1 FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche
2 Contents 1. Introduction Overview Scope of the Certification Services CA Identity Publication Further Information CA Certification Infrastructure Overview Roles and Responsibilities Certificate Classes Client Certificates Server Certificates Certification Authority (CA) Registration Authority (RA) Certificate Database and Repository Certificate Application Overview Application for Client and Server Certificates Client Certificates Server Certificates Intermediate Certificates Validation of Certificate Application Overview Validation Requirements for Certificate Application Approval of Certificate Application Rejection of Certificate Application Certificate Issuance Overview Issuance & Publication Denial of Certification Certificate Validity and Operational Periods Certificate Format Certificate Suspension
3 6.1. Overview Certificate Revocation Overview General Reasons for Revocation Specific Reasons for Revocation Revocation of employers- and guest-certificates Automatic Revocation of student's certificates Revocation at Subscriber's Request Procedure for Automatic Revocation Request Procedure for Non-Automatic Revocation Request Revocation at RA or CA officer's Request Certificate Expiration Overview Certificate Expiry Certificate Renewal Security Audit Procedures Types of Events Recorded Frequency of Processing Log Protection of Audit Log Audit Log Backup Procedures Notification to Event Causing Subject Records Archival Events Recorded in Operational Authority Database Retention Period for Archive Files Protection of Archive Files Archive Backup Procedures Archive Collection System Procedures to Obtain and Verify Archive Information Compromise of the Certificate Authority Private Key Disaster Recovery Certificate Authority Termination of Services Relationship between CPS and CP List of Changes Appendix Definitions Key words for use in RFCs to Indicate Requirement Levels
4 1. Introduction 1.1. Overview Scope of the document This Certificate Practice Statement (CPS) describes the practices and standards employed by the FernUniversität in Hagen 1 Certification Authority (CA) in the performance of certification services. By explaining the methods used by the CA to manage and complete tasks associated with certificate generation, the CPS will promote and engender trust in the CAs Public Key Infrastructure (PKI). This CPS is applicable to all parties with relationships to the CA, whose roles are defined in it, including subscribers (e.g. certificate owners). Relationship to other documents Every CAs has to adopt the regulations defined in the Scientific Trust Certificate Policy (CP). More detailed information about the general regulations, which conforming CAs employ in their operations in issuing certificates, can be found in the Scientific Trust Certificate Policy (CP). Nomenclature Within the document the words ''must'', ''must not'', ''required'', ''shall'', ''optional'',..., are to be interpreted as defined in RFC Scope of the CPS CP, section Scope of the Certification Services The certification services are provided to improve the use of electronic mail (S/MIME), electronic communications, electronic commerce, electronic transactions and other activities by securing e.g. web-, mail-, ldap- or other network services. Certification Services provide the universities' users and those who deal and communicate with them a higher level of internet-security. To accomplish this objective, the CA will issue and manage certificates in accordance with this CPS. The certification services offered by the CA cover the following: Certificate Application/Request, Certificate Issuance, Certificate Publication, Certificate Expiry, Certificate Revocation, 1 succeeding: university 4
5 Certificate Revocation List (CRL) Generation and Management CA Identity The FernUniversität in Hagen Certification Authority (CA) performs certification services on behalf of the following organization: Company Name: Registered Offices: Address: FernUniversität in Hagen Zentrum für Medien und IT Certification Authority (CA) Feithstraße. 150b, Hagen Telephone: +49 (23 31) Fax: +49 (23 31) Electronic mail: 1.4. Publication This Certificate Practice Statement is published in electronic form at Further Information A website, containing information regarding the use of digital certificates issued by FernUniversität in Hagen's Certification Authority (CA), is provided at Users, server administrators and relying parties must familiarize themselves with this CPS and the associated CP before applying for, using, or relying upon certificates. 5
6 2. CA Certification Infrastructure 2.1. Overview The CA will facilitate the confirmation of identity within the universities domain. Such facilitation shall be accomplished by means of a certificate, i.e., a digitally signed message, issued by the CA as part of a certification process. The high level management of this certification process includes registration, naming, appropriate applicant authentication, issuance, revocation, and audittrail generation Roles and Responsibilities The Policy Managing Authority (PMA) is the CA itself. The PMA is responsible for the selection and definition of certificate policies for the university, approval of any cross-certification agreements with external Certification Authorities, conducting compliance audits of the CA, and review of this CPS to ensure consistency with the ''Certification Policy (CP)''. The CA is operated by the University of Hagen`s computing center. CA has operational authority over the universities Public Key Infrastructure. As of the effective date of this CPS, the sole universities Registration Authority (RA) is the CA. However, as it seems appropriate, the CA may appoint organizations outside of the computing center as additional RAs. In such event, all RAs shall collectively constitute the CA. The RA is needed for the physical identification/authentication of subscribers. CA security officers will interface with the system mainly for CA functions and the computing centers help desk personnel will interface with the system mainly for managing subscribers. The names of the employees filling the described positions are available from the computing center. Policy Management Authority CP, section Certification Authority (CA) CP, section Registration Authority (RA) CP, section CPS approval procedures CP, section Certificate Classes The CA issues client and server Certificates. Authorization levels differ from the type of certificate requested. Important Notice: Data recovery can not be assured for any kind of certificates. No encrypted files, s or data may be recovered. This CA does not support key escrow and key recovery at all. 6
