HKUST CA. Certification Practice Statement

Transcription

1 HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of Science & Technology

2 Table of Contents 1. Introduction Overview Scope of HKUST CA Certification Services HKUST CA Identity Publication Further Information HKUST CA Certification Infrastructure Overview Certificate Classes Personal e-cert Personal (Smartcard) e-cert Secure Server e-cert Developer e-cert Role e-cert Certificate Class Properties Certification Authority (CA) Registration Authority (RA) Certificate Repository Certificate Application Overview Application for Personal e-cert Application for Personal (Smartcard) e-cert Application for Secure Server e-cert Application for Developer e-cert Application for Role e-cert Validation of Certificate Application Overview Validation Requirements for Certificate Application Approval of Certificate Application Rejection of Certificate Application Certificate Issuance Overview Issuance & Publication Refusal Certificate Validity and Operational Periods Certificate Format Certificate Revocation Overview General Reasons for Revocation Revocation of a HKUST CA Certificate Revocation at Certificate Owner s Request Certificate Expiration Overview Certificate Expiry...20 Hong Kong University of Science & Technology ii

3 7.3 Certificate Renewal Rights and obligations Rights and obligations of Certificate Owners Rights and obligations of HKUST CA Liability Liability of Certificate Owner Liability of HKUST CA Use of Certificates Appendices Sample Letter for Secure Server e-cert Application Sample Letter for Developer e-cert Application Sample Letter for Role e-cert Application...29 Hong Kong University of Science & Technology iii

4

5 1. Introduction 1.1 Overview This HKUST CA Certification Practice Statement (CPS) describes the practices and standards employed by HKUST CA to perform Certification Authority Services and to exhibit trust by providing evidence of the methods used to manage and complete tasks associated with certificate generation. 1.2 Scope of HKUST CA Certification Services HKUST CA Certification Services are designed to support secure electronic transactions and other general security services to satisfy HKUST users for digital signatures and other network security services. To accomplish this, HKUST CA serves as a trusted third party, issuing, managing, renewing and revoking certificates in accordance with published practices. The services offered by HKUST CA include the following: Certificate Application Certificate Issuance Certificate Publication Certificate Expiry Certificate Revocation Online Certificate Status Protocol (OCSP) support Certificate Revocation List (CRL) Management 1.3 HKUST CA Identity HKUST CA certifies certificates in the name of the organization detailed below. Company Name: Registered Offices: Hong Kong University of Science and Technology Hong Kong University of Science and Technology Information Technology Services Center Clear Water Bay Kowloon Hong Kong Hong Kong University of Science & Technology 1

6 Telephone: (852) Fax: (852) Electronic mail: 1.4 Publication This HKUST CA Certification Practice Statement is published in electronic form at Further Information HKUST user acknowledges that HKUST CA has provided him/her with sufficient information to become familiar with digital certificates before applying for, using, and relying upon a certificate. For more information about this CPS or information related to HKUST CA services, please contact our HKUST Certification Authority at [email protected]. Hong Kong University of Science & Technology 2

7 2. HKUST CA Certification Infrastructure 2.1 Overview HKUST CA acts as a trusted third party to facilitate the confirmation of identity within HKUST community. Such confirmation is expressly represented by a certificate, i.e. a message which is digitally signed and issued by HKUST CA. The high-level management of this certification process includes registration, naming, appropriate applicant authentication, issuance, revocation and audit-trail generation. HKUST CA currently offers distinct levels of certification services. Each level, or class of certificate provides specific functionality and security features. Certificate applicants choose from this set of service qualities according to their needs. Depending on the class of certificate desired, certificate applicants may apply electronically to HKUST CA, and they may be required to apply in person by visiting the HKUST Certification Authority. 2.2 Certificate Classes HKUST CA currently supports distinct certificate classes within the CPS. Each class provides for a designated level of trust. The following sections describe each certificate class in detail. Please note that the descriptions for each certificate class do not represent an endorsement or recommendation by HKUST CA for any particular application or purpose, and they must not be relied upon as such. Users must independently assess and determine the appropriateness of each class of certificate for any particular purpose Personal e-cert Personal e-cert certificates are currently issued to individuals only. Personal e-cert certificates provide important assurances of the identity of individual certificate owners by requiring their personal (physical) appearance before a Registration Authority Officer with a valid proof of identity like HKUST Staff/Student ID card. They are typically used for services, online purchases, on-line subscription services or other web-based services. Hong Kong University of Science & Technology 3

