digicert certification practices statement€¦ · digicert certification practices statement...
TRANSCRIPT
DigiCert
CertificationPracticesStatement
DigiCert,Inc.Version4.16
October9,2018
2801N.ThanksgivingWaySuite500
Lehi,UT84043USA
Tel:1‐801‐877‐2100Fax:1‐801‐705‐0481
www.digicert.com
ii
TABLEOFCONTENTS
1. INTRODUCTION ..................................................................................................................................... 1
1.1. Overview ...................................................................................................................................... 1 1.2. DocumentnameandIdentification ................................................................................................ 1 1.3. PKIParticipants ............................................................................................................................ 4
1.3.1. CertificationAuthorities ........................................................................................................... 4 1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdParties ...................................................... 5 1.3.3. Subscribers .............................................................................................................................. 5 1.3.4. RelyingParties ......................................................................................................................... 5 1.3.5. OtherParticipants .................................................................................................................... 5
1.4. CertificateUsage ........................................................................................................................... 5 1.4.1. AppropriateCertificateUses ..................................................................................................... 5 1.4.2. ProhibitedCertificateUses ....................................................................................................... 7
1.5. Policyadministration .................................................................................................................... 7 1.5.1. OrganizationAdministeringtheDocument ............................................................................... 7 1.5.2. ContactPerson ......................................................................................................................... 7 1.5.3. PersonDeterminingCPSSuitabilityforthePolicy ..................................................................... 8 1.5.4. CPSApprovalProcedures ......................................................................................................... 8
1.6. Definitionsandacronyms .............................................................................................................. 8 1.6.1. Definitions ............................................................................................................................... 8 1.6.2. Acronyms................................................................................................................................. 9 1.6.3. References ............................................................................................................................. 10
2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES ........................................................................... 10 2.1. Repositories ................................................................................................................................ 10 2.2. Publicationofcertificationinformation ....................................................................................... 11 2.3. Timeorfrequencyofpublication ................................................................................................. 11 2.4. Accesscontrolsonrepositories ................................................................................................... 11
3. IDENTIFICATIONANDAUTHENTICATION ............................................................................................ 11 3.1. Naming ....................................................................................................................................... 11
3.1.1. TypesofNames ...................................................................................................................... 11 3.1.2. NeedforNamestobeMeaningful ........................................................................................... 11 3.1.3. AnonymityorPseudonymityofSubscribers ............................................................................ 12 3.1.4. RulesforInterpretingVariousNameForms ............................................................................ 12 3.1.5. UniquenessofNames ............................................................................................................. 12 3.1.6. Recognition,Authentication,andRoleofTrademarks ............................................................. 12
3.2. Initialidentityvalidation ............................................................................................................. 12 3.2.1. MethodtoProvePossessionofPrivateKey ............................................................................. 12 3.2.2. AuthenticationofOrganizationandDomain/EmailControl ..................................................... 13 3.2.3. AuthenticationofIndividualIdentity ...................................................................................... 16 3.2.4. Non‐verifiedSubscriberInformation ...................................................................................... 21 3.2.5. ValidationofAuthority ........................................................................................................... 21
3.3. Identificationandauthenticationforre‐keyrequests ................................................................... 22 3.3.1. IdentificationandAuthenticationforRoutineRe‐key .............................................................. 22 3.3.2. IdentificationandAuthenticationforRe‐keyAfterRevocation ................................................ 23
3.4. Identificationandauthenticationforrevocationrequest .............................................................. 23 4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS .................................................................. 23
4.1. CertificateApplication ................................................................................................................. 23 4.1.1. WhoCanSubmitaCertificateApplication ............................................................................... 23 4.1.2. EnrollmentProcessandResponsibilities ................................................................................. 24
4.2. Certificateapplicationprocessing ................................................................................................ 24 4.2.1. PerformingIdentificationandAuthenticationFunctions ......................................................... 24 4.2.2. ApprovalorRejectionofCertificateApplications .................................................................... 24 4.2.3. TimetoProcessCertificateApplications ................................................................................. 25
4.3. Certificateissuance ..................................................................................................................... 25 4.3.1. CAActionsduringCertificateIssuance .................................................................................... 25 4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificate ................................................. 25
4.4. Certificateacceptance ................................................................................................................. 25 4.4.1. ConductConstitutingCertificateAcceptance ........................................................................... 25
iii
4.4.2. PublicationoftheCertificatebytheCA ................................................................................... 25 4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntities ................................................ 25
4.5. Keypairandcertificateusage ...................................................................................................... 26 4.5.1. SubscriberPrivateKeyandCertificateUsage .......................................................................... 26 4.5.2. RelyingPartyPublicKeyandCertificateUsage ........................................................................ 26
4.6. Certificaterenewal ...................................................................................................................... 26 4.6.1. CircumstanceforCertificateRenewal ..................................................................................... 26 4.6.2. WhoMayRequestRenewal .................................................................................................... 26 4.6.3. ProcessingCertificateRenewalRequests ................................................................................ 26 4.6.4. NotificationofNewCertificateIssuancetoSubscriber ............................................................. 27 4.6.5. ConductConstitutingAcceptanceofaRenewalCertificate ....................................................... 27 4.6.6. PublicationoftheRenewalCertificatebytheCA ..................................................................... 27 4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntities ................................................ 27
4.7. Certificatere‐key ........................................................................................................................ 27 4.7.1. CircumstanceforCertificateRekey ......................................................................................... 27 4.7.2. WhoMayRequestCertificateRekey ........................................................................................ 27 4.7.3. ProcessingCertificateRekeyRequests .................................................................................... 27 4.7.4. NotificationofCertificateRekeytoSubscriber ........................................................................ 27 4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificate ....................................................... 27 4.7.6. PublicationoftheIssuedCertificatebytheCA ......................................................................... 27 4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntities ................................................ 28
4.8. Certificatemodification ............................................................................................................... 28 4.8.1. CircumstancesforCertificateModification .............................................................................. 28 4.8.2. WhoMayRequestCertificateModification .............................................................................. 28 4.8.3. ProcessingCertificateModificationRequests .......................................................................... 28 4.8.4. NotificationofCertificateModificationtoSubscriber............................................................... 28 4.8.5. ConductConstitutingAcceptanceofaModifiedCertificate ...................................................... 28 4.8.6. PublicationoftheModifiedCertificatebytheCA ..................................................................... 28 4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntities .......................................... 28
4.9. Certificaterevocationandsuspension ......................................................................................... 28 4.9.1. CircumstancesforRevocation ................................................................................................. 28 4.9.2. WhoCanRequestRevocation ................................................................................................. 30 4.9.3. ProcedureforRevocationRequest .......................................................................................... 30 4.9.4. RevocationRequestGracePeriod ........................................................................................... 31 4.9.5. TimewithinwhichCAMustProcesstheRevocationRequest ................................................... 31 4.9.6. RevocationCheckingRequirementforRelyingParties ............................................................ 31 4.9.7. CRLIssuanceFrequency ......................................................................................................... 31 4.9.8. MaximumLatencyforCRLs .................................................................................................... 32 4.9.9. On‐lineRevocation/StatusCheckingAvailability ..................................................................... 32 4.9.10. On‐lineRevocationCheckingRequirements ............................................................................ 32 4.9.11. OtherFormsofRevocationAdvertisementsAvailable ............................................................. 32 4.9.12. SpecialRequirementsRelatedtoKeyCompromise .................................................................. 32 4.9.13. CircumstancesforSuspension ................................................................................................ 32 4.9.14. WhoCanRequestSuspension ................................................................................................. 32 4.9.15. ProcedureforSuspensionRequest.......................................................................................... 32 4.9.16. LimitsonSuspensionPeriod ................................................................................................... 32
4.10. Certificatestatusservices ............................................................................................................ 33 4.10.1. OperationalCharacteristics .................................................................................................... 33 4.10.2. ServiceAvailability ................................................................................................................. 33 4.10.3. OptionalFeatures ................................................................................................................... 33
4.11. Endofsubscription ..................................................................................................................... 33 4.12. Keyescrowandrecovery ............................................................................................................ 33
4.12.1. KeyEscrowandRecoveryPolicyPractices .............................................................................. 33 4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices ................................................. 34
5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS .................................................................. 34 5.1. PhysicalControls ........................................................................................................................ 34
5.1.1. SiteLocationandConstruction ............................................................................................... 34 5.1.2. PhysicalAccess ...................................................................................................................... 34 5.1.3. PowerandAirConditioning .................................................................................................... 35 5.1.4. WaterExposures .................................................................................................................... 35 5.1.5. FirePreventionandProtection ............................................................................................... 35
iv
5.1.6. MediaStorage ........................................................................................................................ 35 5.1.7. WasteDisposal ....................................................................................................................... 35 5.1.8. Off‐siteBackup ....................................................................................................................... 35 5.1.9. CertificateStatusHosting,CMSandExternalRASystems ........................................................ 35
5.2. Proceduralcontrols ..................................................................................................................... 35 5.2.1. TrustedRoles ......................................................................................................................... 35 5.2.2. NumberofPersonsRequiredperTask .................................................................................... 36 5.2.3. IdentificationandAuthenticationforeachRole ....................................................................... 36 5.2.4. RolesRequiringSeparationofDuties ...................................................................................... 36
5.3. Personnelcontrols ...................................................................................................................... 37 5.3.1. Qualifications,Experience,andClearanceRequirements ......................................................... 37 5.3.2. BackgroundCheckProcedures ............................................................................................... 37 5.3.3. TrainingRequirements ........................................................................................................... 37 5.3.4. RetrainingFrequencyandRequirements ................................................................................ 38 5.3.5. JobRotationFrequencyandSequence .................................................................................... 38 5.3.6. SanctionsforUnauthorizedActions ........................................................................................ 38 5.3.7. IndependentContractorRequirements ................................................................................... 38 5.3.8. DocumentationSuppliedtoPersonnel .................................................................................... 38
5.4. Auditloggingprocedures ............................................................................................................ 38 5.4.1. TypesofEventsRecorded....................................................................................................... 38 5.4.2. FrequencyofProcessingLog .................................................................................................. 40 5.4.3. RetentionPeriodforAuditLog ............................................................................................... 41 5.4.4. ProtectionofAuditLog ........................................................................................................... 41 5.4.5. AuditLogBackupProcedures ................................................................................................. 41 5.4.6. AuditCollectionSystem(internalvs.external) ........................................................................ 41 5.4.7. NotificationtoEvent‐causingSubject ...................................................................................... 41 5.4.8. VulnerabilityAssessments ...................................................................................................... 41
5.5. Recordsarchival ......................................................................................................................... 41 5.5.1. TypesofRecordsArchived ..................................................................................................... 41 5.5.2. RetentionPeriodforArchive .................................................................................................. 42 5.5.3. ProtectionofArchive .............................................................................................................. 42 5.5.4. ArchiveBackupProcedures .................................................................................................... 42 5.5.5. RequirementsforTime‐stampingofRecords .......................................................................... 42 5.5.6. ArchiveCollectionSystem(internalorexternal) ..................................................................... 42 5.5.7. ProcedurestoObtainandVerifyArchiveInformation ............................................................. 42
5.6. Keychangeover .......................................................................................................................... 43 5.7. Compromiseanddisasterrecovery ............................................................................................. 43
5.7.1. IncidentandCompromiseHandlingProcedures ...................................................................... 43 5.7.2. ComputingResources,Software,and/orDataAreCorrupted ................................................... 43 5.7.3. EntityPrivateKeyCompromiseProcedures ............................................................................ 44 5.7.4. BusinessContinuityCapabilitiesafteraDisaster ..................................................................... 44
