MIB CERTIFICATE POLICY. For Digital Certificate Usage In the MIB Public Key Infrastructure (PKI) Version 1, Revision 2. 1-October-2006.

Transcription

1 MIB CERTIFICATE POLICY For Digital Certificate Usage In the MIB Public Key Infrastructure (PKI) Version 1, Revision 2 1-October-2006 Page 1 of 68

2 Table of Contents 1. Introduction Overview Scope Compliance with Applicable Standards Document name and identification Community and Applicability Certificate authorities Registration authorities Subscriber Applicability Suitable Applications Restricted Applications Prohibited Applications Contact Details Organization administering the document Contact person Person determining CPS suitability for the policy CPS approval procedures General Provisions Obligations CA Obligations RA Obligations Subscriber Obligations Relying Party Obligations Repository Obligations Liability Certification Authority Liability Certification Authority Warranties to Subscribers and Relying Parties Certification Authority Disclaimers of Warranties Certification Authority Limitations of Liability Force Majeure Registration Authority Liability Subscriber Liability Subscriber Warranties Private Key Compromise Relying Party Liability Financial Responsibility Indemnification by Subscribers and Relying Parties Indemnification by Subscribers Indemnification by Relying Parties Fiduciary Relationships Administrative Processes Page 2 of 68

3 2.4 Interpretation and Enforcement Governing Law Severability, Survival, Merger, Notice Dispute Resolution Procedures Disputes Among MIB and The CMA Disputes with Subscribers or Relying Parties Fees Certificate Issuance or Renewal Fees Certificate Access Fees Revocation or Status Information Access Fees Fees for Other Services Such as Policy Information Publication and Repository Publication of CA Information Frequency of Publication Access Controls Repositories Compliance Audit Frequency of Entity Compliance Audit Identity / Qualifications of Auditor Auditor s Relationship to Audited Party Topics Covered by Audit Self-Audits of MIB Actions Taken as a Result of Deficiency Communications of Results Confidentiality and Privacy Types of Information to be Kept Confidential and Private Types of Information Not Considered Confidential or Private Disclosure of Certificate Revocation/Suspension Information Release to Law Enforcement Officials Release as Part of Civil Discovery Disclosure Upon Owner s Request Other Information Release Circumstances Intellectual Property Rights Property Rights in Certificates and Revocation Information Property Rights in the CP Property Rights in Names Property Rights in Keys and Key Material Identification and Authentication Initial Registration Types of Names Need for Names to be Meaningful Rules for Interpreting Various Name Forms Uniqueness of names Name Claim Dispute Resolution Procedure Recognition, Authentication, and Role of Trademarks Method to Prove Possession of Private Key Page 3 of 68

4 3.1.8 Authentication of organization identity Authentication of Individual Identity Routine Rekey and Renewal Renewal of Subscriber Certificates Routine Rekey and Renewal for CA Certificates Rekey After Revocation Revocation Request Operational Requirements Certificate Application Certificate Applications for Subscriber Certificates Certificate Applications for CA and RA Certificates CA Certificates RA Certificates Certificate Issuance Issuance of Subscriber Certificates Issuance of CA and RA Certificates Certificate Acceptance Certificate Suspension and Revocation Circumstances for Revocation Circumstances for Revoking Subscriber Certificates Circumstances for Revoking CA, RA, or Infrastructure Certificates Subscribers Terminating a Relationship with MIB Who Can Request Revocation Who Can Request Revocation of a Subscriber Certificate Who Can Request Revocation of a CA or RA Certificate Procedure for Revocation Request Procedure for Requesting the Revocation of a Subscriber Certificate Procedure for Requesting the Revocation of a CA or RA Certificate Revocation Request Grace Period Circumstances for Suspension Who Can Request Suspension Procedure for Suspension Request Limits on Suspension Period CRL Issuance Frequency Certificate Revocation List Checking Requirements On-Line Revocation/Status Checking Availability On-Line Revocation Checking Requirements Other Forms of Revocation Advertisements Available Checking Requirements for Other Forms of Revocation Advertisements Special Requirements Regarding Key Compromise Security Audit Procedures Types of Events Recorded by CAs, its CMA, and RAs Frequency of Processing Log Retention Period for Audit Log Protection of Audit Log Audit Log Backup Procedures Page 4 of 68

