Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
DigiCert
CertificationPracticesStatement
DigiCert,Inc.Version4.07
October7,2014
2600WestExecutiveParkwaySuite500
Lehi,UT84043USA
Tel:1‐801‐877‐2100Fax:1‐801‐705‐0481
www.digicert.com
ii
TABLEOFCONTENTS
1. INTRODUCTION ................................................................................................................................... 1
1.1. Overview ...................................................................................................................................... 1 1.2. Document name and Identification ............................................................................................... 1 1.3. PKI Participants ........................................................................................................................... 3
1.3.1. Certification Authorities ........................................................................................................... 3 1.3.2. Registration Authorities and Other Delegated Third Parties .................................................... 4 1.3.3. Subscribers ............................................................................................................................. 4 1.3.4. Relying Parties ........................................................................................................................ 4 1.3.5. Other Participants ................................................................................................................... 4
1.4. Certificate Usage ......................................................................................................................... 4 1.4.1. Appropriate Certificate Uses ................................................................................................... 5 1.4.2. Prohibited Certificate Uses ...................................................................................................... 6
1.5. Policy administration .................................................................................................................... 6 1.5.1. Organization Administering the Document .............................................................................. 6 1.5.2. Contact Person ....................................................................................................................... 6 1.5.3. Person Determining CPS Suitability for the Policy .................................................................. 7 1.5.4. CPS Approval Procedures ...................................................................................................... 7
1.6. Definitions and acronyms ............................................................................................................. 7 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES .................................................................... 9
2.1. Repositories ................................................................................................................................. 9 2.2. Publication of certification information .......................................................................................... 9 2.3. Time or frequency of publication .................................................................................................. 9 2.4. Access controls on repositories ................................................................................................. 10
3. IDENTIFICATION AND AUTHENTICATION ....................................................................................... 10 3.1. Naming ...................................................................................................................................... 10
3.1.1. Types of Names .................................................................................................................... 10 3.1.2. Need for Names to be Meaningful ......................................................................................... 11 3.1.3. Anonymity or Pseudonymity of Subscribers .......................................................................... 11 3.1.4. Rules for Interpreting Various Name Forms .......................................................................... 11 3.1.5. Uniqueness of Names ........................................................................................................... 11 3.1.6. Recognition, Authentication, and Role of Trademarks .......................................................... 11
3.2. Initial identity validation .............................................................................................................. 11 3.2.1. Method to Prove Possession of Private Key ......................................................................... 11 3.2.2. Authentication of Organization Identity .................................................................................. 11 3.2.3. Authentication of Individual Identity ....................................................................................... 13 3.2.4. Non-verified Subscriber Information ...................................................................................... 18 3.2.5. Validation of Authority ........................................................................................................... 18
3.3. Identification and authentication for re-key requests .................................................................. 19 3.3.1. Identification and Authentication for Routine Re-key ............................................................. 19 3.3.2. Identification and Authentication for Re-key After Revocation............................................... 20
3.4. Identification and authentication for revocation request ............................................................. 20 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ....................................................... 20
4.1. Certificate Application ................................................................................................................ 20 4.1.1. Who Can Submit a Certificate Application ............................................................................ 20 4.1.2. Enrollment Process and Responsibilities .............................................................................. 20
4.2. Certificate application processing .............................................................................................. 21 4.2.1. Performing Identification and Authentication Functions ........................................................ 21 4.2.2. Approval or Rejection of Certificate Applications ................................................................... 21 4.2.3. Time to Process Certificate Applications ............................................................................... 21
4.3. Certificate issuance .................................................................................................................... 22 4.3.1. CA Actions during Certificate Issuance ................................................................................. 22 4.3.2. Notification to Subscriber by the CA of Issuance of Certificate ............................................. 22
4.4. Certificate acceptance ............................................................................................................... 22 4.4.1. Conduct Constituting Certificate Acceptance ........................................................................ 22 4.4.2. Publication of the Certificate by the CA ................................................................................. 22 4.4.3. Notification of Certificate Issuance by the CA to Other Entities ............................................. 22
4.5. Key pair and certificate usage .................................................................................................... 22 4.5.1. Subscriber Private Key and Certificate Usage ...................................................................... 22
iii
4.5.2. Relying Party Public Key and Certificate Usage .................................................................... 22 4.6. Certificate renewal ..................................................................................................................... 23
4.6.1. Circumstance for Certificate Renewal ................................................................................... 23 4.6.2. Who May Request Renewal .................................................................................................. 23 4.6.3. Processing Certificate Renewal Requests ............................................................................ 23 4.6.4. Notification of New Certificate Issuance to Subscriber .......................................................... 23 4.6.5. Conduct Constituting Acceptance of a Renewal Certificate .................................................. 23 4.6.6. Publication of the Renewal Certificate by the CA .................................................................. 23 4.6.7. Notification of Certificate Issuance by the CA to Other Entities ............................................. 23
4.7. Certificate re-key ........................................................................................................................ 24 4.7.1. Circumstance for Certificate Rekey ....................................................................................... 24 4.7.2. Who May Request Certificate Rekey .................................................................................... 24 4.7.3. Processing Certificate Rekey Requests ................................................................................ 24 4.7.4. Notification of Certificate Rekey to Subscriber ...................................................................... 24 4.7.5. Conduct Constituting Acceptance of a Rekeyed Certificate .................................................. 24 4.7.6. Publication of the Issued Certificate by the CA ..................................................................... 24 4.7.7. Notification of Certificate Issuance by the CA to Other Entities ............................................. 24
4.8. Certificate modification ............................................................................................................... 24 4.8.1. Circumstances for Certificate Modification ............................................................................ 24 4.8.2. Who May Request Certificate Modification............................................................................ 24 4.8.3. Processing Certificate Modification Requests ....................................................................... 24 4.8.4. Notification of Certificate Modification to Subscriber ............................................................. 25 4.8.5. Conduct Constituting Acceptance of a Modified Certificate ................................................... 25 4.8.6. Publication of the Modified Certificate by the CA .................................................................. 25 4.8.7. Notification of Certificate Modification by the CA to Other Entities ........................................ 25
4.9. Certificate revocation and suspension ....................................................................................... 25 4.9.1. Circumstances for Revocation .............................................................................................. 25 4.9.2. Who Can Request Revocation .............................................................................................. 26 4.9.3. Procedure for Revocation Request ....................................................................................... 26 4.9.4. Revocation Request Grace Period ........................................................................................ 26 4.9.5. Time within which CA Must Process the Revocation Request .............................................. 26 4.9.6. Revocation Checking Requirement for Relying Parties ......................................................... 27 4.9.7. CRL Issuance Frequency ...................................................................................................... 27 4.9.8. Maximum Latency for CRLs .................................................................................................. 27 4.9.9. On-line Revocation/Status Checking Availability ................................................................... 27 4.9.10. On-line Revocation Checking Requirements .................................................................... 27 4.9.11. Other Forms of Revocation Advertisements Available ..................................................... 27 4.9.12. Special Requirements Related to Key Compromise ......................................................... 27 4.9.13. Circumstances for Suspension ......................................................................................... 27 4.9.14. Who Can Request Suspension ........................................................................................ 27 4.9.15. Procedure for Suspension Request .................................................................................. 27 4.9.16. Limits on Suspension Period ............................................................................................ 27
4.10. Certificate status services .......................................................................................................... 28 4.10.1. Operational Characteristics .............................................................................................. 28 4.10.2. Service Availability ........................................................................................................... 28 4.10.3. Optional Features ............................................................................................................. 28
4.11. End of subscription .................................................................................................................... 28 4.12. Key escrow and recovery ........................................................................................................... 28
4.12.1. Key Escrow and Recovery Policy Practices ..................................................................... 28 4.12.2. Session Key Encapsulation and Recovery Policy and Practices ...................................... 29
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ........................................................ 29 5.1. Physical Controls ....................................................................................................................... 29
5.1.1. Site Location and Construction ............................................................................................. 29 5.1.2. Physical Access .................................................................................................................... 29 5.1.3. Power and Air Conditioning ................................................................................................... 30 5.1.4. Water Exposures ................................................................................................................... 30 5.1.5. Fire Prevention and Protection .............................................................................................. 30 5.1.6. Media Storage ....................................................................................................................... 30 5.1.7. Waste Disposal ..................................................................................................................... 30 5.1.8. Off-site Backup ...................................................................................................................... 30 5.1.9. Certificate Status Hosting, CMS and External RA Systems .................................................. 30
5.2. Procedural controls .................................................................................................................... 30
iv
5.2.1. Trusted Roles ........................................................................................................................ 30 5.2.2. Number of Persons Required per Task ................................................................................. 31 5.2.3. Identification and Authentication for each Role ..................................................................... 31 5.2.4. Roles Requiring Separation of Duties ................................................................................... 31
5.3. Personnel controls ..................................................................................................................... 31 5.3.1. Qualifications, Experience, and Clearance Requirements .................................................... 31 5.3.2. Background Check Procedures ............................................................................................. 32 5.3.3. Training Requirements .......................................................................................................... 32 5.3.4. Retraining Frequency and Requirements .............................................................................. 32 5.3.5. Job Rotation Frequency and Sequence ................................................................................ 32 5.3.6. Sanctions for Unauthorized Actions ...................................................................................... 33 5.3.7. Independent Contractor Requirements ................................................................................. 33 5.3.8. Documentation Supplied to Personnel .................................................................................. 33
5.4. Audit logging procedures ........................................................................................................... 33 5.4.1. Types of Events Recorded .................................................................................................... 33 5.4.2. Frequency of Processing Log ................................................................................................ 35 5.4.3. Retention Period for Audit Log .............................................................................................. 35 5.4.4. Protection of Audit Log .......................................................................................................... 35 5.4.5. Audit Log Backup Procedures ............................................................................................... 35 5.4.6. Audit Collection System (internal vs. external) ...................................................................... 36 5.4.7. Notification to Event-causing Subject .................................................................................... 36 5.4.8. Vulnerability Assessments .................................................................................................... 36
5.5. Records archival ........................................................................................................................ 36 5.5.1. Types of Records Archived ................................................................................................... 36 5.5.2. Retention Period for Archive ................................................................................................. 37 5.5.3. Protection of Archive ............................................................................................................. 37 5.5.4. Archive Backup Procedures .................................................................................................. 37 5.5.5. Requirements for Time-stamping of Records ........................................................................ 37 5.5.6. Archive Collection System (internal or external) .................................................................... 37 5.5.7. Procedures to Obtain and Verify Archive Information ........................................................... 37
5.6. Key changeover ......................................................................................................................... 37 5.7. Compromise and disaster recovery ........................................................................................... 38
5.7.1. Incident and Compromise Handling Procedures ................................................................... 38 5.7.2. Computing Resources, Software, and/or Data Are Corrupted .............................................. 38 5.7.3. Entity Private Key Compromise Procedures ......................................................................... 38 5.7.4. Business Continuity Capabilities after a Disaster .................................................................. 38
5.8. CA or RA termination ................................................................................................................. 39 6. TECHNICAL SECURITY CONTROLS ................................................................................................ 39
6.1. Key pair generation and installation ........................................................................................... 39 6.1.1. Key Pair Generation .............................................................................................................. 39 6.1.2. Private Key Delivery to Subscriber ........................................................................................ 39 6.1.3. Public Key Delivery to Certificate Issuer ............................................................................... 40 6.1.4. CA Public Key Delivery to Relying Parties ............................................................................ 40 6.1.5. Key Sizes .............................................................................................................................. 40 6.1.6. Public Key Parameters Generation and Quality Checking .................................................... 41 6.1.7. Key Usage Purposes (as per X.509 v3 key usage field) ....................................................... 41
6.2. Private Key Protection and Cryptographic Module Engineering Controls .................................. 41 6.2.1. Cryptographic Module Standards and Controls ..................................................................... 41 6.2.2. Private Key (n out of m) Multi-person Control ....................................................................... 42 6.2.3. Private Key Escrow ............................................................................................................... 42 6.2.4. Private Key Backup ............................................................................................................... 42 6.2.5. Private Key Archival .............................................................................................................. 43 6.2.6. Private Key Transfer into or from a Cryptographic Module ................................................... 43 6.2.7. Private Key Storage on Cryptographic Module ..................................................................... 43 6.2.8. Method of Activating Private Keys ......................................................................................... 43 6.2.9. Method of Deactivating Private Keys .................................................................................... 43 6.2.10. Method of Destroying Private Keys .................................................................................. 43 6.2.11. Cryptographic Module Rating ........................................................................................... 43
6.3. Other aspects of key pair management ..................................................................................... 44 6.3.1. Public Key Archival ............................................................................................................... 44 6.3.2. Certificate Operational Periods and Key Pair Usage Periods................................................ 44
6.4. Activation data ........................................................................................................................... 45
v
6.4.1. Activation Data Generation and Installation .......................................................................... 45 6.4.2. Activation Data Protection ..................................................................................................... 45 6.4.3. Other Aspects of Activation Data .......................................................................................... 45
6.5. Computer security controls ........................................................................................................ 45 6.5.1. Specific Computer Security Technical Requirements ........................................................... 45 6.5.2. Computer Security Rating ..................................................................................................... 45
6.6. Life cycle technical controls ....................................................................................................... 45 6.6.1. System Development Controls .............................................................................................. 45 6.6.2. Security Management Controls ............................................................................................. 46 6.6.3. Life Cycle Security Controls .................................................................................................. 46
6.7. Network security controls ........................................................................................................... 46 6.8. Time-stamping ........................................................................................................................... 46 6.9. PIV-I Cards ................................................................................................................................ 47
7. CERTIFICATE, CRL, AND OCSP PROFILES .................................................................................... 48 7.1. Certificate profile ........................................................................................................................ 48
7.1.1. Version Number(s) ................................................................................................................ 48 7.1.2. Certificate Extensions ........................................................................................................... 48 7.1.3. Algorithm Object Identifiers ................................................................................................... 48 7.1.4. Name Forms ......................................................................................................................... 49 7.1.5. Name Constraints ................................................................................................................. 49 7.1.6. Certificate Policy Object Identifier ......................................................................................... 49 7.1.7. Usage of Policy Constraints Extension ................................................................................. 49 7.1.8. Policy Qualifiers Syntax and Semantics ................................................................................ 49 7.1.9. Processing Semantics for the Critical Certificate Policies Extension ..................................... 49
7.2. CRL profile ................................................................................................................................. 49 7.2.1. Version number(s) ................................................................................................................. 49 7.2.2. CRL and CRL Entry Extensions ............................................................................................ 49
7.3. OCSP profile .............................................................................................................................. 50 7.3.1. Version Number(s) ................................................................................................................ 50 7.3.2. OCSP Extensions ................................................................................................................. 50
8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS ....................................................................... 50 8.1. Frequency or circumstances of assessment .............................................................................. 50 8.2. Identity/qualifications of assessor .............................................................................................. 50 8.3. Assessor's relationship to assessed entity ................................................................................. 51 8.4. Topics covered by assessment .................................................................................................. 51 8.5. Actions taken as a result of deficiency ....................................................................................... 51 8.6. Communication of results .......................................................................................................... 51 8.7. Self-Audits ................................................................................................................................. 51
9. OTHER BUSINESS AND LEGAL MATTERS ...................................................................................... 51 9.1. Fees ........................................................................................................................................... 51
9.1.1. Certificate Issuance or Renewal Fees ................................................................................... 51 9.1.2. Certificate Access Fees ........................................................................................................ 51 9.1.3. Revocation or Status Information Access Fees ..................................................................... 51 9.1.4. Fees for Other Services ........................................................................................................ 51 9.1.5. Refund Policy ........................................................................................................................ 51
9.2. Financial responsibility ............................................................................................................... 52 9.2.1. Insurance Coverage .............................................................................................................. 52 9.2.2. Other Assets ......................................................................................................................... 52 9.2.3. Insurance or Warranty Coverage for End-Entities ................................................................. 52
9.3. Confidentiality of business information ....................................................................................... 52 9.3.1. Scope of Confidential Information ......................................................................................... 52 9.3.2. Information Not Within the Scope of Confidential Information ............................................... 52 9.3.3. Responsibility to Protect Confidential Information ................................................................. 52
9.4. Privacy of personal information .................................................................................................. 52 9.4.1. Privacy Plan .......................................................................................................................... 52 9.4.2. Information Treated as Private .............................................................................................. 52 9.4.3. Information Not Deemed Private ........................................................................................... 52 9.4.4. Responsibility to Protect Private Information ......................................................................... 53 9.4.5. Notice and Consent to Use Private Information .................................................................... 53 9.4.6. Disclosure Pursuant to Judicial or Administrative Process .................................................... 53 9.4.7. Other Information Disclosure Circumstances ........................................................................ 53
9.5. Intellectual property rights .......................................................................................................... 53
vi
9.6. Representations and warranties ................................................................................................ 53 9.6.1. CA Representations and Warranties ..................................................................................... 53 9.6.2. RA Representations and Warranties ..................................................................................... 54 9.6.3. Subscriber Representations and Warranties ......................................................................... 54 9.6.4. Relying Party Representations and Warranties ..................................................................... 54 9.6.5. Representations and Warranties of Other Participants ......................................................... 55
9.7. Disclaimers of warranties ........................................................................................................... 55 9.8. Limitations of liability .................................................................................................................. 55 9.9. Indemnities ................................................................................................................................ 56
9.9.1. Indemnification by DigiCert ................................................................................................... 56 9.9.2. Indemnification by Subscribers ............................................................................................. 56 9.9.3. Indemnification by Relying Parties ........................................................................................ 56
9.10. Term and termination ................................................................................................................. 56 9.10.1. Term ................................................................................................................................. 56 9.10.2. Termination ...................................................................................................................... 56 9.10.3. Effect of Termination and Survival .................................................................................... 56
9.11. Individual notices and communications with participants ........................................................... 56 9.12. Amendments .............................................................................................................................. 57
9.12.1. Procedure for Amendment ............................................................................................... 57 9.12.2. Notification Mechanism and Period .................................................................................. 57 9.12.3. Circumstances under which OID Must Be Changed ........................................................ 57
9.13. Dispute resolution provisions ..................................................................................................... 57 9.14. Governing law ............................................................................................................................ 57 9.15. Compliance with applicable law ................................................................................................. 57 9.16. Miscellaneous provisions ........................................................................................................... 57
9.16.1. Entire Agreement ............................................................................................................. 57 9.16.2. Assignment ....................................................................................................................... 57 9.16.3. Severability ....................................................................................................................... 58 9.16.4. Enforcement (attorneys' fees and waiver of rights) ........................................................... 58 9.16.5. Force Majeure .................................................................................................................. 58
9.17. Other provisions ......................................................................................................................... 58 Appendix A: Sample Opinion LETTER ......................................................................................................... 59
1
1. INTRODUCTION
1.1. OVERVIEWThisdocumentistheDigiCert,Inc.(“DigiCert”)CertificationPracticesStatement(CPS)thatoutlinestheprinciplesandpracticesrelatedtoDigiCert’scertificationandtime‐stampingservices.ThisCPSappliestoallentitiesparticipatinginorusingDigiCert’scertificateandtime‐stampingservices,excludingparticipantsinDigiCert’sPrivatePKIservices,whicharenotcross‐certifiedorpubliclytrusted.SpecificrequirementsregardingthosecertificatesaresetforthintheindividualagreementswiththeappropriateDigiCertcustomer.ThisCPSdescribesthepracticesusedtocomplywiththeDigiCertCertificatePolicy(the“CP”),theAdobeSystemsInc.(“Adobe”)AATLCertificatePolicy,theFederalBridgeCertificationAuthority(“FBCA”)CertificatePolicy,andotherapplicablepolicies.DigiCertconformstothecurrentversionoftheguidelinesadoptedbytheCertificationAuthority/BrowserForum(“CABForum”)whenissuingpubliclytrustedcertificates,includingtheBaselineRequirementsfortheIssuanceandManagementofPublicly‐TrustedCertificates(“BaselineRequirements”)andtheGuidelinesforExtendedValidationCertificates(“EVGuidelines”)bothofwhicharepublishedathttps://www.cabforum.org.IfanyinconsistencyexistsbetweenthisCPSandtheBaselineRequirementsortheEVGuidelines,thentheEVGuidelinestakeprecedenceforEVCertificatesandtheBaselineRequirementstakeprecedenceforpubliclytrustedSSLcertificates.Time‐stampingservicesareprovidedaccordingtoIETFRFC3161andothertechnicalstandards.ThisCPSisonlyoneofseveraldocumentsthatcontrolDigiCert’scertificationservices.Otherimportantdocumentsincludebothprivateandpublicdocuments,suchastheCP,DigiCert’sagreementswithitscustomers,RelyingPartyagreements,andDigiCert’sprivacypolicy.DigiCertmayprovideadditionalcertificatepoliciesorcertificationpracticestatements.Thesesupplementalpoliciesandstatementsareavailabletoapplicableusersorrelyingparties.PursuanttotheIETFPKIXRFC3647CP/CPSframework,thisCPSisdividedintoninepartsthatcoverthesecuritycontrolsandpracticesandproceduresforcertificateandtime‐stampingserviceswithintheDigiCertPKI.TopreservetheoutlinespecifiedbyRFC3647,sectionheadingsthatdonotapplyhavethestatement"Notapplicable"or"Nostipulation."
1.2. DOCUMENTNAMEANDIDENTIFICATIONThisdocumentistheDigiCertCertificationPracticesStatementandwasapprovedforpublicationon9August2010bytheDigiCertPolicyAuthority(DCPA).Thefollowingrevisionsweremadetotheoriginaldocument:
Date Changes Version7‐October‐2014 UpdatedforconsistencywithDigiCertCPv.2.27 4.0714‐May‐2014 Updatedpracticestocomplywithnewpolicyrequirementsand
changestotheDirectTrustCP,BaselineRequirements,EVGuidelines,andEVCodeSigningGuidelines.
4.06
2‐May‐2013 Updatedmailingaddress.Alsoupdatedpracticestocomplywithnewpolicyrequirements,theDirectTrustCP,changestotheAdobeprogram,andCABForumguidelines.
4.05
10‐May‐2012 UpdatedtoincludepracticessetforthintheBaselineRequirements,thecurrentMozillaCAPolicy,EVCodeSigning,theIGTF,andotherpolicybodies.
4.04
3‐May‐2011 IGTFCertificatesaddedandminorupdatesmadetoseveralsections.
4.03
29‐October‐2010 ChangesmadeinresponsetocommentsfromtheFPKICPWGregardingcertificatestatusservices,trustedroles,andoff‐sitebackupofarchive.
4.02
26‐August‐2010 Updatedtheprocessusedtoauthenticatethecertificate 4.01
2
Date Changes Versionrequester’sauthorityundersection3.2.5forcodesigningcertificatesissuedtoorganizations
9‐August‐2010 Thisversion4.0replacestheDigiCertCertificatePolicyandCertificationPracticesStatement,Version3.08,datedMay29,2009,andtheDigiCertCertificationPracticeStatementforExtendedValidationCertificates,Version1.0.4,May29,2009.
4.0
TheOIDforDigiCertisjoint‐iso‐ccitt(2)country(16)USA(840)US‐company(1)DigiCert(114412).TheOID‐arcforthisversion4oftheCPSis2.16.840.1.114412.0.2.4.SubsequentrevisionstothisCPSmighthavenewOIDassignments.DigiCertissuescertificatesandtime‐stamptokenscontainingthefollowingOIDs/OIDarcs:
DigitallySignedObject ObjectIdentifier(OID)DomainVettedSSLCertificatesandpertheBaselineRequirements
2.16.840.1.114412.1.2and/or2.23.140.1.2.1(CABForumBaselineReqs.)
OrganizationVettedSSLCertificatesandpertheBaselineRequirements
2.16.840.1.114412.1.1and/or2.23.140.1.2.2(CABForumBaselineReqs.)
FederatedDeviceCertificate 2.16.840.1.114412.1.11FederatedDeviceHardwareCertificate 2.16.840.1.114412.1.12IssuerCA(whereallowedbypolicy) 2.5.29.32.0 (anyPolicy)ExtendedValidationSSLCertificates 2.16.840.1.114412.2 and/or
2.23.140.1.1.X(CABForumEVGuidelines)ObjectSigningCertificates 2.16.840.1.114412.3 CodeSigningCertificates 2.16.840.1.114412.3.1 ExtendedValidationCodeSigning 2.16.840.1.114412.3.2 WindowsKernelDriverSigning 2.16.840.1.114412.3.11 AdobeSigningCertificate 2.16.840.1.114412.3.21ClientCertificateOIDArc 2.16.840.1.114412.4 Level1Certificates‐Personal 2.16.840.1.114412.4.1.1 Level1Certificates‐Enterprise 2.16.840.1.114412.4.1.2 Level2Certificates 2.16.840.1.114412.4.2 Level3Certificates‐US 2.16.840.1.114412.4.3.1 Level3Certificates‐CBP 2.16.840.1.114412.4.3.2 Level4Certificates‐US 2.16.840.1.114412.4.4.1 Level4Certificates‐CBP 2.16.840.1.114412.4.4.2PIV‐IOIDArc 2.16.840.1.114412.4.5
PIV‐IHardware‐keysrequireactivationbythePIV‐ICardholder(PIVAuth,DigSigandKeyManagement)
2.16.840.1.114412.4.5.1
PIV‐ICardAuthentication‐keysdonotrequirePIV‐ICardholderactivation
2.16.840.1.114412.4.5.2
PIV‐IContentSigning–usebyPIV‐I‐compliantCMS
2.16.840.1.114412.4.5.3
GridCertificateOIDArcs 2.16.840.1.114412.4.31 or2.16.840.1.114412.31(Grid‐onlyarc)
IGTFClassicX.509Authoritieswithsecuredinfrastructure
2.16.840.1.114412.4.31.1(Clientw/Public),2.16.840.1.114412.31.4.1.1(ClientGridOnly),and/or1.2.840.113612.5.2.2.1.x(IGTF)
IGTFMemberIntegratedX.509CredentialServiceswithSecuredInfrastructureCertificates
2.16.840.1.114412.4.31.5and/or1.2.840.113612.5.2.2.5.x(IGTF)
3
IGTFGridHost‐PublicTrust 2.16.840.1.114412.1.31.1IGTFGrid‐OnlyHostCertificate 2.16.840.1.114412.31.1.1.1,
1.2.840.113612.5.2.2.1.x(IGTF),and/or1.2.840.113612.5.2.2.5.x(IGTF)
Authentication‐OnlyCertificates 2.16.840.1.114412.6TrustedTime‐stamping 2.16.840.1.114412.7.1Legacyarc 2.16.840.1.114412.81Testarc 2.16.840.1.114412.99EUOIDs
EUQualifiedCertificatesETSITS101456
0.4.0.1456.1.2
EUQConSecureSignatureCreationDeviceETSITS101456
0.4.0.1456.1.1
ETSITS101862‐QualifiedCertificateStatements
0.4.0.1862.1.x
EUQualifiedTime‐stampingETSITS102023
0.4.0.2023.1.x
AllOIDsmentionedabovebelongtotheirrespectiveowners.ThespecificOIDsusedwhenobjectsaresignedpursuanttothisCPSareindicatedintheapplicableCertificateProfilesdocument.WhenDigiCertissuesanSSLcertificatecontainingoneoftheabove‐specifiedpolicyidentifiersfor“BaselineRequirements”,itassertsthatthecertificateismanagedinaccordancewiththeBaselineRequirements.CommercialBestPractices(“CBP”)differsfrom“US”inthattherearenotrustedrolecitizenshiprequirementsforanIssuerCAissuingunderaCBPpolicy,whereaspoliciesdesignated“US”mustfollowthecitizenshippracticessetforthinSection5.3.1.TheLegacyarcexiststoidentifycertificatesissuedforpurposeofachievingcompatibilitywithlegacysystemsthatareincapableofprocessingneweralgorithmsthatmightberequiredbycomparableindustrybestpractices,e.g.,toidentifycertificatessignedusingtheSHA‐1algorithmwhenSHA‐256wouldberequiredunderaCPthatDigiCerthascross‐certified.