5.8. CAorRAtermination .................................................................................................................. 44 6. TECHNICALSECURITYCONTROLS ........................................................................................................ 45
6.1. Keypairgenerationandinstallation ............................................................................................ 45 6.1.1. KeyPairGeneration ............................................................................................................... 45 6.1.2. PrivateKeyDeliverytoSubscriber .......................................................................................... 45 6.1.3. PublicKeyDeliverytoCertificateIssuer .................................................................................. 46 6.1.4. CAPublicKeyDeliverytoRelyingParties ................................................................................ 46 6.1.5. KeySizes ................................................................................................................................ 46 6.1.6. PublicKeyParametersGenerationandQualityChecking ......................................................... 46 6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield) ............................................................. 46
6.2. PrivateKeyProtectionandCryptographicModuleEngineeringControls ...................................... 47 6.2.1. CryptographicModuleStandardsandControls ....................................................................... 47 6.2.2. PrivateKey(noutofm)Multi‐personControl ......................................................................... 48 6.2.3. PrivateKeyEscrow ................................................................................................................ 48 6.2.4. PrivateKeyBackup ................................................................................................................ 48 6.2.5. PrivateKeyArchival ............................................................................................................... 48 6.2.6. PrivateKeyTransferintoorfromaCryptographicModule ...................................................... 48 6.2.7. PrivateKeyStorageonCryptographicModule ........................................................................ 49 6.2.8. MethodofActivatingPrivateKeys .......................................................................................... 49 6.2.9. MethodofDeactivatingPrivateKeys ....................................................................................... 49
v
6.2.10. MethodofDestroyingPrivateKeys ......................................................................................... 49 6.2.11. CryptographicModuleRating ................................................................................................. 49
6.3. Otheraspectsofkeypairmanagement ........................................................................................ 49 6.3.1. PublicKeyArchival ................................................................................................................ 49 6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriods .................................................... 49
6.4. Activationdata ............................................................................................................................ 50 6.4.1. ActivationDataGenerationandInstallation ............................................................................ 50 6.4.2. ActivationDataProtection ...................................................................................................... 50 6.4.3. OtherAspectsofActivationData ............................................................................................. 51
6.5. Computersecuritycontrols ......................................................................................................... 51 6.5.1. SpecificComputerSecurityTechnicalRequirements ............................................................... 51 6.5.2. ComputerSecurityRating ....................................................................................................... 51
6.6. Lifecycletechnicalcontrols ......................................................................................................... 51 6.6.1. SystemDevelopmentControls ................................................................................................ 51 6.6.2. SecurityManagementControls ............................................................................................... 52 6.6.3. LifeCycleSecurityControls .................................................................................................... 52
6.7. Networksecuritycontrols ........................................................................................................... 52 6.8. Time‐stamping ............................................................................................................................ 52
7. CERTIFICATE,CRL,ANDOCSPPROFILES .............................................................................................. 53 7.1. Certificateprofile ........................................................................................................................ 53
7.1.1. VersionNumber(s) ................................................................................................................. 53 7.1.2. CertificateExtensions ............................................................................................................. 53 7.1.3. AlgorithmObjectIdentifiers ................................................................................................... 53 7.1.4. NameForms........................................................................................................................... 54 7.1.5. NameConstraints ................................................................................................................... 54 7.1.6. CertificatePolicyObjectIdentifier .......................................................................................... 55 7.1.7. UsageofPolicyConstraintsExtension ..................................................................................... 55 7.1.8. PolicyQualifiersSyntaxandSemantics ................................................................................... 55 7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtension ......................................... 55
7.2. CRLprofile .................................................................................................................................. 55 7.2.1. Versionnumber(s) ................................................................................................................. 55 7.2.2. CRLandCRLEntryExtensions ................................................................................................ 55
7.3. OCSPprofile ................................................................................................................................ 55 7.3.1. VersionNumber(s) ................................................................................................................. 55 7.3.2. OCSPExtensions .................................................................................................................... 55
8. COMPLIANCEAUDITANDOTHERASSESSMENTS ................................................................................. 55 8.1. Frequencyorcircumstancesofassessment .................................................................................. 56 8.2. Identity/qualificationsofassessor ............................................................................................... 56 8.3. Assessor'srelationshiptoassessedentity .................................................................................... 56 8.4. Topicscoveredbyassessment ..................................................................................................... 56 8.5. Actionstakenasaresultofdeficiency .......................................................................................... 56 8.6. Communicationofresults ............................................................................................................ 56 8.7. Self‐Audits .................................................................................................................................. 56
9. OTHERBUSINESSANDLEGALMATTERS .............................................................................................. 56 9.1. Fees ............................................................................................................................................ 56
9.1.1. CertificateIssuanceorRenewalFees ...................................................................................... 56 9.1.2. CertificateAccessFees ............................................................................................................ 56 9.1.3. RevocationorStatusInformationAccessFees ......................................................................... 56 9.1.4. FeesforOtherServices ........................................................................................................... 57 9.1.5. RefundPolicy ......................................................................................................................... 57
9.2. Financialresponsibility ............................................................................................................... 57 9.2.1. InsuranceCoverage ................................................................................................................ 57 9.2.2. OtherAssets ........................................................................................................................... 57 9.2.3. InsuranceorWarrantyCoverageforEnd‐Entities ................................................................... 57
9.3. Confidentialityofbusinessinformation ....................................................................................... 57 9.3.1. ScopeofConfidentialInformation ........................................................................................... 57 9.3.2. InformationNotWithintheScopeofConfidentialInformation ................................................ 57 9.3.3. ResponsibilitytoProtectConfidentialInformation .................................................................. 57
9.4. Privacyofpersonalinformation .................................................................................................. 57 9.4.1. PrivacyPlan ........................................................................................................................... 57 9.4.2. InformationTreatedasPrivate ............................................................................................... 58
vi
9.4.3. InformationNotDeemedPrivate ............................................................................................ 58 9.4.4. ResponsibilitytoProtectPrivateInformation ......................................................................... 58 9.4.5. NoticeandConsenttoUsePrivateInformation ....................................................................... 58 9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcess ....................................................... 58 9.4.7. OtherInformationDisclosureCircumstances .......................................................................... 58
9.5. Intellectualpropertyrights ......................................................................................................... 58 9.6. Representationsandwarranties .................................................................................................. 58
9.6.1. CARepresentationsandWarranties ....................................................................................... 58 9.6.2. RARepresentationsandWarranties ....................................................................................... 59 9.6.3. SubscriberRepresentationsandWarranties ........................................................................... 59 9.6.4. RelyingPartyRepresentationsandWarranties ....................................................................... 60 9.6.5. RepresentationsandWarrantiesofOtherParticipants ............................................................ 60
9.7. Disclaimersofwarranties ............................................................................................................ 60 9.8. Limitationsofliability ................................................................................................................. 60 9.9. Indemnities ................................................................................................................................ 61
9.9.1. IndemnificationbyDigiCert .................................................................................................... 61 9.9.2. IndemnificationbySubscribers .............................................................................................. 61 9.9.3. IndemnificationbyRelyingParties ......................................................................................... 61
9.10. Termandtermination ................................................................................................................. 61 9.10.1. Term ...................................................................................................................................... 61 9.10.2. Termination ........................................................................................................................... 61 9.10.3. EffectofTerminationandSurvival .......................................................................................... 61
9.11. Individualnoticesandcommunicationswithparticipants ............................................................ 62 9.12. Amendments .............................................................................................................................. 62
9.12.1. ProcedureforAmendment ..................................................................................................... 62 9.12.2. NotificationMechanismandPeriod ........................................................................................ 62 9.12.3. CircumstancesunderwhichOIDMustBeChanged .................................................................. 62
9.13. Disputeresolutionprovisions ...................................................................................................... 62 9.14. Governinglaw ............................................................................................................................. 62 9.15. Compliancewithapplicablelaw .................................................................................................. 62 9.16. Miscellaneousprovisions ............................................................................................................ 63
9.16.1. EntireAgreement ................................................................................................................... 63 9.16.2. Assignment ............................................................................................................................ 63 9.16.3. Severability ............................................................................................................................ 63 9.16.4. Enforcement(attorneys'feesandwaiverofrights) ................................................................. 63 9.16.5. ForceMajeure ........................................................................................................................ 63
9.17. Otherprovisions ......................................................................................................................... 63 AppendixA:SampleOpinionLETTER ............................................................................................................. 64
1
1. INTRODUCTION
1.1. OVERVIEWThisdocumentistheDigiCert,Inc.(“DigiCert”)CertificationPracticesStatement(CPS)thatoutlinestheprinciplesandpracticesrelatedtoDigiCert’scertificationandtime‐stampingservices.ThisCPSappliestoallentitiesparticipatinginorusingDigiCert’scertificateandtime‐stampingservices,excludingparticipantsinDigiCert’sPrivatePKIservices,whicharenotcross‐certifiedorpubliclytrusted.ThisCPSonlyaddressestheactionsofDigiCertandnotthoseofthirdpartiesoperatingwithcrosscertificatesissuedbyDigiCert.SpecificrequirementsregardingthoseCertificatesaresetforthintheindividualagreementswiththeappropriateDigiCertcustomerandinthatthirdparty’sownCPS.ThisCPSdescribesthepracticesusedtocomplywiththecurrentversionsofthefollowingpolicies,guidelines,andrequirements:
theDigiCertCertificatePolicy(the“CP”), theAdobeSystemsInc.(“Adobe”)AATLCertificatePolicy, MozillaRootStorePolicy, theFederalBridgeCertificationAuthority(“FBCA”)CertificatePolicy, theCertificationAuthority/BrowserForum(“CABForum”)BaselineRequirementsCertificatePolicy
fortheIssuanceandManagementofPublicly‐TrustedCertificates(“BaselineRequirements”)locatedathttps://cabforum.org/baseline‐requirements‐documents,
theCABForumGuidelinesfortheIssuanceandManagementofExtendedValidationCertificates(“EVGuidelines”)locatedathttps://cabforum.org/extended‐validation,
theCABForumGuidelinesfortheIssuanceandManagementofExtendedValidationCodeSigningCertificates,
theCABForumNetworkandCertificateSystemSecurityRequirements, theMinimumRequirementsfortheIssuanceandManagementofPublicly‐TrustedCodeSigning
Certificates(“MinimumRequirementsforCodeSigning”)locatedathttps://aka.ms/csbr, theDirectTrustCommunityX.509CertificatePolicy,and theWi‐FiAllianceHotspot2.0Specification.
IfanyinconsistencyexistsbetweenthisCPSandthenormativeprovisionsoftheforegoingpolicies,guidelines,andrequirements(“ApplicableRequirements”),thentheApplicableRequirementstakeprecedenceoverthisCPS.Time‐stampingservicesareprovidedaccordingtoIETFRFC3161andothertechnicalstandards.ThisCPSisonlyoneofseveraldocumentsthatcontrolDigiCert’scertificationservices.Otherimportantdocumentsincludebothprivateandpublicdocuments,suchastheCP,DigiCert’sagreementswithitscustomers,RelyingPartyagreements,andDigiCert’sprivacypolicy.DigiCertmayprovideadditionalcertificatepoliciesorcertificationpracticestatements.Thesesupplementalpoliciesandstatementsareavailabletoapplicableusersorrelyingparties.PursuanttotheIETFPKIXRFC3647CP/CPSframework,thisCPSisdividedintoninepartsthatcoverthesecuritycontrolsandpracticesandproceduresforcertificateandtime‐stampingserviceswithintheDigiCertPKI.TopreservetheoutlinespecifiedbyRFC3647,sectionheadingsthatdonotapplyareaccompaniedwiththestatement"Notapplicable"or"Nostipulation."
1.2. DOCUMENTNAMEANDIDENTIFICATIONThisdocumentistheDigiCertCertificationPracticesStatementandwasfirstapprovedforpublicationon9August2010bytheDigiCertPolicyAuthority(DCPA).Thefollowingrevisionshavebeenmadetotheoriginaldocument:
2
Date Changes Version09‐October‐2018 ClarificationtoemailvalidationmethodsandMozillaCARoot
Policy2.6.1updatesmadethroughoutthedocument.Removedfrequentpasswordchangingpracticefromsection6.4.1tocomplywithNISTSpecialPublication800‐63‐3:DigitalAuthenticationGuidelines.Changesmadetosection3.2.2toclarifydifferencesbetweenLevels1‐4andClass1‐3Certificateissuancepractices.Addedsections1.5.2.1forRevocationReportingContactPersonandadditions/revisionstosection4.9tomeettherevocationrequirementsforCABFballotSC6.
4.16
24‐August‐2018 UpdatesthroughoutforAdobeAATL2.0,addedClass1‐3OIDs,removedunuseddefinitionsandreferencestoEUQualifiedCertificates,updatedsections3.2.2and3.2.3regardingemailvalidation,addedlanguageinsection6.1.1tospecifythatDigiCertdoesnotcreatekeypairsforpubliclytrustedend‐entityTLSCertificates,amendedlimitationofliabilityinsection9.8toaddressNetsureExtendedWarrantyandRelyingPartyAgreement,andremovedline9inAppendixA
4.15
25‐January‐2018 AddedlanguagebasedontheCABForum’sBaselineRequirements,asindicatedbyMozilla’sSelf‐Assessmentprocess
4.14
8‐November‐2017 AddedSymantecCAAidentifyingdomains 4.138‐September‐2017 AddedCAAprocessingprovisions,removedreferencestoPIV‐I,
reviseddescriptionsofprocessesusedforvalidatingidentity,updateddescriptionofphysicalaccessandsecurity,addedtrustedroleofRAAdministrator,andremoved“conflict‐of‐interest”prohibitionfromtrustedroles.
4.12
23‐February‐2017 Updatedaddress,maderevisionsrelatedtotheMinimumRequirementsfortheIssuanceandManagementofPublicly‐TrustedCodeSigningCertificates,andmadeotherchangestoupdatetheCPS.
4.11
9‐September‐2016 Updatedto:includeCybertrustCAsacquiredfromVerizon,clarifyidentityverificationprocess,updatedocumentinaccordancewithFBCACPv.2.29andsec.9.6.3ofBaselineRequirements.
4.10
1‐June‐2015 UpdatedCPStoconformtopracticesforbackup,archival,CAkeygeneration,andcertificateacceptance.
4.09
1‐April‐2015 MinorchangesmadetoupdatewithCA/BrowserForumguidelinesandforconsistencywithDigiCertCPv.4.08
4.08
7‐October‐2014 UpdatedforconsistencywithDigiCertCPv.4.07 4.0714‐May‐2014 Updatedpracticestocomplywithnewpolicyrequirementsand
changestotheDirectTrustCP,BaselineRequirements,EVGuidelines,andEVCodeSigningGuidelines.