5 4.5.6 Audit Collection System Notification to Event-Causing Subject Vulnerability Assessments Records Archival Types of Records Archived Retention Period for Archive Protection of Archive Archive Backup Procedures Requirements for Time-Stamping of Records Archive Collection System Procedures to Obtain and Verify Archive Information Key Changeover Compromise and Disaster Recovery Corruption of Computing Resources, Software, and/or Data Secure Facility After a Natural or Other Type of Disaster Key Compromise CA Termination Physical, Procedural, and Personnel Security Controls Physical Controls Site Location and Construction CA and RA Physical Access Power and Air Conditioning Water Exposures Fire Prevention and Protection Media Storage Waste Disposal Off-Site Backup Procedural Controls Trusted Roles Number of Persons Required Per Task Identification and Authentication for Each Role Personnel Controls Background, Qualifications, Experience, and Clearance Requirements Background Check Procedures Training Requirements Retraining Frequency and Requirements Job Rotation Frequency and Sequence Sanctions for Unauthorized Actions Contracting Personnel Requirements Documentation Supplied to Personnel Technical Security Controls Key Pair Generation and Installation Key Pair Generation Private Key Delivery to Entity Public Key Delivery to Certificate Issuer CA Public Key Delivery to Users Page 5 of 68

6 6.1.5 Key Sizes Public Key Parameters Generation Parameter Quality Checking Hardware/Software Key Generation Key Usage Purposes Private Key Protection Standards for Cryptographic Modules Private Key (n out of m) Multi-Person Control Private Key Escrow Private Key Backup Private Key Archival Private Key Entry into Cryptographic Module Method of Activating Private Key Subscriber Private Keys Administrators Private Keys Method of Deactivating Private Key Method of Destroying Private Key Other Aspects of Key Pair Management Public Key Archival Usage Periods for the Public and Private Keys Activation Data Activation Data Generation and Installation Subscribers Administrators Activation Data Protection Other Aspects of Activation Data Activation Data Transmission Computer Security Controls Specific Computer Security Technical Requirements Computer Security Rating Life Cycle Technical Controls System Development Controls Software Controls Hardware Controls Security Management Controls Life Cycle Security Ratings Network Security Controls Cryptographic Module Engineering Controls Certificate and CRL Profile Certificate Profile Version Number(s) Certificate Extensions Key Usage Certificate Policies Extension Subject Alternative Names Basic Constraints Page 6 of 68

7 Extended Key Usage CRL Distribution Points Authority Key Identifier Subject Key Identifier Algorithm Object Identifiers Name Forms Name Constraints Certificate Policy Object Identifier Usage of Policy Constraints Extension Policy Qualifiers Syntax and Semantics Processing Semantics for the Critical Certificate Policy Extension CRL Profile Version Number(s) CRL and CRL Entry Extensions Specification Administration Specification Change Procedures Items that Can Change Without Notification Items that Can Change with Notification List of Items Notification Mechanism Comment Period Mechanism to Handle Comments Changes Requiring Changes in the Certificate Policy OID or CP Pointer Publication and Notification Policies Items Not Published in the CP Distribution of the CP CP Approval Procedures Definitions BIBLIOGRAPHY Page 7 of 68

8 1. INTRODUCTION This document defines MIB s general requirements for Digital Certificates and basic commitments to its Subscribers. Many of the terms and acronyms used in this document may be foreign to the reader. If the reader is unfamiliar with PKI technologies he/she should read Section B of the ABA PAG. It is recommended that one familiarize oneself with these terms as defined in section 9. (From this point forward section references shall be indicated as CP 9). 1.1 Overview MIB Group, Inc. and its subsidiary companies MIB, Inc. and MIB Solutions, Inc. (hereinafter collectively referred to as MIB ), is a provider of Internet-based risk management and knowledge services to the financial services industry, including, but not limited to the exchange of confidential information of underwriting significance with respect to proposed insureds and insurance claimants among member companies in the North American insurance industry. Due to the nature of the information exchanged, MIB needs to provide these services in a manner as may best protect the accuracy and confidential nature of the information so exchanged and protect the privacy of those about whom the information pertains. Hence, MIB has a need for information security to conduct sensitive business transactions electronically, to streamline internal operations, to provide better service to customers and business partners and to maintain a competitive edge. Information security entails maintaining the confidentiality, integrity and availability of information. Confidentiality means that the information will not be disclosed to, or accessed by unauthorized persons; integrity means that the information remains fit for its purpose and is not corrupted; availability means that it is ready when required by authorized personnel. Towards attaining this goal for securing information assets and electronic transactions, MIB has undertaken a strategic initiative to deploy Public Key Infrastructure (PKI) technology. A Public Key Infrastructure (PKI) is a combination of hardware and software products, policies and procedures. It enables transparent, seamless, and trustworthy e-business transactions between entities. It enables security between parties that have an established business relationship such that the parties can communicate securely through a Chain of Trust. PKI is based on digital IDs known as Digital Certificates, which act like electronic passports. A PKI should consist of: A Security Policy; Certificate Authority (CA); Registration Authority (RA); Page 8 of 68