8 2.2.2 Personal (Smartcard) e-cert Personal (Smartcard) e-cert certificates are currently issued to individuals with a valid HKUST Card. Personal (Smartcard) e-cert certificates provide important assurances of the identity of individual certificate owners who holds the HKUST Card specific to himself/herself. They are typically used for services, online purchases, on-line subscription services or other web-based services Secure Server e-cert Secure Server e-cert certificates are currently issued to departmental servers in HKUST only. Department Head or Inter-departmental Liaison Person (IDLP) can submit a signed Secure Server e-cert certificates Request for servers in their department. Secure Server e-cert certificates can provide assurance of the existence and name of servers within HKUST. Secure Server e-cert certificates are used primarily for secure web servers communication on a secure channel Developer e-cert Developer e-cert certificates are currently issued to departments in HKUST only. Department Head or Inter-departmental Liaison Person (IDLP) can submit a signed Developer e-cert certificates Request for developers of their department. Developer e-cert certificates can provide assurance of the identity of the developer within HKUST. Developer e-cert certificates are used by developers primarily for the signature of objects like software Role e-cert Role e-cert certificates are currently issued to departments requiring a digital certificate to carry out their administrative work. The Role e-cert will, in general, bind to a Departmental Network Account. Hong Kong University of Science & Technology 4

9 2.2.6 Certificate Class Properties Summary of Confirmation of Identity Certificate Applicant Private Key Protection Possible Applications Personal e-cert Automated unambiguous ITSC Network Account authentication plus personal presence plus HKUST Staff / Student ID Cards Verification Encryption software (PIN protected) required , online purchases, on-line subscription services, password replacement, software validation Personal (Smartcard) e-cert Automated unambiguous ITSC Network Account authentication plus HKUST Card and/or personal presence Encryption software (PIN protected) required, Smart Card as security tokens supported , online purchases, on-line subscription services, password replacement, software validation Summary of Confirmation of Identity Certificate Applicant Private Key Protection Possible Applications Secure Server e-cert Developer e-cert Role e-cert Records provided by the Records provided by the applicant and independent applicant and independent call-backs call-backs call-backs Encryption software (PIN protected) required Secure web-server communication Encryption software (PIN protected) required Object signing Records provided by the applicant and independent Encryption software (PIN protected) required, Smart Card as security tokens supported , online purchases, on-line subscription services, password replacement, software validation Hong Kong University of Science & Technology 5

10 2.3 Certification Authority (CA) HKUST Certification Authority operates in accordance with this CPS and issues, manages, and revokes Personal e-cert, Personal (Smartcard) e-cert, Secure Server e-cert, Developer e- Cert and Role e-cert certificates. Functions include the following: Certificate Application Certificate Issuance Certificate Publication Certificate Expiry Certificate Revocation Online Certificate Status Protocol (OCSP) support Certificate Revocation List (CRL) Management To ensure modest security level, Certification Authority will accept Certificate Request from HKUST card owners or approved from Registration Authority Officer on the Registration Authority Console only. A Personal e-cert is required to validate the identity of the Registration Authority Officer and a Secure Server e-cert is issued to Registration Authority Console to ensure secure server communication. HKUST CA NEITHER GENERATES NOR HOLDS the private keys of Certificate Applicants. HKUST CA s private key is secured against compromise via trustworthy hardware products. 2.4 Registration Authority (RA) HKUST Registration Authority evaluates and approves or rejects certificate applications, exclusively on behalf of the HKUST CA that actually issues the certificates. Registration Authority Officer is an assigned person to coordinate certificate applications and validate certificate applicants identity and confirm the information they provide during the application process. The type, scope and extent of confirmation depend upon the class of certificate and various other factors. Registration Authority Manager is an assigned person, who must be a different person other than the Registration Authority Officer, to approve certificate applications, depend upon the class of certificate, after the validation procedure performed by the Registration Authority Officer and ensure that the whole certification application procedure is performed according to the practice in this CPS. Hong Kong University of Science & Technology 6