4.06
2‐May‐2013 Updatedmailingaddress.Alsoupdatedpracticestocomplywithnewpolicyrequirements,theDirectTrustCP,changestotheAdobeprogram,andCABForumguidelines.
4.05
10‐May‐2012 UpdatedtoincludepracticessetforthintheBaselineRequirements,thecurrentMozillaCAPolicy,EVCodeSigning,theIGTF,andotherpolicybodies.
4.04
3‐May‐2011 IGTFCertificatesaddedandminorupdatesmadetoseveralsections.
4.03
29‐October‐2010 ChangesmadeinresponsetocommentsfromtheFPKICPWGregardingcertificatestatusservices,trustedroles,andoff‐site
4.02
3
Date Changes Versionbackupofarchive.
26‐August‐2010 Updatedtheprocessusedtoauthenticatethecertificaterequester’sauthorityundersection3.2.5forcodesigningCertificatesissuedtoorganizations
4.01
9‐August‐2010 Thisversion4.0replacestheDigiCertCertificatePolicyandCertificationPracticesStatement,Version3.08,datedMay29,2009,andtheDigiCertCertificationPracticeStatementforExtendedValidationCertificates,Version1.0.4,May29,2009.
4.0
TheOIDforDigiCertisjoint‐iso‐ccitt(2)country(16)USA(840)US‐company(1)DigiCert(114412).TheOID‐arcforthisversion4oftheCPSis2.16.840.1.114412.0.2.4.SubsequentrevisionstothisCPSmighthavenewOIDassignments.DigiCertissuesCertificatesandtime‐stamptokenscontainingthefollowingOIDs/OIDarcs:
DigitallySignedObject ObjectIdentifier(OID)DomainVetted(DV)SSL/TLSServerCertificatespertheBaselineRequirements
2.16.840.1.114412.1.2and/or2.23.140.1.2.1(CABForumBaselineReqs.)
OrganizationVetted(OV)SSL/TLSServerCertificatespertheBaselineRequirements
2.16.840.1.114412.1.1and/or2.23.140.1.2.2(CABForumBaselineReqs.)
IndividualVetted(IV)SSL/TLSServerCertificatespertheBaselineRequirements
2.16.840.1.114412.1.1and/or2.23.140.1.2.3(CABForumBaselineReqs.)
Hotspot2.0OSUServerCertificates 2.16.840.1.114412.1.5FederatedDeviceCertificate 2.16.840.1.114412.1.11FederatedDeviceHardwareCertificate 2.16.840.1.114412.1.12IssuerCA(whereallowedbypolicy) 2.5.29.32.0(anyPolicy)ExtendedValidation(EV)SSL/TLSServerCertificates
2.16.840.1.114412.2.1,2.23.140.1.1(CABForumEVGuidelines), 1.3.6.1.4.1.6334.1.100.1 (originallyregisteredbybeTRUSTed),and/or2.16.840.1.113733.1.7.23.6(originallyregisteredbyVerisign)
ObjectSigningCertificates 2.16.840.1.114412.3 CodeSigningCertificates 2.16.840.1.114412.3.1 MinimumRequirementsforCodeSigning 2.16.840.1.114412.3.1.1and/or
2.23.140.1.4.1 ExtendedValidationCodeSigning 2.16.840.1.114412.3.2and/or2.23.140.1.3 WindowsKernelDriverSigning 2.16.840.1.114412.3.11 AdobeSigningCertificate 2.16.840.1.114412.3.21ClientCertificateOIDArc 2.16.840.1.114412.4 Level1Certificates‐Personal 2.16.840.1.114412.4.1.1 Level1Certificates‐Enterprise 2.16.840.1.114412.4.1.2 Level2Certificates 2.16.840.1.114412.4.2 Level3Certificates‐US 2.16.840.1.114412.4.3.1 Level3Certificates‐CBP 2.16.840.1.114412.4.3.2 Level4Certificates‐US 2.16.840.1.114412.4.4.1 Level4Certificates‐CBP 2.16.840.1.114412.4.4.2Class1‐3Certificates 2.16.840.1.114412.5Class1Certificates 2.16.840.1.113733.1.7.23.1and/or
2.16.840.1.114412.5.1 Class2Certificates 2.16.840.1.113733.1.7.23.2and/or
2.16.840.1.114412.5.2
4
DigitallySignedObject ObjectIdentifier(OID) Class3Certificates
2.16.840.1.113733.1.7.23.3.2(privatehierarchy)and/or2.16.840.1.114412.5.3
GridCertificateOIDArcs 2.16.840.1.114412.4.31or2.16.840.1.114412.31(Grid‐onlyarc)
IGTFClassicX.509Authoritieswithsecuredinfrastructure
2.16.840.1.114412.4.31.1(Clientw/Public),2.16.840.1.114412.31.4.1.1(ClientGridOnly),and/or1.2.840.113612.5.2.2.1.x(IGTF)
IGTFMemberIntegratedX.509CredentialServiceswithSecuredInfrastructureCertificates
2.16.840.1.114412.4.31.5and/or1.2.840.113612.5.2.2.5.x(IGTF)
IGTFGridHost‐PublicTrust 2.16.840.1.114412.1.31.1IGTFGrid‐OnlyHostCertificate 2.16.840.1.114412.31.1.1.1,
1.2.840.113612.5.2.2.1.x(IGTF),and/or1.2.840.113612.5.2.2.5.x(IGTF)
Authentication‐OnlyCertificates 2.16.840.1.114412.6TrustedTime‐stamping 2.16.840.1.114412.7.1Legacyarc 2.16.840.1.114412.81Testarc 2.16.840.1.114412.99AllOIDsmentionedabovebelongtotheirrespectiveowners.ThespecificOIDsusedwhenobjectsaresignedpursuanttothisCPSareindicatedintheobject’srespectiveCertificatePoliciesextension.Forinstance,whenDigiCertissuesaCertificatecontainingoneoftheabove‐specifiedpolicyidentifiersfor“BaselineRequirements,”“MinimumRequirements,”or“ExtendedValidation,”itassertsthattheCertificatewasissuedandismanagedinaccordancewiththoseapplicablerequirements.CommercialBestPractices(“CBP”)differsfrom“US”inthattherearenotrustedrolecitizenshiprequirementsforanIssuerCAissuingunderaCBPpolicy,whereaspoliciesdesignated“US”mustfollowthecitizenshippracticessetforthinSection5.3.1.TheLegacyarcexiststoidentifyCertificatesissuedforpurposeofachievingcompatibilitywithlegacysystemsthatareincapableofprocessingneweralgorithmsthatmightberequiredbycomparableindustrybestpractices.
1.3. PKIPARTICIPANTS
1.3.1. CertificationAuthoritiesDigiCertoperatescertificationauthorities(CAs)thatissuedigitalcertificates.AstheoperatorofseveralCAs,DigiCertperformsfunctionsassociatedwithPublicKeyoperations,includingreceivingcertificaterequests,issuing,revokingandrenewingadigitalCertificate,andmaintaining,issuing,andpublishingCRLsandOCSPresponses.GeneralinformationaboutDigiCert’sproductsandservicesareavailableatwww.digicert.com.DigiCertownsandoperatestheGTECybertrustGlobalRoot,theBaltimoreCybertrustRoot,theCybertrustGlobalRootCA,andtheVerizonGlobalRootCA.Inlimitedcircumstances,theserootCAsareusedtoissuecrossCertificatestoexternalthirdpartiesoperatingtheirownPKIs.An“externalsubordinateCA”isanunaffiliatedthirdpartythatisissuedasubordinateCACertificatebyDigiCertwherethePrivateKeyassociatedwiththatCACertificateisnotmaintainedunderthephysicalcontrolofDigiCert.InaccordancewithrequirementsoftheU.S.FederalPKIPolicyAuthority(FPKIPA),DigiCertnotifiestheFPKIPApriortoissuingaCACertificatechainingtotheFederalBridgeCAtoanexternalsubordinateCA.AllexternalsubordinateCAsareprohibited,eithertechnicallyorcontractually,fromissuingCertificatestodomainnamesorIPaddressesthataSubscriberdoesnotlegitimatelyownorcontrol(i.e.issuanceforpurposesof“trafficmanagement”isprohibited),andexternalsubordinateCAsarerequiredtoimplementproceduresthatareatleastasrestrictiveasthosefoundherein.DigiCertensuresthatnoCAchainingtotheFederalBridgeCAhasmorethanonetrustpathtotheFederalBridgeCA(regardlessofpathvalidationresults).
5
DigiCertisalsoatimestampingauthority(TSA)andprovidesproof‐of‐existencefordataataninstantintimeasdescribedherein.
1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdPartiesExceptfortheauthenticationofdomaincontrolorIPaddressverificationperformedsolelybyDigiCertinaccordancewithSection3.2.2,DigiCertmaydelegatetheperformanceofcertainfunctionstothirdpartyRegistrationAuthorities(RA).ThespecificroleofanRAorDelegatedThirdPartyvariesgreatlybetweenentities,rangingfromsimpletranslationservicestoactualassistanceingatheringandverifyingApplicantinformation.SomeRAsoperateidentitymanagementsystems(IdMs)andmaymanagethecertificatelifecycleforend‐users.ForIGTFCertificates,designatedRAsareresponsibleforvettingtheidentityofeachcertificateapplicant.DigiCertcontractuallyobligateseachDelegatedThirdPartytoabidebythepoliciesandindustrystandardsthatareapplicabletothatDelegatedThirdParty’sdelegatedresponsibilities.RApersonnelinvolvedintheissuanceofpublicly‐trustedSSL/TLSServerCertificatesmustundergotheskillsandtrainingrequiredunderSection5.3.
1.3.3. SubscribersSubscribersuseDigiCert’sservicesandPKItosupporttransactionsandcommunications.SubscribersarenotalwaysthepartyidentifiedinaCertificate,suchaswhenCertificatesareissuedtoanorganization’semployees.TheSubjectofaCertificateisthepartynamedintheCertificate.ASubscriber,asusedherein,mayrefertotheSubjectoftheCertificateandtheentitythatcontractedwithDigiCertfortheCertificate’sissuance.PriortoverificationofidentityandissuanceofaCertificate,aSubscriberisanApplicant.
1.3.4. RelyingPartiesRelyingPartiesareentitiesthatactinrelianceonaCertificateand/ordigitalsignatureissuedbyDigiCert.RelyingpartiesmustchecktheappropriateCRLorOCSPresponsepriortorelyingoninformationfeaturedinaCertificate.ThelocationoftheCRLdistributionpointisdetailedwithintheCertificate.
1.3.5. OtherParticipantsOtherparticipantsincludeAccreditationAuthorities(suchasPolicyManagementAuthorities,FederationOperators,ApplicationSoftwareVendors,andapplicableCommunity‐of‐Interestsponsors);BridgeCAsandCAscross‐certifiedwithDigiCert’sCAsthatserveastrustanchorsinotherPKIcommunities;andTimeSourceEntities,TimeStampTokenRequesters,andTimeStampVerifiersinvolvedintrustedtimestamping.AccreditationAuthoritiesaregrantedanunlimitedrighttore‐distributeDigiCert’srootCertificatesandrelatedinformationinconnectionwiththeaccreditation.DigiCerthascross‐certifiedwiththeFederalBridgeCertificationAuthority(FBCA).DigiCertalsoissuescross‐Certificatestootherthird‐partyCAs.
1.4. CERTIFICATEUSAGEAdigitalCertificate(orCertificate)isformatteddatathatcryptographicallybindsanidentifiedsubscriberwithaPublicKey.AdigitalCertificateallowsanentitytakingpartinanelectronictransactiontoproveitsidentitytootherparticipantsinsuchtransaction.DigitalCertificatesareusedincommercialenvironmentsasadigitalequivalentofanidentificationcard.Atime‐stamptoken(TST)cryptographicallybindsarepresentationofdatatoaparticulartimestamp,thusestablishingevidencethatthedataexistedatacertainpointintime.
1.4.1. AppropriateCertificateUsesCertificatesissuedpursuanttothisCPSmaybeusedforalllegalauthentication,encryption,accesscontrol,anddigitalsignaturepurposes,asdesignatedbythekeyusageandextendedkeyusagefieldsfoundwithintheCertificate.However,thesensitivityoftheinformationprocessedorprotectedbyaCertificatevariesgreatly,andeachRelyingPartymustevaluatetheapplicationenvironmentandassociatedrisksbeforedecidingonwhethertouseaCertificateissuedunderthisCPS.
6
ThisCPScoversseveraldifferenttypesofendentityCertificates/tokenswithvaryinglevelsofassurance.Thefollowingtableprovidesabriefdescriptionoftheappropriateusesofeach.Thedescriptionsareforguidanceonlyandarenotbinding.
Certificate AppropriateUseDVSSL/TLSServerCertificates
Usedtosecureonlinecommunicationwheretherisksandconsequencesofdatacompromisearelow,includingnon‐monetarytransactionsortransactionswithlittleriskoffraudormaliciousaccess.
OVSSL/TLSServerCertificates
Usedtosecureonlinecommunicationwheretherisksandconsequencesofdatacompromisearemoderate,includingtransactionshavingsubstantialmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessissubstantial.
