
Issued by: Bank of Italy Type of document: BdI PKI CPS with SSL cert.
Document code: CP_CPS_SSL
Title: Bank of Italy Certificate Practice Statement for the
public-key certification service
Version 1.2


BANCA D'ITALIA
EUROSISTEMA




Certificate Practice Statement
for the public-key
certification service









Person responsible for the
document: Fabio Bolognesi
Signature




Index

1. GENERAL INFORMATION
1.1. Introduction
1.2. Glossary
1.3. Law provisions

2. IDENTIFICATION DATA
2.1. The Certifier
2.2. The Certificate Practice Statement
2.3. Person responsible for the Certificate Practice Statement

3. OBLIGATIONS OF THE CERTIFIER, INTERESTED THIRD PARTIES
AND APPLICANTS FOR SIGNATURE VERIFICATION
3.1. Obligations of the Certifier
3.2. Obligations of the certificate-holder
3.3. Obligations of the interested third party
3.4. Obligations of applicants for signature verification

4. RESPONSIBILITIES OF THE CERTIFIER
4.1. Responsibilities of the Certifier
4.2. Limitations on compensation and fees

5. USER IDENTIFICATION AND REGISTRATION PROCEDURE
5.1. Filling in of the application for issue
5.2. Registration of users
5.3. User identification and delivery of security devices

6. KEY GENERATION
6.1. Key length
6.2. Algorithms
6.3. Signature keys
6.3.1. Hardware security module for signature operations
6.3.2. Personalization of the hardware security module for signing operations
6.4. Certification keys
6.5. Drawing of the private key from the hardware security module



7. CERTIFICATE ISSUE PROCEDURE
7.1. Information contained in the certificates
7.2. Certificate features
7.3. Generation of certificates and their entry in the Certificate Directory.
7.4. Periods of validity of the keys and related certificates
7.5. Access to the certificate generation system

8. TYPES AND CERTIFICATE EMISSION PROCEDURES
8.1. Types
8.2. Issue procedure

9. CERTIFICATE SUSPENSION AND REVOCATION PROCEDURES
9.1. Suspension of certificates
9.2. Reactivation of suspended certificates
9.3. Revocation of certificates
9.4. Revocation of the certificates for the keys of the Certifying Entity
9.5. Availability of the suspension service
9.6. Updating of the revocation and suspension lists

10. PROCEDURE FOR REPLACEMENT OF KEYS
10.1. Replacement of the holder's signature keys
10.2. Replacement of certification keys
10.3. Replacement of time-stamp keys

11. CERTIFICATE DIRECTORY
11.1. Certificate directory management
11.2. Access to the certificate directory

12. PRIVACY PROTECTION MEANS

13. PROCEDURE FOR AFFIXING AND DEFINITION OF THE TIME-STAMP
13.1. Time-stamp keys
13.2. Time-stamps storage and validity
13.3. Time references on the audit log journal



14. VERIFICATION OF DIGITAL SIGNATURES

15. OPERATIONAL PROCEDURE FOR THE GENERATION OF DIGITAL
SIGNATURES
15.1. Document format
15.1.1. Macros
15.1.2. Field codes
15.1.3. Objects
15.1.4. Formulas
15.1.5. Javascript

16. SSL CERTIFICATES




1. GENERAL INFORMATION
1.1. Introduction

This Certificate Practice Statement defines the procedures followed by the Bank
of Italy as Accredited Certifier (hereinafter also Certifier or Certifying Entity) for
the issue and use of qualified certificates.
It is addressed to persons that have dealings with the Certifier as certificate-
holders, interested third parties or applicants for signature verification.
Certificates are issued to employees of the Bank of Italy for needs connected
with working procedures and to specific categories of public and private-sector
persons. Certificates issued to third parties may only be used in dealings with the
Bank of Italy.

1.2. Glossary
The following glossary contains terms and concepts, not necessarily used in
this Certificate Practice Statement, relating to digital certification.

DIGITAL CERTIFICATE: electronic document which binds the identity of the
certificate holder to the information used to verify the digital signature.
QUALIFIED CERTIFICATE: Certificate which meets the requirements laid
down in Annex I of the Directive 1999/93/EC on electronic signatures and is
provided by a Certification Service Provider (CSP) who fulfils the requirements laid
down in Annex II of the same Directive.
CERTIFICATION SERVICE PROVIDER (CERTIFIER): an entity or a legal or
natural person that issues certificates or provides other services related to
electronic signatures.
ACCREDITED CERTIFICATION SERVICE PROVIDER (ACCREDITED
CERTIFIER): certifier who has been officially recognized by the CNIPA (Centro
Nazionale per l'Informatica nella Pubblica Amministrazione - the National Centre
for ICT in the Public Administration) as meeting the highest standards of quality,
security, financial solidity and honourability.


PRIVATE KEY: the key of an asymmetric key pair used only by the certificate
holder. If the private key is part of a signature pair or an authentication pair it can
be used to sign electronically.
PUBLIC KEY: the key of an asymmetric key pair which can be made public. If
the public key is part of a signature pair or an authentication pair it can be used to
verify the signature given by the matching private key.
ASYMMETRIC KEYS: asymmetric public and private key pair in which the two
keys are interrelated and are used to sign, cipher and authenticate.
AUXILIARY KEYS / AUXILIARY CERTIFICATE: encryption key pair and
related certificate, given to the certificate holder together with the signature device
in addition to the digital signature keys, for other kinds of uses.
CERTIFICATION KEYS: key pair used by the Certifier to sign the Certificates,
the Certificate Revocation List and the Certificate Suspension List.
ASYMMETRIC ENCRYPTION: mathematical operation by which, using two
different keys and a specific algorithm, a message encrypted with one key can be
decrypted only with the same algorithm and the other key.
CERTIFICATE REVOCATION LIST (CRL): list of electronic certificates that
have been revoked by the certificate authority that issued them. This list, which is
part of the Certificate Directory, is signed, maintained and updated by the Certifier.
CERTIFICATE SUSPENSION LIST (CSL): list of electronic certificates that
have been suspended by the certificate authority that issued them. This list, which
is part of the Certificate Directory, is signed, maintained and updated by the
Certifier.
HARDWARE SECURITY MODULE: configured hardware security device, part
of the validation system, used as a safe private key storage facility and to generate
electronic signatures.
ELECTRONIC SIGNATURE: data in electronic form which are attached to or
logically associated with other electronic data, and which serve as a method of
authentication of those data.
ADVANCED ELECTRONIC SIGNATURE: electronic signature obtained through
an electronic procedure which guarantees its unambiguous link with the signatory
and thus its unambiguous electronic authentication. A secure electronic signature
is an electronic signature that is:
- created using means that the signatory can maintain under his sole control;
- linked to the data to which it relates in such a manner that any subsequent
change of the data is detectable;


- based on a qualified certificate;
- created using a secure-signature-creation-device.
DIGITAL SIGNATURE: a special type of electronic signature based on a key
encryption system with an asymmetric matching pair of keys (public and private)
which allows both the card holder (using the private key) and the recipient (using
the public key) to prove the source and integrity of the electronic document/group
of documents.
HASH FUNCTION: a mathematical function that converts a generic sequence of
binary symbols into a fingerprint from which it is computationally infeasible to
recover the sequence of binary symbols that generated it, and for which it is
computationally infeasible to find two sequences of binary symbols that yield the
same fingerprint.
AUDIT LOG JOURNAL: all the records automatically made by the devices
installed at the Certifier each time specific events occur.
PUBLIC KEY INFRASTRUCTURE: set of hardware, software, people and
procedures needed to create and manage digital certificates and the signature-
creation devices.
CERTIFICATE PRACTICE STATEMENT: statement of the practices that the
Certifier uses to perform its activity, defining duties and responsibilities of the
Certifier, the certificate-holder and other relying parties.
TIMESTAMP TOKEN: digital proof that allows time validation.
PASS-PHRASE: a string of both alpha-numeric characters and punctuation
marks, known only to the card-holder, who must communicate it to the Help Desk
when requesting the urgent suspension of a certificate in case of loss or theft, or in
case security is jeopardized.
PIN: Personal Identification Number
PUK: PIN unlock key
REGISTRATION: collection, verification and storage of the personal data
regarding the applicants for certificates. The registration is a necessary step
before accepting the application for certification.
REGISTRY OF CERTIFICATES: A registry of all the Certificates issued by the
Certification Service Provider, the certificate revocation list and the certificate
suspension list.
CERTIFICATE REVOCATION: operation carried out by a Certification Service
Provider consisting in the revocation of the validity of a certificate from a specific
date and time.


APPLICANT: natural person who makes a request to the Certifier, for himself or
for a third party, to obtain a public and private key pair and a certificate. Once the
certificate is issued the applicant becomes the certificate-holder.
TIME REFERENCE: time and date connected to a specific time stamp.
SMARTCARD: security device with an embedded circuit used for storing the
key pair (private and public) and the certificate of the certificate holder.
CERTIFICATE SUSPENSION: operation carried out by a Certification Service
Provider consisting in the suspension of the validity of a certificate for a specific
period of time.
THIRD PARTY: body or legal person that requests the issue of a certificate for
another entity, on whose behalf they operate pursuant to an employment or
agency relationship.
CERTIFICATE HOLDER: natural person that, personally or through a third
party, has requested and been assigned a key pair (public and private) and the
relative certificate.
TIME VALIDATION: result of the computer procedure with which one or more
digital documents are time stamped.

1.3. Law provisions
Directive 1999/93/EC: Directive 1999/93/EC of the European Parliament and of the
Council of 13 December 1999 on a Community framework for electronic signatures,
published in the Official Journal of the European Union of 13 January 2000, L 13.
Law 59/1997, Art. 15, comma 2: Law of 15 March 1997, n. 59, "Devolvement to the
Government of the conferment of functions and assignments to regions and other
local government bodies, for the reform of the public administration and
administrative simplification", published in the S.O. 56/L of the Gazzetta Ufficiale
n. 63 of 17 March 1997.
Law 229/2003, Art. 10: Law of 29 July 2003, n. 229, "Measures regarding regulatory,
legislative and codification quality - simplification law 2001", published in the
Gazzetta Ufficiale n. 196 of 25 August 2003.
L.D. 82/2005: Legislative decree of 7 March 2005, n. 82, "Digital administration
code", published in the S.O. n. 93/L of the Gazzetta Ufficiale n. 112 of 16 May
2005 (1).
L.D. 159/2006: Legislative decree of 4 April 2006, n. 159, "Supplementary and
corrective provisions to legislative decree 7 March 2005, n. 82, Digital
administration code".
DPCM 13.1.2004: Decree of the President of the Council of Ministers of 13 January
2004, "Specifications for the creation, transmission, storage, duplication,
reproduction and validation (including time validation) of electronic documents",
published in the Gazzetta Ufficiale n. 98 of 27 April 2004.
Circ. C.N.I.P.A./CR/48: C.N.I.P.A. circular of 6 September 2005.
Deliberation C.N.I.P.A. 4/2005: C.N.I.P.A. deliberation of 17 February 2005 (n. 4/2005).



2. IDENTIFICATION DATA
2.1. The Certifier

Name: Banca d'Italia [Bank of Italy]
Registered office: Via Nazionale, 91 - 00184 ROMA
Legal representative: Governor pro tempore
E-mail: pki@bancaditalia.it
Website: www.bancaditalia.it
Telephone: +39 0647921
Fax: +39 0647928956

(1) The Code, in force since 1st January, has overridden the provisions of D.P.R. 28.12.2000, n. 445
regarding electronic signatures, documents and identity cards and the development of Public
Administration information systems.



2.2. The Certificate Practice Statement

This document is version 1.1, dated 1st of June 2009, of the Certificate
Practice Statement for the public-key certification service performed by the Bank of
Italy and is available for consultation at www.bancaditalia.it.
The version is identified on each page.

This Certificate Practice Statement has been assigned the following Object
Identifier Number (O.I.D.):

1.3.76.38.1.1.1

2.3. Person responsible for the Certificate Practice Statement

The person responsible for the Certificate Practice Statement is:

Given name: Fabio
Family name: Bolognesi
Telephone: +39 06 47926237
E-mail: fabio.bolognesi@bancaditalia.it


3. OBLIGATIONS OF THE CERTIFIER, INTERESTED THIRD PARTIES AND
APPLICANTS FOR SIGNATURE VERIFICATION
3.1. Obligations of the Certifier

The Certifier must:
1. adopt every organizational and technical measure to avoid injury to third
parties;
2. identify with certainty the person applying for certification;
3. verify the authenticity of the application;
4. issue, render public and manage the qualified certificate in the manner
prescribed by the technical rules referred to in the decree issued by the
President of the Council of Ministers on 13 January 2004 (the Decree of
13 January 2004) as amended and in compliance with Legislative
Decree 196/2003 as amended;
5. specify in the qualified certificate, at the request of the applicant and with
the consent of the interested third party, the powers of representation or
other professional attributes or titles of the certificate-holder, subject to
verification of the documentation submitted by the applicant attesting to
the existence thereof;
6. comply with the rules referred to in the Decree of 13 January 2004 as
amended;
7. give applicants complete and clear information on the certification
procedure, the requisite technical features for accessing it, the
characteristics of the signatures issued on the basis of the certification
service and the restrictions on the use thereof;
8. not act as depositary of data for the creation of the holder's signature;
9. promptly publish the revocation or suspension of a qualified certificate in
case of a request by the holder or the interested third party, or where the
signature device is no longer in the possession of the certificate-holder
or its integrity has been compromised, or the judicial authority has issued
a measure, or the Certifier has learned of causes limiting the holder's
capacity or suspects abuse or falsification, as established by the
technical rules referred to in the Decree of 13 January 2004 as
amended;


10. provide a secure and prompt service for the revocation and suspension
of electronic certificates and ensure the efficient, timely and secure
functioning of the lists of issued, suspended and revoked signature
certificates;
11. ensure the precise determination of the date and time of issue,
revocation and suspension of electronic certificates;
12. retain records of all the information concerning qualified certificates for at
least twenty years from the time of their issue, inter alia in order to
provide proof of the certification in judicial proceedings;
13. not copy and not conserve the private signature keys of the certificate-
holder;
14. prepare all the necessary information, in particular the exact terms and
conditions governing the use of certificates, including restrictions on their
use, on permanent media and make such information available to
applicants for the certification service;
15. use reliable systems for the management of the Register of Certificates,
with procedures ensuring that only authorized persons can make
additions and changes, that the authenticity of the data can be verified,
that certificates are accessible for consultation by the public only in the
cases permitted by the holder, and that the authorized person will
become aware of any event that jeopardizes security. Pertinent items of
information may be made accessible on request to third parties that rely
on the certificate.
16. in the event of the cessation of its activity, notify holders at least sixty
days in advance that all certificates not expired at the time of cessation
will be revoked and effectively revoke them in due course;
17. record the issue of qualified certificates in the audit log journal,
specifying the date and time of generation; the moment of generation of
certificates is attested to by means of a time reference;
18. generate a qualified certificate for each of the electronic signature keys
that the CNIPA uses for signing the Public List of certification-service
providers and publish it in its own Register of Certificates;
19. provide or indicate at least one system that permits signature verification
and ensures its interoperability;
20. keep a copy of the list, signed by the CNIPA, of the certificates for
certification keys and make it electronically accessible;


21. revoke or suspend a qualified certificate upon learning that the integrity
of the private key or of the signature-creation device has been
compromised;
22. adopt security measures for the treatment of personal data pursuant to
Legislative Decree 196/2003;
23. ensure the interoperability of the verification product of electronic
documents signed with a digital signature referred to in Article 10 of the
Decree of 13 January 2004.

3.2. Obligations of the certificate-holder
The certificate-holder is required to ensure the safekeeping of the signature
device and to adopt every organizational and technical measure to avoid injury to
third parties and to use the signature device personally.
The certificate-holder must also:
1. provide all the information requested by the Certifying Entity, guaranteeing
its reliability under his or her own responsibility;
2. notify the Certifying Entity of any changes to the information provided at
the time of registration: personal data, residence, telephone numbers,
e-mail address, etc.;
3. conserve the device containing the private key and secret codes (PIN,
PUK and pass-phrase) received from the Certifying Entity separately and
with the utmost diligence, in order to ensure their integrity and maximum
confidentiality;
4. not use the pair of keys for functions or purposes other than those for
which the certificate was issued;
5. transmit suspension, reactivation and revocation requests to the Certifying
Entity by the procedures specified in this Certificate Practice Statement;
6. immediately request suspension of the qualified certificates for the keys
contained in devices that are defective or no longer in his or her
possession;
7. notify the Certifying Entity of loss or theft of the security device.

In summary, certificate-holders are responsible for the correct utilization of
certificates and safekeeping of the devices containing them; certificate-holders
must use them only for the purposes for which they were issued, keep them in their


own exclusive possession and inform the Bank of Italy, by the prescribed
procedures, of every event that might compromise their functionality.

3.3. Obligations of the interested third party
The interested third party is required to request the suspension and revocation
of certificates, by the procedures specified in this Certificate Practice Statement,
whenever the premises on which a certificate was issued to the holder no longer
exist or in case of the cessation of its own activity (as a result of merger,
liquidation, etc.).
In addition, without prejudice to the obligations and responsibilities of the
certificate-holder, the third party, as the entity in whose interest the certification
service is provided, must adopt every precaution and organizational measure
serving to ensure utilization of the certificates in conformity with the rules
established by law and by this Certificate Practice Statement.
The interested third party is also required to notify the Certifier promptly of every
change in the circumstances indicated at the time of issue of certificates that is
relevant for the purposes of its utilization.

3.4. Obligations of applicants for signature verification

Addressees of digitally signed electronic documents must verify:
1. the validity of the certificate;
2. the fact that the certificate is not entered on the Certificate Revocation List
(CRL) and Certificate Suspension List (CSL);
3. the existence of and compliance with any restrictions on the use of the
certificate used by the certificate-holder.
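The three checks above, coded as a relying-party routine in Go; this is an added example, not code from the Bank of Italy or from this Certificate Practice Statement. The Certifier, the holder certificates and the lists are constructed in memory (2048-bit RSA with SHA-256 signatures, since current Go rejects SHA-1-signed certificates), and the Certificate Suspension List is modelled as a second Certifier-signed list checked alongside the CRL, as this document describes it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrNotIssuedByCertifier = errors.New("certificate was not issued by the trusted Certifier")
	ErrOutsideValidity      = errors.New("certificate is outside its validity period")
	ErrListUnusable         = errors.New("CRL/CSL is not signed by the Certifier or is past its nextUpdate")
	ErrListed               = errors.New("certificate is entered on the CRL or CSL")
	ErrNotASignatureCert    = errors.New("certificate is not issued for digital signatures")
)
// CheckSignerCertificate applies the checks of section 3.4 to a document signer's
// certificate at time `at`: issued by the Certifier and within its validity period,
// absent from every Certifier-signed list in listsDER (DER-encoded CRL and CSL),
// and restricted to a key usage that permits digital signatures.
func CheckSignerCertificate(cert, certifier *x509.Certificate, listsDER [][]byte, at time.Time) error {
	if cert.CheckSignatureFrom(certifier) != nil {
		return ErrNotIssuedByCertifier
	}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return ErrOutsideValidity
	}
	for _, der := range listsDER {
		list, err := x509.ParseRevocationList(der)
		if err != nil {
			return err
		}
		// A list only counts if the Certifier signed it and it is still current.
		if list.CheckSignatureFrom(certifier) != nil || at.After(list.NextUpdate) {
			return ErrListUnusable
		}
		for _, entry := range list.RevokedCertificates {
			if entry.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return ErrListed
			}
		}
	}
	// Signature certificates carry digitalSignature and/or nonRepudiation (Go calls
	// it contentCommitment); an auxiliary encryption certificate carries neither.
	if cert.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) == 0 {
		return ErrNotASignatureCert
	}
	return nil
}

// Fixture is a PKI constructed in memory for this example: a Certifier, three
// holder certificates, an empty CRL and a CSL on which Holder B is suspended.
type Fixture struct {
	Certifier, Signing, Suspended, Auxiliary *x509.Certificate
	CRL, CSL                                 []byte
	Now                                      time.Time
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func BuildFixture() *Fixture {
	now := time.Date(2009, time.June, 1, 12, 0, 0, 0, time.UTC) // constructed; the date of this CPS
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Certifier"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string, usage x509.KeyUsage) *x509.Certificate {
		key := must(rsa.GenerateKey(rand.Reader, 2048))
		tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour), KeyUsage: usage}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey))))
	}
	list := func(number int64, serials ...int64) []byte {
		tpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
		for _, s := range serials {
			tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
		}
		return must(x509.CreateRevocationList(rand.Reader, tpl, ca, caKey))
	}
	sign := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	return &Fixture{Certifier: ca, Now: now, CRL: list(10), CSL: list(11, 3),
		Signing: issue(2, "Holder A signature", sign), Suspended: issue(3, "Holder B signature", sign),
		Auxiliary: issue(4, "Holder A auxiliary", x509.KeyUsageKeyEncipherment)}
}

func main() {
	f := BuildFixture()
	for _, c := range []*x509.Certificate{f.Signing, f.Suspended, f.Auxiliary} {
		fmt.Println(c.Subject.CommonName, "->", CheckSignerCertificate(c, f.Certifier, [][]byte{f.CRL, f.CSL}, f.Now))
	}
}
```

The checks are ordered so that a signer's certificate is rejected for the earliest failing reason; a list that is expired or not signed by the Certifier is treated as unusable rather than silently skipped.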





4. RESPONSIBILITIES OF THE CERTIFIER
4.1. Responsibilities of the Certifier
The Certifier is responsible for fulfilling all the obligations established by law and
referred to in this Certificate Practice Statement.
The Certifier will also be liable, if it fails to prove that it acted without fraud or
negligence, for losses incurred by those who reasonably relied on:
- the exactness and completeness of the data needed to verify the signature
contained in the certificate at the date of issue and on their completeness with
respect to the requirements established for qualified certificates;
- the guarantee that at the time of issue of the certificate the signatory possessed
signature-creation data corresponding to the signature verification data
contained or identified in the certificate;
- the guarantee that the signature creation data and signature verification data
can be used in a complementary manner where the Certifier generates both.
In addition, the Certifier will also be liable for injuries caused to third parties as a
result of the non-registration or delayed registration of the revocation of certificates
or the delayed suspension of certificates.
The Certifier will not be liable for:
- the consequences deriving from failure of the certificate-holder to comply with
the operating procedures and methods specified in this Certificate Practice
Statement;
- the consequences deriving from a use of a certificate other than that permitted
and, in particular, for losses deriving from the use of a certificate in excess of its
limits;
- failure to fulfill its obligations for causes beyond its control.

4.2. Limitations on compensation and fees
No limits are set on compensation and no fees are charged.


5. USER IDENTIFICATION AND REGISTRATION PROCEDURE
This section describes the procedure for the initial issue of certificates, which
includes registration and identification of the applicant.
Without prejudice to the requirements of law, this procedure may be modified for
employees of the Bank of Italy.

5.1. Filling in of the application for issue
Persons external to the Bank of Italy who apply for the issue of certificates must
be designated by the entities (interested third parties) on whose behalf they
operate pursuant to an employment or agency relationship.
The designation letter, signed by the entity's legal representative or other duly
appointed person, must:
- contain the personal data of the person designated, the type of certificates to be
issued (signature and auxiliary), and the purposes for which the certificates are
being requested;
- contain a declaration in which the third party attests that it is informed of the
contents of this Certificate Practice Statement and undertakes to fulfill the
obligations established for it herein;
- have attached the certificate application, drawn up and signed by the
designated person, which must:
a) indicate the applicant's identification data, tax identification number,
telephone number (landline or cellular) and e-mail address;
b) contain a declaration in which the applicant attests that the information
provided is accurate and undertakes to notify every change therein;
c) contain a declaration attesting that the applicant has received the
information note referred to in Article 13 of Legislative Decree 196/2003;
d) be accompanied by a copy of a valid identification document of the applicant
and of the card containing his or her tax identification number.
The above-mentioned documentation must be sent, possibly by fax, to the
Branch of the Bank of Italy having competence for the place where the applicant
resides or is domiciled or works; the certificate-holder must be identified and collect
the smartcard and secret codes at such Branch.
5.2. Registration of users
After performing the checks within its competence, the Branch will forward the
application for certificates to the Head Office, which will insert all the necessary
data for the issue of the certificates in the registration archive.


When an application is not accepted, the Branch will notify the interested third
party of this fact.
5.3. User identification and delivery of security devices
The Branch, after receiving the envelopes (2) containing the smartcard and the
secret codes (PIN, PUK and pass-phrase) (3), will invite the certificate-holder to come
to the Branch for the purpose of identification. Identification must be based on a
currently valid document from among the following:
1) passport;
2) personal identification card pursuant to Article 1 of Presidential Decree
851/1967, issued by central government departments to their current
and retired civilian and military employees and the relatives of such
employees;
3) gun permit;
4) post-office identification card;
5) driving licence;
6) Italian identity card;
7) identity card issued by an EU member state;
8) watercraft licence;
9) pension account book;
10) heating plant operator's licence.

After performing identification, the Branch will deliver the envelopes containing
the smartcard and secret codes and make a copy of this Certificate Practice
Statement available to the applicant.
A record will be made of the delivery. It will be drawn up in two copies and
signed by the person appointed to make the delivery and the certificate-holder, to
whom a copy will be issued.
Following delivery, the certificates are activated.


(2) The envelopes are sent to the Branch by separate carriers.
(3) The PIN must be entered in order to carry out signature and other operations connected with the use of
auxiliary certificates and may be changed by the holder the first time he or she uses the device. The PUK
serves to unblock the smartcard after the wrong PIN has been entered a pre-determined number of times.


6. KEY GENERATION
As a certification service provider the Bank of Italy can generate 4 types of keys:
- certifying keys;
- signature keys;
- timestamp keys;
- auxiliary keys (4).
The key pairs (public and private) are generated using devices and procedures
that guarantee, in compliance with current scientific and technological
knowledge, the uniqueness and the strength of the generated key pair and the
secrecy of the private key. The key generation system guarantees:
- the correspondence of the pair to the requirements of the generation
and verification algorithms used;
- the same probability of generation of all the possible keys;
- the identification of the person who starts the generation procedure.

The following signature keys are generated in the hardware security module:
1. certification keys: used by the Certification Service Provider to sign the
certificate-holder's certificate and the revocation and suspension lists;
2. certificate-holder keys: signature keys given by the Certification Service
Provider to the certificate holder.

Each key pair can be used only for the type of operations it has been created
for.
The type of operation which can be performed with the key pair is indicated in
the certificate.
6.1. Key length
The Certification Service Provider certifying keys are 2048 bit long.
The signature, timestamp and auxiliary keys are 1024 bit long.


6.2. Algorithms

(4) The same procedure is followed to issue and manage both auxiliary and signature keys and
certificates. The law provisions, though, pertain to the latter.


The algorithm used for the generation and verification of the digital signatures is
the following:
RSA (Rivest-Shamir-Adleman algorithm).

The function used for the generation of the hash is:
SHA-1 (Dedicated Hash Function 3).
6.3. Signature keys
The signature key pair gives proof of the source and integrity of the electronic
document/group of documents.
Each key pair is assigned to one and only one certificate holder.

6.3.3. Hardware security module for signature operations
The private signing key of the certificate holder is stored in the hardware
security module (smartcard).
All the certificates assigned to the same certificate holder are in the same
hardware security module and have the same expiration date.
During signing operations and other operations connected to the use of auxiliary
certificates the security module never communicates externally the private keys of
the certificate holder.
The certificate-holder's access to the private key is protected by a PIN code.
The duplication of private keys or of the hardware security modules that host
them is not allowed.
The signing devices used by the certificate-holders are certified with Common
Criteria EAL4+ (protection Profile CWA14169).
Such devices can:
- generate asymmetric key pairs with equal probability of generation for all
the possible key pairs;
- protect the private key from unauthorized access;
- perform cryptographic operations.

6.3.4. Personalization of the hardware security module for signing operations
The following operations take place during the security module personalization:
- acquisition of the certificate-holder's identification data in the security
module and matching to the holder;
- registration, in the security module, of the identification data held by the
Certification Service Provider;
- registration of the certificate holder's signing key in the security module.

6.4. Certification keys
The Certification Service Provider uses its certification keys to electronically sign
the certificate-holders' certificates and the certificate revocation and suspension
lists.
The device which contains the private certification key meets the E4 security
requirements criteria and the HIGH ITSEC mechanism strength requirements.
The certificate which contains the public certification key is generated in the ISO
9594-8 format and is registered in the certificate directory with the conditions here
indicated for the certificate-holders.
The certification keys are valid for 10 years. The certificates signed with such
keys are valid for a period shorter than the validity of the certifying keys.

6.5. Drawing of the private key from the hardware security module
The certificate-holders' private keys cannot be extracted, at the current technological
level, from the hardware security modules (smart cards) in which they are lodged.
During the certifying key generation process, the private keys are cloned on
recovery modules with the same authorization features as the original ones and
are stored in safe premises.
These copies can be used in circumstances in which, due to malfunctioning or
impossibility to use the original key, the continuity of the service cannot be
guaranteed using the production plants and systems.

7. CERTIFICATE ISSUE PROCEDURE
A certificate links the public key of a pair of asymmetric keys to a dataset that
identifies a person (certificate-holder) who possesses the corresponding private
key.
This link is guaranteed by the signature affixed to the certificate by the Certifying
Entity with its private certification key.


7.1. Information contained in the certificates
In conformity with CNIPA Resolution 4/2005, where applicable, a certificate
contains:
- the indication that the certificate is a qualified certificate;
- serial number or other identification code of the certificate;
- name of the Certifying Entity and country in which it is established;
- holder's identification code at the Certifying Entity;
- holder's given name, family name, tax identification number (for residents
abroad, the tax identification number issued by the tax authority of the
country of residence or similar identification number) and date of birth;
- certificate's term of validity;
- Certifying Entity's digital signature;
- public key number;
- usable generation and verification algorithms;
- certificate signature algorithm;
- type of the pair of keys according to their assigned use.
A qualified certificate may contain the following information at the request of the
holder or interested third party, where the information is pertinent to the purpose
for which the certificate is requested:
- specific qualifications of the holder, such as membership of professional
associations or boards, the title of public official, listing in registers or other
professional certifications, and powers of representation;
- restrictions on the use of the certificate, including those deriving from the
holding of the qualifications and representative powers referred to in the
preceding point;
- limits on the value of the unilateral acts and of the contracts for which the
certificate may be used.
If a certificate is intended for a pair of certification keys, the use of such keys for
certification will be indicated.
Without prejudice to the foregoing, identification of the holder will be
implemented by means of the Distinguished Name (DN) as provided for in
ISO 9594-1 (1997).
The personal data contained in the certificate may be used solely to identify the
holder in relation to the transactions that he or she is authorized to carry out.


The Certifying Entity will retain the information concerning the certificate for not
less than twenty years from the certificate's expiration or revocation date.

7.2. Certificate features
The features of the certificates conform with ISO/IEC 9594-8:2001 as amended.

7.3. Generation of certificates and their entry in the Certificate Directory
Certificates are generated at the competent Head Office departments of the
Bank of Italy with a dedicated system housed in appropriately protected premises.
After a certificate is generated, it will be entered in the Certificate Directory; the
date and time of issue will be recorded in the audit log journal.
The following will have been registered on the holder's smartcard at the
completion of the process:
- the certificates requested and the related private keys;
- the certificates for the Certifier's certification keys.
The certificates may be consulted with the procedures described in this
Certificate Practice Statement.

7.4. Periods of validity of the keys and related certificates
The signature certificates issued to holders are valid for up to 3 years.

7.5. Access to the certificate generation system
Only authorized operators may access the certificate generation system, and
only for their assigned functions.


8. TYPES AND CERTIFICATE EMISSION PROCEDURES
8.1. Types
The digital certificates are generated from the asymmetric keys generated as
described in the preceding paragraphs.
The digital certificates issued by Banca d'Italia are signed with Banca d'Italia
certification keys and conform with the X.509 v3 standard, which allows for a data
structure with fixed or variable fields according to the use for which the certificate is
meant. These certificates also conform with CNIPA deliberation 4/2005 of
17.2.2005 on interoperability. Following the same classification as the key pairs
they relate to, the certificates can be:
- CA certificate: relative to the certifying key used for signing the signature
certificates and the CRL;
- ROOT-TSA certificate: relative to the certification key used to sign time-stamp
certificates;
- timestamp certificate: relative to the timestamp keys;
- signature certificate: relative to digital signature keys;
- auxiliary certificates: relative to key pairs used for other purposes.
8.2. Issue procedure
The personal details of the certificate-holders are drawn from the registration
information. For each certificate the type of operation (certification, time-stamping,
signature, other purposes) that can be carried out with the key pair
associated with it must be specified. It is forbidden to use a certificate for
purposes other than the ones it has been issued for. These purposes are indicated in the
certificate.
Revoked or suspended certificates are registered in the revocation and
suspension lists published in the same system that implements the Certificate
Directory.
The digital certificates issued by Banca d'Italia are unambiguously identified by
a certificate serial number, while the certificate holders are identified by an
unambiguous identification number.




9. CERTIFICATE SUSPENSION AND REVOCATION PROCEDURES
The Certifier suspends or revokes certificates by entering their serial number in
the lists of suspended or revoked certificates [5].

The suspension or revocation of a certificate takes effect from the time of the
certificates entry in the aforesaid lists.
When a certificate is suspended, its validity is interrupted temporarily.
When a certificate is revoked, its validity is terminated in advance.
In the case of suspension or revocation of a signature certificate, any auxiliary
certificates resident on the same security device will also be suspended or
revoked.
The revocation, suspension and subsequent reactivation of certificates will be
entered in the audit log journal with an indication of the date and time of the
operation's execution.
Certificates may be suspended or revoked by the Bank of Italy in the cases
provided for in Article 36 of Legislative Decree 82/2005.
9.1. Suspension of certificates
The holder or interested third party may request that a certificates validity be
suspended for the causes listed in the following table. In the case of Bank of Italy
employees, the request is to be made by the unit to which the employee belongs or
by the employee. Where the Certifier becomes aware of suspected abuse,
falsification or negligence, it may suspend certificates after notifying the certificate-
holders, except as a matter of urgency.


[5] The two lists are currently presented for consultation as a single list including both suspended and revoked
certificates distinguished by different causes.

Person submitting the request, by cause:

| CAUSE                           | HOLDER (external person or employee) | INTERESTED THIRD-PARTY (for external persons) | BANK OF ITALY (employees) |
|---------------------------------|--------------------------------------|-----------------------------------------------|---------------------------|
| LOSS OF SMARTCARD               | X                                    | --                                            | --                        |
| THEFT OF SMARTCARD              | X                                    | --                                            | --                        |
| BREACH OF SECURITY [6]          | X                                    | --                                            | --                        |
| PROLONGED ABSENCE OF THE HOLDER | --                                   | --                                            | X                         |
| OTHER [7]                       | X                                    | X                                             | X                         |


Where the cause indicated is "other", suitable reasons must be provided.
In case of loss, theft or breach of security of the smartcard, the holder must
contact the Help Desk for urgent suspension.
Where the smartcard is recovered, reactivation of the suspended certificate
may be requested.
Where on the contrary the theft or loss is confirmed, the holder must submit a
request for revocation.
In the other cases, the suspension request must be sent by e-mail and signed
with a digital signature [8].


[6] Breach of security must be taken to mean the occurrence of any event that makes it less than certain that
the use of the smartcard is attributable to the legitimate holder (e.g. the PIN or PUK is known by other
persons).
[7] Any cause other than those specified.
[8] Requests made by e-mail must be sent to the functional e-mail address of the competent Branch. No
document need be attached if the request is made by the holder.

In the event that use of e-mail is not possible, the request must be presented to
the competent Branch on paper, or sent by regular mail or by fax, with a valid
identification document attached.
Where the request is submitted by the interested third party, it must be signed
by the entity's legal representative or other duly appointed person.
The Branch that receives the request, upon verifying its authenticity, will initiate
the suspension procedure.
The Branch will notify the holder and the interested third party, where possible
by e-mail, of the suspension of the certificate, specifying the date and time from
which the certificate is no longer valid.

9.2. Reactivation of suspended certificates
Suspended certificates will be entered in the Certificate Suspension List,
published in the Register of Certificates.
The reactivation of a certificate must be requested by the same person who
submitted the suspension request, by sending the Certifier a reactivation request
containing the identification data of the certificate-holder.
The reactivation request must be submitted in the same manner and by the
same procedure described above for suspension requests other than urgent
suspension requests.
The Certifier will reactivate the certificate by cancelling it from the Certificate
Suspension List.
The Certifier will notify the holder and the interested third party of the
reactivation of the certificate, specifying the date and time from which the
certificate is newly active.

9.3. Revocation of certificates
The holder or the interested third party may request the competent Branch of
the Bank of Italy to revoke a certificate for the causes listed in the following table.
For Bank of Italy employees, the request is to be made by the employee or by the unit
to which the employee belongs. Where the Certifier becomes aware of suspected
abuse, falsification or negligence, it may revoke certificates after notifying the
certificate-holders, except as a matter of urgency.




Person submitting the request, by cause:

| CAUSE                                 | HOLDER (external person or employee) | INTERESTED THIRD PARTY | BANK OF ITALY (employees) |
|---------------------------------------|--------------------------------------|------------------------|---------------------------|
| LOSS OF SMARTCARD (after suspension)  | X                                    | --                     | --                        |
| THEFT OF SMARTCARD (after suspension) | X                                    | --                     | --                        |
| BREACH OF SECURITY (after suspension) | X                                    | --                     | --                        |
| DETERIORATION OF SMARTCARD            | X                                    | X                      | X                         |
| CHANGE OF HOLDER'S POSITION [9]       | --                                   | X                      | X                         |
| OTHER [10]                            | X                                    | X                      | X                         |


For requests where the cause indicated is "other", suitable reasons must be
given.
The revocation request must be submitted to the competent Branch, possibly by
regular mail or by fax, accompanied by a valid identification document; it may also
be sent by e-mail, signed with a digital signature [11].

Where the request is submitted by the interested third party, it must be signed
by the entity's legal representative or other duly appointed person.
The Branch that receives the request, upon verifying its authenticity, will initiate
the revocation procedure.
The Branch will notify the holder and the interested third party of the suspension
of the certificate, specifying the date and time from which the certificate is no
longer valid.
Except in cases of loss or theft, the holder is required to return the smartcard in
his or her possession directly or have it delivered to the Branch after rendering it
unfit for use by cutting the microcircuit.

[9] Cause to be cited where, for example, the holder ceases to work.
[10] Any other cause; for example, requests for revocation that interested third parties must submit in the event
of cessation of their activity as a result of merger, liquidation, etc.
[11] Where a digital signature is used, no document need be attached.

Where the holder comes directly to the Branch, a record will be made of the
withdrawal of the smartcard. It will be drawn up in two copies and signed by the
representative of the Branch and by the holder; a copy will be given to the holder.
Following the revocation of a smartcard due to loss, theft, breach of security or
deterioration, the Bank of Italy, acting on its own authority, will initiate the
procedure for renewal of the certificate.


9.4. Revocation of the certificates for the keys of the Certifying Entity
The Certifying Entity will revoke the certificate for the pair of certification keys
exclusively in the following cases:
- breach of security of the private key, i.e. an event compromising the
reliability of its security features;
- cessation of the activity.
The revocation is implemented by inclusion of the certificate in the Certificate
Revocation List.
The CNIPA and all holders of qualified certificates issued by the Certifying Entity
that are signed with the private key belonging to the revoked pair will be notified of
the revocation within twenty-four hours.
Where the revocation is due to breach of security of the Certifying Entity's
private key, the Certifying Entity, acting on its own authority, will revoke all the
certificates signed with said key.

9.5. Availability of the suspension service
The availability of the suspension service provided by the Certifier depends on
the way suspension requests are transmitted:
- for suspension requests due to theft, loss or breach of security (urgent
requests) to be made by telephone, the Help Desk (+39 06 47929361) is
available around the clock on all business days and holidays;
- in other cases, the service is available during office hours (8.30-16.30).
For urgent suspension requests, the certificate-holder, at the request of the
operator, must prove his or her identity and give the pass-phrase.
Where the identity of the person submitting the request is not established, the
certificate will be suspended on a precautionary basis. Within the subsequent 24
hours the person submitting the request must provide elements enabling him or
her to be identified.

9.6. Updating of the revocation and suspension lists

The revocation and suspension lists are updated following every request.
The lists are published at least every 24 hours.
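The suspension and revocation lifecycle of section 9 as it appears to a relying party reading an X.509 CRL, shown as an added Go example that is not part of this Certificate Practice Statement or of the Bank's own software. A constructed issuer signs a list in which one serial is held (the CRL reason code that encodes a suspension) and one is revoked; the relying party verifies the list's signature before reading statuses; a second list issued after reactivation (9.2) simply drops the hold entry. The issuer name, serial numbers and reason codes are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The Certifier publishes one list (section 9, footnote 5). In X.509 terms an entry
// whose reason code is certificateHold (6, RFC 5280 5.3.1) is a suspension, which is
// temporary and can be reactivated (9.2); any other entry is a revocation (final).
const reasonCertificateHold = 6

// Lookup returns "good", "suspended" or "revoked" for serial according to crl.
func Lookup(crl *x509.RevocationList, serial int64) string {
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			if e.ReasonCode == reasonCertificateHold {
				return "suspended"
			}
			return "revoked"
		}
	}
	return "good"
}

// NewIssuer builds a constructed self-signed CA (not the Bank of Italy's) allowed to
// sign CRLs; it is re-parsed so the generated SubjectKeyId (needed below) is present.
func NewIssuer() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCRL signs list number n with the given entries, parses it back and verifies
// the signature against the issuer, as a relying party must before trusting it.
func IssueCRL(issuer *x509.Certificate, key *rsa.PrivateKey, n int64,
	entries []x509.RevocationListEntry) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(n),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), // lists are published at least every 24 hours (9.6)
		RevokedCertificateEntries: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL not signed by the expected issuer: %w", err)
	}
	return crl, nil
}

// Scenario plays the section 9 lifecycle on constructed serials: list 1 holds 1001
// (suspended) and revokes 1002; list 2 drops the hold entry (1001 reactivated, 9.2).
// The result maps "<list number>-<serial>" to the status Lookup reports.
func Scenario() (map[string]string, error) {
	issuer, key, err := NewIssuer()
	if err != nil {
		return nil, err
	}
	held := x509.RevocationListEntry{SerialNumber: big.NewInt(1001), RevocationTime: time.Now(), ReasonCode: reasonCertificateHold}
	gone := x509.RevocationListEntry{SerialNumber: big.NewInt(1002), RevocationTime: time.Now(), ReasonCode: 1} // keyCompromise
	lists := [][]x509.RevocationListEntry{{held, gone}, {gone}}
	out := map[string]string{}
	for i, entries := range lists {
		crl, err := IssueCRL(issuer, key, int64(i+1), entries)
		if err != nil {
			return nil, err
		}
		for _, s := range []int64{1001, 1002, 1003} { // 1003 was never listed
			out[fmt.Sprintf("%d-%d", i+1, s)] = Lookup(crl, s)
		}
	}
	return out, nil
}
```

A relying party that reads only "is the serial on the list" would treat a suspension and a revocation alike; the reason code is what tells it whether the certificate may come back.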


10. PROCEDURE FOR REPLACEMENT OF KEYS
10.1. Replacement of the holder's signature keys
Signature keys are valid for three years; where auxiliary certificates are also
issued to the holder, all the certificates are resident on the same device.
When the expiration of certificates approaches, the Branches will ask interested
third parties whether, for each holder, it is necessary to issue a set of certificates
(signature and auxiliary certificates) identical to that expiring (so-called renewal).
If the answer is affirmative, the interested third party must send the competent
Branch a note by e-mail, signed by its legal representative or other duly appointed
person, indicating the particulars of the holder and the purposes for which renewal
is requested; the holder's application for the issue of certificates, signed by the
holder with a digital signature, must be attached to such note. Alternatively, the
interested third party may submit the note by regular mail or by fax, attaching the
holder's application accompanied by a copy of the identification document.
Requests will be processed with the procedure described for the initial issue and
at the end of the procedure the holder will be asked to visit the competent Branch
for delivery of the new smartcard containing the renewed certificates and related
secret codes; on such occasion the smartcard containing the expiring certificates
will be withdrawn after they have been rendered unfit for use by cutting the
microcircuit.
A record will be made of the above-mentioned transactions. It will be drawn up
in two copies and signed by the person appointed to make the delivery and the
certificate-holder, to whom a copy will be issued. Delivery of the new smartcard
and the related secret codes will give rise to the subsequent activation of the
certificates.

10.2. Replacement of certification keys
Ninety days before a certificate for a certification key is due to expire the
Certifier will initiate the replacement procedure by generating a new pair of keys.
In addition to the (self-signed) certificate for the new pair of certification keys
referred to above, the Certifier will generate:
- a certificate for the new public key, signed with the private key of the old
pair;
- a certificate for the old public key, signed with the new private key.


The certificates so generated will be sent to the CNIPA, which updates the list
of the certificates of certification keys contained in the Public List of certification-
service providers.

10.3. Replacement of time-stamp keys
Time-stamp keys will be replaced after they have not been used for more than
one month, as provided for in Article 46.2 of the Decree of 1 January 2004.


11. CERTIFICATE DIRECTORY
The certificate directory contains:
- all the Certificates issued by the Certifying Entity;
- the suspension and revocation lists.
11.1. Certificate directory management
One or more copies (directory shadows) are made of the Certificate Directory
(directory master).
All the operations that modify the contents of the directory are registered in the
audit log journal.
The directory is updated every time a certificate is issued, suspended or
revoked.
The directory shadows are copies of the contents of the directory master in
various sites.
At least one shadow is in the main site; other shadows can contain a copy of all
or a part of the contents of the directory.
The shadows are updated each time the directory master is updated.

11.2. Access to the certificate directory
The certificate directory cannot be accessed from outside: it is located on a
secure system in secure premises and is accessible only from the certificate
generation system, which registers on it the issued certificates and the lists
of suspended or revoked certificates.


Access to the shadow directories takes place through the LDAP protocol, as
defined in the public specification RFC 1777 and its subsequent updates, that is
to say by specifying an LDAP URL as defined in RFC 2255.
Such access is possible at the website: www.bancaditalia.it.


12. PRIVACY PROTECTION MEANS
Banca d'Italia guarantees the protection of the privacy of the information
handled during the certification service.
All the information contained in the certification database is protected.
Data is handled in mainly automatic processes by authorized personnel who
have access to the data on the basis of authentication systems and specific
security policies.
The security measures conform with the minimum security measures for the
handling of personal data according to L.D. 196/2003.



13. PROCEDURE FOR AFFIXING AND DEFINITION OF THE TIME-STAMP

The service provided by the Certifier of issuing time-stamps to be associated
with digital documents is reserved to users in possession of digital signature
certificates issued by the Bank of Italy.
Certificate-holders use the time-stamping service by means of an application,
provided by the Certifier and installed on the user's workstation, and the Bank's
Internet site, which can be reached with a secure protocol. The service is
performed in the following manner:
1. the certificate-holder, through the above-mentioned application, produces
and digitally signs the request for time-stamping of the digital document;
2. the request is transmitted by secure procedure to the Certifier's system;
3. the Certifier's system verifies the authenticity of the request and the
authorization of the holder;
4. the Certifier's system generates the time-stamp, with a response time of not
more than one minute; the issue is recorded in the operating register;
5. the time-stamp is returned to the certificate-holder by secure procedure for
subsequent use.
The time-stamping service also permits verification of time-stamps.
The instrument conforms with ISO 9000. The document imprint is generated with
a hash algorithm corresponding to the SHA-1 function, in accordance with Article
51.3 of the Decree of 13 January 2004.

13.1. Time-stamp keys
The time-stamp keys are used for the generation and the verification of the time
stamps (art. 4, comma 4, lett. C, of the DPCM 13.1.2004).
A time stamp is a signed computer proof, containing the following information
(art. 45, comma 1, DPCM 13.1.2004):
- issuer identification;
- serial number of the time-stamp;
- signature algorithm of the time-stamp;
- identification number of the certificate relative to the time-stamp verification
key;


- date and time of the generation of the time-stamp;
- hash algorithm identification (SHA-1) used to create the time-stamped digital
print;
- validity of the digital print.
Each key pair used for time-stamping is unambiguously associated to the time
validation system (art. 46, comma 1, DPCM 13.1.2004).

13.2. Time-stamps storage and validity
All the time stamps issued by the validation system are stored in a specific
digital archive which cannot be modified before a period of 5 years has elapsed.
The time stamps are valid for the whole storage period.
13.3. Time references on the audit log journal
The time references in the audit log journal derive from a system fed from an
external source (ETS, External Time Source) supplied by the National Institute of
Standards and Technology (NIST Colorado, USA). Such references correspond
to the UTC(IEN) time scale with a deviation of no more than one minute.




14. VERIFICATION OF DIGITAL SIGNATURES

In accordance with Article 10 of the Decree of 13 January 2004, the Certifier
makes available to holders and users a system with which to verify digital
signatures (with file extension .p7m). The system can be downloaded free of
charge from the website www.bancaditalia.it, where instructions for installing the
product are also posted.
The digital signature verification system, to be used with an Internet connection
established, makes it possible to:
- verify the validity of the signatory's certificate and the issuer's qualification
as accredited certifier;
- ascertain the integrity of the signed document.
Devices such as smartcards and their readers do not have to be available in
order to perform verification.


15. OPERATIONAL PROCEDURE FOR THE GENERATION OF DIGITAL
SIGNATURES

Digitally signing a document implies the following operations:
- calculation of the print of the document using the mathematical function called
hash;
- ciphering of the print thus obtained using an asymmetric algorithm RSA that
uses the private key of the certificate holder lodged in the smart card.
The certificate holder carries out these operations transparently using the
signing software and the smart card provided by the Certifier.
The software allows the certificate-holder to select the document to be signed
and to see a preview of it before signing.
When the certificate-holder decides to sign the document, the software asks for
confirmation of the intention to sign the previewed electronic document.
In case of an affirmative answer, it is necessary to insert the card in the reader
and type in the PIN code, thus producing the digital document with file extension
.p7m.



15.1 Document format
Office automation has introduced the use of document formats that enrich the
contents of the document with macros or executable code aimed, for
example, at increasing the reuse of the document (e.g. forms, data fields, page
numbering, text format) or at performing mathematical calculations.
The code elements interpreted by the software package (Microsoft Office, for
example) could alter the original contents of the document, thus altering acts,
facts or the data contained in the document (DPCM 13.1.2004, art. 3, comma 3)
when signing.
It is thus advisable to use static formats, such as:
- text .txt;
- picture .tif;
- Portable Document Format .pdf (if without form fields or Javascript).

When it is necessary to use formats like .doc, .dot, .rtf, .xls, before signing the
document it is necessary to identify any dynamic field. Some suggestions follow
for singling out variable objects and fields in documents.

15.1.1 Macros
A macro is a procedure, written in a specific programming language, which
allows a sequence of operations to be run automatically when using Microsoft
Office products.
To control the macro security level in MS Word or MS Excel, select the Macro >
Security command from the Tools menu, then choose the Security tab. The
following box will appear:
[figure: macro security dialog box]
High levels of macro security prevent the macros from running even if they remain
in the document.



15.1.2 Field codes
Field codes are objects which allow dynamic values such as page numbers,
indexes, cross-references, etc., to be inserted in the document. To see which field
codes are in a document, choose Options from the Tools menu. Make sure that in
the View tab "Hidden text", "Object anchors" and "Field codes" are selected and that
"Field shading" is set to "Always".
In this way it will be possible to see all the control codes in the document and to
verify whether these codes can modify the contents of the document after it has been
signed.


15.1.3 Objects
To test for the presence of external references in an MS Word document, such as
a link to an MS Excel sheet, choose Structure from the View menu.



15.1.4 Formulas
To view the formulas in an MS Excel sheet, choose Options from the Tools menu
and select Formulas from the View tab.

15.1.5 JavaScript
PDF documents can contain JavaScript code that adds dynamic functions to
validate forms, access local databases and control multimedia objects.
JavaScript code in Adobe Reader is enabled by default; to disable it choose
Preferences from the Modify menu, select JavaScript from the column on the left
and deselect the option Enable Acrobat JavaScript (the following picture refers to
Adobe Reader version 7).

[Adobe Reader 7 Preferences dialog, JavaScript page, figure not reproduced]
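A pre-signing check for the dynamic constructs discussed in 15.1 and 15.1.5, as an added Go example that is not part of the CPS: it scans the raw bytes of a PDF for the name objects that introduce JavaScript, form fields and automatic actions, decoding the #xx name escapes that a file could use to disguise them. The flagged name list and the sample file are constructed for this example; a clean result says nothing about names hidden inside compressed object streams.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// PDF name objects whose presence means the file may change its own content or
// behaviour after signing: script actions, form fields, automatic actions (constructed list).
var dynamicNames = map[string]bool{
	"/JavaScript": true, "/JS": true, "/AcroForm": true, "/OpenAction": true, "/AA": true,
}

// nameToken matches a PDF name object up to the next delimiter; the #xx hex
// escape is kept so that obfuscated spellings such as /Java#53cript are caught.
var nameToken = regexp.MustCompile(`/[^\s/\[\]<>(){}%]+`)

// decodeName expands #xx escapes (PDF 1.2+) so names compare by their value.
func decodeName(raw string) string {
	var b strings.Builder
	for i := 0; i < len(raw); i++ {
		if raw[i] == '#' && i+2 < len(raw) {
			if v, err := strconv.ParseUint(raw[i+1:i+3], 16, 8); err == nil {
				b.WriteByte(byte(v))
				i += 2
				continue
			}
		}
		b.WriteByte(raw[i])
	}
	return b.String()
}

// DynamicContent lists, in order of first appearance, the dynamic-content
// names found in the raw bytes of a PDF (uncompressed objects only).
func DynamicContent(pdf []byte) []string {
	seen := map[string]bool{}
	var found []string
	for _, tok := range nameToken.FindAll(pdf, -1) {
		name := decodeName(string(tok))
		if dynamicNames[name] && !seen[name] {
			seen[name] = true
			found = append(found, name)
		}
	}
	return found
}

// samplePDF is a constructed, minimal file: a catalog with a form dictionary and
// an open action whose JavaScript type name is hex-escaped.
var samplePDF = []byte("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R /AcroForm << /Fields [] >> >>\nendobj\n" +
	"2 0 obj\n<< /S /Java#53cript /JS (app.beep(0)) >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Run against samplePDF the scan reports /OpenAction, /AcroForm, /JavaScript and /JS, any of which means the file should not be signed as-is.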


16. SSL CERTIFICATES
In addition to the above-mentioned certificates, the Certifier also provides digital
certificates for web servers, network appliances or application servers (e.g. SSL
certificates).
In order to request an SSL certificate, the system owner of the application or
system must send a formal letter to the Certifier providing the following details:

- the infrastructure or application name and the logical name of hosts and
equipment;
- the security reasons that recommend the use of a digital certificate;
- the certificate type to be issued;
- the common name of the certificate to be issued.

After approval of the request, the system owner generates a key pair and sends
a Certificate Signing Request to the Certifier, according to the PKCS#10 standard.
The certificate is issued by the Certifier according to the requirements specified
in the formal letter and is then sent to the system owner.
Finally, the system owner installs the certificate on the target system.
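The request-and-issue flow above, as an added Go example that is not part of the CPS: the system owner generates a key pair and a PKCS#10 request for the approved common name, and the Certifier checks before issuing that the request's self-signature verifies (proof of possession of the private key) and that its subject and host names are exactly those of the approved letter. The P-256 key type, the requestLetter structure and the mapping of the letter's host names onto the request's DNS names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// requestLetter models the approved formal letter (constructed, not a CPS structure).
type requestLetter struct {
	commonName string   // common name of the certificate to be issued
	hosts      []string // logical names of the hosts the certificate will cover
}

// buildCSR is the system owner's step: a fresh key pair (P-256 is assumed) and a
// PKCS#10 request whose subject and DNS names copy the approved letter.
func buildCSR(letter requestLetter) (der []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: letter.commonName},
		DNSNames: letter.hosts,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR is the Certifier's step before issue: the request must be correctly
// self-signed (proof of possession) and must ask for exactly what was approved.
func checkCSR(der []byte, letter requestLetter) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != letter.commonName {
		return fmt.Errorf("CN %q differs from approved %q", csr.Subject.CommonName, letter.commonName)
	}
	if strings.Join(csr.DNSNames, " ") != strings.Join(letter.hosts, " ") {
		return fmt.Errorf("host names %v differ from approved %v", csr.DNSNames, letter.hosts)
	}
	return nil
}
```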


FORMS



Annex 1 Application for issue of electronic certificates
To the BANK OF ITALY
Branch/Department:
Subject: Application for issue of electronic certificates
I the undersigned.. hereby request that the following
certificates be issued in my name:
[ ] authentication [ ] encryption [ ] signature
For this purpose I provide the required information below and undertake promptly
to communicate every change therein.
Company data
Individual code (for employees)
Unit (for employees)
Identification number of entity (12) (for external persons)
Name of entity (for external persons)
Personal data
Family name
Given name
Sex
Date of birth
Municipality (or foreign country) of birth
Province of birth
Tax identification number (13)

Identification document

(12) Indicate the ABI identification code number for credit and financial intermediaries. No identification
number needs to be given for other entities.
(13) For residents abroad, indicate the tax identification number or similar identification number issued by the
tax authority of the country of residence.



Residence
Country
Municipality
Province
Address
Postal code

Contacts
Telephone (including country code)
Fax (including country code)
Cell (including country code)
e-mail address at company
I attach a photocopy of (indicate the essential data of the identification document)
.
I declare, moreover, that I:
- am informed of the conditions for using the certificates in question,
specified in the Certificate Practice Statement and supplementary
provisions issued by the Bank of Italy, and undertake not to use them for
functions or purposes other than those established by the Bank of Italy;
- am aware that from the time I receive the smartcard I will be able to
communicate with the Bank of Italy's Help Desk only during the hours and
on the days specified in the Certificate Practice Statement, excluding
whatsoever liability of the Bank of Italy in this regard;
- have received the information note referred to in Article 13 of Legislative
Decree 196/2003 concerning the data given above.
Date




Annex 2 Information note pursuant to Article 13 of Legislative Decree 196/2003

In conformity with the requirements of Legislative Decree 196/2003, you are
informed that the Bank of Italy processes the personal data that you provide upon
applying for the issue of electronic certificates.
The data are necessary for the issue and management of electronic certificates by
the Bank of Italy.
The data are processed with IT procedures and logics strictly correlated to the
above-mentioned purposes and with the use of security measures that ensure the
confidentiality of personal data and prevent access to such data by unauthorized
third parties or personnel.
The data are not communicated to third parties, nor are they disseminated.
The data may become known to:
1) in their capacity as persons responsible for processing, the Manager of the
Branch/Head of the . Department to which the
application was submitted; the Head of the Organization Department, which
operates the certification service and authorizes the requests relative to the life
cycle of certificates; and the Head of the Information Technology Department,
which produces the certificates and performs the Help Desk activity;
2) in their capacity as assigned persons, the personnel of the units assigned, case
by case or permanently, to perform the above-mentioned activities.

You may apply to the Bank of Italy (Organization Department), via Nazionale 91,
00184 ROME, Head of Processing, or to the persons responsible for processing
indicated above, to exercise your right to access your personal data and the other
rights recognized by Article 7 of Legislative Decree 196/2003, including: the right
to know the origin of the data and the purposes for and manner in which they are
processed; to have the data updated, corrected or supplemented; to obtain the
deletion, transformation into anonymous form or blocking of the data that are
processed in violation of the law; to object in whole or in part, for legitimate
reasons, to processing.



Annex 3 Request for suspension of electronic certificates

To the BANK OF ITALY
Branch/Department:

Subject: Request for suspension of electronic certificates
The undersigned ....

as holder (14)/interested third party, requests the suspension of the following
certificates issued in his or her name/issued in the name of (indicate the given
name and family name of the holder):
[ ] authentication [ ] encryption [ ] signature

for the following reason:
[ ] loss
[ ] other (specify)..

Attached is a photocopy of the (indicate the essential data of the identification
document)..

Date


(14) The holder must indicate: date and place of birth, residence and tax identification number (for residents
abroad, indicate the tax identification number or similar identification number issued by the tax authority
of the country of residence).

Annex 4 Request for reactivation of suspended electronic certificates

To the BANK OF ITALY
Branch/Department:

Subject: Request for reactivation of suspended electronic certificates

The undersigned ...
as holder (15)/interested third party, requests the reactivation of the following
certificates issued in his or her name/issued in the name of (indicate the given
name and family name of the holder):
[ ] authentication [ ] encryption [ ] signature

for the following reason:
[ ] recovery of smartcard
[ ] other (specify)..

Attached is a photocopy of the (indicate the essential data of the identification
document)..

Date



(15) The holder must indicate: date and place of birth, residence and tax identification number (for residents
abroad, indicate the tax identification number or similar identification number issued by the tax authority
of the country of residence).


Annex 5 Request for revocation of electronic certificates

To the BANK OF ITALY
Branch/Department:

Subject: Request for revocation of electronic certificates

The undersigned ...
as holder (16)/interested third party, requests the revocation of the following
certificates issued in his or her name/issued in the name of (indicate the given
name and family name of the holder):
[ ] authentication [ ] encryption [ ] signature

for the following reason:
[ ] theft
[ ] loss
[ ] breach of security of the device
[ ] deterioration of the device
[ ] change of position of the holder (17)

[ ] other (specify)..

Date


(16) The holder must indicate: date and place of birth, residence and tax identification number (for residents
abroad, indicate the tax identification number or similar identification number issued by the tax authority
of the country of residence).
(17) Only for requests submitted by the interested third party.


Annex 6 Request for renewal of electronic certificates

To the BANK OF ITALY
Branch/Department: .

Subject: Request for renewal of electronic certificates
I the undersigned ., born in ,
resident in , tax identification number (18),
as holder of the following certificates issued by the Bank of Italy:
[ ] authentication [ ] encryption [ ] signature
stored on smartcard no. , request the renewal of such certificates.
For this purpose I:
[ ] confirm all the personal identification data transmitted to the Bank of Italy on
the occasion of the application for issue of above-mentioned certificates;
[ ] report the following changes to the information transmitted to the Bank of
Italy on the occasion of the application for issue of the above-mentioned
certificates:


I attach a photocopy of (indicate the details of the identification
document)
I declare, moreover, that I am aware of the conditions of use of the certificates in
question and undertake not to use them for functions or purposes other than those
established by the Bank of Italy.

Date



(18) For residents abroad, indicate the tax identification number or similar identification number issued by
the tax authority of the country of residence.