1.3. PKIPARTICIPANTS
1.3.1. CertificationAuthoritiesDigiCertisacertificationauthority(CA)thatissuesdigitalcertificates.AsaCA,DigiCertperformsfunctionsassociatedwithPublicKeyoperations,includingreceivingcertificaterequests,issuing,revokingandrenewingadigitalcertificate,andmaintaining,issuing,andpublishingCRLsandOCSPresponses.GeneralinformationaboutDigiCert’sproductsandservicesareavailableatwww.digicert.com.DigiCert’sofflineself‐signedRootCAsissueCAcertificatestosubordinateCAsandcrosscertificatestootherRootCAsinaccordancewiththisCPS,applicablecross‐certification/federationpolicies,andDigiCert’smemorandaofagreementwiththoseexternallyoperatedCAs.An“externalsubordinateCA”isanunaffiliatedthirdpartythatisissuedaCACertificatebyDigiCertwherethePrivateKeyassociatedwiththatCACertificateisnotmaintainedunderthephysicalcontrolofDigiCert.InaccordancewithEUDirective99/93,DigiCertdoesnotallowexternalsubordinateCAstoissueEUQualifiedCertificates.InaccordancewithrequirementsoftheU.S.FederalPKIPolicyAuthority(FPKIPA),DigiCertnotifiestheFPKIPApriortoissuingaCAcertificatechainingtotheFederalBridgeCAtoanexternalsubordinateCA.AllexternalsubordinateCAsareprohibited,eithertechnicallyorcontractually,fromissuingcertificatestodomainnamesorIPaddressesthataSubscriberdoesnotlegitimatelyownorcontrol(i.e.issuanceforpurposesof“trafficmanagement”isprohibited),andexternalsubordinateCAsarerequiredtoimplementproceduresthatareatleastasrestrictiveasthosefoundherein.DigiCertisalsoatimestampingauthority(TSA)andprovidesproof‐of‐existencefordataataninstantintimeasdescribedherein.
4
1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdPartiesDigiCertmaydelegatetheperformanceofcertainfunctionstoRegistrationAuthorities(RA)andotherthirdpartiestorequestcertificatesand/orperformidentificationandauthenticationforend‐usercertificates.ThespecificroleofanRAorDelegatedThirdPartyvariesgreatlybetweenentities,rangingfromsimpletranslationservicestoactualassistanceingatheringandverifyingApplicantinformation.SomeRAsoperateidentitymanagementsystems(IdMs)andmaymanagethecertificatelifecycleforend‐users.ForIGTFcertificates,designatedRAsareresponsibleforvettingtheidentityofeachcertificateapplicant.DigiCertcontractuallyobligateseachDelegatedThirdPartytoabidebythepoliciesandindustrystandardsthatareapplicabletothatDelegatedThirdParty’sroleincertificateissuance,management,revocationorotherrelatedtaskthattheDelegatedThirdPartyperforms.RApersonnelinvolvedintheissuanceofpublicly‐trustedSSLCertificatesmustundergotheskillsandtrainingrequiredunderSection5.3.AnRAoridentitymanagement(IdM)systemsupportingaparticularcommunityofinterestwithcustomidentity‐vettingpracticesthatdifferfromthosefoundhereinmaysubmitdocumentationtotheDCPAforreviewandapproval.ThedocumentationmustcontainsufficientdetailtoensurethatalltasksrequiredbytheCPwillbeperformed.
1.3.3. SubscribersSubscribersuseDigiCert’sservicesandPKItosupporttransactionsandcommunications.Subscribersarenotalwaysthepartyidentifiedinacertificate,suchaswhencertificatesareissuedtoanorganization’semployees.TheSubjectofacertificateisthepartynamedinthecertificate.ASubscriber,asusedherein,referstoboththeSubjectofthecertificateandtheentitythatcontractedwithDigiCertforthecertificate’sissuance.Priortoverificationofidentityandissuanceofacertificate,aSubscriberisanApplicant.
1.3.4. RelyingPartiesRelyingPartiesareentitiesthatactinrelianceonacertificateand/ordigitalsignatureissuedbyDigiCert.RelyingpartiesmustchecktheappropriateCRLorOCSPresponsepriortorelyingoninformationfeaturedinacertificate.ThelocationoftheCRLdistributionpointisdetailedwithinthecertificate.
1.3.5. OtherParticipantsOtherparticipantsincludeAccreditationAuthorities(suchasPolicyManagementAuthorities,FederationOperators,ApplicationSoftwareVendors,andapplicableCommunity‐of‐Interestsponsors);BridgeCAsandCAsthatcross‐certifyDigiCertCAsastrustanchorsinotherPKIcommunities;CardManagementSystemsandintegrators(CMSs)thatensureproperoperationandprovisioningofPIV‐Icards;andTimeSourceEntities,TimeStampTokenRequesters,andTimeStampVerifiersinvolvedintrustedtimestamping.AccreditationAuthoritiesaregrantedanunlimitedrighttore‐distributeDigiCert’srootcertificatesandrelatedinformationinconnectionwiththeaccreditation.WhenissuingPIV‐Icards,DigiCertusesaCardManagementSystems(CMS)thatmeetstherequirementshereinresponsibleformanagingsmartcardtokencontent.DigiCertdoesnotissuecertificatestoaCMSthatincludeaPIV‐IHardwareorPIV‐ICardAuthenticationpolicyOID.DigiCerthascross‐certifiedwiththeFederalBridgeCertificationAuthority(FBCA)andhasbeenissuedcrosscertificatesbyEntrustandCybertrust.
1.4. CERTIFICATEUSAGEAdigitalcertificate(orcertificate)isformatteddatathatcryptographicallybindsanidentifiedsubscriberwithaPublicKey.Adigitalcertificateallowsanentitytakingpartinanelectronictransactiontoproveitsidentitytootherparticipantsinsuchtransaction.Digitalcertificatesareusedincommercialenvironmentsasadigitalequivalentofanidentificationcard.Atime‐stamptoken(TST)cryptographicallybindsarepresentationofdatatoaparticulartimestamp,thusestablishingevidencethatthedataexistedatacertainpointintime.
5
1.4.1. AppropriateCertificateUsesCertificatesissuedpursuanttothisCPSmaybeusedforalllegalauthentication,encryption,accesscontrol,anddigitalsignaturepurposes,asdesignatedbythekeyusageandextendedkeyusagefieldsfoundwithinthecertificate.However,thesensitivityoftheinformationprocessedorprotectedbyacertificatevariesgreatly,andeachRelyingPartymustevaluatetheapplicationenvironmentandassociatedrisksbeforedecidingonwhethertouseacertificateissuedunderthisCPS.ThisCPScoversseveraldifferenttypesofendentitycertificates/tokenswithvaryinglevelsofassurance.Thefollowingtableprovidesabriefdescriptionoftheappropriateusesofeach.Thedescriptionsareforguidanceonlyandarenotbinding.
Certificate AppropriateUseDVSSLCertificates Usedtosecure onlinecommunicationwheretherisksand
consequencesofdatacompromisearelow,includingnon‐monetarytransactionsortransactionswithlittleriskoffraudormaliciousaccess.
OVSSLCertificates Usedtosecureonlinecommunicationwheretherisksandconsequencesofdatacompromisearemoderate,includingtransactionshavingsubstantialmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessissubstantial.
EVSSLCertificates Usedtosecureonlinecommunicationwhererisksandconsequencesofdatacompromisearehigh,includingtransactionshavinghighmonetaryvalue,riskoffraud,orwhereinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessishigh.
FederatedDeviceCertificates
SimilartoSSLCertificates abovebutforuseasnecessaryinconnectionwithcross‐certifiedPKIs
CodeSigningCertificates,includingEVCodeSigning
EstablishestheidentityoftheSubscribernamedinthecertificateandthatthesignedcodehasnotbeenmodifiedsincesigning.
RudimentaryLevel1ClientCertificates‐Personal
Providesthelowestdegreeofassuranceconcerningidentityoftheindividualandisgenerallyusedonlytoprovidedataintegritytotheinformationbeingsigned.Thesecertificatesshouldonlybeusedwheretheriskofmaliciousactivityislowandifanauthenticatedtransactionisnotrequired.
Level1ClientCertificates‐Enterprise
Usedinenvironmentswheretherearerisksandconsequencesofdatacompromise,butsuchrisksarenotofmajorsignificance.Usersareassumednotlikelytobemalicious.
Level2ClientCertificates(FBCAbasicassurancecertificates)
Issuedtoidentity‐vettedindividuals.Certificatesspecifyifthenameisapseudonym.Usedinenvironmentswheretherearerisksandconsequencesofdatacompromise,butsuchrisksarenotofmajorsignificance.Usersareassumednotlikelytobemalicious.
Level3ClientCertificates(FBCAmediumcertificates)
Usedinenvironmentswhererisksandconsequencesofdatacompromisearemoderate,includingtransactionshavingsubstantialmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessissubstantial.
Level4ClientCertificates(FBCAmediumhardwarecertificates)
Usedinenvironmentswhererisksandconsequencesofdatacompromisearehigh,includingtransactionshavinghighmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessishigh.
DirectCertificates UsedtotransferhealthcareinformationinaccordancewiththeDirectProtocoladoptedbytheONC.DirectCertificatesareissuedasLevel2orLevel3Certificates.
AuthenticationOnly Usedwheretheidentityofthecertificateholderisirrelevantandwheretheriskofunauthorizedaccesstoasecuresiteislow.
6
IGTFandGrid‐onlyCertificates
SupportidentityassertionsandsystemauthenticationamongstparticipantsintheInternationalGridTrustFederation.IGTFCertificatesincludethoseissuedaspublicly‐trustedclientcertificatesandthoseissuedundertheGrid‐onlyarc.
PIV‐IHardwarePIV‐ICardAuthenticationPIV‐IContentSigningPIV‐IDigitalSignaturePIV‐IKeyManagement
Thislevelisrelevanttoenvironmentswhererisksandconsequencesofdatacompromisearemoderate.ThismayincludecontactlesssmartcardreaderswhereuseofanactivationPINisnotpractical.PersonalIdentityVerification–Interoperable(PIV‐I)cardsareintendedtotechnicallyinteroperatewithFederalPIVCardreadersandapplications.TherequirementsassociatedwithPIV‐IHardwareandPIV‐IContentSigningareidenticaltoLevel4Certificatesexceptwherespecificallynotedherein.PIV‐IContentSigningpolicyisreservedforcertificatesusedbytheCardManagementSystem(CMS)tosignthePIV‐Icardsecurityobjects
EUQualifiedCertificateandEUQConSecureSignatureCreationDevice
EUQualifiedCertificatesmayonlybeusedforsigning(ETSITS101456)
AdobeSigningCertificates UsedtosignAdobedocumentsandshowthattheportionofthedocumentsignedbytheauthorhasnotbeenmodifiedsincesigning.
TimeStampToken Usedtoidentifytheexistenceofdataatasetperiodoftime.
1.4.2. ProhibitedCertificateUsesCertificatesdonotguaranteethattheSubjectistrustworthy,honest,reputableinitsbusinessdealings,compliantwithanylaws,orsafetodobusinesswith.Acertificateonlyestablishesthattheinformationinthecertificatewasverifiedasreasonablycorrectwhenthecertificateissued.Codesigningcertificatesdonotindicatethatthesignedcodeissafetoinstallorfreefrommalware,bugs,orvulnerabilities.CertificatesissuedunderthisCPSmaynotbeused(i)foranyapplicationrequiringfail‐safeperformancesuchas(a)theoperationofnuclearpowerfacilities,(b)airtrafficcontrolsystems,(c)aircraftnavigationsystems,(d)weaponscontrolsystems,or(e)anyothersystemwhosefailurecouldleadtoinjury,deathorenvironmentaldamage;or(ii)whereprohibitedbylaw.CertificatesissuedundertheGrid‐onlyarccannotbeusedtoestablishtrustoutsideoftherelevantgridnetwork.
1.5. POLICYADMINISTRATION
1.5.1. OrganizationAdministeringtheDocumentThisCPSandthedocumentsreferencedhereinaremaintainedbytheDCPA,whichcanbecontactedat:
DigiCertPolicyAuthoritySuite5002600WestExecutiveParkwayLehi,UT84043USATel:1‐801‐877‐2100Fax:1‐801‐705‐0481
1.5.2. ContactPersonAttn:LegalCounselDigiCertPolicyAuthoritySuite5002600WestExecutiveParkwayLehi,UT84043USA
7
1.5.3. PersonDeterminingCPSSuitabilityforthePolicyTheDCPAdeterminesthesuitabilityandapplicabilityofthisCPSbasedontheresultsandrecommendationsreceivedfromanindependentauditor(seeSection8).TheDCPAisalsoresponsibleforevaluatingandactingupontheresultsofcomplianceaudits.
1.5.4. CPSApprovalProceduresTheDCPAapprovestheCPSandanyamendments.AmendmentsaremadeaftertheDCPAhasreviewedtheamendments’consistencywiththeCP,byeitherupdatingtheentireCPSorbypublishinganaddendum.TheDCPAdetermineswhetheranamendmenttothisCPSisconsistentwiththeCP,requiresnotice,oranOIDchange.SeealsoSection9.10andSection9.12below.
1.6. DEFINITIONSANDACRONYMS“AffiliatedOrganization”meansanorganizationthathasanorganizationalaffiliationwithaSubscriberandthatapprovesorotherwiseallowssuchaffiliationtoberepresentedinacertificate.“Applicant”meansanentityapplyingforacertificate.“ApplicationSoftwareVendor”meansasoftwaredeveloperwhosesoftwaredisplaysorusesDigiCertcertificatesanddistributesDigiCert’srootcertificates.“CABForum”isdefinedinsection1.1.“CertificateApprover”isdefinedintheEVGuidelines.“CertificateRequester”isdefinedintheEVGuidelines.“ContractSigner”isdefinedintheEVGuidelines.“DirectAddress”meansanemailaddressconformingtotheApplicabilityStatementforSecureHealthTransport.“DirectAddressCertificate”meansacertificatecontaininganentireDirectAddress.“DirectDeviceCertificate”meansacertificatecontainingtheFQDNorIPaddressofahostmachine.“DirectOrganizationalCertificate”meansacertificatecontainingonlythedomainnameportionofaDirectAddress.“EUDirective99/93”meanstheEUCouncilDirective1999/93/ECoftheEuropeanParliamentandoftheCouncilof13December1999onaCommunityframeworkforElectronicSignatures,OJL13,19.01.2000,pp.12‐20.“EVGuidelines”isdefinedinsection1.1.“KeyPair”meansaPrivateKeyandassociatedPublicKey.“OCSPResponder”meansanonlinesoftwareapplicationoperatedundertheauthorityofDigiCertandconnectedtoitsrepositoryforprocessingcertificatestatusrequests.“PIV‐IProfile”meanstheX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards,Ver.1.0,Date:April232010.
8
“PrivateKey”meansthekeyofakeypairthatiskeptsecretbytheholderofthekeypair,andthatisusedtocreatedigitalsignaturesand/ortodecryptelectronicrecordsorfilesthatwereencryptedwiththecorrespondingPublicKey.“PublicKey”meansthekeyofakeypairthatmaybepubliclydisclosedbytheholderofthecorrespondingPrivateKeyandthatisusedbyaRelyingPartytoverifydigitalsignaturescreatedwiththeholder'scorrespondingPrivateKeyand/ortoencryptmessagessothattheycanbedecryptedonlywiththeholder'scorrespondingPrivateKey.“QualifiedCertificate”meansacertificatethatmeetstherequirementsinAnnexIofEUDirective99/93andisprovidedbyanIssuerCAmeetingtherequirementsofAnnexIIoftheDirective.“RelyingParty”meansanentitythatreliesuponeithertheinformationcontainedwithinacertificateoratime‐stamptoken.“RelyingPartyAgreement”meansanagreementwhichmustbereadandacceptedbytheRelyingPartypriortovalidating,relyingonorusingaCertificateoraccessingorusingDigiCert’sRepository.TheRelyingPartyAgreementisavailableforreferencethroughaDigiCertonlinerepository.“SecureSignatureCreationDevice”meansasignature‐creationdevicethatmeetstherequirementslaiddowninAnnexIIIofEUDirective99/93.“Subscriber”meanseithertheentityidentifiedasthesubjectinthecertificateortheentitythatisreceivingDigiCert’stime‐stampingservices.“SubscriberAgreement”meansanagreementthatgovernstheissuanceanduseofacertificatethattheApplicantmustreadandacceptbeforereceivingacertificate.“WebTrust”meansthecurrentversionoftheAICPA/CICAWebTrustProgramforCertificationAuthorities.“WebTrustEVProgram”meanstheadditionalauditproceduresspecifiedforCAsthatissueEVCertificatesbytheAICPA/CICAtobeusedinconjunctionwithitsWebTrustProgramforCertificationAuthorities.
Acronyms:AATL AdobeApprovedTrustListCA CertificateAuthorityorCertificationAuthorityCAB ”CA/Browser”asin“CABForum”CMS CardManagementSystemCP CertificatePolicyCPS CertificationPracticeStatementCRL CertificateRevocationListCSR CertificateSigningRequestDBA DoingBusinessAs(alsoknownas"TradingAs")DCPA DigiCertPolicyAuthorityETSI EuropeanTelecommunicationsStandardsInstituteEU EuropeanUnionEV ExtendedValidationFIPS (USGovernment)FederalInformationProcessingStandardFQDN FullyQualifiedDomainNameFTP FileTransferProtocolHISP HealthInformationServiceProviderHSM HardwareSecurityModuleHTTP HypertextTransferProtocolIANA InternetAssignedNumbersAuthorityICANN InternetCorporationforAssignedNamesandNumbers
9
IdM IdentityManagementSystemIDN InternationalizedDomainNameISSO InformationSystemSecurityOfficerIETF InternetEngineeringTaskForceIGTF InternationalGridTrustFederationITU InternationalTelecommunicationUnionITU‐T ITUTelecommunicationStandardizationSectorMICS Member‐IntegratedCredentialService(IGTF)OCSP OnlineCertificateStatusProtocolOID ObjectIdentifierONC OfficeoftheNationalCoordinatorforHealthcare(U.S.)PIN PersonalIdentificationNumber(e.g.asecretaccesscode)PIV‐I PersonalIdentityVerification‐InteroperablePKI PublicKeyInfrastructurePKIX IETFWorkingGrouponPublicKeyInfrastructurePKCS PublicKeyCryptographyStandardRA RegistrationAuthorityRFC RequestforComments(atIETF.org)SHA SecureHashingAlgorithmSSCD SecureSignatureCreationDeviceSSL SecureSocketsLayerTLD Top‐LevelDomainTLS TransportLayerSecurityTSA TimeStampingAuthorityTST Time‐StampTokenURL UniformResourceLocatorUTC CoordinatedUniversalTimeX.509 TheITU‐TstandardforCertificatesandtheircorrespondingauthentication
framework
2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES
2.1. REPOSITORIESDigiCertmakesitsrootcertificates,revocationdataforissueddigitalcertificates,CPs,CPSs,RelyingPartyAgreements,andstandardSubscriberAgreementsavailableinpublicrepositories.DigiCert’slegalrepositoryformostservicesislocatedathttp://www.digicert.com/ssl‐cps‐repository.htm.DigiCert’srepositoryforInternationalGridTrustislocatedathttp://www.digicert‐grid.com/.DigiCert’spubliclytrustedrootcertificatesanditsCRLsandOCSPresponsesareavailablethroughonlineresources24hoursaday,7daysaweekwithsystemsdescribedinSection5tominimizedowntime.
2.2. PUBLICATIONOFCERTIFICATIONINFORMATIONTheDigiCertcertificateservicesandtherepositoryareaccessiblethroughseveralmeansofcommunication:
1. Ontheweb:www.digicert.com(andviaURIsincludedinthecertificatesthemselves)2. [email protected]. Bymailaddressedto:DigiCert,Inc.,Suite500,2600WestExecutiveParkway,Lehi,Utah840434. BytelephoneTel:1‐801‐877‐21005. Byfax:1‐801‐705‐0481
2.3. TIMEORFREQUENCYOFPUBLICATIONCAcertificatesarepublishedinarepositoryassoonaspossibleafterissuance.CRLsforend‐usercertificatesareissuedatleastonceperday.CRLsforCAcertificatesareissuedatleastevery6months(every31daysforofflineCAschainingtotheFederalBridgeCA),andalsowithin18hoursifaCAcertificateisrevoked.Under
10
specialcircumstances,DigiCertmaypublishnewCRLspriortothescheduledissuanceofthenextCRL.(SeeSection4.9foradditionaldetails.)NewormodifiedversionsoftheCP,thisCPS,SubscriberAgreements,orRelyingPartyWarrantiesaretypicallypublishedwithinsevendaysaftertheirapproval.
2.4. ACCESSCONTROLSONREPOSITORIESRead‐onlyaccesstotherepositoryisunrestricted.Logicalandphysicalcontrolspreventunauthorizedwriteaccesstorepositories.
3. IDENTIFICATIONANDAUTHENTICATION
3.1. NAMING
3.1.1. TypesofNamesCertificatesareissuedwithanon‐nullsubjectDistinguishedName(DN)thatcomplieswithITUX.500standardsexceptthatDigiCertmayissueaLevel1CertificatewithanullsubjectDNifitincludesatleastonealternativenameformthatismarkedcritical.WhenDNsareused,commonnamesmustrespectnamespaceuniquenessrequirementsandmustnotbemisleading.Thisdoesnotprecludetheuseofpseudonymouscertificates,exceptwherestatedotherwiseunderSection3.1.3.SomeSSL/TLScertificates,includingcertificatesforintranetuseandUnifiedCommunicationsCertificates,maycontainentriesinthesubjectalternativenameextensionthatarenotintendedtoberelieduponbythegeneralpublic(e.g.,theycontainnon‐standardtopleveldomainslike.localortheyareaddressedtoanIPnumberspacethathasbeenallocatedasprivatebyRFC1918).Theissuanceofpublicly‐trustedSSLcertificatestotheselocalIPaddressesorwithnon‐FQDN(DNS‐addressable)servernameshasbeendeprecated.UnlessotherwisemodifiedbytheCA/BrowserForuminitsBaselineRequirements,asofJuly1,2012,DigiCertwillnotissueapubliclytrustedSSLcertificatewithanExpiryDatelaterthanNovember1,2015ifithasasubjectAlternativeNameextensionorSubjectcommonNamefieldcontainingaReservedIPAddressorInternalName,andonOctober1,2016,DigiCertwillrevokeanyunexpiredcertificatecontaininganinternalnameorreservedIPaddress.CertificatesforPIV‐Icardsincludebothanon‐nullsubjectnameandsubjectalternativename.EachPIV‐IHardwarecertificateindicateswhetherornottheSubscriberisassociatedwithanAffiliatedOrganizationbytakingoneofthefollowingforms:
ForcertificateswithanAffiliatedOrganization:cn=Subscriber'sfullname,ou=AffiliatedOrganizationName,{BaseDN}
ForcertificateswithnoAffiliatedOrganization:cn=Subscriber'sfullname,ou=Unaffiliated,ou=EntityCA’sName,{BaseDN}
EachPIV‐IContentSigningcertificatealsoclearlyindicatestheorganizationadministeringtheCMS.PIV‐ICardAuthenticationsubscribercertificatedonotincludeaSubscribercommonname.EachPIV‐ICardAuthenticationcertificateindicateswhetherornottheSubscriberisassociatedwithanAffiliatedOrganizationbytakingoneofthefollowingforms:
ForcertificateswithanAffiliatedOrganization:serialNumber=UUID,ou=AffiliatedOrganizationName,{BaseDN}
ForcertificateswithnoAffiliatedOrganization:serialNumber=UUID,ou=Unaffiliated,ou=EntityCA’sName,{BaseDN}
TheUUIDisencodedwithintheserialNumberattributeusingtheUUIDstringrepresentationdefinedinSection3ofRFC4122(e.g.,"f81d4fae‐7dec‐11d0‐a765‐00a0c91e6bf6").ThesubjectnameineachEUQualifiedCertificatecomplieswithsection3.1.2ofRFC3739
11
3.1.2. NeedforNamestobeMeaningfulDigiCertusesdistinguishednamesthatidentifyboththeentity(i.e.person,organization,device,orobject)thatisthesubjectofthecertificateandtheentitythatistheissuerofthecertificate.DigiCertonlyallowsdirectoryinformationtreesthataccuratelyreflectorganizationstructures.
3.1.3. AnonymityorPseudonymityofSubscribersGenerally,DigiCertdoesnotissueanonymousorpseudonymouscertificates;however,forIDNs,DigiCertmayincludethePunycodeversionoftheIDNasasubjectname.DigiCertmayalsoissueotherpseudonymousend‐entitycertificatesprovidedthattheyarenotprohibitedbypolicyandanyapplicablenamespaceuniquenessrequirementsaremet.
3.1.4. RulesforInterpretingVariousNameFormsDistinguishedNamesincertificatesareinterpretedusingX.500standardsandASN.1syntax.SeeRFC2253andRFC2616forfurtherinformationonhowX.500distinguishednamesincertificatesareinterpretedasUniformResourceIdentifiersandHTTPreferences.
3.1.5. UniquenessofNamesTheuniquenessofeachsubjectnameinacertificateisenforcedasfollows:SSLServerCertificates Inclusionofthedomainnameinthe Certificate.Domainname
uniquenessiscontrolledbytheInternetCorporationforAssignedNamesandNumbers(ICANN).
ClientCertificates Requiringauniqueemailaddress ora uniqueorganizationnamecombined/associatedwithauniqueserialinteger.
IGTFandGrid‐onlyDeviceCertificates
Fordevicecertificates,anFQDNisincludedintheappropriatefields.Forothercertificates,DigiCertmayappendauniqueIDtoanamelistedinthecertificate.
CodeSigningCertificates(includingCDSCertificates)
Requiringauniqueorganizationnameandaddressorauniqueorganizationnamecombined/associatedwithauniqueserialinteger.