EVSSL/TLSServerCertificates
Usedtosecureonlinecommunicationwhererisksandconsequencesofdatacompromisearehigh,includingtransactionshavinghighmonetaryvalue,riskoffraud,orwhereinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessishigh.
Hotspot2.0OSUServerCertificates
UsedtoauthenticateOSUServerspursuanttotheWi‐FiAlliance’sHotspot2.0specification.
FederatedDeviceCertificates
SimilartoSSL/TLSServerCertificatesabovebutforuseasnecessaryinconnectionwithcross‐certifiedPKIs
CodeSigningCertificates,includingEVCodeSigning
EstablishestheidentityoftheSubscribernamedintheCertificateandthatthesignedcodehasnotbeenmodifiedsincesigning.
RudimentaryLevel1ClientCertificates‐Personal
Providesthelowestdegreeofassuranceconcerningidentityoftheindividualandisgenerallyusedonlytoprovidedataintegritytotheinformationbeingsigned.TheseCertificatesshouldonlybeusedwheretheriskofmaliciousactivityislowandifanauthenticatedtransactionisnotrequired.
Level1ClientCertificates‐EnterpriseandClass1and2Certificates
Usedinenvironmentswheretherearerisksandconsequencesofdatacompromise,butsuchrisksarenotofmajorsignificance.Usersareassumednotlikelytobemalicious.
Level2ClientCertificates(FBCAbasicassurancecertificates)
Issuedtoidentity‐vettedindividuals.Certificatesspecifyifthenameisapseudonym.Usedinenvironmentswheretherearerisksandconsequencesofdatacompromise,butsuchrisksarenotofmajorsignificance.Usersareassumednotlikelytobemalicious.
Level3ClientCertificates(FBCAmediumcertificates)andClass3Certificates
Usedinenvironmentswhererisksandconsequencesofdatacompromisearemoderate,includingtransactionshavingsubstantialmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessissubstantial.
Level4ClientCertificates(FBCAmediumhardwareCertificates)
Usedinenvironmentswhererisksandconsequencesofdatacompromisearehigh,includingtransactionshavinghighmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessishigh.
DirectCertificates UsedtotransferhealthcareinformationinaccordancewiththeDirectProtocoladoptedbytheONC.DirectCertificatesareissuedasLevel2orLevel3Certificates.
AuthenticationOnly Usedwheretheidentityofthecertificateholderisirrelevantandwheretheriskofunauthorizedaccesstoasecuresiteislow.
IGTFandGrid‐onlyCertificates
SupportidentityassertionsandsystemauthenticationamongstparticipantsintheInternationalGridTrustFederation.IGTFCertificatesincludethoseissuedaspublicly‐trustedclientCertificatesandthoseissuedundertheGrid‐onlyarc.
7
Certificate AppropriateUseAdobeSigningCertificates UsedtosignAdobedocumentsandshowthattheportionofthe
documentsignedbytheauthorhasnotbeenmodifiedsincesigning.TimeStampToken Usedtoidentifytheexistenceofdataatasetperiodoftime.
1.4.2. ProhibitedCertificateUsesCertificatesdonotguaranteethattheSubjectistrustworthy,honest,reputableinitsbusinessdealings,safetodobusinesswith,orcompliantwithanylaws.ACertificateonlyestablishesthattheinformationintheCertificatewasverifiedinaccordancewiththisCPSwhentheCertificateissued.CodesigningCertificatesdonotindicatethatthesignedcodeissafetoinstallorfreefrommalware,bugs,orvulnerabilities.
1.5. POLICYADMINISTRATION
1.5.1. OrganizationAdministeringtheDocumentThisCPSandthedocumentsreferencedhereinaremaintainedbytheDCPA,whichcanbecontactedat:
DigiCertPolicyAuthoritySuite5002801N.ThanksgivingWayLehi,UT84043USATel:1‐801‐701‐9600Fax:1‐801‐705‐[email protected]
1.5.2. ContactPersonAttn:LegalCounselDigiCertPolicyAuthoritySuite5002801N.ThanksgivingWayLehi,[email protected]
1.5.2.1. RevocationReportingContactPersonAttn:SupportDigiCertTechnicalSupportSuite5002801N.ThanksgivingWayLehi,UT84043USAhttps://www.digicert.com/certificate‐revocation.htm TorequestthataCertificateberevoked,pleaseemailrevoke@digicert.com.Entitiessubmittingcertificaterevocationrequestsmustlisttheiridentityandexplainthereasonforrequestingrevocation.DigiCertoranRAwillauthenticateandlogeachrevocationrequestaccordingtoSection4.9oftheDigiCertCPandthisCPS.DigiCertwillalwaysrevokeaCertificateiftherequestisauthenticatedasoriginatingfromtheSubscriberortheAffiliatedOrganizationlistedintheCertificate.IfrevocationisrequestedbysomeoneotherthananauthorizedrepresentativeoftheSubscriberorAffiliatedOrganization,DigiCertoranRAwillinvestigatetheallegedbasisfortherevocationrequestpriortotakingactioninaccordancewithSection4.9.1and4.9.3.
8
1.5.3. PersonDeterminingCPSSuitabilityforthePolicyTheDCPAdeterminesthesuitabilityandapplicabilityofthisCPSbasedontheresultsandrecommendationsreceivedfromanindependentauditor(seeSection8).TheDCPAisalsoresponsibleforevaluatingandactingupontheresultsofcomplianceaudits.
1.5.4. CPSApprovalProceduresTheDCPAapprovestheCPSandanyamendments.AmendmentsaremadeaftertheDCPAhasreviewedtheamendments’consistencywiththeCP,byeitherupdatingtheentireCPSorbypublishinganaddendum.TheDCPAdetermineswhetheranamendmenttothisCPSisconsistentwiththeCP,requiresnotice,oranOIDchange.SeealsoSection9.10andSection9.12below.
1.6. DEFINITIONSANDACRONYMS
1.6.1. Definitions“Applicant”meansanentityapplyingforaCertificate.“ApplicationSoftwareVendor”meansasoftwaredeveloperwhosesoftwaredisplaysorusesDigiCertCertificatesanddistributesDigiCert’srootCertificates.“CABForum”isdefinedinsection1.1.“Certificate”meansanelectronicdocumentthatusesadigitalsignaturetobindaPublicKeyandanidentity.“CertificateApprover”isdefinedintheEVGuidelines.“CertificateRequester”isdefinedintheEVGuidelines.“ContractSigner”isdefinedintheEVGuidelines.“DirectAddress”meansanemailaddressconformingtotheApplicabilityStatementforSecureHealthTransport.“DirectAddressCertificate”meansaCertificatecontaininganentireDirectAddress.“DirectOrganizationalCertificate”meansaCertificatecontainingonlythedomainnameportionofaDirectAddress.“DomainName”isasdefinedintheBaselineRequirements.“EVGuidelines”isdefinedinsection1.1.“KeyPair”meansaPrivateKeyandassociatedPublicKey.“OCSPResponder”meansanonlinesoftwareapplicationoperatedundertheauthorityofDigiCertandconnectedtoitsrepositoryforprocessingcertificatestatusrequests.“PrivateKey”meansthekeyofaKeyPairthatiskeptsecretbytheholderoftheKeyPair,andthatisusedtocreatedigitalsignaturesand/ortodecryptelectronicrecordsorfilesthatwereencryptedwiththecorrespondingPublicKey.“PublicKey”meansthekeyofaKeyPairthatmaybepubliclydisclosedbytheholderofthecorrespondingPrivateKeyandthatisusedbyaRelyingPartytoverifydigitalsignaturescreatedwiththeholder's
9
correspondingPrivateKeyand/ortoencryptmessagessothattheycanbedecryptedonlywiththeholder'scorrespondingPrivateKey.“QualifiedCertificate”meansaCertificatethatmeetstherequirementsofEUlawandisprovidedbyanIssuerCAmeetingtherequirementsofEUlaw.“RelyingParty”meansanentitythatreliesuponeithertheinformationcontainedwithinaCertificateoratime‐stamptoken.“RelyingPartyAgreement”meansanagreementwhichmustbereadandacceptedbytheRelyingPartypriortovalidating,relyingonorusingaCertificateoraccessingorusingDigiCert’sRepository.TheRelyingPartyAgreementisavailableforreferencethroughaDigiCertonlinerepository.“Subscriber”meanseithertheentityidentifiedasthesubjectintheCertificateortheentitythatisreceivingDigiCert’stime‐stampingservices.“SubscriberAgreement”meansanagreementthatgovernstheissuanceanduseofaCertificatethattheApplicantmustreadandacceptbeforereceivingaCertificate.“WebTrust”meansthecurrentversionofCPACanada’sWebTrustProgramforCertificationAuthorities.“WHOIS”InformationretrieveddirectlyfromtheDomainNameRegistrarorregistryoperatorviatheprotocoldefinedinRFC3912,theRegistryDataAccessProtocoldefinedinRFC7482,oranHTTPSwebsite.
1.6.2. AcronymsAATL AdobeApprovedTrustListCA CertificateAuthorityorCertificationAuthorityCAA CertificationAuthorityAuthorizationCAB ”CA/Browser”asin“CABForum”CMS CardManagementSystemCP CertificatePolicyCPS CertificationPracticeStatementCRL CertificateRevocationListCSR CertificateSigningRequestCT CertificateTransparencyDBA DoingBusinessAs(alsoknownas"TradingAs")DCPA DigiCertPolicyAuthorityDV DomainValidatedETSI EuropeanTelecommunicationsStandardsInstituteEU EuropeanUnionEV ExtendedValidationFIPS (USGovernment)FederalInformationProcessingStandardFQDN FullyQualifiedDomainNameFTP FileTransferProtocolHISP HealthInformationServiceProviderHSM HardwareSecurityModuleHTTP HypertextTransferProtocolIANA InternetAssignedNumbersAuthorityICANN InternetCorporationforAssignedNamesandNumbersIdM IdentityManagementSystemIDN InternationalizedDomainNameISSO InformationSystemSecurityOfficerIETF InternetEngineeringTaskForceIGTF InternationalGridTrustFederation
10
ITU InternationalTelecommunicationUnionIV IndividualValidatedMICS Member‐IntegratedCredentialService(IGTF)NIST NationalInstituteofStandardsandTechnologyOCSP OnlineCertificateStatusProtocolOID ObjectIdentifierONC OfficeoftheNationalCoordinatorforHealthcare(U.S.)OSU OnlineSign‐Up(Wi‐FiAllianceHotspot2.0)OV OrganizationValidatedPIN PersonalIdentificationNumber(e.g.asecretaccesscode)PKI PublicKeyInfrastructurePKIX IETFWorkingGrouponPublicKeyInfrastructureRA RegistrationAuthorityRFC RequestforComments(atIETF.org)SAN SubjectAlternativeNameSHA SecureHashingAlgorithmSSL SecureSocketsLayerTLD Top‐LevelDomainTLS TransportLayerSecurityTSA TimeStampingAuthorityTST Time‐StampTokenTTL TimeToLiveUTC CoordinatedUniversalTimeX.509 TheITU‐TstandardforCertificatesandtheircorrespondingauthentication
framework
1.6.3. ReferencesCA/BrowserForumBaselineRequirementsCertificatePolicyfortheIssuanceandManagementofPublicly‐TrustedCertificates(“BaselineRequirements”)CA/BrowserForumGuidelinesfortheIssuanceandManagementofExtendedValidationCertificates(“EVGuidelines”)DirectTrustCommunityX.509CertificatePolicy,v.1.3
FBCASupplementaryAntecedent,In‐PersonDefinition
Wi‐FiAllianceHotspot2.0Release2OnlineSignupCertificatePolicySpecification(Hotspot2.0CP)
X.509CertificatePolicyfortheFederalBridgeCertificationAuthority,v.2.32
MozillaRootStorePolicyv.2.6.1
2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES
2.1. REPOSITORIESDigiCertmakesitsrootCertificates,revocationdataforissueddigitalCertificates,CPs,CPSs,RelyingPartyAgreements,andstandardSubscriberAgreementsavailableinpublicrepositories.DigiCertdevelops,implements,enforces,andannuallyupdatesthisCPStomeetthecompliancestandardsofthedocumentslistedinSection1.6.3.TheseupdatesalsodescribehowthelatestversionoftheBaselineRequirementsareimplemented.AsBaselineRequirementsareupdated,DigiCertreviewsthechangestodeterminetheirimpactonthesepractices.EachsectionimpactedbytheBaselineRequirementswillbeupdatedandprovidedtotheDCPAforapprovalandimplementation.IfanSSL/TLSServerCertificateisintendedtobetrustedinChrome,
11
itispublishedbypostingitinaCertificateTransparencylog.DigiCertdoesnotmaintainanLDAPdirectoryorsearchabledatabaseofthecertificatesitissues.DigiCert’slegalrepositoryformostservicesislocatedathttps://www.digicert.com/legal‐repository/.DigiCert’spubliclytrustedrootCertificatesanditsCRLsandOCSPresponsesareavailablethroughonlineresources24hoursaday,7daysaweekwithsystemsdescribedinSection5tominimizedowntime.
