The scope of this document is limited to the practices and procedures employed by VillageMall to supply VillageMall
Certification Authority services. This document must be read in conjunction
with the VillageMall Certificate Policy,
and associated Subscribers
and Relying Party Agreements.
The purpose of this document is to describe the certification practices and procedures employed by VillageMall to
supply Certification Authority
services and to exhibit trust by providing evidence of the methods used to manage and
complete tasks associated with the VillageMall Certificate Policy.
2. Scope of VillageMall Certification Authority Services
VillageMall provides public key
certification services to members of the VillageMall network, these include
individuals, organisations and web servers within Australia.
2.2 certification Services The certification services offered by VillageMall
include the following: Authentication, Certificate Issuance, and Certificate
Revocation in support of VillageMall services.
2.3 Usage: A VillageMall authentication certificate may only be used for authentication,
non-repudiation, confidentiality and access control within
the VillageMall network, this network is a closed community. VillageMall
subscribers may not use
the certificate for any purpose outside of the VillageMall network. Parties outside the
VillageMall network are advised that they should not process or rely upon a VillageMall
certificate for any purpose outside of the provision of a VillageMall service.
3. VillageMall Certification Authority Certificate
3.1 Introduction The VillageMall Certification Root
Authority certificate is the highest level certificate in the VillageMall service. It is
used in the path to verify all digital signatures and Certificate Revocation Lists (CRL) issued by
VillageMall. It contains the public key corresponding to the private key used for signing
all subscriber certificates, and CRL's issued by VillageMall.
4. Certificate Application
4.1 Certificate Application Process
4.1.1 Application Forms There is two types of
application forms for VillageMall services, as follows: Application for Personal and for
Organisation Authentication Services.
126.96.36.199 Application for Personal Services An
"Application for Personal Services" is used for individuals who require a
VillageMall certificate for their own personal use within the VillageMall network. A
personal certificate is issued in the applicant's name.
Process - Application for Personal Services An
application for personal services is processed online via the VillageMall registration
188.8.131.52 Application for Organisation Services An
application for organisation services is used for individuals who require a VillageMall
certificate to conduct business on behalf of their organisation.
Process - Application for Organisation Services An
"Application for Organisation Services" is processed online via the VillageMall
Business Registration facility.
5. Identification and Authentication
5.1 Introduction VillageMall provides authentication services for individuals and individuals applying on
behalf of an organisation.
5.2 Identification Requirements All VillageMall identification and authentication processes require
the applicant to provide evidence supporting their application.
5.2.1 Types of authentication VillageMall performs
two types of authentication, as follows: Authentication of individuals, Authentication of
individuals representing an organisation
An individual must
present certain authentication information in order to prove his/her identity.
Authentication - Individuals
Authentication - Individuals Representing an Organisation An individual representing an organisation is authenticated in two
stages. Stage 1 is to verify the identity of the applicant. Stage 2 is to verify the
identity of the organisation. This is referred to as Organisation Authentication.
Certain organisation identification documents must be presented depending on the type of
organisation nominated on the application form.
5.2.2 Verify the Identity of the Organisation The
identity of the organisation is verified against the organisation identification
provided by the applicant. The following table shows the identification documents which
must be presented for each type of organisation as part of the authentication check.
Type of Organisation Documents Required
Sole Trader copy of the Business Registration Certificate showing sole trader as
the owner or A.B.N number.
Company copy of the Certificate of Registration of a Company from the Australian
Securities Commission Original Letter of Authorisation signed by an office holder of the
company or A.B.N or A.C.N number.
Partnership copy of the Business Registration Certificate or Deed of
Partnership Original Letter of Authorisation signed by one of the partners whose name
appears on the Business Registration Certificate or Deed of Partnership, if required
or A.B.N number.
Club / Association copy of the Articles of Incorporation or Articles of
Association Original Letter of Authorisation signed by President or Secretary, if
required or A.B.N number.
Company Trust / Individual Trust copy of the Trustee Seal Original or certified
copy of the Trust Deed verifying trustee status Original Letter of Authorisation
signed by Trustee, if required or A.B.N number.
6. Naming Conventions for Subscribers
Naming Convention The naming convention used by
VillageMall to uniquely identify Subscribers in certificates is: ISO/IEC 9594
(X.500) Distinguished Name (DN).
Distinguished Name Components The VillageMall Distinguished Name comprises the following components:
Component (Prefix) Value
Country (C=) "AU"
State( S=) "QLD"
Organisation (o=) "VillageMall Network"
Locality (l=) "VillageMall"
Common Name (cn=) See "Subscriber Common Name"
Subscriber Common Name The Subscriber Common
Name may take one of the following formats:
Individuals with no desire for anonymity, the Subscriber's: given name, and
Individuals that require anonymity, a VillageMall reference number.
Individuals representing an organisation, either: the Subscriber's name, or the
Subscriber's: given name surname position within the organisation.
7. Valid Certificate
VillageMall defines a valid
certificate as a certificate that: has been issued by VillageMall, is not on the
VillageMall Certificate Revocation List, has not expired, and can be verified by a
valid VillageMall Certification Authority certificate.
7.1 Certificate Revocation
7.1.1 Certificate Revocation Requests
Personal Certificate Revocation Requests A
personal certificate can only be revoked by the subscriber of that certificate. The
certificate subscriber is the person listed on the application form for the certificate.