TimeStamping Requiringauniquehashandtimeoruniqueserialintegerassignedtothetimestamp
3.1.6. Recognition,Authentication,andRoleofTrademarksSubscribersmaynotrequestcertificateswithcontentthatinfringesontheintellectualpropertyrightsofanotherentity.UnlessotherwisespecificallystatedinthisCPS,DigiCertdoesnotverifyanApplicant’srighttouseatrademarkanddoesnotresolvetrademarkdisputes.DigiCertmayrejectanyapplicationorrequirerevocationofanycertificatethatispartofatrademarkdispute.
3.2. INITIALIDENTITYVALIDATIONDigiCertmayuseanylegalmeansofcommunicationorinvestigationtoascertaintheidentityofanorganizationalorindividualApplicant.DigiCertmayrefusetoissueaCertificateinitssolediscretion.
3.2.1. MethodtoProvePossessionofPrivateKeyDigiCertestablishesthattheApplicantholdsorcontrolsthePrivateKeycorrespondingtothePublicKeybyperformingsignatureverificationordecryptionondatapurportedtohavebeendigitallysignedorencryptedwiththePrivateKeybyusingthePublicKeyassociatedwiththecertificaterequest.
3.2.2. AuthenticationofOrganizationIdentityDVSSLServerCertificates DigiCertvalidatestheApplicant’srighttouseorcontrolthedomain
namesthatwillbelistedinthecertificateusingoneormoreofthefollowingprocedures:
1. RelyingonpubliclyavailablerecordsfromtheDomainNameRegistrar,suchasWHOISorotherDNSrecordinformation;
12
2. Communicatingwithoneofthefollowingemailaddresses:[email protected],[email protected],[email protected],hostmaster@domain,postmaster@domain,oranyaddresslistedinthetechnical,registrant,oradministrativecontactfieldofthedomain’sRegistrarrecord;
3. Requiringapracticaldemonstrationofdomaincontrol(e.g.,requiringtheApplicanttomakeaspecifiedchangetoaDNSzonefileoralivepageonthegivendomain);and/or
4. Adomainauthorizationletter,providedthelettercontainsthesignatureofanauthorizedrepresentativeofthedomainholder,adatethatisonorafterthecertificaterequest,alistoftheapprovedfully‐qualifieddomainname(s),andastatementgrantingtheApplicanttherighttousethedomainnamesinthecertificate.DigiCertalsocontactsthedomainnameholderusingareliablethird‐partydatasourcetoconfirmtheauthenticityofthedomainauthorizationletter;and/or
5. AsimilarprocedurethatoffersanequivalentlevelofassuranceintheApplicant’sownership,control,orrighttousetheDomainName.
DigiCertverifiesanincludedcountrycodeusing(a)theIPAddressrangeassignmentbycountryforeither(i)thewebsite’sIPaddress,asindicatedbytheDNSrecordforthewebsiteor(ii)theApplicant’sIPaddress;(b)theccTLDoftherequestedDomainName;or(c)informationprovidedbytheDomainNameRegistrar.
OVSSLServer,ObjectSigning,andDeviceCertificates(excludingdevicecertificatesissuedundertheGrid‐onlyarc)
DigiCertvalidatestheApplicant’srighttouseorcontroltheDomainName(s)thatwillbelistedintheCertificateusingtheDVSSLServerCertificatevalidationproceduresabove.DigiCertalsoverifiestheidentityandaddressoftheApplicantusing:
1. areliablethirdparty/governmentdatabasesorthroughcommunicationwiththeentityorjurisdictiongoverningtheorganization’slegalcreation,existence,orrecognition;
2. asitevisit;3. anattestationletterthatissignedbyanaccountant,
lawyer,governmentofficial,orotherreliablethirdparty;or
4. foraddressonly,autilitybill,bankstatement,creditcardstatement,taxdocument,orotherreliableformofidentification.
DigiCertverifiesanyDBAincludedinacertificateusingathirdpartyorgovernmentsource,attestationletter,orreliableformofidentification.
DevicecertificatesissuedundertheGrid‐onlyarc
AnRAorTrustedAgentvalidatestheapplicant’sinformationinaccordancewithanRPS(orsimilardocument)applicabletothecommunityofinterest.
EVSSLandEVCodeSigningCertificates
InformationconcerningorganizationidentityrelatedtotheissuanceofEVCertificatesisvalidatedinaccordancewiththeEVGuidelines.
Level1ClientCertificates‐Enterprise
DigiCertverifies organizationalcontrolovertheemaildomainusingauthenticationproceduressimilartothoseusedbyDigiCertwhen
13
establishingdomainownershipbyanorganizationbeforeissuanceofaDVorOVSSLServerCertificate.
Level2,3,and4ClientCertificates
Ifthecertificatecontainsorganizationinformation,DigiCertobtainsdocumentationfromtheorganizationsufficienttoconfirmthattheindividualhasanaffiliationwiththeorganizationnamedinthecertificate.
PIV‐I Forcertificate requests thatassertanorganizationalaffiliationbetweenahumansubscriberandanorganization,DigiCertverifiestheorganization’sidentityandlegalexistenceandtheorganizationisrequiredtoenterintoanagreementauthorizingorrecognizingthataffiliationandrequiringthattheorganizationrequestrevocationofthecertificatewhenthataffiliationends.
DigiCertmaintainsandutilizesascoringsystemtoflagcertificaterequeststhatpotentiallypresentahigherriskoffraud.Thosecertificaterequeststhatareflagged“highrisk”receiveadditionalscrutinyorverificationpriortoissuance,whichmayincludeobtainingadditionaldocumentationfromoradditionalcommunicationwiththeApplicant.BeforeissuinganSSLcertificatewithadomainnamethathasnotbeenpreviouslyverifiedaswithinthescopeofanRA’sorotherDelegatedThirdParty’salloweddomainnames,DigiCertestablishesthattheRAorDelegatedThirdPartyhastherighttousetheDomainNamebyindependentlyverifyingtheauthorizationwiththedomainowner,asdescribedabove,orbyusingotherreliablemeans,suchasperformingaDNSlookuptodeterminewhetherthereisamatchingDNSrecordthatpointstotheDelegatedThirdParty’sIPaddressordomainnamespace.DigiCertverifiestheorganizationname,address,legalexistence,andauthorizationforCAcertificatesthatcross‐certifywiththeFBCA.
3.2.3. AuthenticationofIndividualIdentityIfacertificatewillcontaintheidentityofanindividual,thenDigiCertoranRAvalidatestheidentityoftheindividualusingthefollowingprocedures:
Certificate ValidationOVSSLServerCertificatesandObjectSigningCertificates(issuedtoanindividual)
1. DigiCertortheRAobtainsa legiblecopy,whichdiscerniblyshowstheApplicant’sface,ofatleastonecurrentlyvalidgovernment‐issuedphotoID(passport,driver’slicense,militaryID,nationalID,orequivalentdocumenttype).DigiCertortheRAinspectsthecopyforanyindicationofalterationorfalsification.
2. DigiCertmayadditionallycross‐checktheApplicant’sname
andaddressforconsistencywithavailablethirdpartydatasources.
3. Iffurtherassuranceisrequired,thentheApplicantmust
provideanadditionalformofidentification,suchasrecentutilitybills,financialaccountstatements,creditcard,anadditionalIDcredential,orequivalentdocumenttype.
4. DigiCertortheRAconfirmsthattheApplicantisableto
receivecommunicationbytelephone,postalmail/courier,orfax.
IfDigiCertcannotverifytheApplicant’sidentityusingtheproceduresdescribedabove,thentheApplicantmustsubmita
14
DeclarationofIdentity thatiswitnessedandsignedbyaRegistrationAuthority,TrustedAgent,notary,lawyer,accountant,postalcarrier,oranyentitycertifiedbyaStateorNationalGovernmentasauthorizedtoconfirmidentities.
DeviceCertificateSponsors
Seesection3.2.3.3
EVCertificatesissuedtoabusinessentity
AsspecifiedintheEVGuidelines
Grid‐onlyCertificates EithertheRAresponsibleforthegridcommunityoraTrustedAgentobtainsanidentitydocumentduringaface‐to‐facemeetingwiththeApplicant,oraTrustedAgentatteststhattheApplicantispersonallyknowntotheTrustedAgent.TheRAmustretainsufficientinformationabouttheapplicant’sidentitytoproveuponDigiCert’srequestthattheapplicantwasproperlyidentified.
AuthenticationCertificates Theentitycontrollingthesecurelocationmustrepresentthatthecertificateholderisauthorizedtoaccessthelocation.
Level1ClientCertificates–Personal(emailcertificates)
DigiCertoranRAverifiesApplicant'scontroloftheemailaddressorwebsitelistedinthecertificate.
Level1ClientCertificates‐Enterprise
Anyoneofthefollowing:1. In‐personappearancebeforeapersonperformingidentity
proofingforaRegistrationAuthorityoraTrustedAgentwithpresentmentofanidentitycredential(e.g.,driver'slicenseorbirthcertificate).
2. Usingproceduressimilartothoseusedwhenapplyingforconsumercreditandauthenticatedthroughinformationinconsumercreditdatabasesorgovernmentrecords,suchas:a. theabilitytoplaceorreceivecallsfromagivennumber;orb. theabilitytoobtainmailsenttoaknownphysicaladdress.
3. Throughinformationderivedfromanongoingbusinessrelationshipwiththecredentialproviderorapartnercompany(e.g.,afinancialinstitution,airline,employer,orretailcompany).Acceptableinformationincludes:a. theabilitytoobtainmailatthebillingaddressusedinthe
businessrelationship;b. verificationofinformationestablishedinprevious
transactions(e.g.,previousordernumber);orc. theabilitytoplacecallsfromorreceivephonecallsata
phonenumberusedinpreviousbusinesstransactions.
4. AnymethodusedtoverifytheidentityofanApplicantforaLevel2,3,or4ClientCertificate.
Level2ClientCertificatesandIGTFClassic/MICSCertificates
TheCAoranRAconfirms that thefollowingareconsistentwiththeapplicationandsufficienttoidentifyauniqueindividual: (a) thenameonthegovernment‐issuedphoto‐IDreferencedbelow; (b) dateofbirth;and (c) currentaddressorpersonaltelephonenumber.
15
1. In‐personappearancebeforeapersonperformingidentityproofingforaRegistrationAuthorityoraTrustedAgent(orentitycertifiedbyastate,federal,ornationalentityasauthorizedtoconfirmidentities)withpresentmentofareliableformofcurrentgovernment‐issuedphotoID.
2. TheApplicantmustpossessavalid,current,government‐issued,
photoID.TheRegistrationAuthorityorTrustedAgentperformingidentityproofingmustobtainandreview,whichmaybethroughremoteverification,thefollowinginformationabouttheApplicant:(i)name,dateofbirth,andcurrentaddressortelephonenumber;(ii)serialnumberassignedtotheprimary,government‐issuedphotoID;and(iii)oneadditionalformofIDsuchasanothergovernment‐issuedID,anemployeeorstudentIDcardnumber,telephonenumber,afinancialaccountnumber(e.g.,checkingaccount,savingsaccount,loanorcreditcard),orautilityserviceaccountnumber(e.g.,electricity,gas,orwater)foranaddressmatchingtheapplicant’sresidence.Identityproofingthroughremoteverificationmayrelyondatabaserecordcheckswithanagent/institutionorthroughcreditbureausorsimilardatabases.
DigiCertoranRAmayconfirmanaddressbyissuingcredentialsinamannerthatconfirmstheaddressofrecordorbyverifyingknowledgeofrecentaccountactivityassociatedwiththeApplicant’saddressandmayconfirmatelephonenumberbysendingachallenge‐responseSMStextmessageorbyrecordingtheapplicant’svoiceduringacommunicationafterassociatingthetelephonenumberwiththeapplicantinrecordsavailabletoDigiCertortheRA.
3. WhereDigiCertoranRAhasacurrentandongoingrelationship
withtheApplicant,identitymaybeverifiedthroughtheexchangeofapreviouslyexchangedsharedsecret(e.g.,aPINorpassword)thatmeetsorexceedsNISTSP800‐63Level2entropyrequirements,providedthat:(a)identitywasoriginallyestablishedwiththedegreeofrigorequivalenttothatrequiredin1or2aboveusingagovernment‐issuedphoto‐ID,and(b)anongoingrelationshipexistssufficienttoensuretheApplicant’scontinuedpersonalpossessionofthesharedsecret.
4. Anyofthemethodsusedtoverifytheidentityofanapplicantfor
aDigiCertLevel3or4ClientCertificate.
Level3ClientCertificates
In‐personproofingbeforeanRA,TrustedAgent, oranentitycertifiedbyastate,federal,ornationalentitythatisauthorizedtoconfirmidentities.Theinformationmustbecollectedandstoredinasecuremanner.RequiredidentificationconsistsofoneunexpiredFederal/NationalGovernment‐issuedPictureI.D.(e.g.apassport),aREALID,ortwounexpiredNon‐FederalGovernmentI.D.s,oneofwhichmustbeaphotoI.D.(e.g.,driver’slicense).Thepersonperformingidentityproofingexaminesthecredentialsanddetermineswhethertheyareauthenticandunexpiredandcheckstheprovidedinformation(name,dateofbirth,andcurrent
16
address)toensurelegitimacy. TheApplicantsignsaDeclarationofIdentity,definedbelow,towhichthepersonperformingidentityproofingattests.DigiCertortheRAreviewsandkeepsarecordoftheDeclarationofIdentity.AtrustrelationshipbetweenanRAorTrustedAgentandtheapplicantthatisbasedonanin‐personantecedent(asdefinedinFBCASupplementaryAntecedent,In‐PersonDefinition)sufficesasmeetingthein‐personidentityproofingrequirementprovidedthat(1)itmeetsthethoroughnessandrigorofin‐personproofingdescribedabove,(2)supportingIDproofingartifactsexisttosubstantiatetheantecedentrelationship,and(3)mechanismsareinplacethatbindtheindividualtotheassertedidentity.TheidentityoftheApplicantmustbeestablishedbyin‐personproofingnoearlierthan30dayspriortoinitialcertificateissuance.
Level4ClientCertificates(BiometricIDcertificates)
In‐personproofingbeforeanRA,TrustedAgent, oranentitycertifiedbyastate,federal,ornationalentitythatisauthorizedtoconfirmidentities.AcertifiedentitymustforwardthecollectedinformationdirectlytoanRAinasecuremanner.TheApplicantmustsupplyoneunexpiredFederal/NationalGovernment‐issuedPictureI.D.(e.g.apassport),aREALID,ortwounexpiredNon‐FederalGovernmentI.D.s,oneofwhichmustbeaphotoI.D.(e.g.,driver’slicense).Theentitycollectingthecredentialsmustalsoobtainatleastoneformofbiometricdata(e.g.photographorfingerprints)toensurethattheApplicantcannotrepudiatetheapplication.ThepersonperformingidentityverificationforDigiCertortheRAexaminesthecredentialsforauthenticityandvalidity.TheApplicantsignsaDeclarationofIdentity,definedbelow,towhichthepersonperformingidentityproofingattests.DigiCertortheRAreviewsandkeepsarecordoftheDeclarationofIdentity.Useofanin‐personantecedentisnotallowed.TheidentityoftheApplicantmustbeestablishedbyin‐personproofingnoearlierthan30dayspriortoinitialcertificateissuance.Level4ClientCertificatesareissuedinamannerthatconfirmstheApplicant’saddress.
PIV‐ICertificates PIV‐IHardwarecertificatesare onlyissuedtohumansubscribers.ThefollowingbiometricdataiscollectedbyDigiCert,anRA,oraTrustedAgentduringtheidentityproofingandregistrationprocess:1. Anelectronicfacialimageusedforprintingfacialimageonthe
cardandforvisualauthenticationduringcardusage.Anewfacialimageiscollectedeachtimeacardisissued;and
2. Twoelectronicfingerprintsarestoredonthecardforautomatedauthenticationduringcardusage.
TheSubscribermustalsopresenttwoidentitysourcedocumentsinoriginalformthatcomefromthelistofacceptabledocumentsincludedinFormI‐9,OMBNo.1115‐0136,EmploymentEligibilityVerification.Atleastonedocumentmustbeavalid,unexpiredStateorFederalGovernment‐issuedpictureidentification(ID).ForPIV‐I,theuseofanin‐personantecedentisnotapplicable.Identityisestablishednomorethan30dayspriortoinitialcertificateissuance.
EUQualifiedCertificates Usingidentityandattributevalidationproceduresinaccordancewith
17
nationallaw.Evidenceofidentityischeckeddirectlyagainstaphysicalpersonorindirectlyusingmeanswhichprovidesequivalentassurancetophysicalpresence.
AcceptableformsofgovernmentIDincludeadriver'slicense,state‐issuedphotoIDcard,passport,nationalidentitycard,permanentresidentcard,trustedtravelercard,tribalID,militaryID,orsimilarphotoidentificationdocument.Acceptableformsofnon‐governmentIDincludeavoidedcheckfromacurrentcheckingaccount,recentutilitybillshowingApplicant’sname,address,andutilityaccountnumber,socialsecuritycard,orsimilardocument.ADeclarationofIdentityconsistsof:
1. theidentityofthepersonperformingtheverification;2. asigneddeclarationbytheverifyingpersonstatingthattheyverifiedtheidentityoftheSubscriberas
requiredusingtheformatsetforthat28U.S.C.1746(declarationunderpenaltyofperjury)orcomparableprocedureunderlocallaw,thesignatureonthedeclarationmaybeeitherahandwrittenordigitalsignatureusingacertificatethatisofequalorhigherlevelofassuranceasthecredentialbeingissued;
3. uniqueidentifyingnumber(s)fromtheApplicant’sidentificationdocument(s),orafacsimileoftheID(s);
4. thedateoftheverification;and5. adeclarationofidentitybytheApplicantthatissigned(inhandwritingorusingadigitalsignature
thatisofequivalentorhigherassurancethanthecredentialbeingissued)inthepresenceofthepersonperformingtheverificationusingtheformatsetforthat28U.S.C.1746(declarationunderpenaltyofperjury)orcomparableprocedureunderlocallaw.
Ifin‐personidentityverificationisrequiredandtheApplicantcannotparticipateinface‐to‐faceregistrationalone(e.g.becauseApplicantisanetworkdevice,minor,orpersonnotlegallycompetent),thentheApplicantmaybeaccompaniedbyapersonalreadycertifiedbythePKIorwhohastherequiredidentitycredentialsforacertificateofthesametypeappliedforbytheApplicant.ThepersonaccompanyingtheApplicant(i.e.the“Sponsor”)willpresentinformationsufficientforregistrationatthelevelofthecertificatebeingrequested,forhimselforherself,andfortheApplicant.Forin‐personidentityproofingatLevels3and4andforPIV‐I,DigiCertmayrelyonanentitycertifiedbyastate,federal,ornationalentityasauthorizedtoconfirmidentitiesmayperformtheauthenticationonbehalfoftheRA.ThecertifiedentityshouldforwardtheinformationcollectedfromtheapplicantdirectlytotheRAinasecuremanner.
3.2.3.1. Authentication for Role‐based Client Certificates DigiCertmayissuecertificatesthatidentifyaspecificrolethattheSubscriberholds,providedthattheroleidentifiesaspecificindividualwithinanorganization(e.g.,ChiefInformationOfficerisauniqueindividualwhereasProgramAnalystisnot).Theserole‐basedcertificatesareusedwhennon‐repudiationisdesired.DigiCertonlyissuesrole‐basedcertificatestoSubscriberswhofirstobtainanindividualSubscribercertificatethatisatthesameorhigherassurancelevelastherequestedrole‐basedcertificate.DigiCertmayissuecertificateswiththesameroletomultipleSubscribers.However,DigiCertrequiresthateachcertificatehaveauniquekeypair.Individualsmaynotsharetheirissuedrole‐basedcertificatesandarerequiredtoprotecttherole‐basedcertificateinthesamemannerasindividualcertificates.DigiCertverifiestheidentityoftheindividualrequestingarole‐basedcertificate(thesponsor)inaccordancewithSection3.2.3beforeissuingarole‐basedcertificate.ThesponsormustholdaDigiCert‐issuedclientindividualcertificateatthesameorhigherassurancelevelastherole‐basedcertificate.Ifthecertificateisapseudonymouscertificatecross‐certifiedwiththeFBCAthatidentifiessubjectsbytheirorganizationalroles,thenDigiCertoranRAvalidatesthattheindividualeitherholdsthatroleorhastheauthoritytosignonbehalfoftherole.IGTFandEUQualifiedCertificatesarenotissuedasrole‐basedcertificates.
18
3.2.3.2. Authentication for Group Client Certificates DigiCertissuesgroupcertificates(acertificatethatcorrespondstoaPrivateKeythatissharedbymultipleSubscribers)ifseveralentitiesareactinginonecapacityandifnon‐repudiationisnotrequired.DirectAddressCertificatesandDirectOrganizationalCertificatesareusedasgroupcertificatesconsistentwithapplicablerequirementsoftheDirectProgram.DigiCertortheRArecordstheinformationidentifiedinSection3.2.3forasponsorbeforeissuingagroupcertificate.ThesponsormustbeatleastanInformationSystemsSecurityOfficer(ISSO)oroftheequivalentrankorgreaterwithintheorganization.Thesponsorisresponsibleforensuringcontroloftheprivatekey.ThesponsormustmaintainandcontinuouslyupdatealistofSubscriberswithaccesstotheprivatekeyandaccountforthetimeperiodduringwhicheachSubscriberhadcontrolofthekey.GroupcertificatesmaylisttheidentityofanindividualinthesubjectNameDNprovidedthatthesubjectNameDNfieldalsoincludesatextstring,suchas“DirectGroupCert,”sothatthecertificatespecifiesthesubjectisagroupandnotasingleindividual.Clientcertificatesissuedinthiswaytoanorganizationarealwaysconsideredgroupclientcertificates.
3.2.3.3. Authentication of Devices with Human Sponsors DigiCertissuesLevel1,2,3or4ClientandFederatedDeviceCertificatesforuseoncomputingornetworkdevices,providedthattheentityowningthedeviceislistedasthesubject.Inallcases,thedevicehasahumansponsorwhoprovides:
1. Equipmentidentification(e.g.,serialnumber)orservicename(e.g.,DNSname),2. Equipmentpublickeys,3. Equipmentauthorizationsandattributes(ifanyaretobeincludedinthecertificate),and4. Contactinformation.
Ifthecertificate’ssponsorchanges,thenewsponsorisrequiredtoreviewthestatusofeachdevicetoensureitisstillauthorizedtoreceivecertificates.Eachsponsorisrequiredtoprovideproofthatthedeviceisstillunderthesponsor’scontrolorresponsibilityonrequest.SponsorsarecontractuallyobligatedtonotifyDigiCertiftheequipmentisnolongerinuse,nolongerundertheircontrolorresponsibility,ornolongerrequiresacertificate.Allregistrationisverifiedcommensuratewiththerequestedcertificatetype.
3.2.4. Non‐verifiedSubscriberInformationLevel1‐PersonalClientCertificatesareverifiedbyemail,andthecommonnameisnotverifiedasthelegalnameoftheSubscriber.DVSSLServerCertificatesdonotincludeaverifiedorganizationalidentity.SubjecttothedeprecationdatelistedinSection3.1.1,OVSSLCertificatesmaycontainapseudo‐domainforusewithintheSubscriber’sinternal,non‐public‐DNSnetworks.DigiCertdoesnotissueSSLcertificatestodomainnamesorIPaddressesthataSubscriberdoesnotlegitimatelyownorcontrol.DigiCertmayrelyontheSubscriber’sindicationofthehostorservernamethatformsthefullyqualifieddomainname.Anyothernon‐verifiedinformationincludedinacertificateisdesignatedassuchinthecertificate.UnverifiedinformationisneverincludedinaLevel2,Level,3,Level4,PIV‐I,ObjectSigning,EVSSL,FederatedDevice,orEUQualifiedCertificate.,
3.2.5. ValidationofAuthorityTheauthorizationofacertificaterequestisverifiedasfollows:
Certificate VerificationDVSSLServerCertificate Therequest isverifiedwithanauthorizedcontactlistedwiththe
DomainNameRegistrar,throughapersonwithcontroloverthedomain,orthroughanout‐of‐bandconfirmationwiththeapplicant.Apersonwithaccesstoonemoreofthefollowingemailaddressesisconsideredtohavecontroloverthedomain:[email protected],[email protected],[email protected],hostmaster@domain,postmaster@domain,oranyaddresslistedasacontactfieldofthedomain’sDomainNameRegistrarrecord.
19
OVSSLServerandFederatedDeviceCertificates
TherequestisverifiedinaccordancewithSection11.2.3oftheBaselineRequirementsusingareliablemethodofcommunication.
EVCertificates TherequestisverifiedinaccordancewiththeEVGuidelines.ObjectSigningCertificatesandAdobeSigningCertificates
Ifthecertificatenamesanorganization,therequester’scontactinformationisverifiedwithanauthoritativesourcewithintheapplicant’sorganizationusingareliablemethodofcommunication.Thecontactinformationisthenusedtoconfirmtheauthenticityofthecertificaterequest.
Level1ClientCertificates‐Personal(emailcertificates)
Therequestisverifiedthroughtheemailaddresslistedinthecertificate.
Level1ClientCertificates‐Enterprise(emailcertificates)
Therequestisverifiedwithapersonwhohastechnicaloradministrativecontroloverthedomainandtheemailaddresstobelistedinthecertificate.
ClientCertificatesLevels2,3and4andPIV‐ICertificates
TheorganizationnamedinthecertificateconfirmstoDigiCertoranRAthattheindividualisauthorizedtoobtainthecertificate.Theorganizationisrequiredtorequestrevocationofthecertificatewhenthataffiliationends.
DirectAddressandDirectOrganizationCertificates
Theentitynamedinthecertificateauthorizes aHISPtoorderthecertificateandusetherelatedprivatekeyontheentity’sbehalf.TheHISPISSOisresponsiblefortrackingaccesstoandensuringproperuseoftheprivatekey.
IGTFCertificates Anauthorizedindividualapprovesthecertificaterequest.Fordevicecertificates,theRAretainscontactinformationforeachdevice’sregisteredowner.ThedeviceownerisrequiredtonotifytheRAandrequestrevocationifthedevicesponsorisnolongerauthorizedtousethedeviceortheFQDNinthecertificate.
EUQualifiedCertificates DigiCertverifies thattheindividualisassociatedwiththeorganizationlistedinthecertificate(ifany)andthattheorganizationconsentedtotheissuanceofthecertificate.
AnorganizationmaylimitwhoisauthorizedtorequestcertificatesbysendingarequesttoDigiCert.ArequesttolimitauthorizedindividualsisnoteffectiveuntilapprovedbyDigiCert.DigiCertwillrespondtoanorganization’sverifiedrequestforDigiCert’slistofitsauthorizedrequesters.