7 Private key escrow CP, section Client Certificates The client certificate is for users 2 with a valid network ID and password. It is used for and file encryption, server log-on and browser purposes. Authentication level is web Server Certificates The server certificate is intended for server and code signing purposes. Employee applicants for a server Certificate must physically identify themselves. Applicants will be authenticated by CAs security officers in the computing centers location with their identity card or passport. No other documents will be accepted. Authentication level is personal. Server certificates will not be issued for universities students or guests Certification Authority (CA) The CA shall operate in accordance with this CPS and the ''Certification Policy (CP)'' and issue, manage, and revoke client and server certificates. Functions of the CA cover the following: Certificate Application, Certificate Issuance, Certificate Publication, Certificate Expiry, Certificate Revocation, Certificate Revocation List (CRL) issue and Management. CA obligations CP, section Registration Authority (RA) With the exceptions noted below, the RA will evaluate and approve or reject certificate applications on behalf of the CA, who will actually issue the certificates. 2 Universities students, employees and guests. 7
8 RA officers will coordinate certificate applications, validate the identity of certificate applicants, and confirm the information obtained during the application process. The type, scope and extent of confirmations required are dependent upon the certificate applied for. The RA will approve certificate applications, on behalf of the CA after ensuring that the whole certification application procedure has been performed in accordance with the practice defined by this CPS. Certificate requests will be accepted via the certificate server web forms only. RA obligations CP, section Certificate Database and Repository A certificate database shall be maintained to keep track of the pending certificate requests, issued or revoked certificates and Certificate Revocation Lists (CRL). Only the RA and CA shall have the authority to update this database. A web user interface will be provided for users to query the status of their certificate requests and any issued or revoked certificate. The web server interface is available at https://ca.fernuni-hagen.de/certserver/. Publication of CA information CP, section Personnel Controls CP, section
9 3. Certificate Application 3.1. Overview This section describes the certificate application process. It includes the requirements for key pair generation and protection and lists the information required for each certificate Application for Client and Server Certificates The CA establishes different authentication levels for client and server certificates Client Certificates For client certificates authentication level is web. Actor's actions are as defined below: Actor Number Action Applicant 1. Enroles at the university and has to accept the enrollment rules, The applicant is legally bound to indicate his proper adress and retieve at least every 14 days the box. University 2. Identifies the applicants address. University 3. Stores address, , registration number and network ID in central database. Applicant 4. Submits his registration number by filling out the web form https://account.fernunihagen.de/password.php in order to apply for a password. CA 5. Generates and stores password in combination with first name, second name, , network ID in certificate database. CA 6. Sends password by postal services to address located in central database. Applicant 7. Submits his registration number and password by filling out web form https://ca.fernunihagen.de/certserver/, follows the instructions displayed and requests a certificate. CA 8. Receives and reviews the request automatically. CA 9. Issues the requested certificate and offers it for download. 9
10 CA 10. Stores the certificate in certificate database and publishes it (https://ca.fernunihagen.de/certserver/). Applicant 11. Downloads and installs certificate. Applicant 12. Ensures certificate usage in conformity with CP and this CPS. Subscriber obligations CP, section Authentication of the individual identity CP, section Certificate Application CP, section 4.1. Certificate Issuance CP, section Server Certificates For server certificates authentication level is personal. Server certificates are issued only for the universities employees. Actor's actions are as defined below: Actor Number Action Applicant 1. Takes employment at the university. University 2. Stores office address, network ID in central database and assigns the applicant an adress Applicant 3. Submits his network ID by filling out the web form https://account.fernunihagen.de/password.php in order to apply for a password. CA 4. Stores password in combination with first name, second name, , network ID in certificate database. CA 5. Sends password by postal services to address located in central database. Applicant 6. Submits his network ID and password by filling out the web form https://ca.fernunihagen.de/certserver/, follows the instructions displayed and requests a certificate. CA 7. Receives and reviews the request manually. 10
11 CA 8. Identifies the applicant with applicants identity card. CA 9. Verifies the domain ownership by asking the dns administrator of the university. The administrator knows the link between person and domain ownership. CA 10. Issues the requested certificate. CA 11. Hands out certificate to applicant. CA 12. Stores the certificate in certificate database and publishes it (https://ca.fernunihagen.de/certserver/). Applicant 13. Ensures certificate usage in conformity with CP and this CPS. If an Intermediate CA wants to issue an Intermediate CA certificate, we want to add the following to the Scientific Trust CPS document: For intermediate certificates authentication level is personal. Actor's actions are as defined below: Intermediate Certificates For intermediate certificates authentication level is personal. Actor's actions are as defined below: Actor Number Action Applicant 1. Wants to have an intermediate certificate Intermediate CA 2. Requests more informationen over the applicant and wants a CPS document. Applicant 3. Submits his CPS document to the CA Intermediate CA Scientific Trust Intermediate CA Intermediate CA 4. Checks the CPS document. 5. CA performs an audit at the applicant. 6. Issues the requested certificate. 7. Hands out certificate to applicant. Applicant 8. Ensures certificate usage in conformity with CP and this CPS. 11