11 Registration Authority Console is a console machine being setup for the Registration Authority Officer to submit certificate request to the Certification Authority after getting the approval from the Registration Authority Manager. The machine can communicate with Certification Authority (CA) server to handle digital certificate request in a Certification Process. It is installed on different machine from the Certification Authority Server that it serves. 2.5 Certificate Repository Certificate Internal Database is a database to keep track of the pending certificate request, issued or revoked certificate, private Certificate Revocation List (CRL), etc. Only RA and CA have the rights to update this database. A web user interface will be provided for users to query the status of their certificate requests and any issued or revoked certificate. Various fields in certificate, such as serial no, expiry date, subject name, etc will be indexed. This will allow faster queries based on these standard attributes. A high performance directory server, based on the IETF LDAP standard, is used as a public repository of Certificate Revocation List (CRL), user and CA certificates. Its design is based on the RFC 2587 schema. A standard LDAP interface will be provided to native client for retrieving certificate for applications like S/MIME or SSL client authentication. Hong Kong University of Science & Technology 7

12 3. Certificate Application 3.1 Overview This section describes the Certificate Application Process. It includes the requirements for key pair generation and protection and lists the information required for each class of certificate. Currently, there are 5 types of certificate application for HKUST CA services. Application for Personal e-cert Application for Personal (Smartcard) e-cert Application for Secure Server e-cert Application for Developer e-cert Application for Role e-cert 3.2 Application for Personal e-cert All person desiring a Personal e-cert shall contemporaneously complete the following general procedures. Authenticate with a valid ITSC Network Account and Password. Submit a certificate application to HKUST CA and accept the Certificate Practice Statement of HKUST CA via a web interface provided by HKUST CA on a secure channel. Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair. Protect the private key of this key pair from compromise. Prove their identity to Registration Authority Officer in person with HKUST Staff / Student ID Card. Fill in a registration form and accept the Certificate Practice Statement acknowledge by the Registration Authority Officer. HKUST CA communicates an on-line enrolment process to the certificate applicant. By completing this on-line enrolment process via a secure channel, the certificate applicant then affirms that : Certificate applicant information is accurate. Certificate applicant has read, understands and accepts the Certificate Practice Statement. Hong Kong University of Science & Technology 8

13 Certificate applicant accepts the certificates issued by HKUST CA. The certificate applicant proves his / her identity by submitting a signed copy of the registration form when going personally to the Registration Authority Officer. Upon completion of specified validation procedures, HKUST CA sends an to the address that was previously provided by the certificate applicant in the certification application. This contains an URL that authorises the certificate applicant to obtain the certificate from HKUST CA. 3.3 Application for Personal (Smartcard) e-cert All person desiring a Personal (Smartcard) e-cert shall contemporaneously complete the following general procedures. Authenticate with a valid ITSC Network Account and Password. Submit a certificate application to HKUST CA and accept the Certificate Practice Statement of HKUST CA via a web interface provided by HKUST CA on a secure channel. Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair. Protect the private key of this key pair from compromise on HKUST Card. HKUST CA communicates an on-line enrolment process to the certificate applicant. By completing this on-line enrolment process via a secure channel, the certificate applicant then affirms that : Certificate applicant information is accurate. Certificate applicant has read, understands and accepts the Certificate Practice Statement. Certificate applicant accepts the certificates issued by HKUST CA. For staff/students who have signed the acknowledgment slip receiving their HKUST Card through Personnel Office or Admissions, Registration & Records Office, identity verification process will be done automatically. The certificate will be downloaded to the HKUST Card if the applicants choose an address in their certification application same as their ITSC network account suffixed by domain. For applicants have choose their departmental address in the certification application, HKUST CA sends an to their departmental address and this contains a token that authorises the certificate applicant to obtain the certificate from HKUST CA. Hong Kong University of Science & Technology 9

