Symantec Managed Public Key Infrastructure (PKI) Service




Service Description

Service Overview

The Symantec Managed Public Key Infrastructure (PKI) Service ("Managed PKI Service" or "Service") provides a flexible PKI platform to manage the complete certificate lifecycle: to issue new certificates, renew existing certificates, and revoke untrustworthy certificates. Additionally, Managed PKI Service provides the ability to escrow and recover private keys of certificates used to encrypt emails, file systems, or other data, as well as numerous validation services to verify certificates' current status to ensure only trustworthy certificates perform such actions as encrypting data, digitally signing documents, or authenticating onto networks.

This Service Description, with any attachments included by reference, is part of any agreement which incorporates this Service Description by reference (collectively, the "Agreement"), for the Service which is described in this Service Description and is provided by Symantec.

Table of Contents

Technical/Business Functionality and Capabilities
Service Features
Symantec Obligations
Customer Responsibilities
Assistance and Technical Support
Service Specific Terms
No Auto Renewal
Service Conditions
Evaluation License
Use of Microsoft Auto Enrollment
Service Level Agreement
Definitions
Appendices
Appendix A Symantec Trust Network (STN)
Appendix B Private Certificate Authority
Appendix C Adobe Document Signing Services
Appendix D LTE Certificate Service
Appendix E Manufacturer Certificates

SYMANTEC PROPRIETARY PERMITTED USE ONLY
Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo and any other trademark found on the Symantec Trademark List that are referred to or displayed in the document are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The contents of this document are only for use by existing or prospective customers or partners of Symantec, solely for the use and/or acquisition of the Services described in this document.

TECHNICAL/BUSINESS FUNCTIONALITY AND CAPABILITIES

Service Features

As a managed service, the Managed PKI Service significantly reduces costs associated with an in-house PKI. For example, customers would need to acquire cryptographic and application server hardware, purchase server and client licenses, and train staff before issuing the first certificate from an in-house PKI deployment. Customers would have to create their own certificate policy (CP) as a principal statement of policy governing the PKI hierarchy, and a certification practices statement (CPS), which defines certificate process and procedures as well as trusted roles and responsibilities.

The Managed PKI Service is designed as a multi-tenant, highly available environment based on best-of-breed cryptographic and application server hardware. This environment is monitored 24x7x365 by a professionally trained staff that has passed enhanced security background checks, and is audited on a regular basis to maintain WebTrust and SOC 2 accreditation.

The Managed PKI Service creates and manages Certificate Authority (CA) hierarchies. The Managed PKI Service is available in the following standard CA hierarchies:

Symantec Trust Network (STN): see Appendix A
Private Certificate Authority: see Appendix B
Adobe Document Signing Services: see Appendix C
LTE Certificate Service: see Appendix D
Manufacturer Certificates: see Appendix E

Each service account includes at least one CA Certificate for each CA hierarchy that you elect. Additional CA Certificates for a given volume may be purchased later. Any extraction of CA Certificates and/or corresponding key pairs from Symantec systems and services will be subject to agreement of the parties.

The Managed PKI Service offers two (2) deployment models, Cloud and Hybrid, to manage certificate lifecycle. The Cloud deployment model hosts account, certificate, and key management tools in Symantec's data centers.
The Hybrid deployment model also hosts all account, certificate, and key management tools in Symantec's data centers, but this model installs registration authority (RA) and directory integration tools in the customer's data center as well. The deployment models are not exclusive and can use a combination of deployment models based on the needs of various PKI projects. Both deployment models work with desktop middleware, PKI Client, designed to dramatically improve the user experience with the certificate lifecycle.

The Managed PKI Service offers the following management tools:

PKI Manager

PKI Manager is a web portal hosted in Symantec's data centers for a PKI administrator to perform tasks related to account, user, certificate, and key management.

Account Management: PKI Manager enables a PKI administrator to view certificate authorities (CAs), number of Seats, and reports associated with their account(s). PKI Manager also allows a PKI administrator to create and assign responsibilities to additional PKI administrators.

User Management: PKI Manager permits a PKI administrator to add users, revoke users, generate unique enrollment codes for each user, and customize email notifications sent to users. PKI Manager also has the capability to provide users with document- and video-based instructions to configure third-party applications to work with the newly issued certificates.

Certificate Management: PKI Manager enables a PKI administrator to configure certificate profiles for different CAs in their account. As part of these certificate profiles, a PKI administrator sets such parameters as key sizes, key usages, and signing algorithms. A PKI administrator also selects the user experience (enrollment through OS/browser or PKI Client) and security protection level. A PKI administrator decides whether or not to escrow private keys of the certificates. Along with configuring certificate profiles, PKI Manager lets a PKI administrator revoke certificates which have become untrustworthy because a user no longer needs a certificate (e.g., a user left the company) or a private key has been compromised (e.g., a user lost a laptop).

Key Management: PKI Manager provides a PKI administrator with the ability to recover a private key of an encryption certificate.

PKI Certificate Service

PKI Certificate Service hosts the certificate enrollment web pages in Symantec's data centers for users (a.k.a., subscribers) to request certificates. These web pages guide users through the necessary steps to request certificates.
In addition, these web pages may display instructions, provided by a PKI administrator, to configure third-party products.

Certificate Issuance Center

Certificate Issuance Center is the certificate engine hosted in Symantec's data centers. This certificate engine creates certificates based on certificate signing requests submitted from PKI Certificate Service, received from PKI Enterprise Gateway, or sent via Web Services. This certificate engine signs these certificates with the issuing Certificate Authority (CA).

PKI Enterprise Gateway

PKI Enterprise Gateway is a registration authority (RA) application installed in the customer's data center, if desired. This application tightly integrates with a Lightweight Directory Access Protocol (LDAP) source (e.g., Microsoft Active Directory) to automatically approve certificate requests and publish certificate data back into the LDAP source.