13 4. Validation of Certificate Application 4.1. Overview This section presents the requirements for validation of certificate applications to be performed by the RA on behalf of the CA. It also explains the procedures applicable to applications that are not approved Validation Requirements for Certificate Application Upon receipt of a certificate application, the RA shall perform all required validations as a prerequisite to certificate issuance by the CA. Once a certificate is issued, the CA and RA shall have no continuing duty to monitor and investigate the accuracy of the information in the certificate, unless the CA or RA is notified in accordance with this CPS of that certificate's compromise or a request to change any significant detail (i.e., Name, Department, etc.). The following table highlights certain differences between the validation requirements for each certificate class. The CA shall have the right to update these validation requirements to improve the validation process. client certificate server certificate personal authentication not applicable mandatory web authentication mandatory mandatory authentication code mandatory mandatory identity card validation not applicable mandatory The following table describes, who is allowed to apply for which type of certificate: client certificate server certificate students yes no employees yes yes guests yes no Authentication of the individual identity CP, section Certificate Issuance CP, section
14 4.3. Approval of Certificate Application Upon successful accomplishment of all certificate application validation requirements, the RA shall approve applications on behalf of the CA. The CA shall issue the appropriate certificates based upon such approvals Rejection of Certificate Application If any of the validation requirements have not been fulfilled, the RA shall reject the certificate application on behalf of the CA and promptly notify the certificate applicant of the validation failure and the reason for such failure. Any applicant whose certificate application is rejected may reapply, provided that the reason for rejection has been resolved. Certificate Issuance CP, section
15 5. Certificate Issuance 5.1. Overview This section presents additional information concerning the issuance of certificates Issuance & Publication Upon approval of a certificate application by the RA on behalf of the CA, and receipt of the approval by the CA via the certificate server, the CA will issue a certificate. The issued certificate and the corresponding public key will be added by the CA to the universities certificate repository where it is publicly accessible. CA obligations CP, section RA obligations CP, section Repository obligations CP, section Certificate Issuance CP, section Denial of Certification The university may deny issuance of a certificate to any person, at its sole discretion, and assumes no liability or responsibility for any damages, losses or expenses of any nature arising out of or caused by such denial. Certificate Issuance CP, section Certificate Validity and Operational Periods Certificates shall be considered valid if Issued by the CA, and Listed on the CAs repository, and Not listed on the current CAs CRL, and Not expired, and Verifiable by a valid CA certificate. The standard operational periods for the various classes of certificates are as follows, subject to earlier suspension or revocation of the operational period. 15
16 certificate class client server CA validity period 3 years 3 years 10 years 5.4. Certificate Format The format of all certificates issued by the CA complies with ISO/IEC 9594 X.509 version 3. Certificate Profile CP, section 7.1. Version number(s) CP, section
17 6. Certificate Suspension 6.1. Overview This CA does not support certificate suspension at all. Instead of being suspended, a certificate may be revoked and the user can reapply for a new certificate. Circumstances for suspension CP, section
18 7. Certificate Revocation 7.1. Overview This section sets forth the circumstances under which a certificate may or must be revoked by the CA. It also details the procedures for revoking certificates General Reasons for Revocation A certificate shall be revoked by the CA if There has been a loss, theft, unauthorized disclosure, or other compromise of the private key of the subscriber. The subscriber has breached a significant requirement of this CPS. Information pertaining to the security of the certificate is essentially threatened or compromised for any reason. There has been a modification of the information contained in the certificate concerning the subscriber. The student has left university. The subscriber is no longer employed or in the universities service, or is no longer doing business with the university, or the reason for issuance of the certificate ceases to exist. The subscriber applies for revocation. Circumstances for revocation CP, section Specific Reasons for Revocation The CA must revoke a certificate if An essential fact represented in the certificate application or certificate is or is reasonably believed by the RA or CA to be false. An essential prerequisite to certificate issuance was not satisfied. The private key or other aspect of the system was compromised in a manner significantly affecting the certificate's reliability. The subscriber has breached a significant requirement of this CPS. Circumstances for revocation CP, section Revocation of employers- and guest-certificates 18
