Participant Technical Reference Manual - IESO
Participant Technical Reference Manual - IESO
Participant Technical Reference Manual - IESO
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Participant</strong> <strong>Technical</strong> <strong>Reference</strong> <strong>Manual</strong><br />
2. <strong>Participant</strong> Workstation, Network & Security<br />
used at a market participant. The access to each user's directory must be limited to the<br />
user/owner of the certificate files stored within each directory and, where required, to<br />
authorized administrative personnel. The management of certificates is up to the market<br />
participant within the restrictions of the "Certificate Subscriber Agreement". This does<br />
not imply that lost or corrupt EPF and P12 files will result in critical loss of service<br />
since the <strong>IESO</strong> and its CA can securely enable recovery or re-creation of any<br />
Certificate Subscriber‟s certificates as per the procedures documented in the "Identity<br />
Management Operations Guide". However, there is a procedural time component for<br />
„recovery‟ or re-creation, which may result in longer loss of access time than<br />
anticipated for the user.<br />
116 Each current EPF file must be stored in one and only one location to prevent potential<br />
automatic update conflict problems when used within the MPI or Portal. Multiple<br />
copies of an EPF file spread over and actively used at several workstations will result<br />
in problems when automatic update is required and will result in de-activation of the<br />
certificates until recovery is requested and achieved.<br />
117 The certificate user (i.e. an individual person, computer application) must have<br />
read/write access to their certificate EPF and P12 files for access and create/update<br />
purposes, but no access to another user's certificate files. As discussed, this can be a<br />
local floppy drive, a secure network directory location or other form of secure<br />
read/write capable media etc. Read/write access to the files is required only by the<br />
market participant user (or in the case of certificates used for access to the market<br />
systems via the MIM API, the application/custodian) who 'owns' them. This read/write<br />
access does not provide outside parties, such as the <strong>IESO</strong> or the <strong>IESO</strong>'s Certification<br />
Authority, access to the market participant's certificates, servers or workstations<br />
through the MPI, Portal or API except those privileges granted by the user during login<br />
for downloading the applet etc. All communications between the market participant's<br />
systems accessing the <strong>IESO</strong> secure servers is encrypted within a SSL v3 session for<br />
each user.<br />
118 Only a small, limited amount of disk space is required for storage of digital certificate<br />
files. Each EPF file typically takes about 10 to 15KB initially upon creation, while the<br />
P12 file takes about 4KB in size. Over time, with each updating event, these files will<br />
grow as they will contain key and certificate update history. A reasonable storage space<br />
requirement for certificate files in any directory / media location is about 100 KB for a<br />
single user. Any change to this is easily manageable.<br />
119 MOSMIM and/or the Portal‟s identity management components will check for data<br />
integrity, authenticity, and authorization. When bids or offers are uploaded to<br />
MOSMIM or an application hosted in the Portal, the Individual or Application<br />
Subscriber digitally signs (via the Internet Explorer browser and MIM MPI Applet,<br />
TruePass applet or the MIM Programmatic API Application) and submits the bid/offer<br />
data and the associated unique digital signature of the data to the <strong>IESO</strong>. Upon receipt of<br />
the uploaded bid/offer data the MOSMIM Web Server or Portal Truepass component<br />
takes the data and re-computes the hash of the data. MOSMIM or the Portal hosted<br />
application then takes the received digital signature created automatically by user with<br />
their private signing key and the MPI Applet, TruePass applet or MIM API and<br />
recreates the hash of the data from the signature (a signature is just an encrypted one<br />
way hash) using the Individual or Application Subscriber‟s public verification key. If<br />
the two independently derived hashes agree, this ensures the data sent and received is<br />
identical and was not tampered with in transit. For the MPI and MIM API to ensure the<br />
signer is the authenticated user, the user is identified from the SSL (Secure Socket<br />
Issue 21.1 – March 15, 2010 - estimated Public 41