14 For staff/students who did not sign any acknowledgment slip receiving their HKUST Card, they will need to prove his / her identity by submitting a signed copy of the registration form when going personally to the Registration Authority Officer. Upon completion of specified validation procedures, HKUST CA sends an to the address that was previously provided by the certificate applicant in the certification application. This contains an URL that authorises the certificate applicant to obtain the certificate from HKUST CA. 3.4 Application for Secure Server e-cert Department desiring a Secure Server e-cert shall contemporaneously complete the following general procedures. Authenticate with ITSC Network Account and Password from a technical person in their department. Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair. Protect the private key of this key pair from compromise. Submit a signed certificate application letter with hand-written signature of an authorized person in the department like Department Head or Inter-departmental Liaison Person and hand-written signature of the technical person to HKUST CA. A sample letter can be found in Appendices for reference. HKUST CA communicates an on-line enrolment process to the certificate applicant. By completing this on-line enrolment process via a secure channel, the certificate applicant then affirms that : Certificate applicant information is accurate. Certificate applicant has read, understands and accepts the Certificate Practice Statement. Certificate applicant accepts the certificates issued by HKUST CA. Upon completion of specified validation procedures, HKUST CA sends an to the address that was previously provided by the certificate applicant in the certification application. This contains an URL that authorises the certificate applicant to obtain the certificate from HKUST CA. 3.5 Application for Developer e-cert Department desiring a Developer e-cert shall contemporaneously complete the following general procedures. Hong Kong University of Science & Technology 10

15 Authenticate with ITSC Network Account and Password from a technical person in their department. Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair. Protect the private key of this key pair from compromise. Submit a signed certificate application letter with hand-written signature of an authorized person in the department like Department Head or Inter-departmental Liaison Person and hand-written signature of the technical person to HKUST CA. A sample letter can be found in Appendices for reference. HKUST CA communicates an on-line enrolment process to the certificate applicant. By completing this on-line enrolment process via a secure channel, the certificate applicant then affirms that : Certificate applicant information is accurate. Certificate applicant has read, understands and accepts the Certificate Practice Statement. Certificate applicant accepts the certificates issued by HKUST CA. Upon completion of specified validation procedures, HKUST CA sends an to the address that was previously provided by the certificate applicant in the certification application. This contains an URL that authorises the certificate applicant to obtain the certificate from HKUST CA. 3.6 Application for Role e-cert Department desiring a Role e-cert shall contemporaneously complete the following general procedures. Submit a signed application of an authorized person in the department like Department Head or Inter-departmental Liaison Person to HKUST CA. A sample letter can be found in Appendices for reference. Successful applicant shall receive notification from HKUST CA about collection of the Departmental Admin Card and related e-cert password. By acknowledge receipt of the Role e-cert (s), certificate applicant then affirms that : Certificate applicant information is accurate. Certificate applicant has read, understands and accepts the Certificate Practice Statement. Certificate applicant accepts the certificates issued by HKUST CA. Hong Kong University of Science & Technology 11

16 Hong Kong University of Science & Technology 12

17 4. Validation of Certificate Application 4.1 Overview This section presents the requirements for validation of certificate applications to be performed by HKUST CA. It also explains the procedures for applications that fail validation. 4.2 Validation Requirements for Certificate Application Upon receipt of a certificate application, HKUST CA shall perform all required validations as a prerequisite to certificate issuance. Particularly for Personal e-cert Applications, the applicants must appear personally before an Registration Authority Officer to facilitate the confirmation of their identity. Once a certificate is issued, HKUST CA shall have no continuing duty to monitor and investigate the accuracy of the information in a certificate, unless HKUST CA is notified in accordance with this CPS of that certificate s compromise. The following tables highlight certain differences between the validation requirements for each certificate class. HKUST CA reserves the right to update these validation procedures to improve the validation process. Hong Kong University of Science & Technology 13