19 When universities employers or guests are no longer doing business with the university, they have to request for revocation. The procedure for this revocation process is described in section Automatic Revocation of student's certificates A certificate will be automatically revoked, if a student leaves university Revocation at Subscriber's Request A certificate shall be revoked by the CA upon receipt of a formal request from the subscriber. Important Notice: This section describes the secure and trustworthy process used to initiate a revocation request. This process is often manual, e.g., in person, via secure e mail, telephone verification. The important factor is that the process should provide for the authentication of the requestor and integrity of the request. The requirements for identification and authentication of revocation requests are based on a threat, risk analysis based on the use of the certificates and type of subscribers, and should follow security guidelines in the universities security policy. Who can request revocation CP, section Revocation Requests CP, section Procedure for Automatic Revocation Request Upon automatic validation of a revocation request from a subscriber, the certificate will be revoked automatically. The request must be made by submission of the web form https://ca.fernuni-hagen.de/certserver/ by the subscriber to the certificate server: Actor Number Action Subscriber 1. Submits registration number / network ID and password by filling out web form https://ca.fernuni-hagen.de/certserver/. Subscriber 2. Requests revocation of the certificate. CA 3. Receives and reviews the request automatically. CA 4. Revokes the requested certificate. CA 5. Issues and publishes a new CRL automatically ( 19
20 CA 6. Informs the subscriber. Procedure for revocation request CP, section Revocation Requests CP, section Procedure for Non-Automatic Revocation Request Upon validation of a revocation request from a subscriber, the certificate will be revoked by the RA or CA Officer. Under specific circumstances, e.g., where the subscriber is travelling, the subscriber may be permitted to request revocation directly to the RA, CA or help desk. Under such circumstances, the help desk will authenticate the subscriber's request appropriate through data available in central databases. This procedure is the only procedure for revoking server certificates. Actor Number Action Subscriber 1. Contacts CA, RA or help desk. Subscriber 2. Requests revocation of the certificate. CA 3. Authenticates the Subscriber in a secure and trustworthy process. CA 4. Receives and reviews the request. CA 5. Revokes the requested certificate. CA 6. Issues and publishes a new CRL automatically CA 7. Informs the subscriber. Procedure for revocation request CP, section Revocation requests CP, section Revocation at RA or CA officer's Request Under circumstances in which a key compromise is strongly suspected, the RA, CA or help desk will immediately revoke the certificate. In the case of 6.2 the decision to revoke the certificate shall be made by the RA, CA or the help desk respectively. 20
21 If a security officer of the RA or CA is initiating a revocation request, he must login by providing the appropriate credentials to the certificate server and initiate a revocation request. 21
22 8. Certificate Expiration 8.1. Overview This section provides information about certificate expiry and renewal procedures Certificate Expiry The CA will make reasonable efforts to notify subscribers via , fourteen (14) days before the expiration date of their certificates, of the impending expiration of their certificates. All such notices will be sent for the convenience of subscribers only to assist them in the process of renewing their certifications. It is the responsibility of subscribers to monitor the expiration dates of their certificates Certificate Renewal For renewals of all classes of certificates, subscribers must apply for a new certificate as described in chapters 3 to 5 Routine Rekey CP, section 3.2. Rekey after Revocation CP, section
23 9. Security Audit Procedures Types of Events Recorded All significant security events on the CAs Public Key Infrastructure will be automatically recorded in audit trail files maintained by the CA. These events include: Events related to password issuance, events related to certificate application, issuance, publication and revocation, events related to security policy modification and validation, events related to database backup and management, events related to cross certification, events related to web server / certificate server usage, and events related to other miscellaneous events. Security Audit Procedures CP, section 4.5. Types of event recorded CP, section Frequency of Processing Log The audit trail shall be processed (reviewed for policy violations or other significant events) by the CA periodically, but at least once a month. Frequency of processing log CP, section Protection of Audit Log The audit trail will be stored in regular operating system flat files. Each audit trail file will consist of an audit header that contains information about the audits in the file and a list of events. The audit trail will be capable of being spread across many files. A new audit trail file will be created when the it deems to be appropriate for the CA officer. Individuals with security officer or audit privileges will be capable of viewing and processing audit trail files through custom built audit reduction reports / tools. Protection of audit log CP, section
24 Audit Log Backup Procedures Audit trail files will be archived by the system administrator on a daily basis. All files, including the latest audit trail file, will be moved to magnetic tapes and stored in a secure archive facility in accordance with the universities operational backup procedures. Audit log backup procedures CP, section Notification to Event Causing Subject There is no notification system to inform the users of the universities PKI about audit event causing actions. Notification to event-causing subject CP, section Records Archival Both the audit trail files and the operational authority database will be archived, as described below. Audit logs will be maintained in accordance with existing universities standards. Records Archival CP, section Events Recorded in Operational Authority Database The types of events that will be recorded in the audit trail files are described in Section of this CPS. The types of events that will be recorded in the operational authority database include: Creation of the CA signing key pair, Addition and removal of subscribers from the system; Changes to the encryption key pair history and verification public key history for all subscribers, including certificate issuance and revocation events, Addition/removal of administrator and security officer privileges; Changes to the privileges of RA personnel; 24
