Form for questions and answers regarding: Procurement of EAC (Extended Access Control), case no. 200900396. Answers to questions received up to week 1 of 2010.
Columns: No. / Document / Reference / Question / Answer

No. 1 (Bilag 1 Kundens)
Question: Is the procurement a pure procurement of software and equipment that is to be physically co-located in existing infrastructure, or is it relevant to offer PKI/EAC as an operated service in the supplier's secure premises?
Answer: It is a pure procurement of software and equipment that is to be physically co-located in existing infrastructure. It will be established on PDMT's premises and operated by PDMT's staff.

No. 2 (Bilag 1 Kundens)
Question: Does the Police have an existing PKI supplier, and if so, who is it?
Answer: No, there is no agreement with an existing supplier, but PKI solutions do exist today.
No. 3 (Administrative bestemmelser)
Question: I have been over the documents provided to us in regards to the EAC solution for the Norwegian police and I can't find a date for when you need to know if we will present a proposal to cover the RFP 200900396. I would appreciate if you can confirm that this request to participate is adequate for us to propose a solution and to present any questions before January 8th 2010.
(Summary in Norwegian, translated: When must one register interest in bidding? Is this inquiry sufficient to be able to submit a bid and ask questions by 8 January 2010?)
Answer: There is no need to notify PDMT in advance of whether or not the company decides to present a bid/proposal in this tender. There is no prequalification of bidders. PDMT will base the evaluation on the received bids/proposals that are in by the end of the deadline (18th of January 2010 at 12 pm local time). All required documents must be a part of the bid/proposal, as there is no room for negotiations. The deadline for presenting questions regarding this bid is the 8th of January 2010. Everyone can present questions, and all questions sent in by the deadline will be answered. Questions and answers will be presented as additional information on www.doffin.no. (The same answer was also given in Norwegian.)
No. 4 (Bilag 1 Kundens, Krav 11)
Question: In point 11, it states that the minimum key length should be 4096 in accordance with the EAC specification. It should be noted that the EAC specification has a minimum length of 2048 and not 4096; therefore, do you still require a minimum key length of 4096?
Answer: The requirement extends the EAC specification: it is required to support RSA 4096 with the sha1WithRSA signature algorithm in order to support the existing PKI infrastructure.

No. 5 (Bilag 1 Kundens, Krav 17)
Question: In point 17, we are unsure what you mean by hardware for backup of the EAC solution; does this mean the physical backup hardware system, or is this just the spare HSM?
Answer: The supplier shall deliver a solution to back up and restore the keys on the HSM; this can include a spare HSM. All hardware that is not directly related to the HSM is provided by PDMT. If there are specific hardware requirements for backup and restore, these must be documented.

No. 6 (Bilag 1 Kundens, Krav 21)
Question: In point 21, can the documentation mentioned be in English?
Answer: Yes, the documentation can be delivered in English.

No. 7 (Bilag 1 Kundens, Krav 49)
Question: In point 49, we are unsure whether there should be any functionality in the solution offered over and above the signing of requests and the distribution of certificates. Also, is the functionality to support the inspection systems at the local sites, or centrally in front of the CA?
Answer: The purpose of the solution is to distribute inspection system (IS) certificates used to read biometrics from passports. This includes support for renewal of IS certificates with the DVCA of our own or other countries. The renewal should be automatic, with authorization by signing the new request with the old certificate after an initial manual verification of the IS (or similar verification of the new request). The IS will operate on local sites, and bidders are free to suggest centralized or distributed solutions that provide secure distribution and renewal of certificates.
No. 8 (Bilag 1 Kundens)
Question: Are we to deliver a "complete" solution with: Microsoft licenses; Oracle licenses; hardware including basic servers?
Answer: All needed licenses for the provided solution shall be included, except for the operating system. Regarding hardware, see requirements 9 and 17 and the earlier clarification for requirement 17 (backup to another HSM module).

No. 9 (Bilag 1 Kundens)
Question: Does the scope of the supply include the Inspection Systems that generate the certification request to the Document Verifier Certificate Authority to produce the IS certificate?
Answer: Yes, the scope of the supply includes software to generate certification requests and provide the certificate for IS readers.