2.2. PUBLICATIONOFCERTIFICATIONINFORMATIONTheDigiCertcertificateservicesandtherepositoryareaccessiblethroughseveralmeansofcommunication:
1. Ontheweb:https://www.digicert.com(andviaURIsincludedinthecertificatesthemselves)2. [email protected]. Bymailaddressedto:DigiCert,Inc.,Suite500,2801N.ThanksgivingWay,Lehi,Utah840434. BytelephoneTel:1‐801‐877‐21005. Byfax:1‐801‐705‐0481
2.3. TIMEORFREQUENCYOFPUBLICATIONCACertificatesarepublishedinarepositoryassoonaspossibleafterissuance.CRLsforend‐userCertificatesareissuedatleastonceperday.CRLsforCACertificatesareissuedatleastevery6months(every31daysforofflineCAschainingtotheFederalBridgeCA),andalsowithin18hoursifaCACertificateisrevoked.Underspecialcircumstances,DigiCertmaypublishnewCRLspriortothescheduledissuanceofthenextCRL.(SeeSection4.9foradditionaldetails.)NewormodifiedversionsoftheCP,thisCPS,SubscriberAgreements,orRelyingPartyWarrantiesaretypicallypublishedwithinsevendaysaftertheirapproval.
2.4. ACCESSCONTROLSONREPOSITORIESRead‐onlyaccesstotherepositoryisunrestricted.Logicalandphysicalcontrolspreventunauthorizedwriteaccesstorepositories.
3. IDENTIFICATIONANDAUTHENTICATION
3.1. NAMING
3.1.1. TypesofNamesCertificatesareissuedwithanon‐nullsubjectDistinguishedName(DN)thatcomplieswithITUX.500standardsexceptthatDigiCertmayissueaLevel1CertificatewithanullsubjectDNifitincludesatleastonealternativenameformthatismarkedcritical.WhenDNsareused,commonnamesmustrespectnamespaceuniquenessrequirementsandmustnotbemisleading.ThisdoesnotprecludetheuseofpseudonymousCertificates,exceptwherestatedotherwiseunderSection3.1.3.DigiCertissuesEVSSL/TLSCertificatesto.oniondomainsinaccordancewithAppendixFoftheEVGuidelines.DigiCertissuesOSUServerCertificateswithsubjectalternativenamesthatcontain:(1)OSUServerFQDN(s)and(2)FriendlyName(s)thatidentifythewifiserviceprovider,inaccordancewithsection3.4oftheHotspot2.0CP.
3.1.2. NeedforNamestobeMeaningfulDigiCertusesdistinguishednamesthatidentifyboththeentity(i.e.person,organization,device,orobject)thatisthesubjectoftheCertificateandtheentitythatistheissueroftheCertificate.DigiCertonlyallowsdirectoryinformationtreesthataccuratelyreflectorganizationstructures.
12
3.1.3. AnonymityorPseudonymityofSubscribersGenerally,DigiCertdoesnotissueanonymousorpseudonymousCertificates;however,forIDNs,DigiCertmayincludethePunycodeversionoftheIDNasasubjectname.DigiCertmayalsoissueotherpseudonymousend‐entityCertificatesiftheyarenotprohibitedbypolicyandanyapplicablenamespaceuniquenessrequirementsaremet.
3.1.4. RulesforInterpretingVariousNameFormsDistinguishedNamesinCertificatesareinterpretedusingX.500standardsandASN.1syntax.SeeRFC2253andRFC2616forfurtherinformationonhowX.500distinguishednamesinCertificatesareinterpretedasUniformResourceIdentifiersandHTTPreferences.
3.1.5. UniquenessofNamesTheuniquenessofeachsubjectnameinaCertificateisenforcedasfollows:
SSL/TLSServerServerCertificates
InclusionofthedomainnameintheCertificate.DomainnameuniquenessiscontrolledbytheInternetCorporationforAssignedNamesandNumbers(ICANN).
ClientCertificates Requiringauniqueemailaddressorauniqueorganizationnamecombined/associatedwithauniqueserialinteger.
IGTFandGrid‐onlyDeviceCertificates
FordeviceCertificates,anFQDNisincludedintheappropriatefields.ForotherCertificates,DigiCertmayappendauniqueIDtoanamelistedintheCertificate.
CodeSigningCertificates(includingCDSCertificates)
Requiringauniqueorganizationnameandaddressorauniqueorganizationnamecombined/associatedwithauniqueserialinteger.
TimeStamping Requiringauniquehashandtimeoruniqueserialintegerassignedtothetimestamp
3.1.6. Recognition,Authentication,andRoleofTrademarksSubscribersmaynotrequestCertificateswithcontentthatinfringesontheintellectualpropertyrightsofanotherentity.ForOSUServerCertificates,DigiCertconductsatrademarksearchoflogosandFriendlyNamesinrelevantmarkregistrationdatabases,suchastheU.S.PatentandTrademarkOfficeorWIPO,toconfirmanapplicant’srighttouseaparticulartrademark.Basedontheresultsofsuchsearch(es),DigiCertissuesanOSUServerCertificatewithoneormorelogotypeextensionscontainingthehashalgorithmandhashvalueoflogosassociatedwiththeserviceprovider.Ifanapplicantdoesnothaveafriendlynameorlogoavailable,DigiCertmayincludealogoandfriendlynamespecifiedbytheWi‐FiAlliance.UnlessotherwisespecificallystatedinthisCPS,DigiCertdoesnotverifyanApplicant’srighttouseatrademarkanddoesnotresolvetrademarkdisputes.DigiCertmayrejectanyapplicationorrequirerevocationofanyCertificatethatispartofatrademarkdispute.
3.2. INITIALIDENTITYVALIDATIONDigiCertmayuseanylegalmeansofcommunicationorinvestigationtoascertaintheidentityofanorganizationalorindividualApplicant.DigiCertmayrefusetoissueaCertificateinitssolediscretion.
3.2.1. MethodtoProvePossessionofPrivateKeyDigiCertestablishesthattheApplicantholdsorcontrolsthePrivateKeycorrespondingtothePublicKeybyperformingsignatureverificationordecryptionondatapurportedtohavebeendigitallysignedorencryptedwiththePrivateKeybyusingthePublicKeyassociatedwiththecertificaterequest.
13
3.2.2. AuthenticationofOrganizationandDomain/EmailControlDVSSL/TLSServerCertificates
DigiCertvalidatestheApplicant’srighttouseorcontroleachdomainnamethatwillbelistedintheSubjectAlternativeNamefieldofaCertificatebyusingatleastoneofthefollowingproceduresfromsection3.2.2.4oftheBaselineRequirements:
1. Thismethod(BRSection3.2.2.4.1)isnolongerusedbecauseitwasdeprecatedasof1‐August‐2018;
2. Email,Fax,SMS,orPostalMailtotheDomainContactbysendingauniqueRandomValue(validfornomorethan30daysfromitscreation)throughemail,fax,SMS,orpostalmail,totheDomainContactandreceivingconfirmationbytheiruseoftheRandomValue,performedinaccordancewithBRSection3.2.2.4.2;
3. PhonecalltotheDomainContact’sphonenumber,asprovidedbytheDomainRegistrar,andreceivingconfirmationthattheApplicanthasrequestedvalidationoftheFQDN,performedinaccordancewithBRSection3.2.2.4.3;
4. ConstructedEmailtoDomainContactestablishingtheApplicant’scontrolovertheFQDNbysendinganemailcreatedbyusing‘admin’,‘administrator’,‘webmaster’,’hostmaster’or‘postmaster’asthelocalpartfollowedbythe(“@”)sign,followedbyanAuthorizationDomainname,includingaRandomValueintheemail,andreceivingaresponseusingtheRandomValue,performedinaccordancewithBRSection3.2.2.4.4;
5. (BRSection3.2.2.4.5)isnolongerusedbecauseitwasdeprecatedasof1‐August‐2018;
6. AnAgreed‐UponChangetotheWebsitebytheApplicantplacinganagreed‐uponRequestTokenorRandomValueinthe“/.well‐known/pki‐validation”directory,performedinaccordancewithBRSection3.2.2.4.6;
7. DNSChangebyconfirmingthepresenceofaRandomValueorRequestTokeninaDNSCNAME,TXT,orCAArecordforeitheranAuthorizationDomainNameoranAuthorizationDomainNameprefixedwithalabelthatbeginswithanunderscorecharacter,performedinaccordanceBRSection3.2.2.4.7;
8. IPAddress‐byconfirmingtheApplicant’scontrolovertheFQDNthroughcontrolofanIPaddressreturnedfromaDNSlookupforAorAAAArecordsfortheFQDN,performedinaccordancewithBRSections3.2.2.5and3.2.2.4.8;
9. (BRSection3.2.2.4.9)isnolongerusedbecauseitwasdeprecateduponpublicationofv.4.16ofthisCPS;
10. (BRSection3.2.2.4.10)isnolongerusedbecauseitwasdeprecateduponpublicationofv.4.16ofthisCPS;
11. (BRSection3.2.2.4.11)isnolongerusedbecauseitwasdeprecatedasof5‐February‐2018;and
12. ConfirmingthattheApplicantistheDomainContactfortheBaseDomainName(providedthattheCAorRAisalsothe
14
DomainNameRegistraroranAffiliateoftheRegistrar),performedinaccordancewithBRSection3.2.2.4.12.
Alloftheabovemethodsforvalidation,exceptIPAddress(BRSection3.2.2.4.8)maybeusedforWildcardCertificateDomainNamevalidationalongwithcurrentbestpracticeofconsultingapublicsuffixlist.
DigiCertverifiesanincludedcountrycodeusing(a)theIPAddressrangeassignmentbycountryforeither(i)thewebsite’sIPaddress,asindicatedbytheDNSrecordforthewebsiteor(ii)theApplicant’sIPaddress;(b)theccTLDoftherequestedDomainName;or(c)informationprovidedbytheDomainNameRegistrar.
IVandOVSSL/TLSServer,OSUServer,ObjectSigning,andDeviceCertificates(excludingdeviceCertificatesissuedundertheGrid‐onlyarc)
DigiCertvalidatestheApplicant’srighttouseorcontroltheDomainName(s)andthecountrycodethatwillbelistedintheCertificateusingtheDVSSL/TLSServerCertificatevalidationproceduresabove.DigiCertalsoverifiestheidentityandaddressoftheApplicantusingtheproceduresfoundinsection3.2.2.1orsection3.2.3oftheBaselineRequirements.DigiCertverifiesanyDBAincludedinaCertificateusingathirdpartyorgovernmentsource,attestationletter,orreliableformofidentificationinaccordancewithsection3.2.2oftheBaselineRequirements.
DeviceCertificatesissuedundertheGrid‐onlyarc
AnRAorTrustedAgentvalidatestheapplicant’sinformationinaccordancewithanRPS(orsimilardocument)applicabletothecommunityofinterest.
EVSSL/TLSServerandEVCodeSigningCertificates
InformationconcerningorganizationidentityrelatedtotheissuanceofEVSSL/TLSServerCertificatesisvalidatedinaccordancewiththeEVGuidelines.
S/MIMECertificatesissuedasLevel1‐4ClientCertificatesusingthenativeDigiCertinfrastructure.1
DigiCertverifiesanindividual’sororganization’srighttouseorcontrolanemailaddresstobecontainedinaCertificatethatwillhavethe“SecureEmail”EKUbydoingoneofthefollowing:
1.Byverifyingdomaincontrolovertheemaildomainusingoneoftheprocedureslistedaboveinthistableundertheheading“DVSSL/TLSServerCertificates”;or
2.bysendinganemailmessagecontainingaRandomValuetotheemailaddresstobeincludedintheCertificateandreceivingaconfirmingresponsethroughuseoftheRandomValuetoindicatethattheApplicantand/orOrganizationownsorcontrolsthatsameemailaddress.
S/MIMECertificatesissuedasClass1‐2CertificatesusingtheacquiredSymantecinfrastructure2
AnRAmayhaveanApplicantassociatedwiththeOrganizationconnectthroughabrowsertocompleteoneofthefollowingthreetypesofauthentication:
1. ManualAuthentication:TheApplicantsubmitsenrollment
1Level1throughLevel4CertificatesaredistinctanddifferentfromClass1through3certificateslistedinthenextrowbecausetheyareissuedwithdifferentpolicyOIDs,asreferencedinsection1.2,andissuedbyaseparatesystem.2Class1throughClass3CertificatesaredistinctanddifferentfromLevel1through4CertificateslistedinthepreviousrowandtheyareissuedwithdifferentpolicyOIDs,asreferencedinsection1.2,andissuedbyaseparatesystem.
15
informationandaPublicKey/CSR.AnRAreviewstheenrollmentinformationreceivedfromtheApplicantinacustomizedinterface.Ifapproved,thesystemautomaticallysendsaPINtotheenrolledemailaddressfortheApplicanttousetoretrievetheCertificateataspecifiedURL.IftheApplicant’sPrivateKeymatches,theCertificateisinstalled.