3.3. IDENTIFICATIONANDAUTHENTICATIONFORRE‐KEYREQUESTS
3.3.1. IdentificationandAuthenticationforRoutineRe‐keySubscribersmayrequestre‐keyofacertificatepriortoacertificate’sexpiration.Afterreceivingarequestforre‐key,DigiCertcreatesanewcertificatewiththesamecertificatecontentsexceptforanewPublicKeyand,optionally,anextendedvalidityperiod.Ifthecertificatehasanextendedvalidityperiod,DigiCertmayperformsomerevalidationoftheApplicantbutmayalsorelyoninformationpreviouslyprovidedorobtained.Subscribersre‐establishtheiridentityasfollows:
Certificate RoutineRe‐KeyAuthentication Re‐VerificationRequiredDVandOVSSLServerandDeviceCertificates
Usernameandpassword Atleastevery39months
EVSSLCertificates Usernameandpassword AccordingtotheEVGuidelinesSubscriberEVCodeSigningCertificates
Usernameandpassword Atleastevery39months
SigningAuthorityEVCodeSigningCertificates
Usernameandpassword Atleastevery123months
20
TimestampEVCodeSigningCertificates
Usernameandpassword Atleastevery123months
ObjectSigningCertificates(includingAdobeSigningCertificates)
Usernameandpassword Atleasteverysixyears
Level1ClientCertificates Usernameandpassword AtleasteverynineyearsLevel2ClientCertificates Currentsignaturekeyormulti‐
factorauthenticationmeetingNISTSP800‐63Level3
Atleasteverynineyears
Level3and4ClientCertificatesandPIV‐ICertificates
Currentsignaturekeyormulti‐factorauthenticationmeetingNISTSP800‐63Level3
Atleasteverynineyears
FederatedDeviceandFederatedDevice‐hardware
Currentsignaturekeyormulti‐factorauthenticationmeetingNIST‐800‐63Level3
Atleasteverynineyears
IGTFCertificates Usernameandpassword,RAattestationaftercomparisonofidentitydocuments,re‐authenticatethroughanapprovedIdM,orthroughassociatedprivatekey
Atleastevery13months.However,certificatesassociatedwithaprivatekeyrestrictedsolelytoahardwaretokenmayberekeyedorrenewedforaperiodofupto5years
AuthenticationCertificates Usernameandpasswordorwithassociatedprivatekey
None
DigiCertdoesnotre‐keyacertificatewithoutadditionalauthenticationifdoingsowouldallowtheSubscribertousethecertificatebeyondthelimitsdescribedabove.
3.3.2. IdentificationandAuthenticationforRe‐keyAfterRevocationIfacertificatewasrevokedforanyreasonotherthanarenewal,update,ormodificationaction,thentheSubscribermustundergotheinitialregistrationprocesspriortorekeyingthecertificate.
3.4. IDENTIFICATIONANDAUTHENTICATIONFORREVOCATIONREQUESTDigiCertoranRAauthenticatesallrevocationrequests.DigiCertmayauthenticaterevocationrequestsbyreferencingtheCertificate’sPublicKey,regardlessofwhethertheassociatedPrivateKeyiscompromised.
4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS
4.1. CERTIFICATEAPPLICATION
4.1.1. WhoCanSubmitaCertificateApplicationEithertheApplicantoranindividualauthorizedtorequestcertificatesonbehalfoftheApplicantmaysubmitcertificaterequests.ApplicantsareresponsibleforanydatathattheApplicantoranagentoftheApplicantsuppliestoDigiCert.EVCertificaterequestsmustbesubmittedbyanauthorizedCertificateRequesterandapprovedbyaCertificateApprover.Thecertificaterequestmustbeaccompaniedbyasigned(inwritingorelectronically)SubscriberAgreementfromaContractSigner.DigiCertdoesnotissuecertificatestoentitiesonagovernmentdeniedlistmaintainedbytheUnitedStatesorthatislocatedinacountrywithwhichthelawsoftheUnitedStatesprohibitdoingbusiness.
4.1.2. EnrollmentProcessandResponsibilitiesInnoparticularorder,theenrollmentprocessincludes:
1. Submittingacertificateapplication,
21
2. Generatingakeypair,3. DeliveringthepublickeyofthekeypairtoDigiCert,4. AgreeingtotheapplicableSubscriberAgreement,and5. Payinganyapplicablefees.
4.2. CERTIFICATEAPPLICATIONPROCESSING
4.2.1. PerformingIdentificationandAuthenticationFunctionsAfterreceivingacertificateapplication,DigiCertoranRAverifiestheapplicationinformationandotherinformationinaccordancewithSection3.2.IfanRAassistsintheverification,theRAmustcreateandmaintainrecordssufficienttoestablishthatithasperformeditsrequiredverificationtasksandcommunicatethecompletionofsuchperformancetoDigiCert.Afterverificationiscomplete,DigiCertevaluatesthecorpusofinformationanddecideswhetherornottoissuethecertificate.Aspartofthisevaluation,DigiCertchecksthecertificateagainstaninternaldatabaseofpreviouslyrevokedcertificatesandrejectedcertificaterequeststoidentifysuspiciouscertificaterequests.IfsomeorallofthedocumentationusedtosupportanapplicationisinalanguageotherthanEnglish,aDigiCertemployee,RA,oragentskilledinthelanguageperformsthefinalcross‐correlationandduediligence.DigiCertconsidersasource’savailability,purpose,andreputationwhendeterminingwhetherathirdpartysourceisreasonablyreliable.DigiCertdoesnotconsideradatabase,source,orformofidentificationreasonablyreliableifDigiCertortheRAisthesolesourceoftheinformation.
4.2.2. ApprovalorRejectionofCertificateApplicationsDigiCertrejectsanycertificateapplicationthatDigiCertoranRAcannotverify.DigiCertmayalsorejectacertificateapplicationifDigiCertbelievesthatissuingthecertificatecoulddamageordiminishDigiCert’sreputationorbusiness.ExceptforEnterpriseEVCertificates,EVCertificateissuanceapprovalrequirestwoseparateDigiCertvalidationspecialists.ThesecondvalidationspecialistcannotbethesameindividualwhocollectedthedocumentationandoriginallyapprovedtheEVCertificate.Thesecondvalidationspecialistreviewsthecollectedinformationanddocumentsanydiscrepanciesordetailsthatrequirefurtherexplanation.Thesecondvalidationspecialistmayrequireadditionalexplanationsanddocumentspriortoauthorizingthecertificate’sissuance.EnterpriseRAsmayperformthefinalcross‐correlationandduediligencedescribedhereinusingasinglepersonrepresentingtheEnterpriseRA.Ifsatisfactoryexplanationsand/oradditionaldocumentsarenotreceivedwithinareasonabletime,DigiCertwillrejecttheEVCertificaterequestandnotifytheApplicantaccordingly.IfthecertificateapplicationisnotrejectedandissuccessfullyvalidatedinaccordancewiththisCPS,DigiCertwillapprovethecertificateapplicationandissuethecertificate.DigiCertisnotliableforanyrejectedcertificateandisnotobligatedtodisclosethereasonsforarejection.RejectedApplicantsmayre‐apply.Subscribersarerequiredtocheckthecertificate’scontentsforaccuracypriortousingthecertificate.
4.2.3. TimetoProcessCertificateApplicationsUndernormalcircumstances,DigiCertverifiesanApplicant’sinformationandissuesadigitalcertificatewithinareasonabletimeframe.IssuancetimeframesaregreatlydependentonwhentheApplicantprovidesthedetailsanddocumentationnecessarytocompletevalidation.Fornon‐EVSSLcertificates,DigiCertwillusuallycompletethevalidationprocessandissueorrejectacertificateapplicationwithintwoworkingdaysafterreceivingallofthenecessarydetailsanddocumentationfromtheApplicant,althougheventsoutsideofthecontrolofDigiCertcandelaytheissuanceprocess.
22
4.3. CERTIFICATEISSUANCE
4.3.1. CAActionsduringCertificateIssuanceDigiCertconfirmsthesourceofacertificaterequestbeforeissuance.DigiCertdoesnotissueendentitycertificatesdirectlyfromitsrootcertificates.DatabasesandCAprocessesoccurringduringcertificateissuanceareprotectedfromunauthorizedmodification.Afterissuanceiscomplete,thecertificateisstoredinadatabaseandsenttotheSubscriber.
4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificateDigiCertmaydelivercertificatesinanysecuremannerwithinareasonabletimeafterissuance.Generally,DigiCertdeliverscertificatesviaemailtotheemailaddressdesignatedbytheSubscriberduringtheapplicationprocess.
4.4. CERTIFICATEACCEPTANCE
4.4.1. ConductConstitutingCertificateAcceptanceSubscribersaresolelyresponsibleforinstallingtheissuedcertificateontheSubscriber’scomputerorhardwaresecuritymodule.Certificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii)30daysafterthecertificate’sissuance.
4.4.2. PublicationoftheCertificatebytheCADigiCertpublishesallCAcertificatesinitsrepository.DigiCertpublishesend‐entitycertificatesbydeliveringthemtotheSubscriber.
4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’sissuanceiftheRAwasinvolvedintheissuanceprocess.
4.5. KEYPAIRANDCERTIFICATEUSAGE
4.5.1. SubscriberPrivateKeyandCertificateUsageSubscribersarecontractuallyobligatedtoprotecttheirPrivateKeysfromunauthorizeduseordisclosure,discontinueusingaPrivateKeyafterexpirationorrevocationoftheassociatedcertificate,anduseCertificatesinaccordancewiththeirintendedpurpose.
4.5.2. RelyingPartyPublicKeyandCertificateUsageRelyingPartiesmayonlyusesoftwarethatiscompliantwithX.509,IETFRFCs,andotherapplicablestandards.DigiCertdoesnotwarrantthatanythirdpartysoftwarewillsupportorenforcethecontrolsandrequirementsfoundherein.
ARelyingPartyshouldusediscretionwhenrelyingonacertificateandshouldconsiderthetotalityofthecircumstancesandriskoflosspriortorelyingonacertificate.Ifthecircumstancesindicatethatadditionalassurancesarerequired,theRelyingPartymustobtainsuchassurancesbeforeusingthecertificate.AnywarrantiesprovidedbyDigiCertareonlyvalidifaRelyingParty’sreliancewasreasonableandiftheRelyingPartyadheredtotheRelyingPartyAgreementsetforthintheDigiCertrepository.ARelyingPartyshouldrelyonadigitalsignatureorSSL/TLShandshakeonlyif:
1. thedigitalsignatureorSSL/TLSsessionwascreatedduringtheoperationalperiodofavalidcertificateandcanbeverifiedbyreferencingavalidcertificate,
2. thecertificateisnotrevokedandtheRelyingPartycheckedtherevocationstatusofthecertificatepriortothecertificate’susebyreferringtotherelevantCRLsorOCSPresponses,and
3. thecertificateisbeingusedforitsintendedpurposeandinaccordancewiththisCPS.
23
Beforerelyingonatime‐stamptoken,aRelyingPartymust:1. verifythatthetime‐stamptokenhasbeencorrectlysignedandthatthePrivateKeyusedtosignthe
time‐stamptokenhasnotbeencompromisedpriortothetimeoftheverification,2. takeintoaccountanylimitationsontheusageofthetime‐stamptokenindicatedbythetime‐stamp
policy,and3. takeintoaccountanyotherprecautionsprescribedinthisCPSorelsewhere.
4.6. CERTIFICATERENEWAL
4.6.1. CircumstanceforCertificateRenewalDigiCertmayrenewacertificateif:
1. theassociatedpublickeyhasnotreachedtheendofitsvalidityperiod,2. theSubscriberandattributesareconsistent,and3. theassociatedprivatekeyremainsuncompromised.
DigiCertmayalsorenewacertificateifaCAcertificateisre‐keyedorasotherwisenecessarytoprovideservicestoacustomer.DigiCertmaynotifySubscriberspriortoacertificate’sexpirationdate.Certificaterenewalrequirespaymentofadditionalfees.
4.6.2. WhoMayRequestRenewalOnlythecertificatesubjectoranauthorizedrepresentativeofthecertificatesubjectmayrequestrenewaloftheSubscriber’scertificates.Forcertificatescross‐certifiedwiththeFBCA,renewalrequestsareonlyacceptedfromcertificatesubjects,PKIsponsors,orRAs.DigiCertmayrenewacertificatewithoutacorrespondingrequestifthesigningcertificateisre‐keyed.
4.6.3. ProcessingCertificateRenewalRequestsRenewalapplicationrequirementsandproceduresaregenerallythesameasthoseusedduringthecertificate’soriginalissuance.DigiCertmayelecttoreusepreviouslyverifiedinformationinitssolediscretionbutwillrefreshanyinformationthatisolderthantheperiodsspecifiedinSection3.3.1.DigiCertmayrefusetorenewacertificateifitcannotverifyanyrecheckedinformation.Ifanindividualisrenewingaclientcertificateandtherelevantinformationhasnotchanged,thenDigiCertdoesnotrequireanyadditionalidentityvetting. Somedeviceplatforms,e.g.Apache,allowreneweduseofthePrivateKey.IfthePrivateKeyanddomaininformationhasnotchanged,theSubscribermayrenewtheSSLcertificateusingapreviouslyissuedcertificateorprovidedCSR.
4.6.4. NotificationofNewCertificateIssuancetoSubscriberDigiCertmaydeliverthecertificateinanysecurefashion,typicallybyemailorbyprovidingtheSubscriberahypertextlinktoauserid/password‐protectedlocationwherethesubscribermayloginanddownloadthecertificate.
4.6.5. ConductConstitutingAcceptanceofaRenewalCertificateRenewedcertificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii)30daysafterthecertificate’srenewal.
4.6.6. PublicationoftheRenewalCertificatebytheCADigiCertpublishesarenewedcertificatebydeliveringittotheSubscriber.RenewedCAcertificatesarepublishedinDigiCert’srepository.
4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’srenewaliftheRAwasinvolvedintheissuanceprocess.
24
4.7. CERTIFICATERE‐KEY
4.7.1. CircumstanceforCertificateRekeyRe‐keyingacertificateconsistsofcreatinganewcertificatewithanewpublickeyandserialnumberwhilekeepingthesubjectinformationthesame.Thenewcertificatemayhaveadifferentvaliditydate,keyidentifiers,CRLandOCSPdistributionpoints,andsigningkey.Afterre‐keyingacertificate,aPIV‐Icertificate,orafederateddevicecertificate,DigiCertmayrevoketheoldcertificatebutmaynotfurtherre‐key,renew,ormodifythepreviouscertificate.Subscribersrequestingre‐keyshouldidentifyandauthenticatethemselvesaspermittedbysection3.3.1.
4.7.2. WhoMayRequestCertificateRekeyDigiCertwillonlyacceptre‐keyrequestsfromthesubjectofthecertificateorthePKIsponsor.DigiCertmayinitiateacertificatere‐keyattherequestofthecertificatesubjectorinDigiCert’sowndiscretion.
4.7.3. ProcessingCertificateRekeyRequestsDigiCertwillonlyacceptre‐keyrequestsfromthesubjectofthecertificateorthePKIsponsor.IfthePrivateKeyandanyidentityanddomaininformationinacertificatehavenotchanged,thenDigiCertcanissueareplacementcertificateusingapreviouslyissuedcertificateorpreviouslyprovidedCSR.DigiCertre‐usesexistingverificationinformationunlessre‐verificationandauthenticationisrequiredundersection3.3.1orifDigiCertbelievesthattheinformationhasbecomeinaccurate.
4.7.4. NotificationofCertificateRekeytoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeafterthecertificateissues.
4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificateIssuedcertificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii)30daysafterthecertificateisrekeyed.
4.7.6. PublicationoftheIssuedCertificatebytheCADigiCertpublishesrekeyedcertificatesbydeliveringthemtoSubscribers.
4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’srekeyiftheRAwasinvolvedintheissuanceprocess.
4.8. CERTIFICATEMODIFICATION
4.8.1. CircumstancesforCertificateModificationModifyingacertificatemeanscreatinganewcertificateforthesamesubjectwithauthenticatedinformationthatdiffersslightlyfromtheoldcertificate(e.g.,changestoemailaddressornon‐essentialpartsofnamesorattributes)providedthatthemodificationotherwisecomplieswiththisCPS.Thenewcertificatemayhavethesameoradifferentsubjectpublickey.Aftermodifyingacertificatethatiscross‐certifiedwiththeFBCA,DigiCertmayrevoketheoldcertificatebutwillnotfurtherre‐key,renew,ormodifytheoldcertificate.
4.8.2. WhoMayRequestCertificateModificationDigiCertmodifiescertificatesattherequestofcertaincertificatesubjectsorinitsowndiscretion.DigiCertdoesnotmakecertificatemodificationservicesavailabletoallSubscribers.
4.8.3. ProcessingCertificateModificationRequestsAfterreceivingarequestformodification,DigiCertverifiesanyinformationthatwillchangeinthemodifiedcertificate.DigiCertwillonlyissuethemodifiedcertificateaftercompletingtheverificationprocessonallmodifiedinformation.DigiCertwillnotissueamodifiedcertificatethathasavalidityperiodthatexceedstheapplicabletimelimitsfoundinsection3.3.1or6.3.2.
25
4.8.4. NotificationofCertificateModificationtoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeafterthecertificateissues.
4.8.5. ConductConstitutingAcceptanceofaModifiedCertificateIssuedcertificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii)30daysafterthecertificateisrekeyed.
4.8.6. PublicationoftheModifiedCertificatebytheCADigiCertpublishesmodifiedcertificatesbydeliveringthemtoSubscribers.
4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’smodificationiftheRAwasinvolvedintheissuanceprocess.
4.9. CERTIFICATEREVOCATIONANDSUSPENSION
4.9.1. CircumstancesforRevocationRevocationofacertificatepermanentlyendstheoperationalperiodofthecertificatepriortothecertificatereachingtheendofitsstatedvalidityperiod.Priortorevokingacertificate,DigiCertverifiestheidentityandauthorityoftheentityrequestingrevocation.DigiCertmayrevokeanycertificateinitssolediscretion,includingifDigiCertbelievesthat:
1. TheSubscriberrequestedrevocationofitscertificate;2. TheSubscriberdidnotauthorizetheoriginalcertificaterequestanddidnotretroactivelygrant
authorization;3. EitherthePrivateKeyassociatedwiththecertificateorthePrivateKeyusedtosignthecertificate
wascompromisedormisused;4. TheSubscriberbreachedamaterialobligationundertheCP,theCPS,ortherelevantSubscriber
Agreement;5. EithertheSubscriber’sorDigiCert’sobligationsundertheCPorCPSaredelayedorpreventedby
circumstancesbeyondtheparty’sreasonablecontrol,includingcomputerorcommunicationfailure,and,asaresult,anotherentity’sinformationismateriallythreatenedorcompromised;
6. TheSubscriber,sponsor,orotherentitythatwasissuedthecertificatehaslostitsrightstoaname,trademark,device,IPaddress,domainname,orotherattributethatwasassociatedwiththecertificate;
7. Awildcardcertificatewasusedtoauthenticateafraudulentlymisleadingsubordinatedomainname;8. ThecertificatewasnotissuedinaccordancewiththeCP,CPS,orapplicableindustrystandards;9. DigiCertreceivedalawfulandbindingorderfromagovernmentorregulatorybodytorevokethe
certificate;10. DigiCertceasedoperationsanddidnotarrangeforanothercertificateauthoritytoprovide
revocationsupportforthecertificates;11. DigiCert'srighttomanagecertificatesunderapplicableindustrystandardswasterminated(unless
arrangementshavebeenmadetocontinuerevocationservicesandmaintaintheCRL/OCSPRepository);
12. AnyinformationappearingintheCertificatewasorbecameinaccurateormisleading;13. ThetechnicalcontentorformatoftheCertificatepresentsanunacceptablerisktoapplication
softwarevendors,RelyingParties,orothers;14. TheSubscriberwasaddedasadeniedpartyorprohibitedpersontoablacklistorisoperatingfroma
destinationprohibitedunderthelawsoftheUnitedStates;15. ForAdobeSigningCertificates,Adobehasrequestedrevocation;or16. Forcode‐signingcertificates,thecertificatewasusedtosign,publish,ordistributemalware,code
thatisdownloadedwithoutuserconsent,orotherharmfulcontent.DigiCertalwaysrevokesacertificateifthebindingbetweenthesubjectandthesubject’spublickeyinthecertificateisnolongervalidorifanassociatedPrivateKeyiscompromised.
26
DigiCertwillrevokeacross‐certificateifthecross‐certifiedentity(includingDigiCert)nolongermeetsthestipulationsofthecorrespondingpolicies,asindicatedbypolicyOIDslistedinthepolicymappingextensionofthecross‐certificate.
4.9.2. WhoCanRequestRevocationAnyappropriatelyauthorizedparty,suchasarecognizedrepresentativeofasubscriberorcross‐signedpartner,mayrequestrevocationofacertificate.DigiCertmayrevokeacertificatewithoutreceivingarequestandwithoutreason.Thirdpartiesmayrequestcertificaterevocationforproblemsrelatedtofraud,misuse,orcompromise.Certificaterevocationrequestsmustidentifytheentityrequestingrevocationandspecifythereasonforrevocation.
4.9.3. ProcedureforRevocationRequestDigiCertprocessesarevocationrequestasfollows:
1. DigiCertlogstheidentityofentitymakingtherequestorproblemreportandthereasonforrequestingrevocation.DigiCertmayalsoincludeitsownreasonsforrevocationinthelog.
2. DigiCertmayrequestconfirmationoftherevocationfromaknownadministrator,whereapplicable,viaout‐of‐bandcommunication(e.g.,telephone,fax,etc.).
3. IftherequestisauthenticatedasoriginatingfromtheSubscriber,DigiCertrevokesthecertificate.4. Forrequestsfromthirdparties,DigiCertpersonnelbegininvestigatingtherequestwithin24hours
afterreceiptanddecidewhetherrevocationisappropriatebasedonthefollowingcriteria:a. thenatureoftheallegedproblem,b. thenumberofreportsreceivedaboutaparticularcertificateorwebsite,c. theidentityofthecomplainants(forexample,complaintsfromalawenforcementofficial
thatawebsiteisengagedinillegalactivitieshavemoreweightthanacomplaintfromaconsumerallegingtheyneverreceivedthegoodstheyordered),and
d. relevantlegislation.5. IfDigiCertdeterminesthatrevocationisappropriate,DigiCertpersonnelrevokethecertificateand
updatetheCRL.DigiCertmaintainsacontinuous24/7abilitytointernallyrespondtoanyhighpriorityrevocationrequests.Ifappropriate,DigiCertforwardscomplaintstolawenforcement.WheneveraPIV‐ICardisnolongervalid,theRAresponsibleforitsissuanceormaintenanceisrequiredtocollectthePIV‐ICardfromtheSubscriberassoonaspossibleanddestroythePIV‐ICard.TheRAmustlogthecollectionandphysicaldestructionofeachPIV‐ICard.
4.9.4. RevocationRequestGracePeriodSubscribersarerequiredtorequestrevocationwithinonedayafterdetectingthelossorcompromiseofthePrivateKey.DigiCertmaygrantandextendrevocationgraceperiodsonacase‐by‐casebasis.DigiCertreportsthesuspectedcompromiseofitsCAprivatekeyandrequestsrevocationtoboththepolicyauthorityandoperatingauthorityofthesuperiorissuingCAwithinonehourofdiscovery.
4.9.5. TimewithinwhichCAMustProcesstheRevocationRequestDigiCertwillrevokeaCAcertificatewithinonehourafterreceivingclearinstructionsfromtheDCPA.Othercertificatesarerevokedasquicklyaspracticalaftervalidatingtherevocationrequest,generallywithinthefollowingtimeframes:
1. Certificaterevocationrequestsforpublicly‐trustedcertificatesareprocessedwithin18hoursaftertheirreceipt,
2. RevocationrequestsreceivedtwoormorehoursbeforeCRLissuanceareprocessedbeforethenextCRLispublished,and
3. RevocationrequestsreceivedwithintwohoursofCRLissuanceareprocessedbeforethefollowingCRLispublished.
27
4.9.6. RevocationCheckingRequirementforRelyingPartiesPriortorelyingoninformationlistedinacertificate,aRelyingPartymustconfirmthevalidityofeachcertificateinthecertificatepathinaccordancewithIETFPKIXstandards,includingcheckingforcertificatevalidity,issuer‐to‐subjectnamechaining,policyandkeyuseconstraints,andrevocationstatusthroughCRLsorOCSPrespondersidentifiedineachcertificateinthechain.
4.9.7. CRLIssuanceFrequencyDigiCertusesitsofflinerootCAstopublishCRLsforitsintermediateCAsatleastevery6months.ForanofflineCAthathasbeencross‐signedbytheFederalBridgeCAandonlyissuesCAcertificates,certificate‐status‐checkingcertificates,orinternaladministrativecertificates,DigiCertissuesaCRLatleastevery31days.AllotherCRLsarepublishedatleastevery24hours.IfaCertificateisrevokedforreasonofkeycompromise,aninterimCRLispublishedassoonasfeasible,butnolaterthan18hoursafterreceiptofthenoticeofkeycompromise.
4.9.8. MaximumLatencyforCRLsCRLsforcertificatesissuedtoendentitysubscribersarepostedautomaticallytotheonlinerepositorywithinacommerciallyreasonabletimeaftergeneration,usuallywithinminutesofgeneration.Irregular,interim,oremergencyCRLsarepostedwithinfourhoursaftergenerationandwithin18hoursofdeterminingoftheoccurrenceofakeycompromise.RegularlyscheduledCRLsarepostedpriortothenextUpdatefieldinthepreviouslyissuedCRLofthesamescope.
4.9.9. On‐lineRevocation/StatusCheckingAvailabilityDigiCertmakescertificatestatusinformationavailableviaOCSPforSSLandPIV‐Icertificates.OCSPmaynotbeavailableforotherkindsofcertificates.WhereOCSPsupportisrequiredbytheapplicableCP,OCSPresponsesareprovidedwithinacommerciallyreasonabletimeandnolaterthansixsecondsaftertherequestisreceived,subjecttotransmissionlatenciesovertheInternet.
4.9.10. On‐lineRevocationCheckingRequirementsArelyingpartymustconfirmthevalidityofacertificateinaccordancewithsection4.9.6priortorelyingonthecertificate.
4.9.11. OtherFormsofRevocationAdvertisementsAvailableNostipulation.
4.9.12. SpecialRequirementsRelatedtoKeyCompromiseDigiCertusescommerciallyreasonableeffortstonotifypotentialRelyingPartiesifitdiscoversorsuspectsthecompromiseofaPrivateKey.DigiCertwilltransitionanyrevocationreasoncodeinaCRLto“keycompromise”upondiscoveryofsuchreasonorasrequiredbyanapplicableCP.Ifacertificateisrevokedbecauseofcompromise,DigiCertwillissueanewCRLwithin18hoursafterreceivingnoticeofthecompromise.