PKI Client

PKI Client is an endpoint middleware designed to dramatically improve user experience with the certificate lifecycle. PKI Client is available for desktops on Windows as well as Mac operating systems. In the browser enrollment experience, users use either Microsoft Internet Explorer, Safari, Chrome or Mozilla Firefox to request a certificate from the certificate enrollment web pages. While this native experience does not require any additional software, the native experience has known usability limitations. For example, Microsoft Internet Explorer produces numerous pop-up windows with warning messages that often confuse users. In the PKI Client experience, the certificate lifecycle has been streamlined to automate common functions (i.e., certificate renewal) to minimize user involvement. PKI Client also provides centralized policy management functions (e.g., PIN, export, etc.) to protect certificates. Further, PKI Client has the ability to auto-configure third-party products (e.g., wireless, virtual private network clients, etc.) to use certificates.

Symantec Managed PKI Certificate lifecycle management functions are also available on mobile devices such as iOS devices, which leverage built-in iOS Over the Air (OTA) protocol capabilities. This allows the iOS device or application to make certificate enrollment requests via Apple's SCEP protocol. For mobile operating systems such as the Android OS that don't have an iOS OTA equivalent, Symantec provides a PKI Client that similarly hides the complexity of configuring the device and application to use the certificate.

PKI Web Services

PKI Web Services hosted in the Symantec data center provide the capability to programmatically integrate with the Managed PKI Service. A third-party application can obtain a certificate policy and perform certificate lifecycle functions such as enroll and renew using the API provided by PKI Web Services.

The Managed PKI Service offers the following authentication methods:

Authentication using Enrollment Code

With this type of authentication, a PKI administrator can generate a unique enrollment code for each user in order to automatically approve certificate requests. When a PKI administrator sends certificate invitations to users with a link to the certificate enrollment web page, the PKI administrator includes the unique enrollment code for that user. Users then include their enrollment code along with any additional information in the certificate enrollment web pages. Certificate Issuance Center compares this enrollment code to the information generated in PKI Manager. If there is a match, Certificate Issuance Center issues a certificate. If the user-entered enrollment code does not match the one that was generated for that user, Certificate Issuance Center gives an error message to the user.
Automated Authentication

Automated authentication approves certificate requests based on data in an LDAP source (i.e., Microsoft Active Directory). PKI Enterprise Gateway must be installed in a customer's data center and integrated with an LDAP source. When users submit certificate requests via PKI Certificate Service, PKI Enterprise Gateway compares the data in the certificate requests with the LDAP source. If the data match, PKI Enterprise Gateway approves the certificate requests, signs the certificate requests with the Registration Authority (RA) certificate, and sends the signed certificate requests to Certificate Issuance Center. Otherwise, PKI Enterprise Gateway rejects the certificate requests.

The Managed PKI Service offers the following certificate validation tools:

Certificate Revocation List (CRL)

Many third-party products have the ability to check the certificate's current status (e.g., active, revoked, etc.) through a Certificate Revocation List (CRL). A CRL is a blacklist of revoked certificates that have not yet expired. These products can be configured to download and check the most recent CRL on a regular basis. If a certificate appears on the CRL, these products deny access (e.g., will not authenticate onto networks, digitally sign documents, etc.). Symantec produces a CRL at least once every 24 hours.

Online Certificate Status Protocol (OCSP)

Many third-party products verify the current status of certificates (e.g., active, revoked, etc.) via Online Certificate Status Protocol (OCSP). While all revoked certificates will appear on a CRL, there is a time delay between the certificate's revocation and the next CRL run which may be up to 24 hours for a standard CRL. Symantec immediately updates the certificate's status upon any change (e.g., revoked, suspended, etc.), which is reflected in near real time within Symantec's OCSP tool, Trusted Global Validation (TGV).

Symantec offers the following hardware options to complement the Managed PKI Service:

SafeNet PKI Tokens

Symantec is an authorized reseller of SafeNet hardware USB tokens.
In addition, these tokens also come with a three (3) year warranty as described in the Warranty Information Supplement available in the Repository. These tokens meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria standards.

SafeNet Hardware Security Modules (HSMs)

Symantec is an authorized reseller of SafeNet Luna hardware security modules (HSMs), which consist of Luna PCI cards, Luna SA network appliances, and Luna PCM tokens. These HSMs may also include firmware or associated software (such as SafeNet Authentication Client). While these HSMs include a one (1) year basic warranty, Symantec resells optional SafeNet extended warranty programs for an additional charge. These HSMs also meet FIPS 140-2 Level 2 and Common Criteria standards.

Title to any HSMs sold will pass to Customer or to any party designated by Customer upon shipment from Symantec. Delivery of all items is Ex Works (EXW) Symantec's shipping point, Incoterms 2010. Delivery of HSMs is complete when such are made available to the carrier at Symantec's shipping point. Freight terms must be collect or third party.

If Customer elects to purchase HSMs through Symantec ("Customer HSMs") and have such Customer HSMs stored at Symantec's datacenter, then Customer HSMs will be stored and protected in the same fashion as Symantec's own HSMs. Upon any expiration or termination of Symantec's applicable services provided to Customer, upon Customer's request, Symantec will transfer Customer HSMs to Customer in accordance with the industry's best practice. Transfer of Customer HSMs will be at no cost to Customer, provided, however, that if Customer requests technical support in connection with the transfer of Customer HSMs, Symantec will provide transition support under a separately negotiated statement of work that is mutually agreeable to the parties.

Symantec offers the following types of Certificates or Seats through the Managed PKI Service:

User Seats: Certificates issued to human Subscribers that authenticate them as users accessing the private network over VPN/WiFi. Certificates issued under such User Seats allow multiple quantities and different types of user certificates (VPN, WiFi, SMIME, etc. from the User Seat Pool) to be issued to these users. One User Seat can mean multiple quantities of certificates issued to a single and unique user.

Device Seats: Certificates issued to devices (such as laptops, computers, LTE equipment, etc.) as Subscribers to allow such devices access to a private network. Unlike the User Seats, a Device Seat means a certificate issued to a device and to be used on one (1) physical device only.

Server Seats: Certificates issued to an organization's internal servers as Subscribers to assure such servers' identity to users or devices requesting access to the intranet websites hosted on the servers. Managed PKI Service issues private hierarchy server certificates as part of this solution. Each physical or virtualized server requires a Server Seat.

Organization Certificates: Certificates issued to an organization or entity as the Subscriber to allow identity assurance (such as in the case of private code signing Certificates) and also digital signatures (as in the case of Word or PDF signing at the organizational level).