The subscriber must make a formal request to VillageMall to revoke their certificate. The
request must be made using one of the following methods: Sending a paper Certificate
Revocation Request form to VillageMall. The form must be signed with the same signature as
on the original application for the certificate, or Requesting revocation over the
telephone by quoting the password nominated on the original application form for the
certificate, or On-Line Submission of a digitally signed Certificate Revocation Request
Organisation Certificate Revocation Requests A
certificate used on behalf of an organisation can be revoked by the subscriber of the
certificate or a person nominated as an Organisation Signatory for the organisation. The
subscriber of the certificate is the person listed on the application form for the
certificate. The Organisation Signatory for an organisation is the person whose signature
appears on the letter of authorisation provided at the application stage. The subscriber
or Organisation Signatory must make a formal request to VillageMall to revoke the
certificate. A revocation request made by the subscriber of the certificate must be made
using one of the following methods: Sending a paper Certificate Revocation Request
VillageMall. The request must be signed with the same signature as on the original
application for the certificate, or Requesting revocation over the telephone by quoting
approperate authentication information.
Where to Obtain Forms A Certificate Revocation
Request form may be downloaded and printed from the VillageMall internet site.
7.2 Certificate Revocation Process
7.2.1 Revoking a Certificate From a Telephone Request The
following table describes the process for revoking a certificate originating from a
A) The subscriber telephones VillageMall to request revocation of their certificate.
B) The subscriber must provide the VillageMall operator authentication
C) The operator verifies the request by checking the authentication
Note: If the revocation request is not verified,
VillageMall forwards a message to the originator of the certificate revocation request,
informing them that their request was not processed. The message includes the reasons why
it was not verified.
D) The certificate is revoked.
E) A new CRL is generated and signed by VillageMall.
F) The new CRL is published.
G) VillageMall notifies the subscriber that their certificate has been revoked via
email, or fax or mail.
7.3 Certificate Revocation Policies
When a Certificate Status Becomes "Revoked" A certificate will be revoked when
it is included in the next Certificate Revocation
Date of Revocation Revocation Requests will
specify the date and time from which the revocation will take effect.
Revocation Due to Subscriber Death or Organisation Dissolution
VillageMall revokes certificates: upon receiving a certified copy of the
subscriber's death certificate, or upon presentation of documents verifying the
dissolution of a subscriber's organisation, or upon confirming by other evidence that the
subscriber's organisation has been dissolved or has ceased to exist.
CRL Update period VillageMall will update its CRL monthly unless the CRL is
Publishing CRL's VillageMall will publish its CRL(s) as
indicated within the VillageMall CA certificate, this will be via a CRL
distribution point, identified within each VillageMall CA certificate.
8. VillageMall Operations
8.1 Cessation of VillageMall Operations
Actions Upon Cessation of Operations either Wholly or in Part
VillageMall will take the following actions upon cessation of operations
either wholly or in part: where the cessation so requires, revoke all valid certificates,
and where required, preserve all databases, archives and records
8.2 VillageMall Certification Authority Key Compromise
Actions in the Event of VillageMall Key Compromise
VillageMall will perform the following actions in the event of the VillageMall
Certification Authority systems or the VillageMall Certification Authority private keys
being, or suspected of being, compromised: revoke the VillageMall Certification Authority
certificate, generate a new VillageMall Certification Authority key pair and certificate,
revoke all valid
certificates issued by the compromised systems generate, issue new keys and
certificates for all affected subscribers, at no cost to the subscriber.
8.3 Record Retention
records documenting issuance of all certificates in accordance with legislative and
taxation requirements and Information Privacy Principles (Commonwealth Privacy Act 1988).
These records include: copies of documentation authenticating subscribers application
forms certificate revocation request forms change of address forms
Retention Period The period for retaining
VillageMall records will be seven years. VillageMall will take all reasonable steps to
ensure the security of these records.
Access to Retained Records Access to the
retained records will be via nominated and duly authenticated representatives of
8.4 Auditing of VillageMall
VillageMall Auditing The operations of
VillageMall are not independently audited.
In This Chapter This chapter describes the
security environment of the VillageMall Service Centre. The chapter includes the
following: Protection of VillageMall's Private Cryptographic Keys Protection Of
VillageMall's Systems and Data Physical Security of the VillageMall Service Centre
9.1 Protection of VillageMall's Private Cryptographic Key
Cryptographic Security Device
generates its Private Cryptographic Keys using a hardware security module rated
at FIPS 140-1 level 2.
VillageMall Private Key The VillageMall Private
Key is stored on combination of smart cards and a hardware security module
(HSM). The HSM is rated at FIPS 140-1 level 2.
VillageMall CA Private Key Size A
minimum of 2048bits.
9.2 Protection of VillageMall Systems and Data
Protection of VillageMall Systems The VillageMall Systems (other than key and certificate generation
systems) are protected from unauthorised access from external sources by a firewall
between the VillageMall network and all external networks. All VillageMall
network servers require a hardware security token to become part of the VillageMall
Physical Security of the VillageMall Service Centre The
VillageMall centre that houses the Certification Authority computers, has
multi-zone physical and electronic barriers.
Physical Access to the VillageMall Service Centre Physical access to the VillageMall Certificate Authority
system is by high security locks and controlled keys. Operational access to all
VillageMall Certification Authority computers requires a controlled smart card
to logon. All access must take place at the physical CA system, using as a minimum
two factor authentication.
Token Issuance VillageMall issues tokens to
VillageMall Subscribers under the terms and conditions contained within the Subscribers
Token Initialisation and Personalisation Only
authorised personal can perform token initialisation and personalisation.
Authorisation is via the issuance of a VillageMall certificate with the
designated privileges required for token initialisation and personalisation.
11. Terms and Conditions
Use of VillageMall Services The terms and
conditions for the use of VillageMall services including the Certification Authority
service can be found on the VillageMall internet site.