18 Personal e-cert Personal (Smartcard) e-cert Method 1 * Method 2 ** HKUST Card No Yes Yes Personal Yes No Yes Presence ITSC Network Yes Yes Yes Account Authentication Submission of Yes No Yes Hard Copy Application Form HKUST Staff / Yes Yes Yes Student ID Card Validation (Automated) Submission by Department Head or IDLP Only No No No * Method 1: Signed the acknowledgment slip receiving their HKUST Card through Personnel Office or Admissions, Registration & Records Office ** Method 2: Did not sign any acknowledgment slip receiving their HKUST Card via Personnel Office or Admissions, Registration & Records Office Hong Kong University of Science & Technology 14

19 Personal Presence ITSC Network Account Authentication Submission of Hard Copy Application Form HKUST Staff / Student ID Card Validation Submission by Department Head or IDLP Only Secure Server e-cert Developer e-cert Role e-cert No No No Yes Yes No Yes Yes No (via signed ) No No Yes (During collection of the Departmental Admin Card) Yes Yes Yes (Signed using the HKUST e-cert) 4.3 Approval of Certificate Application Upon successful performance of all required validations of certificate application, HKUST CA shall approve the application. Approval is demonstrated by issuing a certificate according to this CPS. 4.4 Rejection of Certificate Application If a validation fails, HKUST CA shall reject the certificate application by promptly notifying the certificate applicant of the validation failure and providing a reason for such failure. Such notice shall be communicated to the certificate applicant using the same method as was used to communicate the certificate application to HKUST CA. A person whose certificate application has been rejected may thereafter reapply. Hong Kong University of Science & Technology 15

20 5. Certificate Issuance 5.1 Overview This section presents more information about the issuance of certificates. 5.2 Issuance & Publication Upon approving a certificate application, HKUST CA issues a certificate. The issuance of a certificate indicates a complete and final approval of the certificate application by HKUST CA. The issued certificate and the corresponding public key will be published to the HKUST Certificate Repository and the HKUST LDAP Directory server for public access. HKUST CA NEITHER GENERATES NOR HOLDS the private keys of Certificate Applicants or Certificate owners. 5.3 Refusal HKUST CA may refuse to issue a certificate to any person, at its sole discretion, without incurring any liability or responsibility for any loss or expenses arising out of such refusal. 5.4 Certificate Validity and Operational Periods All certificates shall be considered valid upon: Issued by HKUST CA, and Published on HKUST LDAP Directory Server, and Is not on the HKUST CA Certificate Revocation List, and Has not expired, and Can be verified by a valid HKUST Certification Authority certificate. The standard operational periods for the various classes of certificates are as follows, subject to earlier termination of the operational period due to revocation. Hong Kong University of Science & Technology 16

21 Validity Period starting from the date of certificate issuance by HKUST CA Personal e-cert Personal (Smartcard) e-cert Secure Server e-cert Developer e-cert Role e-cert 3 year 3 year 3 year 3 year 3 year 5.5 Certificate Format The format of all certificates issued by HKUST CA is in accordance with ISO/IEC 9594 X.509 Version 3 plus any HKUST specific extensions. Hong Kong University of Science & Technology 17