9 Certificate distribution system; Certificate revocation system; PKI-enabled Applications; Properly educated PKI Administrators and Subscribers; and An active audit mechanism The Certificate Policy sets out and defines an organization s top-level direction on PKI security, as well as the policies governing the PKI. Typically, it will include statements on how the organization will handle keys and valuable information, and will set the level of control required to match the levels of risk. This document, the Certificate Policy (CP), describes at a general level the overall business, legal, and technical infrastructure requirements of MIB s current and future PKI implementations. More specifically, it describes, among other things: Appropriate applications for, and the assurance levels associated with, each Type of Certificate; Obligations of Certification Authorities, Registration Authorities, and Subscribers; Legal matters that must be defined in related MIB Subscriber Agreements; Methods to confirm the identity of Certificate Applicants for each Type of Certificate; Operational procedures for Certificate lifecycle services: Certificate Applications, issuance, acceptance, revocation, and renewal; Operational security procedures for audit logging, records retention, and disaster recovery; Physical, personnel, key management, and logical security; Certificate and Certificate Revocation List content; and Administration of the CP, including methods of amending it Scope The scope of this Certificate Policy (CP) applies only to the requirements of MIB PKI implementations. It documents MIB s general policy for Digital Certificates to ensure that applicable electronic data transmissions are secure, that data integrity and confidentiality is maintained. This CP assumes that the reader is generally familiar with PKI, Digital Signatures and MIB PKI application plans. A glossary appears in CP 9 to assist the reader with unfamiliar terms. Additional reading can be obtained by referring to the Bibliography in CP 10. The MIB PKI includes three Types of Certificates, Types 1-3. The CP describes how these three Types correspond to three classes of applications with common security requirements. The CP is a single document that defines the applicable policy for the Page 9 of 68

10 three Types of Certificates. The associated CPS shall define additional identification, authentication, and technical requirements as needed for the three Types of Certificates. MIB currently provides three distinct types of certification services, Types 1-3, for both the wired and wireless Internet and other networks. Each level, or Type, of Certificate provides specific functionality and security features and corresponds to a specific level of trust. Type 1 Certificates, issued only to individuals, provide the lowest level of assurances within the MIB PKI. They provide assurances that the Subscriber s distinguished name is unique and unambiguous within MIB s PKI and that a certain address is associated with a public key. They are appropriate for digital signatures, encryption, and access control for non-commercial or low-assurance transactions where proof of identity is unnecessary. Type 2 Certificates, issued to individuals or devices, provide a medium level of assurances within the MIB PKI. They provide assurances of the identity of the Subscriber or device based on a comparison of information submitted by the Certificate applicant against information in business records or databases or the database of a MIBapproved identity proofing service. They can be used for digital signatures, encryption, and access control, including as proof of identity in medium-assurance transactions. Type 3 Certificates provide the highest level of assurances within the MIB PKI. Type 3 Certificates may be issued to individuals, devices, or organizations. Type 3 Certificates may be used for digital signatures, encryption, and access control, including as proof of identity, in high-assurance transactions. Type 3 Certificates provide assurances of the identity of the Subscriber based on the personal (physical) presence of the Subscriber (or an authorized representative, in the case of an device or organization) before a person (MIB RA) that confirms the identity of the Subscriber using a well-recognized form of government-issued identification and one other identification credential Compliance with Applicable Standards The structure of this CP generally corresponds to the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, known as RFC 2527 of the Internet Engineering Task Force (IETF), an Internet standards body. The RFC 2527 framework has become a standard in the PKI industry. This CP serves to define MIB s certificate policies within the meaning of RFC This CP conforms to the RFC 2527 framework in order to make policy mapping and comparisons, assessment, and interoperation easier for persons using or considering using MIB's PKI services. MIB has conformed the CP to the RFC 2527 structure where possible, although slight variances in title and detail are necessary because of the nature of the MIB s business models. While MIB intends to continue the policy of adhering to RFC 2527 in the future, MIB reserves the right to vary from the RFC 2527 structure as needed to enhance the Page 10 of 68

11 quality of the CP or its suitability to the needs of MIB. Moreover, the CP s structure may not correspond to future versions of RFC Document name and identification This document defines the following certificate policy with corresponding object identifiers: MIB s Certificate Policy whose object identifier is: The certificate policy includes the text within this document that corresponds to all Types of MIB Certificates generically, as well as the text that may apply to specific Types of Certificates. 1.3 Community and Applicability Certificate authorities MIB shall act as the Certificate Authority and may choose to outsource specific duties to an authorized agent. Implementation specifics shall be identified in the appropriate CPS document. Certificate Authority is an umbrella term that refers to entities that issue Certificates to Subscribers or other CAs subordinate to them in the hierarchy. The MIB PKI encompasses an offline root CA that is contractually capable of signing (creating) three subordinate Issuing CAs. Currently, the subordinate CAs in operation, have the following classifications: Application CAs: These CAs will issue subscriber certificates to identified and approved participants per the applicable MIB CPS and Subscriber Agreements. (Subscribers will largely use their Certificates for authentication to application servers.) Test CAs: These CAs will issue subscriber certificates strictly for testing the functionality of the PKI. Certificates issued by an MIB Test CA shall not be used to conduct normal business transactions and shall not be required to be compliant with this CP. Page 11 of 68

