Short Form Certificate Policy

Registered Medicare Australia Provider Community of Interest (CoI) Certificate Policy (CP)

for Individual Certificates issued under the Medicare Australia Organisation Certification Authority (Medicare Australia OCA)

v1.5

November 2006

Copyright Notice:

This document contains information protected by copyright. © Commonwealth of Australia

This work is copyright. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation. Apart from any use as permitted under the Copyright Act 1968, all other rights are reserved. Requests and enquiries concerning reproduction and rights should be addressed to The Manager, Media, Marketing and Communications Branch, Medicare Australia National Office, PO Box 1001 Tuggeranong DC ACT 2901.

Contact

Medicare Australia

Locked Bag 6666

Tuggeranong DC ACT 2901

AUSTRALIA

This Document has been authorised by the Medicare Australia Policy Management Authority:

Date:

General Manager or nominee, Information Technology Services Division, Medicare Australia

Introduction

This is the Certificate Policy for individual certificates to be provided to Registered Medicare Australia Providers. The certificates will be provided on a Secure Token (known as the Health Professional Card) and provided to Registered Medicare Australia Providers.

The document is structured and numbered according to the Gatekeeper Short Form Certificate Policy Template.

This CP should be read in conjunction with the Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS).

Terminology

Registered Medicare Australia Provider Certificate means a Certificate issued under this CP to a provider (however described) who is registered with Medicare Australia and has, at registration, been issued with a number or numbers by Medicare Australia.

Certificate Policy Clauses

CP Identification

Certificates issued under this CP shall bear the Policy OID:

1.2.36.174030967.1.5.1.1

(where “174030967” is the last 9 digits of Medicare Australia’s Australian Business Number).

1. INTRODUCTION

This is the Certificate Policy for individual certificates to be provided to Registered Medicare Australia Providers. The certificates will be provided on a Secure Token (known as the Health Professional Card) and provided to Registered Medicare Australia Providers.

The meaning of a Registered Medicare Australia Provider Individual Certificate (Provider Certificate) issued in this way is nothing more and nothing less than a statement expressed in a digital format of the fact that the certificate Subject (the Registered Medicare Australia Provider) has been issued with a Registered Medicare Australia Provider Number (however described).

The Relationship Organisation for this CP is Medicare Australia. The Relationship Organisation Unit (ROU) is the program area in Medicare Australia responsible for provider registration. The Relationship Organisation Unit Operators (ROUOs) are Medicare Australia personnel working in the ROU.

1.1 PKI Participants

1.1.1 Certification Authority

All Certificates issued under this CP shall be produced by the Medicare Australia Organisation Certification Authority (Medicare Australia OCA).

Refer to the Medicare Australia Organisation Certification Authority Practice Statement (Medicare Australia OCA CPS) for further information on applicable practices and procedures for Certificates issued under this CP.

1.1.2. Relationship Organisation

Medicare Australia is the Relationship Organisation (Medicare Australia RO) in the Health Sector PKI.

1.1.3. Relationship Organisation Unit

There are separately identified Relationship Organisation Units (ROUs) within the Medicare Australia RO, usually one ROU for each Community of Interest (CoI) in the Health Sector PKI operated by Medicare Australia.

The ROU has responsibilities in the CoI in managing the Subscribers in that CoI.

1.1.4 Certificate Controllers

Certificate Controllers are Medicare Australia RO personnel with responsibilities for management of Certificates.

All Certificate Controllers operating under this CP are duly authorised representatives of Medicare Australia.

1.1.5 Relationship Organisation Unit Operators

Relationship Organisation Unit Operators (ROUOs) are Medicare Australia personnel within the Registered Medicare Australia Provider CoI.

ROUOs within the Registered Medicare Australia Provider CoI are not Certificate Controllers. ROUOs operate in accordance with the processes and procedures set out in the Medicare Australia OCA CPS and this CP.

1.1.6. Subscribers

Each Subscriber under this CP is a healthcare professional who is currently registered with, and allocated provider number(s) by, Medicare Australia and is known to Medicare Australia as a Registered Medicare Australia Provider (Registered Medicare Australia Provider).

There is a Subscriber agreement under this CP, known as the Health Professional Card (Registered Medicare Australia Provider Individual Keys and Certificates) Terms and Conditions of Use.

The Subscriber is bound by these terms and conditions when the Subscriber conducts his or her first transaction with Medicare Australia using the Keys and Certificates on his or her Health Professional Card.

1.1.7. Relying Parties

Relying Parties under this CP are:

a) Medicare Australia, as receiver of transactions secured using the Individual keys and Certificates of the Registered Medicare Australia Provider;

b) Registered Medicare Australia Providers conducting transactions with other Registered Medicare Australia Providers or third parties, as authorised or approved by Medicare Australia.

There is no Relying Party Agreement under this CP.

Parties who rely on Certificates issued under this CP and who do not have a written agreement with Medicare Australia relating to transactions undertaken with Medicare Australia or who undertake transactions that are not authorised or approved by Medicare Australia, rely on such certificates at their own risk.

1.2 Certificate Use

1.2.1 Appropriate Certificate Use

Key Pairs and Certificates issued under this CP are to be used by Registered Medicare Australia Providers to secure transactions with Medicare Australia, other Registered Medicare Australia Providers and third parties for programs and services authorised or approved by Medicare Australia.

1.2.2 Prohibited Certificate Uses

There are no prohibited certificate uses. Parties using Individual Certificates for any transaction other than an authorised or approved transaction with Medicare Australia do so at their own risk.

1.3 Definitions and Acronyms

Definitions and Acronyms are in the Health Sector PKI Glossary at

2. IDENTIFICATION AND AUTHENTICATION OF USERS

2.1 Naming of Subscribers

Subscribers (termed ‘Certificate Subjects’ in the X.509 definition) under this CP shall be named (and the uniqueness of their names shall be assured) according to the Medicare Australia application and registration process for Registered Medicare Australia Providers.

2.2 Identification and authentication of the Subscriber at registration

Subscribers (Registered Medicare Australia Providers) under this CP will be identified and authenticated at the time of their application for registration as a Medicare Australia provider by Medicare Australia in accordance with trusted practices that may include, but not be limited to:

a) receipt of applications for Provider Numbers;

b) assessment of applications and associated documents;

c) processing in association with the Department of Health and Ageing (DoHA) (where required);

d) allocation of Provider Number(s) and registration on the Provider Directory System (PDS);

e) where required, be linked to speciality codes to allow access to Medicare benefits.

Note that allocation of a Provider Number does not give access to Medicare benefits: for example, restricted doctors have Provider Numbers but do not have access to Medicare benefits.

Where a Registered Medicare Australia Provider wishes to access Medicare Australia programs using his/her Certificate, Medicare Australia reserves the right to require that the Registered Medicare Australia Provider enters into terms and conditions for participation in that program.

Any such program terms and conditions are separate from the Health Professional Card (Registered Medicare Australia Provider Individual Keys and Certificates) Terms and Conditions of Use.

2.3 Identification and authentication of the Subscriber at renewal

Subscribers (Registered Medicare Australia Providers) under this CP shall be identified and authenticated and the Certificate renewed automatically provided that:

a) the healthcare professional is a Registered Medicare Australia Provider;

b) the Registered Medicare Australia Provider’s registration status with Medicare Australia has not changed.

Note: all certificate renewals under this CP involve re-keying.

2.4 Identification and authentication of revocation request

Revocation of certificates under this CP shall only be requested by:

a) ROUOs in the event that the Subscriber becomes ineligible to remain as a Registered Medicare Australia Provider; or

b) The Subscriber; or

c) Certificate Controllers.

3. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

3.1. Certificate creation

3.1.1. Enrolment process and responsibilities

Where a healthcare professional is a Registered Medicare Australia Provider, he/she may be enrolled automatically for Certificates by Certificate Controllers on the basis of registration as a Registered Medicare Australia Provider.

3.1.2. Publication of the certificate by the CA

Certificates issued under this CP will be published in the Healthcare Public Directory.

Revocation status of Certificates issued under this CP will be published in the Healthcare Public Directory.

3.2. Key Pair and Certificate Usage

3.2.1 Key pair generation and installation

The Subscriber Key Pairs and Certificates issued under this CP shall be generated by an approved process.

3.3. Certificate renewal

Certificates issued under this CP shall be renewed automatically provided the status of the Registered Medicare Australia Provider has not changed.

Refer to clause 2.3 for details of identification and authentication.

3.4. Certificate revocation

Certificates issued under this CP may be revoked by Medicare Australia in its absolute discretion, including but not limited to:

a) after loss, destruction or theft of the Card;

b) in the event of Registered Medicare Australia Provider’s de-registration (however described);

c) in the event the Registered Medicare Australia Provider’s Provider Number(s) are cancelled by Medicare Australia.

3.5 Certificate status services

3.5.1 Operational characteristics

Details of Operational Characteristics are not provided.

3.5.2 Service availability

Service availability for the Certificate Revocation List (CRL) is substantially 24 x 7 at

3.5.3 Optional features

Details of Operational Features are not provided.

4. REGISTRATION OPERATIONAL CONTROLS

4.1 Personnel controls

All Certificate Controllers under this CP shall be authorised representatives of Medicare Australia.

4.2 Logical and Technological controls

Certificate requests will be processed by the authorised Certificate Controllers of Medicare Australia in accordance with the security provisions of the Medicare Australia OCA CPS.

4.3 Physical controls

Certificate requests will be processed by Medicare Australia Certificate Controllers in accordance with the security provisions of the Medicare Australia OCA CPS.

4.4 Business continuity of the Relationship Organisation

As Medicare Australia (the Relationship Organisation under this CP) is a statutory agency under the Medicare Australia Act 1973, its continuation depends on continuance in force of the Medicare Australia Act 1973 or by other Acts of the Commonwealth Parliament made pursuant to government policy.

Changes in legislation or government policy will provide for business continuity of the RO in accordance with policy as determined by the government.

4.5 Relationship Organisation termination

As Medicare Australia is a statutory agency under the Medicare Australia Act 1973, its termination or change of entity status is through amendment to the Medicare Australia Act 1973 or by other Acts of the Commonwealth Parliament made pursuant to changes in government policy.

5. CERTIFICATE, CRL AND OCSP PROFILES

5.1 Certificate profile – Registered Medicare Australia Provider

Encipherment Certificate

Field / Content / Mandatory / Critical*
1. X.509 v1 Field / N/A
1.1. Version / V3 / M
1.2. SerialNumber / A positive integer that uniquely identifies the Certificate. / M
1.3. SignatureAlgorithm / SHA-1RSA, SHA-1 hashing algorithm using the RSA signing algorithm. / M
1.4. IssuerDistinguishedName / M
1.4.1. Country (C) / AU / M
1.4.2. Organization (O) / GOV / M
1.4.3. OrganizationUnit (OU) / Medicare Australia / M
1.4.3 CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.5. Validity
1.5.1. NotBefore / The date that the Certificate is valid from (system time at certificate issuance). YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later. / M
1.5.2. NotAfter / The date that the Certificate is valid until. 2 years from Start Validity, i.e. certificate issuance. YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later / M
1.6. Subject
1.6.1. Country (C) / AU / M
1.6.2. State (St) / <STATE> / M
1.6.3. Organization (O) / <Health> / O
1.6.4. CommonName (CN) / <FirstMiddleLastName>:RANumber / M
1.7. SubjectPublicKeyInfo / RSA Public Key of 1024 bits. / M
2. X.509 v3 Extensions
2.1. AuthorityKeyIdentifier / M / Non-Critical
2.1.1. KeyIdentifier / SHA-1 hash (60 bits) of the Issuer's public key.
2.1.2. AuthorityCertIssuer / Not present
2.1.3. AuthorityCertSerialNumber / Not present
2.2. SubjectKeyIdentifier / SHA-1 hash (60 bits) of the Subject's public key. / M / Non-Critical
2.3. KeyUsage / M / Critical
2.3.1. DigitalSignature / NOT SET
2.3.2. NonRepudiation / NOT SET
2.3.3. KeyEncipherment / SET
2.3.4. DataEncipherment / NOT SET
2.3.5. KeyAgreement / NOT SET
2.3.6. KeyCertificateSignature / Not Selected
2.3.7. CRLSignature / Not Selected
2.4. ExtendedKeyUsage / Not applicable / Non-Critical
2.5. CertificatePolicies / Non-Critical
2.5.1. PolicyIdentifier / 1.2.36.174030967.1.5.1.1
2.5.1.1. PolicyQualifierID / UserNotice
2.5.1.2. UserNotice / Certificates issued under this CP must be relied on by entities within the Community of Interest, unless otherwise agreed, and not for purposes other than those permitted by this CP.
2.5.1.3. PolicyQualifierID / CPSURI
2.5.1.4. CPSURI /
2.6. SubjectAlternateNames / Non-Critical
2.6.1. rfc822Name / <email address> / O
2.7. BasicConstraints
2.7.1. SubjectType / Not CA / Critical
2.7.2. PathLengthConstraint / Not present
2.8. AuthorityInformationAccess
2.8.1. AccessDescription / Not present
2.8.1.1. AccessMethod / On-line Certificate Status Protocol (1.3.6.1.5.5.7.4.1) / Non-Critical
2.8.1.2. AlternativeName / URL= australia.com.au/maoca.pkx
2.9 CRLDistributionPoint
2.9.1 URL / australia.com.au/cgi-bin/getcrl_health.pl?DN=cn%3DMedicare%20Australia%20Organisation%20Certification%20Authority%2Co%3DMedicare%20Australia%2Cc%3DAU / Non-Critical
3.0 OtherFields - Generic [1]
3.0.1 Generic IA5String: RANumber (OID=1.2.36.73665175.1.10009) / RANumber / M
3.0.2 Generic IA5String: ProviderStemNumber (OID=1.2.36.174030967.0.2) / ProviderStemNumber / O
3.0.3 Generic IA5String: PrescriberNumber (OID=1.2.36.174030967.0.3) / PrescriberNumber / O
3.0.4 Generic IA5String: HealthcareProviderIdentifier (OID=1.2.36.174030967.0.4) / HealthcareProviderIdentifier / O
3.0.5 Generic IA5String: MedicareIdentifier (OID=1.2.36.174030967.0.5) / MedicareIdentifier / O

[1] These Certificate extension OID references are expected to be common to all CoI Certificate Policies, and may have applicability to this CoI.

5.2 Certificate profile – Registered Medicare Australia Provider

Signing Certificate

Field / Content / Mandatory / Critical*
1. X.509 v1 Field / N/A
1.1. Version / V3 / M
1.2. SerialNumber / A positive integer that uniquely identifies the Certificate. / M
1.3. SignatureAlgorithm / SHA-1RSA, SHA-1 hashing algorithm using the RSA signing algorithm. / M
1.4. IssuerDistinguishedName / M
1.4.1. Country (C) / AU / M
1.4.2. Organization (O) / Medicare Australia / M
1.4.3. OrganizationUnit (OU) / Medicare Australia / M
1.4.4 CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.5. Validity
1.5.1. NotBefore / The date that the Certificate is valid from (system time at certificate issuance). YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later. / M
1.5.2. NotAfter / The date that the Certificate is valid until. 2 years from Start Validity, i.e. certificate issuance. YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later / M
1.6. Subject
1.6.1. Country (C) / AU / M
1.6.2. State (St) / <STATE> / M
1.6.4. Organization (O) / <Health> / O
1.6.6. CommonName (CN) / <FirstMiddleLastName>:RANumber / M
1.7. SubjectPublicKeyInfo / RSA Public Key of 1024 bits. / M
2. X.509 v3 Extensions
2.1. AuthorityKeyIdentifier / M / Non-Critical
2.1.1. KeyIdentifier / SHA-1 hash (60 bits) of the Issuer's public key.
2.1.2. AuthorityCertIssuer / Not present
2.1.3. AuthorityCertSerialNumber / Not present
2.2. SubjectKeyIdentifier / SHA-1 hash (60 bits) of the Subject's public key. / M / Non-Critical
2.3. KeyUsage / M / Critical
2.3.1. DigitalSignature / SET
2.3.2. NonRepudiation / SET
2.3.3. KeyEncipherment / NOT SET
2.3.4. DataEncipherment / NOT SET
2.3.5. KeyAgreement / NOT SET
2.3.6. KeyCertificateSignature / Not Selected
2.3.7. CRLSignature / Not Selected
2.4. ExtendedKeyUsage / Not applicable / Non-Critical
2.5. CertificatePolicies / Non-Critical
2.5.1. PolicyIdentifier / 1.2.36.174030967.1.5.1.1
2.5.1.1. PolicyQualifierID / UserNotice
2.5.1.2. UserNotice / Certificates issued under this CP must be relied on by entities within the Community of Interest, unless otherwise agreed, and not for purposes other than those permitted by this CP.
2.5.1.3. PolicyQualifierID / CPSURI
2.5.1.4. CPSURI /
2.6. SubjectAlternateNames / Non-Critical
2.6.1. rfc822Name / <email address> / O
2.7. BasicConstraints
2.7.1. SubjectType / Not CA / Critical
2.7.2. PathLengthConstraint / Not present
2.8. AuthorityInformationAccess
2.8.1. AccessDescription / Not present
2.8.1.1. AccessMethod / On-line Certificate Status Protocol (1.3.6.1.5.5.7.4.1) / Non-Critical
2.8.1.2. AlternativeName / URL= australia.com.au/maoca.pkx
2.9 CRLDistributionPoint
2.9.1 URL / australia.com.au/cgi-bin/getcrl_health.pl?DN=cn%3DMedicare%20Australia%20Organisation%20Certification%20Authority%2Co%3DMedicare%20Australia%2Cc%3DAU / Non-Critical
3.0 OtherFields - Generic [2]
3.0.1 Generic IA5String: RANumber (OID=1.2.36.73665175.1.10009) / RANumber / M
3.0.2 Generic IA5String: ProviderStemNumber (OID=1.2.36.174030967.0.2) / ProviderStemNumber / O
3.0.3 Generic IA5String: PrescriberNumber (OID=1.2.36.174030967.0.3) / PrescriberNumber / O
3.0.4 Generic IA5String: HealthcareProviderIdentifier (OID=1.2.36.174030967.0.4) / HealthcareProviderIdentifier / O
3.0.5 Generic IA5String: MedicareIdentifier (OID=1.2.36.174030967.0.5) / MedicareIdentifier / O

[2] These Certificate extension OID references are expected to be common to all CoI Certificate Policies, and may have applicability to this CoI.
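
The KeyUsage settings that separate the encipherment profile (5.1) from the signing profile (5.2), and the Validity encoding rule both profiles state, worked through in Python as an added example; it is not part of this CP or of any Medicare Australia software. All function names are hypothetical, the issuance date is constructed, and moving a 29 February issuance to 28 February two years later is an assumption, since the profiles say only "2 years".

```python
from datetime import datetime, timezone

# X.509 KeyUsage named bits; bit 0 is the most significant bit of the octet.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

# Bits marked SET in profiles 5.1 (encipherment) and 5.2 (signing).
PROFILES = {
    "encipherment": {"keyEncipherment"},
    "signing": {"digitalSignature", "nonRepudiation"},
}

def encode_key_usage(names):
    """DER BIT STRING for a KeyUsage value (trailing zero bits dropped)."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        return bytes([0x03, 0x01, 0x00])
    octet = 0
    for pos in positions:
        octet |= 0x80 >> pos
    return bytes([0x03, 0x02, 7 - positions[-1], octet])

def decode_key_usage(der):
    """Named bits set in a one-octet DER KeyUsage BIT STRING."""
    if len(der) != 4 or der[:2] != b"\x03\x02":
        raise ValueError("expected a one-octet DER BIT STRING")
    unused, octet = der[2], der[3]
    if unused > 7 or octet & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    return {n for i, n in enumerate(KEY_USAGE_BITS) if octet & (0x80 >> i)}

def matches_profile(der, profile):
    """True only if exactly the profile's bits are set, no more and no fewer."""
    return decode_key_usage(der) == PROFILES[profile]

def encode_time(moment):
    """DER Time: UTCTime for dates up to 2049, GeneralizedTime from 2050."""
    if moment.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    moment = moment.astimezone(timezone.utc)
    if 1950 <= moment.year <= 2049:
        tag, text = 0x17, moment.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = 0x18, moment.strftime("%Y%m%d%H%M%SZ")
    return bytes([tag, len(text)]) + text.encode("ascii")

def validity(issued):
    """(NotBefore, NotAfter) with NotAfter 2 years after issuance."""
    try:
        expires = issued.replace(year=issued.year + 2)
    except ValueError:
        # Assumption: a 29 February issuance expires on 28 February.
        expires = issued.replace(year=issued.year + 2, day=28)
    return encode_time(issued), encode_time(expires)

if __name__ == "__main__":
    # Constructed issuance date chosen so the pair straddles the 2049/2050 rule.
    issued = datetime(2048, 6, 1, tzinfo=timezone.utc)
    for label, der in zip(("NotBefore", "NotAfter"), validity(issued)):
        print(label, der.hex())
    for name in PROFILES:
        print(name, encode_key_usage(PROFILES[name]).hex())
```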

5.3 Medicare Australia OCA CRL Profile

Field / Content / Mandatory / Critical*
1. X.509 v1 Field / N/A
1.1. Version / V2 / M
1.2. SignatureAlgorithm / sha1RSA / M
1.3. IssuerDistinguishedName / M
1.3.1. Country (C) / AU / M
1.3.2. Organization (O) / GOV / M
1.3.3. OrganisationalUnit (OU) / Medicare Australia
1.3.3. CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.4 Validity / M
1.4.1 EffectiveDate
1.4.2 NextUpdate
1.5 CRLNumber / M
2. X.509 v3 Extensions
2.1. AuthorityKeyIdentifier / M / Non-Critical
2.1.1. KeyIdentifier / SHA-1 hash (60 bits) of the Issuer’s public key
Frequency of issuing / 60 minutes
Grace Period / 60 minutes

5.4 Medicare Australia OCA OCSP Profile

Field / Content / Mandatory / Critical*
1. X.509 v1 Field / N/A
1.1. Version / V3 / M
1.2. SerialNumber / Unique value assigned by the Issuing CA / M
1.3. SignatureAlgorithm / SHA-1 with RSA Signature / M
1.4. IssuerDistinguishedName / M
1.4.1. Country (C) / AU / M
1.4.2. Organization (O) / GOV / M
1.4.3. OrganisationalUnit (OU) / Medicare Australia
1.4.4. CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.5. Validity / 5 years
1.5.1. NotBefore / Issue date / M
1.5.2. NotAfter / Expiry date / M
1.6. Subject
1.6.1. Country (C) / AU / M
1.6.2. Organization (O) / GOV / M
1.6.3. OrganizationalUnit (OU) / Medicare Australia
1.6.4. CommonName (CN) / Medicare Australia OCA OCSP Responder / M
1.7. SubjectPublicKeyInfo / Public Key encoded in accordance with RFC 2459 & PKCS#1 - 1024 bits / M
2. X.509 v3 Extensions
2.1. AuthorityKeyIdentifier / SHA-1 hash (60 bits) of the Issuer’s public key / M / Non-Critical
2.1.1. KeyIdentifier / The Key Identifier of the Issuer of this Certificate – 60 bit
2.1.2. AuthorityCertIssuer / Not present
2.1.3. AuthorityCertSerialNumber / Not present
2.2. SubjectKeyIdentifier / SHA-1 hash (60 bits) of the Subject's public key / M / Non-Critical
2.3. KeyUsage / M / Critical
2.3.1. DigitalSignature / SET
2.3.2. NonRepudiation / Not Selected
2.3.3. KeyEncipherment / Not Selected
2.3.4. DataEncipherment / Not Selected
2.3.5. KeyAgreement / Not Selected
2.3.6. KeyCertificateSignature / Not Selected
2.3.7. CRLSignature / Not Selected
2.4. ExtendedKeyUsage / Non-Critical
2.4.1. OCSPSigning / 1.3.6.1.5.5.7.3.9
2.5. CertificatePolicies
2.5.1. PolicyIdentifier / Not present
2.5.1.1. PolicyQualifierID / Not present
2.5.1.2. UserNotice / Not present
2.5.1.3. PolicyQualifierID / Not present
2.5.1.4. UserNotice / Not present
2.6. SubjectAlternateNames / Non-Critical
2.6.1. rfc822Name / NA
2.7. BasicConstraints
2.7.1. SubjectType / End Entity / N/A
2.7.2. PathLengthConstraint / Not present
2.8. AuthorityInformationAccess
2.8.1. AccessDescription / Not present
2.8.1.1. AccessMethod / Not present / Non-Critical
2.8.1.2. AlternativeName / Not present
3. NoCheck Extension (generic extension)