TELIA COMPANY CA

Customer's Responsibilities

Customer Administrator acts in the role of Registration Officer when registering users for certificate application and when delivering private keys and certificates to users. This document includes Registration Officer instructions with the related responsibilities and obligations.

INSTRUCTIONS FOR REGISTRATION OFFICERS


These instructions are intended for use in the organizations of Telia Company's Customers that act in the role of Registration Authority. The Customer shall appoint one or several Registration Officers that have the right to register Users in the organization for certificate application. Every Registration Officer shall familiarize himself with these instructions and perform his duties accordingly.

Instructions for the software tools used by Registration Officers will be delivered separately.

  1. REGISTRATION OFFICER CERTIFICATE


    The Customer's Administrative Contact Person named in the contract between Telia Company and the Customer shall appoint one or more Registration Officers and order access to the registration system for them using a subscription form. Telia Company will deliver instructions to the Registration Officer describing how to sign in to the system and obtain a software certificate.

    The Customer's Registration Officer has the right, when required by the Administrative Contact Person, to add new Registration Officers to the system and to order or apply for access rights for them.

    The Registration Officer shall protect his authentication credentials and his workstation, and shall keep his PIN code to himself. A Registration Officer is personally responsible for any operations made using his access rights.

    When the Customer is using an application programming interface (API) supplied by Telia Company for User registration, the Registration Officer shall authenticate to the system with his own credentials.

  2. REGISTRATION OF USERS


    A Registration Officer is entitled to register only Users that belong to his own organization or have contractual relationships with his organization. The Users shall have authorization from the Customer's Administrative Contact Person to apply for a certificate.

    It is essential that a certificate is issued to the authenticated User. The Registration Officer shall ensure that the name information included in the certificate is correct and that the certificate is delivered to the correct address. The certificate application process shall be discontinued if a mistake occurs in that information. If a mistake is detected afterwards, the certificate containing incorrect information shall be revoked and a new certificate request with correct information shall be submitted.

    Information recorded earlier about a User by his company or organization may be used for User identification. When this is not appropriate, the User applying for a certificate shall prove his identity by presenting an identity card.

    If the User's name in the certificate is a pseudonym, the Registration Officer shall maintain information about the genuine identity of the User. The User's identity shall be available when necessary during the whole validity period of the certificate.

  3. DELIVERY OF CERTIFICATE, KEYS AND PASSWORDS FOR CERTIFICATE APPLICATION


    A Registration Officer shall ensure the delivery of the certificate and the associated private key to the rightful User and attend to their proper protection before delivery.

    When a one-time password is delivered to the User for application and creation of a software certificate, the Registration Officer shall ensure that the password is kept secret. If the Registration Officer applies for or creates a software certificate on behalf of the User, to be delivered via e-mail, he shall deliver the PIN code via a separate channel.

  4. GUIDANCE TO USERS


    Registration Officers shall give adequate guidance to the Users about the usage purposes of their certificates and how to use their private keys. As certificates are a part of the system used to protect the information systems of the organization, the Users shall be advised to follow the security instructions and policies of the organization also regarding certificates and private keys. The following security requirements for applying for and using certificates shall be emphasized:

    - When a User gets a private key into his possession, he is from that moment on responsible for the protection of his private key and shall prevent it from being lost, compromised or accessible by others.

    - The private key shall be protected by a PIN code. A PIN code associated with a software certificate shall comprise at least eight characters including alphabetic, numeric and special characters.

    - A PIN code associated with a private key shall be kept secret.

    - The User is personally responsible for any operations made using the private key associated with the certificate issued to him, irrespective of whether they were made by the User or by someone else, either without the User's permission or after receiving the PIN code and private key from the User.

    The Users shall be advised to submit a notification directly to Telia Company's Revocation Service or to the Registration Officer of the User's organization immediately when a User has reason to believe that his private key has been lost or become accessible to someone else, or his PIN code has been compromised, or if the certificate includes information that is no longer valid (e.g. User's name has been changed).

  5. REVOCATION OF CERTIFICATES


    When a User requires revocation of his certificate, the Registration Officer shall always submit a notification for revocation of the certificate to Telia Company's Revocation Service. The same applies when the Customer's Administrative Contact Person requires revocation of a User's certificate.

    The notification shall also be submitted when the Registration Officer has reason to believe that the User's private key or PIN code is not in his sole possession, or if the User does not follow the instructions given to him, based e.g. on this document, concerning usage of certificates and private keys.

    A notification for revocation shall also be submitted if it is known that the information in a certificate is no longer valid, or if the contract between the User and the Customer or between the Customer and Sonera changes or terminates so that the prerequisites for certificate usage cease to exist.

    The notification for certificate revocation shall always be submitted immediately once the reason for it becomes evident.

  6. REVOCATION OF REGISTRATION OFFICER CERTIFICATES


    A Registration Officer shall immediately submit a notification for revocation of his certificate when he has reason to believe that his private key has been lost or become accessible to someone else, or his PIN code has been compromised, or if the certificate includes information that is no longer valid (e.g. User's name has been changed).

    A Registration Officer shall submit a notification for revocation of the certificate of another Registration Officer when required by the Customer's Administrative Contact Person.

I accept these instructions for Registration Officers and undertake to comply with them.