12 1.3.2 Registration authorities MIB shall act as the Registration Authority and may choose to outsource specific duties to an authorized agent. Implementation specifics shall be identified in the appropriate CPS document. The Registration Authority is responsible for the identification and authentication of certificate subjects on behalf of a CA, but does not sign or issue certificates Subscriber A Subscriber is an entity that is named in a certificate and has possession of the corresponding private key. Depending upon the PKI-related application, MIB PKI shall include a specific set of subscribers that include, but are not limited to: Devices; Employees; Customers; or Business Partners Applicability This CP applies to all MIB PKI Participants as entities in the domain of MIB. This CP describes the policies governing the use of Certificates within MIB s PKI implementation. Each Type of Certificate is generally appropriate for use with the applications set forth in MIB CP Suitable Applications Currently, the appropriate use of MIB PKI certificates is restricted to the following functions: Page 12 of 68

13 Authentication; Identification; Digital Signatures; SSL; Encrypting data; and Decrypting data. MIB reserves the right to modify the suitable application of certificate usage as defined in CP at any time to accommodate changes within MIB s various PKI implementations Restricted Applications Certificates issued under this CP shall be used only for functions permitted under CP and shall not be used for any other purposes. MIB Certificates are limited in function. For example, CA Certificates may not be used for any functions except CA functions. Moreover, Subscriber Certificates are intended for Subscriber Authentication and encryption to applications and shall not be used any other purpose. Administrator Certificates shall only be used to perform Administrator functions. More generally, MIB Certificates shall be used only to the extent use is consistent with this MIB CP, the MIB CPS, the MIB Subscriber Agreement, and applicable law, and in particular shall be used only to the extent permitted by applicable export or import laws Prohibited Applications MIB Certificates are not designed, intended, or authorized for use or resale as control equipment in hazardous circumstances or for uses requiring fail-safe performance where failure could lead directly to death, personal injury, or severe environmental damage. 1.4 Contact Details Organization administering the document The organization administering this CP is the MIB Certificate Policy Management Board (CPMB). CP contains contact information for the CPMB Contact person No specific contact person is named in this document. Please send inquiries to: CPMB@mib.com or MIB CPMB 50 Braintree Hill Park Braintree, MA Page 13 of 68

14 1.4.3 Person determining CPS suitability for the policy The persons determining whether the CPS of a Certificate Authority is suitable for this CP are the members of the CPMB CPS approval procedures MIB s Certificate Policy Management Board shall be responsible for determining the CPS approval procedures. For questions regarding the CPS approval procedure, please see CP GENERAL PROVISIONS 2.1 Obligations CA Obligations CAs perform the specific obligations appearing throughout this CP. MIB shall reserve the right to outsource specific functions of a CA s operations to third parties provided the third parties adhere to the obligations of this CP. In addition, MIB shall ensure that Subscriber Agreements bind Subscribers to their obligations within the MIB PKI domain. Examples of such requirements may include, but are not limited to, requiring a hardcopy signature assent to a Subscriber Agreement as a condition of enrollment. MIB PKI will use Subscriber Agreements specific to them that shall include the provisions required by MIB CP RA Obligations MIB RAs assist a CA by performing validation functions, approving or rejecting Certificate Applications, requesting revocation of Certificates, and approving renewal requests. The provisions of this MIB CP and the applicable MIB CPS, describe in more detail the specific obligations of the MIB RAs. In performing their services, RAs shall comply with all MIB policies Subscriber Obligations CAs, in their CPSs, and/or the subscriber agreements they or their RAs use, shall require that subscribers: Provide accurate information on their certificate applications; May require the Subscriber to generate their private keys and activation data; Protect their private keys and the activation data for their private keys in accordance with CP 6.1.1, 6.2, 6.4; Use their certificates in accordance with CP 1.3.4; Notify the CA or RA that approved the subscriber s certificate application in the event that either Page 14 of 68

