Short Form Certificate Policy
Registered Medicare Australia Provider Community of Interest (CoI) Certificate Policy (CP)
for Individual Certificates issued under the Medicare Australia Organisation Certification Authority (Medicare Australia OCA)
v1.5
November 2006
Copyright Notice:
This document contains information protected by copyright. © Commonwealth of Australia
This work is copyright. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation. Apart from any use as permitted under the Copyright Act 1968, all other rights are reserved. Requests and enquiries concerning reproduction and rights should be addressed to The Manager, Media, Marketing and Communications Branch, Medicare Australia National Office, PO Box 1001 Tuggeranong DC ACT 2901.
Contact
Medicare Australia
Locked Bag 6666
Tuggeranong DC ACT 2901
AUSTRALIA
This Document has been authorised by the Medicare Australia Policy Management Authority:
Date:
General Manager or nominee, Information Technology Services Division, Medicare Australia
Introduction
This is the Certificate Policy for individual certificates to be provided to Registered Medicare Australia Providers. The certificates will be provided on a Secure Token (known as the Health Professional Card) and provided to Registered Medicare Australia Providers.
The document is structured and numbered according to the Gatekeeper Short Form Certificate Policy Template.
This CP should be read in conjunction with the Medicare Australia Organisation Certification Authority Certification Practice Statement (Medicare Australia OCA CPS).
Terminology
Registered Medicare Australia Provider Certificate means a Certificate issued under this CP to a provider (however described) who is registered with Medicare Australia and has, at registration, been issued with a number or numbers by Medicare Australia.
Certificate Policy Clauses
CP Identification
Certificates issued under this CP shall bear the Policy OID:
1.2.36.174030967.1.5.1.1
(where “174030967” is the last 9 digits of Medicare Australia’s Australian Business Number).
1. INTRODUCTION
This is the Certificate Policy for individual certificates to be provided to Registered Medicare Australia Providers. The certificates will be provided on a Secure Token (known as the Health Professional Card) and provided to Registered Medicare Australia Providers.
The meaning of a Registered Medicare Australia Provider Individual Certificate (Provider Certificate) issued in this way is nothing more and nothing less than a statement expressed in a digital format of the fact that the certificate Subject (the Registered Medicare Australia Provider) has been issued with a Registered Medicare Australia Provider Number (however described).
The Relationship Organisation for this CP is Medicare Australia. The Relationship Organisation Unit (ROU) is the program area in Medicare Australia responsible for provider registration. The Relationship Organisation Unit Operators (ROUOs) are Medicare Australia personnel working in the ROU.
1.1 PKI Participants
1.1.1 Certification Authority
All Certificates issued under this CP shall be produced by the Medicare Australia Organisation Certification Authority (Medicare Australia OCA).
Refer to the Medicare Australia Organisation Certification Authority Practice Statement (Medicare Australia OCA CPS) for further information on applicable practices and procedures for Certificates issued under this CP.
1.1.2. Relationship Organisation
Medicare Australia is the Relationship Organisation (Medicare Australia RO) in the Health Sector PKI.
1.1.3. Relationship Organisation Unit
There are separately identified Relationship Organisation Units (ROUs) within the Medicare Australia RO, usually one ROU for each Community of Interest (CoI) in the Health Sector PKI operated by Medicare Australia.
The ROU has responsibilities in the CoI in managing the Subscribers in that CoI.
1.1.4 Certificate Controllers
Certificate Controllers are Medicare Australia RO personnel with responsibilities for management of Certificates.
All Certificate Controllers operating under this CP are duly authorised representatives of Medicare Australia.
1.1.5 Relationship Organisation Unit Operators
Relationship Organisation Unit Operators (ROUOs) are Medicare Australia personnel within the Registered Medicare Australia Provider CoI.
ROUOs within the Registered Medicare Australia Provider CoI are not Certificate Controllers. ROUOs operate in accordance with the processes and procedures set out in the Medicare Australia OCA CPS and this CP.
1.1.6. Subscribers
Each Subscriber under this CP is a healthcare professional who is currently registered with, and allocated provider number(s) by, Medicare Australia and is known to Medicare Australia as a Registered Medicare Australia Provider (Registered Medicare Australia Provider).
There is a Subscriber agreement under this CP, known as the Health Professional Card (Registered Medicare Australia Provider Individual Keys and Certificates) Terms and Conditions of Use.
The Subscriber is bound by these terms and conditions when the Subscriber conducts his or her first transaction with Medicare Australia using the Keys and Certificates on his or her Health Professional Card.
1.1.7. Relying Parties
Relying Parties under this CP are:
a) Medicare Australia, as receiver of transactions secured using the Individual keys and Certificates of the Registered Medicare Australia Provider;
b) Registered Medicare Australia Providers conducting transactions with other Registered Medicare Australia Providers or third parties, as authorised or approved by Medicare Australia.
There is no Relying Party Agreement under this CP.
Parties who rely on Certificates issued under this CP and who do not have a written agreement with Medicare Australia relating to transactions undertaken with Medicare Australia or who undertake transactions that are not authorised or approved by Medicare Australia, rely on such certificates at their own risk.
1.2 Certificate Use
1.2.1 Appropriate Certificate Use
Key Pairs and Certificates issued under this CP are to be used by Registered Medicare Australia Providers to secure transactions with Medicare Australia, other Registered Medicare Australia Providers and third parties for programs and services authorised or approved by Medicare Australia.
1.2.2 Prohibited Certificate Uses
There are no prohibited certificate uses. Parties using Individual Certificates for any transaction other than an authorised or approved transaction with Medicare Australia do so at their own risk.
1.3 Definitions and Acronyms
Definitions and Acronyms are in the Health Sector PKI Glossary at
2. IDENTIFICATION AND AUTHENTICATION OF USERS
2.1 Naming of Subscribers
Subscribers (termed ‘Certificate Subjects’ in the X.509 definition) under this CP shall be named (and the uniqueness of their names shall be assured) according to the Medicare Australia application and registration process for Registered Medicare Australia Providers.
2.2 Identification and authentication of the Subscriber at registration
Subscribers (Registered Medicare Australia Providers) under this CP will be identified and authenticated at the time of their application for registration as a Medicare Australia provider by Medicare Australia in accordance with trusted practices that may include, but not be limited to:
a) receipt of applications for Provider Numbers;
b) assessment of applications and associated documents;
c) processing in association with the Department of Health and Ageing (DoHA) (where required);
d) allocation of Provider Number(s) and registration on the Provider Directory System (PDS);
e) where required, be linked to speciality codes to allow access to Medicare benefits.
Note that allocation of a Provider Number does not give access to Medicare benefits: for example, restricted doctors have Provider Numbers but do not have access to Medicare benefits.
Where a Registered Medicare Australia Provider wishes to access Medicare Australia programs using his/her Certificate, Medicare Australia reserves the right to require that the Registered Medicare Australia Provider enters into terms and conditions for participation in that program.
Any such program terms and conditions are separate from the Health Professional Card (Registered Medicare Australia Provider Individual Keys and Certificates) Terms and Conditions of Use.
2.3 Identification and authentication of the Subscriber at renewal
Subscribers (Registered Medicare Australia Providers) under this CP shall be identified and authenticated and the Certificate renewed automatically provided that:
a) the healthcare professional is a Registered Medicare Australia Provider;
b) the Registered Medicare Australia Provider’s registration status with Medicare Australia has not changed.
Note: all certificate renewals under this CP involve re-keying.
2.4 Identification and authentication of revocation request
Revocation of certificates under this CP shall only be requested by:
a) ROUOs in the event that the Subscriber becomes ineligible to remain as a Registered Medicare Australia Provider; or
b) The Subscriber; or
c) Certificate Controllers.
3. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
3.1. Certificate creation
3.1.1. Enrolment process and responsibilities
Where a healthcare professional is a Registered Medicare Australia Provider, he/she may be enrolled automatically for Certificates by Certificate Controllers on the basis of registration as a Registered Medicare Australia Provider.
3.1.2. Publication of the certificate by the CA
Certificates issued under this CP will be published in the Healthcare Public Directory.
Revocation status of Certificates issued under this CP will be published in the Healthcare Public Directory.
3.2. Key Pair and Certificate Usage
3.2.1 Key pair generation and installation
The Subscriber Key Pairs and Certificates issued under this CP shall be generated by an approved process.
3.3. Certificate renewal
Certificates issued under this CP shall be renewed automatically provided the status of the Registered Medicare Australia Provider has not changed.
Refer to clause 2.3 for details of identification and authentication.
3.4. Certificate revocation
Certificates issued under this CP may be revoked by Medicare Australia in its absolute discretion, including but not limited to:
a) after loss, destruction or theft of the Card;
b) in the event of Registered Medicare Australia Provider’s de-registration (however described);
c) in the event the Registered Medicare Australia Provider’s Provider Number(s) are cancelled by Medicare Australia.
3.5 Certificate status services
3.5.1 Operational characteristics
Details of Operational Characteristics are not provided.
3.5.2 Service availability
Service availability for the Certificate Revocation List (CRL) is substantially 24 x 7 at
3.5.3 Optional features
Details of Operational Features are not provided.
4. REGISTRATION OPERATIONAL CONTROLS
4.1 Personnel controls
All Certificate Controllers under this CP shall be authorised representatives of Medicare Australia.
4.2 Logical and Technological controls
Certificate requests will be processed by the authorised Certificate Controllers of Medicare Australia in accordance with the security provisions of the Medicare Australia OCA CPS.
4.3 Physical controls
Certificate requests will be processed by Medicare Australia Certificate Controllers in accordance with the security provisions of the Medicare Australia OCA CPS.
4.4 Business continuity of the Relationship Organisation
As Medicare Australia (the Relationship Organisation under this CP) is a statutory agency under the Medicare Australia Act 1973, its continuation depends on continuance in force of the Medicare Australia Act 1973 or by other Acts of the Commonwealth Parliament made pursuant to government policy.
Changes in legislation or government policy will provide for business continuity of the RO in accordance with policy as determined by the government.
4.5 Relationship Organisation termination
As Medicare Australia is a statutory agency under the Medicare Australia Act 1973, its termination or change of entity status is through amendment to the Medicare Australia Act 1973 or by other Acts of the Commonwealth Parliament made pursuant to changes in government policy.
5. CERTIFICATE, CRL AND OCSP PROFILES
5.1 Certificate profile – Registered Medicare Australia Provider Encipherment Certificate
Field / Content / Mandatory / Critical*
1. X.509v1 Field / N/A
1.1. Version / V3 / M
1.2. SerialNumber / A positive integer that uniquely identifies the Certificate. / M
1.3. SignatureAlgorithm / SHA-1RSA, SHA-1 hashing algorithm using the RSA signing algorithm. / M
1.4. IssuerDistinguishedName / / M
1.4.1. Country (C) / AU / M
1.4.2. Organization (O) / GOV / M
1.4.3. OrganizationUnit (OU) / Medicare Australia / M
1.4.3 CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.5. Validity
1.5.1. NotBefore / The date that the Certificate is valid from (system time at certificate issuance). YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later. / M
1.5.2. NotAfter / The date that the Certificate is valid until. 2 years from StartValidity, i.e. certificate issuance. YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later / M
1.6. Subject
1.6.1. Country (C) / AU / M
1.6.2. State (St) / <STATE> / M
1.6.3. Organization (O) / <Health> / O
1.6.4. CommonName (CN) / <First Middle Last Name>:RANumber / M
1.7. SubjectPublicKeyInfo / RSA Public Key of 1024 bits. / M
2. X.509v3 Extensions
2.1. AuthorityKeyIdentifier / / M / Non-Critical
2.1.1. KeyIdentifier / SHA-1 hash (60 bits) of the Issuer's public key.
2.1.2. AuthorityCertIssuer / Not present
2.1.3. AuthorityCertSerialNumber / Not present
2.2. SubjectKeyIdentifier / SHA-1 hash (60 bits) of the Subject's public key. / M / Non-Critical
2.3. KeyUsage / / M / Critical
2.3.1. DigitalSignature / NOT SET
2.3.2. NonRepudiation / NOT SET
2.3.3. KeyEncipherment / SET
2.3.4. DataEncipherment / NOT SET
2.3.5. KeyAgreement / NOT SET
2.3.6. KeyCertificateSignature / Not Selected
2.3.7. CRLSignature / Not Selected
2.4. ExtendedKeyUsage / Not applicable / / Non-Critical
Non-Critical
2.5. CertificatePolicies
2.5.1. PolicyIdentifier / 1.2.36.174030967.1.5.1.1
2.5.1.1. PolicyQualifierID / UserNotice
2.5.1.2. UserNotice / Certificates issued under this CP must be relied on by entities within the Community of Interest, unless otherwise agreed, and not for purposes other than those permitted by this CP.
2.5.1.3. PolicyQualifierID / CPSURI
2.5.1.4. CPSURI /
2.6. SubjectAlternateNames / / / Non-Critical
2.6.1. rfc822Name / <email address> / O
2.7. BasicConstraints
2.7.1. SubjectType / Not CA / / Critical
2.7.2. PathLengthConstraint / Not present
2.8. AuthorityInformationAccess
2.8.1. AccessDescription / Not present
2.8.1.1. AccessMethod / On-line Certificate Status Protocol (1.3.6.1.5.5.7.4.1) / / Non-Critical
2.8.1.2. AlternativeName / URL=
australia.com.au/maoca.pkx
2.9 CRLDistributionPoint
2.9.1 URL /
australia.com.au/cgi-bin/getcrl_health.pl?DN=cn%3DMedicare%20Australia%20Organisation%20Certification%20Authority%2Co%3DMedicare%20Australia%2Cc%3DAU / / Non-Critical
3.0 OtherFields-Generic [1]
3.0.1 GenericIA5String: RANumber (OID=1.2.36.73665175.1.10009) / RANumber / M
3.0.2 GenericIA5String: ProviderStemNumber (OID=1.2.36.174030967.0.2) / ProviderStemNumber / O
3.0.3 GenericIA5String: PrescriberNumber (OID=1.2.36.174030967.0.3) / PrescriberNumber / O
3.0.4 GenericIA5String: HealthcareProviderIdentifier (OID=1.2.36.174030967.0.4) / HealthcareProviderIdentifier / O
3.0.5 GenericIA5String: MedicareIdentifier (OID=1.2.36.174030967.0.5) / MedicareIdentifier / O
[1] These Certificate extension OID references are expected to be common to all CoI Certificate Policies, and may have applicability to this CoI.
5.2 Certificate profile – Registered Medicare Australia Provider Signing Certificate
Field / Content / Mandatory / Critical*
1. X.509v1 Field / N/A
1.1. Version / V3 / M
1.2. SerialNumber / A positive integer that uniquely identifies the Certificate. / M
1.3. SignatureAlgorithm / SHA-1RSA, SHA-1 hashing algorithm using the RSA signing algorithm. / M
1.4. IssuerDistinguishedName / / M
1.4.1. Country (C) / AU / M
1.4.2. Organization (O) / Medicare Australia / M
1.4.3. OrganizationUnit (OU) / Medicare Australia / M
1.4.4 CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.5. Validity
1.5.1. NotBefore / The date that the Certificate is valid from (system time at certificate issuance). YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later. / M
1.5.2. NotAfter / The date that the Certificate is valid until. 2 years from StartValidity, i.e. certificate issuance. YYMMDDHHMMSSZ encoded as UTCTime for dates up to 2049 and encoded as GeneralizedTime for dates in 2050 or later / M
1.6. Subject
1.6.1. Country (C) / AU / M
1.6.2. State (St) / <STATE> / M
1.6.4. Organization (O) / <Health> / O
1.6.6. CommonName (CN) / <First Middle Last Name>:RANumber / M
1.7. SubjectPublicKeyInfo / RSA Public Key of 1024 bits. / M
2. X.509v3 Extensions
2.1. AuthorityKeyIdentifier / / M / Non-Critical
2.1.1. KeyIdentifier / SHA-1 hash (60 bits) of the Issuer's public key.
2.1.2. AuthorityCertIssuer / Not present
2.1.3. AuthorityCertSerialNumber / Not present
2.2. SubjectKeyIdentifier / SHA-1 hash (60 bits) of the Subject's public key. / M / Non-Critical
2.3. KeyUsage / / M / Critical
2.3.1. DigitalSignature / SET
2.3.2. NonRepudiation / SET
2.3.3. KeyEncipherment / NOT SET
2.3.4. DataEncipherment / NOT SET
2.3.5. KeyAgreement / NOT SET
2.3.6. KeyCertificateSignature / Not Selected
2.3.7. CRLSignature / Not Selected
2.4. ExtendedKeyUsage / Not applicable / / Non-Critical
Non-Critical
2.5. CertificatePolicies
2.5.1. PolicyIdentifier / 1.2.36.174030967.1.5.1.1
2.5.1.1. PolicyQualifierID / UserNotice
2.5.1.2. UserNotice / Certificates issued under this CP must be relied on by entities within the Community of Interest, unless otherwise agreed, and not for purposes other than those permitted by this CP.
2.5.1.3. PolicyQualifierID / CPSURI
2.5.1.4. CPSURI /
2.6. SubjectAlternateNames / / / Non-Critical
2.6.1. rfc822Name / <email address> / O
2.7. BasicConstraints
2.7.1. SubjectType / Not CA / / Critical
2.7.2. PathLengthConstraint / Not present
2.8. AuthorityInformationAccess
2.8.1. AccessDescription / Not present
2.8.1.1. AccessMethod / On-line Certificate Status Protocol (1.3.6.1.5.5.7.4.1) / / Non-Critical
2.8.1.2. AlternativeName / URL=
australia.com.au/maoca.pkx
2.9 CRLDistributionPoint
2.9.1 URL /
australia.com.au/cgi-bin/getcrl_health.pl?DN=cn%3DMedicare%20Australia%20Organisation%20Certification%20Authority%2Co%3DMedicare%20Australia%2Cc%3DAU / / Non-Critical
3.0 OtherFields-Generic [2]
3.0.1 GenericIA5String: RANumber (OID=1.2.36.73665175.1.10009) / RANumber / M
3.0.2 GenericIA5String: ProviderStemNumber (OID=1.2.36.174030967.0.2) / ProviderStemNumber / O
3.0.3 GenericIA5String: PrescriberNumber (OID=1.2.36.174030967.0.3) / PrescriberNumber / O
3.0.4 GenericIA5String: HealthcareProviderIdentifier (OID=1.2.36.174030967.0.4) / HealthcareProviderIdentifier / O
3.0.5 GenericIA5String: MedicareIdentifier (OID=1.2.36.174030967.0.5) / MedicareIdentifier / O
[2] These Certificate extension OID references are expected to be common to all CoI Certificate Policies, and may have applicability to this CoI.
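As an added example (not part of this policy or of any Medicare Australia software), the Python below decodes the DER KeyUsage BIT STRING of a certificate, reports which of the two profiles in 5.1 and 5.2 its SET bits match, and applies the UTCTime/GeneralizedTime rule stated for NotBefore and NotAfter. The bit positions follow RFC 5280; the function names, profile labels and sample byte strings are constructed for illustration.

```python
from datetime import datetime, timezone

# KeyUsage named bits per RFC 5280; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Bits marked SET in sections 5.1 and 5.2; every other bit must be clear.
PROFILES = {
    "5.1 encipherment": {"keyEncipherment"},
    "5.2 signing": {"digitalSignature", "nonRepudiation"},
}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING inside a KeyUsage extension into bit names."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING with content")
    unused, payload = der[2], der[3:]
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("invalid unused-bit count or non-zero padding")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(payload) and payload[byte] & (0x80 >> bit):
            names.add(name)
    return names


def match_profile(der: bytes):
    """Return the profile whose SET bits equal the certificate's, else None."""
    usage = decode_key_usage(der)
    for label, required in PROFILES.items():
        if usage == required:
            return label
    return None


def encode_validity_time(when: datetime):
    """NotBefore/NotAfter rule: UTCTime up to 2049, GeneralizedTime from 2050."""
    when = when.astimezone(timezone.utc)
    if when.year <= 2049:
        return "UTCTime", when.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", when.strftime("%Y%m%d%H%M%SZ")


# Constructed sample extension values (not taken from any issued certificate).
SAMPLES = {
    "keyEncipherment only": bytes.fromhex("03020520"),
    "digitalSignature + nonRepudiation": bytes.fromhex("030206c0"),
    "digitalSignature + keyEncipherment": bytes.fromhex("030205a0"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(f"{label}: {sorted(decode_key_usage(der))} -> {match_profile(der)}")
    print(encode_validity_time(datetime(2006, 11, 1, tzinfo=timezone.utc)))
    print(encode_validity_time(datetime(2050, 1, 1, tzinfo=timezone.utc)))
```

The third sample combines signing and encipherment bits in one certificate, so it matches neither profile: the CP issues separate key pairs for the two purposes.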
5.3 Medicare Australia OCA CRL Profile
Field / Content / Mandatory / Critical*
1. X.509v1 Field / N/A
1.1. Version / V2 / M
1.2. SignatureAlgorithm / sha1RSA / M
1.3. IssuerDistinguishedName / / M
1.3.1. Country (C) / AU / M
1.3.2. Organization (O) / GOV / M
1.3.3. OrganisationalUnit (OU) / Medicare Australia
1.3.3. CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.4 Validity / / M
1.4.1 EffectiveDate
1.4.2 NextUpdate
1.5 CRLNumber / / M
2. X.509v3 Extensions
2.1. AuthorityKeyIdentifier / / M / Non-Critical
2.1.1. KeyIdentifier / SHA-1 hash (60 bits) of the Issuer’s public key
Frequency of issuing / 60 minutes
Grace Period / 60 minutes
5.4 Medicare Australia OCA OCSP Profile
Field / Content / Mandatory / Critical*
1. X.509v1 Field / N/A
1.1. Version / V3 / M
1.2. SerialNumber / Unique value assigned by the Issuing CA / M
1.3. SignatureAlgorithm / SHA-1 with RSA Signature / M
1.4. IssuerDistinguishedName / / M
1.4.1. Country (C) / AU / M
1.4.2. Organization (O) / GOV / M
1.4.3. OrganisationalUnit (OU) / Medicare Australia
1.4.4. CommonName (CN) / Medicare Australia Organisation Certification Authority / M
1.5. Validity / 5 years
1.5.1. NotBefore / Issue date / M
1.5.2. NotAfter / Expiry date / M
1.6. Subject
1.6.1. Country (C) / AU / M
1.6.2. Organization (O) / GOV / M
1.6.3. OrganizationalUnit (OU) / Medicare Australia
1.6.4. CommonName (CN) / Medicare Australia OCA OCSP Responder / M
1.7. SubjectPublicKeyInfo / Public Key encoded in accordance with RFC 2459 & PKCS#1 - 1024 bits / M
2. X.509v3 Extensions
2.1. AuthorityKeyIdentifier / SHA-1 hash (60 bits) of the Issuer’s public key / M / Non-Critical
2.1.1. KeyIdentifier / The KeyIdentifier of the Issuer of this Certificate – 60 bit
2.1.2. AuthorityCertIssuer / Not present
2.1.3. AuthorityCertSerialNumber / Not present
2.2. SubjectKeyIdentifier / SHA-1 hash (60 bits) of the Subject's public key / M / Non-Critical
2.3. KeyUsage / / M / Critical
2.3.1. DigitalSignature / SET
2.3.2. NonRepudiation / Not Selected
2.3.3. KeyEncipherment / Not Selected
2.3.4. DataEncipherment / Not Selected
2.3.5. KeyAgreement / Not Selected
2.3.6. KeyCertificateSignature / Not Selected
2.3.7. CRLSignature / Not Selected
2.4. ExtendedKeyUsage / / / Non-Critical
2.4.1. OCSPSigning / 1.3.6.1.5.5.7.3.9
2.5. CertificatePolicies
2.5.1. PolicyIdentifier / Not present
2.5.1.1. PolicyQualifierID / Not present
2.5.1.2. UserNotice / Not present
2.5.1.3. PolicyQualifierID / Not present
2.5.1.4. UserNotice / Not present
2.6. SubjectAlternateNames / / / Non-Critical
2.6.1. rfc822Name / NA
2.7. BasicConstraints
2.7.1. SubjectType / End Entity / N/A
2.7.2. PathLengthConstraint / Not present
2.8. AuthorityInformationAccess
2.8.1. AccessDescription / Not present
2.8.1.1. AccessMethod / Not present / / Non-Critical
2.8.1.2. AlternativeName / Not present
3. NoCheck Extension (generic extension)