25 Changes to policy, such as certificate validity period, and Creation and revocation of cross certificates. Types of event recorded CP, section Retention Period for Archive Files The archives will be retained as required by the universities record retention policy. Retention period for archive CP, section Protection of Archive Files The operational authority database will be encrypted and protected by master user keys. Protection of the audit trail files will be as described in section of this CPS. All archive media will be protected by physical security and will be retained in a restricted access facility to which only CA officers and the operational authority will have access. Protection of archive CP, section Archive Backup Procedures Archive files will be backed up as they are created. They will be stored on site and housed with the operational authority system. Archive backup procedures CP, section Archive Collection System The archive collection system (backup facility) for the operational authority database will be internal to the operational authority system. 25
26 The archive collection system (backup facility) for the audit trail files will be as described in section of this CPS. The archiving will be external from the operational authority system. Archive collection system CP, section Procedures to Obtain and Verify Archive Information The archive tapes will regularly be retrieved and examined by the operational authority to ensure that no damage or loss of data has occurred. In addition, the condition of the archive will be verified during every compliance audit. Procedures to obtain and verify archive information CP, section Compromise of the Certificate Authority Private Key In case of a compromise, the CA will take the following steps, as a minimum, to recover a secure environment: Generate a new CA signing key in software or hardware (on separate HSM token). Update the CA signing key. This will renew the CAs certificate. Ensure all passwords are changed for the RA and CA security officers and administrators. Force key updates for all subscribers. Subscribers will generate new private signing keys / decryption keys the first time they log in and new subscriber public certificates signed by the new CA signing key will be issued. Archive the certificate database and the CRL. Revoke the old CA signing key. Any digital signatures created before the old CA key is revoked will no longer validate within the PKI because the PKI will no longer trust the revoked CA certificate and the old digital signatures can not be checked against a valid CRL. Relying parties will receive a message that the certificate should not be trusted. Important Notice: The specific actions to be taken in response to a CA private key compromise will be dependent on a threat, risk analysis and the nature of the compromise. 26
27 Compromise and disaster recovery CP, section 4.8. Computing resources, software and / or data are corrupted CP, section Disaster Recovery All operations of the PKI will be covered by a business continuity plan prepared by the CA that provides for a smooth transition to the Disaster Recovery (DR) facility. The business continuity plan shall provide for the following actions: The directory data, encryption certificates and CRLs will be restored from backup archives by the personnel responsible for doing so at the DR facility; The master user will restore the CA; and Should the profile of a security officer, administrator or the RA need recovery, another security officer will do so. If there are not enough security officers with valid security officer privileges in existence to recover a security officer profile, two master users will perform the recovery. Compromise and Disaster Recovery Computing resources, software and / or data are corrupted CP, section 4.8. CP, section Certificate Authority Termination of Services In the event that the CA ceases operation, the following procedures will be performed, as a minimum: All certificates issued by the CA will be revoked and a CRL will be published as long as any issued certificate would be valid without revocation. An archive of the certificate database will be created and retained for a minimum of 7 years. No further CRL or directory services are offered. The archive will be kept off-line. The archive will be made available only on the official directive of law enforcement agencies. CA Termination CP, section
28 10. Relationship between CPS and CP The Certification Practice Statement defines the practices for managing certificates as defined in the Certification Policy. This CPS is based on Scientific Trusts Certification Policy. CPS chapters match to CP chapters as follows: CPS CP 1.1 Overview 1.1 Overview 2.2 Roles and Responsibilities Specification administration organization Certification Authorities Registration Authorities 8.3 CPS approval procedure 2.3 Certificate Classes Private Key Escrow 2.4 Certification Authority CA obligations 2.5 Registration Authority RA obligations 2.6 Certificate Database and Repository Publication of CA Information 5.3 Personnel Controls Client Certificates Subscriber Obligations Authentication of Individual Entity 4.1 Certificate Application 4.2 Certificate Issuance 4.2 Validation Requirements for Certificate Application 4.4 Rejection of Certificate Application Authentication of Individual Entity 4.2 Certificate Issuance 4.2 Certificate Issuance 5.2 Issuance and Publication CA obligations RA obligations Repository Obligations 4.2 Certificate Issuance Denial of Certification 4.2 Certificate Issuance 28
29 5.4 Certificate Format 7.1 Certificate Profile Version Numbers 6.1 Overview Circumstances for Suspension 7.2 General Reasons for Revocation Circumstances for Revocation 7.3 Specific Reasons for Revocation Circumstances for Revocation 7.5 Revocation at Subscriber's Request Procedure for Automatic Revocation Request Procedure for Non-Automatic Revocation Request Who can Request Revocation 3.4 Revocation Request Procedure for Revocation Request 3.4 Revocation Request Procedure for Revocation Request 3.4 Revocation Request 8.3 Certificate Renewal 3.2 Routine Rekey 3.3 Rekey after Revocation Types of Events Recorded 4.5 Security Audit Procedures Types of Events Recorded Frequency of Processing Log Security Audit Procedures Protection of Audit Log Protection of Audit Log Audit Log Backup Procedures Audit Log Backup Procedures Notification to Event Causing Subject Notification to Event Causing Subject 9.2 Records Archival 4.6 Records Archival Events Recorded in Operational Authority Database Retention Period for Archive Files Types of Events Recorded Retention Period for Archives Protection of Archive Files Protection for Archive Archive Backup Procedure Archive Backup Procedure Archive Collection System Archive Collection System (internal vs. external) Procedures to Obtain and Verify Archive Information Procedures to Obtain and Verify Archive Information 29