15 - the subscriber knows or suspects that a loss, theft, disclosure, unauthorized use, or unauthorized modification of the subscriber s private key or its activation data has occurred, or - the information within the certificate is incorrect or has changed; and Manifest assent to the applicable subscriber agreement as a condition of obtaining a certificate Relying Party Obligations MIB PKI currently does not use a Relying Party Agreement, due to the fact that all relying parties of the MIB PKI are actually subscribers. In the future, or if determined necessary, Relying Party Agreements within MIB s PKI domain shall state that before any act of reliance, Relying Parties must independently assess the appropriateness of the use of a Certificate for any given purpose and determine that the Certificate will, in fact, be used for an appropriate purpose. CAs shall, in their CPSs and/or relying party agreements, require that relying parties, as a condition of reliance on a certificate: Use the certificates of subscribers in accordance with CP 1.3.4; and Successfully carry out the cryptographic operations needed to perform the applications described in CP using the appropriate hardware and/or software (for example, a party relying on a certificate to verify a digital signature in an should rely on the certificate only if his or her system states that the signature is valid);and MIB Subscribers, when relying upon MIB certificates other than their own certificate shall be required to check the status of all certificates in the chain before relying upon them Repository Obligations The repository shall be accessible by all MIB PKI Participants. Each CA shall maintain a repository that makes available, at a minimum, the following information: The CA s CPS, both current and past versions; The subscriber agreements; The relying party agreements, if applicable; Copies of certificates; Certificate revocation lists ( CRLs ) and optionally an online certificate status database for web-based or online certificate status protocol ( OCSP ) queries; and A copy of or link to this CP. Repositories may include directories that can be accessed using the lightweight directory access protocol ( LDAP ). Page 15 of 68

16 2.2 Liability Certification Authority Liability Certification Authority Warranties to Subscribers and Relying Parties MIB s Subscriber Agreements shall include a warranty to Subscribers that: There are no material misrepresentations of fact in the Certificate known to or originating from the entities approving the Certificate Application or issuing the Certificate; There are no errors in the information in the Certificate that were introduced by the entities approving the Certificate Application or issuing the Certificate as a result of a failure to exercise reasonable care in managing the Certificate Application or creating the Certificate; Their Certificates meet all material requirements of this CP; and Revocation services and use of a repository conform to this CP in all material aspects. If applicable, MIB s Relying Party Agreements contain a warranty to Relying Parties who reasonably rely on a Certificate that: Certificate status information is accessible; All information in or incorporated by reference in such Certificate, except nonverified Subscriber Information, is accurate; and The entities approving the Certificate Application and issuing the Certificate have substantially complied with this CP when issuing the Certificate Certification Authority Disclaimers of Warranties To the extent permitted by applicable law, MIB s Subscriber Agreements and Relying Party Agreements disclaim, and other Subscriber Agreements shall disclaim, MIB s possible warranties, including any warranty of merchantability or fitness for a particular purpose Certification Authority Limitations of Liability To the extent permitted by applicable law, MIB Subscriber Agreements and Relying Party Agreements shall limit the liability of MIB and its CMA. Without limiting the generality of the foregoing, MIB shall not be liable for any indirect, consequential, or incidental damages, even if notified of the possibility of such damages. They also include the following liability caps (See Table 1) limiting MIB damages concerning a specific Certificate: Type Type 1 Type 2 Type 3 Liability Caps One Hundred U.S. Dollars ($ US) One Thousand U.S. Dollars ($ 1, US) Five Thousand U.S Dollars ($ 5, US) Page 16 of 68

17 Table 1 Liability Caps Force Majeure To the extent permitted by applicable law, MIB s Subscriber and Relying Party Agreements shall include a force majeure clause protecting MIB and its CMA Registration Authority Liability The warranties, disclaimers of warranty, and limitations of liability between an RA and the CA it is assisting are set forth and governed by the agreements between them. MIB shall use Subscriber Agreements in accordance with this CP , which have their own warranties, disclaimers, and limitations. MIB warranties, disclaimers of warranty, and limitations of liability apply to Subscribers whose Certificate Applications are approved by MIB RAs. If applicable and Relying Party Agreements are used, MIB warranties, disclaimers of warranty, and limitations of liability shall apply to Relying Parties relying on Certificates resulting from the Certificate Applications approved by MIB RAs Subscriber Liability Subscriber Warranties MIB s Subscriber Agreements shall require Subscribers to warrant that: Each digital signature created using the private key corresponding to the public key listed in the Certificate is the digital signature of the Subscriber; The Certificate has been accepted by the named Subscriber and is operational (not expired or revoked) at the time the digital signature is created; No unauthorized person has or will ever have access to the Subscriber s private signing or authentication key; All representations made by the Subscriber in the Certificate Application submitted by the Subscriber are true; All information supplied by the Subscriber and contained in the Certificate is true; The Certificate is being used exclusively for authorized and legal purposes, consistent with this CP; and The Subscriber is not a CA, and is not using the private key corresponding to any public key listed in the Certificate for purposes of digitally signing any Certificate (or any other form of certified public key) or CRL, as a CA or otherwise Private Key Compromise This CP sets forth MIB Standards, as defined in this CP and the applicable CPS(s) for the protection of the private keys of Subscribers, which are included by virtue of this CP language in Subscriber Agreements. Subscriber Agreements shall state that Subscribers failing to meet the MIB Standards are solely responsible for any loss or damage resulting from such failure. Page 17 of 68