The following are restrictions for Organization Certificates. Customer must not use a code signing, or any other Organizational Certificate: (i) for or on behalf of any organization other than Customer's organization; (ii) to perform private or public key operations in connection with any domain and/or organization name other than the one Customer submitted on the Certificate Application; (iii) to distribute malicious or harmful content of any kind including, but not limited to, content that would otherwise have the effect of inconveniencing the recipient of such content; or (iv) in a manner that transfers control or permits access for the private key corresponding to the public key of the Certificate to anyone other than an employee that Customer has authorized (any such transfer to be in a secure manner so as to protect the private key).

Symantec Obligations

Following completion of the requisite installation, Symantec will provide Customer with the services specified in this Service Description. Symantec will issue, manage, revoke, and/or renew Certificates in accordance with the instructions provided by Customer and its Managed PKI Administrator(s). Upon Customer's approval of a Certificate Application, Symantec: (1) is entitled to rely upon the accuracy of the information in each such approved Certificate Application; and (2) will issue a Certificate for the Certificate Applicant for which such Certificate Application was submitted. Certificates issued or licensed under this Service Description, including Administrator Certificates, will have a maximum Operational Period of twelve (12) months from the date each Certificate is issued. During a single CA Key Generation event, Symantec will generate for Customer pairs of CA keys for use in signing Certificates issued by Symantec on behalf of Customer in the STN or such other hierarchy of Customer's election. The Customer CA Private Key of each key pair will be stored in one or more hardware security modules.

Customer Responsibilities

Symantec can only perform the Service if Customer provides required information or performs required actions. If Customer does not provide/perform per the following responsibilities, Symantec's performance of the Service may be delayed, impaired or prevented, as noted below.

Setup Enablement: Customer must provide information required for Symantec to begin providing the Service.

Adequate Customer Personnel: Customer must provide adequate personnel to assist Symantec in delivery of the Service, upon reasonable request by Symantec.
Customer must ensure that:

all information material to the issuance of a Certificate and validated by or on behalf of Customer is true and correct in all material respects;
Customer's approval of Certificate Applications will not result in Erroneous Issuance;
Customer's revocation of Certificates complies with the STN CPS or the Adobe CPS (if and as applicable);
Customer has substantially complied with the STN CPS or the Adobe CPS (if and as applicable);
Customer has substantially complied with the RA requirements (if applicable);
Certificate information provided to Symantec will not infringe the intellectual property rights of any third party (such as domain squatting);
information in the Certificate Application(s) (including email address(es)) has not been and will not be used for any unlawful purpose;
Customer's Managed PKI Administrator has been (since the time of the Administrator Certificate's creation) and will remain the only person possessing the Administrator Certificate's Private Key, any challenge phrase, PIN, software, or hardware mechanism protecting the Private Key, and no unauthorized person has had or will have access to such material or information;

Customer will use the Administrator Certificate exclusively for authorized and legal purposes consistent with this Service Description; and
Customer will not monitor, interfere with or reverse engineer the technical implementation of the Symantec systems or software or otherwise knowingly compromise the security of the Symantec systems or software.

Assistance and Technical Support

The support and maintenance commitments of Symantec are described in the applicable Service Level Agreement available in the Repository.

SERVICE SPECIFIC TERMS

No Auto Renewal

Notwithstanding anything to the contrary in the Agreement, there is no automatic renewal of the NSL Service. Before the NSL Service expires, Customer must contact Symantec or its channel reseller partner to renew.

Service Conditions

Administrator Certificate: Upon Customer's submission of a Certificate Application for an Administrator Certificate and Symantec's completion of authentication procedures required for the Administrator Certificate, Symantec will process the Certificate Application. Symantec will notify Customer whether Customer's Certificate Application for an Administrator Certificate is approved or rejected. Managed PKI Administrator's use of the PIN from Symantec to pick up the Administrator Certificate or otherwise installing or using the Administrator Certificate will constitute Managed PKI Administrator's acceptance of the Administrator Certificate. After the Managed PKI Administrator picks up or otherwise installs the Administrator Certificate, the Managed PKI Administrator must review the information in it before using it and promptly notify Symantec of any errors. Upon receipt of such notice, Symantec may revoke the Administrator Certificate and issue a corrected Administrator Certificate.
Survival: In addition to the termination provisions set forth in the Agreement, the revocation and security requirements in this Service Description and any applicable CPS will survive termination of the Agreement or the applicable order document until the end of the Operational Period of all Certificates issued hereunder.

Compliance with Local Laws: Customer is responsible for ensuring that Customer's acquisition, use, or acceptance of public and private key pairs generated by Symantec in accordance with this Service Description complies with applicable local laws, rules and regulations including but not limited to export and import laws, rules, and regulations in the jurisdiction in which Customer acquires, uses, accepts or otherwise receives such key pairs.

Audit Rights: Symantec may conduct an audit of Customer's procedures not more than once per year to ensure compliance with the terms of this Service Description. Any such audit will be conducted during business hours upon reasonable written notice to Customer and will not unreasonably interfere with Customer's business activities. Customer must reasonably cooperate with Symantec in connection with any such audit. If the audit reveals that Customer has breached any term of the Service Description terms and conditions, then: (1) Customer will pay Symantec's reasonable costs of conducting the audit, and (2) notwithstanding the one audit per year limitation stated above, Symantec may conduct such further audits as it deems reasonably necessary to ensure compliance with the terms herein. Routine annual audits may only cover the activities of the immediately preceding year.

Use Restrictions: Certificates issued to Subscribers may not be integrated with or installed in any Relying Party that does not correspond to the applicable Certificate request. Each Certificate must be used only for its intended use as the type of such Certificate indicates.

Please refer to CA hierarchy specific additional conditions as follows:

Symantec Trust Network (STN): see Appendix A
Private Certificate Authority: see Appendix B
Adobe Document Signing Services: see Appendix C
LTE Certificate Service: see Appendix D
Manufacturer Certificates: see Appendix E

The use of any Service Component in the form of software shall be governed by the license agreement accompanying the software. If no EULA accompanies the Service Component, it shall be governed by the terms and conditions located at http://www.symantec.com/content/en/us/enterprise/eulas/b-hosted-service-component-eula-eng.pdf. Any additional rights and obligations with respect to the use of such Service Component shall be as set forth in this Service Description.