4.9.13. CircumstancesforSuspensionNotapplicable.
4.9.14. WhoCanRequestSuspensionNotapplicable.
4.9.15. ProcedureforSuspensionRequestNotapplicable.
4.9.16. LimitsonSuspensionPeriodNotapplicable.
28
4.10. CERTIFICATESTATUSSERVICES
4.10.1. OperationalCharacteristicsCertificatestatusinformationisavailableviaCRLandOCSPresponder.TheserialnumberofarevokedcertificateremainsontheCRLuntiloneadditionalCRLispublishedaftertheendofthecertificate’svalidityperiod,exceptforrevokedEVCodeSigningCertificates,whichremainontheCRLforatleast365daysfollowingthecertificate’svalidityperiod.OCSPinformationforsubscribercertificatesisupdatedatleasteveryfourdays.OCSPinformationforsubordinateCAcertificatesisupdatedatleastevery12monthsandwithin24hoursafterrevokingthecertificate.
4.10.2. ServiceAvailabilityCertificatestatusservicesareavailable24x7withoutinterruption.
4.10.3. OptionalFeaturesOCSPRespondersmaynotbeavailableforallcertificatetypes.
4.11. ENDOFSUBSCRIPTIONASubscriber’ssubscriptionserviceendsifitscertificateexpiresorisrevokedoriftheapplicableSubscriberAgreementexpireswithoutrenewal.
4.12. KEYESCROWANDRECOVERY
4.12.1. KeyEscrowandRecoveryPolicyPractices
DigiCertneverescrowsCAPrivateKeys.DigiCertmayescrowSubscriberkeymanagementkeystoprovidekeyrecoveryservices.DigiCertencryptsandprotectsescrowedPrivateKeysusingthesameorahigherlevelofsecurityasusedtogenerateanddeliverthePrivateKey.ASubscriber’sprivatesignaturekeysarenotescrowedexceptasallowedbyothersupersedingpoliciesoragreementsamongSubscribers,RelyingParties,andescrowagents.DigiCertallowsSubscribersandotherauthorizedentitiestorecoverescrowed(decryption)PrivateKeys.DigiCertusesmulti‐personcontrolsduringkeyrecoverytopreventunauthorizedaccesstoaSubscriber’sescrowedPrivateKeys.DigiCertacceptskeyrecoveryrequests:
1. FromtheSubscriberorSubscriber’sorganization,iftheSubscriberhaslostordamagedtheprivate
keytoken;
2. FromtheSubscriber’sorganization,iftheSubscriberisnotavailableorisnolongerpartofthe
organizationthatcontractedwithDigiCertforPrivateKeyescrow;
3. Fromanauthorizedinvestigatororauditor,ifthePrivateKeyispartofarequiredinvestigationor
audit;
4. Fromarequesterauthorizedbyacompetentlegalauthoritytoaccessthecommunicationthatis
encryptedusingthekey;
5. Fromarequesterauthorizedbylaworgovernmentalregulation;or
6. FromanentitycontractingwithDigiCertforescrowofthePrivateKeywhenkeyrecoveryismission
criticalormissionessential.
EntitiesusingDigiCert’skeyescrowservicesarerequiredto:
1. NotifySubscribersthattheirPrivateKeysareescrowed;2. Protectescrowedkeysfromunauthorizeddisclosure;3. ProtectanyauthenticationmechanismsthatcouldbeusedtorecoverescrowedPrivateKeys;4. Releaseanescrowedkeyonlyaftermakingorreceiving(asapplicable)aproperlyauthorizedrequest
forrecovery;and5. Complywithanylegalobligationstodiscloseorkeepconfidentialescrowedkeys,escrowedkey‐
relatedinformation,orthefactsconcerninganykeyrecoveryrequestorprocess.
29
4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices
Nostipulation.
5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS
5.1. PHYSICALCONTROLS
5.1.1. SiteLocationandConstructionDigiCertperformsitsCAandTSAoperationsfromsecureandgeographicallydiversecommercialdatacenters.ThedatacentersareequippedwithlogicalandphysicalcontrolsthatmakeDigiCert’sCAandTSAoperationsinaccessibletonon‐trustedpersonnel.DigiCertoperatesunderasecuritypolicydesignedtodetect,deter,andpreventunauthorizedaccesstoDigiCert'soperations.
5.1.2. PhysicalAccessDigiCertprotectsitsequipment(includingcertificatestatusserversandCMSequipmentcontainingPIV‐IContentSigningkeys)fromunauthorizedaccessandimplementsphysicalcontrolstoreducetheriskofequipmenttampering.ThesecurepartsofDigiCertCAhostingfacilitiesareprotectedusingphysicalaccesscontrolsmakingthemaccessibleonlytoappropriatelyauthorizedindividuals.
Accesstosecureareasofthebuildingsrequirestheuseofan"access"or"pass"card.Thebuildingsareequippedwithmotiondetectingsensors,andtheexteriorandinternalpassagewaysofthebuildingsareunderconstantvideosurveillance.DigiCertsecurelystoresallremovablemediaandpapercontainingsensitiveplain‐textinformationrelatedtoitsCAoperationsinsecurecontainersinaccordancewithitsDataClassificationPolicy.
5.1.2.1. Data Center ThedatacenterswhereDigiCert’sCAandTSAsystemsoperatehavesecuritypersonnelondutyfulltime(24hoursperday,365daysperyear).AccesstothedatacentershousingtheCAandTSAplatformsrequirestwo‐factorauthentication—theindividualmusthaveanauthorizedaccesscardandpassbiometricaccesscontrolauthenticators.Thesebiometricauthenticationaccesssystemslogeachuseoftheaccesscard.DigiCertdeactivatesandsecurelystoresitsCAequipmentwhennotinuse.Activation data must either be memorized or recorded and stored in a manner commensurate with the security afforded the cryptographic module. Activation data is never stored with the cryptographic module or removable hardware associated with equipment used to administer DigiCert’s private keys.Cryptographichardwareincludesamechanismtolockthehardwareafteracertainnumberoffailedloginattempts.The DigiCert data centers are continuously attended. However,ifDigiCerteverbecomesawarethatadatacenteristobeleftunattendedorhasbeenleftunattendedforanextendedperiodoftime,DigiCertpersonnelwillperformasecuritycheckofthedatacentertoverifythat:
1. DigiCert’sequipmentisinastateappropriatetothecurrentmodeofoperation,2. Anysecuritycontainersareproperlysecured,3. Physicalsecuritysystems(e.g.,doorlocks)arefunctioningproperly,and4. Theareaissecuredagainstunauthorizedaccess.
DigiCert’sadministratorsareresponsibleformakingthesechecksandmustsignoffthatallnecessaryphysicalprotectionmechanismsareinplaceandactivated.Theidentityoftheindividualmakingthecheckislogged.
5.1.2.2. Support and Vetting Room Controlledaccessandkeyed‐lockdoorssecurethesupportandvettingroomswhereDigiCertpersonnelperformidentityvettingandotherRAfunctions.Accesscarduseisloggedbythebuildingsecuritysystem.Theroomisequippedwithmotion‐activatedvideosurveillancecameras.
30
5.1.3. PowerandAirConditioningDatacentershaveprimaryandsecondarypowersuppliesthatensurecontinuousanduninterruptedaccesstoelectricpower.Uninterruptedpowersupplies(UPS)anddieselgeneratorsprovideredundantbackuppower.DigiCertmonitorscapacitydemandsandmakesprojectionsaboutfuturecapacityrequirementstoensurethatadequateprocessingpowerandstorageareavailable.
DigiCert’sdatacenterfacilitiesusemultipleload‐balancedHVACsystemsforheating,cooling,andairventilationthroughperforated‐tileraisedflooringtopreventoverheatingandtomaintainasuitablehumiditylevelforsensitivecomputersystems.
5.1.4. WaterExposuresThecabinetshousingDigiCert'sCAandTSAsystemsarelocatedonraisedflooring,andthedatacentersareequippedwithmonitoringsystemstodetectexcessmoisture.
5.1.5. FirePreventionandProtectionThedatacentersareequippedwithfiresuppressionmechanisms.
5.1.6. MediaStorageDigiCertprotectsitsmediafromaccidentaldamageandunauthorizedphysicalaccess.Backupfilesarecreatedonadailybasis.Onaweeklybasis,backupmediaareremovedandstoredinabackuplocationthatisseparatefromDigiCert’sprimaryfacility.
5.1.7. WasteDisposalAllunnecessarycopiesofprintedsensitiveinformationareshreddedon‐sitebeforedisposal.Allelectronicmediaarezeroized(alldataisoverwrittenwithbinaryzerossoastopreventtherecoveryofthedata)usingprogramsmeetingU.S.DepartmentofDefenserequirements.
5.1.8. Off‐siteBackupDigiCertmaintainsatleastonefullbackupandmakesregularbackupcopiesofanyinformationnecessarytorecoverfromasystemfailure.Onatleastaweeklybasis,DigiCertmovesmediadesignatedforstorageoff‐sitetoasafedepositboxlocatedinsideafederallyinsuredfinancialinstitution.BackupcopiesofCAPrivateKeysandactivationdataarestoredoff‐siteinlocationsthatareaccessibleonlybytrustedpersonnel.
5.1.9. CertificateStatusHosting,CMSandExternalRASystemsAllphysicalcontrolrequirementsunderSection5.1applyequallytoanyCertificateStatusHosting,CMS,orexternalRAsystem.
5.2. PROCEDURALCONTROLS
5.2.1. TrustedRolesPersonnelactingintrustedrolesincludeCA,TSA,andRAsystemadministrationpersonnel,andpersonnelinvolvedwithidentityvettingandtheissuanceandrevocationofcertificates.ThefunctionsanddutiesperformedbypersonsintrustedrolesaredistributedsothatonepersonalonecannotcircumventsecuritymeasuresorsubvertthesecurityandtrustworthinessofthePKIorTSAoperations.AllpersonnelintrustedrolesmustbefreefromconflictsofinterestthatmightprejudicetheimpartialityoftheDigiCertPKI’soperations.Trustedrolesareappointedbyseniormanagement.Alistofpersonnelappointedtotrustedrolesismaintainedandreviewedannually.PersonsactingintrustedrolesareonlyallowedtoaccessaCMSaftertheyareauthenticatedusingamethodcommensuratewithissuanceandcontrolofPIV‐IHardware.
31
5.2.1.1. CA Administrators TheCAAdministratorinstallsandconfigurestheCAsoftware,includingkeygeneration,keybackup,andkeymanagement.TheCAAdministratorperformsandsecurelystoresregularsystembackupsoftheCAsystem.AdministratorsdonotissuecertificatestoSubscribers.
5.2.1.2. CA Officers – CMS, RA, Validation and Vetting Personnel TheCAOfficerroleisresponsibleforissuingandrevokingcertificates,includingenrollment,identityverification,andcompliancewithrequiredissuanceandrevocationstepssuchasmanagingthecertificaterequestqueueandcompletingcertificateapprovalchecklistsasidentityvettingtasksaresuccessfullycompleted.
5.2.1.3. System Administrators/ System Engineers (Operator) TheSystemAdministrator/SystemEngineerinstallsandconfiguressystemhardware,includingservers,routers,firewalls,andnetworkconfigurations.TheSystemAdministrator/SystemEngineeralsokeepsCA,CMSandRAsystemsupdatedwithsoftwarepatchesandothermaintenanceneededforsystemstabilityandrecoverability.
5.2.1.4. Internal Auditors InternalAuditorsareresponsibleforreviewing,maintaining,andarchivingauditlogsandperformingoroverseeinginternalcomplianceauditstodetermineifDigiCert,anIssuerCA,orRAisoperatinginaccordancewiththisCPSoranRA’sRegistrationPracticesStatement.
5.2.2. NumberofPersonsRequiredperTaskDigiCertrequiresthatatleasttwopeopleactinginatrustedrole(onetheCAAdministratorandtheothernotanInternalAuditor)takeactionrequiringatrustedrole,suchasactivatingDigiCert’sPrivateKeys,generatingaCAkeypair,orbackingupaDigiCertprivatekey.TheInternalAuditormayservetofulfilltherequirementofmultipartycontrolforphysicalaccesstotheCAsystembutnotlogicalaccess.NosingleindividualhasthecapabilitytoissueaPIV‐Icredential.
5.2.3. IdentificationandAuthenticationforeachRoleAllpersonnelarerequiredtoauthenticatethemselvestoCA,TSA,andRAsystemsbeforetheyareallowedaccesstosystemsnecessarytoperformtheirtrustedroles.
5.2.4. RolesRequiringSeparationofDutiesRolesrequiringaseparationofdutiesinclude:
1. Thoseperformingauthorizationfunctionssuchastheverificationofinformationincertificateapplicationsandapprovalsofcertificateapplicationsandrevocationrequests,
2. Thoseperformingbackups,recording,andrecordkeepingfunctions;3. Thoseperformingaudit,review,oversight,orreconciliationfunctions;and4. ThoseperformingdutiesrelatedtoCA/TSAkeymanagementorCA/TSAadministration.
Toaccomplishthisseparationofduties,DigiCertspecificallydesignatesindividualstothetrustedrolesdefinedinSection5.2.1above.DigiCertappointsindividualstoonlyoneoftheOfficer,Administrator,Operator,orAuditorroles.DigiCert’ssystemsidentifyandauthenticateindividualsactingintrustedroles,restrictanindividualfromassumingmultipleroles,andpreventanyindividualfromhavingmorethanoneidentity.
5.3. PERSONNELCONTROLS
5.3.1. Qualifications,Experience,andClearanceRequirementsTheDCPAisresponsibleandaccountableforDigiCert’sPKIoperationsandensurescompliancewiththisCPSandtheCP.DigiCert’spersonnelandmanagementpracticesprovidereasonableassuranceofthetrustworthinessandcompetenceofitsemployeesandofthesatisfactoryperformanceoftheirduties.All
32
trustedrolesforCAsissuingFederatedDeviceCertificates,ClientCertificatesatLevels3‐USand4‐US(whichareintendedforinteroperabilitythroughtheFederalBridgeCAatid‐fpki‐certpcy‐mediumAssuranceandid‐fpki‐certpcy‐mediumHardware),andPIV‐ICertificatesareheldbycitizensoftheUnitedStates.AnindividualperformingatrustedroleforanRAmaybeacitizenofthecountrywheretheRAislocated.Thereisnocitizenshiprequirementforpersonnelperformingtrustedrolesassociatedwiththeissuanceofotherkindsofcertificates.Managementandoperationalsupportpersonnelinvolvedintime‐stampoperationspossessexperiencewithinformationsecurityandriskassessmentandknowledgeoftime‐stampingtechnology,digitalsignaturetechnology,mechanismsforcalibrationoftimestampingclockswithUTC,andsecurityprocedures.TheDCPAensuresthatallindividualsassignedtotrustedroleshavetheexperience,qualifications,andtrustworthinessrequiredtoperformtheirdutiesunderthisCPS.
5.3.2. BackgroundCheckProceduresDigiCertverifiestheidentityofeachemployeeappointedtoatrustedroleandperformsabackgroundcheckpriortoallowingsuchpersontoactinatrustedrole.DigiCertrequireseachindividualtoappearin‐personbeforeahumanresourcesemployeewhoseresponsibilityitistoverifyidentity.Thehumanresourcesemployeeverifiestheindividual’sidentityusinggovernment‐issuedphotoidentification(e.g.,passportsand/ordriver’slicensesreviewedpursuanttoU.S.CitizenshipandImmigrationServicesFormI‐9,EmploymentEligibilityVerification,orcomparableprocedureforthejurisdictioninwhichtheindividual’sidentityisbeingverified).Backgroundchecksincludeemploymenthistory,education,characterreferences,socialsecuritynumber,previousresidences,drivingrecordsandcriminalbackground.Checksofpreviousresidencesareoverthepastthreeyears.Allotherchecksareforthepreviousfiveyears.Thehighesteducationdegreeobtainedisverifiedregardlessofthedateawarded.Backgroundchecksarerefreshedatleasteverytenyears.
5.3.3. TrainingRequirementsDigiCertprovidesskillstrainingtoallemployeesinvolvedinDigiCert’sPKIandTSAoperations.Thetrainingrelatestotheperson’sjobfunctionsandcovers:
1. basicPublicKeyInfrastructure(PKI)knowledge,2. softwareversionsusedbyDigiCert,3. authenticationandverificationpoliciesandprocedures,4. DigiCertsecurityprincipalsandmechanisms,5. disasterrecoveryandbusinesscontinuityprocedures,6. commonthreatstothevalidationprocess,includingphishingandothersocialengineeringtactics,
and7. applicableindustryandgovernmentguidelines.
Trainingisprovidedviaamentoringprocessinvolvingseniormembersoftheteamtowhichtheemployeebelongs.DigiCertmaintainsrecordsofwhoreceivedtrainingandwhatleveloftrainingwascompleted.ValidationSpecialistsmusthavetheminimumskillsnecessarytosatisfactorilyperformvalidationdutiesbeforebeinggrantedvalidationprivileges.AllValidationSpecialistsarerequiredtopassaninternalexaminationontheEVGuidelinesandtheBaselineRequirementspriortovalidatingandapprovingtheissuanceofcertificates.Wherecompetenceisdemonstratedinlieuoftraining,DigiCertmaintainssupportingdocumentation.
5.3.4. RetrainingFrequencyandRequirementsEmployeesmustmaintainskilllevelsthatareconsistentwithindustry‐relevanttrainingandperformanceprogramsinordertocontinueactingintrustedroles.DigiCertmakesallemployeesactingintrustedrolesawareofanychangestoDigiCert’soperations.IfDigiCert’soperationschange,DigiCertwillprovidedocumentedtraining,inaccordancewithanexecutedtrainingplan,toallemployeesactingintrustedroles.
5.3.5. JobRotationFrequencyandSequenceNostipulation.
33
5.3.6. SanctionsforUnauthorizedActionsDigiCertemployeesandagentsfailingtocomplywiththisCPS,whetherthroughnegligenceormaliciousintent,aresubjecttoadministrativeordisciplinaryactions,includingterminationofemploymentoragencyandcriminalsanctions.Ifapersoninatrustedroleiscitedbymanagementforunauthorizedorinappropriateactions,thepersonwillbeimmediatelyremovedfromthetrustedrolependingmanagementreview.Aftermanagementhasreviewedanddiscussedtheincidentwiththeemployeeinvolved,managementmayreassignthatemployeetoanon‐trustedroleordismisstheindividualfromemploymentasappropriate.
5.3.7. IndependentContractorRequirementsIndependentcontractorswhoareassignedtoperformtrustedrolesaresubjecttothedutiesandrequirementsspecifiedforsuchrolesinthisSection5.3andaresubjecttosanctionsstatedaboveinSection5.3.6.
5.3.8. DocumentationSuppliedtoPersonnelPersonnelintrustedrolesareprovidedwiththedocumentationnecessarytoperformtheirduties,includingacopyoftheCP,thisCPS,EVGuidelines,andothertechnicalandoperationaldocumentationneededtomaintaintheintegrityofDigiCert'sCAoperations.Personnelarealsogivenaccesstoinformationoninternalsystemsandsecuritydocumentation,identityvettingpoliciesandprocedures,discipline‐specificbooks,treatisesandperiodicals,andotherinformation.
5.4. AUDITLOGGINGPROCEDURES
5.4.1. TypesofEventsRecordedDigiCert’ssystemsrequireidentificationandauthenticationatsystemlogonwithauniqueusernameandpassword.Importantsystemactionsareloggedtoestablishtheaccountabilityoftheoperatorswhoinitiatesuchactions.DigiCertenablesallessentialeventauditingcapabilitiesofitsCAandTSAapplicationsinordertorecordtheeventslistedbelow.IfDigiCert’sapplicationscannotautomaticallyrecordanevent,DigiCertimplementsmanualprocedurestosatisfytherequirements.Foreachevent,DigiCertrecordstherelevant(i)dateandtime,(ii)typeofevent,(iii)successorfailure,and(iv)userorsystemthatcausedtheeventorinitiatedtheaction.DigiCertrecordstheprecisetimeofanysignificantTSAevents.AlleventrecordsareavailabletoauditorsasproofofDigiCert’spractices.
AuditableEventSECURITYAUDITAnychangestotheauditparameters,e.g.,auditfrequency,typeofeventauditedAnyattempttodeleteormodifytheauditlogsAUTHENTICATIONTOSYSTEMSSuccessfulandunsuccessfulattemptstoassumearoleThevalueofmaximumnumberofauthenticationattemptsischangedMaximumnumberofauthenticationattemptsoccurduringuserloginAnadministratorunlocksanaccountthathasbeenlockedasaresultofunsuccessfulauthenticationattemptsAnadministratorchangesthetypeofauthenticator,e.g.,fromapasswordtoabiometricLOCALDATAENTRYAllsecurity‐relevantdatathatisenteredinthesystemREMOTEDATAENTRYAllsecurity‐relevantmessagesthatarereceivedbythesystemDATAEXPORTANDOUTPUTAllsuccessfulandunsuccessfulrequestsforconfidentialandsecurity‐relevantinformationKEYGENERATIONWheneveraCAgeneratesakey(notmandatoryforsinglesessionorone‐timeusesymmetric
34
AuditableEventkeys)PRIVATEKEYLOADANDSTORAGETheloadingofComponentPrivateKeysAllaccesstocertificatesubjectPrivateKeysretainedwithintheCAforkeyrecoverypurposesTRUSTEDPUBLICKEYENTRY,DELETIONANDSTORAGESECRETKEYSTORAGEThemanualentryofsecretkeysusedforauthenticationPRIVATEANDSECRETKEYEXPORTTheexportofprivateandsecretkeys(keysusedforasinglesessionormessageareexcluded)CERTIFICATEREGISTRATIONAllcertificaterequests,includingissuance,re‐key,renewal,andrevocationCertificateissuanceVerificationactivitiesCERTIFICATEREVOCATIONAllcertificaterevocationrequestsCERTIFICATESTATUSCHANGEAPPROVALANDREJECTIONCACONFIGURATIONAnysecurity‐relevantchangestotheconfigurationofaCAsystemcomponentACCOUNTADMINISTRATIONRolesandusersareaddedordeletedTheaccesscontrolprivilegesofauseraccountorarolearemodifiedCERTIFICATEPROFILEMANAGEMENTAllchangestothecertificateprofileREVOCATIONPROFILEMANAGEMENTAllchangestotherevocationprofileCERTIFICATEREVOCATIONLISTPROFILEMANAGEMENTAllchangestothecertificaterevocationlistprofileGenerationofCRLsandOCSPentriesTIMESTAMPINGClocksynchronizationMISCELLANEOUSAppointmentofanindividualtoaTrustedRoleDesignationofpersonnelformultipartycontrolInstallationofanOperatingSystem,PKIApplication,orHardwareSecurityModule RemovalorDestructionofHSMsSystemStartupLogonattemptstoPKIApplicationReceiptofhardware/softwareAttemptstosetormodifypasswordsBackuporrestorationoftheinternalCAdatabaseFilemanipulation(e.g.,creation,renaming,moving)PostingofanymaterialtoarepositoryAccesstotheinternalCAdatabaseAllcertificatecompromisenotificationrequestsLoadingHSMswithCertificatesShipmentofHSMsZeroizingHSMsRe‐keyoftheComponentCONFIGURATIONCHANGESHardwareSoftware
35
AuditableEventOperatingSystemPatchesSecurityProfilesPHYSICALACCESS/SITESECURITYPersonnelaccesstosecureareahousingCAorTSAcomponentAccesstoaCAorTSAcomponentKnownorsuspectedviolationsofphysicalsecurityFirewallandrouteractivitiesANOMALIESSystemcrashesandhardwarefailuresSoftwareerrorconditionsSoftwarecheckintegrityfailuresReceiptofimpropermessagesandmisroutedmessagesNetworkattacks(suspectedorconfirmed)EquipmentfailureElectricalpoweroutagesUninterruptiblePowerSupply(UPS)failureObviousandsignificantnetworkserviceoraccessfailuresViolationsofaCPSResettingOperatingSystemclock
5.4.2. FrequencyofProcessingLogAtleastonceeverytwomonths,aDigiCertadministratorreviewsthelogsgeneratedbyDigiCert’ssystems,makessystemandfileintegritychecks,andconductsavulnerabilityassessment.Theadministratormayperformthechecksusingautomatedtools.Duringthesechecks,theadministrator(1)checkswhetheranyonehastamperedwiththelog,(2)scansforanomaliesorspecificconditions,includinganyevidenceofmaliciousactivity,and(3)preparesawrittensummaryofthereview.Anyanomaliesorirregularitiesfoundinthelogsareinvestigated.ThesummariesincluderecommendationstoDigiCert’soperationsmanagementcommitteeandaremadeavailabletoDigiCert'sauditorsuponrequest.DigiCertdocumentsanyactionstakenasaresultofareview.
5.4.3. RetentionPeriodforAuditLogDigiCertretainsauditlogson‐siteuntilaftertheyarereviewed.TheindividualswhoremoveauditlogsfromDigiCert’sCAsystemsaredifferentthantheindividualswhocontrolDigiCert’ssignaturekeys.
5.4.4. ProtectionofAuditLogCAauditloginformationisretainedonequipmentuntilafteritiscopiedbyasystemadministrator.DigiCert’sCAandTSAsystemsareconfiguredtoensurethat(i)onlyauthorizedpeoplehavereadaccesstologs,(ii)onlyauthorizedpeoplemayarchiveauditlogs,and(iii)auditlogsarenotmodified.Auditlogsareprotectedfromdestructionpriortotheendoftheauditlogretentionperiodandareretainedsecurelyon‐siteuntiltransferredtoabackupsite.DigiCert’soff‐sitestoragelocationisasafeandsecurelocationthatisseparatefromthelocationwherethedatawasgenerated.DigiCertmakestime‐stampingrecordsavailablewhenrequiredtoproveinalegalproceedingthatDigiCert’stime‐stampingservicesareoperatingcorrectly.Auditlogsaremadeavailabletoauditorsuponrequest.
5.4.5. AuditLogBackupProceduresDigiCertmakesregularbackupcopiesofauditlogsandauditlogsummariesandsendsacopyoftheauditlogoff‐siteonamonthlybasis.
36
5.4.6. AuditCollectionSystem(internalvs.external)Automaticauditprocessesbeginonsystemstartupandendatsystemshutdown.Ifanautomatedauditsystemfailsandtheintegrityofthesystemorconfidentialityoftheinformationprotectedbythesystemisatrisk,DigiCert’sAdministratorswillconsidersuspendingitsoperationuntiltheproblemisremedied.
5.4.7. NotificationtoEvent‐causingSubjectNostipulation.
5.4.8. VulnerabilityAssessmentsDigiCertperformsannualriskassessmentsthatidentifyandassessreasonablyforeseeableinternalandexternalthreatsthatcouldresultinunauthorizedaccess,disclosure,misuse,alteration,ordestructionofanycertificatedataorcertificateissuanceprocess.DigiCertalsoroutinelyassessesthesufficiencyofthepolicies,procedures,informationsystems,technology,andotherarrangementsthatDigiCerthasinplacetocontrolsuchrisks.DigiCert’sInternalAuditorsreviewthesecurityauditdatachecksforcontinuityandwillalerttheappropriatepersonnelofanyevents,suchasrepeatedfailedactions,requestsforprivilegedinformation,attemptedaccessofsystemfiles,andunauthenticatedresponses.
