1. eMedNY Certificate Policy

    Provider Institutions receiving eMedNY X.509 certificates agree that they will make reasonable efforts to adhere to this policy. eMedNY assumes no liability for providers' policy violations. Parties relying on certificates issued by eMedNY as a Certificate Authority (CA) should study this policy and the CA’s Practices Statement to determine if the assurance level and operational practices are sufficient for the needs of their application.

    1. User Identity

      eMedNY has a process in place to securely provision ePACES admin accounts for providers.

      eMedNY certificate management relies on the previously provisioned Provider ePACES admin account to request, take receipt of and manage certificates created under this policy.

      1. Entities identified in eMedNY certificates are authenticated by the Provider's ePACES Admin.
      2. Subject names in the certificate must uniquely map to a unique entity (Server or Application) for the validity period of the certificate. Furthermore, it is strongly recommended that Subject names uniquely map to the individual in perpetuity regardless of the certificate’s validity period but this is not required. A Relying Party must examine the associated CPS before making any assumptions about the persistent binding of a certificate Subject name.

    2. Certificate Revocation

      eMedNY as a Certification Authority (CA) will be able to revoke certificates. eMedNY will issue certificates containing a Certificate Revocation List (CRL) or OCSP distribution point extension. eMedNY will issue CRLs and must update the CRLs and/or OCSP database as specified in the Next Update field of the CRL.

    3. CA Private Key Protection

      The eMedNY certification authority must understand the significance of the CA’s private key(s) and take action to protect the key(s) appropriately.

    4. Subject Key-pair Generation and Private Key Protection

      eMedNY suggests that the certificate Subject's key-pair be generated by the Subject's Server or Application software. Typically this will be accomplished with software in a standard application but may also be accomplished with an alternative mechanism.

      Alternatively, if requested, eMedNY may generate the Subject’s key-pair within the CA and deliver both the private key and the certificate to the Subject. If the eMedNY CA archives the Subject’s private key, the archival procedure must be documented in the CPS.

    5. Certificate Profile

      eMedNY certificates will conform to the basic eMedNY Certificate Profile. Additional fields or extensions will be ignored.

    6. Certificate Usage

      eMedNY certificates may be used for digital signatures, data encryption and key encipherment. eMedNY will escrow certificates to allow for decryption of historical messages. The decryption key escrow process will be described in the associated CPS.

    7. Certificate Management

      Providers are expected to securely manage their private key and certificate(s). These attest to the identity of the holder and the compromise of said certificates must be reported to eMedNY immediately.

  2. eMedNY Certification Practices Statement
    1. CPS Introduction

      This statement defines the policies and procedures followed by eMedNY in the issuance of Public Key Certificate credentials.

      eMedNY issues certificates to Provider Institutions for the sole purpose of enabling the exchange of data, files and messages between the provider and eMedNY. The certificates are not intended to provide a chain of authority to any other party.

    2. NO WARRANTY

      Although eMedNY makes its best efforts to ensure that correct credentials are issued to appropriate providers, eMedNY has no actual control over how providers protect their own credentials. UNDER NO CIRCUMSTANCES IS eMedNY RESPONSIBLE FOR THE CONSEQUENCES TO A RELYING PARTY MAKING USE OF CREDENTIALS eMedNY ISSUES. eMedNY OFFERS NO WARRANTY OF ANY KIND AND DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR OF FITNESS FOR A PARTICULAR PURPOSE. eMedNY CANNOT BE HELD LIABLE FOR ANY DAMAGES OF ANY KIND WHETHER DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL EVEN IF eMedNY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    3. CA Private Key Protection

      The private key for this eMedNY CA is maintained in tamperproof hardware. No more than 4 employees have access to this key and fewer than 10 employees are in a position to issue certificates signed by this key. eMedNY can make no representation of the strength of that hardware protection; it is a user of technology provided by IBM and cannot provide assurances beyond what IBM has provided.

    4. Authentication upon Registration

      In general eMedNY verifies the identity of people it issues certificates to in a way that is generally considered proper and appropriate. Specifically:

      • Providers requesting ePACES access are issued a pass phrase which is printed and mailed to them via postal mail. This pass phrase is required in order to authenticate to a certificate issuing website.
      • Providers receive their pass phrases at the mailing address on record for their remittances.
      • Providers use the pass-phrase in addition to a second piece of uniquely identifying information to establish an ePACES Admin account and password.
      • ePACES Admin signs into an HTTPS protected web application and uploads a certificate request document.
      • The certificate is issued to the ePACES Admin.
      • The ePACES Admin secures and provisions the certificate to the site's SOAP application.
      • The possession of a certificate issued by this eMedNY CA implies that at some point eMedNY believed that the possessor was a valid provider Admin. However, the mere possession of a certificate should not be construed by relying parties to mean that the possessor has a current association with eMedNY or that the possessor may legally bind eMedNY in any form of negotiation. eMedNY assumes that the provider will properly notify eMedNY if the Admin account is no longer valid or has been compromised.

    5. Lifetime of Issued Credential

      Certificates issued by this eMedNY CA are valid for no more than 6 months from the date of issuance.

    6. Revocation

      The eMedNY CA does revoke certificates.

      The eMedNY CA revokes certificates via a Certificate Revocation List [and/or the use of the On-line Certificate Status Protocol (OCSP)]. A provider's ePACES Admin can revoke certificates for the provider. eMedNY will revoke a certificate when informed by the certificate owner that the key associated with the certificate may have been compromised. Certificates that have been idle will eventually expire.
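
      A relying party can pre-check the two properties stated in sections 5 and 6 (validity of no more than 6 months, and a CRL or OCSP pointer in the certificate) before trusting a certificate. The script below is an added example, not eMedNY's own tooling; it assumes the OpenSSL 1.1.1+ command line and GNU date, treats "6 months" as 184 days, and all function names and the sample certificate are constructed for illustration.

```bash
# Added example: relying-party pre-checks for the lifetime and revocation
# statements above. Assumes the OpenSSL 1.1.1+ CLI and GNU date; "6 months"
# is taken as 184 days (an assumption, the CPS gives no day count).
MAX_DAYS=184

# Print the validity window in whole days (notAfter minus notBefore).
validity_days() {
  local nb na
  nb=$(openssl x509 -noout -startdate -in "$1" 2>/dev/null | cut -d= -f2)
  na=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | cut -d= -f2)
  [ -n "$nb" ] && [ -n "$na" ] || return 2
  echo $(( ( $(date -ud "$na" +%s) - $(date -ud "$nb" +%s) ) / 86400 ))
}

# Succeed if the certificate names a CRL distribution point or OCSP responder.
has_revocation_pointer() {
  openssl x509 -noout -text -in "$1" 2>/dev/null |
    grep -Eq 'CRL Distribution Points|OCSP - URI'
}

# Return 0 if both checks pass; otherwise print the reason and return 1.
check_cert() {
  local days
  days=$(validity_days "$1") || { echo "unreadable certificate: $1"; return 1; }
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "validity of $days days exceeds $MAX_DAYS"; return 1
  fi
  has_revocation_pointer "$1" || { echo "no CRL or OCSP pointer"; return 1; }
  echo "ok: $days days, revocation pointer present"
}

# Constructed self-signed sample for trying the checks offline (not an eMedNY
# certificate). Usage: make_sample_cert OUT DAYS [EXTENSION]
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=constructed-sample" ${3:+-addext "$3"} 2>/dev/null &&
    rm -f "$1.key"
}

# Stand-alone use: ./check.sh cert.pem
if [ "$#" -gt 0 ]; then check_cert "$1"; fi
```

      These are structural checks only: the CRL or OCSP response named in the certificate still has to be fetched and verified, and the chain validated against the eMedNY CA, before the certificate is relied on.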

    7. End-User Private Key Protection

      eMedNY does not establish standards for how individual private keys are maintained. It is expected that many keys will be stored in browser preferences files as many end-users obtain their credentials via a web browser. Keys stored on the hard drives of individually owned or maintained computer systems will likely be as secure (or not) as other information stored on such systems.

      Some users may have their preferences files stored in the campus distributed file system. The security of such stored files will depend on the security of the distributed file system and the strength of the password/key chosen by the user to protect the stored file.

Questions about this Certificate Policy or Certification Practices Statement should be directed to the eMedNY Provider Services Department at 1-800-343-9000.