Except as otherwise specified in the Service Description, the Service (including any Hosted Service Software Component provided therewith) may use open source and other third-party materials that are subject to a separate license. Please see the applicable Third Party Notice, if applicable, at http://www.symantec.com/about/profile/policies/eulas/.

Symantec may update the Service at any time in order to maintain the effectiveness of the Service.

The Service may be accessed and used globally, subject to applicable export compliance limitations and technical limitations in accordance with the then-current Symantec standards.

Evaluation License

These terms and conditions apply if Customer is accessing the Service for evaluation purposes.

Use Rights.
The licenses granted to Customer are for restricted use solely for the purposes of internal, non-commercial, non-production evaluation and interoperability testing of the Service. Customer may not use the Service for any other purposes.

Evaluation Period. The licenses granted to Customer are time limited, and continue through the trial end date as specified upon Customer's enrollment for evaluation license (the "Evaluation Period"). Unless Customer purchases a commercial license for the Service, the licenses granted to Customer are terminated upon expiration of the Evaluation Period.

After Termination. Customer must cease using the Service upon termination. Any termination will not relieve either party of any obligations that accrued prior to the date of such termination. The terms that by their nature are intended to survive beyond the termination, cancellation, or expiration will survive.

LIMITATION OF LIABILITY. IN NO EVENT WILL SYMANTEC BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, ANY LOST REVENUE, LOST PROFITS, OR CONSEQUENTIAL DAMAGES EVEN IF ADVISED OF THEIR POSSIBILITY.

DISCLAIMERS. IF THE SERVICE CONTAINS TECHNOLOGY THAT SYMANTEC HAS NOT PUBLICLY ANNOUNCED ITS GENERAL AVAILABILITY, THE SERVICE MAY NOT PERFORM AT THE LEVEL OF A FINAL, GENERALLY AVAILABLE PRODUCT. THE SERVICE MAY NOT OPERATE CORRECTLY, AND MAY BE SUBSTANTIALLY MODIFIED PRIOR TO FIRST COMMERCIAL RELEASE, IF ANY. THE PARTIES ACKNOWLEDGE THAT THE SERVICE OR SOFTWARE PROVIDED TO CUSTOMER PURSUANT TO AND FOR THE PURPOSES OF EVALUATION ARE PROVIDED "AS IS" AND WITHOUT ANY WARRANTY WHATSOEVER. SYMANTEC DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. THE PARTIES FURTHER ACKNOWLEDGE THAT THE SERVICE DESCRIPTION IS SOLELY FOR THE PURPOSE OF DESCRIBING THE SERVICE AND THAT ANY REPRESENTATIONS, WARRANTIES, SERVICE LEVEL COMMITMENTS OR OTHER SYMANTEC COMMITMENTS, OBLIGATIONS OR LIABILITIES ARE HEREBY DISCLAIMED BY SYMANTEC. NO SYMANTEC AGENT OR EMPLOYEE IS AUTHORIZED TO MAKE ANY MODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY.

Order of Precedence. In the event of any conflict between this Section and any provision of the Agreement, this Section will prevail and supersede such other provisions with respect to the Service while provided for evaluation purposes.

Use of Microsoft Auto Enrollment

If you use the Microsoft Auto Enrollment component of the MPKI Service, then the following MICROSOFT REQUIRED SUPPLEMENTAL OBLIGATIONS will apply:

(a) Disclaimer of Warranties. MICROSOFT AND ITS AFFILIATES MAKE NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY AS TO THE SERVER SOFTWARE PROVIDED HEREUNDER ("SERVER SOFTWARE"), AND HAVE NO RESPONSIBILITY FOR ITS PERFORMANCE OR FAILURE TO PERFORM.
AS TO MICROSOFT, THE SERVER SOFTWARE IS PROVIDED "AS IS AND WITH ALL FAULTS," AND MICROSOFT AND ITS AFFILIATES HEREBY DISCLAIM ALL OTHER WARRANTIES, DUTIES AND CONDITIONS, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) IMPLIED WARRANTIES, CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF RELIABILITY OR AVAILABILITY, ALL WITH REGARD TO THE SERVER SOFTWARE. ALSO, MICROSOFT AND ITS AFFILIATES MAKE NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SERVER SOFTWARE.

(b) Exclusion of Certain Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SERVER SOFTWARE, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION, SOFTWARE, AND RELATED CONTENT THROUGH THE SERVER SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SERVER SOFTWARE, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY OF THESE SERVICE DESCRIPTION TERMS AND CONDITIONS, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT, AND EVEN IF MICROSOFT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

(c) Server Software Requirements.
Customer may use only one (1) copy (unless otherwise specified in the applicable Services Order or Statement of Work) of the Server Software provided hereunder as specified in the documentation accompanying this software, and only to interoperate or communicate with native Microsoft Windows 2000 Professional, Windows XP Home or Professional, or Vista client operating systems (or any successors thereto). Customer may not use the Server Software on a Personal Computer under any circumstances. For purposes of the foregoing, a "Personal Computer" means any computer configured so that its primary purpose is for use by one person at a time and that uses a video display and keyboard.

(d) Third Party Beneficiary. Notwithstanding any inconsistent terms of the Agreement, Customer hereby agrees that Microsoft Corporation, as a licensor of intellectual property included in the Server Software, is intended to be a third party beneficiary of these Service Description terms and conditions with rights to enforce any terms herein that affect any included Microsoft intellectual property or other Microsoft interest related to the terms hereof.

(e) Server Class 2. If Customer has elected the Server Class 2, Customer may use the Server Software on a server that (a) contains not more than four (4) processors, where each such processor has a maximum of thirty-two (32) bits and four (4) gigabytes of RAM, and (b) is not capable of having memory added, changed or removed without the requirement that the server on which it is running be rebooted ("Hot Swapping Capabilities"). Customer may not use the Server Software in conjunction with any software that supports Hot Swapping Capabilities or Clustering Capabilities, where "Clustering Capabilities" means the ability to allow a group of servers to function as a single high-availability platform for running applications using application failover between Server nodes in the group.