22 6. Certificate Revocation 6.1 Overview This section explains the circumstances under which a certificate may or must be revoked. It also details the procedures for revoking certificates. 6.2 General Reasons for Revocation A certificate shall be revoked if There has been a loss, theft, modification, unauthorised disclosure, or other compromise of the private key of the certificate s subject. The certificate s subject has breached a material obligation under this CPS. The performance of a person s obligations under this CPS is delayed or prevented by a natural disaster, computer or communications failure, or other cause beyond the person s reasonable control, and as a result another person s information is materially threatened or compromised. There has been a modification of the information contained in the certificate of the certificate s subject. 6.3 Revocation of a HKUST CA Certificate HKUST CA must make a reasonable effort to revoke a certificate if it determines any of the following: A material fact represented in the certificate is known or reasonably believed by HKUST CA to be false. A material prerequisite to certificate issuance was not satisfied. The private key or trustworthy system was compromised in a manner materially affecting the certificate s reliability. Hong Kong University of Science & Technology 18

23 The certificate s subject has breached a material obligation under this CPS. 6.4 Revocation at Certificate Owner s Request The certificate Owner must make a formal request to HKUST CA to revoke their certificate. The request must be made either the following ways. Sending a paper Certificate Revocation Request form to HKUST CA. The form must be signed with the same signature as on the original application for the certificate and/or with a valid proof of identity. On-Line Submission of a digitally signed Certificate Revocation Request Form. The online submission of the Certificate Revocation Request Form must be digitally signed by a valid HKUST CA certificate. Hong Kong University of Science & Technology 19

24 7. Certificate Expiration 7.1 Overview This section provides information about Certificate Expiry and Renewal procedures. 7.2 Certificate Expiry HKUST CA will undertake a reasonable effort to notify certificate Owners thirty (30) days before the expiration date, via , of the impending expiration of their certificates. Such notice is intended solely for the convenience of the certificate Owner in the renewal process. 7.3 Certificate Renewal Personal e-cert or Personal (Smartcard) e-cert certificate can be renewed via the HKUST Certificate Management System before the expiration of the certificate. For Secure Server e-cert, Developer e-cert and Role e-cert certificate renewal, certificate Owner should submit a signed written request to HKUST CA before the expiration. Request received after the expiration of the certificate will not be accepted. Requirements for renewal are subject to change at HKUST CA s discretion. Hong Kong University of Science & Technology 20

25 8. Rights and obligations 8.1 Rights and obligations of Certificate Owners HKUST user acknowledges that HKUST CA has provided him/her with sufficient information to become familiar with digital certificates before applying for, using, and relying upon a certificate. By applying a certificate issued by HKUST CA, the applicant certifies to and agrees with HKUST CA and to all who reasonably rely on the information contained in the certificate that, at the time of acceptance and throughout the operational period of the certificate, until notified otherwise by the certificate owner, of the following points: All representations made by the certificate owner to HKUST CA regarding the information contained in the certificate are true. All information contained in the certificate is true to the extent that the certificate owner had knowledge or notice of such information. Each digital certificate created using the private key corresponding to the public key listed in the certificate is the digital certificate of the certificate owner and the certificate has been accepted and is operational (not expired or revoked) at the time the digital certificate is created. No unauthorised person has ever had access to the certificate owner's private key. The certificate owner is an end-user certificate owner and not an Issuing Authority, and will not use the private key corresponding to any public key listed in the certificate for purposes of signing any certificate (or any other format of certified public key) or CRL, as an Issuing Authority or otherwise, unless expressly agreed in writing between certificate owner and HKUST CA. By accepting a certificate, the certificate owner assumes a duty to retain control of the certificate owner's private key, to use a trustworthy system, and to take reasonable precautions to prevent its loss, disclosure, modification, or unauthorized use. The user must revoke his / her certificate when there has been a loss, theft, modification, unauthorized disclosure, or other compromise of the private key of the certificate with HKUST CA. By accepting a certificate, the certificate owner agrees to indemnify and hold HKUST CA harmless from any acts or omissions resulting in liability, any loss or damage, and any suits and expenses of any kind that HKUST CA may incur, that are caused by the use or publication of a certificate and that arises from: Falsehood or misrepresentation of fact by the certificate owner. Hong Kong University of Science & Technology 21

