High Assurance SSL Sub CA Addendum to the Comodo Certification Practice Statement v.3.0

Transcription

1 High Assurance SSL Sub A Addendum to the omodo ertification Practice Statement v.3.0 omodo A, Ltd. High Assurance SSL Sub-A Addendum to Version 3.0 Amendments 21 ctober rd Floor, ffice Village, Exchange Quay, Trafford Road Salford, Manchester, M5 3EQ, United Kingdom

2 Begining ctober 29, 2008, omodo A Ltd. ( omodo ) will begin to issue High Assurance SSL ertificates from its omodo High Assurance Secure Server A intermediary certificate. The purpose of this Addendum to the omodo ertification Practice Statement ( APS ) is to amend version 3.0 of the omodo ertification Practice Statement ( PS ) to include the hierarchy and crl addresses for the certificate chain. All provisions of the PS not specifically amended or added herein remain in full force and effect and where applicable shall apply to the new product offerings. nly the amended portions in this APS are included herein. Nothing in the PS shall be deemed omitted, deleted or amended unless expressly stated in this APS. Headings from the PS are included to identify the location of the Amended information and are not intended to be duplicative. 1 General 1.8 omodo PKI Hierarchy year certificates (InstantSSL and EnterpriseSSL) Entrust ertificates Entrust.net Secure Server ertification Authority (serial number = 37 4a d2 43, expiry = 25 MAY 2019) Entrust omodo Intermediate - TBA (serial number = TBA, expiry = TBA) GTE ertificates End Entity SSL/End Entity Secure (serial number = x, expiry = 1, 2 or 3 years from issuance) GTE ybertrust Root (serial number = 01A5, expiry = 14 August 2018) omodo lass 3 Security Services A (serial number = A, expiry = 27 August 2012) End Entity SSL/End Entity Secure (serial number = x, expiry = 1, 2 or 3 years from issuance) UTN/AddTrust certificates InstantSSL and EnterpriseSSL A Visible on IE compatible browsers as follows: UTN-USERFIRST-Hardware (serial number = 44 be 0c 8b b4 11 d3 36 2a fe 65 0a fd, expiry = 09 July :19:22) End Entity SSL/End Entity Secure (serial number = x, expiry = 1 month or up to 10 year(s) from issuance) ross signed and therefore visible on Netscape compatible browsers as follows: AddTrust External A Root (serial number = 01, expiry = 30/05/ :48:38)

3 UTN-USERFirst-Hardware (serial number = 48 4b ac f1 aa c7 d d1 a , expiry = 30 May :48:38) End Entity SSL/End Entity Secure (serial number = x, expiry = 1 month or up to 10 year(s) from issuance) omodo ertification Authority ertificates Visible on IE compatible browsers as follows: MD ertification Authority (serial number = 4e 81 2d 8a e0 0b 02 ee 3e e5 3d, expiry = 31 Dec ember :59:59 MD High Assurance Secure Server A (serial number = 08 0a c c6f5 e1 4f 19 b c , expiry = 31 December :59:59) End Entity SSL ertificate (serial number = x, expiry = 1 month or up to 5 year(s) from issuance) ross signed and therefore visible on Netscape compatible browsers as follows: AddTrust External A Root (serial number = 01, expiry = 30/05/ :48:38) MD ertification Authority (serial number = 4e 81 2d 8a e0 0b 02 ee 3e e5 3d, expiry = 31 Dec ember :59:59 MD High Assurance Secure Server A (serial number = 08 0a c c6f5 e1 4f 19 b c , expiry = 31 December :59:59) End Entity SSL ertificate (serial number = x, expiry = 1 month or up to 5 year(s) from issuance) omodo SG / Platinum SG / Multi-Domain certificates UTN ertificates Visible on IE compatible browsers as follows: UTN - DATAorp SG (serial number = 44 be 0c 8b b4 11 d3 2a a9 ad 69, expiry = 24 June :06:40) End Entity SSL (serial number = x, expiry = 1 month or up to 10 year(s) from issuance) ross signed and therefore visible on Netscape compatible browsers as follows: AddTrust External A Root (serial number = 01, expiry = 30/05/ :48:38) UTN - DATAorp SG (serial number = 53 7b f 29 7f 14 dc e9 22 ad 2c 79, expiry = 30 May :48:38) End Entity SSL (serial number = x, expiry = 1 month or up to 10 year(s) from issuance) omodo ertification Authority ertificates Visible on IE compatible browsers as follows: UTN - DATAorp SG (serial number = 44 be 0c 8b b4 11 d3 2a a9 ad 69, expiry = 24 June :06:40)