No. 10 (Bilag 1 Kundens)
Question: Does the scope of supply include the provision of EAC-enabled RFID readers that can perform biometric verification?
Answer: No, there will be a procurement for inspection system readers within 2010.
No. 11 (Bilag 1 Kundens)
Question: Does the scope of supply include the provision of Inspection System keys together with X509.3 certificates for Passive Authentication and CVC chains to EAC-enabled RFID readers? If so, at what geographic locations (e.g. airports, seaports, land) and in what environments (secure premises, public locations, remote countryside) is fingerprint verification of the eMRTD holder to take place? Is there a requirement to perform fingerprint verification of an eMRTD holder where the reliability of the communications infrastructure cannot be guaranteed?
Answer: Yes. Geographic locations are all border controls in Norway for non-Schengen access: airports, seaports and land. These can be public locations that are controlled, for example an e-gate for automatic border control. The communications infrastructure cannot be guaranteed to be reliable.

No. 12 (Bilag 1 Kundens)
Question: If applicable, will this EAC capability be performed on RFID devices solely for biometric verification of the eMRTD holder, or is there a requirement for additional fingerprint identification? Will there be other applications running on these devices that the police officers will use?
Answer: The verification will only be for the purpose of determining the identity of the eMRTD holder.
No. 13 (Bilag 1 Kundens)
Question: Does the scope of supply include the distribution and collection of Document Signer Certificates and Certificate Revocation Lists from the ICAO Global Public Key Directory?
Answer: Yes, the solution will have to handle the flow of certificate requests and certificates from ICAO's PKD.

No. 14 (Bilag 1 Kundens)
Question: Are the technology components to be used within a dedicated and separate secure infrastructure, or are there elements, e.g. network, directories, Windows servers etc., that must be reused and integrated into the solution?
Answer: The EAC infrastructure will be a dedicated, separate and secure system. When IS renewal is online, the current police network will be used for distributing IS certificates. Network communication to the IS system will then be through the CVCA/DVCA DMZ.

No. 15 (Bilag 1 Kundens)
Question: Please confirm that you do not require us to provide the Inspection System.
Answer: The Inspection Systems will be provided by PDMT in a different procurement.

No. 16 (Bilag 1 Kundens, Krav 12)
Question: Please explain this requirement, since we assume that it is not intended to import or export plain-text private keys. If you do intend to do this, please can you explain why this is necessary.
Answer: The purpose of this requirement is to back up and restore the keys if the option for a redundant solution is not selected. There is also a need to import existing CSCA keys, depending on the brand of HSM cards.

No. 17 (Bilag 1 Kundens, Krav 15)
Question: Please can you explain the planned use of the requested smart cards, since we do not normally provide smart cards as part of the EAC PKI solution.
Answer: The purpose of the smart cards is to store private keys for decryption in application servers using PKCS#11 (requirement 16).
No. 18 (Bilag 1 Kundens, Krav 17)
Question: Is the hardware referenced just HSM and smart card hardware, or are you requiring other components such as servers, firewalls, intrusion detection systems, network components, etc.?
Answer: PDMT will provide hardware such as servers, firewalls etc.

No. 19 (Bilag 1 Kundens, Krav 43)
Question: We interpret this to mean that you require the supplier to provide and implement a tool for monitoring the EAC PKI system. Do you have tools that you use for monitoring other Windows-based systems that might be adapted to monitor the EAC PKI system? If so, which tool(s) do you use?
Answer: The EAC PKI solution will be in a separate environment with no connection to other monitoring solutions. The monitoring is a solution to trace events (system down, system up, key management, user activities, monitoring activities and so on) and to provide a mechanism to show logs and events.

No. 20 (Administrative bestemmelser)
Question: I have the following documents that we need to submit: the RFP, Bilag 1, Bilag 2, Bilag 4, Bilag 5, Bilag 7, Bilag 9, Bilag 10, Bilag 11. Are we missing 3 and 6, or are they not part of the process?
Answer: Bilag 3 and 6 are not a part of the process. As many of the documents are not to be filled out by the bidder, the only required documents for submission of the tender are: Bilag 1, Bilag 2, Bilag 11, Bilag 7. For more information see point 6.1.1 in Konkurransegrunnlagets administrative bestemmelser (the administrative provisions of the tender documents).