(f) Audit Rights. Symantec may audit Customer and inspect Customer's facilities and procedures during regular business hours at Customer premises upon not less than fourteen (14) days' notice to verify Customer's compliance with all terms and conditions hereof.
Notwithstanding any inconsistent terms of the Agreement (including without limitation any confidentiality provisions), should Customer refuse to undergo such audit and Symantec has reason to believe Customer may not be in compliance with the Service Description terms and conditions, Customer agrees that Symantec may disclose to Microsoft Customer's identity and the basis for Symantec's belief of noncompliance.

(g) Multiplexing Devices. Hardware or software that reduces the number of users directly accessing or using services provided by the Server Software does not reduce the number of users deemed to be accessing or using services provided by the Server Software. The number of users accessing or using the Server Software is equal to the number of users who access or use, either directly or through a Multiplexing Device, services provided by (a) the Server Software or (b) any other software or system where the authentication or authorization for such software or system is provided by the Server Software (an "Other Authenticated System"). As used here, a "Multiplexing Device" means any hardware or software that provides or obtains access, directly or indirectly, to services provided by the Server Software or any Other Authenticated System to or on behalf of multiple other users through a reduced number of connections.

(h) Windows CAL Requirement. Customer must acquire and dedicate a separate Windows CAL for each user that is accessing or using, either directly or through or from a Multiplexing Device, services provided by the Server Software or any Other Authenticated System.
A "Windows CAL" means (a) a Windows Device Client Access License ("CAL"), or a Windows User CAL, in either case for a Microsoft Windows Server 2003 (Standard Edition, Enterprise Edition, or Datacenter Edition) server operating system product (or any successors thereto) ("Windows Server"); or (b) a Microsoft Core CAL that provides an individual person or electronic device with rights to access and use Windows Server, in either of (a) or (b) above that Customer has acquired for use with one or more such Microsoft Windows Server operating system products or electronic device and that is used on a per user or per device basis.

SERVICE LEVEL AGREEMENT. The service availability commitments of Symantec are described in the applicable Service Level Agreement available in the Repository.

DEFINITIONS

Capitalized terms used in this Service Description, and not otherwise defined in the Agreement or this Services Description, have the meaning given below:

"Administrator Certificate" means the Certificate issued by Symantec to the Customer employee or such other Trusted Person designated as the Managed PKI Administrator for the sole purpose of accessing the PKI Manager to perform Administrator functions. [For Appendix D LTE Certificate Service only] "Administrator Certificate" means the client Certificate issued by Symantec to a Customer appointed Managed PKI Administrator or such other Trusted Person designated as the Managed PKI Administrator for the purpose of accessing the PKI Manager to manage end entity LTE Certificates or Manufacturers Certificates.

"Affiliated Individual" means a person that is affiliated to Customer: (1) as an officer, director, employee, partner, contractor, intern, or other person within Customer's organization; or (2) as a person maintaining a contractual relationship with Customer's organization where Customer has business records providing strong assurances of the identity of such person.

"CA Certificate" means a Digital Certificate issued to Certification Authority or CA.

"Certificate" or "Digital Certificate" means a digital record that includes, at a minimum, a name or identity of the issuing CA, the Subscriber, the Subscriber's Public Key, the Certificate's Operational Period, a Certificate serial number, and a digital signature of the issuing CA.

"Certificate Applicant" means an individual or organization that requests the issuance of a Certificate by a CA.

"Certificate Application(s)" means a request from a Certificate Applicant (or authorized agent) to a CA for the issuance of a Certificate.

"Certification Authority" or "CA" means a person or entity authorized to issue, suspend, or revoke Certificates.

"Certificate Management Protocol" or "CMP" means a protocol for auto enrollment and lifecycle management of the LTE or Manufacturers certificates. Devices will interface directly with the Symantec PKI system via CMP. The devices must be preauthorized by a Managed PKI Administrator before the device is permitted to send a CMP request to the Symantec PKI system.
"Certification Practices Statement" or "CPS" means a document, as revised from time to time, representing a statement of the practices a CA or RA employs in issuing Certificates. The STN CPS and Adobe CPSs are published in the Repository on the Symantec website.

"Customer" means the entity using the Service.

"Erroneous Issuance" means (a) issuance of a Certificate not materially in accordance with the procedures required by the applicable CPS; (b) issuance of a Certificate to a person, entity or object other than the one named as the subject of the Certificate; or (c) issuance of a Certificate without the authorization of the person, entity or object named as the subject of the Certificate.

"End User License Agreement" or "EULA" means the terms and conditions accompanying Software.

"Key Generation" means the Symantec procedures for proper generation of Customer CA Public Key and Private Key via a trustworthy process and for storage of the Private Key and documentation thereof.

"LTE Certificate" means a message to be stored in a device, including a name, the issuing CA, or a network element in the operator network. The network element may be an Operator Base Station or a Security Gateway or other similar device. In all cases, the LTE Certificate contains the network element's Public Key, Certificate's Operational Period, a Certificate serial number, and a digital signature of the issuing CA.

"Managed PKI Administrator" means an employee of the Registration Authority or such other Trusted Person authorized to perform RA tasks. [For Appendix D LTE Certificate Service only] "Managed PKI Administrator" means a Trusted Employee of Customer or Affiliate that has been designated to perform certain Certificate related administrative functions described in the Service Description.

"Manufacturer" means a business entity that makes devices for distribution and sale.

"Manufacturers Certificates" means Certificates issued to devices and embedded on devices at the time of manufacture that typically have a long lifespan of 35-40 years and do not require a revocation mechanism.

"Operational Period" means a period starting with the date and time a Certificate is issued (or on a later date and time certain if stated in the Certificate) and ending with a date and time at which the Certificate expires, or is earlier revoked. [For Appendix D LTE Certificate Service only] "Operational Period" means a period starting with the date and time a Certificate is issued and ending at the date and time at which the Certificate expires.

"Operator" means a business entity that is a subsidiary of the Customer typically from another country or region and is treated as a Sub-account of the Customer by Symantec.