4 MD ertification Authority (serial number = 4e 81 2d 8a e0 0b 02 ee 3e e5 3d, expiry = 31 Dec ember :59:59 MD High Assurance Secure Server A (serial number = 08 0a c c6f5 e1 4f 19 b c , expiry = 31 December :59:59) End Entity SSL ertificate (serial number = x, expiry = 1 month or up to 5 year(s) from issuance) ross signed and therefore visible on Netscape compatible browsers as follows: AddTrust External A Root (serial number = 01, expiry = 30/05/ :48:38) UTN - DATAorp SG (serial number = 53 7b f 29 7f 14 dc e9 22 ad 2c 79, expiry = 30 May :48:38) MD ertification Authority (serial number = 4e 81 2d 8a e0 0b 02 ee 3e e5 3d, expiry = 31 Dec ember :59: Relying Parties MD High Assurance Secure Server A (serial number = 08 0a c c6f5 e1 4f 19 b c , expiry = 31 December :59:59) End Entity SSL ertificate (serial number = x, expiry = 1 month or up to 5 year(s) from issuance) To verify the validity of a digital certificate they receive, relying parties must refer to the ertificate Revocation List (RL) or SP response prior to relying on information featured in a certificate to ensure that omodo has not revoked the certificate. The RL location is detailed within the certificate. SP responses are sent through the omodo SP responder Root A Signing Key Protection and Recovery 90 omodo ertification Authority 153 omodo High Assurance Secure Server A High Assurance SSL ertificates Intermediate for High Assurance SSL ertificates 31 Dec Dec omodo Directories, Repository and ertificate Revocation Lists omodo manages and makes publicly available directories of revoked certificates using ertificate Revocation Lists (RLs). All RLs issued by omodo are X.509v2 RLs, in particular as profiled in RF3280. Users and relying parties are strongly urged to consult the directories of

5 revoked certificates at all times prior to relying on information featured in a certificate. omodo updates and publishes a new RL every 24 hours or more frequently under special circumstances. The RL for end entity certificates can be accessed via the following URLs: crl omodo operates an SP service at omodo s SP responder conforms to RF Revocation information is made immediately available through the SP services. The SP responder and responses are available 24x ertificate Policy (P) omodo Secure Server ertificates InstantSSL / ProSSL / PremiumSSL / PremiumSSL Wildcard / EliteSSL /GoldSSL / PlatinumSSL / PlatinumSSL Wildcard / PremiumSSL Legacy / PremiumSSL Legacy Wildcard / PlatinumSSL Legacy / PlatinumSSL Legacy Wildcard / PlatinumSSL SG Legacy / PlatinumSSL SG Legacy Wildcard / omodo SG SSL / omodo SG SSL Wildcard / Trial SSL / Intranet SSL / ther SSL ertificates Signature Algorithm Issuer (option 1) (not for any SG type) Issuer (option 2) (not for any SG type) Issuer (option 3) for SG types only. Issuer (option 4) (not for any SG type) Issuer (option 5) Sha1 N N L S N L S N N omodo lass 3 Security Services A (c) 2002 omodo Limited Terms and onditions of use: omodo Trust Network omodo Limited GB UTN-USERFIRST-Hardware The USERTRUST Network Salt Lake ity UT US UTN - DATAorp SG The USERTRUST Network Salt Lake ity UT US omodo lass 3 Security Services A (c) 2006 omodo A Limited Terms and onditions of use: omodo Trust Network omodo A Limited GB omodo High Assurance Secure Server A 2008 omodo A Limited

6 Validity Subject Authority Key Identifier Key Usage (Nonritical) Extended Key Usage (Additional usages for SG types only) Netscape ertificate Type Basic onstraint ertificate Policies Terms and onditions of use: omodo Trust Network omodo A Limited GB 1 year / 2 year / 3 year / 4 year / 5 year N ommon Name InstantSSL / ProSSL/PremiumSSL / PremiumSSL Wildcard / EliteSSL /GoldSSL / PlatinumSSL / PlatinumSSL Wildcard / PremiumSSL Legacy / PremiumSSL Legacy Wildcard / PlatinumSSL Legacy / PlatinumSSL Legacy Wildcard / PlatinumSSL SG Legacy / PlatinumSSL SG Legacy Wildcard / omodo SG SSL / omodo SG SSL Wildcard / ther SSL ertificate name / Powered SSL product name (0 or 1 Hosted by [Web Host Reseller Subscriber Name] of) Issued through [EPKI Manager Subscriber Name] (for Intranet SSL only) (for Trial SSL only) L STREET S Postalode Provided by [Powered SSL Subscriber Name] INTRANET USE NLY N WARRANTY ATTAHED MPANY NT VALIDATED TEST USE NLY - N WARRANTY ATTAHED rganization rganization Unit Locality Street State Zip or Postal ode ountry KeyID only is specified. Digital Signature, Key Encipherment(A0) Server Authentication ( ) lient Authentication ( ) Microsoft SG ( ) Netscape SG ( ) SSL lient Authentication, SSL Server Authentication(c0) Subject Type = End Entity Path Length onstraint = None [1] ertificate Policy: PolicyIdentifier = [1,1]Policy Qualifier Info: Policy Qualifier Id = PS Qualifier:

7 RL Distribution Policies [1]RL Distribution Point Distribution Point Name: Full Name: URL=<Primary DP URL> [2]RL Distribution Point Distribution Point Name: Full Name: URL=<Secondary DP URL> (only when the Issuing A is omodo lass 3 Security Services A ) Authority Information Access (omitted when Issuing A is omodo lass 3 Security Services A ) (non-critical) Thumbprint Algorithm Thumbprint [3]RL Distribution Point Distribution Point Name: Full Name: RF822 Name=<RL Request Address> [1]Authority Info Access Access Method = id-ad-caissuers ( ) URL=<Primary AIA URL> [2]Authority Info Access Access Method = id-ad-ocsp ( ) URL = SHA1 omodo MD Signature Algorithm Issuer (ption 1) Issuer (ption 2) Validity Subject Sha1 N UTN - DATAorp SG The USERTRUST Network L Salt Lake ity S UT US N omodo High Assurance Secure Server A 2008 omodo A Limited Terms and onditions of use: omodo Trust Network omodo A Limited GB 1 Year / 2 Year / 3 Year N ommon Name [Name Windows displays as Issued To Typically Entity Name like field] Hosted by [Web Host Reseller Subscriber Name] Issued through [EPKI Manager Subscriber Name] Provided by [Powered SSL Subscriber Name] rganisation rganisation Unit L Locality S Street ountry N Domain Name 1

8 N Domain Name 2 N Domain Name 3 (etc to Domain Name 100) N ommon Name [Name Windows displays as Issued To Typically Entity Name like field] Enhanced Key Usage Server Authentication ( ) lient Authentication ( ) Microsoft SG ( ) Netscape SG ( ) Key Usage (Nonritical) Digital Signature, Key Encipherment(A0) Netscape ertificate Type SSL lient Authentication, SSL Server Authentication(c0) Basic onstraint Subject Type=End Entity Path Length onstraint=none ertificate Policies [1]ertificate Policy: Policy Identifier= [1,1]Policy Qualifier Info: Policy Qualifier Id=PS Qualifier: RL Distribution Points [1]RL Distribution Point Distribution Point Name: Full Name: URL= <Primary DP URL> Authority Information Access (non-critical) [2]RL Distribution Point Distribution Point Name: Full Name: URL=<Secondary DP URL> [1]Authority Info Access Access Method = id-ad-caissuers ( ) URL=<Primary AIA URL> [2]Authority Info Access Access Method = id-ad-ocsp ( ) URL = Subject Alternate Name DNS Name=Domain Name 1 DNS Name=Domain Name 2 DNS Name=Domain Name 3.up to DNS Name=Domain Name 100 Thumbprint Algorithm Thumbprint Effect of Revocation SHA1 Upon revocation of a certificate, the operational period of that certificate is immediately considered terminated. The serial number of the revoked certificate will be placed within the ertificate Revocation List (RL) and remains on the RL until some time after the end of the certificate s validity period. An updated RL is published on the omodo website every 24 hours; however, under special circumstances the RL may be published more frequently. In addition, omodo s systems are configured to pre-generate SP responses using the private key of the certificate. This provides real-time information regarding the validity of the ertificate making the revocation information immediately available through the SP.

9 5.12 Reliance on Unverified Digital Signatures Parties relying on a digital certificate must verify a digital signature at all times by checking the validity of a digital certificate against the relevant RL published by omodo or using the omodo SP responder. Relying parties are alerted that an unverified digital signature cannot be assigned as a valid signature of the subscriber bligations of a Relying Party A party relying on a omodo certificate accepts that in order to reasonably rely on a omodo certificate they must: Minimize the risk of relying on a digital signature created by an invalid, revoked, expired or rejected certificate; the relying party must have reasonably made the effort to acquire sufficient knowledge on using digital certificates and PKI. Study the limitations to the usage of digital certificates and be aware through the Relying Party agreement the maximum value of the transactions that can be made using a omodo digital certificate. Read and agree with the terms of the omodo PS and relying party agreement. Verify a omodo certificate by referring to the relevant RL and the RLs of intermediate A and root A or by checking the SP response using the omodo SP responder. Trust a omodo certificate only if it is valid and has not been revoked or has expired. Rely on a omodo certificate, only as may be reasonable under the circumstances listed in this section and other relevant sections of this PS. Document ontrol This document is the High Assurance SSL Sub-A Addendum to omodo PS Version 3.0, created on 16 ctober 2008 and signed off by the omodo ertificate Policy Authority. omodo A Limited 3rd Floor, ffice Village, Exchange Quay, Trafford Road, Salford, Manchester, M5 3EQ, United Kingdom URL: legal@comodogroup.com Tel: +44 (0) Fax: +44 (0) opyright Notice opyright omodo A Limited All rights reserved. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without prior written permission of omodo Limited. Requests for any other permission to reproduce this omodo document (as well as requests for copies from omodo) must be addressed to: omodo A Limited 3rd Floor, ffice Village, Exchange Quay, Trafford Road,

10 Salford, Manchester, M5 3EQ, United Kingdom