1. Introduction and Overview
Name of the Certification Authority: "A1-Telekom-Austria-AG-IssuingCA01-Gold"
Purpose: This issuer statement describes the policies and practices of the certification authority "A1 Telekom Austria AG Gold".
Scope:
The certificates issued by "A1-Telekom-Austria-AG-IssuingCA01-Gold" are primarily used for securing and authenticating highly sensitive internal Tier 0 systems within the company infrastructure, including LDAPS, KDC, and Host Guardian Service. These certificates are also used for authentication, encryption, and security protocols across critical systems.
These certificates ensure that connections are authenticated and encrypted and that only authorized devices or users can access critical network systems. The certificates primarily serve the following purposes:
- Client Authentication:
Securely authenticates devices and users within sensitive internal networks.
- Server Authentication:
Used for authenticating servers in highly secure environments.
- LDAPS (LDAP Secure):
Secures LDAP traffic with TLS.
- KDC (Kerberos Key Distribution Center):
Lets Kerberos clients verify a domain controller's KDC certificate during PKINIT (smart-card and certificate-based logon).
- SmartCard Authentication:
Enables secure logon and authentication using SmartCard technology.
- Code Signing:
Ensures the integrity and authenticity of signed software code.
- Encrypted File System (EFS):
Enables secure encryption and decryption of sensitive files.
- Recovery Agent:
Allows recovery of encrypted data by authorized personnel.
- Host Guardian Service (HGS):
Secures communication for systems involved in the protection of virtualized environments.
- OCSP Signing:
Ensures the integrity and authenticity of OCSP responses for certificate revocation checks.
- NDES (Network Device Enrollment Service):
Automates certificate issuance for iLO/RIB hardware management interfaces.
2. Trust Level and Usage
"A1 Telekom Austria AG Gold" is responsible for issuing certificates at the highest "Gold" trust level. Gold certificates are reserved for the most sensitive systems within the A1 Telekom Austria AG infrastructure.
These certificates are intended for:
- Client Authentication
- Server Authentication
- Remote Desktop Authentication
- Code Signing
- File Encryption (EFS)
- Key Recovery Agent
- LDAPS
- KDC
- SmartCard Logon
- Host Guardian Service
- OCSP Signing
3. CA Responsibilities
- Ensuring the security of the CA's private key.
- Verifying the identity of all applicants before issuing certificates.
- Publishing and managing the CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol).
- For manually requested certificates, CA Manager approval is required before issuance.
4. Responsibilities of Certificate Holders
- Ensuring the secure storage of the certificate's private key.
- Using the certificate only for its authorized purpose.
- Immediate notification of the CA in case of suspected key compromise or misuse.
5. Technical Details
- Key Length: 2048-bit RSA (or higher if available)
- Certificate Format: X.509 Version 3 (v3, the version that carries extensions such as Extended Key Usage)
- Certificate Lifetime: up to 24 months
- Allowed Algorithms: RSA with SHA-256 (sha256WithRSAEncryption)
- Cryptographic Providers: Templates are configured to use the strongest cryptographic providers available.
- Extended Key Usage (EKU):
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
KDC Authentication (1.3.6.1.5.2.3.5)
SmartCard Logon (1.3.6.1.4.1.311.20.2.2)
Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2)
Code Signing (1.3.6.1.5.5.7.3.3)
Time Stamping (1.3.6.1.5.5.7.3.8)
Document Signing (1.3.6.1.4.1.311.10.3.12)
Key Recovery (1.3.6.1.4.1.311.21.6)
Encrypting File System (EFS) (1.3.6.1.4.1.311.10.3.4)
OCSP Signing (1.3.6.1.5.5.7.3.9)
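The profile above can be checked mechanically on a host that holds Gold certificates. The following PowerShell script is an added example and is not part of the issuer statement or an A1 tool; it assumes the issuer DN contains the CA name from section 1 ("IssuingCA01-Gold"), reads from the local machine store, and treats "up to 24 months" as at most 731 days.

```powershell
# Added example (not part of the A1 issuer statement): audit certificates in the
# local machine store against the Gold technical profile from section 5.
# Assumptions: the issuer DN contains "IssuingCA01-Gold" and "up to 24 months"
# means at most 731 days. Run in an elevated PowerShell on a Windows host.

# Allowed EKU OIDs, copied from section 5.
$AllowedEku = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.5.7.3.1',        # Server Authentication
    '1.3.6.1.5.2.3.5',          # KDC Authentication
    '1.3.6.1.4.1.311.20.2.2',   # SmartCard Logon
    '1.3.6.1.4.1.311.54.1.2',   # Remote Desktop Authentication
    '1.3.6.1.5.5.7.3.3',        # Code Signing
    '1.3.6.1.5.5.7.3.8',        # Time Stamping
    '1.3.6.1.4.1.311.10.3.12',  # Document Signing
    '1.3.6.1.4.1.311.21.6',     # Key Recovery Agent
    '1.3.6.1.4.1.311.10.3.4',   # Encrypting File System
    '1.3.6.1.5.5.7.3.9'         # OCSP Signing
)

function Test-GoldCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $findings = [System.Collections.Generic.List[string]]::new()

    # X.509 v3 is the only version that carries extensions such as EKU.
    if ($Cert.Version -ne 3) { $findings.Add("version is v$($Cert.Version), expected v3") }

    # Key: RSA, at least 2048 bits. GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) {
        $findings.Add("public key is not RSA ($($Cert.PublicKey.Oid.FriendlyName))")
    } elseif ($rsa.KeySize -lt 2048) {
        $findings.Add("RSA key is $($rsa.KeySize) bits, minimum is 2048")
    }

    # Signature algorithm: sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11).
    if ($Cert.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') {
        $findings.Add("signature algorithm is $($Cert.SignatureAlgorithm.FriendlyName), expected sha256RSA")
    }

    # Lifetime: at most 24 months (assumed here as 731 days to allow for a leap year).
    $days = ($Cert.NotAfter - $Cert.NotBefore).TotalDays
    if ($days -gt 731) { $findings.Add("validity period is $([int]$days) days, maximum is 24 months") }

    # EKU: every asserted purpose must be in the allowed list. A certificate with
    # no EKU extension is valid for any purpose, so that is flagged as well.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ekuExt) {
        $findings.Add('no EKU extension (certificate would be usable for any purpose)')
    } else {
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            if ($AllowedEku -notcontains $oid.Value) {
                $findings.Add("EKU $($oid.Value) ($($oid.FriendlyName)) is not in the Gold profile")
            }
        }
    }
    # Return the list as a single object so the caller can count entries.
    return ,$findings
}

# Walk the machine store and report every Gold-issued certificate that deviates.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*IssuingCA01-Gold*' } |
    ForEach-Object {
        $f = @(Test-GoldCertificate -Cert $_)
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Compliant  = ($f.Count -eq 0)
            Findings   = ($f -join '; ')
        }
    } | Format-Table -AutoSize
```

The script reports deviations rather than stopping at the first one, so a certificate with a 1024-bit key and a foreign EKU shows both findings. Point the `Cert:` path at `Cert:\CurrentUser\My` to audit user certificates (smart-card logon, EFS) instead of machine certificates.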
6. Revocation and Recovery
A certificate may be revoked under the following conditions:
- Compromise or suspected misuse of the private key.
- False information provided in the certificate application.
Revoked certificates are published in the CRL and reported as revoked via OCSP.
CRL URL: CRL RootCA
CRL URL: CRL IssuingCA01
OCSP URL: OCSP Responder URL
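A relying party should confirm revocation status rather than assume it. The following PowerShell function is an added example, not part of the issuer statement or an A1 tool; it builds the chain with online revocation checking so that the CRL and OCSP endpoints embedded in the certificate's CDP and AIA extensions are fetched, and it assumes the certificate is available as a DER or Base64 .cer file at a placeholder path.

```powershell
# Added example (not part of the A1 issuer statement): verify a Gold certificate's
# chain and fetch its revocation status from the CRL/OCSP endpoints named in the
# certificate itself. The certificate path below is a placeholder.

function Get-RevocationStatus {
    param([string]$CertPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Go online for status and check every certificate below the root (the
    # self-signed root has no CDP, so it is excluded). Bound the fetch time so a
    # slow responder fails fast instead of hanging a logon or service start.
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($cert)

    # ChainStatus is empty on success; otherwise each entry names one problem.
    # A failed fetch (RevocationStatusUnknown / OfflineRevocation) is not the same
    # as "not revoked" and should be treated as a failure for Tier 0 systems.
    $flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $revoked = $chain.ChainStatus | Where-Object { $_.Status -band $flags::Revoked }
    $unknown = $chain.ChainStatus | Where-Object {
        $_.Status -band ($flags::RevocationStatusUnknown -bor $flags::OfflineRevocation)
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        ChainOk       = $ok
        Revoked       = [bool]$revoked
        StatusUnknown = [bool]$unknown
        Details       = ($chain.ChainStatus | ForEach-Object {
                            "$($_.Status): $($_.StatusInformation.Trim())"
                        }) -join '; '
    }
}

Get-RevocationStatus -CertPath 'C:\temp\gold-server.cer'   # placeholder path
```

`ChainOk` is `$true` only when the chain builds to a trusted root and no status flag is set; `Revoked` and `StatusUnknown` split the failure cases so that an unreachable CRL or OCSP responder is not mistaken for a clean result.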
7. Audit and Monitoring Procedures
"A1 Telekom Austria AG Gold" undergoes regular internal and external audits to ensure compliance with certificate policies.
Compliance: ISO 27001:2013 and ISO 20000:2018 certified.
8. Liability and Legal Notices
- Liability: The CA assumes no liability for damages resulting from improper use of the certificates.
- Governing Law: In the event of disputes, Austrian law applies.
- Jurisdiction: Commercial Court of Vienna
9. Contact Information
For technical support or questions regarding certificate usage, please contact:
Email: Servicedesk (A1 Telekom Austria)
Phone: +43 50 664 08 664 800