORK SECURITY CONTROLS

6.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS

7 CERTIFICATE AND CRL PROFILES

7.1 CERTIFICATE PROFILE

7.1.1 VERSION NUMBER(S) SUPPORTED

7.1.2 CERTIFICATE EXTENSIONS

7.1.2.1 BASIC CONSTRAINTS

7.1.2.2 EXTENDED KEY USAGE

7.1.3 ALGORITHM OBJECT IDENTIFIERS

7.1.4 NAME FORMS

7.1.5 NAME CONSTRAINTS

7.1.6 CERTIFICATE POLICY OBJECT IDENTIFIER

7.1.7 USAGE OF POLICY CONSTRAINTS EXTENSION

7.1.8 POLICY QUALIFIERS SYNTAX AND SEMANTICS

7.1.9 PROCESSING SEMANTICS FOR THE CRITICAL CERTIFICATE POLICY EXTENSION

7.2 CRL PROFILE

7.2.1 VERSION NUMBER(S) SUPPORTED

7.2.2 CRL AND CRL ENTRY EXTENSIONS

8 SPECIFICATION ADMINISTRATION

8.1 SPECIFICATION CHANGE PROCEDURES

8.1.1 ITEMS THAT CAN CHANGE WITHOUT NOTIFICATION

8.1.2 ITEMS THAT CAN CHANGE WITH NOTIFICATION

8.1.2.1 LIST OF ITEMS

8.1.2.2 NOTIFICATION MECHANISM

8.1.2.3 COMMENT PERIOD




8.1.2.4 MECHANISM TO HANDLE COMMENTS

8.1.3 CHANGES REQUIRING CHANGES IN THE CERTIFICATE POLICY OID

8.2 PUBLICATION AND NOTIFICATION POLICIES

8.2.1 ITEMS NOT PUBLISHED IN THE CPS

8.2.2 DISTRIBUTION OF THE CPS

8.3 CPS APPROVAL PROCEDURES

9 LIST OF TERMS

9.1 LIST OF ACRONYMS

9.2 DEFINITIONS

ANNEXURE 1 - MTNLTRUSTLINE SUBSCRIBER AGREEMENT

ANNEXURE 2 - MTNLTRUSTLINE RELYING PARTY AGREEMENT




1 INTRODUCTION

This document is the Certification Practice Statement (CPS) of MTNLTRUSTLINE, a service of Mahanagar Telephone Nigam Limited (MTNL). It states the practices that MTNLTRUSTLINE employs in providing Digital Certificates and related services that include, but are not limited to, Certificate Application, Approval, Issuance, Revocation, Renewal, and use in accordance with the specific requirements of the MTNLTRUSTLINE Certificate Policy (CP). The CP is the principal statement of policy governing MTNLTRUSTLINE and establishes conformance to the requirements of the IT-Act 2000.

The Indian Information Technology Act – 2000 (IT-Act 2000) provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents.

To facilitate the authentication of electronic documents the IT-Act 2000 provides legal recognition[1] to Digital Signatures created using Digital Certificates issued by Certifying Authorities duly licensed by the ‘Controller of Certifying Authorities’.

[1] 5. Legal recognition of Digital Signatures.

“Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.” – IT Act 2000.




MTNLTRUSTLINE is a Certifying Authority (CA) set up by Mahanagar Telephone Nigam Limited (MTNL) to provide Digital Certificates and related services to entities including Individuals, Organizations, Servers, Network Devices, and ‘legal persons’.

Within the framework of the IT Act 2000, MTNLTRUSTLINE is recognized as a Certifying Authority in the Public Key Infrastructure set up by the CCA for the country. MTNLTRUSTLINE is recognized as a Certifying Authority under which Sub-CAs and RAs are operating. As far as the Controller of Certifying Authorities (CCA) is concerned, operations of issuance, renewal, and revocation of Certificates are carried out by MTNLTRUSTLINE as a CA.

While the MTNLTRUSTLINE CP sets forth requirements that MTNLTRUSTLINE PKI Participants must meet, this CPS describes the practices that MTNLTRUSTLINE employs for:

· Securely managing the core infrastructure that supports the MTNLTRUSTLINE.

· Issuing, managing, revoking, and renewing certificates with legal validity under the IT-Act.

1.1 OVERVIEW

This CPS is applicable to MTNLTRUSTLINE including all Certifying Authorities (CAs) and Sub-Certifying Authorities (Sub-CAs) operating under the MTNLTRUSTLINE brand umbrella.

This CPS also governs the use of services by all individuals and entities identified as MTNLTRUSTLINE PKI Participants in CPS § 1.3.

In accordance with the guidelines of the IT-Act, the CP defines three distinct Classes of Certificates: Class 1, Class 2, and Class 3. Each Class of Certificate is associated with specific security features and corresponds to a specific level of trust. MTNLTRUSTLINE Subscribers and Relying Parties choose which Classes of Certificates they need.




While the CP (CP §§ 1.1.4, 1.2, 1.3.4, 3.1.8, 3.1.9) describes in detail how these three classes correspond to three classes of Applications with common security requirements, this CPS describes how MTNLTRUSTLINE meets the CP and IT-Act requirements for each class of certificates.

The CPS, as a single document, covers practices and procedures concerning the issuance, revocation, and renewal of certificates of all three classes.

1.1.1 COMPLIANCE WITH IT ACT

The practices specified in this CPS have been designed to meet or exceed the requirements of the Indian IT-Act 2000.

As required by the IT-Act this CPS conforms to the framework provided in RFC 2527 (Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework), [http://www.ietf.org/rfc/rfc2527.txt] in order to make policy mapping and comparisons, assessment, and interoperation easier for persons using or considering using MTNL