18 2.2.4 Relying Party Liability Subscriber Agreements and Relying Party Agreements shall require Relying Parties to acknowledge that they have sufficient information to make an informed decision as to the extent to which they choose to rely on the information in a Certificate, that they are solely responsible for deciding whether or not to rely on such information, and that they shall bear the legal consequences of their failure to perform the Relying Party obligations in this CP Financial Responsibility Indemnification by Subscribers and Relying Parties Indemnification by Subscribers To the extent permitted by applicable law, Subscriber Agreements shall require Subscribers to indemnify MIB CAs, their RAs and their CMA for: Falsehood or misrepresentation of fact by the Subscriber on the Subscriber s Certificate Application; Failure by the Subscriber to disclose a material fact on the Certificate Application, if the misrepresentation or omission was made negligently or with intent to deceive any party; The Subscriber s failure to protect the Subscriber s private key, to use a Trustworthy System, or to otherwise take the precautions necessary to prevent the compromise, loss, disclosure, modification, or unauthorized use of the Subscriber s private key; or The Subscriber s use of a name (including without limitation, within a common name, domain name, or address) that infringes upon the Intellectual Property Rights of a third party Indemnification by Relying Parties To the extent permitted by applicable law, Subscriber Agreements and Relying Party Agreements shall require Relying Parties to indemnify MIB CAs, their RAs and their CMA for: The Relying Party s failure to perform the obligations of a Relying Party; The Relying Party s reliance on a Certificate that is not reasonable under the circumstances; or The Relying Party s failure to check the status of such Certificate to determine if the Certificate is expired or revoked Fiduciary Relationships To the extent permitted by applicable law, MIB CAs and their RAs shall disclaim any and all fiduciary duties toward subscribers or any other persons or entities participating in the MIB PKI. Subscriber Agreements and Relying Party Agreements shall disclaim any fiduciary relationship between MIB RAs and Subscribers and/or Relying Parties. Page 18 of 68

19 2.3.3 Administrative Processes MIB shall have sufficient financial resources to maintain their PKI operations and perform their duties. MIB must be reasonably able to bear the risk of liability to Subscribers and Relying Parties. 2.4 Interpretation and Enforcement Governing Law Subject to any limitations of applicable law, the laws of the Commonwealth of Massachusetts, USA, shall govern the enforceability, construction, interpretation, and validity of this CP, irrespective of contract or other choice of law provisions and without the requirement to establish a commercial nexus in a specific state. This choice of law is made to ensure uniform procedures and interpretation for all MIB PKI Participants, no matter where they are located. This governing law provision applies only to this CP. Agreements incorporating the CP by reference may have their own governing law provisions, provided that this CP governs the enforceability, construction, interpretation, and validity of the terms of the CP separate and apart from the remaining provisions of any such agreements, subject to any limitations appearing in applicable law. This CP is subject to applicable national laws, rules, regulations, ordinances, decrees, executive orders and orders including, but not limited to, restrictions on exporting or importing software, hardware, or technical information Severability, Survival, Merger, Notice To the extent permitted by applicable law, MIB s Subscriber Agreements and Relying Party Agreements contain, and other Subscriber Agreements shall contain severability, survival, merger, and notice clauses. A severability clause in an agreement prevents any determination of the invalidity or unenforceability of a clause in the agreement from impairing the remainder of the agreement. A survival clause specifies the provisions of an agreement that continue in effect despite the termination or expiration of the agreement. A merger clause states that all understandings concerning the subject matter of an agreement are incorporated in the agreement. A notice clause in an agreement sets forth how the parties are to provide notices to each other. If any provision of this CP is found to be invalid or unenforceable, then this CP will be deemed amended by modifying such provision to the extent necessary to make it valid and enforceable while preserving its intent, or if that is not possible, by striking the provision and enforcing the remainder of this CP Dispute Resolution Procedures Disputes Among MIB and The CMA Disputes between MIB and their CMA shall be resolved pursuant to provisions in the applicable agreements among the parties. Page 19 of 68