30 9.2 Compromise of the Certificate Authority Private Key 4.8 Compromise and Disaster Recovery Computing Resources, Software, and/or Data are Corrupted 9.3 Disaster Recovery 4.8 Compromise and Disaster Recovery Computing Resources, Software, and/or Data are Corrupted 9.4 Certificate Authority Termination of Services 4.9 CA Termination 11. List of Changes Version Date Changes not applicable DFN review Scientific Trust review new Section
31 12. Appendix Definitions An authority trusted by one or more users to create and assign public key certificates. Optionally the CA may create the user's keys. It is important to note that the CA is responsible for the public key certificates during their whole lifetime, not just for issuing them. A certificate for one CAs public key issued by another CA. A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range. A statement of the practices, which a certification authority employs in issuing, certificates. A CRL is a time stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository. The expression ''conforming CA'' is used to indicate a CA whose behavior is conforming to the set of provisions specified in this document. In particular, this may be Scientific Trust RootCA or one of its Intermediate CAs. The Authority responsible for the maintenance of the CP and CPS. The set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke PKCs based on public key cryptography. An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA). [Note: The term Local Registration Authority (LRA) is used elsewhere for the same concept.] A recipient of a certificate who acts in reliance on that certificate and/or digital signatures verified using that certificate. In this document, the terms ''certificate user'' and ''relying party'' are used interchangeably Key words for use in RFCs to Indicate Requirement Levels According to RFC 2119 ''Key words for use in RFCs to Indicate Requirement Levels'', we specify how the main keywords used in RFCs should be interpreted. Authors who follow these guidelines should incorporate this phrase near the beginning of their document: The key words ''must'', ''must not'', ''required'', ''shall'', ''shall not'', ''should'', ''should not'', ''recommended'', ''may'', and ''optional'' in this document are to be interpreted as described in RFC This word, or the terms ''required'' or ''shall'', mean that the definition is an absolute requirement of the specification. This phrase, or the phrase ''shall not'', mean that the definition is an absolute prohibition of the specification. 31
32 This word, or the adjective ''recommended'', mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. This phrase, or the phrase ''not recommended'' mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. This word, or the adjective ''optional'', mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option must be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option must be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.) 32
HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of
HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 1.1 Date : 3 March 2000 Prepared by : Information Technology Services Center Hong Kong University of Science
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
Apple Inc. Certificate Policy and Certification Practice Statement Version 2.0 Effective Date: April 10, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.
COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...
Equens Certificate Policy WebServices and Connectivity Final H.C. van der Wijck 11 March 2015 Classification: Open Version 3.0 Version history Version no. Version date Status Edited by Most important edit(s)
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015 Table of Contents 1. Introduction... 5 1.1. Trademarks...
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.8 Effective Date: June 11, 2012 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2.
THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Last Revision Date: June 28, 2007 Version: 3.0 Published By: RSA Security Inc. Copyright 2002-2007 by
Certification Practice Statement Date: February 21, 2008 Version: 1.0.1 Table of Contents Document History... 1 Acknowledgments... 1 1. Introduction... 2 1.1 Overview... 3 1.2 Ford Motor Company Certificate
Gandi CA Certification Practice Statement Gandi SAS 15 Place de la Nation Paris 75011 France Version 1.0 TABLE OF CONTENTS 1.INTRODUCTION...10 1.1.Overview...10 1.2.Document Name and Identification...10
ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0 June 30, 2004 Table of Contents Table of Contents...2 1 Introduction...3 1.1 Overview...3 1.1.1 General Definitions...4
SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION I. DEFINITIONS For the purpose of this Service Description, capitalized terms have the meaning defined herein. All other capitalized
PKI Belgium Government CA Government AA Certification Practice Statement 184.108.40.206.1.1.3 220.127.116.11.18.104.22.168 22.214.171.124.126.96.36.199 188.8.131.52.184.108.40.206 220.127.116.11.1.1.6 18.104.22.168.22.214.171.124 126.96.36.199.1.1.3 188.8.131.52.184.108.40.206
Certification Practice Statement 1.0 INTRODUCTION 1.1 OVERVIEW The Federal Reserve Banks ( FRBs ), utilizing Public Key Infrastructure ( PKI ) technology and operating as a Certification Authority ( FR-CA
VeriSign Trust Network Certificate Policies Version 2.8.1 Effective Date: February 1, 2009 VeriSign, Inc. 487 E. Middlefield Road Mountain View, CA 94043 USA +1 650.961.7500 http//:www.verisign.com - 1-
GlobalSign Subscriber Agreement for DocumentSign Digital ID for Adobe Certified Document Services (CDS) Version 1.1 PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE DIGITAL CERTIFICATE ISSUED TO YOU
Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement Version 2.2 Document OID: 220.127.116.11.4.1.36318.104.22.168.2 February 2012 Contents
Federal Reserve Certification Authority (FR-CA) Certification Practice Statement for United States Treasury Auctions 1.0 INTRODUCTION 1.1 OVERVIEW The Federal Reserve Bank of New York ( FRBNY ) acts as
Internet Security Research Group (ISRG) Certificate Policy Version 1.0 Updated May 5, 2015 Approved by ISRG Policy Management Authority ISRG Web Site: https://letsencrypt.org Page 1 of 83 Copyright Notice
PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority
SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates Version March 2004 Version 2004-03 SwissSign Gold CP/CPS Page 1 of 66 Table of Contents 1. INTRODUCTION...9 1.1 Overview...