2. ManualPasscodeAuthentication:Thesystemispre‐populatedwiththeApplicant’sinformation,includinganemailaddress,thattheRAhasreviewedthatcomesfromexistingbusinessrelationsoranemployeedatabase.ThesystemsendsarandomlygeneratedpasscodetotheenrolledemailaddressfortheApplicanttousetoretrievetheCertificateataspecifiedURL.TheApplicant’skeypairandcertificatearegeneratedandinstalledontheApplicant’ssystem;or
AutomatedEnrollmentCode/PasscodeAuthentication:Thesystemispre‐populatedwiththeApplicant’sinformation,includinganemailaddress,andanEnrollmentCode/Passcode.TheEnrollmentCode/PasscodeissenttotheApplicant’semailaddress.TheEnrollmentCode/Passcodeischeckedforvalidityinthesystemandifverified,thesystemwillgeneratetheCertificatebasedonthePublicKeymatchingthePrivateKey
3. AutomatedAdministrativeorWebServiceAPIAuthentication:ProvidedthattheemailaddressordomainhasbeenverifiedpursuanttooneofthemethodsusedforLevels1‐4asdescribedaboveinthistable,theApplicantsubmitsenrollmentinformationandaPublicKey/CSR.Applicantdatareceivedthroughtheportaliscomparedwithatrustedsourceofverifiedemailaddresses(e.g.,anactivedirectory).Uponapproval,thestatusoftherequestissetto“approved”andtheCertificateissentbackthroughanAPI.IftheApplicant’sPrivateKeymatches,theCertificateisinstalled.
Class3CertificatesusingtheacquiredSymantecinfrastructure
AnRAmayconnectthroughacustomizedinterfacetocompleteoneofthefollowingtwotypesofauthentication:
1. ManualAuthentication:TheApplicantsubmitsenrollmentinformationandaPublicKey/CSR.AnRAreviewstheenrollmentinformationreceivedfromtheApplicantassociatedwiththeOrganizationinacustomizedinterface.Ifapproved,thesystemautomaticallysendstheCertificatetotheenrolledemailfortheApplicant whichtheApplicantmustbeabletoaccessinordertoinstallthecertificate.
2. AutomatedAdministrativeorWebServiceAPIAuthentication:TheApplicantsubmitsenrollmentinformationandaPublicKey/CSR.Applicantdatareceivedthroughtheportaliscomparedwithatrustedsource(e.g.,anactivedirectory)thatcontainstheemailaddressordomainthathasbeenverifiedpursuanttomethodsusedforLevels1‐4asdescribedaboveinthistable.Uponapproval,thestatusoftherequestissetto“approved”andtheCertificateissentbackthroughanAPI.IftheApplicant’sPrivateKeymatches,theCertificateisinstalled.
16
DigiCertmaintainsandutilizesascoringsystemtoflagcertificaterequeststhatpotentiallypresentahigherriskoffraud.Thosecertificaterequeststhatareflagged“highrisk”receiveadditionalscrutinyorverificationpriortoissuance,whichmayincludeobtainingadditionaldocumentationfromoradditionalcommunicationwiththeApplicant.BeforeissuinganSSL/TLSServerCertificatewithadomainnamethathasnotbeenpreviouslyverifiedaswithinthescopeofanRA’sorotherDelegatedThirdParty’salloweddomainnames,DigiCertestablishesthattheRAorDelegatedThirdPartyhastherighttousetheDomainNamebyindependentlyverifyingtheauthorizationwiththedomainowner,asdescribedabove.ForeachIPAddresslistedinaCertificate,DigiCertconfirmsthat,asofthedatetheCertificatewasissued,theApplicantcontrolledtheIPAddressby:
1.HavingtheApplicantdemonstratepracticalcontrolovertheIPAddressbymakinganagreed‐uponchangetoinformationfoundonanonlineWebpageidentifiedbyauniformresourceidentifiercontainingtheIPAddress;2.ObtainingdocumentationofIPaddressassignmentfromtheInternetAssignedNumbersAuthority(IANA)oraRegionalInternetRegistry(RIPE,APNIC,ARIN,AfriNIC,LACNIC);or3.Performingareverse‐IPaddresslookupandthenverifyingcontrolovertheresultingDomainName,assetforthabove.
DigiCertverifiestheorganizationname,address,legalexistence,andauthorizationforCACertificatesthatcross‐certifywiththeFBCA.
3.2.3. AuthenticationofIndividualIdentityIfaCertificatewillcontaintheidentityofanindividual,thenDigiCertoranRAvalidatestheidentityoftheindividualusingthefollowingprocedures:
Certificate ValidationIVSSL/TLSServerCertificatesandObjectSigningCertificates(issuedtoanindividual)
1. a.DigiCertortheRAobtainsandreviewsalegiblecopy,whichdiscerniblyshowstheApplicant’sface,ofatleastonecurrentlyvalidgovernment‐issuedphotoID(passport,driver’slicense,militaryID,nationalID,orequivalentdocumenttype).DigiCertortheRAinspectsthecopyforanyindicationofalterationorfalsification.b.ForObjectSigningCertificates,avalidationspecialistalsoengagesinavideoconferencecallwiththeApplicant,whomustpresenttheirphotoIDandsignaDeclarationofIdentity,witnessedbythevalidationspecialist,whichisrecordedasevidence.
2. DigiCertmayadditionallycross‐checktheApplicant’snameandaddressforconsistencywithavailablethird‐partydatasources.
3. Iffurtherassuranceisrequired,thentheApplicantmust
provideanadditionalformofidentification,suchasrecentutilitybills,financialaccountstatements,creditcard,anadditionalIDcredential,orequivalentdocumenttype.
4. DigiCertortheRAconfirmsthattheApplicantisableto
receivecommunicationbytelephone,postalmail/courier,orfax.
IfDigiCertcannotverifytheApplicant’sidentityusingthe
17
Certificate Validationproceduresdescribedabove,thentheApplicantmustsubmitaDeclarationofIdentitythatiswitnessedandsignedbyaRegistrationAuthority,TrustedAgent,notary,lawyer,accountant,postalcarrier,oranyentitycertifiedbyaStateorNationalGovernmentasauthorizedtoconfirmidentities.
DeviceCertificateSponsors
Seesection3.2.3.3
OSUServerCertificates DigiCertverifiesthattherequesterisadulyauthorizedrepresentativeoftheorganizationasanemployee,partner,member,agent,etc.,andisauthorizedtoactonbehalfoftheorganization.
EVCertificatesissuedtoabusinessentity
Asspecifiedinsection11.2.1(3)oftheEVGuidelines
Grid‐onlyCertificates EithertheRAresponsibleforthegridcommunityoraTrustedAgentobtainsanidentitydocumentduringaface‐to‐facemeetingwiththeApplicant,oraTrustedAgentatteststhattheApplicantispersonallyknowntotheTrustedAgent.TheRAmustretainsufficientinformationabouttheapplicant’sidentitytoproveuponDigiCert’srequestthattheapplicantwasproperlyidentified.
Authentication‐OnlyCertificates
Theentitycontrollingthesecurelocationmustrepresentthatthecertificateholderisauthorizedtoaccessthelocation.
Level1ClientCertificates–Personal(emailCertificates)
AsspecifiedinSection3.2.2(noidentityverificationotherthancontroloftheemailaddresslistedintheCertificate).
Level1ClientCertificates‐Enterprise
Anyoneofthefollowing:1. In‐personappearancebeforeapersonperformingidentity
proofingforaRegistrationAuthorityoraTrustedAgentwithpresentmentofanidentitycredential(e.g.,driver'slicenseorbirthcertificate).
2. Usingproceduressimilartothoseusedwhenapplyingforconsumercreditandauthenticatedthroughinformationinconsumercreditdatabasesorgovernmentrecords,suchas:a. theabilitytoplaceorreceivecallsfromagivennumber;orb. theabilitytoobtainmailsenttoaknownphysicaladdress.
3. Throughinformationderivedfromanongoingbusinessrelationshipwiththecredentialproviderorapartnercompany(e.g.,afinancialinstitution,airline,employer,orretailcompany).Acceptableinformationincludes:a. theabilitytoobtainmailatthebillingaddressusedinthe
businessrelationship;b. verificationofinformationestablishedinprevious
transactions(e.g.,previousordernumber);orc. theabilitytoplacecallsfromorreceivephonecallsata
phonenumberusedinpreviousbusinesstransactions.
4. AnymethodusedtoverifytheidentityofanApplicantforaLevel2,3,or4ClientCertificate.
Level2ClientCertificatesandIGTFClassic/MICSCertificates
TheCAoranRAconfirmsthatthefollowingareconsistentwiththeapplicationandsufficienttoidentifyauniqueindividual: (a) thenameonthegovernment‐issuedphoto‐ID
18
Certificate Validation
referencedbelow; (b) dateofbirth;and (c) currentaddressorpersonaltelephonenumber.1. In‐personappearancebeforeapersonperformingidentity
proofingforaRegistrationAuthorityoraTrustedAgent(orentitycertifiedbyastate,federal,ornationalentityasauthorizedtoconfirmidentities)withpresentmentofareliableformofcurrentgovernment‐issuedphotoID.
2. TheApplicantmustpossessavalid,current,government‐issued,
photoID.TheRegistrationAuthorityorTrustedAgentperformingidentityproofingmustobtainandreview,whichmaybethroughremoteverification,thefollowinginformationabouttheApplicant:(i)name,dateofbirth,andcurrentaddressortelephonenumber;(ii)serialnumberassignedtotheprimary,government‐issuedphotoID;and(iii)oneadditionalformofIDsuchasanothergovernment‐issuedID,anemployeeorstudentIDcardnumber,telephonenumber,afinancialaccountnumber(e.g.,checkingaccount,savingsaccount,loanorcreditcard),orautilityserviceaccountnumber(e.g.,electricity,gas,orwater)foranaddressmatchingtheapplicant’sresidence.Identityproofingthroughremoteverificationmayrelyondatabaserecordcheckswithanagent/institutionorthroughcreditbureausorsimilardatabases.DigiCertoranRAmayconfirmanaddressbyissuingcredentialsinamannerthatconfirmstheaddressofrecordorbyverifyingknowledgeofrecentaccountactivityassociatedwiththeApplicant’saddressandmayconfirmatelephonenumberbysendingachallenge‐responseSMStextmessageorbyrecordingtheapplicant’svoiceduringacommunicationafterassociatingthetelephonenumberwiththeapplicantinrecordsavailabletoDigiCertortheRA.
3. WhereDigiCertoranRAhasacurrentandongoingrelationship
withtheApplicant,identitymaybeverifiedthroughtheexchangeofapreviouslyexchangedsharedsecret(e.g.,aPINorpassword)thatmeetsorexceedsNISTSP800‐63Level2entropyrequirements,providedthat:(a)identitywasoriginallyestablishedwiththedegreeofrigorequivalenttothatrequiredin1or2aboveusingagovernment‐issuedphoto‐ID,and(b)anongoingrelationshipexistssufficienttoensuretheApplicant’scontinuedpersonalpossessionofthesharedsecret.
4. Anyofthemethodsusedtoverifytheidentityofanapplicantfor
aDigiCertLevel3or4ClientCertificate.Level3ClientCertificates
In‐personproofingbeforeanRA,TrustedAgent,oranentitycertifiedbyastate,federal,ornationalentitythatisauthorizedtoconfirmidentities.Theinformationmustbecollectedandstoredinasecuremanner.RequiredidentificationconsistsofoneunexpiredFederal/NationalGovernment‐issuedPictureI.D.(e.g.apassport),aREALID,ortwounexpiredNon‐FederalGovernmentI.D.s,oneofwhichmustbeaphotoI.D.AcceptableformsofgovernmentIDincludeadriver'slicense,state‐issuedphotoIDcard,passport,
19
Certificate Validationnationalidentitycard,permanentresidentcard,trustedtravelercard,tribalID,militaryID,orsimilarphotoidentificationdocument.Seee.g.USCISFormI‐9.Thepersonperformingidentityproofingexaminesthecredentialsanddetermineswhethertheyareauthenticandunexpiredandcheckstheprovidedinformation(name,dateofbirth,andcurrentaddress)toensurelegitimacy.TheApplicantsignsaDeclarationofIdentity,definedbelow,towhichthepersonperformingidentityproofingattests.DigiCertortheRAreviewsandkeepsarecordoftheDeclarationofIdentity.DigiCertalsoemploysthein‐personantecedentprocess,definedinFBCASupplementaryAntecedent,In‐PersonDefinition,tomeetthisin‐personidentityproofingrequirement.Underthisdefinition,historicalin‐personidentityproofingissufficientif(1)itmeetsthethoroughnessandrigorofin‐personproofingdescribedabove,(2)supportingIDproofingartifactsexisttosubstantiatetheantecedentrelationship,and(3)mechanismsareinplacethatbindtheindividualtotheassertedidentity.Inoneusecase,theApplicant(e.g.anemployee)hasbeenidentifiedpreviouslybyanemployerusingUSCISFormI‐9andisboundtotheassertedidentityremotelythroughtheuseofknownattributesorsharedsecrets.Inanotherusecase,DigiCertusesathirdpartyIdentityVerificationProviderthatconstructsareal‐time,five‐questionprocess,basedonmultiplehistoricantecedentdatabases,andtheapplicantisgiventwominutestoansweratleastfourofthefivequestionscorrectly.SeeFBCASupplementaryAntecedent,In‐PersonDefinition.TheidentityoftheApplicantmustbeestablishednoearlierthan30dayspriortoinitialcertificateissuance.
