minu…  · Web viewThe WebTrust sets the standards for security and audit compliance of all...



RECORD OF MINUTES OF PRE-BID MEETING

Procurement Reference Number
Code of Procuring and Disposing Entity: NITA-U/RCIP
Supplies/Works/Non-consultancy services: NCONS
Financial year: 16-17
Sequence number: 00010

Particulars of Procurement

Subject of procurement: SUPPLY, CONFIGURATION, CUSTOMIZATION, OPERATION AND MAINTENANCE OF DIGITAL AUTHENTICATION AND ELECTRONIC SIGNATURES SOLUTION FOR THE GOVERNMENT OF UGANDA

Location of Pre-bid Meeting: NITA-U, Level III Board Room

Date and time of Meeting: 15th August, 2019 at 11:00am

1


Record of Pre-bid Meeting Minutes

Agenda
1. Self-introduction of both the Bidders present and NITA-U team
2. Remarks from the Chair
3. Background to the procurement
4. Question & Answer session

Minute 1: Introduction; Self-introductions were done by all bidders and NITA-U team present

Minute 2: Remarks from the Chair; The Chairperson welcomed the members and thanked them for their time to participate in this Procurement.

Minute 3: Background to the Procurement: The Chairperson informed the meeting that the procurement is for the Supply, Configuration, Customization, Operation and Maintenance of Digital Authentication and Electronic Signatures (DAES) Solution for the Government of Uganda.

The DAES solution will be a digital authentication solution that allows citizens to utilize their existing smart phones to register for a securely verified Digital Authentication and Electronic Signatures account and later use it to authenticate themselves online for seamless and secure access to a variety of e-services. Citizens will also be able to use advanced electronic signatures to securely sign their documents electronically.

The envisioned mobile application for citizens will not need special-purpose hardware (such as smart-card readers or Trusted Platform Module chips) or special-purpose SIM-cards. The Digital Authentication & Electronic Signatures SIM-less subscriber mobile app is envisioned to work with regular smart phones that citizens already have and will not require any extraordinary permissions.

The DAES solution is envisioned to be built by leveraging Public Key Infrastructure with the aim of providing the following features:
(i) High level of security
(ii) High level of identity assurance
(iii) Non-repudiation of user operations
(iv) Strong online authentication service

Bidders were now allowed to submit any further questions and again requested to have the same questions formally submitted by 23rd August, 2019 to email: [email protected].


Minute 4: Q&A Session

SN | Questions Asked | Responses to be shared

1. Page 4 point # 3

Digital Authentication and Advanced Electronic Signature (DAES) Solution platform (GoU will provide Infrastructure as a service for that). This component shall eventually be owned by the GoU and set up in the GoU’s datacentre.
i. Authentication services
ii. Qualified Signatures

Qn: Please confirm if GoU will provide infrastructure for CA Setup

No. GoU shall not provide infrastructure for Certificate Authority (CA) setup. The bidder is expected to already own and operate a CA infrastructure on their premises and offer this as a service to the Government of Uganda.

On the other hand, the Government of Uganda will provide Infrastructure as a service (in the Government cloud) for the Digital Authentication and Advanced Electronic Signature (DAES) Solution platform and the Signing Portal.

2. Qn a) Requesting to provide more information on the requirement of authentication services & Qualified signatures. Need additional information so as to propose relevant solution. Please elaborate if Signatures will be for individual or Bulk.

b) Also need confirmation if signatures will be stored centrally in HSM or by an individual in approved media. Requesting for additional use case for references.

a) Please refer to Pages 167-168, section VI part (B) item 2.5 - Use of Digital Authentication and Electronic Signatures for authentication and advanced digital signature, for more information on the requirement of authentication services and Qualified signatures. Signatures will be for individual persons and eSeals for entities.

b) Certificates will be stored centrally in a Hardware Security Module (HSM). Please refer to page 176 section VI part (B) DAES014 for details.


3. The DAES solution shall also integrate with electronic services, as well as with the Government of Uganda Systems Integration Platform and Government of Uganda Identification Registers

Qn: Requesting additional information on Electronic Service platforms used by GoU. This information is required for understanding integration nature and complexities.

APIs will be provided for the electronic services by the Government of Uganda for integration

Additional Information on the targeted systems’ platforms is provided. Please see addendum 1. S/N 8.

4. The bidder must demonstrate experience in successfully implementing at least two (2) contracts of similar nature and complexity, demonstrating the capability of the proposed technology solution and be ready to share client references and present a demo version or provide remote access.

Qn: Requesting for acceptance of Foreign Reference. Reference letters and Demo access can be made available on request

The bidder is at liberty to share any form of client reference, local or foreign. The bidder must be ready to share client reference letters and present a demo version or provide remote access.

5. Refer to BID DATA SHEET A. GENERAL 39

PKI as a Service, which will include the following:
i. Qualified Certificate Authority Services including generation of advanced digital certificates and creation of advanced electronic signatures for both natural and legal persons in conformity with the Electronic Signatures Act (2011) and Electronic Signatures Regulations (2013) of Uganda
ii. Provision of verification services for the advanced digital certificates generated
iii. Online Certificate Status Protocol (OCSP) Service
iv. Directory Services
v. Digital Certificates for Electronic machine-readable travel documents (eMRTDs)
vi. Trusted Time Stamping Services

Qn: Solution supports all the OIDs / certificate profiles as per X.509 standards. Please specify if advanced digital certificates differ from the ones specified in the standards; if yes, elaborate.

The advanced digital certificates shall be as specified in the X.509 standards. Please refer to section VI part (B) item 2.6 – Reference Standards for the DAES solution. Page 169.

The bidder is nevertheless advised to read the Electronic Signatures Act (2011) and Electronic Signatures Regulations (2013) of Uganda and conform to the requirements therein during the implementation of the DAES solution, as shown on the NITA-U website https://www.nita.go.ug/laws

6. Refer BID DATA SHEET E. BID OPENING AND EVALUATION 2.2. Digital Authentication and Advanced Electronic Signature (DAES) solution
a) General DAES Requirements
b) Authentication Services
c) Qualified Signatures

Qn: Requesting additional information on General DAES requirement. This information is required to enable us to propose a relevant solution.

Please refer to the Technical requirements section VI Table 3, DAES001 – DAES005, page 175 of the bid document for more details on the general DAES requirement.

7. INTELLECTUAL PROPERTY 15. Copyright (GCC Clause 15) GCC 15.5 (143)
No software escrow contract is required for the execution of the Contract, but a copy of software and designs should be provided to the purchaser to own, modify, extend, duplicate for back-up purposes and prepare derivative software or materials for use by the Purchaser, subordinate organizational units and legal successors in the normal course of the Purchaser activities.

Qn: Installer sets and application architecture will be provided for backup. Source code and critical programming information is protected by IP rights, which cannot be replicated due to stringent licensing policy.

Bidders are advised that they will not be expected to hand over source code but will need to provide the code that was customized for the DAES solution to the purchaser to own for purposes of configuration, modification, extension and duplication for back-up purposes.

8. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist Pg 175 DAES001
The certificate issuer shall have a Certified Information Security Management System (ISMS) as defined in ISO/IEC 27001:2013. The management system shall, as a minimum, encompass the part of the organization and procedures that relate to the management of the CA services. The bidder should submit a certified ISMS by an internationally accredited Management Systems Certification Body

Qn: Requesting for relaxation; Application meets all criteria defined for ISMS.

The clause is retained without modification. The bidder is expected to have the ISO/IEC 27001:2013 certification for their current business processes related to CA services. This is a critical component for the assurance of the security posture of the bidder.

9. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist Pg. 176 DAES010
The bidder’s solution must be able to support integration with a wide variety of CAs and other back office systems

Qn: Requesting for additional information on scope. This information will be helpful in defining workflow.

Please refer to Page 159, Section VI part (B). Fig. 1: High-level architecture of the DAES solution. Also addendum 1. S/N. 8 provides more details on the systems that require integration.

10. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist DAES032
Restrictions to access: The Bidder shall ensure verified restricted access to the OCSP service

Qn: OCSP service hosted for relying parties to check certificate status, please provide more information on use cases for usage restriction.

Relying Parties will have access to certificate revocation information made available via Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs). These will be publicly available via HTTP and HTTPS protocols.


11. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist DAES033:
Extra access points: In certain contexts, it will be inappropriate to use an OCSP service on the Internet. The certificate issuer shall therefore be able to facilitate alternative OCSP services.

Qn: Please elaborate if 2 OCSP services are required for (Internal & external) users and application.

In certain contexts, where it will be inappropriate to use an OCSP service on the Internet, the certificate issuer shall be able to facilitate alternative OCSP services via extra access points. The bidder is therefore required to provide a clear and detailed proposal on how to meet this requirement.

12. Requesting additional volume details for:
i) TPS required
ii) Per day OCSP requests that the solution has to adhere to
iii) How many certificates expected to be issued per day
iv) Total number of certificates expected to be issued
v) Number of years of archival
vi) Time stamping: per day number of requests expected
vii) Number of documents each user will be signing per day
viii) Number of documents each user will be signing per day
This information is required for sizing of the application and server

Please refer to Section VI, Table 3, DAES059 – DAES065. Page 183.
Certificates shall be stored for a minimum of 5 years.
The DAES solution should be able to process a minimum of 2 million users.
The DAES solution should be able to handle at least 200 transactions per minute.
Authentication and signing shall not take more than 3 seconds.
The signing portal should be able to handle at least 5,000 concurrent active users. Please refer to Section VI, Table 3, DAES165 and DAES166. Page 196.

13. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist DAES054: Accuracy of time-stamps
Time-stamps shall have an accuracy of 1 second or more as provided for in ETSI TS 102 023

The bidder is advised that there is no question to this clause, therefore this clause is retained.


14. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist DAES061: The solution should be able to process minimum two million users

The bidder is advised that there is no question to this clause, therefore this clause is retained.

15. TABLE 3 – General Functional/Technical Requirements Responsiveness checklist DAES061: At least 5000 concurrent active users with maximum response time

The bidder is advised that there is no question to this clause, therefore this clause is retained.

16. ITB 28.5 Ability to provide PKI as a service by leveraging their own existing infrastructure. Clarification:

Qn: Kindly clarify if the PKI Infrastructure can be hosted outside of Uganda?

The PKI Infrastructure may be hosted in or outside Uganda.

17. With reference to Figure 1 – High level architecture of the DAES solution – Page 159. Clarification

Qn: Kindly clarify if the “Supplier Data Center” can be located outside of Uganda or should this be within Uganda

The Supplier Data Center belongs to the bidder and may be located within or outside Uganda. It should be noted that the DAES solution platform, Registration Authority and the Signing Portal shall be hosted in the Government of Uganda Data Center.

18. SIM-less Subscriber Mobile Application – Page 160. Clarification
Qn: Should this mobile application be made available on Google Play Store and Apple AppStore?

Qn: Also confirm which OS this should be available on – Android, iOS etc.?

Yes, this mobile application should be made available on Google Play Store and Apple AppStore. Please refer to section VI part (B) item 2.4, page 161 for details.

The bidder is advised to refer to Section VI, Table 3: DAES106, which clearly states “Ability to work with supported Android and iOS smart phone operating systems”.


19. Section 2.4 Subscriber Registration – Page 161. Clarification
Qn: Confirm that the training on the usage of the mobile application and/or public awareness on the usage will not be the responsibility of the Bidder

The training on the end user usage of the mobile application and/ or public awareness on the usage will be the responsibility of the Government of Uganda.

20. Detailed Description of Method of Onboarding – Page 162. Clarification

Qn: Please provide the standard security features of the National ID, Driving License, machine-readable passport, e-Passport for us to consider, while planning for the mobile app development

Please make reference to the ICAO Doc 9303 Machine Readable Travel Documents. More details will be provided during the planning of the mobile app development.

21. Integration with the National ID, Driving License and Passport Databases. Clarification

Qn: Will the Government undertake this portion or is to be done by the Bidder; if by the Bidder, please provide information about these current systems

The Government of Uganda shall provide the APIs for integration with the National ID and Passport Databases. Therefore, the bidder will undertake this portion of integration supported by the Government of Uganda. Please refer to addendum 1. S/N.8 of the bid document.

22. SMS Messages. Clarification
This system requires multiple messages to be sent to a subscriber mobile device at various stages;

Qn: confirm if the cost of sending these messages will be borne by the Government OR is it to be borne by the Bidder

The cost of sending messages shall be met by the Government of Uganda.


23. The bidder shall be expected to obtain and pay for the License fee as per the Electronic Signatures Regulations, Statutory Instrument No. 43 of 2013. NITA-U is a licensing authority in this case. Page 172. Clarification
Qn a) Please provide the details and the costs of securing such a license;
Qn b) What is the timeframe?
Qn c) Will the Government help the Bidder secure such a license?
Qn d) Will the Bidder be required to be registered locally within Uganda to apply for and secure such a license?

Please refer to the said Instrument.

a) Please refer to the Electronic Signatures Regulations, Statutory Instrument No. 43 of 2013 for the process and costs. https://www.nita.go.ug/laws

b) The successful bidder shall not commence the contract unless they have obtained a license

c) The bidder does not have to be registered locally within Uganda. They will obtain the license as a foreign supplier

24. DAES043 The Bidder’s QCA service should be able to generate and securely provide digital certificates for electronic machine-readable travel documents for the following services. Page 181

Clarification: We understand that the Govt. of Uganda, a few months ago, commissioned and started the issuance of electronic Passports. Presuming that this system has gone live and ePassports are currently being generated,
Qn a) Kindly explain if the Bidder needs to replace the ePassports CA system?
b) If not, how is this scenario being envisaged?

Bidders are advised to restrict their responses to the requirements of the bid document on digital certificates for electronic machine readable travel documents listed in Section VI, Table 3: DAES 042.

25. Refer Pg 42. The bidder must demonstrate experience in successfully implementing at least one (1) contract of similar nature and complexity within the last five (5) years, demonstrating the proposed technology and be ready to present a demo version or provide remote access

NSDL e-Gov as a Certifying Authority (CA) provides e Sign as a service to more than 100 entities in India from various sectors like Banks, Brokers, Insurance companies etc. The service includes integration with the respective entity and providing technical guidance as well as APIs for integration. The e Sign solution through which we provide these services is developed, maintained and hosted by our In-house technical team. Although we have the complete solution as required in EOI, we provide it as a service to various entities from whom we can also get references…

Qn: request you to confirm that this will satisfy the criterion…

The bidder is advised to provide documented experience as stated in section II, ITB 6.1 (a). Page 42.

26. The bidder shall have been in operation for at least five (5) years with an important part of its business being the provision of Public Key Infrastructure service
Qn: We would like to mention that we have been in operation for the last 25 years; however, we started providing Public Key Infrastructure services (i.e. e Sign) from 2016. We hope this is sufficient for making us eligible for bidding.

The bidder is advised to provide documented experience as stated in section II, ITB 6.1 (a). Page 42.

27. The DAES solution shall be implemented to accommodate initial 500,000 users and be easily scalable to address future needs

Qn: These 500,000 users will be registered over how much duration in number of hours ? This is required to size the system accordingly.

The bidder is advised that the DAES solution shall be implemented to accommodate initial 500,000 users and be easily scalable to address future needs. The initial 500,000 users shall be registered over 12 months.

28. The bidder shall provide a scalable and cost effective solution because the intention is to roll out the DAES solution to the whole of Government and private sector after the initial 500,000 users at deployment. Therefore, the bidder shall provide a cost tier table indicating how much it will cost per user in the future as per table below:
Qn a) These 1000 - 50,000 / 50,001 - 250,000 / ... users will be registered over how much duration in number of hours?
b) This is required to size the system accordingly and arrive at License fees

The bidder is advised to refer to section VI, part (B) item 2.7, Page 171 for details. The system should initially be sized to accommodate 500,000 users.


29. Please clarify whether Training Infrastructure will be provided to the bidder or the bidder has to cost the same?

Training Infrastructure will not be provided to the bidder. Please refer to page 172, section VI part (B) item 2.4 on Training for details.

30. What is the number of training sessions to be done?

The bidder is advised to refer to page 172, section VI part (B) item 2.4 on Training for details.

31. What is the training duration for each training session?

The bidder is advised to refer to page 172, section VI part (B) item 2.4 on Training for details.

32. How many trainees need to be trained in each training session?

The bidder is advised to refer to page 172, section VI part (B) item 2.4 on Training for details.

33. How many locations need to be covered for training?

The bidder is advised to refer to page 172, section VI part (B) item 2.4 on Training for details.

Also, please refer to Section 1, ITB 16.2 (c), part (h) where the bidder is required to provide a Training Plan. The training plan must include both the Bidder’s classroom training proposal and the Bidder’s on-the-job training and technology transfer proposal.

34. Is it ok to provide support and maintenance in an onsite-offsite model?

The bidder shall provide local support during implementation and post implementation till the end of the contract so as to provide timely post implementation response. Please refer to page 42, section II, ITB 6.1(a) part (f).

35. How many onsite support personnel are required?

The bidder is advised to refer to page 49, section II, ITB 16.2 (c) part (m) that requires the bidder to provide a support plan.


36. a) Is there a requirement for setting up a helpdesk?

b) If yes, then would the requisite infrastructure of telephone line/email/sitting space/desktop be provided to bidders?

The Government of Uganda has a helpdesk that shall be used for first level support for end users. The bidder shall be expected to be an escalation point.

37. Is the bidder only required to supply application software, or does it also have to provide the requisite system software and compute/network/storage?

As per page 39 - 40, section II ITB 1.1, the Government of Uganda shall provide Infrastructure as a service (compute/network/storage) for the DAES solution platform, backend RA system and Signing Portal. Therefore, the bidder shall provide the system and application software.

38. a) Where will the application software be deployed? b) What is the available infrastructure that needs to be considered while providing the solution?

a) As per page 39 – 40, section II ITB 1.1, the Government of Uganda shall provide Infrastructure as a service (compute/network/storage) for the DAES solution platform, backend RA system and Signing Portal.

b) The bidder is advised that the DAES solution platform, backend RA system and Signing Portal should be able to operate in a virtualized environment.

39. Where would the Data Center and Disaster Recovery Site for deploying the application software be?

The Data Center and Disaster Recovery Site shall be the Government of Uganda Primary and Disaster Recovery Sites.

40. Pg. 161 Section VI – Sub Section 2.4. Supports remote ID proofing from both electronic and non-electronic ID documents

Qn. Does any specific methodology need to be followed by the bidder for doing remote ID proofing? If so, please provide more details.

The bidder is advised to refer to pages 161 -167, section VI part (B) item 2.4 on Subscriber Registration.

41. Pg. 161 Section VI – Sub Section 2.4. Employs the latest biometric authentication features to deliver frictionless, optimized user experience.

Qn. Does this refer to Mobile phone’s biometric based authentication?

Yes, this refers to the smartphone features. Please refer to section VI part (B) item 2.4 on Subscriber Registration for details.


42. Pg. 162 Section VI – Sub Section 2.4. The user is prompted to use their smart phone camera to scan their Government issued ID Document and extract data. During this process, the mobile app validates the selected Government ID Document against the standard security features of government issued ID Documents to verify its genuineness.

Qn. What is the mechanism expected by NITA to validate the genuineness of the National ID? Also, instead of taking a selfie, can a video recording of a few seconds, in which the user is required to answer two or three questions based on the registration details provided, be considered?

Please refer to page 162 section VI part (B) item 2.4 (4) for details on the mechanism to validate the genuineness of the National ID. The user must take a selfie. Please refer to section VI part (B) item 2.4 on Subscriber Registration for details.

43. Pg. 162. DAES007. User private keys shall be split and independently secured with their respective PIN codes (This is an important point that requires more details from GoU)

Qn. (This is the main point that requires more details from GoU) Please confirm whether this means that, in the case of the digital signing use case, an authentication key pair is generated on the Mobile app and then a signing key pair is generated on the HSM for the user. During signing, the DAES application sends an authorization request to the Mobile application. After verification of the verification code displayed on the Service Provider screen as well as on the mobile, the user will be prompted for the PIN for signing; upon providing the correct PIN, the mobile application signs the authorization request with the authentication key and sends it to the DAES server; the server then verifies the signed request and, based on successful verification, the hash of the document gets digitally signed using the signing private key stored on the HSM created for that user. If our understanding is not correct, request you to provide more details on splitting the private keys.

Please refer to Addendum 1. S/N. 9.

This principle stems from the need for private key security. Essentially, the requirements are for a SIM-less application on the mobile phone, which means the solution design cannot rely on SIM card based encryption or any portable hardware encryption device on the side of the user for this service. This principle therefore addresses the need for private key security in the absence of hardware based device encryption for the user. The private key is a critical component in ensuring users can safely verify all transactions they make when using this service; therefore its protection is of utmost importance in achieving security and trust in the solution. The Bidders are required to demonstrate with a clear description how best their solution meets the principle of protecting the private key, given that the mobile application is the medium through which a user authenticates or transacts using this service. The goal is ‘private key protection’.


44. Pg. 176. DAES002. All sensitive data for all the solution’s electronic communications shall be End-2-End encrypted.

Qn. Will SSL encryption suffice for this requirement, or do we need to provide encryption/decryption modules at the end-points enabling encryption in transit? Please confirm.

The bidder is advised to provide a clear and detailed proposal on how to meet this requirement.

45. Pg. 177. DAES004. The bidder’s solution must support Qualified Electronic Signatures, Qualified Electronic Seals and Qualified Time Stamp services that are eIDAS Compliant. The bidder must provide proof of compliance (which must not be more than two years old) issued by an accredited Conformity Assessment Body (CAB)

Qn. Please confirm whether adherence of the solution to eIDAS will also suffice.

The bidder is advised to provide a clear and detailed proposal on how to meet this requirement.

46. Pg. 176. DAES005. The Bidder should support a scheme for application developers/innovators using an application programme interface to integrate PKI functionality.

Qn. Does this mean that the Bidder has to provide Open APIs that can be used by application developers to interface with PKI functionality?

Yes, this means that the bidder should provide open APIs to be used by developers.

47. Pg. 176. DAES007. User private keys shall be split and independently secured with their respective PIN codes
Qn. 1. Request you to provide more details on the splitting of the key. It is found that there is a remote probability that if the first half of the key is compromised then it is possible to rebuild the other half of the key.
2. Please confirm whether the bidder is allowed to suggest an alternate model.

Please refer to response under item no.43

48. Pg. 176. DAES010. The bidder’s solution must be able to support integration with a wide variety of CAs and other back office systems.

Qn. When the bidder is going to setup CA Services on the cloud or GoU DC, then why is it required to integrate with other CAs. Please clarify.

CA services will be provided by the bidder as a service to the Government of Uganda. Therefore, this service will be required to integrate with the backend office systems concerned with the DAES solution in the Government of Uganda Data Center and other Government subordinate CAs.

49. Pg. 176. DAES011. The CA solution must be able to support the following cryptographic algorithms: i. Minimum RSA 3072 bits; ii. ECC: NIST P-256, P-384, P-521.

Qn. Please confirm for initial go-live, GoU will use RSA or ECC?

The CA solution must be able to support both of the following cryptographic algorithms: i. Minimum RSA 3072 bits; ii. ECC: NIST P-256, P-384, P-521.

The particular cryptographic algorithms for go-live shall be decided upon by the Government of Uganda with the successful bidder during the design stage.
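The DAES011 algorithm floor, as an added key-policy check that is not part of the minutes or of any bidder's solution: it accepts an RSA or EC public key, or a DER certificate, only when the RSA modulus is at least 3072 bits or the curve is NIST P-256, P-384 or P-521, so a CA certificate offered by a bidder can be vetted before it is trusted. The self-signed fixture certificates and the fixed-size RSA moduli are constructed here for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the RSA modulus floor stated in DAES011.
const MinRSABits = 3072

// allowedCurves are the NIST curves DAES011 names, keyed by Go's curve names.
var allowedCurves = map[string]bool{"P-256": true, "P-384": true, "P-521": true}

// CheckPublicKey returns nil when pub satisfies DAES011 and a descriptive
// error otherwise. Key types other than RSA and ECDSA are rejected outright.
func CheckPublicKey(pub crypto.PublicKey) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits < MinRSABits {
			return fmt.Errorf("RSA modulus is %d bits, below the %d-bit minimum", bits, MinRSABits)
		}
		return nil
	case *ecdsa.PublicKey:
		if name := k.Curve.Params().Name; !allowedCurves[name] {
			return fmt.Errorf("EC curve %s is not one of P-256, P-384, P-521", name)
		}
		return nil
	default:
		return fmt.Errorf("key type %T is not RSA or ECC", pub)
	}
}

// CheckCertificateDER parses a DER-encoded X.509 certificate and applies
// CheckPublicKey to its subject public key.
func CheckCertificateDER(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	return CheckPublicKey(cert.PublicKey)
}

// SelfSignedDER builds a throwaway self-signed CA certificate for priv. It
// exists only to construct fixtures for this example; real CA certificates
// would come from the bidder's PKI.
func SelfSignedDER(priv crypto.Signer) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed fixture CA"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
}

// FakeRSAPublicKey returns an RSA public key whose modulus has exactly the
// given bit length. It is not a usable key; it only lets the size check be
// exercised without generating large primes.
func FakeRSAPublicKey(bits int) *rsa.PublicKey {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &rsa.PublicKey{N: n, E: 65537}
}

func main() {
	for _, bits := range []int{2048, 3072, 4096} {
		fmt.Printf("RSA-%d: %v\n", bits, CheckPublicKey(FakeRSAPublicKey(bits)))
	}
	for _, curve := range []elliptic.Curve{elliptic.P224(), elliptic.P256(), elliptic.P521()} {
		priv, err := ecdsa.GenerateKey(curve, rand.Reader)
		if err != nil {
			panic(err)
		}
		der, err := SelfSignedDER(priv)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s certificate: %v\n", curve.Params().Name, CheckCertificateDER(der))
	}
}
```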

50. Pg. 176. DAES013. Ability to enforce compliance of third party service providers at all points in the lifecycle of the Mobile authentication and digital signature service.

Qn. Does enforcing compliance mean that the Bidder has to carry out an audit of the third party service provider on a regular basis, or does this have to be handled at the application level?

The bidder is expected to handle compliance at application level. Please refer to addendum 1. S/N.11.

51. Pg.180. DAES037. The certificate issuer shall offer a directory of issued certificates.

Qn. For this requirement, whether the bidder can propose open source LDAP such as OpenLDAP.

The bidder may propose open source LDAP if it meets the stated requirement.

52. Pg. 181. DAES043. The Bidder’s QCA service should be able to generate and securely provide digital certificates for electronic machine-readable travel documents for the following services: a) Country Signing Certificate Authority (CSCA) according to the International Civil Aviation Authority (ICAO) Doc 9303 Public Key Infrastructure for Machine Readable Travel Documents; b) Country Verifying Certificate Authority (CVCA).

Qn. Please confirm whether the bidder has to create and host CSCA and CVCA Certificates for GoU.

The bidder is advised to meet the requirement as per section VI, Table 3: DAES043 on digital certificates for electronic machine readable travel documents. The bidder is required to generate and securely provide digital certificates for electronic machine-readable documents. The bidder is not required to host these digital certificates for GoU.

53. Pg. 181. DAES045. The Bidder’s QCA service should be able to integrate their Directory service to the ICAO Public Key Directory (PKD)

Qn. Please confirm whether NITA would be providing required guidance and access for integration with ICAO

As a requirement DAES045 is removed. Please refer to addendum 1. S/N.16.

54. Pg. 181. DAES047. Trusted Time Stamping Service

Qn. Please confirm whether the bidder has to provide the timestamping solution or whether it should connect to an external TSA service provider for timestamping?

The bidder can use whichever of the options that enables them to meet this requirement.

55. Pg. 185. DAES073. Operations made by the administrative users shall be logged in the audit log for accountability of the operations and stored for a minimum of five years

Qn. Please confirm whether it is also required to generate tamper proof logs.

Bidders are advised that logs are expected to be tamper proof to enable a proper audit trail.
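One way to give the administrative audit log the tamper evidence asked for above, as an added example that is not the minutes' or any bidder's code: each entry carries a keyed hash over its contents and over the previous entry's hash, so altering or deleting an earlier record breaks every later link. The verifier key, the entry layout and the sample operations are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one audit record for an administrative operation (DAES073).
// PrevHash links it to the preceding record, so editing or removing any
// earlier record invalidates every record that follows it.
type Entry struct {
	Seq       uint64
	Timestamp string
	Admin     string
	Operation string
	PrevHash  string
	Hash      string
}

// AuditLog is an append-only, hash-chained log. The HMAC key belongs to the
// verifier (the auditor), not to the administrators being logged, so an
// administrator with write access to the store cannot re-chain entries.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func NewAuditLog(verifierKey []byte) *AuditLog {
	return &AuditLog{key: verifierKey}
}

// digest binds every field of e, including the link to the previous entry,
// under the verifier key.
func (l *AuditLog) digest(e Entry) string {
	mac := hmac.New(sha256.New, l.key)
	fmt.Fprintf(mac, "%d|%s|%s|%s|%s", e.Seq, e.Timestamp, e.Admin, e.Operation, e.PrevHash)
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records an operation and returns the stored entry.
func (l *AuditLog) Append(admin, operation string) Entry {
	e := Entry{
		Seq:       uint64(len(l.Entries)) + 1,
		Timestamp: time.Now().UTC().Format(time.RFC3339),
		Admin:     admin,
		Operation: operation,
	}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = l.digest(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head returns the hash of the latest entry. Publishing it out of band (for
// example to a write-once store) is what lets a verifier also detect
// truncation of the tail, which the chain alone cannot reveal.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify walks the chain from the start and returns the 1-based position of
// the first entry whose contents, sequence number or link no longer check
// out, or 0 when the whole log is intact.
func (l *AuditLog) Verify() uint64 {
	prev := ""
	for i, e := range l.Entries {
		pos := uint64(i) + 1
		if e.Seq != pos || e.PrevHash != prev {
			return pos
		}
		if !hmac.Equal([]byte(e.Hash), []byte(l.digest(e))) {
			return pos
		}
		prev = e.Hash
	}
	return 0
}

func main() {
	audit := NewAuditLog([]byte("constructed verifier key")) // sample key, constructed
	audit.Append("admin1", "revoke subscriber certificate (constructed sample)")
	audit.Append("admin2", "add helpdesk role (constructed sample)")
	fmt.Println("intact log, first bad entry:", audit.Verify()) // 0
	audit.Entries[0].Operation = "no-op"                         // simulate an after-the-fact edit
	fmt.Println("edited log, first bad entry:", audit.Verify())  // 1
}
```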

56. Pg. 187. DAES094. PIN Management

Qn. Is this related to PINs set by Users to secure the key pair on the mobile?

Yes, this is related to PINs set by users to secure the key pair on the mobile as per section VI, Table 3, DAES094. The RA solution should be able to offer the end user a more extensive and convenient user experience.

57. Pg. 188. DAES095. The RA backend system must allow for deactivating the certificate on the CA or deactivate specific keys.

Qn. 1. Does a four-eye principle need to be followed for user certificate de-activation?

2. Please confirm whether a provision to re-activate the certificate needs to be provided.

1. The bidder is advised to propose a clear and detailed description on how to meet this requirement.

2. No, a provision to re-activate the certificate does not need to be provided. The requirement is for de-activation.

58. Pg. 188. DAES097. Role based access control and TLS protocol of the communications shall be required to secure operations in the administration interfaces and as well guarantee integrity of the system configuration.

Qn. In the role based access, what are different types of roles expected in the RA System?

The different types of roles expected in the RA System shall be the Administrator and Helpdesk roles.

59. Pg. 188. DAES100. The RA Channel for online/ remote onboarding should be purely mobile application based without relying on a phone’s SIM card.

Qn. Will it be only mobile app based onboarding of the subscriber, or are any other modes of on-boarding envisaged by NITA? Can the bidder in its response suggest other modes of on-boarding subscribers?

Please refer to section VI part (B) item 2.4 and Table 3: DAES100. The RA channel for online / remote onboarding shall be purely application based. No other modes of on-boarding are envisaged.

60. Pg. 189. DAES107. The subscriber mobile application should support SMS OTP channels during the onboarding process

Qn. Please confirm whether NITA will provide SMS Gateway.

The Government of Uganda shall provide the SMS gateway where required. However, the bidder is advised that this requirement is removed. Please refer to addendum 1. S/N.20.

61. Pg. 190. DAES119. The certificate issuer shall provide a service for the renewal of certificates and keys, e.g. at the expiry of their period of validity, upon revocation of a certificate, or in the case of loss of key carrier/protective mechanism. It shall be specified how this service is offered to the certificate holder.

Qn. What is the expected subscriber certificate validity period?

The validity of the subscriber certificate shall be 5 years.

62. Pg. 190. DAES120. The service shall be capable of offering automatic initiation of renewal.

Qn. During renewal, does a new key pair have to be generated, or is the existing key pair re-certified?

The bidder is advised to provide a clear and detailed proposal on how to meet this requirement. The solution should be able to support renewal of certificates as per section VI Table 3: DAES119 and DAES120.

63. Pg. 192. DAES134. SIGNING PORTAL

Qn. Hope NITA will provide email exchange and SMS Gateway for integration with signing portal

The Government of Uganda shall provide the SMS gateway and mail exchange for integration with the signing portal.

64. Pg. 194. DAES153. The Signing portal shall support browsing and selection of existing users (one or more) for the purpose of sharing documents. Drag and drop functionalities shall be preferred along with quick search options.

Qn. Please confirm whether the signing portal should support workflow where in the user uploads the document and defines signatories on the document so that they can sign the document using signing service in a workflow

Yes, the signing portal should be able to support workflows for uploading of documents and defining signatories to the documents. Drag and drop functionalities are preferred. The bidder is advised to propose a clear and detailed description on how to meet this requirement.

65. Pg. 195. DAES159. The Signing portal shall allow the user to indicate signing sequencing/order for documents that require more than one user to sign.

Qn. Whether it will be only PDF document or is it expected to sign even MS Word document.

The signing portal should support the signing of the following minimum document standards: PDF, Word, ASiCE, ADoc as per section VI, Table 3 DAES145

66. Pg. 194. Document Signing Requirements.

Qn. 1. What is the maximum size of document that can be uploaded for signing? 2. Should the portal store both the original as well as the signed file in its database? 3. If so, what should be the retention period? 4. Please confirm whether time stamping of the document is mandatory?

The bidder is advised to refer to Section VI, Table 3: DAES177 for details.

1) The maximum size of document that can be uploaded is 100 MB.

2) Yes, the portal should store both original as well as signed file in its database

3) Retention period is 5 years.

4) Yes, time stamping on all documents is mandatory.

5. Does the signing portal also need to provide a delegate signing option? 6. What will be the validity of the user accounts created on the signing portal? 7. What are the various roles expected in the signing portal?

The bidder is advised to refer to section VI Table 3: DAES177.

5) No, the signing portal should not provide the delegate option.

6) The validity of the accounts created on the signing portal is 5 years.

7) These roles will be defined as per the policies to be developed by the Government of Uganda

67. Pg. 178. DAES023, point III. Users shall authorize each operation involving private keys by authenticating themselves. Electronic components shall, as a minimum, satisfy the requirements in FIPS 140-2 or an equivalent standard, relevant to the product in question.

Qn. There is a minor contradiction. If the key needs to be stored on a FIPS certified device, then in that case a part of the key is also stored on the mobile app, which may not be FIPS certified. Is it required that the mobile app store should also be FIPS certified?

The bidder is advised to refer to section VI Table 3: DAES023: Protection of private keys for details. In this case, the electronic components (Hardware Security Module) are those that are part of the bidders’ Certificate Authority Service.

68. Pg. 181. DAES046. The Bidder’s QCA service should be able to securely transfer generated certificates to the GoU Agency’s Hardware Security Module

Qn. Please confirm whether GoU will provide an interface/API to securely pass the certificate?

The Government of Uganda shall provide the API for the digital certificates for electronic machine readable travel documents as per section VI Table 3, DAES046.

69. Pg. 193. DAES145. The signing portal should support the signing of the following minimum document standards: PDF, Word, ASiCE, ADoc.

Qn. For signing of MS Word, ASiCE and ADoc, can a PKCS#11 attached signature based signing approach be followed?

No, attached signature based signing approach may not be followed. Please refer to section VI table 3, DAES144 for details. The Signing portal should be integrated with the DAES platform to support the use of Advanced Electronic Signatures.

70. Pg. 213. Points 1-3. Setup of the PKI section: i. Provide HSM to be hosted in the GoU’s Datacenter; ii. Configure and provide Qualified Certificate Authority Services; iii. Provide overall secure datacenter environment (in or outside Uganda) to host the HSM and managed services.

Qn. 1. Please confirm whether the Qualified Certificate Authority needs to be deployed in GoU's datacentre only, or in any cloud outside Uganda. Also, whether the CA Certificate used for issuing end user certificates will be a self-signed certificate or signed by any licensed Certifying Authority, and also does this setup need to undergo a WebTrust audit? 2. Whether the bidder has to bear the hosting, subscription and maintenance charges.

1. The Qualified Certificate Authority shall be in the bidder’s datacenter which may be located in or outside Uganda. The qualified digital certificates shall be issued by a Qualified Certificate Authority.

2. The bidder is advised that they will provide PKI as a service and therefore bear the costs of hosting, subscription and maintenance charges of the Qualified Certificate Authority.

71. Pg. 212. Policy and Regulation. Licensing of the Service Provider (to be done by NITA-U); the Service Provider will apply for the license and will meet the cost as required.

Qn. Please provide more details on licensing of the Service provider and what kind of license do the service provider need to get and what would be the price?

The bidder is advised to refer to Section 6 on ‘Recognition of foreign certification service providers’ of the Electronic Signatures Regulations, 2013 (found on the NITA-U website, https://www.nita.go.ug/laws).

72. Pg. 213. Point IV. Setup DAES solution platform - point IV –Integrate DAES solution with the National Identification Register

Qn. For integration with the National ID register, does the National ID register provide open APIs that can be used by external applications?

The bidder is advised that the Government of Uganda shall provide the APIs.

73. Pg. 216. Point i. Develop and implementation of signing portal - Point (i) Integrate DAES solution with GoU Systems Integration Platform

Qn. 1. Request you to provide more details on whether GoU SI Platform has Open APIs which can be used by DAES and the purpose. 2. Will this SI Platform act as a gateway to connect to other Service Providers?

The Government of Uganda shall provide the APIs to support the integration of the DAES solution with the Government of Uganda Systems Integration Platform.

74. P176 / DAES006 – QCA. Qualified Certificate Authority Services

Qn. 1. As per our knowledge the required "Certified Qualified CA" in hosted mode could lock the tender to a limited number of vendors. 2. The service is requiring an Advanced Electronic Signature, which would not require a Certified Qualified CA. 3. There will be limited value for money for the client to acquire a Certified Qualified CA if the solution only requires Advanced Signature. 4. The process and regulations governing certification are region specific.

Could you please reconsider allowing bidders to propose Qualified CAs which are not certified?

It should be noted that the bid document does not require the CA to be certified but Qualified. Please refer to section VI. Table 3: DAES006 to DAES023 that addresses the requirement of Qualified Certificate Authority Services. This ensures that a number of CAs are eligible for this bid.

75. p176 / DAES007 - Split key. User private keys shall be split and independently secured with their respective PIN codes

Qn. 1. As per our knowledge the required "key split" mechanism is a proprietary un-proven technology that could lock the tender to a limited number of vendors. 2. There are only one or two references of successful deployment of split key technology globally. 3. The available technologies have advanced and evolved; the split key requirement will limit vendors from proposing alternatives which provide advanced security capability. Could you please consider allowing other technologies also?

Please refer to response under item no.43

76. DAES035 Availability of the OCSP service. The OCSP service shall be available 24 hours a day, 7 days a week and 365/6 days a year. On average, over the course of a year, the OCSP service shall have a minimum uptime of 99.999 %.

Qn. 99.999 is a really high availability target, which is around 6 minutes unplanned downtime per year and is usually associated with mission critical services, which has major cost implications. Could you please adjust the SLA targets to a suitable level?

The OCSP is a key service for obtaining the verification status of digital certificates. This has been noted and availability is revised to 99.9%. Please refer to addendum 1. S/N.15.

77. Pg. 53

Qn. Could you please describe the mission of the adjudicator and the estimate of time spent?

The purpose of the adjudicator is to take on the role of informal contract dispute mediator as described in GCC clause 6.

78. Licensing

Qn. What is the preferred licensing model?

Please refer to page 235 section VII. A license shall include: provision of qualified digital certificates, time stamping services, operations and maintenance of the DAES platform & signing portal, onboarding of additional entities onto the DAES platform.

79. Budget: Total Cost of Ownership

Qn. What is the target price for the whole solution for the total project duration (TCO target)?

This information is not provided to bidders as per procurement guidelines. Bidding is conducted using the International Competitive Bidding (ICB) procedures specified in the World Bank’s Guidelines: Procurement under IBRD Loans and IDA Credits, edition of January 2011 revised July 2014, as documented in the Invitation for Bids (IFB). As per section I, Instruction to Bidders part (5), the bidder should provide the total cost of ownership for five (5) years, thus breaking down all cost elements including licenses, annual software subscription & support and any other elements.

80. DAES 134: SIGNING PORTAL

Qn. Do we also need to provide a Document Management System to store the signed documents?

No, the bidder does not need to provide a Document Management System to store the signed documents. Please refer to section VI, Table 3: DAES134 to DAES223 for details on this requirement.

81. DAES 107: The subscriber mobile application should support SMS OTP channels during the onboarding process

Qn. Could you elaborate how SMS OTP Channel would be used? - There have been a lot of SIM-swap attacks. SMS-OTP should not be relied on for security.

The bidder is advised to refer to page 161, Section VI part (B) item 2.4 on Subscriber Registration for details.

As a requirement DAES107 is removed. Please refer to addendum 1. S/N.20.

82. DAES 094: The RA solution should be able to offer the end user a more extensive and convenient user experience by supporting the following;

i. On-board key generation

Qn. The onboard key generation on the mobile is not secure, due to lack of proper entropy during key generation. Could you consider allowing backend generated keys too?

This is noted, and has been changed to key generation. Please refer to addendum 1. S/N.19.

83. DAES 022: Qualified certificates. A certificate containing an advanced electronic signature must be a qualified certificate, and marked as such.

Qn. X509 Certificates do not contain Advanced Electronic signatures attribute. Generally a certificate generated by a Qualified CA is treated as a Qualified Certificate.

This is noted and an amendment to the bidding document made. Please refer to addendum 1. S/N.13.

Qualified certificate refers to a certificate that is issued by a qualified certificate authority.

84. DAES 014: Only the CA shall store certificates and corresponding keys in a high performance certified hardened, tamper-resistance HSM appliances on the provider’s premise.

Qn. Does it mean the CA Certs? For performance reasons it would be better that the authentication solution also stores the user certificates.

Please refer to page 176 section VI part (B) Table 3: PKI as a Service Requirements. Whereas the primary HSM will be located in the bidders’ datacenter, the secondary backup HSM shall be hosted in the Government of Uganda Datacenter as per page 197, section VI part (B) Table 3, DAES168. The bidder is expected to provide both the primary and secondary Hardware Security Modules.

85. DAES 009: Ability to use push notifications to ensure that relying parties are notified of any credential changes – revocations, suspensions, updates

Qn. Usually the push messages are sent to end-users, not to RPs. Could you elaborate the usecase?

This is noted and an amendment to the bidding document made. Please refer to addendum 1. S/N.10.

Ability to push notifications to ensure that subscribers are notified of any credential changes- revocations, suspensions, updates.

86. DAES 137: The web based signing portal solution should support the following authentication methods Digital Authentication and Electronic Signatures integrated to the subscriber mobile application

Qn. Could there be a typo or incomplete sentence?

This is clarified and an amendment to the bidding document made. Please refer to addendum 1. S/N.21. The signing portal shall support authentication and signing through the DAES solution platform.

87. p138 / 7. Scope of the System (GCC Clause 7): (iii) Registration Authority (RA) Requirements:

i. Backend RA Solution (GoU will provide Infrastructure as a service and setup in the GoU datacentre). This component shall be owned by the bidder.

Qn. Please clarify RA ownership: indeed as per our understanding the deployment within GoU datacenter is contradictory with bidder ownership.

The Government of Uganda (GoU) shall provide infrastructure as a service for the Backend RA Solution in the National Data Center. This is to ensure the solution achieves high performance in country. This does not affect ownership of the solution, the RA shall be owned by the bidder.

88. p189 / DAES113: Minimum iOS and Android supported devices

Qn. Please clarify the expected number of supported devices per OS (Android and iOS) in the initial solution scope, and the future yearly evolution (add / replace).

Please refer to page 189 section VI, Table 3 – DAES113. This requires that the solution is compatible with devices that are supported by iOS and Android. Both iOS and Android publish the versions of OS they individually support.

89. p51 / ITB 28.5: e) Ability to provide PKI as a service by leveraging their own existing infrastructure.

Qn. Could you please authorise bidders sourcing the PKI as a service to trusted PKI providers?

ITB 28.5 part (e) guides that Bidders should be able to leverage their Public Key Infrastructure to provide the required CA services as provided for in section VI, Table 3 of the Bidding Document. The bidder may be a joint venture.

90. p46 / ITB 14.4: CIP Incoterm 2010

Qn. Could you please confirm CIP (NITA Kampala Premises) Incoterm (2010)? i.e.: Bidder, as per CIP, shall bear the export clearance and transport until Destination Airport. Then unloading and final transportation are organised and borne by Customer.

The bidder shall bear all costs up to Entebbe airport if goods are transported by air, and up to Nakawa, Kampala if goods are transported by sea. NITA will do the clearing and forwarding activities up to the stores.

91. The DAES solution shall be implemented to accommodate initial 500,000 users and be easily scalable to address future needs. The bidder shall provide a scalable and cost effective solution because the intention is to roll out the DAES solution to the whole of Government and private sector after the initial 500,000 users at deployment. Therefore, the bidder shall provide a cost tier table indicating how much it will cost per user in the future as per the table below:

Item No   Number of users          License fees, Amount in USD
1.1       1,000 – 50,000
1.2       50,001 – 250,000
1.3       250,001 – 500,000        (Should only this price be included in the bid total? - NO)
1.4       500,001 – 1,000,000
1.5       1,000,001 – 1,500,000
1.6       1,500,001 – 2,500,000
1.7       2,500,001 – 5,000,000
1.8       5,000,001 – 10,000,000
1.9       Above 10,000,000

Question: We understand that a bidder needs to quote for License fees for the different bands of users shown in the table above. Please confirm if a bidder should only include license fees for up to 500,000 users in the price schedule and our “bid price total”, since the first rollout of the DAES solution shall be implemented to accommodate the initial 500,000 users only?

The bidder is expected to fill out the cost tier table. However, the bidder’s price bid shall include only the costs of the initial 500,000 users.

92. B) User training

The bidder shall provide training to system administrators, technical managerial staff and train-the-trainer.

Question – Please advise if any Overseas training will be required? If overseas training is to be given, then do we need to factor costs for the Per diems, Air tickets, transport and accommodation for each staff that will be going for the training overseas. As a bidder, we would like to only quote for the part of the actual training sessions delivered overseas and let NITA pay for all expenses mentioned, directly to NITA staff. Please note that payment of airfares, per diem, accommodation or such expenses by a bidder or a contractor contravenes compliance laws like UK Antibribery Act, USFCPA etc.

Please refer to section VI part (b) item 2.4 on Training.

The bidder will be required to include cost of the professional training services at the training centers. Other costs related to training including travel, accommodation, per diem costs, visa/ registration fees shall be handled by the purchaser.

93. B. Establishment of a Registration Authority (RA). Backend RA System (Setup in the GoU datacentre, GoU will provide Infrastructure as a service). This component shall be owned by the bidder.

Question: Please let us know, (i) apart from owning the RA, do the contractor’s personnel have to be resident at NITA-U to administer this RA? (ii) Will NITA-U provide the contractor with access through a secured VPN connection/tunnel, for the contractor’s team that will mandatorily be resident in Uganda?

The bidder is expected to be onsite during implementation as well as provide local support during and after implementation. NITA-U will provide access through a secured VPN connection.

94. Bidding document section II “Bid Data Sheet (BDS)”, ITB 6.1 (a), point “b”: The bidder shall provide audited financial statements for the last three complete financial years demonstrating the soundness of the bidder’s financial position; and Section VII, “Sample forms” Article 5, part 3.5.5 “Financial Capabilities”: the Bidder is requested to summarize actual assets and liabilities for the previous 5 years.

Could you please clarify: 1. Should audited financial statements be provided by all companies if the proposal will be submitted by bidders in a joint venture; 2. The term for which audited financial statements shall be presented (3 or 5 years); 3. In case it is decided to participate by forming a joint venture, will it be acceptable if one of the companies provides unaudited financial statements, if under the applicable legislation of the Republic of Lithuania such company is not required to be audited.

1. Yes, Bidders, including each partner of a Joint Venture, shall provide audited financial statements to demonstrate that they meet the requirements stated in the BDS for ITB Clause 6.1 (a). Each Bidder or partner of a Joint Venture shall complete this form.

2. The term for which audited financial statements shall be presented is the last three (3) complete financial years.

3. All bidders participating in the joint venture are required to provide audited financial statements for the last three (3) complete financial years.

95. Bidding document Section I “Instructions to Bidders”, Article 17, part 17.2, point “b”: “In case of Bid security, it shall be issued by a reputable institution selected by the Bidder and located in any eligible country; if the institution issuing the security is located outside the Purchaser’s Country”.

Qn. Could you please detail the banks which are considered as appropriate for issuance of the Bid Security. If it is possible, please provide the list of banks which operate in Europe to which we can apply for Bid Security.

The bidder may select a reputable financial institution located in any eligible country to issue the bid security; if the institution issuing the bid security is located outside the Purchaser’s Country, it shall have a correspondent financial institution located in the Purchaser’s Country to make the security enforceable.

For details on eligible countries, please refer to page 57, section III of the bidding document.

96. Bidding document Section II “Bid Data Sheet (BDS)”, ITB 6.1 (a), point “f”: “Foreign companies are encouraged to partner with a local company in this regard.”

Qn. Will the participation of a local partner be taken as an advantage for a Bidder?

Partnering with a local company is a requirement against which the bidder will be evaluated as stated in Section II, “Bid Data Sheet (BDS)”, ITB 6.1.

97. 1. Compatibility between smartphone and PKI based solution. How will the private key and certificates reside in the smartphone? If so, will the private key and certificates reside on the Server side? Need detailed requirement on the signing service. 2. Solution requirement to be fulfilled by Single OEM or Multiple OEM (like for Authentication solution, Face biometric & NFC solution, PKI doc signing, Mobile App etc.). 3. HSM module details or supported for this requirement. 4. Details of Mobile OS versions supported for Android & iOS platform. 5. Details of Mobile Development Applications platform (Native Android or any other). 6. Details of Authentication server used in this solution. 7. Database supported to fulfil Solution/RFP requirement. 8. List of NFC supported mobile devices in Uganda, or number of users using this technology. 9. Any minimum requirement to fulfil Biometric solution for FACE, Finger based authentication etc. (As specs are not mentioned in the RFP).

1. Please refer to addendum 1. S/N.3. and S/N.9. for details on protection of the private key.

2. The bidder is referred to section VI part (B) Table 3- General Functional / Technical requirements and pages 158 – 171, section VI part (B) in the bidding document for details on queries numbered 2 – 9.

98. Section VI/B/2.5/A.B: The private keys for authentication and signing are split and one part is on the DAES server and the other on the user’s mobile. In both the authentication and signing services, is the server part sent to the mobile device and the private key operation happens on the mobile? OR is the user’s part sent to the DAES server and the private key operation happens on the server?

Please refer to addendum 1. S/N.9 for details on protection of the private key. The Bidders are required to demonstrate with clear description how best their solution meets the principle of protecting the private key.

99. Section VI/Table 3/DAES005: Did not understand this.

Requirement DAES005 in Table 3 requires bidders to state how their proposed solution will provide a scheme for third party developers and innovators to develop over the edge DAES use cases using an Application Program Interface (API).

100. Section VI/Table 3/DAES072: Where are these protocols going to be used?

The Bidder is expected to describe how they will use these protocols within their proposed Digital Authentication and Advanced Electronic Signature (DAES) Solution requirements. Further guidance on the nature of operations that the DAES will support can be found in section VI, part (B), Table 3 item DAES060.

101. Section VI/Table 3/DAES077: How does “Data Distribution Service (DDS)” come into the picture in this context?

DDS is a data exchange interface that enables integration with external systems. This is required by the Digital Authentication and Electronic Signatures (DAES) solution.

102. Section VI/Table 3/DAES081: Is it intended that the authentication public/private key-pair be used for TLS/SSL client authentication? How will this work considering the private key is split into parts, with the other part present on the DAES server?

Further guidance on the authentication applicability can be found on page 167 Section VI, Part B, Item 2.5

Also refer to addendum 1. S/N. 9. The Bidders are required to demonstrate with clear description how best their solution meets the principle of protecting the private key.

103. Section VI/Table 3/DAES 142

Did not understand this. What third party service providers are being referred to? Where do they come into picture? How will signing portal enforce their compliance?

This is noted. As a requirement DAES142 is removed. Please refer to addendum 1. S/N.22.

104. Section VI/Table 3/DAES 193: It says the following formats should be supported for signing: PDF, Word, ASiC-E. ASiC-E itself is a signature container. What are the expected signature formats for Word and ADoc documents?

The bidder is advised to refer to page 192 section VI Table 3: DAES138. The solution must be able to support the following minimum document signing formats:
i. XAdES
ii. PAdES
iii. CAdES
iv. ASiC


105. Section VI/Table 3/DAES150: It talks about “qualified electronic seals”. Electronic seals are nothing but electronic signatures done by legal entities (as opposed to individuals). How are legal entities going to be enrolled into the DAES system? How will DAES know if the requesting entity is an individual or a legal entity?

Refer to pages 203 – 204 section VI Table 3: DAES224 – DAES239 for the requirements relating to Electronic Seals for ‘legal persons’. Bidders are required to state how they meet this requirement. Guidance concerning onboarding of entities will be determined by the Government of Uganda.

106. Section VI/Table 3/DAES155: It talks about the signing portal creating document categories and grouping documents. Does it mean the signing portal shall maintain all signed documents and also act like a Document Management System, with document upload, download, sharing, versioning etc.?

The bidder is advised to refer to pages 194 – 195 section VI Table 3: DAES151 to DAES159 for details on this requirement.

107. Section VI/B/2.4: In all 3 methods of on-boarding, there is a step which says “Once the user is successfully identified, private keys are generated”. However, the corresponding step in the flow-charts says “Requested sent to QCA for generation of keys”. Which is correct? Are the public-private key pairs generated on the user’s mobile and a part of the private key sent to the DAES server? OR are the key pairs generated on the DAES server and the public key along with the user’s part sent to the user’s mobile device?

The bidder is advised to refer to the note on page 168 under Section VI item (2.4) which states that the three processes described above, that is, Registration, Authentication and Digital signing, shall be open to improvements at the time of implementation of the Digital Authentication and Electronic Signatures solution.

108. The DAES solution is a digital authentication solution that allows citizens to utilize their existing smart phones to register for a securely verified Digital Authentication and Electronic Signatures account and later use it to authenticate themselves online for seamless and secure access to a variety of e-services and also use advanced electronic signatures to securely e-sign the documents. The envisioned mobile application for citizens would not need special purpose hardware (such as smart-card readers or Trusted Platform Module chips) or special purpose SIM-cards. The Digital Authentication & Electronic Signatures SIM-less subscriber mobile app is envisioned to work with regular smart phones that citizens already have and would not require any extraordinary permissions.

It is my understanding that the certificates will have to be stored in an HSM and later be accessed by a user using a mobile app. Qns:

a) Is this correct?
b) What does this mobile app have to do, at least initially?
c) Is PDF/docx signing enough?
d) Would you consider a setup using a Server that receives the document and does the signing?
e) Does this HSM have to reside in a datacenter where Uganda has sovereignty? Can we host it externally?

Point 2 According to the invitation

a) Yes, certificates will be stored in a Hardware Security Module (HSM). Please refer to page 176 section VI part (B) DAES014 for details.

b) The mobile app will perform online self-registration, authentication and digital signing. Please refer to Pages 158 – 170, section VI part (B) in the bidding document for details.

c) Please refer to Section VI part (B) DAES145 which states that the signing portal should support the following minimum document standards such as PDF, Word, ASiCE, ADoc.

d) The signing portal shall be set up on server infrastructure provided by the Government of Uganda. Please refer to Section VI part (B) items DAES134 – DAES171 for details on the signing portal as required by the purchaser.

e) The primary HSM will reside in the bidder’s datacenter while the secondary HSM will reside in the Government of Uganda datacenter. Please refer to section VI, part (B), items DAES014 and DAES168 for details.

The bidder is further referred to section VI part (B) Table 3 – General Functional / Technical requirements in the bidding document for details.

109. The Electronic Signatures Act (2011) section 23 mentions: Qualifications of certification service providers. (1) The Minister in consultation with National Information Technology Authority- Uganda shall, by regulations made under this Act, prescribe the qualifications required for certification service providers. (2) The Minister in consultation with National Information Technology Authority- Uganda may vary or amend the qualifications prescribed under subsection (1) but any such variation or amendment shall not be applied to a certification service provider holding a valid licence under this Act until the expiry of that license.

Qualifications to provide certification services (1) The Controller shall not license a person as a certification service provider unless that person meets the qualifications specified in sub regulation (2). (2) A person is qualified to be licensed as a certification service provider if that person—
(a) has adequate expertise or experience to operate as a certification service provider;
(b) utilizes a secure and reliable system in providing certification services;
(c) has adequate measures in place to ensure all employees are fit and proper to carry out the duties assigned to them;
(d) complies with the operational and technical requirements specified in regulation 4;
(e) has adequate policies relating to information security and privacy, physical security, and disaster recovery;
(f) provides evidence of access to adequate working capital to enable it to operate as a certification service provider; and
(g) has adequate insurance cover, including liability cover for subscribers and persons relying on certificates issued.

Qn: a) Are these the requirements for the auditors? b) If so, is a WebTrust auditor considered to conform to those requirements?

These are requirements for certification service providers. The successful bidder will be subjected to compliance audits against these regulatory requirements.

110. Section 4 of the same regulation, entitled Technical and operational requirements, contains a set of technical requirements. According to my reading, WebTrust for CAs fulfills all of them. Qn: Can you confirm this?

The bidder is advised to carry out their own assessment as to the similarity of their mentioned standards. It is the responsibility of the bidder to ensure they comply with the requirements.

111. Section 5 of the same regulation, entitled Application to provide certification services, repository or stamp services, contains a process that you have to comply with in order to provide certification services. Qn:
a) I guess we should conform to this, is this correct?
b) Can Geda become qualified according to these requirements (also note section 6 entitled Recognition of foreign certification service providers)?

Bidders are expected to comply with the Electronic Signatures Act (2011) and its attendant Regulations. These can be found on the NITA-U website https://www.nita.go.ug/laws.

112. Section 18 which describes the types of certificates does not mention anything regarding public trust at browsers.

Qn: a) Do you want a Private PKI or Public PKI? In your scenario I think Private PKI is better because it will give you the freedom to set your own profiles based on your needs and you won’t be under the strict policy requirements of the browsers.

Qn: b) Is the enrollment process the one described at section 19 entitled Issuing certificates to subscribers?

a) The bidder is referred to the scope of this DAES solution as per the bidding document on page 39 Section II part (A) ITB 1.1 for clarification on what is required by the purchaser regarding the PKI.

b) Please refer to Pages 161 – 170, section VI part (B) item 2.4 in the bidding document for details on subscriber registration.

Part 3 According to the invitation, the PKI should include:

113. Digital Certificates for Electronic machine-readable travel documents (eMRTDs) Qn:

a) Does this mean that we need to issue ICAO certificates that will be used for actual passports?

b) Are these the same certificates that will be used for signing documents. According to my knowledge, this cannot be done. Should every citizen get a couple of certificates? One for document signing and an eMRTD one?

c) Should the PKI issue eMRTD certificates or should it be ready to issue them whenever this is needed? (deployment of the infrastructure, or be ready to deploy when needed?)

a) Yes, the bidder will be required to issue digital certificates for Electronic machine-readable travel documents (eMRTDs) as per the International Civil Aviation Organisation (ICAO) frameworks for eMRTDs.

b) No, these are not the same certificates that will be used for signing documents. Please refer to Pages 158 -170, section VI part (B) and pages 39 - 41 Section II part (A) ITB 1.1 in the bidding document for details.


c) The bidder’s PKI should issue digital certificates for eMRTDs.

114. Authentication services ii. Qualified Signatures Qn:

a) Is this a signing and verification service that will be hosted at GoU’s datacenter and which will cooperate with our PKI as a Service?

b) Will it be used to authenticate users on governmental services using a certificate supplied by us?

a) This is the Digital Authentication and Advanced Electronic Signature (DAES) Solution platform that will be hosted in the GoU datacenter. GoU will provide infrastructure for the DAES solution platform.

b) Yes, the digital certificates used by the DAES solution shall be provided by the bidder.

The bidder is referred to pages 39 - 41 Section II part (A) ITB 1.1 in the bidding document for details.

115. The DAES solution shall also integrate with electronic services, as well as with the Government of Uganda Systems Integration Platform and Government of Uganda Identification Registers. Qn:
a) Can we have a description of these electronic services?
b) Is an OAuth or similar service enough to fulfill these requirements?

a) Please refer to addendum 1. S/N.8 for a description of the electronic services.

b) The bidder is advised to propose a suitable technology to fulfil these requirements.

116. Registration Authority (RA) i. Backend RA System (Setup in the GoU datacentre, GoU will provide Infrastructure as a service). This component shall be owned by the bidder. ii. Subscriber Mobile Application. Qn:
a) Will the system have access to some governmental service for the verification of the user’s identity? Since enrollment should be possible through a mobile app, will we have access to a database that will associate the user’s name with his phone number?

Please refer to Pages 161-170, section VI part (B) item 2.4 in the bidding document for details on the methods of subscriber registration including access to the government ID databases for verification of the user’s identity amongst others.


117. The DAES solution shall be implemented to accommodate an initial 500,000 users and be easily scalable to address future needs. Qn:
a) Are the 500,000 users going to be mass-subscribed on initialization of the project?
b) Do we need to have such a process?

a) No, the 500,000 users will not be mass-subscribed on initialization of the project. They will be enrolled over a period of 12 months.

118. DAES043: The bidder’s QCA service should be able to generate and securely provide digital certificates for electronic machine readable travel documents for the following services:

a) Country Signing Certificate Authority (CSCA) according to the International Civil Aviation Authority (ICAO) Doc 9303 Public Key Infrastructure for Machine Readable Travel Documents

b) Country Verifying Certificate Authority (CVCA). Qn: Are only the Root CAs for CSCA and CVCA required, or also subsequent certificates such as Document Signer (X.509 format) and DVCA/IS (7816 CVC format)?

The bidder is required to provide PKI as a service to the Government of Uganda as per scope of the bidding document. Please refer to page 39 Section II part (A) ITB 1.1 for details.

119. DAES010: The bidder’s solution must be able to support integration with a wide variety of CAs and other back office systems. Qn:
a) Can we know what is meant by “a wide variety of CAs”?
b) Do you mean the CA hierarchy of PKI software vendors?

The bidder’s solution must be able to support integration with other Government subordinate CAs.

120. DAES045: The bidder’s QCA service should be able to integrate their Directory service to the ICAO Public Key Directory (PKD). Qn: In order to interface with the ICAO PKD, shall the bidder also provide a National PKD product? If not, how does the national infrastructure interface with the ICAO PKD?

As a requirement DAES045 is removed. Please refer to addendum 1. S/N.16.


121. Advanced vs Qualified Signature: Tender not clear on whether qualified electronic signatures or advanced signatures are required.

Please refer to page 175 section VI part (B) DAES004 on Declaration of Conformity for details.

122. CSCA and CVCA: Tender talks about ePassport PKI such as CSCA and CVCA, although this PKI has no relationship to the authentication and signature solution. Why that? What is expected here? There is mention of “securely transfer generated certificates to the GoU Agency’s Hardware Security Module”. Further, the bidder should “integrate their Directory service to the ICAO Public Key Directory (PKD)”.

The bidder is referred to the scope of this DAES solution as per the bidding document on page 39 Section II part (A) ITB 1.1 for clarification on what is required by the purchaser. Further to this, the bidder is referred to the response under item No. 120 above.

123. Project Duration – please confirm. Chapter 2.1 says: Overall projection duration of the solution should not exceed more than 12 months. The solution for the Digital Authentication and Electronic Signatures should be operational in 12 months and should start serving initial traffic at go-live. During the next 48 months of the contract, it shall be operations, maintenance and support of the DAES solution. This implies a 4 year contract + 1 year implementation.

Then again, another place in the document says: The bidder should provide the total cost of ownership for five (5) years thus breaking down all cost elements including licenses, annual software subscription and support and any other elements. Further, the table in chapter 2.7 shows 5 years of operation.

This implies a 5 year contract, including a year of implementation.

The bidder will sign a 5 year contract with the GoU. The 12 months of implementation of the DAES solution is counted as part of the 5 year contract duration. Also, as per the scope of this DAES solution, the bidder is expected to provide PKI as a service for the entire contract period. Thus the need for the bidder to provide the total cost of ownership for five (5) years.

It is 5 years of operation because the 12 months of implementation are included.

124. Performance – please clarify. Chapter 2.2b requests 3000 concurrent users per second. DAES063 lists 200 transactions per minute.

The Platform/solution design shall support a minimum of 3000 users logged in at a given time. Additionally, the solution shall support at least 200 transactions per minute.


125. Access to signing portal: What is the purpose of having authentication certificates and services when access to the signing portal is by username/password?

The signing portal shall support authentication and signing through the DAES solution platform. Please refer to addendum 1. S/N.21 for details.

126. Target – Please confirm
1) Subscriber mobile application (Android and iOS)
2) No PCs mentioned and no support for desktop browsers requested
3) Signature Portal with many functionalities beyond signature
4) PKI suitable to provide necessary certificates (and keys)

1) Please refer to page 189 section VI, Table 3 – DAES113. This requires that the solution is compatible with devices that are supported by iOS and Android. Both iOS and Android publish the versions of OS they individually support.
2) and 3) Please refer to pages 192 – 197 section VI part (B) DAES134 – DAES171 for details on the signing portal as required by the purchaser.
4) Please refer to page 39, section II part (A) ITB 1.1 item 5 – PKI as a service requirements.

127. Regulations: Must have copies of Electronic Transactions Act (2011), Electronic Signatures Act (2011), Electronic Signatures Regulations (2013).

Please find copies of the laws on the NITA website: https://www.nita.go.ug/laws

128. 1) The terms of requirements are technically restrictive since they are based on PKI architecture only and seem to exclude any other solutions like especially blockchain based on KSI;

2) A confirmation that the technical evaluation will take cognizance of more functionalities responsive to blockchain based solutions is needed

The requirements are retained as provided in the bidding document.

129. DAES001 No. ISO 21188 Certification, PKI for financial services.

The certificate issuer shall have a Certified Information Security Management System (ISMS) as defined in ISO/IEC 27001:2013. The management system shall, as a minimum, encompass the part of the organization and procedures that relate to the management of the CA services. The bidder should submit certified ISMS by an internationally accredited Management Systems Certification Body.

Qn: Does ISO 21188 Certification, which represents the required banking security standards for PKI, suffice for the customer-set standards?

industry shall not replace the requirement for the ISO/IEC 27001:2013 as stated in the bid document.

The bidder is expected to have the ISO/IEC 27001:2013 certification for their current business processes related to CA services.

130. The requirement DAES001 is for compliance to ISO 27001, which is an information security management standard. Seeing that this project is predominantly related to the Public Key Infrastructure (PKI), compliance to WebTrust (based on ISO 21188) is the adequate certification for control objectives and supporting procedures to manage risks. WebTrust sets the standards for security and audit compliance of all Certification Authorities, including all digital certificates that need public trust, such as digital signatures, which forms part of the scope. The standards for both ISO 21188 and ISO 27001 overlap in terms of documentation, policies and practices.

Qn: Can NITA approve in writing that WebTrust is sufficient for this requirement?

There are no changes made to the bidding document in this regard;

The bidder is expected to have the ISO/IEC 27001:2013 certification for their current business processes related to CA services.

131. Digital Certificates for Electronic machine-readable travel documents (eMRTDs)

DAES042

a) Are you currently issuing electronic passports?
b) Do you have an existing HSM or are you looking for a new HSM?
c) Are you intending to issue ePassports? If so, please refer to BAC or EAC section below.
d) Are you looking for an ePassports Issuance and personalization system?
e) How many GOU sites will be involved in the ePassports issuance?
f) How many local operations centers / registration authorities will be allocated to manage the ePassports solution?
g) Are you looking at issuing National ID (NID) cards which will include chips in the short or long run?
h) Are you using/considering BAC or EAC on NID cards?
1. If so, please refer to BAC or EAC section below.
i) Do you want to use your NID to authenticate to online government services?
1. If so, we can include an X.509 certificate on the document for online authentication.

Bidders are advised to restrict their responses to the scope of the DAES solution as per the bidding document on page 39 Section II part (A) ITB 1.1 for clarification on what is required by the purchaser.

Bidders are also advised to note Section VI part (B) Table 3: DAES042 – DAES046 which describes what is expected of the bidder in regard to provision of digital certificates for Electronic machine-readable travel documents (eMRTDs).

132.
a) Do you want a solution which has achieved independent security validation?
b) Do you want a solution which has been proven to scale within large environments?
a. Entrust PKI is used within some of the highest volume countries, including the US and UK. Also automated lifecycle management of keys supports scalability.
c) How many ePassports user CAL are you looking for?
d) Support & maintenance option? i.e. 1, 2, 3 years, etc.
e) Training?
a. Type of Training required?
b. Onsite or Offsite the GOU training facility?

Bidders are referred to the scope of this DAES solution as per the bidding document on pages 39 – 41 Section II part (A) ITB 1.1 for clarification on what is required by the purchaser, including support and maintenance.

Bidders are also advised to refer to page 172, section VI part (B) item 2.4 on Training for details.

Bidders are also referred to page 48 Section II, ITB 16.2 (c), part (h) where the bidder is required to provide a Training Plan. The training plan must include both the Bidder’s classroom training proposal and the Bidder’s on-the-job training and technology transfer proposal.

133. Basic Access Control (BAC):
15. Are you currently using BAC to secure your documents?
a) If so, what technology are you using?
b) Is this working well for you, or are you considering changing PKI?
c) Do you need integration with ICAO PKD?
d) Do you need a component to automate the signing of the chip content according to ICAO standards?
e) Are you inspecting or planning to inspect domestic or foreign BAC documents at your border?
f) Extended Access Control (EAC): Are you currently using EAC to protect your documents?
1. If so, what technology are you using?
2. Is this working well for you, or are you considering changing PKI?
g) How are you planning to secure administration of your Country Verifying Certification Authority (CVCA)?
h) Do you need to support ICAO standards (including Single Point of Contact [SPOC]), with proven interoperability with other countries?

Given that within EAC certificates need to be updated every 3-30 days, do you see value in automating issuance of Inspection System (IS) and Document Verifier (DV) certificates to reduce outages and cost of ownership?

The issues raised are out of scope of the requirements stated in the Bid document. Bidders are referred to the scope of this DAES solution as per the bidding document on page 39 Section II part (A) ITB 1.1 for clarification on what is required by the purchaser.

134. Additional questions
a) Do you have a deadline for delivering the project in a Live Environment that you can share?
b) Any complete RFx? i.e. RFP, RFI, etc.
c) How many documents do you plan to issue (i.e. for all Nationals?)
d) Time frame to issue all passports.
e) What certificate profile is used for the CV CA?
o Cert lifetimes
o Extensions
What certificate profile is used for the inspection system?
o Which data group is the “file” being stored on the eMRTD?
o Cert lifetimes
o Extensions
Is there any other third-party company providing the inspection system software component?
a. How will the inspection system enrol and then perform certificate updates?
b. How does the inspection system update the CVCA cert on the chip?

The issues raised are out of scope of the requirements stated in the Bid document. Bidders are referred to the scope of this DAES solution as per the bidding document on page 39 Section II part (A) ITB 1.1 for clarification on what is required by the purchaser.

135. DAES168

The Bidder shall provide the required secure and reliable secondary HSM module/appliance with its attendant rack and rack level security (to be located in the GoU Data Centre) for the secure storage and processing of qualified electronic seals linked to the CA services.

a) What Android and iOS devices are expected to be supported?
b) What kind of compliance do you want to enforce on third parties?
c) If somebody logs into the signing portal, do they want to be able to dictate what authentication mechanisms to use?

The bidder is referred to pages 192 – 197, section VI part (B) Table 3, DAES134 – DAES171 for details concerning the signing portal. Logging into the signing portal should be via the user’s digital identity.


136. What is the (NITA-U) current internet throughput?

Current internet throughput is up to 10 Gigabits per second

137. The clause in yellow is confusing: does it mean the warranty period is 4 years? "Recurrent costs for the first 4 years (warranty period – ref: ITB1.1) after operational acceptance shall be paid in quarterly in advance within this contract. Recurrent costs during the post warranty period (4 years –refer to GCC1.1) shall be paid under separate contract directly by GoU."

The warranty period shall be for a period of one (1) year or as given by the manufacturer from the day of operational acceptance.

138. What do you mean by a ‘designated accredited training centre’?

A training center that is formally recognized by the bidder.

Certification of minutes as a true record of the proceedings of the meeting:

Name: ___________________________________ Sign: ______________________Date:_______________

Chairperson of the meeting