"Private Hierarchy" means a Certification Authority to issue Certificates in a hierarchy other than STN, and a domain consisting of a system of CAs that issue Certificates in a chain leading from Customer's Root CA through one or more CAs to Subscribers in accordance with Customer's practices.
Certificates issued in a Private Hierarchy are intended to meet the needs of organizations authorizing their issuance and are not intended for interactions between organizations and/or individuals through public channels.

"Private Key" means a mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, decrypt messages or files encrypted (for confidentiality) with the corresponding Public Key.

"Public Key" means a mathematical key that can be made publicly available and which is used to verify signatures created with its corresponding Private Key. Depending on the algorithm, Public Keys are also used to encrypt messages or files which can then be decrypted with the corresponding Private Key.

"Registration Authority" or "RA" means an entity that performs identification and authentication of Certificate Applicants for Certificates, initiates or passes along revocation requests for Certificates, or approves applications for renewal or re-keying of Certificates. An RA is not an agent of a Certificate Applicant. An RA may not delegate the authority to approve Certificate Applications other than to authorized Managed PKI Administrators of the RA.

"Relying Party" means a person, entity or object that acts in reliance of a Certificate and/or a digital signature. A Relying Party may, or may not, also be a Subscriber.

"Repository" means the collection of documents located at www.symantec.com maintained for the purpose of compliance with any applicable CPS.

"Root CA" means the top entity in the domain of trusted hierarchy and Root CA is identified by a Root Certificate.

"Seat" means a single Subscriber that is an authorized end user of the Service, without regard to the number of Certificates actually issued to that Subscriber.

"Service Component" means Software, as may be required by the Service, which must be installed on each Customer computer, in order to receive the Service. Service Component includes the Software and associated documentation that may be separately provided by Symantec as part of the Service.

"Software" means each Symantec or licensor software program, in object code format, licensed to Customer by Symantec and governed by the terms of the accompanying EULA, or this Service Description, as applicable, including without limitation new releases or updates as provided hereunder.

"Subscriber" means a person, entity or object that is the subject of, and has been issued, a Certificate, and is capable of using, and is authorized to use, the Private Key that corresponds to the Public Key listed in the Certificate at issue.

"Subscriber Agreement" is the agreement executed between a Subscriber and the CA or Symantec relating to the provision of designated Certificate related services governing the Subscriber's rights and obligations relating to the Certificate. The STN Subscriber Agreement is published in the Repository on the Symantec website.

"Subscription Instrument" means one or more of the following applicable documents which further defines Customer's rights and obligation related to the Service: a Symantec certificate or a similar document issued by Symantec, or a written agreement between Customer and Symantec, that accompanies, precedes or follows the Service.
"Symantec Trust Network" or "STN" means the Certificate based Public Key Infrastructure governed by the Symantec Trust Network CPS, which enables the worldwide deployment and use of Certificates by Symantec and its affiliates, and their respective customers, Subscribers, and Relying Parties.

"Trusted Person" means an employee, contractor, or consultant of Customer who is responsible for managing infrastructural trustworthiness of Customer, its products, its services, its facilities, and/or its practices.

APPENDICES.

Appendix A: Symantec Trust Network (STN)

Symantec Managed Public Key Infrastructure (PKI) service provides customers with the ability to issue certificates from the Symantec Trust Network (STN). Symantec has worked with hardware and software vendors to embed the STN Primary Certificate Authorities (PCAs) into the most popular web browsers, email applications, operating systems, and network appliances. As a result, certificates chaining to one of these PCAs are automatically trusted by these applications. These certificates can generally be used across organizations without any special preparation by either administrators or users. For example, many customers use STN certificates for secure email which digitally signs and/or encrypts email.

Customer electing STN as a Certificate Authority (CA) is automatically provisioned an issuing CA chaining to Class 2 PCA as part of the account setup. If a customer wants another trademarked name or to change any of the default values in the CA, the customer may purchase an option to create additional CAs.

Note: Customers and users must adhere to the Symantec Trust Network Certification Practice Statement (CPS) to issue, manage, and use these certificates.

ADDITIONAL SERVICE CONDITIONS Apply to Symantec Trust Network Only

Appointment. Symantec hereby appoints Customer as a non-Symantec CA within the STN pursuant to the STN CPS, and Customer accepts such appointment.

STN CPS. Except for the functions outsourced to Symantec under this Service Description, Customer must meet all requirements and perform all obligations imposed upon a CA and/or RA within the STN including but not limited to the STN CPS, as periodically amended. Symantec will notify the Customer appointed Managed PKI Administrator of any amendments by posting the information to the PKI Manager.

Appointment. Customer must appoint one or more authorized Customer employees or Trusted Persons as Managed PKI Administrator(s). Such Managed PKI Administrator(s) must be entitled to appoint additional Managed PKI Administrators on Customer's behalf. Customer must cause Managed PKI Administrators receiving Certificates hereunder to abide by the terms of the applicable Subscriber Agreement.

Administrator Functions. Customer must comply with the requirements stated in the STN CPS as periodically amended, including without limitation, requirements for validating the information in Certificate Applications, approving or rejecting such Certificate Applications, and revoking Certificates, using hardware and software designated by Symantec. Customer must perform such tasks in a competent, professional, and workmanlike manner.
Customer must approve a Certificate Application only if the Certificate Applicant is an Affiliated Individual as to Customer. If a Subscriber, who had been issued a Certificate by Customer, ceases to be affiliated with Customer as an Affiliated Individual, then Customer must promptly request revocation of such Subscriber's Certificate through the PKI Manager. If a Managed PKI Administrator ceases to have the authority to act as Managed PKI Administrator on behalf of Customer, then Customer must promptly request revocation of the Administrator Certificate of such Managed PKI Administrator.

Customer's Subscribers. Customer must cause Subscribers receiving Certificates hereunder to abide by the terms of the appropriate Subscriber Agreement, to which they must assent as a condition of enrolling for their Certificates. Customer will ensure that the terms of such Subscriber Agreement must be no less protective of CAs than those in the STN CPS.

Symantec's Warranties. Symantec warrants that: (i) there are no errors introduced by Symantec in the Certificate information as a result of Symantec's failure to use reasonable care in creating the Certificate; (ii) its issuance of the Certificate(s) complies in all material respects with the STN CPS; and (iii) its revocation services and use of a repository conform to the STN CPS in all material aspects.