Level4ClientCertificates(BiometricIDCertificates)
In‐personproofingbeforeanRA,TrustedAgent,oranentitycertifiedbyastate,federal,ornationalentitythatisauthorizedtoconfirmidentities.AcertifiedentitymustforwardthecollectedinformationdirectlytoanRAinasecuremanner.TheApplicantmustsupplyoneunexpiredFederal/NationalGovernment‐issuedPictureI.D.(e.g.apassport),aREALID,ortwounexpiredNon‐FederalGovernmentI.D.s,oneofwhichmustbeaphotoI.D..AcceptableformsofgovernmentIDincludeadriver'slicense,state‐issuedphotoIDcard,passport,nationalidentitycard,permanentresidentcard,trustedtravelercard,tribalID,militaryID,orsimilarphotoidentificationdocument.Seee.g.USCISFormI‐9.Theentitycollectingthecredentialsmustalsoobtainatleastoneformofbiometricdata(e.g.photographorfingerprints)toensurethattheApplicantcannotrepudiatetheapplication.ThepersonperformingidentityverificationforDigiCertortheRAexaminesthecredentialsforauthenticityandvalidity.TheApplicantsignsaDeclarationofIdentity,definedbelow,towhichthepersonperformingidentityproofingattests.DigiCertortheRAreviewsandkeepsarecordoftheDeclarationofIdentity.Useofanin‐personantecedentisnotallowed.TheidentityoftheApplicantmustbeestablishedbyin‐personproofingnoearlierthan
20
Certificate Validation30dayspriortoinitialcertificateissuance.Level4ClientCertificatesareissuedinamannerthatconfirmstheApplicant’saddress.
ADeclarationofIdentityconsistsof:
1. theidentityofthepersonperformingtheverification;2. asigneddeclarationbytheverifyingpersonstatingthattheyverifiedtheidentityoftheSubscriberas
requiredusingtheformatsetforthat28U.S.C.1746(declarationunderpenaltyofperjury)orcomparableprocedureunderlocallaw,thesignatureonthedeclarationmaybeeitherahandwrittenordigitalsignatureusingaCertificatethatisofequalorhigherlevelofassuranceasthecredentialbeingissued;
3. uniqueidentifyingnumber(s)fromtheApplicant’sidentificationdocument(s),orafacsimileoftheID(s);
4. thedateoftheverification;and5. adeclarationofidentitybytheApplicantthatissigned(inhandwritingorusingadigitalsignature
thatisofequivalentorhigherassurancethanthecredentialbeingissued)inthepresenceofthepersonperformingtheverificationusingtheformatsetforthat28U.S.C.1746(declarationunderpenaltyofperjury)orcomparableprocedureunderlocallaw.
Ifin‐personidentityverificationisrequiredandtheApplicantcannotparticipateinface‐to‐faceregistrationalone(e.g.becauseApplicantisanetworkdevice,minor,orpersonnotlegallycompetent),thentheApplicantmaybeaccompaniedbyapersonalreadycertifiedbythePKIorwhohastherequiredidentitycredentialsforaCertificateofthesametypeappliedforbytheApplicant.ThepersonaccompanyingtheApplicant(i.e.the“Sponsor”)willpresentinformationsufficientforregistrationattheleveloftheCertificatebeingrequested,forhimselforherself,andfortheApplicant.Forin‐personidentityproofingatLevels3and4,DigiCertmayrelyonanentitycertifiedbyastate,federal,ornationalentityasauthorizedtoconfirmidentitiesmayperformtheauthenticationonbehalfoftheRA.ThecertifiedentityshouldforwardtheinformationcollectedfromtheapplicantdirectlytotheRAinasecuremanner.
3.2.3.1. AuthenticationforRole‐basedClientCertificatesDigiCertmayissueCertificatesthatidentifyaspecificrolethattheSubscriberholds,iftheroleidentifiesaspecificindividualwithinanorganization(e.g.,ChiefInformationOfficerisauniqueindividualwhereasProgramAnalystisnot).Theserole‐basedCertificatesareusedwhennon‐repudiationisdesired.DigiCertonlyissuesrole‐basedCertificatestoSubscriberswhofirstobtainanindividualSubscriberCertificatethatisatthesameorhigherassurancelevelastherequestedrole‐basedCertificate.DigiCertmayissueCertificateswiththesameroletomultipleSubscribers.However,DigiCertrequiresthateachCertificatehaveauniqueKeyPair.Individualsmaynotsharetheirissuedrole‐basedCertificatesandarerequiredtoprotecttherole‐basedCertificateinthesamemannerasindividualCertificates.DigiCertverifiestheidentityoftheindividualrequestingarole‐basedCertificate(thesponsor)inaccordancewithSection3.2.3beforeissuingarole‐basedCertificate.ThesponsormustholdaDigiCert‐issuedclientindividualCertificateatthesameorhigherassurancelevelastherole‐basedCertificate.IftheCertificateisapseudonymousCertificatecross‐certifiedwiththeFBCAthatidentifiessubjectsbytheirorganizationalroles,thenDigiCertoranRAvalidatesthattheindividualeitherholdsthatroleorhastheauthoritytosignonbehalfoftherole.Regardingtheissuanceofrole‐basedCertificates,thisCPSrequirescompliancewithallprovisionsofDigiCert’sCPregardingkeygeneration,privatekeyprotection,andSubscriberobligations.IGTFCertificatesarenotissuedasrole‐basedCertificates.
21
3.2.3.2. AuthenticationforGroupClientCertificatesDigiCertissuesgroupCertificates(aCertificatethatcorrespondstoaPrivateKeythatissharedbymultipleSubscribers)ifseveralentitiesareactinginonecapacityandifnon‐repudiationisnotrequired.DirectAddressCertificatesandDirectOrganizationalCertificatesareusedasgroupCertificatesconsistentwithapplicablerequirementsoftheDirectProgram.DigiCertortheRArecordstheinformationidentifiedinSection3.2.3forasponsorbeforeissuingagroupCertificate.ThesponsormustbeatleastanInformationSystemsSecurityOfficer(ISSO)oroftheequivalentrankorgreaterwithintheorganization.ThesponsorisresponsibleforensuringcontrolofthePrivateKey.ThesponsormustmaintainandcontinuouslyupdatealistofSubscriberswithaccesstothePrivateKeyandaccountforthetimeperiodduringwhicheachSubscriberhadcontrolofthekey.GroupCertificatesmaylisttheidentityofanindividualinthesubjectNameDNprovidedthatthesubjectNameDNfieldalsoincludesatextstring,suchas“DirectGroupCert,”sothattheCertificatespecifiesthesubjectisagroupandnotasingleindividual.ClientCertificatesissuedinthiswaytoanorganizationarealwaysconsideredgroupclientCertificates.
3.2.3.3. AuthenticationofDeviceswithHumanSponsorsDigiCertissuesLevel1,2,3or4ClientandFederatedDeviceCertificatesforuseoncomputingornetworkdevices,providedthattheentityowningthedeviceislistedasthesubject.Inallcases,thedevicehasahumansponsorwhoprovides:
Equipmentidentification(e.g.,serialnumber)orservicename(e.g.,DNSname), EquipmentPublicKeys, Equipmentauthorizationsandattributes(ifanyaretobeincludedintheCertificate),and Contactinformation.
IftheCertificate’ssponsorchanges,thenewsponsorisrequiredtoreviewthestatusofeachdevicetoensureitisstillauthorizedtoreceiveCertificates.Eachsponsorisrequiredtoprovideproofthatthedeviceisstillunderthesponsor’scontrolorresponsibilityonrequest.SponsorsarecontractuallyobligatedtonotifyDigiCertiftheequipmentisnolongerinuse,nolongerundertheircontrolorresponsibility,ornolongerrequiresaCertificate.Allregistrationisverifiedcommensuratewiththerequestedcertificatetype.
3.2.4. Non‐verifiedSubscriberInformationThecommonnameofaLevel1‐PersonalClientCertificatesisnotverifiedasthelegalnameoftheSubscriber.DVSSL/TLSServerCertificatesdonotincludeaverifiedorganizationalidentity.Anyothernon‐verifiedinformationincludedinaCertificateisdesignatedassuchintheCertificate.UnverifiedinformationisneverincludedinaLevel2,Level,3,Level4,ObjectSigning,EVSSL/TLSServer,orFederatedDeviceCertificate.
3.2.5. ValidationofAuthorityTheauthorizationofacertificaterequestisverifiedasfollows:
Certificate VerificationDVSSL/TLSServerCertificate
Theauthorityoftherequesterisverifiedbyusingoneormoreoftheprocedureslistedinsection3.2.2.4.oftheBaselineRequirements.
OVSSL/TLSServerandFederatedDeviceCertificates
TherequestisverifiedusingaReliableMethodofCommunication,inaccordancewithsection3.2.5oftheBaselineRequirements.
OSUServerCertificates DigiCertverifiesthattherequesterisadulyauthorizedrepresentativeoftheorganizationasanemployee,partner,member,agent,etc.,andisauthorizedtoactonbehalfoftheorganization.
EVCertificates Therequestisverifiedinaccordancewithsection11.8.3oftheEVGuidelines.
ObjectSigningCertificatesandAdobeSigning
IftheCertificatenamesanorganization,therequester’scontactinformationisverifiedwithanauthoritativesourcewithinthe
22
Certificate VerificationCertificates applicant’sorganizationusingaReliableMethodofCommunication.
Thecontactinformationisthenusedtoconfirmtheauthenticityofthecertificaterequest.
Level1ClientCertificatesPersonal(emailCertificates)andEnterprise(emailCertificates)issuedthroughthenativeDigiCertinfrastructure
TheauthorityoftherequestisverifiedthroughtheemailaddresslistedintheCertificateorwithapersonwhohastechnicaloradministrativecontroloverthedomainortheemailaddresstobelistedintheCertificate.
ClientCertificatesLevels2,3and4CertificatesissuedthroughthenativeDigiCertinfrastructure
TheorganizationnamedintheCertificateconfirmstoDigiCertoranRAthattheindividualisauthorizedtoobtaintheCertificate.TheorganizationisrequiredtorequestrevocationoftheCertificatewhenthataffiliationends.
Class1‐3ClientCertificatesissuedthroughtheacquiredSymantecinfrastructure
IftheCertificatecontainsorganizationinformation,DigiCertobtainsdocumentationfromtheorganizationsufficienttoconfirmthattheindividualhasanaffiliationwiththeorganizationnamedintheCertificate.
DirectAddressandDirectOrganizationCertificates
TheentitynamedintheCertificateauthorizesaHISPtoordertheCertificateandusetherelatedPrivateKeyontheentity’sbehalf.TheHISPISSOisresponsiblefortrackingaccesstoandensuringproperuseofthePrivateKey.
IGTFCertificates Anauthorizedindividualapprovesthecertificaterequest.FordeviceCertificates,theRAretainscontactinformationforeachdevice’sregisteredowner.ThedeviceownerisrequiredtonotifytheRAandrequestrevocationifthedevicesponsorisnolongerauthorizedtousethedeviceortheFQDNintheCertificate.
AnorganizationmaylimitwhoisauthorizedtorequestCertificatesbysendingarequesttoDigiCert.ArequesttolimitauthorizedindividualsisnoteffectiveuntilapprovedbyDigiCert.DigiCertwillrespondtoanorganization’sverifiedrequestforDigiCert’slistofitsauthorizedrequesters.
3.3. IDENTIFICATIONANDAUTHENTICATIONFORRE‐KEYREQUESTS
3.3.1. IdentificationandAuthenticationforRoutineRe‐keySubscribersmayrequestre‐keyofaCertificatepriortoaCertificate’sexpiration.Afterreceivingarequestforre‐key,DigiCertcreatesanewCertificatewiththesamecertificatecontentsexceptforanewPublicKeyand,optionally,anextendedvalidityperiod.IftheCertificatehasanextendedvalidityperiod,DigiCertmayperformsomerevalidationoftheApplicantbutmayalsorelyoninformationpreviouslyprovidedorobtained.
Subscribersre‐establishtheiridentityasfollows:Certificate RoutineRe‐KeyAuthentication Re‐VerificationRequired
DVandOVSSL/TLSServerandDeviceCertificates
Usernameandpassword AccordingtotheBaselineRequirements
EVSSL/TLSCertificates Usernameandpassword AccordingtotheEVGuidelinesSubscriberCodeSigningCertificates(MinimumRequirementsandEV)
Usernameandpassword Atleastevery39months
SigningAuthorityEVCodeSigningCertificates
Usernameandpassword Atleastevery123months
TimestampEVCodeSigningCertificates
Usernameandpassword Atleastevery123months
ObjectSigningCertificates Usernameandpassword Atleasteverysixyears
23
Certificate RoutineRe‐KeyAuthentication Re‐VerificationRequired(includingAdobeSigningCertificates)Level1ClientCertificatesissuedthroughthenativeDigiCertinfrastructure
Usernameandpassword Atleasteverynineyears
Level2ClientCertificatesissuedthroughthenativeDigiCertinfrastructure
Currentsignaturekeyormulti‐factorauthenticationmeetingNISTSP800‐63Level3
Atleasteverynineyears
Level3and4ClientCertificatesissuedthroughthenativeDigiCertinfrastructure
Currentsignaturekeyormulti‐factorauthenticationmeetingNISTSP800‐63Level3
Atleasteverynineyears
Class1‐3ClientCertificatesissuedthroughtheacquiredSymantecinfrastructure
Challengephrase Atleasteverysixyears
FederatedDeviceandFederatedDevice‐hardware
Currentsignaturekeyormulti‐factorauthenticationmeetingNIST‐800‐63Level3
Atleasteverynineyears
IGTFCertificates Usernameandpassword,RAattestationaftercomparisonofidentitydocuments,re‐authenticatethroughanapprovedIdM,orthroughassociatedPrivateKey
Atleastevery13months.However,CertificatesassociatedwithaPrivateKeyrestrictedsolelytoahardwaretokenmayberekeyedorrenewedforaperiodofupto5years
Authentication‐OnlyCertificates
UsernameandpasswordorwithassociatedPrivateKey
None
DigiCertdoesnotre‐keyaCertificatewithoutadditionalauthenticationifdoingsowouldallowtheSubscribertousetheCertificatebeyondthelimitsdescribedabove.