Class 3 Registration Authority Charter Version 1.0 applicable from 09 November 2010 Building A, Cambridge Park, 5 Bauhinia Street, Highveld Park, South Africa, 0046 Phone +27 (0)12 676 9240 Fax +27 (0)12
Fraunhofer Corporate PKI Certification Practice Statement Version 1.1 Published in June 2012 Object Identifier of this Document: 22.214.171.124.4.1.7126.96.36.199.1 Contact: Fraunhofer Competence Center PKI Fraunhofer
SAUDI NATIONAL ROOT-CA CERTIFICATE POLICY Document Classification: Public Version Number: 2.5 Issue Date: June 25, 2015 National Center for Digital Certification Policies and Regulations Department Digitally
Post.Trust Certificate Authority Certification Practice Statement CA Policy and Procedures Document Issue date: 03 April 2014 Version: 188.8.131.52 Release Contents DEFINITIONS... 6 LIST OF ABBREVIATIONS...
NCDC GOVERNMENT-CA PKI DISCLOSURE STATEMENT Document Classification: Public Version Number: 1.5 Issue Date: June 11, 2015 Copyright 2015 National Center for Digital Certification, Kingdom of Saudi Arabia.
TR-GRID CERTIFICATION AUTHORITY CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Version 2.3 May 15, 2014 Table of Contents TABLE OF CONTENTS:... 2 1. INTRODUCTION... 7 1.1 OVERVIEW... 7 1.2 DOCUMENT
Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States www.globessl.com TABLE OF CONTENTS 1. INTRODUCTION...
e-authentication guidelines for esign- Online Electronic Signature Service Version 1.0 June 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry of Communications
THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY July 2011 Version 2.0 Copyright 2006-2011, The Walt Disney Company Version Control Version Revision Date Revision Description Revised
Advantage Security Certification Practice Statement Version 3.8.5 Effective Date: 01/01/2012 Advantage Security S. de R.L. de C.V. Prol. Paseo de la Reforma # 625 Int 402, Col Paseo de las Lomas. Del Alvaro
Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages
Federal Public Key Infrastructure (FPKI) Compliance Audit Requirements July 10, 2015 Version REVISION HISTORY TABLE Date Version Description Author 10/15/09 0.0.1 First Released Version CPWG Audit WG 11/18/09
TR-GRID CERTIFICATION AUTHORITY CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Version 2.1 January, 2009 Table of Contents: TABLE OF CONTENTS:...2 1. INTRODUCTION...7 1.1 OVERVIEW...7 1.2 DOCUMENT
Certification Practice Statement Internet Security Research Group (ISRG) Version 1.0 Updated May 5, 2015 Approved by ISRG Policy Management Authority Web Site: https://letsencrypt.org Page 1 of 11 Copyright
REGISTRATION WWW..CO.ZA Eskom Registration Authority Charter Version 2.0 applicable from 20 November 2009 Megawatt Park Maxwell Drive Sunninghill, SOUTH AFRICA, 2157 Phone +27 (0)11 800 8111 Fax +27 (0)11
Visa Public Key Infrastructure Certificate Policy (CP) Version 1.7 Effective: 24 January 2013 2010-2013 Visa. All Rights Reserved. Visa Public Important Note on Confidentiality and Copyright The Visa Confidential
Symantec External Certificate Authority Key Recovery Practice Statement (KRPS) Version 2 24 April 2013 (Portions of this document have been redacted.) Symantec Corporation 350 Ellis Street Mountain View,
TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT Version 2.0 Effective Date: 14 April 2015 TABLE OF CONTENTS 1. INTRODUCTION 1.1 Overview 1.2 Document name and identification 1.3 PKI participants 1.3.1
Comodo Certification Practice Statement Notice: This CPS should be read in conjunction with the following documents:- * LiteSSL addendum to the Certificate Practice Statement * Proposed Amendments to the
Application ID Number (For Official Use only) APPLICATION FOR DIGITAL CERTIFICATE Instructions: 1. Please fill the form in BLOCK LETTERS ONLY. 2. All fields are mandatory. 3. Present one (1) copy and the
[Draft] Bangladesh Bank Certification Authority (BBCA) Certification Practice Statement (CPS) Version: 1.00 August, 2015 Bangladesh Bank Page 2 of 42 Document Reference Title Document Type Bangladesh Bank
Registration Authority Charter Version 3.0 is applicable from Effective Date Inyanda House 21 Wellington Road Parktown, 2193 Phone +27 (0)11 544 9368 Fax +27 (0)11 544 9599 Website: http://www.transnet.co.za/
phicert Direct Certificate Policy and Certification Practices Statement Version 1. 1 Effective Date: March 31, 2014 Copyright 2013-2014 EMR Direct. All rights reserved. [Trademark Notices] phicert is a
Polish Grid Certification Authority Certificate Policy and Certification Practice Statement version 0.4 (DRAFT ) September 2, 2002 1 1 Introduction 1.1 Overview This document is written according to the