Appendix B: Private Certificate Authority

Symantec Managed Public Key Infrastructure (PKI) service provides customers with the ability to issue certificates from a private Certificate Authority (CA). Symantec performs a formal, secure procedure to create a private/public key pair for this CA called a key ceremony. These certificates are generally used to control access to organizational resources. For example, many customers only trust their private CA for access to their private network (over VPN or WiFi) to prevent unauthorized access to their networks.

Every customer is automatically provisioned a private Certificate Authority (CA) as part of the account setup. This CA is based on the vetted customer's legal entity name provided to Symantec for setting up the account. If a customer wants to use another name trademarked to that organization (e.g., a brand name versus a legal entity name) or change any of the default values in the CA, the customer may purchase an option to create additional CAs.

Note: Customers are responsible for defining and following their own Certification Practice Statement (CPS) that governs the issuing, managing, and use of certificates from the applicable private CA.

ADDITIONAL SERVICE CONDITIONS Apply to Private Certificate Authority Only

Appointment. Customer must appoint one or more authorized Customer employees or Trusted Persons as Managed PKI Administrator(s). Such Managed PKI Administrator(s) must be entitled to appoint additional Managed PKI Administrators on Customer's behalf. Customer must cause Managed PKI Administrators receiving Certificates hereunder to abide by the terms of the applicable Subscriber Agreement.

Administrator Functions. Customer must, through its Managed PKI Administrator(s) using hardware and software designated by Symantec, validate the information in Certificate Applications, approve or reject such Certificate Applications, and instruct Symantec to issue, renew and revoke Certificates.
If a Managed PKI Administrator ceases to have the authority to act as a Managed PKI Administrator on behalf of Customer, Customer must promptly request revocation of the Administrator Certificate of such Managed PKI Administrator.

Symantec's Warranty. Symantec warrants that there are no errors introduced by Symantec in the Certificate information as a result of Symantec's failure to use reasonable care in creating the Certificate.

Appendix C: Adobe Document Signing Services

Symantec Managed Public Key Infrastructure (PKI) service provides customers with the ability to issue certificates from Adobe Document Signing Services. Symantec has worked with Adobe to have the ability to issue certificates automatically trusted by Adobe Acrobat, Reader, and LiveCycle products. These certificates are used to digitally sign portable document files (PDF) in these products.

Customer electing Adobe as a Certificate Authority (CA) is automatically provisioned an issuing CA chaining to Symantec's intermediate CA for Adobe Document Signing Services as part of the account setup. This CA is based on the vetted customer's legal entity name provided to Symantec for setting up the account. If a customer wants to use another name trademarked to that organization (e.g., a brand name versus a legal entity name) or change any of the default values in the CA, the customer may purchase an option to create additional CAs.

Note: Customers and users must adhere to the Adobe CDS Certification Practice Statement (CPS), or Adobe ATL CPS, as applicable, to issue, manage, and use these certificates. For AATL, Customers can choose between SHA256 and ECC.

ADDITIONAL SERVICE CONDITIONS Apply to Adobe Document Signing Services Only

Appointment. Customer must appoint one or more authorized Customer employees or Trusted Persons as Managed PKI Administrator(s). Such Managed PKI Administrator(s) must be entitled to appoint additional Managed PKI Administrators on Customer's behalf. Customer must cause Managed PKI Administrators receiving Certificates hereunder to abide by the terms of the applicable Subscriber Agreement and the CPS.

Administrator Functions. Customer must, through its Managed PKI Administrator(s) using hardware and software designated by Symantec, validate the information in Certificate Applications, approve or reject such Certificate Applications, and instruct Symantec to issue, renew and revoke Certificates in accordance with the CPS, published at the PKI Manager and amended from time to time. If a Managed PKI Administrator ceases to have the authority to act as a Managed PKI Administrator on behalf of Customer, Customer must promptly request revocation of the Administrator Certificate of such Managed PKI Administrator.

Customer's Subscribers. Customer must cause Subscribers receiving Certificates hereunder to abide by the terms of the appropriate Subscriber Agreement, to which they must assent as a condition of enrolling for their Certificates. Customer will ensure that the terms of such Subscriber Agreement must be no less protective of CAs than those in the CPS.

Symantec's Warranty. Symantec warrants that there are no errors introduced by Symantec in the Certificate information as a result of Symantec's failure to use reasonable care in creating the Certificate.
Appendix D: LTE Certificate Service

Symantec LTE Service ("LTES" or "Service") provides customer with an ability to obtain device Certificates in a private hierarchy for integration into operator LTE equipment. Customer or their Operators submit requests to Symantec for LTES through a programmatic interface such as the Certificate Management Protocol (CMP).

ADDITIONAL SERVICE CONDITIONS Apply to LTE Certificate Service Only

Appointment. Customer must appoint one or more authorized Customer and/or Operator employees as Managed PKI Administrators for the entities employing such personnel. Customer must require Managed PKI Administrators receiving Administrator Certificates hereunder to abide by the terms of the applicable Subscriber Agreement associated with such Certificates, and to use Managed PKI Administrator Certificates exclusively for authorized and legal purposes consistent with this Service Description. Customer must immediately request revocation of the applicable Administrator Certificate if the subscriber ceases to be an authorized Managed PKI Administrator.

Administrator Functions. Customer and/or its Operators, as applicable, through the appointed Managed PKI Administrators, must be responsible for:
i. creation of operator sub-account;
ii. creation of certificate profiles;
iii. provide Manufacturer CA Certificates;
iv. provide IP address blocks for validation;
v. register new devices and set up a pre-approval for a future request; and
vi. configure the CMP responder URL on network elements.