5.5. RECORDSARCHIVALDigiCert complies with all record retention policies that apply by law. DigiCert includes sufficient detail in all archived records to show that a certificate or time-stamp token was issued in accordance with this CPS.
5.5.1. TypesofRecordsArchivedDigiCertretainsthefollowinginformationinitsarchives(assuchinformationpertainstoDigiCert’sCA/TSAoperations):
1. AccreditationsofDigiCert,2. CPandCPSversions,3. ContractualobligationsandotheragreementsconcerningtheoperationoftheCA/TSA,4. Systemandequipmentconfigurations,modifications,andupdates,5. Rejectionoracceptanceofacertificaterequest,6. Certificateissuance,rekey,renewal,andrevocationrequests,7. SufficientidentityauthenticationdatatosatisfytheidentificationrequirementsofSection3.2,
includinginformationabouttelephonecallsmadeforverificationpurposes,8. Anydocumentationrelatedtothereceiptoracceptanceofacertificateortoken,9. SubscriberAgreements,10. Issuedcertificates,11. Arecordofcertificatere‐keys,12. CRLandOCSPentries,13. Dataorapplicationsnecessarytoverifyanarchive’scontents,14. Complianceauditorreports,15. ChangestoDigiCert’sauditparameters,16. Anyattempttodeleteormodifyauditlogs,17. Keygeneration,destruction,storage,backup,andrecovery,18. AccesstoPrivateKeysforkeyrecoverypurposes,19. ChangestotrustedPublicKeys,20. ExportofPrivateKeys,21. Approvalorrejectionofacertificatestatuschangerequest,22. Appointmentofanindividualtoatrustedrole,23. Destructionofacryptographicmodule,24. Certificatecompromisenotifications,25. Remedialactiontakenasaresultofviolationsofphysicalsecurity,and26. ViolationsoftheCPorCPS.
37
5.5.2. RetentionPeriodforArchiveDigiCertretainsarchiveddataassociatedwithLevel3orLevel4,federateddevice,andPIV‐Icertificatesforatleast10.5years.DigiCert,ortheRAsupportingissuance,archivesdataforothercertificatetypesforatleast7.5years.
5.5.3. ProtectionofArchiveArchiverecordsarestoredatasecureoff‐sitelocationandaremaintainedinamannerthatpreventsunauthorizedmodification,substitution,ordestruction.ArchivesarenotreleasedexceptasallowedbytheDCPAorasrequiredbylaw.DigiCertmaintainsanysoftwareapplicationrequiredtoprocessthearchivedatauntilthedataiseitherdestroyedortransferredtoanewermedium.IfDigiCertneedstotransferanymediatoadifferentarchivesiteorequipment,DigiCertwillmaintainbotharchivedlocationsand/orpiecesofequipmentuntilthetransferarecomplete.Alltransferstonewarchiveswilloccurinasecuremanner.
5.5.4. ArchiveBackupProceduresOnasemi‐annualbasis,DigiCertcreatesanarchivediskofthedatalistedinsection5.5.1bygroupingthedatatypestogetherbysourceintoseparate,compressedarchivefiles.Eacharchivefileishashedtoproducechecksumsthatarestoredseparatelyforintegrityverificationatalaterdate.DigiCertstoresthearchivediskinasecureoff‐sitelocationforthedurationofthesetretentionperiod.RAscreateandstorearchivedrecordsinaccordancewiththeapplicabledocumentationretentionpolicy.
5.5.5. RequirementsforTime‐stampingofRecordsDigiCertautomaticallytime‐stampsarchivedrecordswithsystemtime(non‐cryptographicmethod)astheyarecreated.DigiCertsynchronizesitssystemtimeatleasteveryeighthoursusingarealtimevaluedistributedbyarecognizedUTC(k)laboratoryorNationalMeasurementInstitute.Certificateissuanceistime‐stampedasafunctionofthe"ValidFrom"fieldinaccordancewiththeX.509CertificateProfile.Certificaterevocationistime‐stampedasafunctionofthe"RevocationDate"fieldinaccordancewiththeX.509CertificateRevocationListProfile.
5.5.6. ArchiveCollectionSystem(internalorexternal)ArchiveinformationiscollectedinternallybyDigiCert.
5.5.7. ProcedurestoObtainandVerifyArchiveInformationDetailsconcerningthecreationandstorageofarchiveinformationarefoundinsection5.5.4.AfterreceivingarequestmadeforaproperpurposebyaCustomer,itsagent,orapartyinvolvedinadisputeoveratransactioninvolvingtheDigiCertPKI,DigiCertmayelecttoretrievetheinformationfromarchival.Theintegrityofarchiveinformationisverifiedbycomparingahashofthecompressedarchivefilewiththefilechecksumoriginallystoredforthatfile,asdescribedinSection5.5.4.DigiCertmayelecttotransmittherelevantinformationviaasecureelectronicmethodorcourier,oritmayalsorefusetoprovidetheinformationinitsdiscretionandmayrequirepriorpaymentofallcostsassociatedwiththedata.
5.6. KEYCHANGEOVERKeychangeoverproceduresenablethesmoothtransitionfromexpiringCAcertificatestonewCAcertificates.TowardstheendofaCAPrivateKey’slifetime,DigiCertceasesusingtheexpiringCAPrivateKeytosigncertificatesandusestheoldPrivateKeyonlytosignCRLsandOCSPrespondercertificates.AnewCAsigningkeypairiscommissionedandallsubsequentlyissuedcertificatesandCRLsaresignedwiththenewprivatesigningkey.Boththeoldandthenewkeypairsmaybeconcurrentlyactive.ThiskeychangeoverprocesshelpsminimizeanyadverseeffectsfromCAcertificateexpiration.ThecorrespondingnewCAPublicKeycertificateisprovidedtosubscribersandrelyingpartiesthroughthedeliverymethodsdetailedinSection6.1.4.WhereDigiCerthascross‐certifiedanotherCAthatisintheprocessofakeyrollover,DigiCertobtainsanewCApublickey(PKCS#10)ornewCAcertificatefromtheotherCAanddistributesanewCAcrosscertificatefollowingtheproceduresdescribedabove.
38
5.7. COMPROMISEANDDISASTERRECOVERY
5.7.1. IncidentandCompromiseHandlingProceduresDigiCertmaintainsincidentresponseprocedurestoguidepersonnelinresponsetosecurityincidents,naturaldisasters,andsimilareventsthatmaygiverisetosystemcompromise.DigiCertreviews,tests,andupdatesitsincidentresponseplansandproceduresonatleastanannualbasis.
5.7.2. ComputingResources,Software,and/orDataAreCorruptedDigiCertmakesregularsystembackupsonatleastaweeklybasisandmaintainsbackupcopiesofitsPrivateKeys,whicharestoredinasecure,off‐sitelocation.IfDigiCertdiscoversthatanyofitscomputingresources,software,ordataoperationshavebeencompromised,DigiCertassessesthethreatsandrisksthatthecompromisepresentstotheintegrityorsecurityofitsoperationsorthoseofaffectedparties.IfDigiCertdeterminesthatacontinuedoperationcouldposeasignificantrisktoRelyingPartiesorSubscribers,DigiCertsuspendssuchoperationuntilitdeterminesthattheriskismitigated.
5.7.3. EntityPrivateKeyCompromiseProceduresIfDigiCertsuspectsthatoneofitsPrivateKeyshasbeencomprisedorlostthenanemergencyresponseteamwillconveneandassessthesituationtodeterminethedegreeandscopeoftheincidentandtakeappropriateaction.Specifically,DigiCertwill:
1. Collectinformationrelatedtotheincident;2. Begininvestigatingtheincidentanddeterminethedegreeandscopeofthecompromise;3. Haveitsincidentresponseteamdetermineandreportonthecourseofactionorstrategythatshould
betakentocorrecttheproblemandpreventreoccurrence;4. Ifappropriate,contactgovernmentagencies,lawenforcement,andotherinterestedpartiesand
activateanyotherappropriateadditionalsecuritymeasures;5. IfthecompromiseinvolvesaPrivateKeyusedtosigntime‐stamptokens,provideadescriptionofthe
compromisetoSubscribersandRelyingParties;6. Notifyanycross‐certifiedentitiesofthecompromisesothattheycanrevoketheircross‐certificates;7. Makeinformationavailablethatcanbeusedtoidentifywhichcertificatesandtime‐stamptokensare
affected,unlessdoingsowouldbreachtheprivacyofaDigiCertuserorthesecurityofDigiCert’sservices;
8. Monitoritssystem,continueitsinvestigation,ensurethatdataisstillbeingrecordedasevidence,andmakeaforensiccopyofdatacollected;
9. Isolate,contain,andstabilizeitssystems,applyinganyshort‐termfixesneededtoreturnthesystemtoanormaloperatingstate;
10. Prepareandcirculateanincidentreportthatanalyzesthecauseoftheincidentanddocumentsthelessonslearned;and
11. IncorporatelessonslearnedintotheimplementationoflongtermsolutionsandtheIncidentResponsePlan.
DigiCertmaygenerateanewkeypairandsignanewcertificate.IfadisasterphysicallydamagesDigiCert’sequipmentanddestroysallcopiesofDigiCert’ssignaturekeysthenDigiCertwillprovidenoticetoaffectedpartiesattheearliestfeasibletime.
5.7.4. BusinessContinuityCapabilitiesafteraDisasterTomaintaintheintegrityofitsservices,DigiCertimplementsdatabackupandrecoveryproceduresaspartofitsBusinessContinuityManagementPlan(BCMP).StatedgoalsoftheBCMParetoensurethatcertificatestatusservicesbeonlyminimallyaffectedbyanydisasterinvolvingDigiCert’sprimaryfacilityandthatDigiCertbecapableofmaintainingotherservicesorresumingthemasquicklyaspossiblefollowingadisaster.DigiCertreviews,tests,andupdatestheBCMPandsupportingproceduresatleastannually.DigiCert'ssystemsareredundantlyconfiguredatitsprimaryfacilityandaremirroredataseparate,geographicallydiverselocationforfailoverintheeventofadisaster.IfadisastercausesDigiCert’sprimary
39
CAorTSAoperationstobecomeinoperative,DigiCertwillre‐initiateitsoperationsatitssecondarylocationgivingprioritytotheprovisionofcertificatestatusinformationandtimestampingcapabilities,ifaffected.
5.8. CAORRATERMINATIONBeforeterminatingitsCAorTSAactivities,DigiCertwill:
1. Providenoticeandinformationabouttheterminationbysendingnoticebyemailtoitscustomers,ApplicationSoftwareVendors,andcross‐certifyingentitiesandbypostingsuchinformationonDigiCert’swebsite;and
2. Transferallresponsibilitiestoaqualifiedsuccessorentity.Ifaqualifiedsuccessorentitydoesnotexist,DigiCertwill:
1. transferthosefunctionscapableofbeingtransferredtoareliablethirdpartyandarrangetopreserveallrelevantrecordswithareliablethirdpartyoragovernment,regulatory,orlegalbodywithappropriateauthority;
2. revokeallcertificatesthatarestillun‐revokedorun‐expiredonadateasspecifiedinthenoticeandpublishfinalCRLs;
3. destroyallPrivateKeys;and4. makeothernecessaryarrangementsthatareinaccordancewiththisCPS.
DigiCerthasmadearrangementstocoverthecostsassociatedwithfulfillingtheserequirementsincaseDigiCertbecomesbankruptorisunabletocoverthecosts.Anyrequirementsofthissectionthatarevariedbycontractapplyonlythecontractingparties.
6. TECHNICALSECURITYCONTROLS
6.1. KEYPAIRGENERATIONANDINSTALLATION
6.1.1. KeyPairGenerationAllkeysmustbegeneratedusingaFIPS‐approvedmethodorequivalentinternationalstandard.DigiCert'sCAkeypairsaregeneratedbymultipletrustedindividualsactingintrustedrolesandusingacryptographichardwaredeviceaspartofscriptedkeygenerationceremony.ThecryptographichardwareisevaluatedtoFIPS140‐1Level3andEAL4+.Activationofthehardwarerequirestheusetwo‐factorauthenticationtokens.DigiCertcreatesauditableevidenceduringthekeygenerationprocesstoprovethattheCPSwasfollowedandroleseparationwasenforcedduringthekeygenerationprocess.DigiCertrequiresthatanauditorwitnessthegenerationofanyCAkeystobeusedaspubliclytrustedrootcertificatesortosignEVCertificates.ForotherCAkeypairgenerationceremonies,DigiCertestablishesitscompliancewiththisrequirementbyhavinganauditororindependentthirdpartyattendtheceremonyorbyhavinganauditorexaminethesignedanddocumentedrecordofthekeygenerationceremony,asallowedbyapplicablepolicy.Subscribersmustgeneratetheirkeysinamannerthatisappropriateforthecertificatetype.CertificatesissuedatLevel3HardwareoratLevel4BiometricmustbegeneratedonvalidatedhardwarecryptographicmodulesusingaFIPS‐approvedmethod.SubscriberswhogeneratetheirownkeysforaQualifiedCertificateonanSSCDshallensurethattheSSCDmeetstherequirementsofCWA14169andthatthePublicKeytobecertifiedisfromthekeypairgeneratedbytheSSCD.ForAdobeSigningCertificates,SubscribersmustgeneratetheirkeypairsinamediumthatpreventsexportationorduplicationandthatmeetsorexceedsFIPS140‐1Level2certificationstandards.
6.1.2. PrivateKeyDeliverytoSubscriberIfDigiCert,aCMS,oranRAgeneratesakeyforaSubscriber,thenitmustdeliverthePrivateKeysecurelytotheSubscriber.Keysmaybedeliveredelectronically(suchasthroughsecureemailorstoredinacloud‐basedsystem)oronahardwarecryptographicmodule/SSCD.Inallcases:
1. Exceptwhereescrow/backupservicesareauthorizedandpermitted,thekeygeneratormustnotretainaccesstotheSubscriber’sPrivateKeyafterdelivery,
40
2. Thekeygeneratormustprotecttheprivatekeyfromactivation,compromise,ormodificationduringthedeliveryprocess,
3. TheSubscribermustacknowledgereceiptoftheprivatekey(s),typicallybyhavingtheSubscriberusetherelatedcertificate,and
4. ThekeygeneratormustdeliverthePrivateKeyinawaythatensuresthatthecorrecttokensandactivationdataareprovidedtothecorrectSubscribers,including:
a. Forhardwaremodules,thekeygeneratormaintainingaccountabilityforthelocationandstateofthemoduleuntiltheSubscriberacceptspossessionofitand
b. Forelectronicdeliveryofprivatekeys,thekeygeneratorencryptingkeymaterialusingacryptographicalgorithmandkeysizeatleastasstrongastheprivatekey.Thekeygeneratorshalldeliveractivationdatausingaseparatesecurechannel.
TheentityassistingtheSubscriberwithkeygenerationshallmaintainarecordoftheSubscriber’sacknowledgementofreceiptofthedevicecontainingtheSubscriber’sKeyPair.ACMSorRAprovidingkeydeliveryservicesisrequiredtoprovideacopyofthisrecordtoDigiCert.
6.1.3. PublicKeyDeliverytoCertificateIssuerSubscribersgeneratekeypairsandsubmitthePublicKeytoDigiCertinaCSRaspartofthecertificaterequestprocess.TheSubscriber’ssignatureontherequestisauthenticatedpriortoissuingthecertificate.
6.1.4. CAPublicKeyDeliverytoRelyingPartiesDigiCert'sPublicKeysareprovidedtoRelyingPartiesasspecifiedinacertificatevalidationorpathdiscoverypolicyfile,astrustanchorsincommercialbrowsersandoperatingsystemrootstore,and/orasrootssignedbyotherCAs.AllaccreditationauthoritiessupportingDigiCertcertificatesandallapplicationsoftwareprovidersarepermittedtoredistributeDigiCert’srootanchors.DigiCertmayalsodistributePublicKeysthatarepartofanupdatedsignaturekeypairasaself‐signedcertificate,asanewCAcertificate,orinakeyroll‐overcertificate.RelyingPartiesmayobtainDigiCert'sself‐signedCAcertificatesfromDigiCert'swebsiteorbyemail.
6.1.5. KeySizesDigiCertgenerallyfollowstheNISTtimelinesinusingandretiringsignaturealgorithmsandkeysizes.Currently,DigiCertgeneratesandusesatleastthefollowingminimumkeysizes,signaturealgorithms,andhashalgorithmsforsigningcertificates,CRLs,andcertificatestatusserverresponses:
Fornon‐FBCAcertificates:
2048‐bitRSAKeywithSecureHashAlgorithmversion1(SHA‐1)(SHA‐1isbeingphasedout)
Forallcertificates:2048‐bitRSAKeywithSecureHashAlgorithmversion2(SHA‐256)384‐bitECDSAKeywithSecureHashAlgorithmversion2(SHA‐256)
DigiCertrequiresend‐entitycertificatestocontainakeysizethatisatleast2048bitsforRSA,DSA,orDiffie‐Hellmanand224bitsforellipticcurvealgorithms.DigiCertmayrequirehigherbitkeysinitssolediscretion.PIV‐ICertificatescontainpublickeysandalgorithmsthatconformto[NISTSP800‐78].Anycertificates(whetherCAorend‐entity)expiringafter12/31/2030mustbeatleast3072‐bitforRSAand256‐bitforECDSA.SignaturesonCRLs,OCSPresponses,andOCSPrespondercertificatesthatprovidestatusinformationforcertificatesthatweregeneratedusingSHA‐1arealsogeneratedusingtheSHA‐1algorithm.AllothersignaturesonCRLs,OCSPresponses,andOCSPrespondercertificatesusetheSHA‐256hashalgorithmoronethatisequallyormoreresistanttocollisionattack.
41
DigiCertandSubscribersmayfulfilltheirrequirementsundertheCPandthisCPSusingTLSoranotherprotocolthatprovidessimilarsecurity,providedtheprotocolrequiresatleastAES128bitsorequivalentforthesymmetrickeyandatleast2048bitRSAorequivalentfortheasymmetrickeys(andatleast3072bitRSAorequivalentforasymmetrickeysafter12/31/2030).
6.1.6. PublicKeyParametersGenerationandQualityCheckingDigiCertusesacryptomodulethatconformstoFIPS186‐2andprovidesrandomnumbergenerationandon‐boardgenerationofupto4096‐bitRSAPublicKeysandawiderangeofECCcurves.
6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield)DigiCert'scertificatesincludekeyusageextensionfieldsthatspecifytheintendeduseofthecertificateandtechnicallylimitthecertificate’sfunctionalityinX.509v3compliantsoftware.TheuseofaspecifickeyisdeterminedbythekeyusageextensionintheX.509certificate.Subscribercertificatesassertkeyusagesbasedontheintendedapplicationofthekeypair.Inparticular,certificatestobeusedfordigitalsignatures(includingauthentication)setthedigitalSignatureand/ornonRepudiationbits.CertificatestobeusedforkeyordataencryptionshallsetthekeyEnciphermentand/ordataEnciphermentbits.CertificatestobeusedforkeyagreementshallsetthekeyAgreementbit.KeyusagebitsandextendedkeyusagesarespecifiedinthecertificateprofileforeachtypeofcertificateassetforthinDigiCert’sCertificateProfilesdocument.DigiCert’sCAcertificateshaveatleasttwokeyusagebitsset:keyCertSignandcRLSign,andforsigningOCSPresponses,thedigitalSignaturebitisalsoset.Exceptforlegacyapplicationsrequiringasinglekeyfordualusewithbothencryptionandsignature,DigiCertdoesnotissuecertificateswithkeyusageforbothsigningandencryption.Instead,DigiCertissuesSubscriberstwokeypairs—oneforkeymanagementandonefordigitalsignatureandauthentication.ForCertificatesatLevels1,2and3thatareusedforsigningandencryptioninsupportoflegacyapplications,theymust:
1. begeneratedandmanagedinaccordancewiththeirrespectivesignaturecertificaterequirements,exceptwhereotherwisenotedinthisCPS,
2. neverassertthenon‐repudiationkeyusagebit,and3. notbeusedforauthenticatingdatathatwillbeverifiedonthebasisofthedual‐usecertificateata
futuretime.NoLevel4certificatesmayhavesuchdual‐usekeypairs.PIV‐IContentSigningcertificatesalsoincludeanextendedkeyusageofid‐fpki‐pivi‐content‐signing.
6.2. PRIVATEKEYPROTECTIONANDCRYPTOGRAPHICMODULEENGINEERINGCONTROLS
6.2.1. CryptographicModuleStandardsandControlsDigiCert'scryptographicmodulesforallofitsCAandOCSPresponderkeypairsarevalidatedtotheFIPS140Level3andInternationalCommonCriteria(CC)InformationTechnologySecurityEvaluationAssuranceLevel(EAL)14169EAL4+Type3(EAL4AugmentedbyAVA_VLA.4andAVA_MSU.3)intheEuropeanUnion(EU).IGTFCertificateSubscribersmustprotecttheirPrivateKeysinaccordancewiththeapplicableGuidelinesonPrivateKeyProtection,includingtheuseofstrongpassphrasestoprotectprivatekeys.Cryptographicmodulerequirementsforsubscribersandregistrationauthoritiesareshowninthetablebelow.
42
AssuranceLevel Subscriber RegistrationAuthority
EVCodeSigningFIPS140Level2(Hardware)
FIPS140Level2(Hardware)
AdobeSigningFIPS140Level2(Hardware)
FIPS140Level3(Hardware)
Rudimentary N/AFIPS140Level1
(HardwareorSoftware)
Basic,LOA2,andLOA3 FIPS140Level1(HardwareorSoftware)
FIPS140Level1(HardwareorSoftware)
Medium
FIPS140Level1(Software)
FIPS140Level2(Hardware)
FIPS140Level2(Hardware)
MediumHardware,Biometric&PIV‐ICard/HardwareAuthentication
FIPS140Level2(Hardware)
FIPS140Level2(Hardware)
EUQConSSCDEAL4Augmented
(Hardware)EAL4Augmented
(Hardware)
DigiCertensuresthatthePrivateKeyofanEVCodeSigningCertificateisproperlygenerated,used,andstoredinacryptomodulethatmeetsorexceedstherequirementsofFIPS140level2by(i)shippingconformingcryptomoduleswithpreinstalledkeypairs,(ii)communicatingviaPKCS#11cryptoAPIsofcryptomodulesthatDigiCerthasverifiedmeetorexceedrequirements,or(iii)obtaininganITauditfromtheSubscriberthatindicatescompliancewithFIPS140‐2level2ortheequivalent.
6.2.2. PrivateKey(noutofm)Multi‐personControlDigiCert'sauthenticationmechanismsareprotectedsecurelywhennotinuseandmayonlybeaccessedbyactionsofmultipletrustedpersons. BackupsofCAPrivateKeysaresecurelystoredoff‐siteandrequiretwo‐personaccess.Re‐activationofabacked‐upCAPrivateKey(unwrapping)requiresthesamesecurityandmulti‐personcontrolaswhenperformingothersensitiveCAPrivateKeyoperations.
6.2.3. PrivateKeyEscrowDigiCertdoesnotescrowitssignaturekeys.SubscribersmaynotescrowtheirprivatesignaturekeysordualusekeysexceptasallowedbyothersupersedingpoliciesoragreementsamongSubscribers,RelyingParties,andescrowagents.DigiCertmayprovideescrowservicesforothertypesofcertificatesinordertoprovidekeyrecoveryasdescribedinsection4.12.1.
6.2.4. PrivateKeyBackupDigiCert'sPrivateKeysaregeneratedandstoredinsideDigiCert’scryptographicmodule,whichhasbeenevaluatedtoatleastFIPS140Level3andEAL4+.Whenkeysaretransferredtoothermediaforbackupanddisasterrecoverypurposes,thekeysaretransferredandstoredinanencryptedform.DigiCert'sCAkeypairsarebackedupbymultipletrustedindividualsusingacryptographichardwaredeviceaspartofscriptedandvideotapedkeybackupprocess.
43
DigiCertmayprovidebackupservicesforPrivateKeysthatarenotrequiredtobekeptonahardwaredevice.AccesstobackupcertificatesisprotectedinamannerthatonlytheSubscribercancontroltheprivatekey.DigiCertmayrequirebackupofPIV‐IContentSigningprivatesignaturekeystofacilitatedisasterrecovery,providedthatallbackupisperformedundermulti‐personcontrol.Backedupkeysareneverstoredinaplaintextformoutsideofthecryptographicmodule.
6.2.5. PrivateKeyArchivalDigiCertdoesnotarchivePrivateKeys.
6.2.6. PrivateKeyTransferintoorfromaCryptographicModuleAllkeysmustbegeneratedbyandinacryptographicmodule.PrivateKeysareexportedfromthecryptographicmoduleonlyforbackuppurposes.ThePrivateKeysareencryptedwhentransferredoutofthemoduleandneverexistinplaintextform.Whentransportedbetweencryptographicmodules,DigiCertencryptstheprivatekeyandprotectsthekeysusedforencryptionfromdisclosure.PrivateKeysusedtoencryptbackupsaresecurelystoredandrequiretwo‐personaccess.
6.2.7. PrivateKeyStorageonCryptographicModuleDigiCert'sPrivateKeysaregeneratedandstoredinsideDigiCert’scryptographicmodule,whichhasbeenevaluatedtoatleastFIPS140Level3andEAL4+.
6.2.8. MethodofActivatingPrivateKeysDigiCert'sPrivateKeysareactivatedaccordingtothespecificationsofthecryptographicmodulemanufacturer.Activationdataentryisprotectedfromdisclosure.
SubscribersaresolelyresponsibleforprotectingtheirPrivateKeys.SubscribersshoulduseastrongpasswordorequivalentauthenticationmethodtopreventunauthorizedaccessoruseoftheSubscriber’sPrivateKey.Ataminimum,Subscribersarerequiredtoauthenticatethemselvestothecryptographicmodulebeforeactivatingtheirprivatekeys.SeealsoSection6.4.
6.2.9. MethodofDeactivatingPrivateKeysDigiCert’sPrivateKeysaredeactivatedvialogoutproceduresontheapplicableHSMdevicewhennotinuse.RootPrivateKeysarefurtherdeactivatedbyremovingthementirelyfromthestoragepartitionontheHSMdevice.DigiCertneverleavesitsHSMdevicesinanactiveunlockedorunattendedstate.
SubscribersshoulddeactivatetheirPrivateKeysvialogoutandremovalprocedureswhennotinuse.
6.2.10. MethodofDestroyingPrivateKeysDigiCertpersonnel,actingintrustedroles,destroyCA,RA,andstatusserverPrivateKeyswhennolongerneeded.SubscribersshalldestroytheirPrivateKeyswhenthecorrespondingcertificateisrevokedorexpiredorifthePrivateKeyisnolongerneeded.DigiCertmaydestroyaPrivateKeybydeletingitfromallknownstoragepartitions.DigiCertalsozeroizestheHSMdeviceandassociatedbackuptokensaccordingtothespecificationsofthehardwaremanufacturer.Thisreinitializesthedeviceandoverwritesthedatawithbinaryzeros.Ifthezeroizationorre‐initializationprocedurefails,DigiCertwillcrush,shred,and/orincineratethedeviceinamannerthatdestroystheabilitytoextractanyPrivateKey.
