Provider Institutions receiving eMedNY X.509 certificates agree that they will make reasonable efforts to adhere to this policy. eMedNY assumes no liability for providers' policy violations. Parties relying on certificates issued by eMedNY as a Certificate Authority (CA) should study this policy and the CA’s Practices Statement to determine if the assurance level and operational practices are sufficient for the needs of their application.
eMedNY has a process in place to securely provision ePACES admin accounts for providers.
eMedNY certificate management relies on the previously provisioned Provider ePACES admin account to request, take receipt of and manage certificates created under this policy.
eMedNY as a Certification Authority (CA) will be able to revoke certificates. eMedNY will issue certificates containing a Certificate Revocation List (CRL) or OCSP distribution point extension. eMedNY will issue CRLs and must update the CRLs and/or OCSP database as specified in the Next Update field of the CRL.
The eMedNY certification authority must understand the significance of the CA’s private key(s) and take action to protect the key(s) appropriately.
eMedNY suggests that the certificate Subject's key-pair be generated by the Subject's Server or Application software. Typically this will be accomplished with software in a standard application but may also be accomplished with an alternative mechanism.
Alternatively, if requested, eMedNY may generate the Subject’s key-pair within the CA and deliver both the private key and the certificate to the Subject. If the eMedNY CA archives the Subject’s private key, the archival procedure must be documented in the CPS.
eMedNY certificates will conform to the basic eMedNY Certificate Profile. Additional fields or extensions will be ignored.
eMedNY certificates may be used for digital signatures, data encryption and key encipherment. eMedNY will escrow certificates to allow for decryption of historical messages. The decryption key escrow process will be described in the associated CPS.
Providers are expected to securely manage their private key and certificate(s). These attest to the identity of the holder, and the compromise of said certificates must be reported to eMedNY immediately.
This statement defines the policies and procedures followed by eMedNY in the issuance of Public Key Certificate credentials.
eMedNY issues certificates to Provider Institutions for the sole purpose of enabling the exchange of data, files and messages between the provider and eMedNY. The certificates are not intended to provide a chain of authority to any other party.
Although eMedNY makes its best efforts to ensure that correct credentials are issued to appropriate providers, eMedNY has no actual control over how providers protect their own credentials. UNDER NO CIRCUMSTANCES IS eMedNY RESPONSIBLE FOR THE CONSEQUENCES TO A RELYING PARTY MAKING USE OF CREDENTIALS eMedNY ISSUES. eMedNY OFFERS NO WARRANTY OF ANY KIND AND DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR OF FITNESS FOR A PARTICULAR PURPOSE. eMedNY CANNOT BE HELD LIABLE FOR ANY DAMAGES OF ANY KIND WHETHER DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL EVEN IF eMedNY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The private key for this eMedNY CA is maintained in tamperproof hardware. No more than 4 employees have access to this key and fewer than 10 employees are in a position to issue certificates signed by this key. eMedNY can make no representation of the strength of that hardware protection; it is a user of technology provided by IBM and cannot provide assurances beyond what IBM has provided.
In general eMedNY verifies the identity of people it issues certificates to in a way that is generally considered proper and appropriate. Specifically:
Certificates issued by this eMedNY CA are valid for no more than 6 months from the date of issuance.
The eMedNY CA does revoke certificates.
The eMedNY CA revokes certificates via a Certificate Revocation List [and/or the use of the On-line Certificate Status Protocol (OCSP)]. A provider's ePACES admin can revoke certificates for the provider. eMedNY will revoke a certificate when informed by the certificate owner that the key associated with the certificate may have been compromised. Certificates that have been idle will eventually expire.
eMedNY does not establish standards for how individual private keys are maintained. It is expected that many keys will be stored in browser preferences files as many end-users obtain their credentials via a web browser. Keys stored on the hard drives of individually owned or maintained computer systems will likely be as secure (or not) as other information stored on such systems.
Some users may have their preferences files stored in the campus distributed file system. The security of such stored files will depend on the security of the distributed file system and the strength of the password/key chosen by the user to protect the stored file.
Questions about this Certificate Policy or Certification Practices Statement should be directed to the eMedNY Provider Services Department at 1-800-343-9000.