Account Authorization and Certificate Issuance. Customer must provide Symantec advance written authorization of any Operator authorized to receive LTE Certificate issued hereunder, including such Operator's contact information, identification of the individual(s) designated to be Managed PKI Administrator(s) for such Operator (including enrollment information therefore), and the number of LTE Certificates and sites for which each Operator has been authorized. Customer must ensure, and require its Operator(s) to ensure, that each Managed PKI Administrator has been (since the time of the applicable Managed PKI Administrator Certificate's creation) and will remain the only person possessing such Certificate's Private Key, any PIN, software, or hardware mechanism protecting the Private Key, and no unauthorized person has had or will have access to aforementioned material or information. Upon a Managed PKI Administrator's submission through PKI Manager of a Certificate request for which the requested number of Certificates have been authorized by Customer as stated above, Symantec is entitled to (i) rely upon the accuracy of the information in each such Certificate request, and (ii) issue and provide such Certificates to the requesting Managed PKI Administrator. Device Certificates issued or licensed under this Service Description will have a validity period of one (1), two (2) or three (3) years from the date the Certificate is issued. Symantec will fulfill all orders meeting the foregoing requirements in the order received. Notwithstanding any inconsistent provision hereof, the number of Operators that may request Certificates, and the number of production sites and Managed PKI Administrators through which Certificates may be requested, will be strictly limited to the number specified in the applicable order document(s).

Manufacturer Flow Down Obligation. Customer must not monitor, interfere with, reverse engineer the technical implementation of, or otherwise knowingly compromise the security of any Symantec system or software, and must impose the same restriction on its appointed Manufacturers.

CA Certificates. Notwithstanding anything to the contrary in this Service Description, Symantec will create and host, in accordance with Symantec's standard PKI practices and policies, two (2) Customer Root Certificates and optionally up to two (2) CA Certificates issued under each Root Certificate, which CA Certificates will be used solely for the purpose of providing the Service to Customer hereunder. Additional CA Certificates may be purchased separately. Symantec will onboard Operators and create sub-accounts for them based on requests from Customer in accordance with standard PKI practices and policies.

IP address configuration. As part of the on-boarding process of a new Operator, a range of valid IP addresses must be provided to Symantec. Symantec's System will only respond to CMP requests coming from the valid IP addresses and all other requests not originated from the configured IP addresses will be rejected. This configuration must be performed by the Operator.

Account Activation. Subject to advance purchase, Symantec will use commercially reasonable efforts to activate sub-accounts based within the United States within ten (10) business days and accounts outside of the United States within a commercially reasonable period upon the following requirements being satisfied: (i) completion of the necessary enrollment process; and (ii) authentication of the Operator and its Managed PKI Administrator(s). These Managed PKI Administrator(s) must be accessible during this period in order for Symantec to perform authentication in a timely manner.

Symantec's Warranty. Symantec warrants that there are no errors introduced by Symantec in the Certificates issued hereunder as a result of Symantec's failure to use reasonable care in creating the Certificates.

Appendix E: Manufacturer Certificates

Symantec Managed Public Key Infrastructure (PKI) service provides customers with the ability to issue Manufacturer certificates in a private hierarchy for integration into Manufacturer's ecosystem-specific devices. Manufacturer certificates are used for device authentication or to encrypt messages sent from the device. Customers use a batch interface to request Manufacturer Certificates from Symantec PKI service.

ADDITIONAL SERVICE CONDITIONS Apply to Manufacturer Certificates Only

Appointment. Customer must appoint one or more authorized Customer employees as Managed PKI Administrators for the entities employing such personnel. Customer must require Managed PKI Administrators receiving Administrator Certificates hereunder to abide by the terms of the applicable Subscriber Agreement associated with such Certificates, and to use Administrator Certificates exclusively for authorized and legal purposes consistent with this Service Description. Customer must immediately request revocation of the applicable Administrator Certificate if the subscriber ceases to be an authorized Service Administrator.

Administrator Functions. Customer and/or its Operators, as applicable, through the appointed Managed PKI Administrators, must be responsible for:
i. creation of sub-accounts;
ii. creation of certificate profiles;
iii. provide Manufacturer CA Certificates; and
iv. submission of batch requests for certificate issuance.

Manufacturer Flow Down Obligation. Customer must not monitor, interfere with, reverse engineer the technical implementation of, or otherwise knowingly compromise the security of any Symantec system or software, and must impose the same restriction on its appointed Manufacturers.

Certificate Issuance. Upon a Service Administrator's submission through PKI Manager of a batch Certificate request, Symantec is entitled to (i) rely upon the accuracy of the information in each such Certificate request, and (ii) issue and provide such Certificates to the requesting Managed PKI Administrator. Symantec will fulfill all orders meeting the foregoing requirements in the order received. Notwithstanding any inconsistent provision hereof, the number of Certificates that could be requested will be strictly limited to the number specified in the applicable order document(s).

Account Activation. Subject to advance purchase, Symantec will use commercially reasonable efforts to activate accounts based within the United States within ten (10) business days and accounts outside of the United States within a commercially reasonable period upon the following requirements being satisfied: (i) completion of the necessary enrollment process; and (ii) authentication of the Customer and its Managed PKI Administrator(s). These Managed PKI Administrator(s) must be accessible during this period in order for Symantec to perform authentication in a timely manner.

Symantec's Warranty. Symantec warrants that there are no errors introduced by Symantec in the Certificates issued hereunder as a result of Symantec's failure to use reasonable care in creating the Certificates.

Private Root CA's Required Terms. Because Manufacturer Certificates operate in a Root CA's Private Hierarchy, Symantec's provision of Manufacturer Certificates may be conditioned upon Customer's satisfying all the conditions imposed by Root CA as prerequisites to receiving Manufacturer Certificates issued under Root Certificate hosted by Symantec if Root CA is a third party other than Customer, such as an industry consortium or standard-setting body, and such Manufacturer Certificates are intended for use only within the ecosystem managed by such Root CA. Such prerequisites may include without limitation execution of any additional documentation designated by Root CA. Root CA has absolute authority over issuance of Manufacturer Certificates for their ecosystem, and reserves the right to direct Symantec not to issue Certificates to Customer. Symantec disclaims any and all liability in connection with actions taken by Root CA. Root CA retains all proprietary and intellectual property rights that it owns in each Manufacturer Certificate of an ecosystem. Such rights owned by Root CA are licensed to Customer pursuant to documentation designated by Root CA. Customer acknowledges and agrees that, upon Root CA's request, Symantec may be required to report Customer's identity and all sales of the Certificates.

END OF SERVICE DESCRIPTION