6.2.11. CryptographicModuleRatingSeeSection6.2.1.
44
6.3. OTHERASPECTSOFKEYPAIRMANAGEMENT
6.3.1. PublicKeyArchivalDigiCertarchivescopiesofPublicKeysinaccordancewithSection5.5.
6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriodsDigiCertcertificateshavemaximumvalidityperiodsof:
Type PrivateKeyUse CertificateTermRootCA 20 years 25yearsSubCA* 12 years 15yearsFBCAorIGTFCross‐certifiedSubCA* 6years 15yearsCRLandOCSPrespondersigning 3 years 31days†OVSSL Nostipulation 42monthsEVSSL Nostipulation 27monthsTimeStampingAuthority Nostipulation 123months
CodeSigningCertificate Nostipulation 123months
EVCodeSigningCertificateissuedtoSubscriber
No stipulation 39months
EVCodeSigningCertificateissuedtoSigningAuthority
123months 123months
AdobeSigningCertificate 39months 5years
EndEntityClientusedforsignatures,includingEUQualifiedCertificates,codeandcontentsignatures
36months 36months
EndEntityClientusedforkeymanagement 36months 36months
Clientcross‐certifiedwithFBCA 36months 36months
EndEntityClientforallotherpurposes(nonFBCAandIGTFcerts)
42months 42months
PIV‐ICards 36 months 36 months
IGTF(2048‐bitRSAkeys)onhardware 60 months 13 months
IGTF(1024‐bitRSAkeys)onhardware 36 months 13 months
IGTFnotonhardware 13 months 13 months
*IGTFsigningcertificateshavealifetimethatisatleasttwicethemaximumlifetimeofanendentitycertificate.†OCSPresponderandCRLsigningcertificatesassociatedwithaPIV‐Icertificateonlyhaveamaximumcertificatevalidityperiodof31days.Relyingpartiesmaystillvalidatesignaturesgeneratedwiththesekeysafterexpirationofthecertificate.Privatekeysassociatedwithself‐signedrootcertificatesthataredistributedastrustanchorsareusedforamaximumof20years.DigiCertdoesnotissuePIV‐IsubscribercertificatesthatexpirelaterthantheexpirationdateofthePIV‐Ihardwaretokenonwhichthecertificatesreside.DigiCertmayvoluntarilyretireitsCAPrivateKeysbeforetheperiodslistedabovetoaccommodatekeychangeoverprocesses.DigiCertdoesnotissueSubscribercertificateswithanexpirationdatethatispastthesigningroot’spublickeyexpirationdateorthatexceedstheroutinere‐keyidentificationrequirementsspecifiedinSection3.1.1.
45
6.4. ACTIVATIONDATA
6.4.1. ActivationDataGenerationandInstallationDigiCertactivatesthecryptographicmodulecontainingitsCAPrivateKeysaccordingtothespecificationsofthehardwaremanufacturer.ThismethodhasbeenevaluatedasmeetingtherequirementsofFIPS140‐2Level3.Thecryptographichardwareisheldundertwo‐personcontrolasexplainedinSection5.2.2andelsewhereinthisCPS.DigiCertwillonlytransmitactivationdataviaanappropriatelyprotectedchannelandatatimeandplacethatisdistinctfromthedeliveryoftheassociatedcryptographicmodule.
AllDigiCertpersonnelandSubscribersareinstructedtousestrongpasswordsandtoprotectPINsandpasswords.DigiCertemployeesarerequiredtocreatenon‐dictionary,alphanumericpasswordswithaminimumlengthandtochangetheirpasswordsonaregularbasis.IfDigiCertusespasswordsasactivationdataforasigningkey,DigiCertwillchangetheactivationdatachangeuponrekeyoftheCAcertificate.
6.4.2. ActivationDataProtectionDigiCert protects data used to unlock private keys from disclosure using a combination of cryptographic and physical access control mechanisms. Protection mechanisms include keepingactivationmechanismssecureusingrole‐basedphysicalcontrol.AllDigiCertpersonnelareinstructedtomemorizeandnottowritedowntheirpasswordorshareitwithanotherindividual.DigiCertlocksaccountsusedtoaccesssecureCAprocessesifacertainnumberoffailedpasswordattemptsoccur.
6.4.3. OtherAspectsofActivationDataIfDigiCertmustresetactivationdataassociatedwithaPIV‐IcertificatethenDigiCertoranRAperformsasuccessfulbiometric1:1matchoftheapplicantagainstthebiometricscollectedinSection3.2.3.
6.5. COMPUTERSECURITYCONTROLS
6.5.1. SpecificComputerSecurityTechnicalRequirementsDigiCertsecuresitsCAsystemsandauthenticatesandprotectscommunicationsbetweenitssystemsandtrustedroles.DigiCert'sCAserversandsupport‐and‐vettingworkstationsrunontrustworthysystemsthatareconfiguredandhardenedusingindustrybestpractices.AllCAsystemsarescannedformaliciouscodeandprotectedagainstspywareandviruses.DigiCert’sCAsystems,includinganyremoteworkstations,areconfiguredto:
1. authenticatetheidentityofusersbeforepermittingaccesstothesystemorapplications,2. managetheprivilegesofusersandlimituserstotheirassignedroles,3. generateandarchiveauditrecordsforalltransactions,4. enforcedomainintegrityboundariesforsecuritycriticalprocesses,and5. supportrecoveryfromkeyorsystemfailure.
AllCertificateStatusServers:
1. authenticatetheidentityofusersbeforepermittingaccesstothesystemorapplications,2. manageprivilegestolimituserstotheirassignedroles,3. enforcedomainintegrityboundariesforsecuritycriticalprocesses,and4. supportrecoveryfromkeyorsystemfailure.
6.5.2. ComputerSecurityRatingNostipulation.
6.6. LIFECYCLETECHNICALCONTROLS
6.6.1. SystemDevelopmentControlsDigiCerthasmechanismsinplacetocontrolandmonitortheacquisitionanddevelopmentofitsCAsystems.Changerequestsrequiretheapprovalofatleastoneadministratorwhoisdifferentfromtheperson
46
submittingtherequest.DigiCertonlyinstallssoftwareonCAsystemsifthesoftwareispartoftheCA’soperation.CAhardwareandsoftwarearededicatedtoperformingoperationsoftheCA.Vendorsareselectedbasedontheirreputationinthemarket,abilitytodeliverqualityproduct,andlikelihoodofremainingviableinthefuture.Managementisinvolvedinthevendorselectionandpurchasedecisionprocess.Non‐PKIhardwareandsoftwareispurchasedwithoutidentifyingthepurposeforwhichthecomponentwillbeused.Allhardwareandsoftwareareshippedunderstandardconditionstoensuredeliveryofthecomponentdirectlytoatrustedemployeewhoensuresthattheequipmentisinstalledwithoutopportunityfortampering.SomeofthePKIsoftwarecomponentsusedbyDigiCertaredevelopedin‐houseorbyconsultantsusingstandardsoftwaredevelopmentmethodologies.Allsuchsoftwareisdesignedanddevelopedinacontrolledenvironmentandsubjectedtoqualityassurancereview.Othersoftwareispurchasedcommercialoff‐the‐shelf(COTS).Qualityassuranceismaintainedthroughouttheprocessthroughtestinganddocumentationorbypurchasingfromtrustedvendorsasdiscussedabove.Updatesofequipmentandsoftwarearepurchasedordevelopedinthesamemannerastheoriginalequipmentorsoftwareandareinstalledandtestedbytrustedandtrainedpersonnel.AllhardwareandsoftwareessentialtoDigiCert’soperationsisscannedformaliciouscodeonfirstuseandperiodicallythereafter.
6.6.2. SecurityManagementControlsDigiCerthasmechanismsinplacetocontrolandmonitorthesecurity‐relatedconfigurationsofitsCAsystems.WhenloadingsoftwareontoaCAsystem,DigiCertverifiesthatthesoftwareisthecorrectversionandissuppliedbythevendorfreeofanymodifications.DigiCertverifiestheintegrityofsoftwareusedwithitsCAprocessesatleastonceaweek.
6.6.3. LifeCycleSecurityControlsNostipulation.
6.7. NETWORKSECURITYCONTROLSDigiCertdocumentsandcontrolstheconfigurationofitssystems,includinganyupgradesormodificationsmade.DigiCert'sCAsystemisconnectedtooneinternalnetworkandisprotectedbyfirewallsandNetworkAddressTranslationforallinternalIPaddresses(e.g.,192.168.x.x).DigiCert'scustomersupportandvettingworkstationsarealsoprotectedbyfirewall(s)andonlyuseinternalIPaddresses.RootKeysarekeptofflineandbroughtonlineonlywhennecessarytosigncertificate‐issuingsubordinateCAs,OCSPResponderCertificates,orperiodicCRLs.Firewallsandboundarycontroldevicesareconfiguredtoallowaccessonlybytheaddresses,ports,protocolsandcommandsrequiredforthetrustworthyprovisionofPKIservicesbysuchsystems.DigiCert'ssecuritypolicyistoblockallportsandprotocolsandopenonlyportsnecessarytoenableCAfunctions.AllCAequipmentisconfiguredwithaminimumnumberofservicesandallunusednetworkportsandservicesaredisabled.DigiCert'snetworkconfigurationisavailableforreviewon‐sitebyitsauditorsandconsultantsunderanappropriatenon‐disclosureagreement.
6.8. TIME‐STAMPINGThesystemtimeonDigiCert’scomputersisupdatedusingtheNetworkTimeProtocol(NTP)tosynchronizesystemclocksatleastonceeveryeighthours(Windowsdefault).AlltimesaretraceabletoarealtimevaluedistributedbyaUTC(k)laboratoryorNationalMeasurementInstituteandareupdatedwhenaleapsecondoccursasnotifiedbytheappropriatebody.DigiCertmaintainsaninternalNTPserverthatsynchronizeswithcellulartelephonenetworksandmaintainstheaccuracyofitsclockwithinonesecondorless.ForeachtimestamprequesttheinternalNTPserverisqueriedforthecurrenttime.However,RelyingPartiesshouldbeawarethatalltimesincludedinatime‐stamptokenaresynchronizedwithUTCwithintheaccuracydefinedinthetime‐stamptokenitself,ifpresent.
47
DigiCertwillnotissueatime‐stamptokenusinganyclockthatisdetectedasinaccurate.Allclocksusedfortime‐stampingarehousedintheDigiCert’ssecurefacilitiesandareprotectedagainstthreatsthatcouldresultinanunexpectedchangetotheclock’stime.DigiCert'sfacilitiesautomaticallydetectandreportanyclockthatdriftsorjumpsoutofsynchronizationwithUTC.Clockadjustmentsareauditableevents.SomeaspectsofRFC3161timestampsdifferfromMicrosoftAuthenticodetimestamps.ForRFC3161‐complianttimestamps,DigiCertincludesauniqueintegerforeachnewlygeneratedtime‐stamptoken.DigiCertonlytime‐stampshashrepresentationsofdata,notthedataitself.Informationcanbehashedfortime‐stampingusingSHA‐1orSHA‐256withRSAencryptionandeither1024or2048bitkeysizeforsignaturecreation.(SHA‐1,SHA‐256,SHA‐384,SHA‐512,MD5,MD4,andMD2aresupportedforRFC3161‐basedrequests.)DigiCertdoesnotexaminetheimprintbeingtime‐stampedotherthantochecktheimprint’slength.DigiCertalsodoesnotincludeanyidentificationoftheTimeStampTokenRequester(TSTRequester)inthetime‐stamptoken.Alltime‐stamptokensaresignedusingakeygeneratedexclusivelyforthatpurposesandhavethepropertyofthekeyindicatedinthecertificate.TSTRequestersrequesttime‐stamptokensbysendingarequesttoDigiCert.AftertheTSTRequesterreceivesaresponsefromDigiCert,itmustverifythestatuserrorreturnedintheresponse.Ifanerrorwasnotreturned,theTSTRequestermustthenverifythefieldscontainedinthetime‐stamptokenandthevalidityofthetime‐stamptoken’sdigitalsignature.Inparticular,theTSTRequestermustverifythatthetime‐stampeddatacorrespondstowhatwasrequestedandthatthetime‐stamptokencontainsthecorrectcertificateidentifier,thecorrectdataimprint,andthecorrecthashalgorithmOID.TheTSTRequestermustalsoverifythetimelinessoftheresponsebyverifyingtheresponseagainstalocaltrustedtimereference.TheTSTRequesterisrequiredtonotifyDigiCertimmediatelyifanyinformationcannotbeverified.TimeStampVerifiersshallverifythedigitalsignatureonthetime‐stamptokenandconfirmthatthedatacorrespondstothehashvalueinthetime‐stamptoken.
6.9. PIV‐ICARDSThefollowingrequirementsapplytoPIV‐ICards:
1. ToensureinteroperabilitywithFederalsystems,PIV‐ICardsuseasmartcardplatformthatisonGSA’sFIPS201EvaluationProgramApprovedProductList(APL)andusethePIVapplicationidentifier(AID).
2. AllPIV‐ICardsconformto[NISTSP800‐731].3. ThemandatoryX.509CertificateforAuthenticationisonlyissuedunderapolicythatiscross
certifiedwiththeFBCAPIV‐IHardwarepolicyOID.4. PIV‐IcertificatesconformtothePIV‐IProfile.5. AnasymmetricX.509CertificateforCardAuthenticationisincludedineachPIV‐Icard.The
Certificate:a. conformstoPIV‐IProfile,b. conformsto[NISTSP800‐73],andc. isissuedunderthePIV‐ICardAuthenticationpolicy.
6. TheCMSincludesanelectronicrepresentation(asspecifiedinSP800‐73andSP800‐76)ofthecardholder’sfacialimageineachPIV‐Icard.
7. TheX.509CertificatesforDigitalSignatureandKeyManagementdescribedin[NISTSP800‐73]areoptionalforPIV‐ICards.
8. TheCMSmakesitsPIV‐ICardsvisuallydistinctfromaFederalPIVCardtopreventcreationofafraudulentFederalPIVCard.Ataminimum,theCMSdoesnotallowedimagesorlogosonaPIV‐ICardtobeplacedwithinZone11,AgencySeal,asdefinedby[FIPS201].
9. TheCMSrequiresthefollowingitemsonthefrontofacard:a. Cardholderfacialimage,b. Cardholderfullname,c. OrganizationalAffiliation,ifexists;otherwisetheissuerofthecard,andd. Cardexpirationdate.
10. PIV‐Icardsareissuedwithanexpirationdatethatisfiveyearsorless.11. AllPIV‐ICardsexpirelaterthanthePIV‐IContentSigningcertificateonthecard.
48
12. ApolicyOIDthathasbeenmappedtotheFBCAPIV‐IContentSigningpolicyOIDisincludedinthedigitalsignaturecertificateusedtosignobjectsonthePIV‐ICard.ThePIV‐IContentSigningcertificateconformstothePIV‐IProfile.
13. ThePIV‐IContentSigningcertificateandcorrespondingprivatekeyaremanagedwithinatrustedCardManagementSystem.
14. Atissuance,thePIV‐ICardisactivatedandreleasedtothesubscriberonlyafterasuccessful1:1biometricmatchoftheapplicantagainstthebiometricscollectedinSection3.2.3.
15. PIV‐ICardsmaysupportcardactivationbythecardmanagementsystemtosupportcardpersonalizationandpost‐issuancecardupdate.Toactivatethecardforpersonalizationorupdate,thecardmanagementsystemperformsachallengeresponseprotocolusingcryptographickeysstoredonthecardinaccordancewith[SP800‐73].Whencardsarepersonalized,cardmanagementkeysaresettobespecifictoeachPIV‐ICard.Thatis,eachPIV‐ICardcontainsauniquecardmanagementkey.CardmanagementkeysmeetthealgorithmandkeysizerequirementsstatedinSpecialPublication800‐78,CryptographicAlgorithmsandKeySizesforPersonalIdentityVerification.[SP800‐78].
7. CERTIFICATE,CRL,ANDOCSPPROFILESDigiCertusestheITUX.509,version3standardtoconstructdigitalcertificatesforusewithintheDigiCertPKI.DigiCertaddscertaincertificateextensionstothebasiccertificatestructureforthepurposesintendedbyX.509v3asperAmendment1toISO/IEC9594‐8,1995.ForPIV‐ICertificates,DigiCertfollowstheFPKIPA’sX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards.ForQualifiedCertificates,DigiCertfollowsETSITS101862.
7.1. CERTIFICATEPROFILE
7.1.1. VersionNumber(s)AllcertificatesareX.509version3certificates.
7.1.2. CertificateExtensionsSeeDigiCert’sCertificateProfilesdocument.IGTFcertificatescomplywiththeGridCertificateProfileasdefinedbytheOpenGridForumGFD.125.PIV‐ICertificatescomplywiththeX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards,Date:April232010,assetforthat:http://www.idmanagement.gov/fpkipa/documents/pivi_certificate_crl_profile.pdf.
7.1.3. AlgorithmObjectIdentifiersDigiCertcertificatesaresignedusingoneofthefollowingalgorithms:sha‐1WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)5]sha256WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)
11]
ecdsa‐with‐sha384 [iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)signatures(4)ecdsa‐with‐SHA2(3)3]
DigiCertdoesnotcurrentlysigncertificatesusingRSAwithPSSpadding.DigiCertandSubscribersmaygenerateKeyPairsusingthefollowing:id‐dsa [iso(1)member‐body(2)us(840)x9‐57(10040)x9cm(4)1]RsaEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)1]Dhpublicnumber [iso(1)member‐body(2)us(840)ansi‐x942(10046)number‐type(2)1]
id‐keyExchangeAlgorithm[joint‐iso‐ccitt(2)country(16)us(840)organization(1)gov(101)dod(2)infosec(1)algorithms(1)22]
id‐ecPublicKey[iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)id‐publicKeyType(2)1]
49
EllipticcurvepublickeyssubmittedtoDigiCertforinclusioninendentitycertificatesshouldallbebasedonNIST“SuiteB”curves.SignaturealgorithmsforPIV‐IcertificatesarelimitedtothoseidentifiedbyNISTSP800‐78.
7.1.4. NameFormsEachcertificateincludesauniqueserialnumberthatisneverreused.OptionalsubfieldsinthesubjectofanSSLCertificatemusteithercontaininformationverifiedbyDigiCertorbeleftempty.SSLCertificatescannotcontainmetadatasuchas‘.’,‘‐‘and‘‘charactersoranyotherindicationthatthefieldisnotapplicable.DigiCertlogicallyrestrictsOUfieldsfromcontainingSubscriberinformationthathasnotbeenverifiedinaccordancewithSection3. TheDistinguishedNameforeachCertificatetypeissetforthinDigiCert’scertificateprofilesdocument.ThecontentsofthefieldsinEVCertificatesmustmeettherequirementsinSection8.1oftheEVGuidelines.
7.1.5. NameConstraintsNostipulation.
7.1.6. CertificatePolicyObjectIdentifierAnobjectidentifier(OID)isauniquenumberthatidentifiesanobjectorpolicy.TheOIDsusedbyDigiCertarelistedinSection1.2andinDigiCert’sCertificateProfilesdocument.
7.1.7. UsageofPolicyConstraintsExtensionNotapplicable.
7.1.8. PolicyQualifiersSyntaxandSemanticsDigiCertincludesbriefstatementsincertificatesaboutthelimitationsofliabilityandothertermsassociatedwiththeuseofacertificateinthePolicyQualifierfieldoftheCertificatesPolicyextension.
7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtensionNostipulation.
7.2. CRLPROFILEForPIV‐ICertificates,DigiCertfollowstheFPKIPA’sX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards.
7.2.1. Versionnumber(s)DigiCertissuesversion2CRLsthatcontainthefollowingfields:
Field ValueIssuerSignatureAlgorithm sha‐1WithRSAEncryption[12840113549115] OR
sha‐256WithRSAEncryption[128401135491111]ORecdsa‐with‐sha384[1284010045433]
IssuerDistinguishedName DigiCertthisUpdate CRLissuedateinUTCformatnextUpdate DatewhenthenextCRLwillissueinUTCformat.RevokedCertificatesList
Listofrevokedcertificates,includingtheserialnumberandrevocationdate
Issuer’sSignature [Signature]
7.2.2. CRLandCRLEntryExtensionsCRLshavethefollowingextensions:
Extension ValueCRLNumber Neverrepeatedmonotonicallyincreasinginteger
50
AuthorityKeyIdentifier SameastheAuthorityKeyIdentifierlistedinthecertificateInvalidityDate OptionaldateinUTCformatReasonCode Optional reasonforrevocation
7.3. OCSPPROFILEForPIV‐ICertificates,DigiCertfollowstheFPKIPA’sX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards.
7.3.1. VersionNumber(s)DigiCert’sOCSPrespondersconformtoversion1ofRFC2560.
7.3.2. OCSPExtensionsNostipulation.
8. COMPLIANCEAUDITANDOTHERASSESSMENTSThepracticesinthisCPSaredesignedtomeetorexceedtherequirementsofgenerallyacceptedindustrystandards,includingthelatestversionoftheEVGuidelinesandtheAICPA/CICAWebTrustProgramforCertificationAuthorities,ANSX9.79/ISO21188PKIPracticesandPolicyFramework("CAWebTrust/ISO21188").ForpurposesofinteroperationwiththeU.S.Government,compliancecanbedeterminedbyreferencetoanycurrentauditorletterofcompliancemeetingtheFPKIPA’sAuditorLetterofComplianceRequirements,datedOctober28,2009(FPKIPAAuditRequirements).
8.1. FREQUENCYORCIRCUMSTANCESOFASSESSMENTDigiCertreceivesanannualauditbyanindependentexternalauditortoassessDigiCert'scompliancewiththisCPS,anyapplicableCPs,andtheCAWebTrust/ISO21188andWebTrustEVProgramcriteria.TheauditcoversDigiCert’sRAsystems,SubCAs,andOCSPResponders.
8.2. IDENTITY/QUALIFICATIONSOFASSESSORWebTrustauditorsmustmeettherequirementsofSection14.1.14oftheEVGuidelines.Specifically:
(1) Qualificationsandexperience:Auditingmustbetheauditor’sprimarybusinessfunction.TheindividualoratleastonememberoftheauditgroupmustbequalifiedasaCertifiedInformationSystemsAuditor(CISA),anAICPACertifiedInformationTechnologyProfessional(CPA.CITP),aCertifiedInternalAuditor(CIA),orhaveanotherrecognizedinformationsecurityauditingcredential.Auditorsmustbesubjecttodisciplinaryactionbyitslicensingbody.
(2) Expertise:TheindividualorgroupmustbetrainedandskilledintheauditingofsecureinformationsystemsandbefamiliarwithPublicKeyinfrastructures,certificationsystems,andInternetsecurityissues.
(3) Rulesandstandards:Theauditormustconformtoapplicablestandards,rules,andbestpracticespromulgatedbytheAmericanInstituteofCertifiedPublicAccountants(AICPA),theCanadianInstituteofCharteredAccountants(CICA),theInstituteofCharteredAccountantsofEngland&Wales(ICAEW),theInternationalAccountingStandardsadoptedbytheEuropeanCommission(IAS),InformationSystemsAuditandControlAssociation(ISACA),theInstituteofInternalAuditors(IIA),oranotherqualifiedauditingstandardsbody.
(4) Reputation:Thefirmmusthaveareputationforconductingitsauditingbusinesscompetentlyandcorrectly.
(5) Insurance:EVauditorsmustmaintainProfessionalLiability/ErrorsandOmissionsInsurance,withpolicylimitsofatleast$1millionincoverage.
51
8.3. ASSESSOR'SRELATIONSHIPTOASSESSEDENTITYDigiCert’sWebTrustauditordoesnothaveafinancialinterest,businessrelationship,orcourseofdealingthatcouldforeseeablycreateasignificantbiasfororagainstDigiCert.
8.4. TOPICSCOVEREDBYASSESSMENTTheauditcoversDigiCert'sbusinesspracticesdisclosure,theintegrityofDigiCert'sPKIoperations,andDigiCert’scompliancewiththeEVGuidelines.TheauditverifiesthatDigiCertiscompliantwiththeCP,thisCPS,andanyMOAbetweenitandanyotherPKI.
8.5. ACTIONSTAKENASARESULTOFDEFICIENCYIfanauditreportsamaterialnoncompliancewithapplicablelaw,thisCPS,theCP,oranyothercontractualobligationsrelatedtoDigiCert’sservices,then(1)theauditorwilldocumentthediscrepancy,(2)theauditorwillpromptlynotifyDigiCert,and(3)DigiCertwilldevelopaplantocurethenoncompliance.DigiCertwillsubmittheplantotheDCPAforapprovalandtoanythirdpartythatDigiCertislegallyobligatedtosatisfy.TheDCPAmayrequireadditionalactionifnecessarytorectifyanysignificantissuescreatedbythenon‐compliance,includingrequiringrevocationofaffectedcertificates.
8.6. COMMUNICATIONOFRESULTSTheresultsofeachauditarereportedtotheDCPAandtoanythirdpartyentitieswhichareentitledbylaw,regulation,oragreementtoreceiveacopyoftheauditresults.Onanannualbasis,DigiCertsubmitsareportofitsauditcompliancetovariousparties,suchasMozilla,theFederalPKIPolicyAuthority,CAlicensingbodies,etc.
8.7. SELF‐AUDITSOnatleastaquarterlybasis,DigiCertperformsregularinternalauditsagainstarandomlyselectedsampleofatleastthreepercentofthecertificatesissuedsincethelastinternalaudit.InternalauditsonEVCertificatesareperformedinaccordancewithsection14.1.2oftheEVGuidelines.
9. OTHERBUSINESSANDLEGALMATTERS
9.1. FEES
9.1.1. CertificateIssuanceorRenewalFeesDigiCertchargesfeesforcertificateissuanceandrenewal.DigiCertmaychangeitsfeesatanytimeinaccordancewiththeapplicablecustomeragreement.
9.1.2. CertificateAccessFeesDigiCertmaychargeareasonablefeeforaccesstoitscertificatedatabases.
9.1.3. RevocationorStatusInformationAccessFeesDigiCertdoesnotchargeacertificaterevocationfeeorafeeforcheckingthevaliditystatusofanissuedcertificateusingaCRL.DigiCertmaychargeafeeforprovidingcertificatestatusinformationviaOCSP.
9.1.4. FeesforOtherServicesNostipulation.
9.1.5. RefundPolicySubscribersmustrequestrefunds,inwriting,within30daysafteracertificateissues.Afterreceivingtherefundrequest,DigiCertmayrevokethecertificateandrefundtheamountpaidbytheApplicant,minusanyapplicableapplicationprocessingfees.