26 Failure by the certificate owner to disclose a material fact, if the misrepresentation or omission was made negligently or with intent to deceive HKUST CA or any person receiving or relying on the certificate. Failure to protect the certificate owner's private key, to use a trustworthy system, or to otherwise take the precautions necessary to prevent the compromise, loss, disclosure, modification or unauthorized use of the certificate owner's private key. 8.2 Rights and obligations of HKUST CA HKUST CA neither generates nor holds the private keys of certificate owners. Also HKUST CA cannot ascertain or enforce any particular private key protection requirements of any applicant or certificate owner. Upon receipt of a certificate application, HKUST CA shall perform all required validations as a prerequisite to certificate issuance, as follows: The certificate applicant is the person identified in the request (in accordance with and only to the extent provided in the certificate class descriptions). The information to be listed in the certificate is accurate, except for non-verified certificate owner information. Once a certificate is issued, HKUST CA shall have no continuing duty to monitor and investigate the accuracy of the information in a certificate. Unless otherwise provided in the CPS or mutually agreed upon by both HKUST CA and the certificate owner in an authenticated record, HKUST CA promises to the certificate owner named in the certificate that There are no mis-representations of fact in the certificate known to HKUST CA or originating from HKUST CA, There are no data transcription errors as received by HKUST CA from the certificate applicant resulting from a failure of HKUST CA to exercise reasonable care in creating the certificate. The certificate meets all material requirements of the CPS. Unless otherwise provided in this CPS or mutually agreed upon by both HKUST CA and the certificate owner in an authenticated record, HKUST CA promises to the certificate owner to make reasonable efforts: To promptly revoke certificates upon request of the certificate owner. To notify certificate owners of any facts known to it that materially affect the validity and reliability of the certificate it issued to such certificate owner. Upon certificate owner's acceptance of the certificate, and checking by HKUST CA, HKUST CA shall publish a copy of the certificate in the HKUST CA repository and in one or more Hong Kong University of Science & Technology 22

27 other repositories, as determined by HKUST CA. Certificate owners may publish their HKUST CA certificates in other repositories. HKUST CA provides the controls and foundation for PKI. Hong Kong University of Science & Technology 23

28 9. Liability 9.1 Liability of Certificate Owner Without limiting other certificate owner obligations stated in the CPS, certificate owners are liable for any mis-representation they make in certificates to third parties that, reasonably rely on the representations contained therein. 9.2 Liability of HKUST CA HKUST CA Does not warrant the accuracy, authenticity, completeness or fitness of any unverified information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of HKUST CA. Shall not incur liability for representations of information contained in a certificate, provided the certificate content substantially complies with the CPS. Does not warrant "non-repudiation" of any certificate or message (because nonrepudiation is determined exclusively by law and the applicable dispute resolution mechanism). Hong Kong University of Science & Technology 24

29 10. Use of Certificates HKUST CA and "users" of the certificate, (i.e., the certificate owner and the relying parties), are notified of the following rules governing the respective rights and obligations of the parties among themselves: Verification of Digital Certificates Verification of a digital certificate shall be undertaken as follows: Checking with the HKUST CA (or other) repository for revocation of certificates. To verify a digital certificate, it is necessary to know precisely what data has been signed. In the case of public key cryptography standards (PKCS), a standard signed message format is specified to accurately denote the signed data. To support non-repudiation, the data to which the corresponding digital certificate is attached must include, or reference, a time stamp. The time stamp shall reflect the time at which date and time the digital certificate is affixed. Failure of Digital Certificate Verification A person relying on an unverifiable digital certificate assumes all risks with regard to it and is not entitled to any presumption that the digital certificate is effective as the certificate of the certificate owner. Security Measures Any person using or relying upon a HKUST CA certificate in conjunction with a message shall apply reasonable security measures to the message to provide message authentication and, as required, to support data confidentiality. Revocation A certificate shall be revoked under circumstances like: There has been a loss, theft, modification, unauthorised disclosure, or other compromise of the private key of the certificate's subject. The certificate's subject (whether HKUST CA or a certificate owner) has breached a material obligation under the CPS. The performance of a person's obligations under the CPS is delayed or prevented by an act of God, natural disaster, computer or communications failure, or other cause beyond the person's reasonable control, and as a result another person's information is materially threatened or compromised. Hong Kong University of Science & Technology 25

