Echoworx Encryption Services UK CA Certificate Policy and Certification Practices Statement

Version 2.8
Document Release: CPS-CA2/
Effective Date: June 18, 2010
Public document (unclassified)

Echoworx Corporation
4101 Yonge Street, Suite 708, Toronto, Ontario M2P 1N6 Canada

Document Control

Version, date, amendment details, author and approver:

- 1.0, Feb 10, 2009: Initial Release. Author: David O'Farrell.
- 2.2, March 26, 2010: Update section 2.17 Acceptable uses and limits on reliance; Updated section 5.7 Event logging; Updated various URLs; Added section Dispute resolution; Added section 5.5 Security management; Added section 5.7 Personnel security; Updated section 5.8 with approximate distance between CA primary and recovery site and actual and suspected CA private key compromise. Author: Greg Aligiannis. Approver: Greg Aligiannis.
- 2.3, Sept. 20, 2010: Correct Fingerprint; Added Section Multi-party controls. Author: Alex Loo. Approver: Greg Aligiannis.
- 2.4, July 7, 2011: Update distance for CA recovery site from 3000 to. Author: Alex Loo. Approver: Greg Aligiannis.
- Feb. 1, 2012: Update section to 2048 for subscriber key. Author: Alex Loo. Approver: Greg Aligiannis.
- 2.6, August 7, 2013: Update section 3.1.2, for CA Key Archive and CA Key destruction. Author: Alex Loo. Approver: Greg Aligiannis.
- 2.7, March 30, 2015: Update section for OCSP support section: 2.3, 2.9, 2.16, , 3.1.1, 4.9, , , , , , , 5.1, 5.3, 5.4, 5.8, Reference A, update certificate to sha2 per microsoft requirement. Author: Alex Loo. Approver: Greg Aligiannis.
- 2.8, July 13, 2015: Correct CRL link, add timestamp info (section 5.10), correction of sha1 to sha2. Author: Alex Loo. Approver: Greg Aligiannis.

Contents

1. Introduction
General practices
  Policy authority
  Policy identification
    Policy object identifiers (OIDs)
  Communities and applicability
  Contact information
  Limits of liability (No Warranty)
  Financial responsibility
  Interpretation and enforcement
    Governing law
    Severability, survival, merger, notice
    Dispute resolution
  Fees
  Publication and repository requirements
  Compliance audit requirements
  Conditions of certificate applicability
  CA obligations
  RA obligations
  Repository obligations
  Subscriber obligations
  Relying party obligations
  Acceptable uses and limits on reliance
CA Key life cycle management
  CA key management
    CA key-pair generation
    CA key archival
    CA key destruction
    CA public key distribution
    CA key changeover
  Subscriber key management
    Subscriber key generation
    Subscriber key storage, backup, recovery
    Subscriber key archival
Subscriber Certificate life cycle management
  Registration using an external RA
  Initial registration of Subscriber
  Certificate renewal
  Routine re-keying
  Re-keying after expiry or revocation
  Subscriber Certificate issuance
  Subscriber Certificate Delivery
  Subscriber Public Certificate distribution
  Certificate revocation
  Certificate suspension
  Certificate status
  Certificate profiles
    CA certificate profile
    Subordinate CA certificate profile
    End-entity certificate profiles
      Class 1 Subscriber (signer key)
      Class 1 Subscriber (cipher key)
      Trusted Escrow Key Authority
      Trusted mail courier agent
    CRL profile
    OCSP profile
  Integrated circuit card (ICC) life cycle management
CA environmental controls
  CP & CPS administration
  CA termination
  Confidentiality
  Intellectual property rights
  Security management
  Personnel security
  Physical security controls
  Business continuity management controls
  Event logging
  Timestamp
References
A. Certificate
B. Definition of Terms

Index of Tables

Table 1 Subordinate CA Certificate Classes
Table 2 Certificate Policy Object Identifiers (OIDs)

1. Introduction

This document constitutes the Certificate Policy (CP) and Certification Practices Statement (CPS) for the certification authority. The purpose of this document is to publicly disclose to subscribers and relying parties the policies and practices under which this certification authority is operated.

NOTE: The Echoworx Root CPS is available at

This document supplements the overarching Certificate Policy (CP) and Certification Practices Statement (CPS) of its issuer, the Echoworx Root CA2 certification authority [RootCA2]. Whereas this document differs therefrom, the authority of this document shall take precedence.

This document has been prepared in accordance with recommended best practices defined by the American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants in the document entitled AICPA/CICA WebTrust SM/TM Program for Certification Authorities, version 1.0, dated 2000/08/25 [WebTrust].

2. General practices

This section addresses general practices with respect to the operation of this CA, including the identification of relevant policies; the target community of interest and applicability of certificates; contact information; limits of liability; financial responsibilities; legal considerations; fees; requirements and obligations of relevant parties; and acceptable usage of certificates and limitations of reliance thereupon.

Policy authority

The governing body of this PKI (Public Key Infrastructure) is the Echoworx Policy Authority (PA), who is responsible for the selection/definition of the certificate policy (CP) for the organization, development and management of the certification practices statement (CPS) and the correct day to day operation of the PKI.

Policy identification

The certification authority operates as a Class A Subordinate CA that may only issue X.509 V3 certificates directly to end-entities (i.e. subscribers).

Table 1 Subordinate CA Certificate Classes

Columns: Certificate Class; Network Protection; System Protection; Private Key Protection

Class A Subordinate CA:
- Secure network zone w/layer-1 separation
- Highly restricted access controls & intrusion monitoring
- High security controls
- Two-factor user authentication
- Intrusion detection & audit logging
- Remote monitoring & site surveillance
- HSM
- On-line signing engine

Policy object identifiers (OIDs)

Certificate policy identifiers for certificates issued by this CA are provided in the following table. Echoworx Corporation was assigned the OID prefix by the Internet Assigned Numbers Authority (IANA) whose registry is now managed by the Internet Corporation for Assigned Names and Numbers (ICANN).

Table 2 Certificate Policy Object Identifiers (OIDs)

Columns: OID Value; OID Name

Echoworx Object identifiers
- (echoworx.policy)

Subordinate CA Certificate Policy identifiers
- (subordinateca.classa)

End-Entity Certificate Policy identifiers
- (ESS.adminAuthority)
- (ESS.escrowKeyAuthority)
- (ESS.registrationAuthority)
- (ESS.agent.mailCourier)
- (securemail.class1.signerkey)
- (securemail.class1.cipherkey)
- (securereader.class1.signerkey)
- (securreader.class1.cipherkey)
- (EMX.class1.signerKey)
- (EMX.class1.cipherKey)

2.3. Communities and applicability

This document defines the policies and practices under which Echoworx Corporation (hereafter 'Echoworx') operates a Certification Authority (CA) and contingent upon which it issues Public Key Certificate credentials to authorized end-entity parties who are subscribers to the Echoworx Encryption Services based on Echoworx's Secure Mail and related products (which may include, but is not necessarily limited to Echoworx Secure Mail TM, Echoworx Secure Dox TM, Echoworx Encrypted Document Presentment TM, Echoworx Encrypted Mail Gateway TM, and Echoworx Encrypted Message exchange TM) and offered on a subscription basis.

This CA is established to provide certification services for issuing credentials to subscribers whose identity has been verified by this CA or its authorized Registration Authorities (RAs) in accordance with obligations set forth herein in section 2.13 RA Obligations. Subscribers include all parties on whose behalf such digital certificates are issued. All parties who may rely upon the certificates issued by the CA are considered relying parties.

This certificate policy and certification practices statement (CP/CPS) is applicable to all certificates issued by this CA. Subscriber certificates may have specific associated CP and/or CPS documents that supplement the information provided herein.

The policies and practices described in this CP/CPS apply to the issuance and use of certificates and certificate revocation lists (CRLs), and Online Certificate Status Protocol (OCSP) for users within the community of subscribers and relying parties.

2.4. Contact information

This Certification Authority is owned and operated by Echoworx Corporation. General inquiries and customer requests may be addressed to:

Echoworx Corporation
Attn: Director of Certification Services
4101 Yonge Street, Suite 708
Toronto, Ontario, Canada M2P 1N6
Web:
Tel:
Fax:

Limits of liability (No Warranty)

Echoworx asserts no control over how members of the community protect their own credentials, and therefore UNDER NO CIRCUMSTANCES IS Echoworx RESPONSIBLE FOR THE CONSEQUENCES TO A RELYING PARTY OF MAKING USE OF CREDENTIALS Echoworx ISSUES. AS CERTIFICATES ISSUED BY THIS CA ARE UNDER THE CONTROL OF THE SUBSCRIBER TO WHOM THE CREDENTIALS WERE ISSUED Echoworx CANNOT BE HELD LIABLE FOR ANY DAMAGES OF ANY KIND WHETHER DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL EVEN IF Echoworx HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Financial responsibility

By applying for and being issued certificates, or otherwise relying upon such certificates, subscribers agree to indemnify, defend, and hold harmless the CA, and its personnel, organizations, entities, subcontractors, suppliers, vendors, representatives, and agents from any errors, omissions, acts, failures to act, or negligence resulting in liability, losses, damages, suits, or expenses of any kind, due to or otherwise proximately caused by the use or publication of a certificate that arises from the subscriber's failure to provide the CA with current, accurate, and complete information at the time of certificate application or the subscriber's errors, omissions, acts, failures to act, and negligence.

This CA and its registration authorities (RAs) are not the agents, fiduciaries, trustees, or other representatives of subscribers or relying parties.

Interpretation and enforcement

The following sections describe the interpretation and enforcement guidelines.

Governing law

The laws of the province of Ontario in Canada shall govern the enforceability and construction of this CP/CPS document to ensure uniform procedures and interpretation for all users.

Severability, survival, merger, notice

Severance or merger may result in changes to the scope, management, and/or operations of this CA. In such an event, this CP/CPS may require modification as well. Changes to the operations will occur consistently with the CA's disclosed CP/CPS management processes as stated in section

Dispute resolution

In the event of any dispute involving the services or provisions covered by this CP/CPS, the aggrieved party shall first notify the CA and all other relevant parties regarding the dispute. The CA will involve the appropriate personnel to resolve the dispute.

Fees

This CA does not charge any fees directly to the subscriber for certificates issued by the CA referenced in this CPS. This CA may, however, choose to charge a fee to the provider of the related services with respect to certificates issued under this CPS.

Publication and repository requirements

This CA's certificate policy and certification practices statement (CP/CPS) (this document) shall be published at:

As many of the relying parties are internal to the realm of the operational application service provider, only those certificates upon which external parties may rely need be published.

All certificate revocation lists (CRLs) issued directly by this CA shall, upon issuance, be published at:

Retrieval of certificate status with OCSP is published at:

All subscribers and relying parties have access to this repository.

2.10. Compliance audit requirements

An annual audit is performed by an external third party to assess the adequacy of this CA's practice disclosure and the effectiveness of the CA's controls over its CA operations. Topics covered by the annual audit include the following:

- CA practice disclosure
- Service integrity (including key and certificate life cycle management controls)
- CA environmental controls

Significant deficiencies identified during the compliance audit will result in a determination of actions to be taken. This determination is made by the auditor with input from CA management. The CA is responsible for seeing that corrective action is taken within 60 days. Should a severe deficiency be identified that might compromise the integrity of the CA, CA management considers, with input from the auditor, whether suspension of the CA's operation is warranted. If the service is suspended for reasons of an audit this will be without liability to the CA and the provider of the Services.

Compliance audit results, if any, are communicated to the board of directors of the CA, CA management, and the CA's policy authority, as well as others deemed appropriate by CA management.

Conditions of certificate applicability

Certificates issued under the CA's certificate policy are limited to use in connection with Echoworx Encryption Services and related services based on Echoworx's Secure Mail and related products. Certificates issued by the CA may not be used for any other purpose unless expressly permitted otherwise, and will not be supported unless in connection with the Echoworx licensed application software.

CA obligations

This CA is obligated to:

- Perform its operations as described in this CP/CPS. This CP/CPS may from time to time be modified by amendments.
- Maintain an online repository of historical versions of this CP/CPS document at (insert URL)
- Issue and publish certificates in a timely manner in accordance with the relevant certificate policy for the class of certificate issued as defined in section of this CP/CPS
- Revoke certificates issued by this CA, upon receipt of a valid request to revoke the certificate from a person authorized to request revocation as specified in section 4.9
- Publish CRLs on a timely basis in accordance with the applicable certificate policy and with provisions described in section 4.9 Certificate Revocation. For CRL publishing frequency, please see section
- As required, notify subscribers via email (1) that certificates have been generated for them and (2) how the subscribers may retrieve the certificates
- In the event this CA is not successful in validating the subscriber's application in accordance with the requirements for that class of certificate, notify the subscriber that the application has been rejected
- Notify subscribers via email, or another suitable method as determined by the CA, that the subscriber's certificate has been revoked
- Notify other participants in the PKI of certificate issuance and revocation through access to certificates and CRLs, OCSPs in the CA's repository

In accordance with best practices and international standards, subscriber information that is collected by this CA will only be retained and used in accordance with the purpose of delivering the services supported by this CA. The CA will have regard to any confidential information provided to it and protect it to the standards expressed in Section Confidentiality below.

The CA and RA will require from the provider of the Services the Subscriber's name and addresses, which may be construed as personal data. It is a condition of the service that anyone using it consents to this information being held in Canada.
The use of any information received by the CA and RA will be restricted to the provision of the service described in this document and the CA and RA will comply with Canadian privacy protection laws in so using it.

RA obligations

The role of the RAs, or this CA's RA function, is to:

- Verify the accuracy and authenticity of the information provided by the subscriber at the time of application, in accordance with the relevant certificate policy as indicated in
- Validate and securely send a revocation request to this CA upon receipt of a request to revoke a certificate, in accordance with the relevant certificate policy as indicated in
- Verify the accuracy and authenticity of the information provided by the subscriber at the time of renewal or re-key, in accordance with the relevant certificate policy as indicated in

Repository obligations

The CA's repository function is obligated to publish certificates and certificate revocation lists in a timely manner. For CRL issuance frequency, please refer to section

Subscriber obligations

Subscribers are obligated to:

- Provide information to the CA that is accurate and complete to the best of the subscribers' knowledge and belief regarding information in their certificates and identification and authentication information and promptly notify the CA of any changes to this information
- Safeguard their private key from compromise
- Use certificates exclusively for legal purposes and in accordance with the relevant certificate policy (see section 2.2.1) and the acceptable uses as defined in section 2.3 of this CPS, and certificate applicability (see section 2.11)
- Promptly request that the CA revoke a certificate if the subscriber has reason to believe there has been a compromise of their private key corresponding to the public key listed in the certificate

Relying party obligations

Relying parties are obligated to:

- Restrict reliance on certificates issued by the CA to the purposes for those certificates, in accordance with the relevant certificate policy and with this CP/CPS
- Verify the status of certificates at the time of reliance with OCSP and by checking the CRL for this CA either manually through browsing to the stated URL in section

Acceptable uses and limits on reliance

Certificates issued under the CA's certificate policy are limited to use in connection with Echoworx licensed application software. Certificates issued by the CA may not be used for any other purpose unless expressly permitted otherwise.

Use of, and the related services described in this document, are intended as a further level of secure communications but not a replacement to other safeguards.

This CA does not accept any financial liability with respect to the reliance on certificates issued under this CA's certificate policy. Relying parties are required, in addition to their obligations expressly stated in this document, to use due diligence in confirming that the identity of the party they are dealing with is associated with the certificate being relied upon.

In order to confirm the policy under which a subscriber's certificate was issued, please reference section and confirm the Policy Object Identifier in the certificate.

3. CA Key life cycle management

This section addresses the management of this CA's cryptographic keys throughout the operational life cycle of this CA, including how the public and private keys are generated and/or re-generated (i.e., key changeover or re-keying); how the private key(s) are stored, protected and eventually destroyed; and how the public key(s) are distributed and archived.

CA key management

The following sections describe the CA key management procedures.

CA key-pair generation

This CA's signing key is 2048 bits in length. The private-/public key-pair is generated in a Luna SA hardware security module (HSM) using the RSA algorithm with true random number generation (RNG) per Annex C of ANSI X9.17. This CA's private signing key material is generated, stored and used wholly within the K3 cryptographic engine of the Luna SA device; it is never exported except for cloning to another Luna SA Hardware Security Module for backup purposes, or to a Luna SA token for archival and secure storage.

This CA's private signing key shall only be used to sign non-CA end-entity public key certificates and certificate revocation lists (CRLs) and certificate Online Certificate Status Protocol (OCSP).

The lifetime of the CA signing key-pair is ten (10) years.

This CA's private signing key is stored in a Luna SA hardware security module (HSM) device that is compliant with FIPS Level 3. Multi-party controls ensure that at least two (2) individuals (one designated as a Security Officer and another designated as a Crypto Officer) provide dual control over physical access to the hardware modules at any time; m of n secret shares held by other, separate custodians (all executives of the CA operator, Echoworx, or duly appointed thereby) on removable media (i.e., Luna DataKeys) are also required for logical access to the HSM management functions and activation of the private keys. There is a separation of physical and logical access to this CA's private signing key.

This CA's private keys HAVE NOT and WILL NOT be placed in escrow with an external third party.

CA key archival

This CA's expired and/or revoked CA public key certificates shall be archived. A backup copy on removable media shall be stored securely in an off-site vault. Archived keys are accessed only where historical evidence requires validation of archive keys. Only authorized Trusted Personnel are permitted to obtain access to archived keys.

CA key destruction

This CA's private signing key shall be destroyed by securely removing it from the Luna SA HSM Partition as per the manufacturer's guidelines and re-initializing all of the Luna SA tokens upon which it is stored. The CA key destruction will not occur unless the business purpose or application has ceased to have value or legal obligations.

CA public key distribution

Customers establishing an Echoworx application service shall be provided with the Echoworx Root CA2 public key in a public key certificate on a CDROM contained within the software installation kit. The end-user software package shall be signed using Microsoft's Authenticode technology for which a code-signing key has been certified by a trusted third party.

CA key changeover

The CA signing private key has a lifetime of ten (10) years and the corresponding public key certificate has a lifetime of ten (10) years. Upon the end of the private key's lifetime, a new CA signing key pair may be generated and all subsequently issued certificates and CRLs, and OCSPs are signed with the new private signing key. A corresponding new CA public key certificate shall be securely provided to subscribers and relying parties.

Subscriber key management

For subscribers approved by the customer (i.e., Echoworx application service provider) that subscribe to this CA's certification service, the following key management practices shall apply.

Subscriber key generation

The Subscriber's public key pair shall be at least 2048 bits in length using the RSA algorithm. The Subscriber's private key may be software generated and stored locally as a password-encrypted PKCS#12 container file in PEM or DER format. The lifetime of the subscriber's signing key pair shall not exceed two (2) years.

Subscriber key storage, backup, recovery

The subscriber's private key may be stored locally as a password-encrypted PKCS#12 container file in PEM or DER format on a hard drive or floppy disk. Backup and recovery of subscriber private keys is the responsibility of the subject subscriber.

Subscriber cipher keys may be placed in escrow with an external third party. The escrowed subscriber cipher keys may be provided to legal authorities subject to validated requests under local, state, national or federal legislation.

Private signer-keys HAVE NOT and SHALL NOT be placed in escrow with an external third party. Private signer-keys SHALL NOT be archived.

Subscriber key archival

The subscriber's expired and/or revoked public key certificates shall not be archived.

4. Subscriber Certificate life cycle management

This section addresses the key life cycle management of end-entity (i.e. subscriber) certificates, including initial registration, renewal, key roll-over and certificate revocation.

Registration using an external RA

The CA requires that external registration authorities (RAs) physically present themselves along with two forms of identification to an employee of the CA. The CA authorizes external RAs upon successful identification and authentication, and approval of the external RA enrolment and certificate application forms.

External RAs are responsible for identification and authentication of subscribers and must secure their private signing keys used for signing certificate applications, securely forward certificate applications to the CA, and securely store any subscriber information collected.

The CA verifies the authenticity of certificate request submissions received from an external RA by validating the RA's digital signature on the submission.

Initial registration of Subscriber

The CA has established a single naming hierarchy utilizing the X.500 Distinguished Name form. In all cases, names of subscribers must be meaningful. Generally, the address by which an individual is commonly known to the CA should be used. All subscribers are unambiguously identified in the naming hierarchy.

This CA issues certificates within a closed PKI. Trademarks and related naming issues will generally not apply to certificates issued within this space.

Possession of a private key is proved by a public key certificate applicant by providing check values as defined in the certificate policy.

If organizational identity is considered important based upon the certificate policy, the organization identity is verified using a method approved by the certificate policy.

In submitting a certificate application, at least the following information must be submitted to this CA: subscriber's public key, subscriber's distinguished name, the subscriber's address, and other information required on the CA's certificate application form.

If required by the certificate policy, the CA verifies the authority of the subscriber to request a certificate by checking whether the subscriber is an employee of a particular organization or association through inquiry of the organization's HR department or the association's membership department.

The CA may verify the accuracy of the information included in the subscriber's certificate request through validation against a third-party database. The CA shall check certificate requests for errors or omissions.

Certificate renewal

Certificate renewal is an automatic process that occurs upon expiry of the subscriber's key pair, and is managed by way of the related encryption service. Active users are notified of the impending expiry via the service and are required to confirm the certificate renewal via the service for their certificate to be renewed. During the certificate renewal process, new keys are generated by the subscriber via the associated service and are signed by this CA.

Routine re-keying

Certificates issued by this CA are only for use with the Echoworx Encryption Services based on Echoworx's Secure Mail and related products. Users set for re-keying are handled automatically by the products offered in the service. Users are forced to authenticate themselves using their subscriber name and password in order to complete the process. Users are set for re-keying either at the request of the user or as a result of changes to the CA service that are initiated by the CA.

Re-keying after expiry or revocation

For subjects whose certificates have been revoked or have expired, re-keying is permitted, and where re-keying is performed the re-keying process is as outlined in Section

Subscriber Certificate issuance

Certificates are issued to the subscriber upon successful processing of the application.

Certificate format, validity period, extension field, and key usage extension field requirements are specified in accordance with the CA's disclosed certificate profile (see section 4.12).

Subscriber Certificate Delivery

Certificates issued by this CA are issued for use within the Echoworx Encryption Services based on Echoworx's Secure Mail and related products. The offered solutions automatically deliver the certificates to the end user over an encrypted channel and/or store them securely for retrieval by the user through the related Echoworx Application(s). Certificate retrieval requires end users to authenticate using their subscriber name and password.

4.8. Subscriber Public Certificate distribution

A repository is operated for subscribers using Echoworx application software to search and retrieve other subscribers' public cipher-key certificates used in encrypting messages or documents for a recipient. Access to this repository is limited to authorized subscribers.

There is no repository published which contains subscribers' public signer-key certificates as these are distributed directly to relying parties by way of attachment to digitally signed secure mail messages sent using Echoworx application software.

Certificate revocation lists (CRLs) relating to all (both cipher- and signer-key) public key certificates issued by this CA are published in a public repository for any relying party to access. This repository is provided as a web directory accessible via the HTTP protocol and is located at:

OCSP (Online Certificate Status Protocol), which provides information about the status of a particular certificate, can be found at:

Certificate revocation

A certificate can be revoked by this CA for several reasons, including suspected or actual compromise of control of the private key that relates to the public key contained in the certificate, hardware or software failures that render the private key inoperable, or failure of a subscriber to meet the obligations of this certificate policy and certification practices statement (CP/CPS) and/or related certificate policy (CP). Unless stipulated in the particular CP, other reasons for revocation (i.e., such as may relate to changes in a subscriber's relationship with the CA, RA or Customer organization) shall be considered only in exceptional circumstances as deemed appropriate by the CA.

Revocation requests shall only be accepted from an authorized agent of the Registration Authority (RA) or this CA (i.e., not directly from a subscriber end-entity). Requests by RA personnel to revoke a certificate may require sufficient RA system access rights.

Validated certificate revocation requests will be processed no more than 48 hours after receipt and validation. Revocation requests for reasons other than key compromise must be placed within a maximum of 72 hours of the event necessitating revocation. In the case of suspected or known private key compromise, a revocation request should be made immediately upon identification of the event.

This CA's certificate revocation process supports the secure and authenticated revocation of one or more certificates of one or more entities and provides a means of rapid communication of such revocation through OCSP and the issuance of CRLs published on an as-needed basis. The CA's system and processes provide the capability to revoke (1) the set of all certificates issued by the CA that have been signed with a single CA private signing key or (2) groups of certificates issued by the CA that have been signed with different CA private signing keys.

Upon the revocation of a subscriber's certificate, the newly revoked certificate is recorded in a CRL that is published within 24 hours and the subscriber is notified via email. When a revocation request has been processed by an external registration authority, the external RA is also notified upon the revocation of a subscriber's certificate.

This CA supports revocation with the following reason-codes:

- Unspecified
- Credentials Compromised
- Cessation of Operations
- Affiliation Change
- CA Compromised

Certificate suspension

This CA does not support suspension of public key certificates.

Certificate status

The CA publishes CRLs on a regular basis. CRLs shall be issued within 24 hours of certificate revocation (i.e., daily). The onus for CRL checking is placed upon relying parties.

A subscriber should be notified of the revocation of his or her certificate by the CA or registered RA by email, postal mail, or telephone. The CP may define other forms of revocation advertisements.

The CA archives and retains all certificates and CRLs issued by the CA for a period not less than two (2) years after expiry.

OCSP also provides the certificate status.

Certificate profiles

The following sections specify the profiles of certificates that may be issued directly by this CA, including its own self-signed certificate.
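
The timing limits, accepted requesters and reason codes stated in the Certificate revocation and Certificate status sections above can be checked mechanically against a CA's revocation log. The following is an added example, not part of the Echoworx document or its software; the record fields, requester labels, finding names and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Limits and reason codes as stated in the policy text above.
REQUEST_WINDOW = timedelta(hours=72)  # non-compromise request: within 72 h of the event
PROCESS_WINDOW = timedelta(hours=48)  # processing: within 48 h of receipt and validation
CRL_WINDOW = timedelta(hours=24)      # CRL publication: within 24 h of revocation
SUPPORTED_REASONS = {"Unspecified", "Credentials Compromised",
                     "Cessation of Operations", "Affiliation Change", "CA Compromised"}
# Compromise cases have no numeric request limit in the text ("immediately").
COMPROMISE_REASONS = {"Credentials Compromised", "CA Compromised"}
# Hypothetical labels: requests are accepted from an RA or CA agent only,
# never directly from a subscriber.
AUTHORIZED_REQUESTERS = {"RA", "CA"}


@dataclass
class RevocationRecord:
    """One revocation log entry (field names are assumptions of this example)."""
    serial: str
    reason: str
    requester: str
    event_at: datetime        # event necessitating revocation
    requested_at: datetime    # request placed
    validated_at: datetime    # receipt and validation complete
    revoked_at: Optional[datetime] = None        # None: still pending
    crl_published_at: Optional[datetime] = None  # None: not yet on a CRL


def audit(rec: RevocationRecord, now: datetime) -> List[str]:
    """Return the policy findings for one record, evaluated at time `now`."""
    findings = []
    if rec.reason not in SUPPORTED_REASONS:
        findings.append("UNSUPPORTED_REASON")
    if rec.requester not in AUTHORIZED_REQUESTERS:
        findings.append("UNAUTHORIZED_REQUESTER")
    # Timestamps must follow the lifecycle order or the deltas below mean nothing.
    known = [s for s in (rec.event_at, rec.requested_at, rec.validated_at,
                         rec.revoked_at, rec.crl_published_at) if s is not None]
    if known != sorted(known) or (rec.revoked_at is None and rec.crl_published_at):
        findings.append("TIMESTAMP_ORDER")
    if (rec.reason not in COMPROMISE_REASONS
            and rec.requested_at - rec.event_at > REQUEST_WINDOW):
        findings.append("LATE_REQUEST")
    process_deadline = rec.validated_at + PROCESS_WINDOW
    if rec.revoked_at is None:
        # A pending request only becomes a finding once its deadline has passed.
        if now > process_deadline:
            findings.append("PROCESSING_OVERDUE")
        return findings
    if rec.revoked_at > process_deadline:
        findings.append("LATE_PROCESSING")
    crl_deadline = rec.revoked_at + CRL_WINDOW
    if rec.crl_published_at is None:
        if now > crl_deadline:
            findings.append("CRL_OVERDUE")
    elif rec.crl_published_at > crl_deadline:
        findings.append("LATE_CRL")
    return findings


def audit_all(records: List[RevocationRecord], now: datetime) -> Dict[str, List[str]]:
    """Map each certificate serial to its list of findings."""
    return {r.serial: audit(r, now) for r in records}


def ts(day: int, hour: int, minute: int = 0) -> datetime:
    """Helper for the constructed sample data (July 2015, UTC)."""
    return datetime(2015, 7, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample log, not real data.
NOW = ts(8, 12)
SAMPLE = [
    RevocationRecord("01", "Affiliation Change", "RA",
                     ts(1, 9), ts(2, 9), ts(2, 10), ts(3, 10), ts(3, 20)),
    RevocationRecord("02", "Credentials Compromised", "RA",
                     ts(1, 9), ts(1, 9, 30), ts(1, 10), ts(3, 12), ts(4, 13)),
    RevocationRecord("03", "Cessation of Operations", "subscriber",
                     ts(1, 9), ts(5, 9), ts(5, 10)),
    # "Certificate Hold" is a suspension; this CA does not support suspension.
    RevocationRecord("04", "Certificate Hold", "CA",
                     ts(6, 9), ts(6, 10), ts(6, 11), ts(6, 12)),
]

if __name__ == "__main__":
    for serial, found in audit_all(SAMPLE, NOW).items():
        print(serial, found or "ok")
```

Records that meet a limit exactly are treated as compliant; only a strictly later timestamp produces a finding.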
CA certificate profile

The CA certificate profile is shown in the following table.

Issuer CA Certificate Profile

Version: 0x2 (Version 3)
Serial Number: uniqueidentifier (Integer)
Signature Algorithm: SHA2withRSA-Encryption
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=Echoworx Root CA2
Validity: GeneralizedTime (10 Years)
  Not valid before: issue date - 1day
  Not valid after: issue date + 10yrs + 1day
Subject: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=
Subject Public Key: subjectpublickeyinfo
Issuer Unique ID: BitString
Subject Unique ID: BitString

Mandatory X.509v3 Certificate Extensions
Basic Constraints (id-ce-basic-constraints): critical Y; value True
Subject Key Identifier (id-ce-subjectkeyidentifier): octetstring (optional)
Authority Key Identifier (id-ce-authoritykeyidentifier): octetstring (optional)
Key Usage (id-ce-keyusage): keycertificatesign, CRLSign
Certificate Policy (id-ce-certificatepolicy): (i.e., escrow allowed)

Recommended X.509v3 Certificate Extensions
Netscape Certificate Type (nscerttype): Object Signing, Object Signing CA, SSL CA, S/MIME CA
Certification Practices Statement (id-ce-certificatepolicies + id-qt-cps)

1 Refer to RFC-3280 for the definition and specific OID values for extended attributes.
Subordinate CA certificate profile

This CA does not issue Subordinate CA certificates.

End-entity certificate profiles

The following sections provide the end-entity certificate profiles.

Class 1 Subscriber (signer key)

The profile for the subscriber signer key is shown in the following table.

Class 1 Secure Mail Subscriber (signer key) Certificate Profile

Basic Fields / Value
Version: 0x2 (Version 3)
Serial Number: UniqueIdentifier (Integer)
Signature Algorithm: SHA2withRSA-Encryption
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=
Validity: GeneralizedTime (1 Year)
  Not valid before: issue date - 1day
  Not valid after: issue date + 1yr + 1day
Subject: DN: CN=Echoworx Encryption Services, E=E-mail Address
Subject Public Key: subjectpublickeyinfo
Issuer Unique ID: BitString
Subject Unique ID: BitString

Mandatory X.509v3 Certificate Extensions
Extended Attributes / Critical / Value
Basic Constraints (id-ce-basic-constraints): critical Y; value True
Subject Key Identifier (id-ce-subjectkeyidentifier): octetstring (optional)
Authority Key Identifier (id-ce-authoritykeyidentifier): octetstring (optional)
Key Usage (id-ce-keyusage): digitalsignature, keyencipherment
Certificate Policy (id-ce-certificatepolicy)
CRL Distribution Points (id-ce-crldistributionpoints)
Authority Info Access (id-ce-autorityinfoaccess)

Recommended X.509v3 Certificate Extensions
Netscape Certificate Type (nscerttype)
Certification Practices Statement (id-ce-certificatepolicies + id-qt-cps)
(recommended if used in conjunction with Echoworx Secure Mail)
Class 1 Subscriber (cipher key)

The profile for the subscriber cipher key is shown in the following table.

Class 1 Subscriber (cipher key) Certificate Profile

Basic Fields / Value
Version: 0x2 (Version 3)
Serial Number: UniqueIdentifier (Integer)
Signature Algorithm: SHA2withRSA-Encryption
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=
Validity: GeneralizedTime (1 Year)
  Not valid before: issue date - 1day
  Not valid after: issue date + 1yr + 1day
Subject: DN: CN=Echoworx Encryption Services Subscriber, E=E-mail Address
Subject Public Key: subjectpublickeyinfo
Issuer Unique ID: BitString
Subject Unique ID: BitString

Mandatory X.509v3 Certificate Extensions
Extended Attributes / Critical / Value
Basic Constraints (id-ce-basic-constraints): critical Y; value True
Subject Key Identifier (id-ce-subjectkeyidentifier): octetstring (optional)
Authority Key Identifier (id-ce-authoritykeyidentifier): octetstring (optional)
Key Usage (id-ce-keyusage): keyencipherment
Certificate Policy (id-ce-certificatepolicy) or
CRL Distribution Points (id-ce-crldistributionpoints)
Authority Info Access (id-ce-autorityinfoaccess)

Recommended X.509v3 Certificate Extensions
Netscape Certificate Type (nscerttype)
Certification Practices Statement (id-ce-certificatepolicies + id-qt-cps)
(recommended if used in conjunction with Echoworx Secure Mail)

Trusted Escrow Key Authority

This profile is applicable to key authorities for the purposes of facilitating the recovery of escrowed private key material belonging to a subscriber (i.e., user), pursuant to service provider policies. Such action may be in response to a legitimate request for assistance in lawful interception by a recognized law enforcement agency, subject to due diligence vetting of the jurisdictional authority, or it may be initiated by the need to assure business continuity or "corporate memory" in the event that an erstwhile authorized user is no longer available (for whatever reason) to access the private key needed to decrypt information belonging to the company.

Realm Trusted Key Authority Certificate Profile

Basic Fields / Value
Version: 0x2 (Version 3)
Serial Number: UniqueIdentifier (Integer)
Signature Algorithm: SHA2withRSA-Encryption
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=
Validity: GeneralizedTime (2 Years)
  Not valid before: issue date - 1day
  Not valid after: issue date + 2yrs + 1day
Subject: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Secure Mail Service, CN=commonName, E=E-mail Address
Subject Public Key: subjectpublickeyinfo
Issuer Unique ID: BitString
Subject Unique ID: BitString

Mandatory X.509v3 Certificate Extensions
Extended Attributes / Critical / Value
Basic Constraints (id-ce-basic-constraints): critical Y; value True
Subject Key Identifier (id-ce-subjectkeyidentifier): octetstring (optional)
Authority Key Identifier (id-ce-authoritykeyidentifier): octetstring (optional)
Key Usage (id-ce-keyusage): dataencipherment, digitalsignature, keyencipherment
Certificate Policy (id-ce-certificatepolicy)
CRL Distribution Points (id-ce-crldistributionpoints)
Authority Info Access (id-ce-autorityinfoaccess)

Recommended X.509v3 Certificate Extensions
Netscape Certificate Type (nscerttype): client, e-mail, objectsigning
Certification Practices Statement (id-ce-certificatepolicies + id-qt-cps)

Trusted mail courier agent

This profile is applicable to mail courier (i.e., Echoworx' Digital Courier agent) end-entities for use with the S/MIME protocol. The agent is presumed to have a single dual-purpose keypair for digital signature and message decryption operations.

Domain Mail Courier Agent Certificate Profile

Basic Fields / Value
Version: 0x2 (Version 3)
Serial Number: UniqueIdentifier (Integer)
Signature Algorithm: SHA2withRSA-Encryption
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=
Validity: GeneralizedTime (10 Years)
  Not valid before: issue date - 1day
  Not valid after: issue date + 10yrs + 1day
Subject: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Secure Mail Service, CN=Echoworx Digital Courier, E=E-mail Address
Subject Public Key: subjectpublickeyinfo
Issuer Unique ID: BitString
Subject Unique ID: BitString

Mandatory X.509v3 Certificate Extensions
Extended Attributes / Critical / Value
Basic Constraints (id-ce-basic-constraints): critical Y; value True
Subject Key Identifier (id-ce-subjectkeyidentifier): octetstring (optional)
Authority Key Identifier (id-ce-authoritykeyidentifier): octetstring (optional)
Key Usage (id-ce-keyusage): digitalsignature, keyencipherment
Certificate Policy (id-ce-certificatepolicy)
CRL Distribution Points (id-ce-crldistributionpoints)
Authority Info Access (id-ce-autorityinfoaccess)

Recommended X.509v3 Certificate Extensions
Netscape Certificate Type (nscerttype)
Certification Practices Statement (id-ce-certificatepolicies + id-qt-cps)

CRL profile

The profile for the CRL is shown in the following table.

CRL Certificate Profile

Basic Fields / Value
Version: 0x1 (Version 2)
Serial Number: UniqueIdentifier (Integer)
Signature Algorithm: SHA2withRSA-Encryption
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=Echoworx Encryption Services UK CA
This update: GeneralizedTime, time of CRL issuance
Next update: GeneralizedTime, Current CRL Issue Date + 1 day
List of Revoked Certificates: Certificate identification information

OCSP profile

The profile for the OCSP is shown in the following table.

OCSP Certificate Profile

Basic Fields / Value
Version: Defined by RFC 2560
OCSP Extension: No stipulation
Issuer: DN: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=Echoworx Secure Mail CA
Status of Certificates: Status of Certificate

Integrated circuit card (ICC) life cycle management

This CA does not issue smart cards to end-entities. Subjects may, at their own discretion, purchase smart cards and readers for purposes of key generation and storage.
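A relying-party check built on the CRL profile and revocation rules above, as an added example that is not part of the original CPS or any Echoworx code. It assumes the CRL has already been parsed and its signature verified; the class and function names, the sample dates and serial numbers, and the mapping of the CPS reason-codes to RFC 5280 names are assumptions made for illustration.

```python
"""Relying-party CRL check against the CRL profile in this CPS (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reason-codes the CPS lists, mapped to RFC 5280 CRLReason names.
# The mapping of the CPS wording to RFC names is an assumption.
SUPPORTED_REASONS = {
    "unspecified",           # Unspecified
    "keyCompromise",         # Credentials Compromised
    "cessationOfOperation",  # Cessation of Operations
    "affiliationChanged",    # Affiliation Change
    "cACompromise",          # CA Compromised
}
# CRL profile: next update = current CRL issue date + 1 day.
MAX_CRL_LIFETIME = timedelta(days=1)
# Issuer DN as given in the CRL profile.
CRL_ISSUER = ("C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, "
              "OU=Certification Services, CN=Echoworx Encryption Services UK CA")


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime
    reason: str = "unspecified"


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: tuple = ()


def lint_crl(crl):
    """Return deviations from the CRL profile; an empty list means it conforms."""
    problems = []
    if crl.next_update <= crl.this_update:
        problems.append("nextUpdate is not after thisUpdate")
    elif crl.next_update - crl.this_update > MAX_CRL_LIFETIME:
        problems.append("CRL lifetime exceeds 1 day")
    for e in crl.entries:
        if e.reason == "certificateHold":
            problems.append(f"serial {e.serial}: suspension is not supported by this CA")
        elif e.reason not in SUPPORTED_REASONS:
            problems.append(f"serial {e.serial}: unsupported reason {e.reason!r}")
        if e.revoked_at > crl.this_update:
            problems.append(f"serial {e.serial}: revocation date is after thisUpdate")
    return problems


def check_status(serial, expected_issuer, crl, now):
    """Decide a certificate's status from one CRL, failing closed."""
    if crl.issuer != expected_issuer:
        return "unknown: CRL issuer mismatch"
    # The CA does not support suspension, so a listed serial never returns to
    # good standing: a hit is definitive even when the CRL itself is stale.
    for e in crl.entries:
        if e.serial == serial:
            return f"revoked: {e.reason}"
    # Absence from a CRL only means "good" inside its validity window.
    if now < crl.this_update:
        return "unknown: CRL not yet valid"
    if now >= crl.next_update:
        return "unknown: CRL stale"
    return "good"


# Constructed sample data (not taken from a real CRL).
SAMPLE_T0 = datetime(2015, 7, 13, 0, 0, tzinfo=timezone.utc)
SAMPLE_NOW = SAMPLE_T0 + timedelta(hours=2)     # inside the CRL window
SAMPLE_LATER = SAMPLE_T0 + timedelta(hours=25)  # past nextUpdate
SAMPLE_CRL = Crl(
    issuer=CRL_ISSUER,
    this_update=SAMPLE_T0,
    next_update=SAMPLE_T0 + timedelta(days=1),
    entries=(RevokedEntry(0x1001, SAMPLE_T0 - timedelta(hours=3), "keyCompromise"),),
)
# A CRL that breaks the profile: 7-day lifetime and a suspension entry.
SAMPLE_BAD_CRL = Crl(
    issuer=CRL_ISSUER,
    this_update=SAMPLE_T0,
    next_update=SAMPLE_T0 + timedelta(days=7),
    entries=(RevokedEntry(0x3003, SAMPLE_T0 - timedelta(hours=1), "certificateHold"),),
)

if __name__ == "__main__":
    print(check_status(0x1001, CRL_ISSUER, SAMPLE_CRL, SAMPLE_NOW))
    print(check_status(0x2002, CRL_ISSUER, SAMPLE_CRL, SAMPLE_NOW))
    print(check_status(0x2002, CRL_ISSUER, SAMPLE_CRL, SAMPLE_LATER))
    print(lint_crl(SAMPLE_BAD_CRL))
```

A stale CRL yields "unknown" rather than "good", which is the case a relying party has to handle itself because the CPS places the onus for CRL checking on relying parties.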
5. CA environmental controls

This section addresses the business and security controls for assuring integrity and trust in this CA, including how this CP/CPS document is administered; cessation of operations; handling of sensitive and confidential information; intellectual property; physical security; business continuity; and event journaling.

CP & CPS administration

Some revisions to this certificate policy and certification practices statement (CP/CPS) and/or related certification policy (CP) documents may be deemed by the CA's policy authority to have minimal or no impact on subscribers and relying parties using certificates, CRLs, and OCSPs issued by this CA. Such revisions may be made without notice to subscribers issued certificates under this CP/CPS and without changing the version number of this CP/CPS.

Revisions to the certificate policies supported by this CP/CPS, as well as revisions to the CP/CPS which are deemed by the CA's policy authority to have significant impact on the subscribers issued certificates under this CP/CPS, may be made with 30 days' notice to the subscribers and a change in version number for this CP/CPS. This CA's policy authority will provide notification of upcoming changes on the CA's website 30 days prior to significant revisions to this CPS.

This CP/CPS and any subsequent changes are approved by the CA's policy authority. Please refer to section 2.4 for contact information.

CA termination

The Echoworx Policy Authority is the only entity which may terminate this CA. In the event this CA is terminated, the Echoworx Root CA will revoke this SubCA and the SubCA's subscriber certificates and the CA will cease to issue subscriber certificates. The CA shall provide no less than 30 days' notice to all operators of services that rely upon this CA for certificate issuance.
Upon termination, the records of the CA shall be archived and transferred to a designated custodian.

Confidentiality

Information not belonging to the public domain is to be kept confidential. Confidential information includes:
- Subscribers' private signing keys are confidential and are not provided to the CA or RA
- Information specific to the operation and control of the CA, such as security parameters and audit trails, is maintained confidentially by the CA and is not released outside of the CA organization unless required by law
- Information about subscribers held by the CA or RAs, excluding that which is published in certificates, CRLs, OCSPs, certificate policies, or this CP/CPS, is considered confidential and shall not be released outside of the CA except as required by certificate policy or otherwise required by law.
- Generally, the results of annual audits are kept confidential, unless disclosure is deemed necessary by CA management

Non-confidential information includes:
- Information included in certificates, CRLs, and OCSPs issued by the CA is not considered confidential
- Information in the certificate policies supported by this CA is not considered confidential
- Information in the CA's disclosed CP/CPS is not considered confidential

When the CA revokes a certificate, a revocation reason is included in the CRL entry for the revoked certificate. This revocation reason code is not considered confidential and can be shared with all other subscribers and relying parties. However, no other details concerning the revocation are normally disclosed.

The CA shall comply with legal requirements to release information to law enforcement officials. The CA may disclose to another party information pertaining to the owner of such information upon the owner's request.

Intellectual property rights

Public key certificates, CRLs, and OCSPs issued by the CA are the property of Echoworx. This CP/CPS document is the property of Echoworx.

Security management

A current information security policy exists, which is approved and endorsed by senior management. It is published as a corporate document and is communicated to the appropriate staff groups via a security awareness program. The policy defines the objectives, scope, intent and principles of information security and measures to ensure compliance with security standards and regulatory requirements.
In particular, the security policy contains an approach to address and meet requirements of the following areas of information security:
- compliance with regulatory, legislative and contractual requirements
- guidance for security training requirements of staff
- computer security to reduce weaknesses and exposures and for example to prevent software viruses or malicious software
- business continuity and responsibility of management and staff
- compliance enforcement and consequences of policy violations.
Information security is managed to establish sustainable compliance with business objectives and with requirements. This includes direction, governance and review and authorization process. Management of security also addresses:
- procedures to sustain physical and logical security in CA facilities and systems despite third-party access
- risk assessments to identify security implications and security control requirements
- the addressing of security requirements and responsibilities with contracts between parties or in cases of delegation of CA roles and responsibilities

Personnel security

Security roles and responsibilities, as specified in the organization's security policy, are documented in job descriptions. Verification checks on key permanent and contract staff are performed at the time of job application. The CA's policies and procedures specify the background checks and clearance procedures required for the personnel filling the trusted roles, and other personnel, including janitorial staff. Employees sign a confidentiality (nondisclosure) agreement as part of their initial terms and conditions of employment.

Contracted personnel controls include the following:
- Bonding requirements on contract personnel
- Contractual requirements including indemnification for damages due to the actions of the contractor personnel
- Audit and monitoring of contractor personnel

Employees and contracted staff receive appropriate training to raise awareness and achieve compliance with corporate security policies. This training is aligned with clear role based compliance and training requirements.

A formal disciplinary process exists and is followed for employees who have violated organizational security policies and procedures. The CA's policies and procedures specify the sanctions against personnel for unauthorized actions, unauthorized use of authority, and unauthorized use of systems.
Appropriate and timely actions are taken when an employee is terminated so that controls and security are not impaired by such an occurrence.
5.7. Physical security controls

All critical CA operations take place within a physically secure facility with at least three layers of security to access sensitive hardware or software. Sensitive system components are physically separated from the organization's other systems so that only authorized employees of the CA can access them.

Physical access to the CA system is strictly controlled and is subject to continuous (24/7) electronic surveillance monitoring. Only trustworthy individuals with a valid business reason are provided such access. The access control system is always functional and, in addition to conventional combination locks, electronic badge readers are used.

All CA systems have industry standard power and air conditioning systems to provide a suitable operating environment. All CA systems have reasonable precautions taken to minimize the impact of water exposure. All CA systems have industry standard fire prevention and protection mechanisms in place.

Cryptographic devices are physically destroyed or zeroized in accordance with the manufacturers' guidance prior to disposal. Off-site backups are stored in a secure storage facility by a bonded third party.

Business continuity management controls

The CA has a business continuity plan to restore the CA's core functionality (ability to issue certificates, revoke certificates and post Certificate Revocation Lists to the CRL distribution point identified in section 4.8) in a reasonably timely manner following interruption to, or failure of, critical business processes. The CA's business continuity plan defines 72 hours as an acceptable system outage time in the event of a major natural disaster or CA private key compromise.

Copies of essential business information and CA system software are made whenever there is a change. The CA maintains a recovery site, which is approximately 15 km away from the CA's primary site.
The effectiveness of business and disaster recovery plans is tested at least once a year with appropriate methods. Controls are in place to detect a compromised CA private signing key or a suspected compromise. Its occurrence is considered a disaster and appropriate measures are taken as defined in the disaster recovery plan including the revocation and reissuing of the private signing key.

Event logging

A continuous tamper-evident event journal is maintained for all CA events. As part of the backup processes for this CA, the event journal is backed up. The CA event journal is continually monitored via automated log monitoring and any errors detected are immediately investigated. At a minimum, event journals are reviewed on a monthly basis. The review must be documented including findings, notifications to senior management, actions taken and issue resolution.

The logged events must be inspected to identify incidents with high severity and to eliminate false positives. Events that are considered high severity could cause a risk for system availability or represent a security breach or an attempted breach, such as multiple incorrect logons of a user account, attempts of unauthorized access to systems and resources and unauthorized alterations of critical and security related system parameters.

Timestamp

The system time on Echoworx servers is maintained using the Network Time Protocol (NTP). One local NTP server per server location is run locally (which synchronizes to the established reference time pool.ntp.org time server pool), with the remaining servers in each hosting location synchronizing to the local time server. Time and date are kept on a real time basis with continuous calculations between client and reference time server packet exchanges.
6. References

[RFC2560] M. Myers et al., X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, June

[RFC3280] Housley, R. et al., Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile, Network Working Group Request for Comments: 3280, The Internet Society, April 2002

[WebTrust] AICPA/CICA WebTrust SM/TM Program for Certification Authorities, version 1.0, American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2000/08/25

[RootCA2] Echoworx Root CA2:, Version 1.1, Document Number: CPS-CA2-001, Echoworx Corporation,
A. Certificate

The following is the certificate.

SHA2 Fingerprint
52:3C:B6:DF:D6:0B:E8:98:D8:5C:94:9D:2B:FD:9A:A8:1D:FE:88:A3:A2:F6:75:6D:04:92:58:B1:FB:33:B4:

Text Form

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 30 (0x1e)
        Signature Algorithm: sha256withrsaencryption
        Issuer: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN=Echoworx Root CA2
        Validity
            Not Before: Mar 24 08:33: GMT
            Not After : Mar 24 08:33: GMT
        Subject: C=CA, ST=Ontario, L=Toronto, O=Echoworx Corporation, OU=Certification Services, CN= 2
        Subject Public Key Info:
            Public Key Algorithm: rsaencryption
            Public-Key: (2048 bit)
            Exponent: (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                7B:43:9E:3E:45:E7:A5:C8:8D:BA:0A:5E:CA:99:A0:BC:35:08:A6:79
            X509v3 Authority Key Identifier:
                keyid:3b:e1:81:1b:a0:ab:3f:3b:21:82:d5:e2:12:ae:ae:50:ab:14:a5:13
                DirName:/C=CA/ST=Ontario/L=Toronto/O=Echoworx Corporation/OU=Certification Services/CN=Echoworx Root CA2
                serial:00
            Netscape Cert Type:
                Object Signing, SSL CA, S/MIME CA, Object Signing CA
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:
            X509v3 Certificate Policies:
                Policy:
                  CPS:
    Signature Algorithm: sha256withrsaencryption
B. Definition of Terms

Term / Definition

Administrator: An individual who performs administrative functions within an Echoworx Security Services deployment.

Certificate: An electronic document that is made up of a public key and a digital signature.

Certificate Authority (CA): An entity that issues digital certificates to end entities.

Echoworx Security Services (ESS): The Echoworx applications that interoperate with a Certificate Authority to enable certificate issuance and management in an environment for use with end-user applications for encryption and/or digital signing of documents and e-mail.

Key Authority: An administrative user whose function is to act as part of a trusted group authorized to retrieve subscriber keys that have been escrowed.

Key Escrow: Key Escrow is a means of securely holding subscriber key material for retrieval by an authorized third party.

MIME: MIME stands for Multipurpose Internet Mail Extensions. MIME is the standard used for defining the format of internet mail messages (i.e. e-mail).

Policy Object Identifier (Policy OID): A Policy OID is a unique number used to name and identify the Policy under which a certificate is issued. The inclusion of an issuance policy object identifier in an issued certificate indicates that the certificate was issued in a manner that meets the issuance requirements associated with the defined issuance policy object identifier.

Private Key: A digital key held by an individual or end-entity used for decrypting documents that have been encrypted for them with a corresponding public key and/or for digitally signing documents.

Public Key: A digital key that corresponds to a private key belonging to an individual that is used for encrypting a document for that individual and/or for verifying their digital signature on a document.

Public Key Infrastructure (PKI): A PKI is a technical infrastructure that is used to bind a private key to an identity through the issuance of a digital certificate by a trusted third party (a CA).

Root CA: A certification authority that sits at the top of a CA Hierarchy or PKI.

S/MIME: S/MIME stands for Secure Multipurpose Internet Mail Extensions, and is a standard for the application of public key cryptography to messages encapsulated in the MIME format.

Subordinate CA: A Certificate Authority that is part of a CA hierarchy below a Root CA.

Subscriber: An individual who subscribes for a service.
CERTIFICATION PRACTICE STATEMENT UPDATE
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
The name of the Contract Signer (as hereinafter defined) duly authorized by the Applicant to bind the Applicant to this Agreement is.
Trustwave Subscriber Agreement for Digital Certificates Ver. 11JUL14 PLEASE READ THIS AGREEMENT AND THE TRUSTWAVE CERTIFICATION PRACTICES STATEMENTS ( CPS ) CAREFULLY BEFORE USING THE CERTIFICATE ISSUED
Advantage Security Certification Practice Statement
Advantage Security Certification Practice Statement Version 3.8.5 Effective Date: 01/01/2012 Advantage Security S. de R.L. de C.V. Prol. Paseo de la Reforma # 625 Int 402, Col Paseo de las Lomas. Del Alvaro
Ford Motor Company CA Certification Practice Statement
Certification Practice Statement Date: February 21, 2008 Version: 1.0.1 Table of Contents Document History... 1 Acknowledgments... 1 1. Introduction... 2 1.1 Overview... 3 1.2 Ford Motor Company Certificate
Certification Practice Statement
Certification Practice Statement Revision R1 2013-01-09 1 Copyright Printed: January 9, 2013 This work is the intellectual property of Salzburger Banken Software. Reproduction and distribution require
Symantec Trust Network (STN) Certificate Policy
Symantec Trust Network (STN) Certificate Policy Version 2.8.5 Effective Date: September 8, 2011 Symantec Corporation 350 Ellis Street Mountain View, CA 94043 USA +1 650.527.8000 http//:www.symantec.com
Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States
Globe Hosting Certification Authority Globe Hosting, Inc. 501 Silverside Road, Suite 105, Wilmington, DE 19809, County of New Castle, United States www.globessl.com TABLE OF CONTENTS 1. INTRODUCTION...
Fraunhofer Corporate PKI. Certification Practice Statement
Fraunhofer Corporate PKI Certification Practice Statement Version 1.1 Published in June 2012 Object Identifier of this Document: 1.3.6.1.4.1.778.80.3.2.1 Contact: Fraunhofer Competence Center PKI Fraunhofer
EuropeanSSL Secure Certification Practice Statement
EuropeanSSL Secure Certification Practice Statement Eunetic GmbH Version 1.0 14 July 2008 Wagnerstrasse 25 76448 Durmersheim Tel: +49 (0) 180 / 386 384 2 Fax: +49 (0) 180 / 329 329 329 www.eunetic.eu TABLE
X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities
X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities Version 5.1 May 2014 Notice to all parties seeking to rely Reliance
Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement
Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement Version 2.2 Document OID: 1.3.6.1.4.1.36355.2.1.2.2 February 2012 Contents
SWITCHaai Metadata CA. Certificate Policy and Certification Practice Statement
SWITCHaai Metadata CA Certificate Policy and Certification Practice Statement Version 1.0, OID 2.16.756.1.2.6.7.1.0 July 15, 2008 Table of Contents 1. INTRODUCTION...6 1.1 Overview...6 1.2 Document name
Vodafone Group CA Web Server Certificate Policy
Vodafone Group CA Web Server Certificate Policy Publication Date: 06/09/10 Copyright 2010 Vodafone Group Table of Contents Acknowledgments... 1 1. INTRODUCTION... 2 1.1 Overview... 3 1.2 Document Name
thawte Certification Practice Statement Version 2.3
thawte Certification Practice Statement Version 2.3 Effective Date: July, 2006 thawte Certification Practice Statement 2006 thawte, Inc. All rights reserved. Printed in the United States of America. Revision
Certificate Policy and Certification Practice Statement
DigiCert Certificate Policy and Certification Practice Statement DigiCert, Inc. Version 3.03 March 15, 2007 333 South 520 West Lindon, UT 84042 USA Tel: 1-801-805-1620 Fax: 1-801-705-0481 www.digicert.com
phicert Direct Certificate Policy and Certification Practices Statement
phicert Direct Certificate Policy and Certification Practices Statement Version 1. 1 Effective Date: March 31, 2014 Copyright 2013-2014 EMR Direct. All rights reserved. [Trademark Notices] phicert is a
- X.509 PKI EMAIL SECURITY GATEWAY. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1
- X.509 PKI EMAIL SECURITY GATEWAY Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1 Commerzbank AG - Page 1 Document control: Title: Description : RFC Schema: Authors: Commerzbank
Government CA Government AA. Certification Practice Statement
PKI Belgium Government CA Government AA Certification Practice Statement 2.16.56.1.1.1.3 2.16.56.1.1.1.3.2 2.16.56.1.1.1.3.3 2.16.56.1.1.1.3.4 2.16.56.1.1.1.6 2.16.56.1.1.1.6.2 2.16.56.9.1.1.3 2.16.56.9.1.1.3.2
Certificate Policy for. SSL Client & S/MIME Certificates
Certificate Policy for SSL Client & S/MIME Certificates OID: 1.3.159.1.11.1 Copyright Actalis S.p.A. All rights reserved. Via dell Aprica 18 20158 Milano Tel +39-02-68825.1 Fax +39-02-68825.223 www.actalis.it
thawte Certification Practice Statement
thawte Certification Practice Statement Version 3.7.5 Effective Date: 4 June, 2012 (All CA/Browser Forum-specific requirements are effective on July 1, 2012) thawte Certification Practice Statement 2012
Getronics Certification Certificate of Authentic Trustworthy
Getronics Version 3.0 Effective Date: 15 october, 2008 Getronics Nederland B.V. Fauststraat 1 P.O. Box 9105 7300 HN Apeldoorn The Netherlands Phone: +31 (0)20 570 4511 http://www.pki.getronicspinkroccade.nl
Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr
Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr Version 0.3 August 2002 Online : http://www.urec.cnrs.fr/igc/doc/datagrid-fr.policy.pdf Old versions Version 0.2 :
Bangladesh Bank Certification Authority (BBCA) Certification Practice Statement (CPS)
[Draft] Bangladesh Bank Certification Authority (BBCA) Certification Practice Statement (CPS) Version: 1.00 August, 2015 Bangladesh Bank Page 2 of 42 Document Reference Title Document Type Bangladesh Bank
TeliaSonera Server Certificate Policy and Certification Practice Statement
TeliaSonera Server Certificate Policy and Certification Practice Statement v.1.4 TeliaSonera Server Certificate Policy and Certification Practice Statement CA name Validation OID TeliaSonera Server CA
SSL.com Certification Practice Statement
SSL.com Certification Practice Statement SSL.com Version 1.0 February 15, 2012 2260 W Holcombe Blvd Ste 700 Houston, Texas, 77019 US Tel: +1 SSL-CERTIFICATE (+1-775-237-8434) Fax: +1 832-201-7706 www.ssl.com
Visa Public Key Infrastructure Certificate Policy (CP)
Visa Public Key Infrastructure Certificate Policy (CP) Version 1.7 Effective: 24 January 2013 2010-2013 Visa. All Rights Reserved. Visa Public Important Note on Confidentiality and Copyright The Visa Confidential
Symantec External Certificate Authority Key Recovery Practice Statement (KRPS)
Symantec External Certificate Authority Key Recovery Practice Statement (KRPS) Version 2 24 April 2013 (Portions of this document have been redacted.) Symantec Corporation 350 Ellis Street Mountain View,
ING Public Key Infrastructure Certificate Practice Statement. Version 5.3 - June 2015
ING Public Key Infrastructure Certificate Practice Statement Version 5.3 - June 2015 Colophon Commissioned by Additional copies ING Corporate PKI Policy Approval Authority Additional copies of this document
INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456. Aristotle University of Thessaloniki PKI (www.pki.auth.gr) WHOM IT MAY CONCERN
Title INDEPENDENT AUDIT REPORT BASED ON THE REQUIREMENTS OF ETSI TS 101 456 Customer Aristotle University of Thessaloniki PKI (www.pki.auth.gr) To WHOM IT MAY CONCERN Date 18 March 2011 Independent Audit
DigiCert Certification Practice Statement
DigiCert Certification Practice Statement DigiCert, Inc. Version 2.22 June 01, 2005 333 South 520 West Orem, UT 84042 USA Tel: 1-801-805-1620 Fax: 1-801-705-0481 www.digicert.com 1 General...7 1.1 DigiCert,
epki Root Certification Authority Certification Practice Statement Version 1.2
epki Root Certification Authority Certification Practice Statement Version 1.2 Chunghwa Telecom Co., Ltd. August 21, 2015 Contents 1. INTRODUCTION... 1 1.1 OVERVIEW... 1 1.1.1 Certification Practice Statement...
Comodo Certification Practice Statement
Comodo Certification Practice Statement Notice: This CPS should be read in conjunction with the following documents:- * LiteSSL addendum to the Certificate Practice Statement * Proposed Amendments to the
Ericsson Group Certificate Value Statement - 2013
COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...
Certification Practice Statement for TC TrustCenter Adobe Certified Document Services Certificates
Certification Practice Statement for TC TrustCenter Adobe Certified Document Services Certificates Version 1.0.1 June 22 th, 2010 TC TrustCenter GmbH June 22th, 2010 Page 1 of 27 Table of Contents I. INTRODUCTION
TACC ROOT CA CERTIFICATE POLICY
TACC ROOT CA CERTIFICATE POLICY AND CERTIFICATE PRACTICES STATEMENT (In RFC 3647 format) January 20, 2009 OID: 1.3.6.1.4.1.17940.5.1.1.1 Version 1.2 1 INTRODUCTION... 3 1.1 Overview...3 1.2 Document Name
TC TrustCenter GmbH. Certification Practice Statement
TC TrustCenter GmbH Certification Practice Statement NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certification Practice Statement is published in conformance
Registration Practices Statement. Grid Registration Authority Approved December, 2011 Version 1.00
Registration Practices Statement Grid Registration Authority Approved December, 2011 Version 1.00 i TABLE OF CONTENTS 1. Introduction... 1 1.1. Overview... 1 1.2. Document name and Identification... 1
Tata Consultancy Services Limited Certifying Authority. Certification Practice Statement
Tata Consultancy Services Limited Certifying Authority Certification Practice Statement IN SUPPORT OF PUBLIC KEY INFRASTRUCTURE SERVICES TCS-CA TRUST NETWORK DATE OF PUBLICATION: DECEMBER 2007 PROPOSED
ENTRUST CERTIFICATE SERVICES
ENTRUST CERTIFICATE SERVICES Certification Practice Statement for Extended Validation (EV) SSL Certificates Version: 1.3 February 28, 2011 2011 Entrust Limited. All rights reserved. Revision History Issue
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
BUYPASS CLASS 3 SSL CERTIFICATES Effective date: 11.06.2013
CERTIFICATE POLICY BUYPASS CLASS 3 SSL CERTIFICATES Effective date: 11.06.2013 PUBLIC Version: 2.0 Document date: 11.05.2013 Buypass AS Nydalsveien 30A, PO Box 4364 Nydalen Tel.: +47 23 14 59 00 E-mail:
TC TrustCenter GmbH Certification Practice Statement and Certificate Policy for Qualified Certificates
GmbH Certification Practice Statement and Certificate Policy Version 1.0 of June 11 th, 2007 NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This Certification
CPS. Version 1.5.1. Effective Date: November 29, 2006. Policy OID: 2.16.840.1.114404.1.1.2.3.1. 2006 SecureTrust Corporation. All Rights Reserved.
SecureTrust Corporation Certificate Practice Statement CPS for Organizationally Validated Standard Assurance Certificates Version 1.5.1 Effective Date: November 29, 2006 Policy OID: 2.16.840.1.114404.1.1.2.3.1
L@Wtrust Class 3 Registration Authority Charter
Class 3 Registration Authority Charter Version 1.0 applicable from 09 November 2010 Building A, Cambridge Park, 5 Bauhinia Street, Highveld Park, South Africa, 0046 Phone +27 (0)12 676 9240 Fax +27 (0)12
Post.Trust Certificate Authority
Post.Trust Certificate Authority Certification Practice Statement CA Policy and Procedures Document Issue date: 03 April 2014 Version: 2.7.2.1 Release Contents DEFINITIONS... 6 LIST OF ABBREVIATIONS...
TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0
TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT Version 2.0 Effective Date: 14 April 2015 TABLE OF CONTENTS 1. INTRODUCTION 1.1 Overview 1.2 Document name and identification 1.3 PKI participants 1.3.1
Certificate Policy. SWIFT Qualified Certificates SWIFT
SWIFT SWIFT Qualified Certificates Certificate Policy This Certificate Policy applies to Qualified Certificates issued by SWIFT. It indicates the requirements and procedures to be followed, and the responsibilities
APPLICATION FOR DIGITAL CERTIFICATE
Application ID Number (For Official Use only) APPLICATION FOR DIGITAL CERTIFICATE Instructions: 1. Please fill the form in BLOCK LETTERS ONLY. 2. All fields are mandatory. 3. Present one (1) copy and the
GENERAL PROVISIONS...6
Preface This Key Recovery Policy (KRP) is provided as a requirements document to the External Certification Authorities (ECA). An ECA must implement key recovery policies, procedures, and mechanisms that
PEXA Public Key Infrastructure (PKI) Certification Authority Certificate Policy
PEXA Public Key Infrastructure (PKI) Certification Authority Certificate Policy Version: 1.0 Issued: August 2014 Status: Final PEXA Certification Authority Certificate Profile 1. Introduction Property
TeliaSonera Public Root CA. Certification Practice Statement. Revision Date: 2006-11-17. Version: Rev A. Published by: TeliaSonera Sverige AB
Document no 1/011 01-AZDA 102 213 TeliaSonera Sverige AB Certification Practice Statement Rev A TeliaSonera Public Root CA Certification Practice Statement Revision Date: 2006-11-17 Version: Rev A Published
CA Certificate Policy. SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT
CA Certificate Policy SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT This page is intentionally left blank. 2 ODETTE CA Certificate Policy Version Number Issue Date Changed By 1.0 1 st April 2009 Original
Trusted Certificate Service
TCS Server and Code Signing Personal CA CPS Version 2.0 (rev 15) Page 1/40 Trusted Certificate Service TCS Server CAs, escience Server CA, and Code Signing CA Certificate Practice Statement Version 2.0
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
Microsoft Trusted Root Certificate: Program Requirements
Microsoft Trusted Root Certificate: Program Requirements 1. Introduction The Microsoft Root Certificate Program supports the distribution of root certificates, enabling customers to trust Windows products.
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS)
Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement (CP/CPS) Version 2.4 June 15, 2009 i Starfield CP-CPS V2.4 Table of Contents 1 Introduction... 1 1.1 Overview... 1 1.2
PKI NBP Certification Policy for ESCB Encryption Certificates. OID: 1.3.6.1.4.1.31995.1.2.3.1 version 1.2
PKI NBP Certification Policy for ESCB Encryption Certificates OID: 1.3.6.1.4.1.31995.1.2.3.1 version 1.2 Security Department NBP Warsaw, 2015 Table of Contents 1. Introduction 1 1.1 Overview 1 1.2 Document
American International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2
American International Group, Inc. DNS Practice Statement for the AIG Zone Version 0.2 1 Table of contents 1 INTRODUCTION... 6 1.1 Overview...6 1.2 Document Name and Identification...6 1.3 Community and
PKI NBP Certification Policy for ESCB Signature Certificates. OID: 1.3.6.1.4.1.31995.1.2.2.1 version 1.5
PKI NBP Certification Policy for ESCB Signature Certificates OID: 1.3.6.1.4.1.31995.1.2.2.1 version 1.5 Security Department NBP Warsaw, 2015 Table of Contents 1. Introduction 1 1.1 Overview 1 1.2 Document
Trust Service Principles and Criteria for Certification Authorities
Trust Service Principles and Criteria for Certification Authorities Version 2.0 March 2011 (Effective July 1, 2011) (Supersedes WebTrust for Certification Authorities Principles Version 1.0 August 2000)
Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012
Certipost Trust Services Version 1.2 Effective date 03 May 2012 Certipost NV ALL RIGHTS RESERVED. 2 13 Definitions : Activation Data Certificate Certificate Holder Certificate Public Registry Certificate
X.509 Certificate Policy for India PKI
X.509 Certificate Policy for India PKI Version 1.4 May 2015 Controller of Certifying Authorities Department of Information Technology Ministry of Communications and Information Technology Document Control
Trustwave Holdings, Inc
Trustwave Holdings, Inc Certificate Policy and Certification Practices Statement Version 2.9 Effective Date: July 13, 2010 This document contains Certification Practices and Certificate Policies applicable
ENTRUST CERTIFICATE SERVICES
ENTRUST CERTIFICATE SERVICES Certification Practice Statement Version: 2.13 February 12, 2016 2016 Entrust Limited. All rights reserved. Revision History Issue Date Changes in this Revision 1.0 May 26,
The Boeing Company. Boeing Commercial Airline PKI. Basic Assurance CERTIFICATE POLICY
The Boeing Company Boeing Commercial Airline PKI Basic Assurance CERTIFICATE POLICY Version 1.4 PA Board Approved: 7-19-2013 via e-mal PKI-233 BCA PKI Basic Assurance Certificate Policy Page 1 of 69 Signature
Trusted Certificate Service (TCS)
TCS Personal and escience Personal CA CPS Version 2.0 (rev 15) Page 1/40 Trusted Certificate Service (TCS) TCS Personal CA, escience Personal CA, and Document Signing CA Certificate Practice Statement
Certification Practice Statement of CERTUM s Certification Services
Certification Practice Statement of CERTUM s Certification Services Appendix 3: Guidelines for the issuance and management of Extended Validation SSL certificates Version 3.2 Date: 9 th of February, 2011
Canadian Pharmaceutical Distribution Network Certificate Authority Services Agreement. In this document:
Canadian Pharmaceutical Distribution Network Certificate Authority Services Agreement In this document: Company refers to the hospital, hospital group, or other entity that has been pre- registered by
GlobalSign CA Certificate Policy
GlobalSign CA Certificate Policy Date: December 17 th 2007 Version: v.3.0 Table of Contents Document History...1 Acknowledgments...2 1. Introduction...3 1.1 Overview...4 1.1.1 GlobalSign Rootsign...5 1.1.2
CERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE. 2015 Notarius Inc.
CERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE 2015 Notarius Inc. Document Version: 4.5 OID: 2.16.124.113550 Effective Date: July 17, 2015 TABLE OF CONTENTS 1. GENERAL PROVISIONS...8 1.1 PURPOSE...8