52
9.2. FINANCIALRESPONSIBILITY
9.2.1. InsuranceCoverageDigiCertmaintainsCommercialGeneralLiabilityinsurancewithapolicylimitofatleast$2millionincoverageandProfessionalLiability/Errors&Omissionsinsurancewithapolicylimitofatleast$5millionincoverage.InsuranceiscarriedthroughcompaniesratednolessthanA‐astoPolicyHolder’sRatinginthecurrenteditionofBest’sInsuranceGuide(orwithanassociationofcompanies,eachofthemembersofwhicharesorated).
9.2.2. OtherAssetsNostipulation.
9.2.3. InsuranceorWarrantyCoverageforEnd‐EntitiesInsurancecoverageforend‐entitiesisspecifiedinDigiCert’sRelyingPartyAgreement.
9.3. CONFIDENTIALITYOFBUSINESSINFORMATION
9.3.1. ScopeofConfidentialInformationThefollowinginformationisconsideredconfidentialandprotectedagainstdisclosureusingareasonabledegreeofcare:
1. PrivateKeys;2. ActivationdatausedtoaccessPrivateKeysortogainaccesstotheCAsystem;3. Businesscontinuity,incidentresponse,contingency,anddisasterrecoveryplans;4. Othersecuritypracticesusedtoprotecttheconfidentiality,integrity,oravailabilityofinformation;5. InformationheldbyDigiCertasprivateinformationinaccordancewithSection9.4;6. Auditlogsandarchiverecords;and7. Transactionrecords,financialauditrecords,andexternalorinternalaudittrailrecordsandanyaudit
reports(withtheexceptionofanauditor’sletterconfirmingtheeffectivenessofthecontrolssetforthinthisCPS).
9.3.2. InformationNotWithintheScopeofConfidentialInformationAnyinformationnotlistedasconfidentialisconsideredpublicinformation.Publishedcertificateandrevocationdataisconsideredpublicinformation.
9.3.3. ResponsibilitytoProtectConfidentialInformationDigiCert’semployees,agents,andcontractorsareresponsibleforprotectingconfidentialinformationandarecontractuallyobligatedtodoso.Employeesreceivetrainingonhowtohandleconfidentialinformation.
9.4. PRIVACYOFPERSONALINFORMATION
9.4.1. PrivacyPlanDigiCertfollowstheprivacypolicypostedonitswebsitewhenhandlingpersonalinformation.Personalinformationisonlydisclosedwhenthedisclosureisrequiredbylaworwhenrequestedbythesubjectofthepersonalinformation.
9.4.2. InformationTreatedasPrivateDigiCerttreatsallpersonalinformationaboutanindividualthatisnotpubliclyavailableinthecontentsofacertificateorCRLasprivateinformation.DigiCertprotectsprivateinformationusingappropriatesafeguardsandareasonabledegreeofcare.
9.4.3. InformationNotDeemedPrivatePrivateinformationdoesnotincludecertificates,CRLs,ortheircontents.
53
9.4.4. ResponsibilitytoProtectPrivateInformationDigiCertemployeesandcontractorsareexpectedtohandlepersonalinformationinstrictconfidenceandmeettherequirementsofUSandEuropeanlawconcerningtheprotectionofpersonaldata.Allsensitiveinformationissecurelystoredandprotectedagainstaccidentaldisclosure.
9.4.5. NoticeandConsenttoUsePrivateInformationPersonalinformationobtainedfromanapplicantduringtheapplicationoridentityverificationprocessisconsideredprivateinformationiftheinformationisnotincludedinacertificate.DigiCertwillonlyuseprivateinformationafterobtainingthesubject'sconsentorasrequiredbyapplicablelaworregulation.AllSubscribersmustconsenttotheglobaltransferandpublicationofanypersonaldatacontainedinacertificate.
9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcessDigiCertmaydiscloseprivateinformation,withoutnotice,ifDigiCertbelievesthedisclosureisrequiredbylaworregulation.
9.4.7. OtherInformationDisclosureCircumstancesNostipulation.
9.5. INTELLECTUALPROPERTYRIGHTSDigiCertand/oritsbusinesspartnersowntheintellectualpropertyrightsinDigiCert’sservices,includingthecertificates,trademarksusedinprovidingtheservices,andthisCPS.“DigiCert”isaregisteredtrademarkofDigiCert,Inc.
CertificateandrevocationinformationarethepropertyofDigiCert.DigiCertgrantspermissiontoreproduceanddistributecertificatesonanon‐exclusiveandroyalty‐freebasis,providedthattheyarereproducedanddistributedinfull.DigiCertdoesnotallowderivativeworksofitscertificatesorproductswithoutpriorwrittenpermission.PrivateandPublicKeysremainthepropertyoftheSubscriberswhorightfullyholdthem.Allsecretshares(distributedelements)oftheDigiCertPrivateKeysarethepropertyofDigiCert.
9.6. REPRESENTATIONSANDWARRANTIES
9.6.1. CARepresentationsandWarrantiesExceptasexpresslystatedinthisCPSorinaseparateagreementwithaSubscriber,DigiCertdoesnotmakeanyrepresentationsregardingitsproductsorservices.DigiCertrepresents,totheextentspecifiedinthisCPS,that:
1. DigiCertcomplies,inallmaterialaspects,withtheCP,thisCPS,andallapplicablelawsandregulations,
2. DigiCertpublishesandupdatesCRLsandOCSPresponsesonaregularbasis,3. AllcertificatesissuedunderthisCPSwillbeverifiedinaccordancewiththisCPSandmeetthe
minimumrequirementsfoundhereinandintheBaselineRequirements,4. DigiCertwillmaintainarepositoryofpublicinformationonitswebsite,and5. InformationpublishedonaqualifiedcertificatemeetstherequirementsspecifiedinEUDirective
99/93.
TotheextentallowedunderEUDirective99/93,DigiCert:1. Doesnotwarranttheaccuracy,authenticity,completeness,orfitnessofanyunverified
information,includingnameverificationfor(1)certificatesintendedforemailandintranetuse,(2)UnifiedCommunicationsCertificates,and(3)othercertificatesissuedtoindividualsandintranets.
2. IsnotresponsibleforinformationcontainedinacertificateexceptasstatedinthisCPS,3. Doesnotwarrantthequality,function,orperformanceofanysoftwareorhardwaredevice,and4. IsnotresponsibleforfailingtocomplywiththisCPSbecauseofcircumstancesoutsideof
DigiCert’scontrol.
54
ForEVCertificates,DigiCertrepresentstoSubscribers,Subjects,ApplicationSoftwareVendorsthatdistributeDigiCert’srootcertificates,andRelyingPartiesthatuseaDigiCertcertificatewhilethecertificateisvalidthatDigiCertfollowedtheEVGuidelineswhenverifyinginformationandissuingEVCertificates.ThisrepresentationislimitedsolelytoDigiCert’scompliancewiththeEVGuidelines(e.g.,DigiCertmayrelyonerroneousinformationprovidedinanattorney’sopinionoraccountant’sletterthatischeckedinaccordancewiththeGuidelines).ForPIVCertificates,DigiCertmaintainsanagreementwithAffiliatedOrganizationsthatincludesobligationsrelatedtoauthorizingaffiliationwithSubscribersofPIV‐Icertificates.
9.6.2. RARepresentationsandWarrantiesRAsrepresentthat:
1. TheRA’scertificateissuanceandmanagementservicesconformtotheDigiCertCPandthisCPS,2. InformationprovidedbytheRAdoesnotcontainanyfalseormisleadinginformation,3. TranslationsperformedbytheRAareanaccuratetranslationoftheoriginalinformation,and4. AllcertificatesrequestedbytheRAmeettherequirementsofthisCPS.
DigiCert’sagreementwiththeRAmaycontainadditionalrepresentations.
9.6.3. SubscriberRepresentationsandWarrantiesPriortobeingissuedandreceivingaCertificate,subscribersaresolelyresponsibleforanymisrepresentationstheymaketothirdpartiesandforalltransactionsthatuseSubscriber’sPrivateKey,regardlessofwhethersuchusewasauthorized.SubscribersarerequiredtonotifyDigiCertandanyapplicableRAifachangeoccursthatcouldaffectthestatusofthecertificate.SubscribersrepresenttoDigiCert,ApplicationSoftwareVendors,andRelyingPartiesthat,foreachcertificate,theSubscriberwill:
1. SecurelygenerateitsPrivateKeysandprotectitsPrivateKeysfromcompromise,2. ProvideaccurateandcompleteinformationwhencommunicatingwithDigiCert,3. Confirmtheaccuracyofthecertificatedatapriortousingthecertificate,4. PromptlyceaseusingacertificateandnotifyDigiCertif(i)anyinformationthatwassubmitted
toDigiCertorisincludedinacertificatechangesorbecomesmisleadingor(ii)thereisanyactualorsuspectedmisuseorcompromiseofthePrivateKeyassociatedwiththecertificate,
5. Ensurethatindividualsusingcertificatesonbehalfofanorganizationhavereceivedsecuritytrainingappropriatetothecertificate,
6. Usethecertificateonlyforauthorizedandlegalpurposes,consistentwiththecertificatepurpose,thisCPS,anyapplicableCP,andtherelevantSubscriberAgreement,includingonlyinstallingSSLcertificatesonserversaccessibleatthedomainlistedinthecertificateandnotusingcodesigningcertificatestosignmaliciouscodeoranycodethatisdownloadedwithoutauser’sconsent,and
7. PromptlyceaseusingthecertificateandrelatedPrivateKeyafterthecertificate’sexpiration.
9.6.4. RelyingPartyRepresentationsandWarrantiesEachRelyingPartyrepresentsthat,priortorelyingonaDigiCertcertificate,it:
1. ObtainedsufficientknowledgeontheuseofdigitalcertificatesandPKI,2. StudiedtheapplicablelimitationsontheusageofcertificatesandagreestoDigiCert’slimitationson
liabilityrelatedtotheuseofcertificates,3. Hasread,understands,andagreestotheDigiCertRelyingPartyAgreementandthisCPS,4. VerifiedboththeDigiCertcertificateandthecertificatesinthecertificatechainusingtherelevant
CRLorOCSP,5. WillnotuseaDigiCertcertificateifthecertificatehasexpiredorbeenrevoked,and6. Willtakeallreasonablestepstominimizetheriskassociatedwithrelyingonadigitalsignature,
includingonlyrelyingonaDigiCertcertificateafterconsidering:a) applicablelawandthelegalrequirementsforidentificationofaparty,protectionofthe
confidentialityorprivacyofinformation,andenforceabilityofthetransaction;b) theintendeduseofthecertificateaslistedinthecertificateorthisCPS,c) thedatalistedinthecertificate,
55
d) theeconomicvalueofthetransactionorcommunication,e) thepotentiallossordamagethatwouldbecausedbyanerroneousidentificationoralossof
confidentialityorprivacyofinformationintheapplication,transaction,orcommunication,f) theRelyingParty’spreviouscourseofdealingwiththeSubscriber,g) theRelyingParty’sunderstandingoftrade,includingexperiencewithcomputer‐based
methodsoftrade,andh) anyotherindiciaofreliabilityorunreliabilitypertainingtotheSubscriberand/orthe
application,communication,ortransaction.Anyunauthorizedrelianceonacertificateisataparty’sownrisk.
9.6.5. RepresentationsandWarrantiesofOtherParticipantsNostipulation.
9.7. DISCLAIMERSOFWARRANTIESEXCEPTASEXPRESSLYSTATEDINSECTION9.6.1,ALLCERTIFICATESANDANYRELATEDSOFTWAREANDSERVICESAREPROVIDED"ASIS"AND"ASAVAILABLE”.TOTHEMAXIMUMEXTENTPERMITTEDBYLAW,DIGICERTDISCLAIMSALLEXPRESSANDIMPLIEDWARRANTIES,INCLUDINGALLWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ANDNON‐INFRINGEMENT.DIGICERTDOESNOTWARRANTTHATANYSERVICEORPRODUCTWILLMEETANYEXPECTATIONSORTHATACCESSTOCERTIFICIATESWILLBETIMELYORERROR‐FREE.DigiCertdoesnotguaranteetheavailabilityofanyproductsorservicesandmaymodifyordiscontinueanyproductorserviceofferingatanytime.AfiduciarydutyisnotcreatedsimplybecauseanentityusesDigiCert’sservices.
9.8. LIMITATIONSOFLIABILITYNOTHINGHEREINLIMITSLIABILTYRELATEDTO(I)DEATHORPERSONALINJURYRESULTINGFROMDIGICERT’SNEGLIGENCEOR(II)FRAUDCOMMITTEDBYDIGICERT.EXCEPTASSTATEDABOVE,ANYENTITYUSINGADIGICERTCERTIFICATEORSERVICEWAIVESALLLIABILITYOFDIGICERTRELATEDTOSUCHUSE,PROVIDEDTHATDIGICERTHASMATERIALLYCOMPLIEDWITHTHISCPSINPROVIDINGTHECERTIFICATEORSERVICE.DIGICERT’SLIABILITYFORCERTIFICATESANDSERVICESTHATDONOTMATERIALLYCOMPLYWITHTHISCPSISLIMITEDASFOLLOWS:
1. NOLIABILITYIFTHEDAMAGEORLOSSRELATESTOACERTIFICATEOTHERTHANASSLCERTIFICATEORCODESIGNINGCERTIFICATE,
2. AMAXIMUMLIABILITYOF$1,000PERTRANSACTIONFORSSLCERTIFICATES,3. ANAGGREGATEMAXIMUMLIABILITYOF$10,000FORALLCLAIMSRELATEDTOASINGLE
CERTIFICATEORSERVICE,4. ANDANAGGREGATEMAXIMUMLIABILITYOF$1MILLIONFORALLCLAIMS,REGARDLESSOF
THENUMBERORSOURCEOFTHECLAIMS.DIGICERTAPPORTIONSPAYMENTSRELATEDTOANAGGREGATEMAXIMUMLIMITATIONONLIABILITYUNDERTHISSECTIONTOTHEFIRSTCLAIMSTHATACHIEVEFINALRESOLUTION.Allliabilityislimitedtoactualandlegallyprovabledamages.DigiCertisnotliablefor:
1. Anyindirect,consequential,special,orpunitivedamagesoranylossofprofit,revenue,data,oropportunity,evenifDigiCertisawareofthepossibilityofsuchdamages;
2. LiabilityrelatedtofraudorwillfulmisconductoftheApplicant;3. Liabilityrelatedtouseofacertificatethatexceedsthelimitationsonuse,value,ortransactionsas
statedeitherinthecertificateorthisCPS;4. Liabilityrelatedtothesecurity,usability,orintegrityofproductsnotsuppliedbyDigiCert,including
theSubscriber’sandRelyingParty’shardware;or5. LiabilityrelatedtothecompromiseofaSubscriber’sPrivateKey.
Thelimitationsinthissectionapplytothemaximumextentpermittedbylawandapplyregardlessof(i)thereasonforornatureoftheliability,includingtortclaims,(ii)thenumberofclaimsofliability,(iii)theextent
56
ornatureofthedamages,(iv)whetherDigiCertfailedtofollowanyprovisionofthisCPS,or(v)whetheranyprovisionofthisCPSwasprovenineffective.ThedisclaimersandlimitationsonliabilitiesinthisCPSarefundamentaltermstotheuseofDigiCert’scertificatesandservices.
9.9. INDEMNITIES
9.9.1. IndemnificationbyDigiCertDigiCertshallindemnifyeachApplicationSoftwareVendoragainstanyclaim,damage,orlosssufferedbyanApplicationSoftwareVendorrelatedtoanEVCertificateissuedbyDigiCert,regardlessofthecauseofactionorlegaltheoryinvolved,exceptwheretheclaim,damage,orlosssufferedbytheApplicationSoftwareVendorwasdirectlycausedbytheApplicationSoftwareVendor’ssoftwaredisplayingeither(1)avalidandtrustworthyEVCertificateasnotvalidortrustworthyor(2)displayingastrustworthy(i)anEVCertificatethathasexpiredor(ii)arevokedEVCertificatewheretherevocationstatusisavailableonlinebuttheApplicationSoftwareVendor’ssoftwarefailedtocheckorignoredthestatus.
9.9.2. IndemnificationbySubscribersTotheextentpermittedbylaw,eachSubscribershallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedto(i)anymisrepresentationoromissionofmaterialfactbySubscriber,regardlessofwhetherthemisrepresentationoromissionwasintentionalorunintentional;(ii)Subscriber’sbreachoftheSubscriberAgreement,thisCPS,orapplicablelaw;(iii)thecompromiseorunauthorizeduseofacertificateorPrivateKeycausedbytheSubscriber’snegligenceorintentionalacts;or(iv)Subscriber’smisuseofthecertificateorPrivateKey.
9.9.3. IndemnificationbyRelyingPartiesTotheextentpermittedbylaw,eachRelyingPartyshallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedtotheRelyingParty’s(i)breachoftheRelyingPartyAgreement,anEnd‐UserLicenseAgreement,thisCPS,orapplicablelaw;(ii)unreasonablerelianceonacertificate;or(iii)failuretocheckthecertificate’sstatuspriortouse.
9.10. TERMANDTERMINATION
9.10.1. TermThisCPSandanyamendmentstotheCPSareeffectivewhenpublishedtoDigiCert’sonlinerepositoryandremainineffectuntilreplacedwithanewerversion.
9.10.2. TerminationThisCPSandanyamendmentsremainineffectuntilreplacedbyanewerversion.
9.10.3. EffectofTerminationandSurvivalDigiCertwillcommunicatetheconditionsandeffectofthisCPS’sterminationviatheDigiCertRepository.Thecommunicationwillspecifywhichprovisionssurvivetermination.Ataminimum,allresponsibilitiesrelatedtoprotectingconfidentialinformationwillsurvivetermination.AllSubscriberAgreementsremaineffectiveuntilthecertificateisrevokedorexpired,evenifthisCPSterminates.
9.11. INDIVIDUALNOTICESANDCOMMUNICATIONSWITHPARTICIPANTSDigiCertacceptsnoticesrelatedtothisCPSatthelocationsspecifiedinSection2.2.NoticesaredeemedeffectiveafterthesenderreceivesavalidanddigitallysignedacknowledgmentofreceiptfromDigiCert.Ifanacknowledgementofreceiptisnotreceivedwithinfivedays,thesendermustresendthenoticeinpaperformtothestreetaddressspecifiedinSection2.2usingeitheracourierservicethatconfirmsdeliveryor
57
viacertifiedorregisteredmailwithpostageprepaidandreturnreceiptrequested.DigiCertmayallowotherformsofnoticeinitsSubscriberAgreements.
9.12. AMENDMENTS
9.12.1. ProcedureforAmendmentThisCPSisreviewedannually.AmendmentsaremadebypostinganupdatedversionoftheCPStotheonlinerepository.ControlsareinplacetoreasonablyensurethatthisCPSisnotamendedandpublishedwithoutthepriorauthorizationoftheDCPA.
9.12.2. NotificationMechanismandPeriodDigiCertpostsCPSrevisionstoitswebsite.DigiCertdoesnotguaranteeorsetanotice‐and‐commentperiodandmaymakechangestothisCPSwithoutnoticeandwithoutchangingtheversionnumber.Majorchangesaffectingaccreditedcertificatesareannouncedandapprovedbytheaccreditingagencypriortobecomingeffective.TheDCPAisresponsiblefordeterminingwhatconstitutesamaterialchangeoftheCPS.
9.12.3. CircumstancesunderwhichOIDMustBeChangedTheDCPAissolelyresponsiblefordeterminingwhetheranamendmenttotheCPSrequiresanOIDchange.
9.13. DISPUTERESOLUTIONPROVISIONSPartiesarerequiredtonotifyDigiCertandattempttoresolvedisputesdirectlywithDigiCertbeforeresortingtoanydisputeresolutionmechanism,includingadjudicationoranytypeofalternativedisputeresolution.
9.14. GOVERNINGLAWThenationallawoftherelevantmemberstategovernsanydisputeinvolvingQualifiedCertificates.ExceptfordisputesinvolvingQualifiedCertificates,thelawsofthestateofUtahgoverntheinterpretation,construction,andenforcementofthisCPSandallproceedingsrelatedtoDigiCert’sproductsandservices,includingtortclaims,withoutregardtoanyconflictsoflawprinciples.ThestateofUtahhasnon‐exclusivevenueandjurisdictionoveranyproceedingsrelatedtotheCPSoranyDigiCertproductorservice.
9.15. COMPLIANCEWITHAPPLICABLELAWThisCPSissubjecttoallapplicablelawsandregulations,includingUnitedStatesrestrictionsontheexportofsoftwareandcryptographyproducts.Subjecttosection9.4.5’sNoticeandConsenttoUsePrivateInformationcontainedinCertificates,DigiCertmeetstherequirementsoftheEuropeandataprotectiondirective95/46/ECandhasestablishedappropriatetechnicalandorganizationmeasuresagainstunauthorizedorunlawfulprocessingofpersonaldataandagainsttheloss,damage,ordestructionofpersonaldata.
9.16. MISCELLANEOUSPROVISIONS
9.16.1. EntireAgreementDigiCertcontractuallyobligateseachRAtocomplywiththisCPSandapplicableindustryguidelines.DigiCertalsorequireseachpartyusingitsproductsandservicestoenterintoanagreementthatdelineatesthetermsassociatedwiththeproductorservice.IfanagreementhasprovisionsthatdifferfromthisCPS,thentheagreementwiththatpartycontrols,butsolelywithrespecttothatparty.Thirdpartiesmaynotrelyonorbringactiontoenforcesuchagreement.
9.16.2. AssignmentAnyentitiesoperatingunderthisCPSmaynotassigntheirrightsorobligationswithoutthepriorwrittenconsentofDigiCert.Unlessspecifiedotherwiseinacontactwithaparty,DigiCertdoesnotprovidenoticeofassignment.
58
9.16.3. SeverabilityIfanyprovisionofthisCPSisheldinvalidorunenforceablebyacompetentcourtortribunal,theremainderoftheCPSwillremainvalidandenforceable.EachprovisionofthisCPSthatprovidesforalimitationofliability,disclaimerofawarranty,oranexclusionofdamagesisseverableandindependentofanyotherprovision.
9.16.4. Enforcement(attorneys'feesandwaiverofrights)DigiCertmayseekindemnificationandattorneys'feesfromapartyfordamages,losses,andexpensesrelatedtothatparty'sconduct.DigiCert’sfailuretoenforceaprovisionofthisCPSdoesnotwaiveDigiCert’srighttoenforcethesameprovisionlaterorrighttoenforceanyotherprovisionofthisCPS.Tobeeffective,waiversmustbeinwritingandsignedbyDigiCert.
9.16.5. ForceMajeureDigiCertisnotliableforanydelayorfailuretoperformanobligationunderthisCPStotheextentthatthedelayorfailureiscausedbyanoccurrencebeyondDigiCert’sreasonablecontrol.TheoperationoftheInternetisbeyondDigiCert’sreasonablecontrol.
9.17. OTHERPROVISIONSNostipulation.
59
APPENDIXA:SAMPLEOPINIONLETTER
[Date]To: DigiCert,Inc. 2600WestExecutiveParkway Suite500 Lehi,UT84043 Email:[email protected] Fax:801‐705‐0481Re: DigitalCertificatefor[Exactcompanynameofclient–seefootnote1](“Client”)
ThisfirmrepresentsClient,whoaskedthatI,asits[accountant,lawyer,solicitors,barrister,advocate,etc.],attesttothefollowinginformationsolelyasrelatedtotheClient’sapplicationforadigitalcertificate.
AfterreviewingtheClient’srecordsandbasedonmyinvestigation,myprofessionalopinionisthat:
1. Clientisadulyformed[corporation,LLC,etc.]underthelawsofthe[state/province]of[nameof
governingjurisdictionwhereClientisincorporatedorregistered];is“active,”“valid,”“current,”ortheequivalent;andisnotunderanyknownlegaldisability.
2. [Ifapplicable]TheRomanizedtransliterationofClient’sformallegalnameis:[Romanizedname].
3. [Ifapplicable]Clientconductsbusinessunderthe[assumed/DBA/trade]nameof[assumednameofClient].Clienthasacurrentlyvalidregistrationofthenamewiththegovernmentagencythathasjurisdictionovertheplaceofbusinesslistedbelow.
4. Theaddresswhere[Client,Client’sparent,orClient’ssubsidiary–selectone]conductsbusinessoperationsis:[Insertplaceofbusiness–thisshouldmatchtheaddressonthecertificateapplication]
5. AmaintelephonenumberatClient’splaceofbusinessis:
[Insertprimarytelephonenumberofbusiness]
6. [NameofClient’sRepresentative–seefootnote2]isanindividual(orareindividuals)withtheauthoritytoactonbehalfofClientto:a) ProvideinformationabouttheClientcontainedinthereferencedapplication,b) Requestoneormoredigitalcertificatesanddesignateotherpersonstorequestdigital
certificates,andc) AgreetothecontractualobligationscontainedinDigiCert’sagreements.
7. [NameandtitleofClient’sRepresentative],whoisClient’s[TitleofClientRepresentative],canbecontactedat:Email:[EmailaddressofClientRepresentative]Phone:[PhonenumberofClientRepresentative]
8. Clienthaseitheroperatedasabusinessforthreeormoreyearsorhasanactivedepositaccountheldatabankorotherfinancialinstitutionwherefundsdepositedarepayableondemand.
9. Clienthastheexclusiverighttousethefollowingdomainname(s)inidentifyingitselfontheInternetandisawarethatithassuchcontrol:[Insertdomainnames]
60
Althoughwedidnotfindanyexceptionstotheaboveidentificationprocedures,theseproceduresdonot
constituteanauditoropinionofClient'sapplicationforadigitalcertificate.WearenotexpressinganopiniononClient'sdigitalcertificateapplicationandhaveprovidedthislettersolelyforthebenefitofDigiCertinconnectionwithClient'sapplicationforadigitalcertificate.Nootherpersonorentitymayrelyonthisletterwithoutmyexpresswrittenconsent.Thislettershallnotbequotedinwholeorinpart,used,publishedorotherwisereferredtoorrelieduponinanymanner,including,withoutlimitation,inanyfinancialstatementorotherdocument.Signature:__________________________________________________PrintAccountant/AttorneyName:______________________________________________________PhoneNumber:_____________________________________________Email:_____________________________________________FirmName:_____________________________________________Licensedin:___________________________________Licensenumber,ifany:__________________________________Contactinformationforlicensingagencywherethisaccountant's/attorney'slicenseinformationmaybeverified:___________________________________________________________________Note1:ThismustbetheClient’sexactcorporatenameasregisteredwiththerelevantIncorporatingAgency
intheClient’sJurisdictionofIncorporation.Note2:APowerofAttorneyfromanofficeroftheClientwhohasthepowertodelegateauthorityissufficient
toestablishtheClientRepresentative’sactualauthority.Multiplerepresentativesmaybelisted.Note3:In‐housecounseloftheClientmaysubmitthisletterifpermittedbytherulesofyourjurisdiction.Note4: Thislettermaybesubmittedbymail,fax,oremail.