Certification Practice Statement - LexisNexis

Certification Practice Statement
Version: 1.2
Effective Date: 19 June 2014

Copyright © Korbitec. All copyright in and to this document, including without limitation the content, layout and structure, vests in Korbitec. This document is confidential to Korbitec and any unauthorised disclosure or copying of the document is prohibited and may be unlawful.

Table of Contents

1 Introduction ... 5
1.1 Overview ... 5
1.2 Document Name and Identification ... 5
1.3 PKI Participants ... 5
1.4 Certificate Usage ... 7
1.5 Policy Administration ... 7
1.6 Definitions and Acronyms ... 8

2 Publication and Repository Responsibilities ... 11

3 Identification and Authentication ... 12
3.1 Naming ... 12
3.2 Uniqueness of Names ... 12
3.3 Initial Identity Authentication ... 12
3.4 Identification and Authentication of Re-key Requests ... 13
3.5 Identification and Authentication for Revocation Requests ... 13

4 Certificate Life-Cycle Operational Requirements ... 14
4.1 Certificate Application ... 14
4.2 Certificate Application Processing ... 14
4.3 Certificate Issuance ... 14
4.4 Certificate Acceptance ... 15
4.5 Key Pair and Certificate Usage ... 15
4.6 Certificate Renewal ... 15
4.7 Certificate Re-key ... 15
4.8 Certificate Modification ... 15
4.9 Certificate Revocation and Suspension ... 16
4.10 Certificate Status Services ... 17
4.11 End of Subscription ... 17
4.12 Key Escrow and Recovery ... 17

5 Management, Operational and Physical Controls ... 18
5.1 Physical Security Controls ... 18
5.2 Procedural Controls ... 19
5.3 Personnel Security Controls ... 19
5.4 Audit Logging Procedures ... 20
5.5 Records Archival ... 20
5.6 Key Changeover ... 20
5.7 Compromise and Disaster Recovery ... 20
5.8 CA or RA Termination ... 21

6 Technical Security Controls ... 22
6.1 Key Pair Generation and Installation ... 22
6.2 Private Key Protection and Cryptographic Module Engineering Controls ... 23
6.3 Other Aspects of Key Pair Management ... 23
6.4 Activation Data ... 23
6.5 Computer Security Controls ... 23
6.6 Life Cycle Security Controls ... 23
6.7 Information Security ... 24
6.8 Time-stamping ... 24

7 Certificate and CRL Profiles ... 25
7.1 Certificate Profile ... 25
7.2 CRL Profile ... 26
7.3 OCSP Profile ... 26

8 Compliance Audit and Other Assessment ... 27
8.1 Audit of Korbitec CA and Korbitec RA ... 27
8.2 Frequency of Audits ... 27
8.3 Relationship of Auditors ... 27
8.4 Remedial Actions ... 27

9 Other Business and Legal Matters ... 28
9.1 Fees ... 28
9.2 Financial Responsibility ... 28
9.3 Confidentiality of Business Information ... 28
9.4 Privacy of Personal Information ... 28
9.5 Intellectual Property Rights ... 28
9.6 Representations and Warranties ... 28
9.7 Limitations of Liability ... 29
9.8 Indemnities ... 29
9.9 Excusable Delay and Indemnities ... 29
9.10 Term and Termination ... 30
9.11 Individual Notices and Communications with Participants ... 30
9.12 Amendments ... 30
9.13 Dispute Resolution Procedures ... 30
9.14 Arbitration ... 31
9.15 Governing Law ... 31
9.16 General Provisions ... 32


1 Introduction

1.1 Overview

This document is the Korbitec Certification Practice Statement (CPS).

This CPS supports Certificate Policies (CP) indicating the applicability of digital certificates issued by Korbitec (Korbitec Certificates) to a particular community or a class of application for the certificates.

This CPS:

is a statement of the practices which the Korbitec CA employs in issuing Korbitec Certificates;

defines the equipment, policies and procedures that the Korbitec CA uses to satisfy the requirements specified in the Korbitec CPs that are supported by it;

defines the practices employed in the authentication of the identity of Applicants and verification of other information pertinent to the issue of Korbitec Certificates; and

allows potential participants in PKI (Public Key Infrastructure) environments using Korbitec Certificates to assess the trustworthiness of the Korbitec CA practices and the suitability of Korbitec Certificates for that PKI environment.

1.2 Document Name and Identification

The title of this document is the Korbitec Certification Practice Statement.

The structure of this CPS generally corresponds to the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, RFC 3647 of the Internet Engineering Task Force.

The version number of the CPS and its effective date will appear on the cover page of the CPS. The CPS, together with its prior versions, will be displayed in the Korbitec repository, allowing potential participants in PKI environments using Korbitec Certificates to consult the Korbitec CA’s most current CPS.

Where appropriate, the obligations of the participants are more fully defined in agreements concluded between the Korbitec CA and participants to a PKI environment supported by the use of Korbitec Certificates.

1.3 PKI Participants

1.3.1 Policy Authority

Korbitec Certificate Policies and this CPS are authorised and administered by the Korbitec Policy Authority (“Korbitec PA”).

1.3.2 Certification Authorities

Korbitec Root CA

Korbitec is the root CA for the certificates issued by the Korbitec CA. The generation of the Root CA public and private keys, the security practices employed in the generation of the public and private keys and creation of the Korbitec Signing Certificate, as well as the secure retention of the keys, is dealt with in general terms in this CPS.

Korbitec CA

The Korbitec Root CA has issued a Signing Certificate to the Korbitec CA which will be used to create public key certificates in PKI environments supported by the Korbitec CA.

Korbitec will not issue certificates to an external subordinate or intermediary certification authority.

1.3.3 Registration Authority

The Korbitec PA has authorised the establishment of the Korbitec RA. The operations of the Korbitec RA are governed by this CPS, and by the Korbitec Registration Authority Charter (“the Korbitec RA Charter”).

The Korbitec RA is responsible for the identification and authentication of Applicants for Korbitec Certificates. The Korbitec RA, while falling under the control of the Korbitec PA, is not the Korbitec CA and does not sign or issue Korbitec Certificates. Once the authentication of identity and the verification of any other information that may be required for the issue of a Korbitec Certificate have been completed, the Korbitec RA will communicate a Certificate Request to the Korbitec CA.

To enable the functioning of the Korbitec RA, the Korbitec PA has authorised it to assign Korbitec RA functions to:

Registration Officers employed by Korbitec (“Registration Officers”); and

Registration Officers not employed by Korbitec who will have limited duties and authorities relating particularly to the revocation of Korbitec Certificates (“Certificate Managers”).

All Registration Officers or Certificate Managers assigned registration functions by the Korbitec RA shall:

have their identity authenticated as provided in this CPS;

be properly qualified and trained to fulfil their duties; and

enter into an agreement acknowledging and accepting the fiduciary duties owed by the Registration Officers and Certificate Managers to Korbitec and to subscribers of Korbitec’s services.

In general terms, without limitation, Registration Officers shall be required to:

receive applications for Korbitec Certificates;

generate a public and private key to be assigned to the Applicant;

authenticate the identity and verify any additional information required by the Korbitec CA for the consideration of an application for a Korbitec Certificate;

require the acceptance by an applicant of the provisions of the Subscribers Agreement and check that the Agreement has been properly concluded by an applicant;

on successful authentication of the identity and verification of information required of an applicant and the conclusion of a Subscribers Agreement, submit a Certificate Request to the Korbitec CA in accordance with the provisions of this CPS.

In general terms, without limitation, Certificate Managers shall be required to:


notify the Korbitec RA of the need to issue a Korbitec Certificate to a person requiring a Korbitec Certificate for use in a specified PKI environment;

communicate any suspicion of a compromise of Korbitec Certificates to the Korbitec RA;

request the revocation of a Korbitec Certificate in appropriate circumstances.

1.3.4 Applicant

An Applicant is a person who has applied for, but has not yet been issued with, a Korbitec Certificate.

1.3.5 Subscribers

A Subscriber is a person who has been issued a Korbitec Certificate.

1.3.6 Relying Parties

Both Subscribers and third parties may rely on a Korbitec Certificate.

No agreements are concluded with relying parties which are relevant to the party’s reliance on Korbitec Certificates.

1.3.7 Other Participants

Other Participants are parties on which Korbitec may rely to ensure that the safeguards and practices required by this CPS, and by generally accepted practice governing PKIs, are complied with.

1.4 Certificate Usage

1.4.1 Appropriate certificate uses

Korbitec Certificates will be used:

to authenticate the identity of the Subscriber;

to digitally sign electronic communications originated by the Subscriber; and

to encrypt and decrypt electronic communications sent to and from the Subscriber.

1.4.2 Prohibited usage

The use of Korbitec Certificates for purposes other than those stipulated in 1.4.1 is deemed to be prohibited.
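As an added illustration of how a relying party can check that a certificate is only being put to the uses 1.4.1 permits, the following decodes the DER value of an X.509 keyUsage extension and compares the bits it asserts with the three permitted purposes. This is example code written for this page, not Korbitec's own software or certificate profile; the mapping of the CPS's purposes onto keyUsage bits and the sample DER values are assumptions made for the example, and section 7 of the CPS is authoritative for the real profile.

```python
# Added example for section 1.4 of the CPS; not Korbitec's code.
# Assumption: the CPS's three permitted purposes map onto RFC 5280 keyUsage
# bits as in PERMITTED_USES below. The CPS's certificate profile is authoritative.

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}

# Assumed mapping of the 1.4.1 purposes onto keyUsage bits.
PERMITTED_USES = {
    "authentication": {"digitalSignature"},
    "signing": {"digitalSignature", "nonRepudiation"},
    "encryption": {"keyEncipherment", "dataEncipherment"},
}
PERMITTED_BITS = set().union(*PERMITTED_USES.values())


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage value (BIT STRING, tag 0x03) into bit names.

    Malformed input raises ValueError instead of being guessed at.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    names = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            # Bits beyond the nine RFC 5280 defines are reported, not ignored.
            names.add(KEY_USAGE_BITS.get(i, f"unknown-bit-{i}"))
    return names


def check_key_usage(der: bytes) -> tuple:
    """Return (ok, offending_bits): ok is False if any asserted bit lies
    outside the purposes 1.4.1 permits (e.g. CA-only bits on an end-entity)."""
    offending = decode_key_usage(der) - PERMITTED_BITS
    return (not offending, sorted(offending))


def intended_use_allowed(der: bytes, use: str) -> bool:
    """Is the relying party's intended use both permitted by 1.4.1 and
    covered by the certificate's keyUsage? Any other use is prohibited (1.4.2)."""
    if use not in PERMITTED_USES:
        return False
    return bool(PERMITTED_USES[use] & decode_key_usage(der))


# Constructed sample values (not taken from any real Korbitec certificate):
# digitalSignature | nonRepudiation | keyEncipherment, and a CA-style value.
SAMPLE_SUBSCRIBER_KU = bytes.fromhex("030205e0")
SAMPLE_CA_KU = bytes.fromhex("03020106")

if __name__ == "__main__":
    print(decode_key_usage(SAMPLE_SUBSCRIBER_KU), check_key_usage(SAMPLE_SUBSCRIBER_KU))
    print(decode_key_usage(SAMPLE_CA_KU), check_key_usage(SAMPLE_CA_KU))
```

The check is deliberately strict in one direction: a certificate asserting bits outside the permitted set is rejected outright, because 1.4.2 treats every other purpose as prohibited, while a certificate that asserts only a subset of the permitted bits still fails an intended use it does not cover.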

1.5 Policy Administration

This CPS is administered by the Korbitec PA.

The Korbitec PA is responsible for ensuring that the statements made in this CPS and the Korbitec RA Charter as well as provisions of agreements entered into by Subscribers are adhered to.

The Korbitec PA will, among its other duties, do everything reasonably practicable to ensure that all security controls designed to safeguard the proper and secure use of certificates issued by the Korbitec CA are implemented and maintained at all material times.


1.5.1 Contact details

All enquiries relating to the CPS and other documentation published by the PA may be addressed to:

The Policy Officer

Korbitec

1st Floor Great Westerford

240 Main Road

Rondebosch

Cape Town

South Africa

[email protected]

Telephone: +27 (21) 658 9700

1.6 Definitions and Acronyms

Word or Phrase (Abbreviation): Definition

Activation Data: Data values, other than keys, which are required to operate cryptographic modules and which need to be protected by a person selecting the activation data (for example a PIN, a passphrase or a password).

Authentication: Verification of an individual’s named identity: on application for a Certificate, the validation of credentials and documentation provided as evidence of the claimed identity; and, during use of a certificate, the process of comparing electronically submitted identity and credentials with stored values to prove identity.

Certificate: Public key and identity of a Subscriber, rendered unforgeable by signing the certificate information with the private key of the Certification Authority that issued the public key certificate.

Certificate Policy (CP): Set of rules that indicate the applicability of a certificate to a particular community and/or class of application.

Certificate Profile: The specification of the required format (including requirements for the usage of standard fields and extensions) for a particular type of certificate.

Certificate Re-Key: The process whereby the Korbitec CA would issue a new Korbitec certificate for a new public key, following the generation of a new public key by Korbitec.

Certificate Request: Submission of a request by a Registration Authority, after the authentication of the Applicant and the verification of any other information required by the Registration Authority, to register an Applicant’s public key to be placed in a certificate.

Certificate Revocation List (CRL): A list of revoked certificates.

Certification Authority: An entity entrusted by one or more Subscribers or relying parties to create, assign and revoke or hold public key certificates.

Certification Practice Statement (CPS): A statement of practices which a certification authority employs in issuing certificates and which defines the equipment, policies and procedures the CA uses to satisfy the requirements specified in the certificate policies that are supported by the certification practice statement.

Compromise: Violation of the security of an information system that may result in an unauthorised disclosure of sensitive information and/or the private key.

Digital Signature: A cryptographic transformation that, when associated with other data, provides the services of authentication of the origin of the data, ensures the integrity of the data and establishes the non-repudiation of the signature and of the data signed by the signer.

Korbitec Certificate: Public key and identity of the Subscriber for a Korbitec Certificate associated with the public key, rendered unforgeable by signing the certificate information with the private key of the Korbitec Signing CA.

Korbitec Certificate Revocation List (Korbitec CRL): A list of revoked Korbitec certificates.

Korbitec Certification Policy (Korbitec CP): The set of rules published by Korbitec that indicates the applicability of a certificate issued by the Korbitec CA to a particular community or class of application.

Korbitec Certification Practice Statement (Korbitec CPS): The statement of practices which the Korbitec Certification Authority employs in issuing certificates and which defines the equipment, policies and procedures the CA uses to satisfy the requirements specified in the certificate policies that are supported by the certification practice statement.

Korbitec Policy Authority (Korbitec PA): A body appointed by the Korbitec Board of Directors, having final authority and responsibility for specifying certificate policies relating to Korbitec Certificates and ensuring that the Korbitec CA establishes and maintains the practices and controls defined in the Korbitec CPS.

Korbitec Public Key Infrastructure Environment (Korbitec PKI Environment): The structure of hardware, software, people, processes and policies that employs digital signature technology to facilitate a verifiable association between the public key contained in a Korbitec Certificate and the private key in the possession of a Korbitec Subscriber.

Korbitec Registration Officer: A person employed by Korbitec, appointed by the Korbitec RA to perform registration functions in terms of the criteria provided for in the Korbitec CPS and the Korbitec RA Charter.

Korbitec Registration Authority (Korbitec RA): The entity authorised by the Korbitec PA to be responsible for the identification and authentication of applicants for Korbitec Certificates, which is not part of the Korbitec CA and does not sign or issue certificates.

Korbitec Certificate Manager: A person not employed by Korbitec, appointed by the Korbitec RA to perform registration functions in terms of the criteria provided for in the Korbitec CPS and the Korbitec RA Charter.

Policy Authority: The body with final authority and responsibility for specifying certificate policies and ensuring that certification authority practices and controls, as defined in the relevant Certification Practice Statement, fully support the specified certificate policies.

Public Key Infrastructure (PKI): The structure of hardware, software, people, processes and policies that employ digital signature technologies and facilitate a verifiable association between a public key and a subscriber possessing the corresponding private key.

Registration Authority (RA): The entity that is responsible for the identification and authentication of applicants for certificates, but is not a certification authority and does not sign or issue certificates.

Relying Party: A recipient of a certificate who acts in reliance on that certificate, on digital certificates verified using that certificate, or both.

Repository: A system of storage and distribution of certificates and related information published under the authority of a Policy Authority.

Root Certification Authority (Root CA): The Root Certification Authority is at the apex of the Certification Authority hierarchy.

Subscriber: The person or entity subscribing to a Certification Authority for the issue of a Certificate to a person.

Trusted Role: A job function describing the performance of critical functions which, if performed unsatisfactorily, may have an adverse impact upon the trust provided by the Certification Authority.


2 Publication and Repository Responsibilities

The repository of all documents published by the Korbitec PA, the Korbitec CA and the Korbitec RA may be accessed on Korbitec’s website (www.korbitec.com) by following the link to the Korbitec Repository, which appears among the links provided at the foot of the Korbitec website page.

All amendments to documents appearing in the repository are made in accordance with a formalised document change control procedure before publication on its website. The documents will be arranged in categories and in each category in the order of publication of the documents. The most recent documents will appear at the top of the list of documents published by the Korbitec PA.


3 Identification and Authentication

Before a Korbitec Certificate is issued, Registration Officers appointed by the Korbitec RA must authenticate the identity of an Applicant and verify all further information in the application, some of which may be displayed as attributes in the Korbitec Certificate.

The criteria for authenticating the identity of an Applicant and for verifying the attributes of the Applicant that, under the naming conventions, are published in a Korbitec Certificate are more fully described in 3.3.

In addition, the criteria for authenticating the identity of persons requesting revocation of a Korbitec Certificate are more fully described in 3.5.

3.1 Naming

A Korbitec Certificate will include the Subscriber’s first name and surname as they appear in the identification documentation used to authenticate the identity of the Applicant, as more fully described in 3.3.

A Korbitec Certificate will include, in addition to the first name and surname of the Subscriber:

A unique serial number;

The ID or passport number of the Subscriber, as may be appropriate;

The name of the Subscriber’s employer or entity (juristic person) to which the Subscriber may be associated.

All names contained in Korbitec Certificates shall be meaningful.

Subscribers may not be anonymous or use pseudonyms.

3.2 Uniqueness of Names

The combination of the first name, surname and identity number, alternatively passport number, as the case may be, together with the serial number attributed to the Korbitec Certificate provide a unique electronic identity for the person associated with the Korbitec Certificate.

Korbitec shall not re-use a serial number previously used by it in a Korbitec Certificate.

The name constitutes a distinguished name (DN) in terms of the X.500 standards.
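The naming and uniqueness rules in 3.1 and 3.2 can be expressed as a small issuance-time check. The following is an added example written for this page, not Korbitec's code: it models the subject attributes listed in 3.1, renders them as an X.500 distinguished name in RFC 4514 string form, and keeps a register of certificate serial numbers so that a serial number is never reused. The choice of attribute types (givenName, sn, CN, O, and the serialNumber attribute for the ID or passport number), the reading of "unique serial number" as the certificate serial number, and the sample values are all assumptions; section 7 of the CPS is authoritative for the real profile.

```python
# Added example for sections 3.1 and 3.2 of the CPS; not Korbitec's code.
# Assumptions: the X.520 attribute types used for the subject name, and that
# the "unique serial number" of 3.1/3.2 is the certificate serial number.
from dataclasses import dataclass, field
from typing import Optional
import secrets


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for RFC 4514 string form (section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


@dataclass(frozen=True)
class SubjectName:
    """The subject attributes that section 3.1 says a Korbitec Certificate carries."""
    given_name: str
    surname: str
    id_number: Optional[str] = None        # South African identity number, or
    passport_number: Optional[str] = None  # passport number for non-citizens
    organisation: Optional[str] = None     # employer / juristic person (3.1)

    def validate(self) -> None:
        # 3.1: names must be meaningful; no anonymous or pseudonymous subjects.
        if not self.given_name.strip() or not self.surname.strip():
            raise ValueError("given name and surname are required")
        # 3.1: the ID number or the passport number, "as may be appropriate".
        if bool(self.id_number) == bool(self.passport_number):
            raise ValueError("exactly one of id_number or passport_number is required")

    def rdn_sequence(self) -> list:
        """RDNs in DER (root-first) order; the attribute types are assumed."""
        self.validate()
        rdns = [
            ("O", self.organisation) if self.organisation else None,
            ("serialNumber", self.id_number or self.passport_number),
            ("sn", self.surname),
            ("givenName", self.given_name),
            ("CN", f"{self.given_name} {self.surname}"),
        ]
        return [r for r in rdns if r is not None]

    def to_string(self) -> str:
        """RFC 4514 string form: most specific RDN first."""
        return ",".join(f"{t}={escape_rdn_value(v)}"
                        for t, v in reversed(self.rdn_sequence()))


@dataclass
class IssuanceRegistry:
    """Every serial number the CA has ever assigned; 3.2 forbids re-use."""
    used_serials: set = field(default_factory=set)

    def issue(self, subject: SubjectName, serial: Optional[int] = None) -> int:
        """Record an issuance and return its serial; reject any re-use."""
        subject.validate()
        if serial is None:
            # 159 random bits keeps a positive serial within RFC 5280's 20-octet limit.
            serial = secrets.randbits(159) | 1
        if serial <= 0:
            raise ValueError("certificate serial must be a positive integer")
        if serial in self.used_serials:
            raise ValueError(f"serial {serial:#x} already used; 3.2 forbids re-use")
        self.used_serials.add(serial)
        return serial

    @staticmethod
    def electronic_identity(subject: SubjectName, serial: int) -> tuple:
        """The 3.2 tuple (name, ID or passport number, serial) that uniquely
        identifies the person associated with the certificate."""
        return (subject.given_name, subject.surname,
                subject.id_number or subject.passport_number, serial)


# Constructed sample data for a stand-alone run (not a real person or number).
SAMPLE_SUBJECT = SubjectName("Thandi", "Mokoena", id_number="CONSTRUCTED-ID-0001",
                             organisation="Example Attorneys, Inc")

if __name__ == "__main__":
    registry = IssuanceRegistry()
    serial = registry.issue(SAMPLE_SUBJECT, serial=0x1001)
    print(SAMPLE_SUBJECT.to_string())
    print(registry.electronic_identity(SAMPLE_SUBJECT, serial))
```

The escaping step matters more than it looks: a comma in an employer's name would otherwise split the organisation RDN when the DN is rendered or compared as a string, which is exactly the kind of ambiguity 3.2 relies on never arising. The "meaningful name" and "no pseudonym" requirements cannot be checked mechanically; they remain the Registration Officer's judgement under 3.3, and the code only rejects empty names.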

3.3 Initial Identity Authentication

In all instances which constitute the initial authentication of the identity of an Applicant for a Korbitec Certificate the identification, generation of the public and private keys and submission of a Certificate Request to the Korbitec CA shall be conducted by a Registration Officer. A Certificate Manager shall not perform an initial authentication of identity.

The Registration Officer will:

be trained in the techniques required to correctly authenticate the identity of an Applicant;

in the case of an Applicant to whom an identity document has been issued by the Department of Home Affairs, check that the identity document displayed to him or her is an original and compare the photographic image in the identity document to the facial features of the applicant;

in the case of an Applicant who is not a South African citizen, check that the passport displayed to him or her is an original and compare the photographic image in the passport to the facial features of the applicant; and

verify the information of the juristic person with which the Applicant is to be associated, the name of which must appear as an attribute in the Korbitec Certificate issued to the Applicant.

Once the Registration Officer is satisfied that:

the identity of the Applicant has been authenticated;

the information relating to the Applicant’s employer, or to the entity with which the Applicant is to be associated in a Korbitec Certificate, has been verified;

the information contained in the application for a Korbitec Certificate together with the Subscriber Agreement has been properly and accurately completed and signed by the Applicant,

the Registration Officer shall submit a Certificate Request to the Korbitec CA signed with the Korbitec Certificate issued to the Registration Officer by the Korbitec CA.

The Certificate Request will be accompanied by the Applicant’s public key, generated by an application run by the Registration Officer on the Applicant’s computer.

3.4 Identification and Authentication of Re-key requests

The process described in 3.3 will be followed in respect of re-key requests.

3.5 Identification and Authentication for Revocation Requests

Revocation Requests may be received by Korbitec telephonically or in writing.

Where Revocation Requests are received telephonically, the Korbitec Registration Officer will request that the Revocation Request be followed up in writing, addressed to the e-mail address designated by the Registration Officer.

Korbitec will use a separate process to check the identity of the originator of the Revocation Request and to confirm that the request is valid.

When a request for revocation of a Korbitec Certificate is received by the Korbitec RA, the Registration Officers assigned to deal with the revocation of Korbitec Certificates will communicate with the requestor, authenticate the identity of the requestor and establish the reasons for the request for revocation of the Korbitec Certificate.


4 Certificate Life-Cycle Operational Requirements

This section specifies the requirements imposed on the Korbitec PA, the Korbitec RA, Subscribers for Korbitec Certificates and other participants with respect to the life-cycle of a Korbitec Certificate.

4.1 Certificate Application

Applicant

A person wishing to participate in a PKI environment supported by Korbitec Certificates may apply to the Korbitec RA for a Korbitec Certificate.

In making the application the Applicant shall agree in writing to be bound by the terms of this CPS and a subscriber’s agreement.

If any fees are payable by the Subscriber the application will be accompanied by proof of payment of the fees.

On receipt of the application and any supporting information required by the Korbitec RA the identity of the Applicant will be authenticated and the information verified in accordance with this CPS and Korbitec RA Charter.

4.2 Certificate Application Processing

If the Korbitec RA is satisfied that the application for a Korbitec Certificate is complete and that the Applicant has been authenticated, it shall initiate a Certificate Request to the Korbitec CA.

The Korbitec RA will retain all relevant information collected for the purposes of the application for a Korbitec Certificate for a reasonable period in accordance with the directions of the Korbitec PA, as may be appropriate to a particular PKI environment, taking into consideration Protection of Personal Information legislation.

4.3 Certificate Issuance

The Registration Officer, once satisfied that the application and authentication contemplated in 4.2 have been properly completed, will, using a secure mobile device, load the software application onto the Applicant’s computer. The software application generates the required key pair; the private key is securely retained on, and never exported from, the Applicant’s computer.

The Registration Officer, using a computer which facilitates secure login and communication with the Korbitec RA server, then requests an activation code which is submitted to the Korbitec CA server. The activation code is automatically generated by the Korbitec CA server and returned to the computer under the control of the Registration Officer. This is a one-time code which cannot be re-used. Using the activation code the Registration Officer submits the Applicant’s public key and a Certificate Request to the Korbitec RA. The Applicant’s public key is associated with a Korbitec Certificate, duly signed by the Korbitec CA and transmitted to the Applicant’s computer.

Communications between the Applicant’s computer and the Korbitec RA servers, facilitating the issue of Korbitec Certificates, are appropriately secured. The communication between the Registration Officer’s computer and the Korbitec RA, including, without limitation, the activation code, is also appropriately secured to ensure that there can be no compromise of information communicated in the certificate issuance process.


4.4 Certificate Acceptance

It is the responsibility of the Applicant, who on the issue of the Korbitec Certificate becomes a Subscriber, to check that all information contained in the Korbitec Certificate issued to the Subscriber is correct. Failure by the Subscriber to do so constitutes acceptance by the Subscriber of the information contained in the Korbitec Certificate.

The use by the Subscriber of a Korbitec Certificate is deemed to be acceptance by the Subscriber of the Korbitec Certificate issued to the Subscriber and confirmation of the acceptance of the Subscriber’s obligation to discharge the responsibilities assigned to the Subscriber in the Subscriber Agreement.

4.5 Key Pair and Certificate Usage

Limited PKI Environments

Korbitec Certificates will only be used in PKI environments which may be stipulated in the Certificate Policy under which the Korbitec Certificate and its use are defined.

Subscriber

The Subscriber shall use a private key and Korbitec Certificate in strict compliance with the provisions of the Subscriber Agreement concluded between the Subscriber and the Korbitec CA. The subscriber shall comply with the provisions of this CPS.

Relying Party

No agreements are entered into with Relying Parties and Relying Parties are required to check the status of any Korbitec Certificate before relying on the Certificate.

4.6 Certificate Renewal

Korbitec Certificates may be renewed if a Registration Officer or Certificate Manager confirms that the information obtained in the initial authentication and verification conducted when the Subscriber applied for a Korbitec Certificate remains valid and that any other requirements of the Korbitec RA have been complied with.

4.7 Certificate Re-key

Korbitec Certificate re-key is neither offered nor supported.

Where a new certificate is required, the Identification and Authentication processes described in section 3, as well as the Certificate Application and Certificate Application Processing described in 4.1 and 4.2, will have to be repeated.

Prior to any re-key the existing Korbitec Certificate and key pairs shall be revoked.

4.8 Certificate Modification

Korbitec Certificate "modification" is neither offered nor supported.

Where a new certificate is required, the identification and authentication processes described in section 3, as well as the Certificate Application and Certificate Application Processing described in 4.1 and 4.2, will have to be repeated.

Prior to any modifications the existing Korbitec Certificate and key pairs shall be revoked.


4.9 Certificate Revocation and Suspension

4.9.1 Revocation

The Korbitec CA shall revoke a Korbitec Certificate against receipt of a valid Revocation Request from the Korbitec RA.

The Korbitec RA shall request revocation of a Korbitec Certificate if it is aware or has reasonable grounds to believe that:

the Korbitec Root Key or the Korbitec Signing Key used to issue Korbitec Certificates has been compromised;

the Subscriber is no longer employed by the employer indicated in the Korbitec Certificate or associated with the entity indicated in the Korbitec Certificate;

this CPS or the Subscriber Agreement concluded with the Subscriber has been breached and the breach may compromise the Subscriber’s private key or the Korbitec Certificate (and associated public key);

the information contained in the Korbitec Certificate issued to the Subscriber is inaccurate;

there has been a change in the information contained in the Korbitec Certificate issued to the Subscriber;

there is any other reason which the Korbitec CA or the Korbitec RA reasonably believes may affect the integrity, security and trustworthiness of the Korbitec Certificate or the PKI environment in which the Korbitec Certificate is used.

The Korbitec CA or Korbitec RA may require revocation of a Korbitec Certificate if it has reasonable grounds to believe that a Korbitec Certificate or the private key associated with the Korbitec Certificate has been or may become compromised, including without limitation, any compromise which may occur in the processing of Korbitec’s Root Key, its Certificate Signing Key or any Certificate issued to the Subscriber.

The Subscriber or the employer of a Subscriber may request the revocation of the Subscriber’s Korbitec Certificate at any time and for any reason.

Before revoking a Certificate at the request of a Subscriber or the Subscriber’s employer, the Korbitec CA or Korbitec RA shall use commercially reasonable efforts to verify the identity of the Subscriber, the employer, or persons representing the Subscriber or the employer and shall not be required to revoke the Korbitec Certificate until it is satisfied as to the identity of the requestor. The requestor shall comply with all reasonable requirements of the Korbitec CA or Korbitec RA with a view to verifying that the request is genuine and made by a person who is authorised to do so.

4.9.2 Revocation Procedure

If the Korbitec RA is satisfied that a Korbitec Certificate must be revoked it shall immediately communicate a Revocation Request to the Korbitec CA, signed by a Registration Officer using a Korbitec Certificate issued by the Korbitec CA.

Once the Korbitec CA has received a Revocation Request from the Korbitec RA, or is itself satisfied that a Korbitec Certificate must be revoked, it shall immediately process the Revocation Request and post the revocation of the Korbitec Certificate to the Korbitec Revocation List published in the Korbitec Repository at http://certificates.korbitec.com/.

Korbitec shall use commercially reasonable efforts to renew the Korbitec Certificate Revocation Lists within twenty-four hours of a Korbitec Certificate being revoked.


All parties relying on Korbitec Certificates must check the Korbitec Certificate Revocation Lists on a daily basis before relying on a Korbitec Certificate.

4.10 Certificate Status Services

Aside from the information published in the Korbitec Repository, including the Korbitec Certificate Revocation Lists, no further certification status services are provided.

4.11 End of Subscription

If a fee is charged for the services provided by the Korbitec CA and the Subscriber fails to pay the fee, Korbitec may terminate the subscription and revoke Korbitec Certificates.

4.12 Key Escrow and Recovery

The Korbitec CA does not offer key escrow and recovery services in respect of Korbitec Certificates.


5 Management, Operational and Physical Controls

5.1 Physical Security Controls

5.1.1 Site Location

Root Keys and Signing Certificate

The key pairs of Korbitec’s Root CA are retained in a safety deposit box situate in a safety deposit facility of an offsite high security environment.

Signing Servers

The Korbitec CA Signing Servers are situate in a safe contained in a security vault provided by a high security hosting facility designed and built to offer security appropriate to a certification authority function.

5.1.2 Physical Access

Hosting Facility

The Hosting Facility employs stringent physical access controls and no access is granted to the Hosting Facility without prior arrangements for the grant of access having been concluded with security personnel appointed by the Korbitec CA.

At the reception area of the Hosting Facility, positive identification against an identity document, a passport or a driver’s licence is performed and a correlation between the persons identified and the persons named in the prior arrangement to access the Hosting Facility is made. Against successful completion of the identification and validation processes, access will be granted to the security area of the Hosting Facility.

A key to the server cabinets housing Korbitec Servers is provided.

Within the security area of the Hosting Facility, which is monitored by the security guards using CCTV facilities, access is gained by Korbitec personnel by unlocking the security facilities assigned to Korbitec, in which the Korbitec CA Signing Servers and other equipment are hosted.

Persons authorised by the Korbitec CA will then be escorted to the security vault and using the key provided by security personnel in the secure area will gain access to the security vault. On the completion of the work required they will be escorted from the security vault to the security and reception areas.

Safe

The Korbitec CA Signing Server is situated in a safe.

After accessing the safe, the two Korbitec key-bearing officers, who each hold a portion of the password, log on to and operate the Korbitec CA Signing Server.

In addition, the Korbitec CA has appointed three senior technical advisors, two of whom have to be present before the Korbitec Certificate Signing Server or any other hardware or software housed in the safe can be worked on.

5.1.3 Environmental Controls

The Korbitec PA has satisfied itself that the data centre provides the following environmental controls, which are fit for purpose for the hosting of the Korbitec CA:


electrical power back up;

air-conditioning;

protection against water exposure;

fire detection, alarm and suppression;

connectivity to primary and secondary internet service providers.

5.1.4 Media Storage

Media critical to the Korbitec CA’s operation is stored separately from the CA and appropriately safeguarded.

5.1.5 Offsite Backup

Backups of all information critical to the restoration of the Korbitec CA operation are made regularly in terms of generally accepted practice and stored securely at a separate location.

5.2 Procedural Controls

The Korbitec PA has established a number of trusted roles. The Korbitec PA has appointed key-bearing officers who, among their other duties, have the responsibility for the secure custody of the Korbitec CA root keys, the key shares for the Korbitec CA Signing Server and the combination for the safe housing the Korbitec Certificate Signing Server.

Both key-bearing officers must be present to open the safe and remain present while any action is performed relating to the Korbitec CA Certificate Signing Server and any other equipment retained in the safe.

Korbitec has also assigned system technical advisers, two of whom must be present when any action is performed on the Korbitec CA Certificate Signing Server or any other equipment retained with the server in the safe and at least two of whom must also be present when any work is performed on any equipment facilitating Korbitec’s CA operations which is retained in the security vault.

The Korbitec PA has also assigned the trusted role of Policy Officer. The Policy Officer is responsible for the establishment, maintenance, review and continuous improvement of both physical and information security relevant to the secure operation of the Korbitec CA with due regard to generally accepted information security practices and to specific security requirements pertinent to the Korbitec CA.

The parties appointed to these trusted roles have contractually agreed to fulfil these roles and have acknowledged their responsibilities in writing.

All persons who have been assigned trusted roles and who may be granted access to components of the Korbitec Information System which are required for the operation of the Korbitec CA, have consented to and must undergo background security evaluations. These evaluations are reported to the Korbitec PA.

There is a strict segregation of duties between persons assigned to the Korbitec CA operations and the Korbitec RA operations. No person assigned a role in either one of the Korbitec CA or the Korbitec RA may be assigned a function in the other.

5.3 Personnel Security Controls

The Korbitec PA assigns trusted roles to the persons required to perform any functions necessary for the proper operation of the Korbitec CA and the Korbitec RA.


In assigning the roles, the Korbitec PA ensures that persons assigned to the different roles have the necessary qualifications and experience and have received adequate training in the specific role or function assigned to them, so that the assignees bring appropriate levels of technical expertise and an appreciation of their security responsibilities.

The Korbitec PA will consider role rotation in terms of generally accepted practices and at a frequency which the Korbitec PA believes will best serve the security interests of the Korbitec CA.

The Korbitec PA will not assign trusted roles or other roles important to the functioning of the Korbitec CA to persons not employed by Korbitec.

The Korbitec PA may assign the role of Certificate Manager to persons not employed by Korbitec to perform the limited functions described in this CPS and in the Korbitec RA Charter.

5.4 Audit Logging Procedures

The processing of information relating to the issue of Korbitec Certificates is automatically logged.

The logs are regularly checked by trained Korbitec personnel to establish any anomalies, breaches and violations of this CPS, or irregularities of use of Korbitec Certificates.

5.5 Records Archival

The Korbitec CA and the Korbitec RA audit logs and databases are backed up and retained for a period of at least 3 (three) years, or such longer period as the Korbitec PA may determine.

The Korbitec records are protected against accidental or unauthorised modification and any attempted or actual modification of the audit logs can be detected. The records are backed up regularly and archived in terms of record retention policies applicable to the Korbitec CA.

5.6 Key Changeover

If it becomes necessary for the Korbitec CA to withdraw the key pairs associated with the Korbitec CA Signing Certificate, a new key pair will be generated and associated with the new Korbitec CA Signing Certificate. This may be necessary to support the continuation of the Korbitec CA operation in a secure manner.

The Korbitec CA key changeover processes will ensure that the changeover is conducted in a manner that preserves the security of existing Korbitec Certificates and allows a seamless transition to signing Korbitec Certificates with the new Korbitec Signing Certificate.

The Korbitec CA will continue to publish Korbitec Certificate Revocation Lists signed with the Korbitec Signing Certificate that has been withdrawn until all certificates issued by the Korbitec CA using the withdrawn Korbitec Signing Certificate have expired or been revoked.

5.7 Compromise and Disaster Recovery

The Korbitec Business Continuity Management Processes incorporate Compromise and Disaster Recovery Procedures.

The Korbitec Compromise and Disaster Recovery Procedure has been established and documented with a view to mitigating the adverse effects of the failure or outage of the information system used by the Korbitec CA to provide its services.


The Korbitec PA requires that an Incident Response Management Team is established. The team is trained to deal with security incidents and compromises to Korbitec Certificates, to further develop and continuously improve its Disaster Recovery Procedures in light of local or global threats, changes in the environment, and identified risks to the operation of the Korbitec CA and the use of Korbitec Certificates.

The Korbitec PA requires regular and documented testing of its Compromise and Disaster Recovery Procedures.

5.8 CA or RA Termination

In terms of this CPS Korbitec does not contemplate the appointment of an external RA.

If the Korbitec CA and Korbitec RA cease to provide the services contemplated in this CPS, the Korbitec CA will revoke all certificates issued by it and the Korbitec Signing Certificate will be revoked using the Korbitec Root CA.


6 Technical Security Controls

6.1 Key Pair Generation and Installation

6.1.1 Korbitec Root CA

The Korbitec Root CA Signing Keys were generated by Korbitec. The generation of the key pair is documented in “Creation of the Korbitec Public Key Infrastructure (PKI)” which is not published for reasons of confidentiality.

The Korbitec Root CA private key was used to sign a single Korbitec Signing Certificate. The Korbitec Signing Certificate will be used to sign all Certificates issued by the Korbitec CA.

The security of Korbitec keys is more fully described in “5. Management, Operational and Physical Controls”.

6.1.2 Key size

The minimum key length required by the Korbitec CA is 2048-bit RSA.

The Korbitec PA shall review Korbitec CA Private Key lengths regularly, but at least once annually, with a view to determining their appropriateness for the uses defined.

6.1.3 Key usage purposes

The Korbitec CA private signing key is used for signing Korbitec Certificates and Korbitec Certificate Revocation Lists exclusively.

Korbitec Certificates shall be used strictly for the purposes defined in this CPS and Subscribers Agreements concluded in terms of this CPS.

6.1.4 Key pair generation

The Subscriber’s key pair is generated by a Korbitec RA Registration Officer, in compliance with the Korbitec RA Charter.

The Registration Officer will install a software application on the Applicant’s computer. The private key remains at all times on the computer of the Applicant (who becomes a Subscriber once a Korbitec Certificate is issued).

The Registration Officer, having completed the tasks contemplated in 4.1 submits a Certificate Request to the Korbitec CA accompanied by the Applicant’s public key.

Certificate Requests sent from the Applicant’s computer to the Korbitec CA are communicated in a secure SSL session, in a message initiated by the Registration Officer using a one-time activation code.

The Registration Officer will, prior to the communication of the Signing Request, generate a one-time activation code which will be captured into the Certificate Request as an additional factor of authentication.

Provision of Korbitec CA Public Keys to Relying Parties

The Korbitec CA’s public key is retained in the Korbitec Repository and can be accessed at:

http://certificates.korbitec.com/korbitecgateway.cer; or

http://certificates.korbitec.com/korbitecrootca.cer.


The Korbitec CA will allow its public key to be incorporated in applications using Korbitec Certificates to enable ease of checking by relying parties.

6.2 Private Key Protection and Cryptographic Module Engineering Controls

The Korbitec CA’s Private Key is used to sign all Korbitec Certificates and the Korbitec Certificate Revocation Lists exclusively.

The Korbitec CA Private Key is securely retained on a server housed in a safe situate in a secure vault in the data centre.

Access to the safe can, in the normal course, only be facilitated by both key bearing officers appointed by the Korbitec PA opening the safe and facilitating access to the Korbitec Signing Server.

The Subscriber’s private keys are stored in the Operating System Key Store on the Subscriber’s computer and are not exportable.

The Korbitec private keys are protected by the procedures required by the software implementation, supported by the operating systems of the servers on which the private keys are generated and retained.

The private keys are under the dual control of two persons, both of whom are required to deal with critical events relating to the private key.

The private key is not escrowed but it is backed up on a physical device secured in a safety deposit box where it remains archived in plain text.

Private keys will be used for disaster recovery purposes or as may be determined by the Korbitec PA. The transmission of the private key will be secure with all appropriate security measures applied.

6.3 Other Aspects of Key Pair Management

No stipulation.

6.4 Activation Data

No stipulation.

6.5 Computer Security Controls

The environment in which the Korbitec CA servers are housed is subject to strict physical security and physical access control.

Logical access to all computers used by the Korbitec CA in the provision of its services is subject to appropriate access controls, which are monitored and audited on a regular basis as prescribed by the Korbitec PA.

6.6 Life Cycle Security Controls

The implementation of the Korbitec Root CA and the Korbitec CA has been conducted in strict compliance with control measures appropriate to the creation of the Korbitec PKI.

The Korbitec CA has established and will maintain security management controls, including without exception, the regular monitoring and checking of technologies used in its information system, the development and regular review of documented procedures aimed at ensuring and improving the management of the security and integrity of its services and certificates issued by the Korbitec CA.

6.7 Information Security

The Korbitec CA shall establish and maintain an Information Security Management System appropriate to the services that it provides. The Korbitec PA shall be responsible for ensuring that the Information Security Management System is established and maintained in accordance with generally accepted information security practices.

6.8 Time-stamping

No stipulation.


7 Certificate and CRL Profiles

7.1 Certificate Profile

Version number(s) supported: Version 3

Certificate extensions populated and their criticality:

CRL Distribution Points

Certificate Policies

Key Usage [critical]

Basic Constraints [critical]

1.3.6.1.4.1.41881.1.1.3.1 - Subscriber ID or passport number

1.3.6.1.4.1.41881.1.1.3.2 - Representation of the certificate signing request

Cryptographic algorithm object identifiers:

Signature Algorithm: ObjectId 1.2.840.113549.1.1.11 (sha256RSA)

Public Key Algorithm: ObjectId 1.2.840.113549.1.1.1 (RSA, RSA_SIGN)

Name forms used for the CA, RA and subscriber names:

Subject: CN = Common Name; E = Email address; O = Organisation / attorney firm name; C = Country (South Africa)

Issuer: CN = Korbitec Gateway; O = Korbitec; C = South Africa

Name constraints used and the name forms used in the name constraints: Refer section 3.1

Applicable CP OID(s): 1.3.6.1.4.1.41881.1.2

Policy qualifiers syntax and semantics: Used to specify the location of the CPS in the repository (http://certificates.korbitec.com/)

7.2 CRL Profile

CRLs are created in X.509 v2 format.

No extensions.

7.3 OCSP Profile

Not implemented.
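The Relying Party check that 4.5, 4.9.2, 4.10 and 7.3 together describe (no OCSP, so the published CRL is the only status source, and it is renewed within twenty-four hours), shown as an added example in Go that is not part of this CPS or of Korbitec's software. To run offline it builds a throw-away CA and subscriber certificate in-process: the issuer name mirrors the 7.1 form, the key sizes follow 6.1.2, the CRL distribution point uses the 4.9.2 repository host with a placeholder file name, and the key-usage bits on the subscriber certificate are an assumption because 7.1 does not list them. The status routine goes slightly beyond the text by also confirming that the certificate chains to the CA before the CRL is consulted.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The repository URL comes from 4.9.2; the CRL file name is a placeholder. All keys,
// certificates and CRLs built below are constructed for illustration, not Korbitec's own.
const crlURL = "http://certificates.korbitec.com/PLACEHOLDER.crl"

func must(err error) { // keeps the example short; production code returns the error
	if err != nil {
		panic(err)
	}
}

// buildPKI creates a constructed issuing CA whose name mirrors the 7.1 issuer form and issues
// one subscriber certificate; both are parsed back so SubjectKeyId and public keys are populated.
func buildPKI(now time.Time) (*rsa.PrivateKey, *x509.Certificate, *x509.Certificate) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048) // 6.1.2: 2048-bit RSA minimum
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Korbitec Gateway", Organization: []string{"Korbitec"}, Country: []string{"ZA"}},
		NotBefore:    now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to sign the 7.2 CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	// 6.1.4: the subscriber key pair is generated on the Applicant's computer and never leaves it; here both sides run in one process.
	subKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	subTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1001), // 3.2: the CA never re-uses a serial number
		Subject:               pkix.Name{CommonName: "Jane Example", Organization: []string{"Example Attorneys"}, Country: []string{"ZA"}},
		NotBefore:             now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, // assumed; 7.1 lists no bits
		CRLDistributionPoints: []string{crlURL}, // 7.1: where a Relying Party fetches the CRL
	}
	subDER, err := x509.CreateCertificate(rand.Reader, subTmpl, ca, &subKey.PublicKey, caKey)
	must(err)
	sub, err := x509.ParseCertificate(subDER)
	must(err)
	return caKey, ca, sub
}

// issueCRL signs an X.509 v2 CRL (7.2) listing the given serials; NextUpdate is 24 hours out, matching the renewal target in 4.9.2.
func issueCRL(caKey *rsa.PrivateKey, ca *x509.Certificate, now time.Time, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	must(err)
	return der
}

// certStatus is the check 4.5 and 4.9.2 require of a Relying Party, with no OCSP on offer (7.3):
// the certificate must chain to the CA; the CRL must name the same CA, verify under its key and
// be current; and the serial must not be listed. Any doubt is an error, never a "good" status.
func certStatus(crlDER []byte, ca, c *x509.Certificate, now time.Time) (string, error) {
	if err := c.CheckSignatureFrom(ca); err != nil {
		return "", err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) || crl.CheckSignatureFrom(ca) != nil {
		return "", errors.New("CRL was not issued by this CA or its signature does not verify")
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "", errors.New("CRL is stale: fetch a fresh copy from the repository before relying on the certificate")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

func main() {
	now := time.Now()
	caKey, ca, sub := buildPKI(now)
	fmt.Println(certStatus(issueCRL(caKey, ca, now), ca, sub, now))                  // good <nil>
	fmt.Println(certStatus(issueCRL(caKey, ca, now, sub.SerialNumber), ca, sub, now)) // revoked <nil>
}
```

The design point is that a stale CRL is an error, not a "good" result: a Relying Party holding a CRL past its NextUpdate cannot know whether the certificate has since been revoked, which is why 4.9.2 requires a daily check. After a key changeover (5.6) the same routine applies, provided the CRL is verified against the Signing Certificate that issued the certificate being checked, since the withdrawn Signing Certificate continues to sign CRLs for the certificates it issued.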


8 Compliance Audit and Other Assessment

8.1 Audit of Korbitec CA and Korbitec RA

The Korbitec PA will determine if audits are necessary and the frequency of the audits to ensure that the Korbitec CA and the Korbitec RA comply with:

the stated practices contained in this CPS, any other documentation that the Korbitec PA deems appropriate, and generally accepted information security practices;

the Korbitec PA will also ensure that the Korbitec RA is audited against the requirements of the Korbitec RA Charter.

8.2 Frequency of Audits

Audits will be conducted at least annually or, if the Korbitec PA so determines, when a change in Korbitec CA or Korbitec RA practice is made, a security compromise occurs, or for any other reason that the Korbitec PA believes warrants an interim audit.

8.3 Relationship of Auditors

The audit will be conducted by Korbitec's internal auditors or, alternatively, by external auditors, in either case determined by the Korbitec PA to have the requisite qualifications to perform the audit.

8.4 Remedial Actions

The Korbitec PA shall, immediately on deficiencies being discovered as a result of an audit, cause the necessary remedial action to be taken to remedy the deficiencies and ensure the integrity of the Korbitec CA services, as appropriate and with appropriate urgency.

All reports on audits conducted on the Korbitec CA and the Korbitec RA shall be submitted to the Korbitec PA.


9 Other Business and Legal Matters

9.1 Fees

The fees charged by Korbitec, if applicable, for its services will be published in a Fee Schedule and subject to review as may be determined by Korbitec from time to time.

9.2 Financial Responsibility

Save for the limited liability accepted by Korbitec in terms of paragraph 9.7, Korbitec accepts no financial responsibility for any failure of certificates issued by the Korbitec CA.

9.3 Confidentiality of Business Information

The Korbitec CA and the Korbitec RA shall not disclose information of an Applicant, Subscriber or the employer of the Applicant or Subscriber, except as may be necessary in the use of Korbitec Certificates in terms of this CPS.

All personnel engaged by the Korbitec CA and the Korbitec RA (including Certificate Managers appointed by Korbitec) will be required to sign appropriate confidentiality agreements.

The confidentiality undertakings provided by Korbitec will not in any way affect Korbitec’s obligations to provide information to third parties when it is compelled to do so in legal, judicial and administrative proceedings, as may be required by law.

9.4 Privacy of Personal Information

The Korbitec CA and the Korbitec RA undertake that they shall establish and maintain commercially reasonable measures to protect the personal information being processed by them.

Korbitec will comply with all relevant law governing the Protection of Personal Information.

9.5 Intellectual Property Rights

Save for the information of a Subscriber or the employer of a Subscriber included in a Korbitec Certificate, Korbitec shall retain all right, title, interest and intellectual property rights of whatever nature in and to Korbitec Certificates.

All Applicants, Subscribers and employers of Applicants or Subscribers shall in terms of Subscriber Agreements grant to the Korbitec CA and the Korbitec RA a non-exclusive, worldwide, royalty free licence to use, copy, modify, publicly display and distribute their information as the Korbitec CA in its discretion may deem appropriate, for the purposes contemplated in this CPS or Subscribers Agreements concluded with Subscribers.

Subject to the publication of copyright notices associated with documents and the accurate reproduction of documents, or parts thereof, Korbitec grants the right to reproduce documents published in the Korbitec Repository, provided that the reproduction is exclusively for the use of the person (natural or juristic) reproducing the document.

9.6 Representations and Warranties

9.6.1 The Korbitec CA warrants, with regard to Korbitec Certificates, that:


the first name and surname of the subscriber have been authenticated by the Korbitec RA in compliance with the provisions of this CPS; and

the attributes displayed in Korbitec Certificates have been verified against documentation provided to the Korbitec RA.

9.6.2 Korbitec further warrants that the operation of the Korbitec CA and the Korbitec RA shall be consistent with the statements made in this CPS.

9.6.3 Korbitec provides no further warranties of whatever nature to Subscribers or parties relying on Korbitec Certificates.

9.6.4 Korbitec relies on the information provided by the Applicant, who warrants that the information provided to Korbitec is true and correct and that the documents used by Korbitec to authenticate the identity of an Applicant and verify the attributes contained in a Korbitec Certificate are originals.

9.6.5 An Applicant for a Korbitec Certificate shall enter into a Subscriber Agreement governing the Subscriber's relationship with the Korbitec CA and the Korbitec RA and the Subscriber's use of Korbitec Certificates.

9.6.6 Participants to any PKI supported by the use of or reliance on Korbitec Certificates acknowledge and agree that the operation of the PKI is dependent on third parties and technologies provided by third parties. Korbitec expressly disclaims any responsibility for, or liability arising from, errors, failures, delays, interruptions, defects or corruption pertaining to a Korbitec Certificate or a Korbitec Certificate Revocation List which may result from a dependency of third party technologies not under the control or operation of Korbitec.

9.7 Limitations of Liability

9.7.1 Korbitec does not accept any liability for any loss (whether financial or otherwise) that may be suffered by any Subscriber or a party relying on a Korbitec Certificate.

9.7.2 If Korbitec is found by an arbitrator or court to be liable to any party for any loss suffered as contemplated in 9.7.1 Korbitec’s liability is strictly limited to R5,000.00 (Five thousand Rand).

9.8 Indemnities

9.8.1 The Korbitec CA and Korbitec RA do not provide any indemnities of whatever nature to participants in PKI supported by the use of or reliance on Korbitec Certificates.

9.9 Excusable Delay and Indemnities

9.9.1 No participant in a PKI supported by Korbitec Certificates shall have a claim against the Korbitec CA or the Korbitec RA for any failure on its part to carry out any of its obligations in terms of this CPS resulting from any cause whatsoever beyond the control of the Korbitec CA or RA.

9.9.2 The performance by Korbitec of its obligations in terms of this CPS shall be suspended for the duration of the cause of the delay and resumed immediately once this is possible.


9.10 Term and Termination

9.10.1 This CPS will commence and become effective from the date specified on the first page of the CPS published by the Korbitec PA in the Korbitec Repository and will continue (as may be amended from time to time by the Korbitec PA) indefinitely.

9.10.2 This CPS (amended from time to time by the Korbitec PA as provided in 9.12) will continue indefinitely and will continue to apply to participants until the CPS or any provisions of the CPS cease to be of any effect to the participant.

9.11 Individual notices and communications with participants

9.11.1 All communications with participants in a PKI supported by the use of or reliance on Korbitec Certificates, originated by the Korbitec CA or the Korbitec RA, shall be in writing and addressed to the email address provided by the participant to the Korbitec RA.

9.11.2 All communications to the Korbitec RA must be addressed to [email protected].

9.12 Amendments

9.12.1 Any amendments to the provisions of this CPS or any other documentation used by the Korbitec CA and the Korbitec RA in the provision of its services, shall be subject to consideration and authorisation by the Korbitec PA.

9.12.2 The Korbitec PA shall, in considering proposals for amendments, do so with due regard to the urgency of the amendment and notification of participants of the amendment.

9.12.3 Once an amendment has been ratified by the Korbitec PA, its publication and effective date of the amendment will be authorised by the Korbitec PA, in writing, and published in the Korbitec Repository.

9.12.4 If the Korbitec PA believes that the amendment is of such a nature that notification must be provided to all participants, or a restricted class of participants, the Korbitec PA will authorise and direct the provision of notification.

9.13 Dispute Resolution Procedures

Disputes between Participants other than Korbitec, the Korbitec CA or the Korbitec RA

9.13.1 Should any disputes between participants to a PKI supported by use of or reliance on Korbitec Certificates occur and the participants agree in writing to refer the dispute to the Korbitec PA for mediation, they may do so by addressing an email containing the details of the parties to the dispute and an agreed description of the dispute to [email protected].

9.13.2 The Korbitec PA will appoint a person with appropriate expertise to mediate the dispute and will notify the parties of the appointment within 5 (five) business days of receipt of notification of the dispute.

9.13.3 The role of the person appointed by the Korbitec PA will be one of mediation to assist in the understanding of the use of Korbitec Certificates within the PKI environment in which the participants participate.


9.13.4 If the person appointed by Korbitec has failed to mediate the dispute within 7 (seven) days of meeting with the parties (in person or telephonically) either party to the dispute shall be entitled to take whatever action they deem necessary to resolve the dispute.

Disputes with Korbitec, the Korbitec CA or the Korbitec RA

9.13.5 All disputes of whatever nature between a participant in a PKI supported by the use of or reliance on Korbitec Certificates and Korbitec, the Korbitec CA or the Korbitec RA shall be notified to the Korbitec PA at [email protected].

9.13.6 The Korbitec PA will assign a member of the Korbitec PA, having the requisite expertise, to address the dispute, who will communicate with the complainant, within a period of not more than 5 (five) business days, with a view to resolving the dispute as soon as reasonably possible.

9.13.7 If the complainant and the person appointed by the Korbitec PA are unable to resolve the dispute within a period of 7 (seven) business days of the written appointment of the member of the Korbitec PA, or any longer period agreed between the parties, the matter shall be referred to arbitration by the Arbitration Foundation of South Africa.

9.14 Arbitration

9.14.1 If the parties to a dispute as contemplated in 9.13.5 fail to resolve the dispute as contemplated in 9.13.6 and 9.13.7 and the dispute arises from reliance on this CPS, the parties are deemed to have agreed that the dispute be resolved in Cape Town in accordance with the current rules of the Arbitration Foundation of South Africa, by 1 (one) arbitrator appointed by agreement between the parties or, if the parties fail to agree on the arbitrator within 5 (five) business days of notice of the referral of the matter for arbitration, by an arbitrator appointed by the Secretariat of the Arbitration Foundation of South Africa.

9.14.2 Each party consents to an arbitration in terms of this provision being conducted as a matter of urgency and the parties irrevocably agree to authorise the party applying to the Arbitration Foundation of South Africa for arbitration to require that the arbitration be conducted on an urgent basis, unless agreed to the contrary by the parties, in writing.

9.14.3 The decision or award resulting from the arbitration shall be final and binding on the parties to the arbitration and may be made an order of court at the instance of any party. The parties irrevocably submit to the jurisdiction of the Cape of Good Hope Division of the High Court of the Republic of South Africa should they wish to make the arbitration an order of court.

9.14.4 There shall be no right of appeal against the decision made by the arbitrator.

9.14.5 The arbitration shall be held in camera, in the English language, and will be kept confidential to the parties.

9.14.6 Neither party shall be precluded by these provisions from seeking interim relief pending the outcome of the arbitration contemplated, provided that the parties irrevocably submit to the jurisdiction of the Cape of Good Hope Division of the High Court of the Republic of South Africa.

9.15 Governing Law

9.15.1 All Korbitec Certificate Policies, this CPS and any other documentation, including, without limitation, RA Charters and Subscriber Agreements, used by the Korbitec CA in providing its services shall be governed and construed in accordance with the laws of the Republic of South Africa.

9.16 General Provisions

9.16.1 Entire Contract

This CPS, to the extent that it may be contractually relied upon, constitutes, together with agreements with Subscribers (where applicable), the entire contract between parties relying on the terms of this CPS with regard to matters dealt with in this CPS and Subscriber Agreements.

9.16.2 No Representations

No representations (save for fraudulent misrepresentations), terms, conditions or warranties not contained in this CPS or Subscriber Agreement shall be binding on the parties.

9.16.3 Cession

The Korbitec CA or its principal Korbitec (Pty) Limited may cede its rights and delegate its obligations to a third party without the prior consent of any other party. The Korbitec CA will notify participants to the Gateway PKI of the intended cession at least 30 (thirty) days prior to the cession taking effect.

9.16.4 Validity

If any provision of this CPS is found or held to be invalid or unenforceable, the validity of all the other provisions of this CPS will not be affected thereby, and the invalid or unenforceable provision may be severed from this CPS. The remaining provisions of this CPS shall continue in full force and effect, notwithstanding the severing of provisions found to be invalid or unenforceable.