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
Trustwave Subscriber Agreement for Digital Certificates Ver. 11JUL14 PLEASE READ THIS AGREEMENT AND THE TRUSTWAVE CERTIFICATION PRACTICES STATEMENTS ( CPS ) CAREFULLY BEFORE USING THE CERTIFICATE ISSUED
EBIZID EBIZID CPS Certification Practice Statement Version 1.02 Contents 1 General 7 1.1 EBIZID 7 1.2 Digital Certificates 7 1.3 User Interaction for Selecting a Certification Service 7 1.4 EBIZID Registration
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
thawte Certification Practice Statement Version 3.7.5 Effective Date: 4 June, 2012 (All CA/Browser Forum-specific requirements are effective on July 1, 2012) thawte Certification Practice Statement 2012
Introduction Symantec Managed PKI Service for Windows Service Description Symantec Managed PKI Service for Windows provides a flexible PKI platform to manage complete lifecycle of certificates, which includes:
Certification Practice Statement March 2009 1. Overview 1.1 What is a Certification Practice Statement? A certification practice statement is a statement of the practices that a Certification Authority
DigiCert Certificate Policy and Certification Practice Statement DigiCert, Inc. Version 3.03 March 15, 2007 333 South 520 West Lindon, UT 84042 USA Tel: 1-801-805-1620 Fax: 1-801-705-0481 www.digicert.com
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
Certification Practice Statement Version 2.0 Effective Date: October 1, 2006 Continovation Services Inc. (CSI) Certification Practice Statement 2006 Continovation Services Inc. All rights reserved. Trademark
TC TrustCenter GmbH Certification Practice Statement NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certification Practice Statement is published in conformance
Trustis FPS PKI Glossary of Terms The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate
GlobalSign Subscriber Agreement for DomainSSL Certificates Version 1.3 PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE DIGITAL CERTIFICATE ISSUED TO YOU OR YOUR ORGANISATION. BY USING THE DIGITAL
thawte Certification Practice Statement Version 2.3 Effective Date: July, 2006 thawte Certification Practice Statement 2006 thawte, Inc. All rights reserved. Printed in the United States of America. Revision
DigiCert Certification Practice Statement DigiCert, Inc. Version 2.22 June 01, 2005 333 South 520 West Orem, UT 84042 USA Tel: 1-801-805-1620 Fax: 1-801-705-0481 www.digicert.com 1 General...7 1.1 DigiCert,
REGISTRATION AUTHORITY (RA) POLICY Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. INDEX Contenido 1. LEGAL FRAMEWORK... 4 1.1. Legal Base...
Operational Research Consultants, Inc. Non Federal Issuer Certificate Policy Version 1.0.1 Operational Research Consultants, Inc. 11250 Waples Mill Road South Tower, Suite 210 Fairfax, Virginia 22030 June
CERTIFICATE POLICY/ CERTIFICATION PRACTICE STATEMENT May 22, 2006 Version 2.00 SECOM Trust Systems Co.,Ltd. Revision History Version Date Description V1.00 2003.08.01 Initial Draft (Translated from Japanese
Subscriber Agreement for Certificates PLEASE READ THIS AGREEMENT AND MICROS CERTIFICATION PRACTICES STATEMENTS ("CPS") CAREFULLY BEFORE USING THE CERTIFICATE ISSUED TO YOUR ORGANIZATION. BY USING THE CERTIFICATE,
Preface This Key Recovery Policy (KRP) is provided as a requirements document to the External Certification Authorities (ECA). An ECA must implement key recovery policies, procedures, and mechanisms that
(CP) (For SSL, EV SSL, OSC and similar electronic certificates) VERSION : 09 DATE : 01.12.2014 1. INTRODUCTION... 10 1.1. Overview... 10 1.2. Document Name and Identification... 11 1.3. Participants...
GlobalSign Subscriber Agreement for PersonalSign and DocumentSign for Adobe CDS Certificates Combined Agreement for epki (US) Version 1.1 PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE DIGITAL CERTIFICATE
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
Trustwave Holdings, Inc Certificate Policy and Certification Practices Statement Version 2.9 Effective Date: July 13, 2010 This document contains Certification Practices and Certificate Policies applicable
ING Public Key Infrastructure Certificate Practice Statement Version 5.3 - June 2015 Colophon Commissioned by Additional copies ING Corporate PKI Policy Approval Authority Additional copies of this document
CERTUM QCA PKI Disclosure Statement v1.1 1 Certum QCA PKI Disclosure Statement Version 1.1 Effective date: 1 st of April, 2016 Status: valid Asseco Data Systems S.A. ul. Żwirki i Wigury 15 81-387 Gdynia
Your consent to our cookies if you continue to use this website.