30 HKUST CA must make a reasonable effort to revoke a certificate, if it determines any of the following: A material fact represented in the certificate is known or reasonably believed by HKUST CA to be false. A material prerequisite to certificate issuance was neither satisfied nor waived. The private key or trustworthy system was compromised in a manner materially affecting the certificate's reliability. The certificate's subject has breached a material obligation under the CPS. Hong Kong University of Science & Technology 26

31 11. Appendices 11.1 Sample Letter for Secure Server e-cert Application <Department Letter Head> Attention: HKUST Certification Authority Information Technology Services Center Hong Kong University of Science and Technology Clear Water Bay Kowloon Hong Kong <Date> Application for Secure Server e-cert I, <Name of Applicant>, hereby approve the use of a HKUST CA Secure Server e-cert for secure and authenticated electronic transactions. I hereby represent that I am fully authorized to make such approval, and that I understand that a digital certificate acts as a department stamp or director s signature for the purposes of electronic commerce, and that the management of the private keys associated with such certificates is the responsibility of our technical staff or contractors. The contents of that certificate are as follows: Server Domain Name : <Server Name> e.g. ccms01.ust.hk Department : <Department Name> e.g. Information Technology Services Center The person responsible for key management and security is fully authorized to install and utilise the certificate to represent this organization s electronic presence. Authorizing Signatory <Full Name> <Post> <Telephone Number> < address> <Signature> Technical Signatory <Full Name> <Post> <Telephone Number> < address> <Signature> Our department stamp appears below. <Department Stamp> Hong Kong University of Science & Technology 27

32 11.2 Sample Letter for Developer e-cert Application <Department Letter Head> Attention: HKUST Certification Authority Information Technology Services Center Hong Kong University of Science and Technology Clear Water Bay Kowloon Hong Kong <Date> Application for Developer e-cert I, <Name of Applicant>, hereby approve the use of a HKUST CA Developer e-cert for secure and authenticated electronic software distribution. I hereby represent that I am fully authorized to make such approval, and that I understand that a digital certificate acts as a department stamp or director s signature for the purposes of electronic commerce, and that the management of the private keys associated with such certificates is the responsibility of our technical staff or contractors. The contents of that certificate are as follows: Developer Description : <Name of Developer and Project Team> Department : <Department Name> e.g. Information Technology Services Center The person responsible for key management and security is fully authorized to install and utilise the certificate to represent this organization s electronic presence. Authorizing Signatory <Full Name> <Post> <Telephone Number> < address> <Signature> Technical Signatory <Full Name> <Post> <Telephone Number> < address> <Signature> Our department stamp appears below. <Department Stamp> Hong Kong University of Science & Technology 28

33 11.3 Sample Letter for Role e-cert Application [Signed addressed to signed by applicant s HKUST Personal (Smartcard) e-cert or HKUST Personal e-cert] Subject: Application for Role e-cert Body: Attention: HKUST Certification Authority Information Technology Services Center, HKUST On behalf of <Department>, I would like to apply for HKUST CA Role e-cert for the following departmental account(s): Departmental Admin Card ID Departmental Account(s) N/A <Account A>, <Account B> 2. N/A <Account A> 3. D <Account B> By digitally signed this , I understand that a digital certificate acts as a department stamp for the purposes of electronic commerce, and that the management of the Departmental Admin Card(s) and the private key associated with the certificate(s) are the responsibility of the applicant. Digitally Signed by Applicant: <Full Name> <Post> e.g. IDLP of <Department> <Telephone Number> < address> Hong Kong University of Science & Technology 29