20 Disputes with Subscribers or Relying Parties To the extent permitted by applicable law, Subscriber Agreements and Relying Party Agreements shall contain a dispute resolution clause. These procedures shall define a negotiation period, specify the court of jurisdiction for litigation for U.S. residents, or, in the case of all other claimants, arbitration administered by the International Chamber of Commerce ( ICC ) in accordance with the ICC Rules of Conciliation and Arbitration. 2.5 Fees Certificate Issuance or Renewal Fees MIB shall reserve a right to charge Subscribers for the issuance, management, and renewal of Certificates. MIB reserves the right to recover the cost of replacing lost tokens or smart cards, if used in the MIB PKI Certificate Access Fees MIB shall reserve the right to charge a fee as a condition of making a Certificate available in a repository or otherwise making Certificates available to Relying Parties Revocation or Status Information Access Fees MIB shall not charge a fee as a condition of making the CRLs (required by MIB CP 4.4.9) available in a repository or otherwise available to Relying Parties. They shall, however, be entitled to charge a fee for providing customized CRLs, OCSP services, or other value-added revocation and status information services Fees for Other Services Such as Policy Information MIB shall not charge a fee for access to this CP or the applicable CPS. Any use made for purposes other than simply viewing the document, such as reproduction, redistribution, modification, or creation of derivative works, is subject to a license agreement with VeriSign holding the copyright to the document. 2.6 Publication and Repository Publication of CA Information MIB Certificates, certificate status information, and non-sensitive PKI documentation shall be published and made available to relying parties through various query methods. Methods include, but are not limited to: LDAP, web page, or OCSP. At the discretion of MIB, Certificates may be accessible only via a search using the Certificate s serial number Frequency of Publication Updates to this CP are published in accordance with this CP 8. Updates to Subscriber Agreements and Relying Party Agreements are published as necessary. Certificates are published upon issuance. Certificate status information is published in accordance with CP and Page 20 of 68

21 2.6.3 Access Controls MIB shall not intentionally use technical means of limiting read access of subscribers or Relying Parties to this CP, the applicable CPS(s), Certificates, Certificate status information, or CRLs. MIB shall, however, require persons not covered under a Subscriber Agreement, to agree to a Relying Party Agreement or CRL Usage Agreement as a condition to accessing Certificates, Certificate status information, or CRLs. MIB shall implement controls to prevent unauthorized persons from adding, deleting, or modifying repository entries Repositories See CP and Compliance Audit MIB shall undergo a periodic Compliance Audit to ensure compliance with MIB standards after they begin operations. The compliance audit requirements appear within the subsections of CP 2.7 and the applicable CPS 2.7. In addition to compliance audits, MIB and its CMA shall be entitled to perform other reviews and investigations to ensure the trustworthiness of the PKI. This provision applies to the root CA and to all subordinate CAs in the Certificate Chain. MIB shall be entitled to delegate the performance of these audits, reviews, and investigations to internal resources or to a third party firm. Entities that are subject to an audit, review, or investigation shall provide reasonable cooperation with MIB and the personnel performing the audit, review, or investigation. All MIB audits, reviews, or investigations reports will be presented solely to the CPMB prior to any other dissemination Frequency of Entity Compliance Audit MIB shall conduct compliance audits of their RA functions at least annually. MIB s CPMB may order an aperiodic inspection or audit of any MIB facility within the MIB CA domain to validate that functions are being operated in accordance with this CP Identity / Qualifications of Auditor Internal reviews and audits performed by MIB, shall be conducted by MIB personnel and/or contractors acting on behalf of MIB, that are accredited security professionals with demonstrated expertise in the performance of IT security and PKI compliance audits. Reviews and audits performed by a third party audit firm shall be performed by accredited computer security professionals employed by a competent security consultancy or a certified public accounting firm with demonstrated expertise in computer security. Such firm shall also have demonstrated expertise in the performance of IT security and PKI compliance audits, and have experienced, certified, auditors on staff. Page 21 of 68

22 2.7.3 Auditor s Relationship to Audited Party The auditor conducting the compliance audit shall be independent of the CPMB, RAs, and System Administrators and shall ensure there is no conflict of interest within the MIB PKI. Any MIB personnel, performing self-audits, shall ensure that no conflict of interest prevents such personnel from rendering an unbiased evaluation of the audited entity Topics Covered by Audit The purpose of a compliance audit of an Entity shall be to verify that the audited entity, subject to the requirements of this CP and its associated CPS, is complying with the requirements of those documents. The compliance audit shall verify that the CA entities and facilities are compliant with all provisions of this CP and the requirements of its associated Certification Practice Statement (CPS) Self-Audits of MIB MIB shall meet its annual Compliance Audit requirement via a self-audit or third party audit, attesting to the satisfaction of the control objectives in the CP and applicable CPS and noting any exceptions or irregularities Actions Taken as a Result of Deficiency With respect to compliance audits of MIB s PKI operations, significant exceptions or deficiencies identified during the Compliance Audit shall result in a determination of actions to be taken. This determination shall be made by the MIB CPMB with input from the auditor and the CMA. MIB CPMB shall be responsible for developing and implementing corrective action plans for systems and functions housed at MIB locations. MIB CPMB will work jointly with their CMA to develop and implement corrective action plans for systems and functions housed externally to MIB. The action plans shall include the decision to 1) continue PKI operations as usual while corrective actions are being executed, 2) continue PKI operations as usual, but at a lower assurance level, or 3) suspend/terminate all PKI operations until the deficiency is remedied. If MIB CPMB determines that such exceptions or deficiencies pose an immediate threat to the security or integrity of the MIB PKI domain or MIB, a corrective action plan shall be developed and implemented without delay. For less serious exceptions or deficiencies, MIB CPMB shall evaluate the significance of such issues and determine the appropriate course of action Communications of Results Following any Compliance Audit, MIB shall provide it s CMA with the annual report and attestations based on its audit or self-audit within fourteen (14) days after the completion of the audit and no later than forty-five (45) days after the anniversary date of commencement of operations. Direct all audit report inquiries to the CPMB. (See CP 1.4.2) Page 22 of 68

