GOVERNMENT MULTI PURPOSE CARD (GMPC)

PUBLIC KEY INFRASTRUCTURE GUIDELINES

MyKad PKI Guidelines
Version 0.6
ABBREVIATIONS AND ACRONYMS

API Application Programming Interface
CA Certification Authority
CPS Certificate Practice Statement
CRL Certificate Revocation List
GMPC/s Secure Government Multi-Purpose Card
PKI Public Key Infrastructure
RA Registration Authority
RSA Rivest, Shamir & Adleman Algorithm
SAM Secure Access Module
NIST National Institute of Standards and Technology
TABLE OF CONTENTS

  EXECUTIVE SUMMARY
  OBJECTIVE
  SCOPE OF POLICY
  POLICY STATEMENT
   
  1.0   MyKad Smart Card
  1.1   Definition
  1.2   Physical Card Requirement
  2.0   PKI Requirement
  2.1   Card Memory Size Allocation
  2.2   Certification Authorities
  2.3   Certificate
  2.4   Key Management
  3.0   Application of Digital Certificate
  3.1   Digital Certificate New Issuance
  3.2   Digital Certificate Application
  3.3   Digital Certificate Issuance
  3.4   Certificate Acceptance and Usage
  4.0   Digital Certificate Renewal
  4.1   Definition
  4.2   Requirements
  4.3   Digital Certificate Expiration
  4.4   Notice prior to Expiration
  4.5   Effect on Digital Certificate Expiration
  4.6   Procedure for Digital Certificate Renewal
  5.0   Digital Certificate Suspension/Revocation
  5.1   Definition
  5.2   Requirements
  5.3   Circumstances for Suspension/ Revocation
  5.4   Who can request Suspension/ Revocation
  5.5   Procedure for Suspension/ Revocation Request
  5.6   Effect of Suspension/ Revocation
  5.7   CRL Issuance Frequency
  5.8   CRL Revocation Status
  5.9   Key and Certificate Deletion
  6.0   Complaints/ Problem Handling
  6.1   Loss of SmartCard
  6.2   Lost/ Forgotten PIN
  6.3   Smart Card Block
  6.4   Faulty Smart Card
  6.5   Key Compromise
  6.6   Replacement of SmartCard
  6.7   Other Complaints
  APPENDICES
   
  Appendix 1   Summary of CPS
  Appendix 2   FIPS-140-1 Specification
  REFERENCES
EXECUTIVE SUMMARY

The MyKad PKI Guidelines shall govern the Certification Authorities and the subscribers in the implementation and usage of digital certificates in MyKad. The chapters of the guidelines contain the following:

Chapter 1
This chapter shall contain MyKad definition requirements and prerequisites.

Chapter 2
This chapter shall contain a brief definition of PKI requirements and the components used in MyKad implementation. The components covered include Card Memory size allocation, details of certificate definition and practice, and brief information on key management and how it relates to the usage of MyKad.

Chapter 3
This chapter shall focus on the certificate application. A few methods are detailed, focusing on how the cardholder shall apply for the certificate, the requirements for the new issuance of the certificate, the details of the new issuance from the Certification Authorities, and the certificate acceptance and usage by the cardholders.

Chapter 4
This chapter shall explain certificate renewal in detail. This includes the definition and requirements, the expiration of the digital certificate prior to certificate renewal, the notices for certificate expiration, the effects of certificate expiration and the procedures for certificate renewal.

Chapter 5
This chapter shall focus on certificate suspension and revocation. It covers the definition and requirements, the circumstances of certificate suspension and revocation, the parties that can request suspension and revocation, and the effects of the request. This chapter shall also include the CRL Issuance Frequency, CRL Revocation Status and the details of certificate deletion.

Chapter 6
This chapter shall define the responsibilities of the cardholder should problems arise from the application, usage and errors found during and after the certificate application. Several common problem-handling cases are included to guide the cardholders on the actions that shall be taken. These problems shall differ from one Certification Authority to another according to their standard practice; cardholders are therefore required to always check with the Certification Authorities for the detailed steps to be taken should any problem related to the digital certificate arise.
OBJECTIVE

The Public Key Infrastructure (PKI) environment and how Certification Authorities behave are governed by the Digital Signature Act, the Digital Signature Regulations, and the Terms & Conditions of Licensing by the Controller of the Certification Authorities, whereas the National Registration Act defines the workings of the National Registration Department. As such, the objectives of this guideline are:

   To define the tasks and responsibilities of the cardholders and the Certification Authorities in the operating procedures of PKI facilities in MyKad.
   To define the intellectual property components of PKI in MyKad and the management of key pairs and certificates.
SCOPE OF POLICY

The guideline will serve as an addition to the current legal infrastructure mentioned above, as well as the Certificate Practice Statement of the respective Certification Authorities. Whenever a conflict arises, the highest legal authority and documents will be used.

The guidelines serve to define the security requirements for the key management of MyKad. The main parties subject to this guideline are MyKad cardholders and the Certification Authorities. Where applicable, the additional parties covered under the guideline are the National Registration Department and GMPC Corporation.

The guideline will be considered as a live documentation, binding where applicable, of the parties mentioned above. The guideline will cross-refer other documentation vis-à-vis the scope of MyKad PKI project where applicable.
POLICY STATEMENT

1.0 MyKad Smart Card

1.1 Definition

MyKad is the world’s first National Identification Smart Card, previously known as the Government Multi Purpose Card. MyKad shall be issued by the National Registration Department to every Malaysian citizen and any other individuals deemed fit. MyKad integrates identity, citizenship, digital thumbprints and other personal details into a credit-card sized piece of plastic.

MyKad features an intelligent circuit chip, biometrics and encryption technology. For this purpose, MyKad shall be able to adapt to the PKI requirements to materialise the PKI implementation through the usage of digital certificates.

1.2 Physical Card Requirement

Part of the PKI implementation focuses on MyKad physical requirements as set by the National Registration Department. Every MyKad registered with the identity of an individual shall be fit for the registration and usage of the digital certificates. The basic requirements of MyKad include, but are not limited to, the following:

   Card Operating System
      Must support international standards, compliant with ISO 7816 Part 3 and 4.
   Cryptographic Module
      Higher security features and accelerators.
      Tamper resistant features & PIN Protection.
      Hardware accelerator
      Secure protection of private keys
      Digital signature support
      Minimum of RSA 1024 bit processor
   Certification
      Minimum of Common Criteria EAL level 1
      Preferably with Federal Information Processing Standard (FIPS) 140-1 Level 2, Security Requirements for Cryptographic Modules. The details of the module are stated in Appendix 2.


2.0 PKI Requirement

2.1 Card Memory Size Allocation

For the implementation of PKI on MyKad, the minimum storage required for PKI must be able to accommodate up to 10 kilobytes of data and keys. The storage must be able to provide the following:

   Key pairs generation (two key pairs)
   Two sets of certificates
   Overhead for processing


2.2 Certification Authorities

2.2.1 Definition

Certification Authorities are the entities given the authority to perform certificate management, including the certificate registration process, issuance, suspension and revocation of the digital certificate.

2.2.2 Roles and Obligations of the Certification Authorities

In Malaysia, Certification Authorities' practices are regulated and require licensing under the Digital Signature Act 1997. The Certification Authorities have the obligation and responsibility to ensure trustworthiness and security by performing the functions below:

   Ensuring that applications for digital certificates are processed within the required time frames.
   Ensuring trustworthiness and security by the Certification Authorities, their appointed agents and repositories of the digital certificate subscribers.
   Disclosure of appropriate information to subscribers and relying parties.
   Screening of the authenticity of the applicants for issuance and revocation of certificates and undertaking measures for checking proper identification documents of the subscribers.
   Issuance, revocation and publication of certificates.
   Delivery, storage and archiving of certificates and Certificate Revocation Lists.


2.2.3 Limitation from one Certification Authority to another.

Each Certification Authority may have operating procedures that differ from those of another. These differences shall cover, but are not limited to, the following aspects:

   Price
   Reliance Limit
   Key generation
   Repository
   Other differences due to operational matters.


2.3 Certificate

2.3.1 Definition

The certificate format is an open standard, X.509, which is the popular international standard for certificates.

2.3.2 Certificate Types

Certificate type means the class of certificate to be used by the Cardholder set forth by the Certification Authorities to be used with MyKad.

The class of certificate here would depend on the verification process done by the Certification Authorities. At present the Certification Authorities have decided to issue Class 2 certificates for MyKad, which is subject to future notices from the Controller of Certification Authorities.

The certificate type to be used shall have the most stringent verification process and highest reliance amount provided by the Certification Authorities, dependent on the usage of the certificate (i.e. Signing).

2.3.3 Certificate Fees

The fees shall be controlled by the Certification Authorities and approved by the Controller of Certification Authorities.

2.3.4 Certificate Profile/ Properties

The certificate content and properties shall be made common for all the Certification Authorities for certain subject fields: -

   Common Name (Name as per National Registration Identity Card or NRIC)
   MyKad NRIC Number


2.3.5 Certificate Lifetime

The certificate shall be valid for a maximum of 3 years, upon expiry of which the Cardholder shall renew the certificate from any Certification Authorities.

The minimum lifetime of certificate shall be at least 1 year.

2.3.6 Certificate Generation

The certificate generation must be able to be performed only by authorised parties (i.e. Certification Authority).

The generation of keys must be controlled, such as by the use of a security mechanism (SAM) that authenticates the card before the certificate is generated.

The use of SAM is needed whenever the secure area of the certificate in the card needs to be accessed.

Certificate Management on MyKad shall be able to be controlled by the Certification Authorities.

2.3.7 Publication and Repository

The publication and repository on the certificate shall be handled by the Certification Authorities based on the Certification Authorities operation and business model.

2.4 Key Management

2.4.1 Definition

The RSA key pairs (Public and Private) stored within the MyKad card must be generated according to open standard requirements and must work independently with the certificates of any Certification Authorities. With these RSA key pairs within the MyKad card, the Cardholder has the freedom of choice to request a certificate from any Certification Authorities.

2.4.2 Key size

As a minimum requirement, the key is to be generated with a length of 1024 bits, but future algorithms and extended life expectancy requirements may require longer key lengths (e.g. 2048 bits and greater).

2.4.3 Key pairs

   RSA Key Pairs Format

The key pairs format shall be based on RSA PKCS#1 V2.1 format.

   Number of Key Pairs in GMPC card

For MyKad implementation a minimum of two key pairs, public and private keys, are required to be generated by the card.


2.4.4 Key Generation requirements

   In the context of MyKad, the keys have to be generated within the chip of the card.
   Key generation must be able to be performed only by the authorised parties (i.e. Authorised Certification Authorities or the Cardholder).
   The generation of keys must be controlled, such that the Certification Authorities authenticate the cardholders while a security mechanism (SAM) authenticates the cards before keys are generated.
   The use of SAM is needed whenever the secure area of the keys in the card needs to be accessed.
   Key pair generation on MyKad shall be able to be controlled accordingly.
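
The following Go program is an added example, not part of the guideline or of any Certification Authority's software. It checks an X.509 certificate against the limits in sections 2.3.4, 2.3.5 and 2.4.2; carrying the NRIC number in the subject serialNumber attribute, the names Policy, CheckProfile and makeSampleCert, and the sample subject values are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the limits stated in the guideline (type and field names are hypothetical).
type Policy struct {
	MinRSABits int // section 2.4.2: 1024 bits minimum, longer keys foreseen
	MinYears   int // section 2.3.5: lifetime of at least 1 year
	MaxYears   int // section 2.3.5: lifetime of at most 3 years
}

// GuidelinePolicy uses the values given in the text.
var GuidelinePolicy = Policy{MinRSABits: 1024, MinYears: 1, MaxYears: 3}

// CheckProfile returns one finding per violated requirement.
// An empty result means the certificate meets the policy.
func CheckProfile(cert *x509.Certificate, p Policy) []string {
	var findings []string

	// Sections 2.4.2 and 2.4.3: RSA key pair of at least the minimum size.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		findings = append(findings, "public key is not RSA")
	} else if bits := pub.N.BitLen(); bits < p.MinRSABits {
		findings = append(findings,
			fmt.Sprintf("RSA modulus is %d bits, minimum is %d", bits, p.MinRSABits))
	}

	// Section 2.3.5: compare with calendar arithmetic so leap years do not matter.
	if cert.NotAfter.Before(cert.NotBefore.AddDate(p.MinYears, 0, 0)) {
		findings = append(findings,
			fmt.Sprintf("lifetime is shorter than %d year(s)", p.MinYears))
	}
	if cert.NotAfter.After(cert.NotBefore.AddDate(p.MaxYears, 0, 0)) {
		findings = append(findings,
			fmt.Sprintf("lifetime is longer than %d year(s)", p.MaxYears))
	}

	// Section 2.3.4: common subject fields.
	if cert.Subject.CommonName == "" {
		findings = append(findings, "subject has no Common Name")
	}
	// Assumption: the NRIC number is carried in the serialNumber attribute (OID 2.5.4.5).
	if cert.Subject.SerialNumber == "" {
		findings = append(findings, "subject has no NRIC number (serialNumber)")
	}
	return findings
}

// makeSampleCert builds a self-signed certificate with constructed values so the
// check can be run offline. It is test scaffolding, not an issuance procedure.
func makeSampleCert(cn, nric string, bits, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed date
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, SerialNumber: nric},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: 5-year lifetime and no NRIC number, both outside the profile.
	cert, err := makeSampleCert("SAMPLE CARDHOLDER", "", 1024, 5)
	if err != nil {
		panic(err)
	}
	for _, f := range CheckProfile(cert, GuidelinePolicy) {
		fmt.Println("FAIL:", f)
	}
	// The same check with a longer key requirement, as section 2.4.2 anticipates.
	strict := Policy{MinRSABits: 2048, MinYears: 1, MaxYears: 3}
	for _, f := range CheckProfile(cert, strict) {
		fmt.Println("FAIL (2048-bit policy):", f)
	}
}
```
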


3.0 Application of Digital Certificate.

3.1 Digital Certificate New Issuance

3.1.1 Definition

This section shall describe the procedure for the application, issuance, acceptance and usage of a digital certificate. These procedures shall enable the cardholder to be identified while transacting over the digital environment. It shall also include the requirements and obligations with which digital certificate management shall comply, in accordance with the Digital Signature Act 1997 and Digital Signature Regulations 1998.

3.1.2 Requirements

Prior to providing public-key certification services to the cardholders, the Certification Authorities shall ensure that these cardholders are well informed about digital certificates; the scope of the digital signature legislation; its certificates policies and practices; obligations and limitations of its services and the responsibilities of the cardholders. This shall reflect the publication and maintenance of an up-to-date Certification Authority’s Certificate Practice Statement (CPS) in a publicly accessible repository or web site of the Certification Authorities.

A cardholder applying for the digital certificate shall comply with all the Certification Authorities' requirements. The Certification Authorities Neutral Design adopted by the Government shall enable the cardholder to apply for the digital certificate at any of the Certification Authorities of the cardholder's choosing.

In order to meet the requirements of the Certification Authorities, the cardholder shall provide information including, but not limited to, the following, to be included in the digital certificate as standard information required by the Certification Authorities:

   Cardholder’s full name as in NRIC.
   The new National Registration Identity Card (NRIC) Number


This information shall be incorporated in the digital certificate issued by both Certification Authorities. The details have been agreed by both Certification Authorities as part of the design for the MyKad digital certificate requirements and thus shall not restrict the cardholder to a particular Certification Authority.

This shall be obtained by completing the application form at the application stage. The cardholders shall be advised that not all the information requested should appear in the digital certificate. In this case, all the information not included in the digital certificate shall be kept confidential between the Certification Authorities and the cardholder and never be disclosed to third parties at any time without the consent of the cardholder.

The method of identification and verification shall also differ depending on the Certification Authorities chosen by the cardholder. The Certificate Practice Statement (CPS) of each Certification Authority shall govern the policy and regulations of the digital certificate application and usage.

3.1.3 Mode of establishing application

   Only natural persons with Malaysian nationality issued with MyKad may apply for the digital certificates.
   All digital certificate applications shall be issued with Class 2 digital certificates.
   The validity period of the digital certificate shall vary from a minimum of one (1) year, to the maximum of three (3) years. (Depending on the requirements, usage and application by the cardholder).
   Cardholder can obtain a Class 2 certificate from Certification Authorities by:

* Online application – Internet Certificate Purchase; or
* Being physically present at the outlet/office of the Certification Authorities or its appointed Agents, whichever is most convenient to the cardholder.

   Key pairs generated are securely stored in:

* ISO 7816 compliant smart card - Key pairs shall be generated by the cardholders beforehand at the time of the smart card issuance.


3.2 Digital Certificate application

The following section shall outline the procedures for applying for a certificate and reviewing the certificate application. It shall specify the requirements for obtaining digital certificates and briefly describe the certificate application process, to comply with the digital certificate policies and procedures within the Government and Certification Authorities requirements.

   MyKad, upon key pairs generation, shall contain an unpersonalised RSA private-public key pair. These key pairs shall be used by the Certification Authorities upon the issuance of the digital certificate.
   The Certification Authorities, upon receiving the application for digital certificates from MyKad cardholders, must accept the application without any prejudice, unless any of the reasons stated in Section 3.3.2 causes the Certification Authorities to refuse to issue digital certificates.
   Each cardholder shall voluntarily approach any of the Certification Authorities in order to apply for the digital certificate.
   The application of digital certificate shall be charged with digital subscription fees depending on the Certification Authorities’ authorised fees approved by the Controller of Certification Authorities. Methods of payment shall be based on the Certification Authorities requirements and acceptance. The cardholder is advised to acquire the payment modes from the Certification Authorities before applying for the certificate.
   The cardholder applying for the digital certificate shall complete the application form provided by the Certification Authorities and follow all the steps and instructions for the application and issuance of the digital certificate to take place.
   All certificate registrations shall be accompanied by supporting documentation as part of the verification requirements. The supporting documents required shall differ from one CA to another. The cardholder is advised to provide the supporting documentation according to the instructions provided by the Certification Authorities upon the certificate application.
   The Certification Authorities shall inform the cardholders of the mandatory fields’[1] usage for the implementation of multiple certificate application. The Application Providers are advised to use the mandatory fields as to maximise the usage of MyKad.


In order to initiate the certificate application, the cardholder requiring the digital certificate shall be responsible to initiate an application request at any of the appointed Certification Authorities. There shall be two (2) modes of digital certificate registration:

   Online Registration – Internet Certificate Purchase
   Physical Registration – walk in to the CA offices and its appointed agents for the digital certificate purchase.


3.2.1 Online Registration

The objective of the Online Registration module offered to the cardholders is to make registration convenient for Malaysian citizens applying for the digital certificate. This shall enable the cardholders to apply for the digital certificate directly with the Certification Authorities without being physically present at the CA offices. In order for the cardholder to initiate an application, the cardholder shall first have a smart card reader with the Client API ready and installed at the cardholder workstation.

The cardholder shall follow the instructions to set up the Smart Card Reader and Client API at the workstation before starting the application for a digital certificate over the Internet.

The cardholder shall ensure that Internet connectivity is available and the smart card reader is installed at the workstation. The cardholder shall initiate the digital certificate purchase process via the cardholder workstation by inserting the smart card into the smart card reader and going to the specific website of the Certification Authorities to initiate the application.

The cardholder shall fill in the required information on the registration page. At this level, the cardholder is advised to follow all the instructions provided and ensure that all the required fields are filled in accordingly. The Certification Authorities shall advise payment modes for the online registration accordingly during the application.

Upon the completion of the certificate application and clearance of payment, the digital certificate shall be installed in the smart card and is ready for usage.

3.2.2 Physical Presence Registration.

The application for this method shall require the cardholder to be physically present at the Certification Authorities' offices or those of its appointed agents, whichever is most convenient to the cardholder. Please be advised that methods of registration shall differ between the Certification Authorities, and shall therefore reflect the instructions and requirements of the application and verification procedures that take place.

Generally, the cardholder that presents himself before the Personnel of the Certification Authorities or its appointed agents shall:

   Fill in an application form.
   Present MyKad.
   Present identification documents and the photocopies (if applicable).
   Make payment by using one of the following methods (whichever applicable):

* Cash
* Credit card
* Cheque
* Postal order
* Other modes of payment deemed fit by the Certification Authorities.


The issuance of digital certificate for physical presence registration shall be immediate after all the requirements are completed and the verification is successfully performed.

3.2.3 Validation of Certificate application

The validation of cardholder’s requirements for the digital certificate application shall differ between the Certification Authorities. The level of validation detail is commensurate with the level of trust guaranteed by the certificate.

Should the validation of the application fail at any stage due to reasons outside of the Certification Authorities' control, the Certification Authorities shall have the right to refuse or reject the application. Please refer to 3.3.2 for reasons of certificate refusal.

Should the application be refused or rejected, the Certification Authorities shall take the necessary steps to inform the cardholder of this matter and shall ask the cardholder to apply again.

Upon receipt of the digital certificate applications from the cardholder, the relevant Registration Personnel at the Certification Authorities shall perform the validation requirements to identify the cardholder.

The Certification Authorities shall confirm that:

   The cardholder is the person applying for the digital certificate and the details of the information provided are to be listed in the digital certificate issued by the Certification Authorities.
   The cardholder has agreed to be bound by the Terms and Conditions of the Cardholders Agreement.
   The information provided by the cardholder is accurate as per the NRIC of the cardholder.
   The cardholder has presented the supporting documents as part of the application verification.


3.3 Digital Certificate Issuance

3.3.1 Certificate Issuance Process

The Certification Authorities shall be responsible for ensuring that the digital certificate application is fully verified, accepted and further processed accordingly. The Certification Authorities are to comply with the rules and regulations as described in the Certification Authorities’ CPS and based on each Certification Authority's operational methods.

Upon satisfactory verification of the cardholder’s identity within the application, the Certification Authorities shall ensure that the certificate will not contain any factual misrepresentations and that no errors shall be made in the data entries upon acceptance of application and certificate generation/ issuance.

The Certification Authorities shall take all the information submitted by the cardholder as true and accurate after verification has been performed accordingly by the Certification Authorities prior to the certificate issuance. The Certification Authorities shall not be responsible for investigating and monitoring the accuracy of the information after the certificate issuance. Should there be any inaccuracy or change affecting the information, or should some of the information no longer be applicable to the certificate, the certificate shall be revoked accordingly on the basis of a revocation initiated by the cardholder, and the new digital certificate shall be applied for at the cardholder’s cost.

The Certificate Issuance Process shall reflect the operational matters of the Certification Authorities and each Certification Authority shall issue the digital certificate accordingly.

3.3.1.1 Online Registration.

The cardholder shall follow all the requirements set for the certificate issuance.

   The cardholder shall initiate the certificate purchase process via the cardholder workstation. The cardholder shall be advised to keep the smart card in the smart card reader at all times during the digital certificate issuance.
   Upon getting requests from the cardholders, the Certification Authorities shall receive the application information and check it against the details extracted from the NRIC database in MyKad.
   The Certification Authorities shall notify the cardholder to attach/ send the documentation online and fill in the payment information. The methods of payment shall differ depending on the Certification Authorities and the cardholder shall follow the instructions on the payment methods for the digital certificate to be issued.
   Upon acceptance and clearance of the subscription fees payment, the Certification Authorities shall notify the cardholder on this matter and the certificate issuance process shall start. The cardholder shall be advised to keep the smart card in the smart card reader at all times during the digital certificate issuance.
   The cardholder shall be instructed to perform authentication and proceed with the certificate issuance online.
   Upon receiving the smart card responses, the cardholder workstation is authorised to load or renew the digital certificate to the smart card. It will proceed with the certificate purchase operation.
   Once the digital certificate has been successfully installed, the cardholder is able to use the digital certificate accordingly.


3.3.1.2 Physical Registration.

The cardholder shall follow all the instructions for digital certificate application via physical presence.

   The cardholder shall be physically present at the Certification Authorities or any other appointed agents for the certificate application.
   Only the cardholder shall be able to apply for the digital certificate. At no time shall the cardholder appoint any other individuals to apply for the digital certificate on their behalf. The Certification Authorities have the right to refuse the application should this matter arise.
   The mode of physical application shall differ from one Certification Authority to another. Where applicable, the cardholder shall refer to the Certification Authorities on the procedures to apply physically.
   As part of the verification requirement, the Certification Authorities shall verify the cardholder with MyKad presented during the application.
   The issuance of the digital certificate upon physical presence of the cardholder shall be immediate, unless being informed accordingly by the Registration Personnel of the Certification Authorities due to circumstances that cannot be avoided.


For both registration methods, the cardholder shall set their own PIN/ password for the digital certificate usage. The details of the PIN/ password requirement shall be reflected in Part 2.3.

3.3.2 Refusal to issue a certificate

An application can be refused under the following conditions:

   The cardholder is blacklisted
   The cardholder has knowingly or unknowingly provided false or misleading information in the application
   The information contained within the application has changed in such a manner that it shall be grossly inaccurate to allow the certificate to be issued without the information being updated
   Violation of the DSA or the DSR
   The cardholder provides incomplete, falsified or fraudulent information.
   The identity of the cardholder cannot be verified.
   The cardholder failed to make payment (e.g. defaulted cheque).
   MyKad contains certificates issued by other Certification Authorities.
   Any combination of the above.
   Any other reasons deemed fit for the Certification Authorities to refuse the application.


If the application is refused/cancelled, the cardholder shall be notified of this fact and the Certification Authorities shall advise the cardholder to reapply for the digital certificate.

3.3.3 Time of certificate issuance

The Certification Authorities will make reasonable efforts to adhere to the following time-schedule of the certificate application and information confirmation in issuing certificates. However, no guarantees can be provided as circumstances beyond the control of Certification Authorities may inhibit such adherence. In particular, the timeliness of the following schedule will depend on the amount of co-operation received from the cardholder, including but not limited to payment, and the provision of accurate and complete information. Incomplete application forms will invariably cause the application to be delayed or rejected.

All time frames quoted depend upon the receipt of the confirmation to proceed with the application from the cardholder.

3.3.4 Certificate validity and operational periods

All the digital certificates shall be valid and operational upon the day of the issuance and the acceptance of the digital certificate by the cardholders.

The standard operational period for all the digital certificates issued by the Certification Authorities shall have a minimum validity period of one (1) year, to the maximum of three (3) years, except in certain circumstances such as earlier termination of the operational period due to suspension or revocation.

Digital certificates issued by the Certification Authorities must be renewed periodically. The cardholder shall refer to the Renewal procedures listed in Part 4.4 on how to renew the digital certificate.

3.4 Certificate Acceptance and Usage

This section outlines the certificate acceptance requirements by the cardholders, methods of certificate acceptance and cardholder’s representation upon the certificate acceptance.

3.4.1 Methods of certificate acceptance

The cardholder shall indicate the digital certificate acceptance upon receiving the digital certificate in MyKad and upon the first usage of the digital certificate.

3.4.2 Cardholder Representation upon Acceptance

The cardholder shall be deemed to certify and accept the digital certificate issued to them. By accepting the digital certificate, the cardholder shall agree to:

   Be bound to the obligations, duties and responsibilities imposed by the Terms and Conditions, agreements and the Certificate Practice Statement (CPS) between the Certification Authorities and the cardholder.
   Certify that all the information submitted to the Certification Authorities during the application and identity verification is true. The cardholder shall also ensure that all the information listed in the digital certificate is true.
   Hold the private keys corresponding to the public keys listed in digital certificate and ensure that no unauthorised person at any time shall have access to the private key corresponding to the digital certificate.
   The certificates containing public key that is intended for verifying digital signature created using the corresponding private key, shall only be used for its intended usage.
   Digital certificates shall not be used in an illegal or discriminatory manner including, but not limited to, trafficking of illegal material, engaging in activities that compromise national security and utilising the certificate for accessing illegal material.
   The cardholder acknowledges the recommended Reliance Limit for the digital certificate purchased. Further information of Reliance Limit of the digital certificate can be obtained from the CPS of the Certification Authorities.


3.4.3 Digital Certificate Usage

The implementation of PKI capability in MyKad, along with the usage of Digital Certificates, shall provide a few key benefits. There shall be two (2) sets of digital certificates in MyKad. Each certificate shall have its own functions, to be performed in accordance with the Digital Signature Act 1997 and Digital Signature Regulations 1998. The usage of each digital certificate is set out below:

   First set of digital certificate – digital signature (the cardholder uses their private key to carry out this function)
   Second set of digital certificate – authentication and encryption (the cardholder uses the public key to carry out this function)


4.0 Digital Certificate Renewal

4.1 Definition

This section shall describe the cardholder’s obligations in handling digital certificate expiration and certificate renewal. It shall detail what the cardholder shall receive prior to the digital certificate expiration and the procedures to be taken to initiate the digital certificate renewal.

4.2 Requirements

The digital certificate renewal process shall differ from one Certification Authority to another. The cardholder shall be advised to consult the Certification Authorities on the procedure for certificate renewal in addition to referring to this documentation. The requirements shall also reflect the CPS of the Certification Authorities.

4.3 Digital Certificate Expiration

All digital certificates issued shall carry a certain validity period, and the date of certificate expiry shall be specified in the digital certificate. Upon reaching the end of the certificate validity period, the cardholder shall be notified of the digital certificate expiration by the Certification Authorities.

4.4 Notice prior to Expiration

Upon the digital certificate expiry, the Certification Authorities shall make a reasonable effort to provide an Expiration Notice to the cardholder on the expiry date. Such notices are intended for the cardholders’ convenience to renew their digital certificate prior to certificate expiration.

The cardholders are to be reminded that the expiration notice templates, modes of notice delivery and the frequency of the digital certificate expiration shall differ between the Certification Authorities, depending on the operational requirements and practices of the Certification Authorities.

4.5 Effect on Digital Certificate Expiration

Expired certificates will not be revoked or removed. Upon expiration of the certificate, the cardholders can either:

   Cease to be a cardholder; or
   Renew the expired certificate.


However, the expiry of the digital certificates shall not affect the duties and obligations of the cardholder and the Certification Authorities incurred under and in relation to the expired digital certificates.

4.6 Procedure for Digital Certificate Renewal

The procedures for certificate renewal shall be similar to the initial certificate application process. The cardholder needs to submit a new application form and confirm a proof of identification (e.g. NRIC) upon the renewal application. Supporting documents need not be submitted for the renewal process. Please refer to Part 3.2 for Certificate Application.

5.0 Digital Certificate Suspension/Revocation

5.1 Definition

Revocation means that the cardholder shall no longer be able to use the digital certificate once the certificate has been terminated, while certificate suspension refers to putting the certificate on hold for some period of time before it can be used again. This section shall describe the circumstances for the digital certificate to be revoked or suspended. It shall also detail the common revocation or suspension reasons, procedures to initiate revocation and suspension, and certificate deletion upon requests from the Suspension or Revocation of certificates can occur due to the reasons specified in Part 5.3.

5.2 Requirements

In the event that the Certification Authorities believe or have reason to believe, due to reliable evidence or while acting in good faith, that a certificate should be suspended or revoked, the Certification Authorities will take all necessary steps to do so even if this is without the consent of the cardholder.

In most instances, the suspension or revocation occurs when there is a security breach of the private key or the certificate will materially affect the truth of the information reflected in the certificate and thus possibly mislead a person relying on that information.

In the event that the cardholder requests a revocation or suspension, the Certification Authorities shall take all necessary precautions to verify the identity of the cardholder. Suspension and Revocation shall not proceed without verification that the requesting party is indeed the cardholder.

5.3 Circumstances for Suspension/ Revocation

Revocation of the digital certificate shall be initiated by either the cardholder or the Certification Authorities due to, but not limited to the following reasons:

   Certificate became unreliable due to:

* A change of affiliation of the certificate subject
* Breach of the private key’s security including unauthorised use
* The certificate and/or private key (including the media in which the only copy is stored e.g. smart card) is lost, stolen, corrupted or damaged
* Other reasons
* The certificate holder ceases to exist (including death); or
* The cardholder failed to collect the certificate within a specified time limit.
* Breach of the private key’s security including unauthorised use;
* The media / token containing the private key is lost or damaged
   Certificate revocation could be initiated by CA when one or a combination of the following conditions has occurred:

* Upon such instruction from the Controller or upon the requirements of an applicable law.
* The certificate was not issued in accordance with the requirements of Section 29 and 30 of DSA;
* Certificates become unreliable due to the following:
* Breach of the private key’s security including unauthorised use;
* The information contained within the certificate as supplied by the cardholder has changed in such a manner that it will be grossly inaccurate to allow the certificate to continue to be operative without it being withdrawn and updated;
* The applicable obligations, terms and conditions under this CPS have been materially breached by the certificate holder; or
* A material fact contained in the certificate is misstated or known to be misstated.


The above list is not meant to be exhaustive but merely to highlight the more common cases of suspension or revocation. Should the suspension/ revocation be carried out, a notice of revocation will be sent to the cardholder.

The Certification Authorities shall notify the cardholder via email or other means of communication deemed appropriate. The contact information of the cardholder that was submitted during the application stage or that was subsequently updated in the digital certificate will be used as the destination for the transmission of this notice.

5.4 Who can request Suspension/ Revocation

The following parties can initiate digital certificate revocation with regard to the MyKad:

   The owner of the digital certificate – the cardholder initiated.
   Certification Authorities/ Controller initiated


5.5 Procedure for Suspension/ Revocation Request

The practices and procedures for applying for and processing digital certificate suspension/ revocation shall differ from one Certification Authority to another. The cardholder shall be advised to refer to the related Certification Authorities to initiate suspension or revocation, in addition to these guidelines, to get a clear view of how the certificate suspension/ revocation can be performed.

The cardholder shall have the choice to either:

   Walk in to the premises of the Certification Authorities or any of the Certification Authorities’ appointed agents and fill in the Suspension/ Revocation of Certificate Form; or
   Request suspension/ revocation online.


For a walk-in request, the Certification Authorities Personnel shall positively identify the requestor via the NRIC or any other documentation as proof of identity. Photocopies of the national identity card shall not be accepted as proof of identity.

For an online request, the cardholder shall follow the instructions provided by the Certification Authorities.

Upon satisfactorily verifying the request, the Personnel shall perform the suspension/ revocation accordingly. The cardholder shall be informed upon successful suspension/ revocation of the digital certificate.

5.5.1 Reinstatement of the digital certificate being suspended.

In order for the suspended digital certificate to be effective, the digital certificate shall first be reinstated. Digital certificate Reinstatement shall be described as the termination of suspension initiated by request. By terminating the suspension of the digital certificate, the cardholder shall be able to use the digital certificate for the purposes described in Part 3.4.

The cardholders shall be advised that the operational modes for certificate suspension shall differ from one Certification Authority to another; the Certification Authorities shall therefore be consulted for further clarification.

The cardholder shall perform the reinstatement by making an online request or by being physically present at the Certification Authorities or any of their appointed agents to fill in the Suspension/Reinstatement and provide identification for verification.

Upon successfully verifying the cardholder, the Personnel of the Certification Authorities shall reinstate the digital certificate accordingly.

Upon successful reinstatement of the digital certificate, the cardholder shall be able to perform certificate usage as described in Part 3.4.

5.6 Effect of Suspension/ Revocation

Upon revocation, the operational period of the digital certificate shall be immediately considered terminated. For certificate suspension, the operational period of the certificate shall be immediately considered terminated temporarily until the certificate is reinstated.

The certificate shall be suspended/ revoked within a 24 hour time period. The Certificate Revocation List (CRL) shall also be updated within 24 hours to reflect this revocation. Where time permits, the updated CRL shall be published at the end of the business day or at the latest by the end of the next business day.

5.7 CRL Issuance Frequency

All suspensions/ revocations shall be updated in the CRL automatically within 24 hours after the suspension/ revocation at the system. The Certification Authorities shall publish the CRL in its repository and other recognised repository (if available) immediately after the certificate is suspended/ revoked. Cardholders with revoked certificates are allowed to reapply for a new certificate at the discretion of the CA.

Under no circumstances can the revoked certificate be reinstated to its original state after revocation.

For certificate suspension, the digital certificate shall be removed from the CRL upon certificate reinstatement.

5.8 CRL Revocation Status

The Certification Authorities shall keep and maintain a Certificate Revocation List that shall contain a list of all the certificates revoked and temporarily suspended by the Certification Authorities together with the date and time of the certificate revocation.

Status of revocation will be made available in a publicly accessible Certificate Revocation List (CRL). The Certification Authorities shall publish the revocation status on the website that the Certification Authorities deem appropriate.
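
The status rules of Parts 5.6 to 5.8, together with the expiry rule of Part 4.5, can be modelled as a small state machine. The following Python example is an added illustration, not code from these guidelines or from any Certification Authority; the class and function names, the in-memory CRL, the sample serials and dates, and the relying-party rule that treats a CRL older than 24 hours as stale are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Parts 5.6/5.7: the CRL reflects a suspension/revocation within 24 hours.
# Treating an older CRL as stale is an assumption made for this example.
CRL_MAX_AGE = timedelta(hours=24)


@dataclass
class Certificate:
    serial: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """Hypothetical in-memory model of a CA's CRL (Part 5.8)."""
    published: datetime
    entries: dict = field(default_factory=dict)  # serial -> (state, date and time)

    def suspend(self, serial, when):
        if serial in self.entries:
            raise ValueError("certificate is already suspended or revoked")
        self.entries[serial] = ("suspended", when)
        self.published = when

    def revoke(self, serial, when):
        if self.entries.get(serial, ("", None))[0] == "revoked":
            raise ValueError("certificate is already revoked")
        self.entries[serial] = ("revoked", when)  # also ends any suspension
        self.published = when

    def reinstate(self, serial, when):
        state = self.entries.get(serial, (None, None))[0]
        if state == "revoked":
            raise ValueError("a revoked certificate cannot be reinstated")
        if state != "suspended":
            raise ValueError("certificate is not suspended")
        del self.entries[serial]  # Part 5.7: removed from the CRL
        self.published = when


def check(cert, crl, now):
    """Relying-party decision for one certificate at time `now`."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"  # Part 4.5: expiry is separate from the CRL
    if cert.serial in crl.entries:
        return crl.entries[cert.serial][0]
    if now - crl.published > CRL_MAX_AGE:
        return "crl-stale"  # absence from an old CRL proves nothing
    return "valid"


def demo():
    """Constructed timeline; serials and dates are sample values."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    a = Certificate("01", t0, datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc))
    b = Certificate("02", t0, datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc))
    crl, seen = CRL(published=t0), []
    seen.append(check(a, crl, t0 + hour))             # valid
    crl.suspend("01", t0 + 2 * hour)
    seen.append(check(a, crl, t0 + 3 * hour))         # suspended
    crl.reinstate("01", t0 + 4 * hour)
    seen.append(check(a, crl, t0 + 5 * hour))         # valid
    crl.revoke("01", t0 + 6 * hour)
    seen.append(check(a, crl, t0 + 7 * hour))         # revoked
    try:
        crl.reinstate("01", t0 + 8 * hour)
    except ValueError:
        seen.append("reinstate-refused")
    seen.append(check(b, crl, t0 + 31 * hour))        # crl-stale (CRL is 25 h old)
    seen.append(check(b, crl, t0 + 400 * 24 * hour))  # expired
    return seen


if __name__ == "__main__":
    print(demo())
```

A relying party that only tests for presence on the CRL would accept certificate "02" against the 25-hour-old list; the staleness branch is what ties the check to the 24-hour update requirement.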

5.9 Key and Certificate Deletion

Key and certificate deletion can be described as removing the old key pairs and digital certificate from the smart card, whereby the X.509 certificate inserted via SAM would be removed via SAM. The purpose of key deletion is to initiate the new key pair generation for the application of new digital certificates.

Digital certificate deletion shall be initiated by the cardholder due to, but not limited to the following reasons:

   The cardholder wishes to switch the service from one Certification Authority to another.
   The cardholder wishes to terminate the service of one Certification Authority by initiating the revocation and requesting the digital certificate to be deleted from the smart card.
   Due to other reasons deemed fit and agreed by the cardholder and Certification Authorities.


In order to remove the old key pairs, the cardholder can apply for new key pair generation from any Certification Authority without referring to the Certification Authority which managed the generation of the old key pairs. Upon the cardholder’s application for the new certificate, the Certification Authorities shall proceed with the digital certificate issuance as described in Section 3.2. Should the application go to the same Certification Authority as the previous application, the respective Certification Authority need only overwrite the old key pairs with the new keys. Should the application go to a different Certification Authority, the Certification Authorities shall have no obligation to inform each other of the overwriting of the key pairs to issue new certificates. The certificates shall be issued according to the respective Certification Authority’s operation and business model.

In the event that the cardholder holds a digital certificate from the current Certification Authority and wishes to overwrite his/her digital certificates, the new Certification Authority is obliged to inform the cardholder of the digital certificate and public/private key replacement.

It is the sole responsibility of the cardholder to ensure that the current digital certificates residing in MyKad are properly revoked before applying for new certificates from a different Certification Authority, to avoid the possibility of disputes and fraud occurring in the future. Further details of certificate revocation are given in Section 5.0.

6.0 Complaints/ Problem Handling

This section shall describe the procedures for handling complaints and problems related to the management of digital certificates by the cardholder. This shall include the actions to be taken by the cardholder should problems arise, ranging from the smart cards to digital certificate management. The subsections below shall guide the cardholder on how to manage the problems accordingly.

6.1 Loss of SmartCard

Should any of these happen, the cardholder shall perform the following:

   The cardholder shall follow procedures similar to the current procedures for the loss of NRIC.
   The cardholder shall check with the respective Certification Authorities for further revocation. It is the sole responsibility of the cardholder, at all times, to ensure that the digital certificate is revoked immediately.
   The Certification Authorities shall not be responsible for any disputes and liabilities due to the negligence of the cardholders. Shall
   The cardholder shall be advised by the Certification Authorities to reapply for the digital certificates at the cardholder’s cost. Certification Authorities shall not cover any digital certificate cost due to the cardholder’s negligence.


6.2 Lost/ Forgotten PIN

Please refer to Section 2.5.3 for PIN Reset. The cardholder shall always check with the Certification Authorities on methods to handle the PIN Reset.

6.3 Smart Card Block

All smart cards shall have some security features to prevent the smart card from being illegally used by an unauthorised person. For security purposes, the smart card shall be blocked after three (3) consecutive wrong attempts.

The cardholder shall refer to the Certification Authorities for PIN Unblocking procedures in order to proceed with the certificate usage.

6.4 Faulty Smart Card

Smart card faults can occur due to the following:

   Before and during the digital certificate application
   Should the problem occur, the cardholder shall be advised to check with the National Registration Department for further action.

   Physical damage
   The cardholder shall observe the following when assessing whether the cards have been tampered with or are physically damaged:
o   a damaged IC (integrated circuit) chip - evidence of attempted chipping, peeling, cutting or removal of the chip shall be considered as tampering;
o   a broken card;
o   evidence of exposure to corrosive chemicals or high temperatures (the card may be partially melted);
o   scratches on the IC chip; or
o   foreign material on the IC chip such as glue, paint, shellac etc. (this may prevent the IC chip from contacting the reading point in the smart card reader).


Should any of these happen, the cardholder should check with the respective Certification Authorities for further revocation and shall be advised by the Certification Authorities to reapply at the cardholder’s cost. Certification Authorities shall not cover any digital certificate cost due to the cardholder’s negligence.

6.5 Key Compromise

The reasons for key compromise are as follows:

   Loss of card.
   Error in first time generation
   Any other reasons that would lead to key compromise.


As the operational methods of handling key compromise shall differ from one Certification Authority to another, the cardholders are advised to refer to the Certification Authorities for further action.

6.6 Replacement of SmartCard

The replacement of the smart card can occur due to, but not limited to, the following:

   Mandatory change of the NRIC set by National Registration Department.
   Change of smart card due to additional information/ data to be added to the smart card.
   Any other reasons deemed fit by the National Registration Department and /or Certification Authorities.


6.6.1 Mandatory change

The National Registration Department shall require the cardholder to change the smart card due to the mandatory change as set in the Fee Charges of Jadual Keenam by National Registration Department.

Due to this, should the cardholder still hold the digital certificate in the smart card, the Certification Authorities shall charge minimum fees for the reissuance of the digital certificates in the smart card.

The reissuance fees imposed shall be at least 50% of the digital certificate’s cost, subject to approval from the Government, Certification Authorities and the Controller of CA.

The cardholder shall refer to the respective Certification Authorities on how to claim the digital certificates accordingly.

6.6.2 Change of smart card due to additional information/ data being added.

There are a few cases where the smart card shall be changed due to the additional data to be included in the smart card; for example new Driving License obtained.

Due to this, should the cardholder still hold the digital certificate in the smart card, the Certification Authorities may charge minimum fees for the reissuance of the digital certificates in the smart card.

The reissuance fees imposed shall be at least 50% of the digital certificate’s cost, subject to approval from the Government, Certification Authorities and the Controller of CA.

The cardholder shall refer to the respective Certification Authorities on how to claim the digital certificates accordingly.

6.7 Other Complaints

Should the cardholder have problems with the digital certificate, the cardholder shall contact the Certification Authorities Customer Service for further action. Should these problems result in revocation and reissuance due to the cardholder’s negligence, the cardholder shall bear the cost of the new digital certificate.
APPENDICES

Appendix 1 - Summary of CPS

The Certification Practice Statement (CPS) is a set of rules and regulations for all digital certificate subscribers to follow. The CPS shall advise potential subscribers of the rights and liabilities they shall rely upon in the application and usage of a digital certificate. Above all, the CPS shall govern the rights, duties and responsibilities of the Certification Authority, subscribers and all the parties involved in the usage of the digital certificates.

CPS shall include a statement of service and duties provided by the Certification Authority including:

   Fees and charges.
   Standard Operating Procedures.
   Certificate management inclusive of the certificate application, issuance, suspension and revocation of different classes of certificates available.
   Recommended Reliance Limit.
   Protection and use of data obtained from the customers.
   Repository and Certificate Revocation List.


CPS shall include the determination and advice on the duties and responsibilities of the customers with respect to:

   The key pair generation.
   Private key security.
   Certificate acceptance before the usage.
   Notification to the Certification Authorities on the compromise of subscriber’s public key.


Further representation of the CPS practices can be obtained in detail from the CPS of Certification Authorities available in their website.


Appendix 2 – FIPS-140-1 Specification

Security Level 2

Security Level 2 improves the physical security of a Security Level 1 cryptographic module by adding the requirement for tamper evident coatings or seals, or for pick-resistant locks. Tamper evident coatings or seals, which are available today, would be placed on a cryptographic module so that the coating or seal would have to be broken in order to attain physical access to the plain text cryptographic keys and other critical security parameters within the module. Pick-resistant locks would be placed on covers or doors to protect against unauthorised physical access. These requirements provide a low cost means for physical security and avoid the cost of the higher level of protection involving hard opaque coatings or significantly more expensive tamper detection and zeroisation circuitry.

Level 2 provides for role-based authentication in which a module must authenticate that an operator is authorised to assume a specific role and perform a corresponding set of services.

Level 2 also allows software cryptography in multi-user timeshared systems when used in conjunction with a C2 or equivalent trusted operating system. The ratings C2, B1 and B2 are in accordance with the TCSEC (see Appendix C). Many security experts feel that a trusted operating system is needed in order for software cryptography to be implemented with a level of trust comparable to hardware cryptography. This enables multi-user timeshared systems to implement cryptographic functions in software when this level of security is cost effective.
REFERENCES

  1.   Digital Signature Act 1997
  2.   Digital Signature Regulations 1998
  3.   Certification Practise Statement
  4.   MSC Trustgate.com Sdn. Bhd.
  5.   DIGICERT Sdn. Bhd.
  6.   RSA PKCS-1V2-1D2

© Copyright MSC Trustgate.com Sdn. Bhd., 2012 (CA License No.: LK 0022000).
All rights reserved.