23 2.8 Confidentiality and Privacy MIB s privacy policy shall not disclose or sell the names of Certificate Applicants or other identifying information about them, subject to the right of a terminating CA to transfer such information to a successor CA under CP Types of Information to be Kept Confidential and Private The following records of Subscribers shall, subject to MIB CP 2.8.2, be kept confidential and private: CA application records, whether approved or disapproved; Certificate Application records; Transactional records (both full records and the audit trail of such transactions); Audit trail records created or retained the CA; Audit reports created by the CA (to the extent such reports are maintained), or their respective auditors (whether internal or public); Contingency planning and disaster recovery plans; Security measures controlling the operations of MIB CA hardware and software; and Security measures controlling the administration of Certificate services and designated enrollment services Types of Information Not Considered Confidential or Private MIB PKI Participants acknowledge that Certificates, Certificate revocation and other status information, the repository, and information contained within them are not considered Confidential/Private Information. Information not expressly deemed Confidential/Private Information under this CP shall be considered neither confidential nor private. This section is subject to applicable privacy laws, government regulations and collective bargaining agreements Disclosure of Certificate Revocation/Suspension Information See this CP Release to Law Enforcement Officials MIB, its RAs, and Subscribers acknowledge that MIB and its CMA shall be entitled to disclose Confidential/Private Information if, in good faith, MIB believes disclosure is necessary in response to subpoenas and search warrants. This section is subject to applicable privacy laws, government regulations and collective bargaining agreements Release as Part of Civil Discovery MIB, its RAs, and Subscribers acknowledge that MIB and its CMA shall be entitled to disclose Confidential/Private Information if, in good faith, MIB believes disclosure is necessary in response to judicial, administrative, or other legal process during the discovery process in a civil or administrative action, such as subpoenas, interrogatories, requests for admission, and requests for production of documents. This section is subject to applicable privacy laws, government regulations and collective bargaining agreements. Page 23 of 68

24 2.8.6 Disclosure Upon Owner s Request MIB s privacy policy contains provisions relating to the disclosure of Confidential/Private Information to the person disclosing it to MIB. This section is subject to applicable privacy laws, government regulations and collective bargaining agreements Other Information Release Circumstances No stipulation. 2.9 Intellectual Property Rights The allocation of Intellectual Property Rights among the MIB PKI Participants other than Subscribers and Relying Parties is governed by the applicable agreements among such MIB PKI Participants. The following subsections of this CP 2.9 apply to the Intellectual Property Rights in relation to Subscribers and Relying Parties Property Rights in Certificates and Revocation Information The CA minting certificates and generating revocation information shall retain all Intellectual Property Rights in and to the Certificates and revocation information that they issue. MIB shall grant permission to reproduce and distribute Certificates on a nonexclusive royalty-free basis, provided that they are reproduced in full and that use of Certificates is subject to the Relying Party Agreement referenced in the Certificate. MIB shall grant permission to use revocation information to perform Relying Party functions subject to the applicable CRL Usage Agreement, Relying Party Agreement, or any other applicable agreements. The specific certificate licensing relationship between MIB and its CMA shall be covered under a separate contractual vehicle, not within this CP Property Rights in the CP MIB PKI Participants acknowledge that MIB retains all Intellectual Property Rights in and to this CP Property Rights in Names A Certificate Applicant retains all rights it has (if any) in any trademark, service mark, or trade name contained in any Certificate Application and distinguished name within any Certificate issued to such Certificate Applicant Property Rights in Keys and Key Material Key pairs corresponding to Certificates of CAs and Subscribers are the property of the CAs and Subscribers that are the respective Subjects of these Certificates, regardless of the physical medium within which they are stored and protected. Such persons retain all Intellectual Property Rights in and to these key pairs. Finally, without limiting the generality of the foregoing, Secret Shares of a CA s private key are the property of the CA, and the CA retains all Intellectual Property Right in and to such Secret Shares. Page 24 of 68