3.3.2. IdentificationandAuthenticationforRe‐keyAfterRevocationIfaCertificatewasrevokedforanyreasonotherthanarenewal,update,ormodificationaction,thentheSubscribermustundergotheinitialregistrationprocesspriortorekeyingtheCertificate.
3.4. IDENTIFICATIONANDAUTHENTICATIONFORREVOCATIONREQUESTDigiCertoranRAauthenticatesallrevocationrequests.DigiCertmayauthenticaterevocationrequestsbyreferencingtheCertificate’sPublicKey,regardlessofwhethertheassociatedPrivateKeyiscompromised.
4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS
4.1. CERTIFICATEAPPLICATION
4.1.1. WhoCanSubmitaCertificateApplicationEithertheApplicantoranindividualauthorizedtorequestCertificatesonbehalfoftheApplicantmaysubmitcertificaterequests.ApplicantsareresponsibleforanydatathattheApplicantoranagentoftheApplicantsuppliestoDigiCert.EVCertificaterequestsmustbesubmittedbyanauthorizedCertificateRequesterandapprovedbyaCertificateApprover.Thecertificaterequestmustbeaccompaniedbyasigned(inwritingorelectronically)SubscriberAgreementfromaContractSigner.
24
DigiCertdoesnotissueCertificatestoentitiesonagovernmentdeniedlistmaintainedbytheUnitedStatesorthatislocatedinacountrywithwhichthelawsoftheUnitedStatesprohibitdoingbusiness.
4.1.2. EnrollmentProcessandResponsibilitiesInnoparticularorder,theenrollmentprocessincludes:
Submittingacertificateapplication, GeneratingaKeyPair, DeliveringthePublicKeyoftheKeyPairtoDigiCert, AgreeingtotheapplicableSubscriberAgreement,and Payinganyapplicablefees.
4.2. CERTIFICATEAPPLICATIONPROCESSING
4.2.1. PerformingIdentificationandAuthenticationFunctionsAfterreceivingacertificateapplication,DigiCertoranRAverifiestheapplicationinformationandotherinformationinaccordancewithSection3.2.Priortoissuingapublicly‐trustedSSL/TLSServerCertificate,DigiCertcheckstheDNSfortheexistenceofaCAArecordforeachdNSNameinthesubjectAltNameextensionofthecertificatetobeissued,accordingtotheprocedureinRFC6844.IftheCertificateisissued,itwillbeissuedwithintheTTLoftheCAArecord,or8hours,whicheverisgreater.DigiCertprocessesthe“issue”and“issuewild”propertytagsandmaynotdispatchreportsofissuancerequeststothecontact(s)listedinan“iodef”propertytag.CAAcheckingisoptionalforCertificatesissuedbyaTechnicallyConstrainedSubordinateCACertificateassetoutinBaselineRequirementssection7.1.5.TheCertificationAuthorityCAAidentifyingdomainsforCAswithinDigiCert’soperationalcontrolare“digicert.com”,“digicert.ne.jp”,"cybertrust.ne.jp”,“symantec.com”,“thawte.com”,“geotrust.com”,“rapidssl.com”,“digitalcertvalidation.com”(withreseller‐specificlicensedprefixes)andanydomaincontainingthoseidentifyingdomainsassuffixes(e.g.example.digicert.com).IfanRAassistsintheverification,theRAmustcreateandmaintainrecordssufficienttoestablishthatithasperformeditsrequiredverificationtasksandcommunicatethecompletionofsuchperformancetoDigiCert.Afterverificationiscomplete,DigiCertevaluatesthecorpusofinformationanddecideswhetherornottoissuetheCertificate.Aspartofthisevaluation,DigiCertcheckstheCertificateagainstaninternaldatabaseofpreviouslyrevokedCertificatesandrejectedcertificaterequeststoidentifysuspiciouscertificaterequests.IfsomeorallofthedocumentationusedtosupportanapplicationisinalanguageotherthanEnglish,aDigiCertemployee,RA,oragentskilledinthelanguageperformsthefinalcross‐correlationandduediligence.DigiCertconsidersasource’savailability,purpose,andreputationwhendeterminingwhetherathirdpartysourceisreasonablyreliable.DigiCertdoesnotconsideradatabase,source,orformofidentificationreasonablyreliableifDigiCertortheRAisthesolesourceoftheinformation.
4.2.2. ApprovalorRejectionofCertificateApplicationsDigiCertrejectsanycertificateapplicationthatDigiCertoranRAcannotverify.DigiCertdoesnotissueCertificatescontaininganewgTLDunderconsiderationbyICANNuntilthegTLDhasbeenapproved.DigiCertmayalsorejectacertificateapplicationifDigiCertbelievesthatissuingtheCertificatecoulddamageordiminishDigiCert’sreputationorbusiness.ExceptforEnterpriseEVCertificates,EVCertificateissuanceapprovalrequirestwoseparateDigiCertvalidationspecialists.ThesecondvalidationspecialistcannotbethesameindividualwhocollectedthedocumentationandoriginallyapprovedtheEVCertificate.Thesecondvalidationspecialistreviewsthecollectedinformationanddocumentsanydiscrepanciesordetailsthatrequirefurtherexplanation.ThesecondvalidationspecialistmayrequireadditionalexplanationsanddocumentspriortoauthorizingtheCertificate’sissuance.EnterpriseRAsmayperformthefinalcross‐correlationandduediligencedescribedhereinusingasinglepersonrepresentingtheEnterpriseRA.Ifsatisfactoryexplanationsand/oradditional
25
documentsarenotreceivedwithinareasonabletime,DigiCertwillrejecttheEVCertificaterequestandnotifytheApplicantaccordingly.IfthecertificateapplicationisnotrejectedandissuccessfullyvalidatedinaccordancewiththisCPS,DigiCertwillapprovethecertificateapplicationandissuetheCertificate.DigiCertisnotliableforanyrejectedCertificateandisnotobligatedtodisclosethereasonsforarejection.RejectedApplicantsmayre‐apply.SubscribersarerequiredtochecktheCertificate’scontentsforaccuracypriortousingthecertificate.
4.2.3. TimetoProcessCertificateApplicationsUndernormalcircumstances,DigiCertverifiesanApplicant’sinformationandissuesadigitalCertificatewithinareasonabletimeframe.IssuancetimeframesaregreatlydependentonwhentheApplicantprovidesthedetailsanddocumentationnecessarytocompletevalidation.Fornon‐EVSSL/TLSServerCertificates,DigiCertwillusuallycompletethevalidationprocessandissueorrejectacertificateapplicationwithintwoworkingdaysafterreceivingallofthenecessarydetailsanddocumentationfromtheApplicant,althougheventsoutsideofthecontrolofDigiCertcandelaytheissuanceprocess.
4.3. CERTIFICATEISSUANCE
4.3.1. CAActionsduringCertificateIssuanceDigiCertconfirmsthesourceofacertificaterequestbeforeissuance.DigiCertdoesnotissueendentityCertificatesdirectlyfromitsrootCertificates.DigiCertlogsthoseSSL/TLSServerCertificatesintendedtobetrustedinChromeintwoormoreCertificateTransparencydatabases.SeeRFC6962.CertificateissuancebytheRootCArequiresanindividualauthorizedbyDigiCert(i.e.theCAsystemoperator,systemofficer,orPKIadministrator)todeliberatelyissueadirectcommandinorderfortheRootCAtoperformacertificatesigningoperation.DatabasesandCAprocessesoccurringduringcertificateissuanceareprotectedfromunauthorizedmodification.Afterissuanceiscomplete,theCertificateisstoredinadatabaseandsenttotheSubscriber.
4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificateDigiCertmaydeliverCertificatesinanysecuremannerwithinareasonabletimeafterissuance.Generally,DigiCertdeliversCertificatesviaemailtotheemailaddressdesignatedbytheSubscriberduringtheapplicationprocess.
4.4. CERTIFICATEACCEPTANCE
4.4.1. ConductConstitutingCertificateAcceptanceSubscribersaresolelyresponsibleforinstallingtheissuedCertificateontheSubscriber’scomputerorhardwaresecuritymodule.Certificatesareconsideredaccepted30daysaftertheCertificate’sissuance,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.
4.4.2. PublicationoftheCertificatebytheCADigiCertpublishesallCACertificatesinitsrepository.DigiCertpublishesend‐entityCertificatesbydeliveringthemtotheSubscriber.
4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’sissuanceiftheRAwasinvolvedintheissuanceprocess.TheFPKIPAwillbenotifiedatleasttwoweekspriortotheissuanceofanewCAcertificateorissuanceofnewinter‐organizationalCAcross‐certificates.ThenotificationshallassertthatthenewCAcross‐certificationdoesnotintroducemultiplepathstoaCAalreadyparticipatingintheFPKI.Inaddition,allnewartifacts(CAcertificates,CRLDP,AIAand/orSIAURLs,etc.)producedasaresultoftheCAcertificateissuanceshallbeprovidedtotheFPKIPAwithin24hoursfollowingissuance.
26
4.5. KEYPAIRANDCERTIFICATEUSAGE
4.5.1. SubscriberPrivateKeyandCertificateUsageSubscribersarecontractuallyobligatedtoprotecttheirPrivateKeysfromunauthorizeduseordisclosure,discontinueusingaPrivateKeyafterexpirationorrevocationoftheassociatedCertificate,anduseCertificatesinaccordancewiththeirintendedpurpose.
4.5.2. RelyingPartyPublicKeyandCertificateUsageRelyingPartiesmayonlyusesoftwarethatiscompliantwithX.509,IETFRFCs,andotherapplicablestandards.DigiCertdoesnotwarrantthatanythirdpartysoftwarewillsupportorenforcethecontrolsandrequirementsfoundherein.ARelyingPartyshouldusediscretionwhenrelyingonaCertificateandshouldconsiderthetotalityofthecircumstancesandriskoflosspriortorelyingonaCertificate.Ifthecircumstancesindicatethatadditionalassurancesarerequired,theRelyingPartymustobtainsuchassurancesbeforeusingtheCertificate.AnywarrantiesprovidedbyDigiCertareonlyvalidifaRelyingParty’sreliancewasreasonableandiftheRelyingPartyadheredtotheRelyingPartyAgreementsetforthintheDigiCertrepository.ARelyingPartyshouldrelyonadigitalsignatureorSSL/TLShandshakeonlyif:
1. thedigitalsignatureorSSL/TLSsessionwascreatedduringtheoperationalperiodofavalidCertificateandcanbeverifiedbyreferencingavalidCertificate,
2. theCertificateisnotrevokedandtheRelyingPartycheckedtherevocationstatusoftheCertificatepriortotheCertificate’susebyreferringtotherelevantCRLsorOCSPresponses,and
3. theCertificateisbeingusedforitsintendedpurposeandinaccordancewiththisCPS.Beforerelyingonatime‐stamptoken,aRelyingPartymust:
1. verifythatthetime‐stamptokenhasbeencorrectlysignedandthatthePrivateKeyusedtosignthetime‐stamptokenhasnotbeencompromisedpriortothetimeoftheverification,
2. takeintoaccountanylimitationsontheusageofthetime‐stamptokenindicatedbythetime‐stamppolicy,and
3. takeintoaccountanyotherprecautionsprescribedinthisCPSorelsewhere.
4.6. CERTIFICATERENEWAL
4.6.1. CircumstanceforCertificateRenewalDigiCertmayrenewaCertificateif:
theassociatedPublicKeyhasnotreachedtheendofitsvalidityperiod, theSubscriberandattributesareconsistent,and theassociatedPrivateKeyremainsuncompromised.
DigiCertmayalsorenewaCertificateifaCACertificateisre‐keyedorasotherwisenecessarytoprovideservicestoacustomer.DigiCertmaynotifySubscriberspriortoaCertificate’sexpirationdate.Certificaterenewalrequirespaymentofadditionalfees.
4.6.2. WhoMayRequestRenewalOnlythecertificatesubjectoranauthorizedrepresentativeofthecertificatesubjectmayrequestrenewaloftheSubscriber’sCertificates.ForCertificatescross‐certifiedwiththeFBCA,renewalrequestsareonlyacceptedfromcertificatesubjects,PKIsponsors,orRAs.DigiCertmayrenewaCertificatewithoutacorrespondingrequestifthesigningCertificateisre‐keyed.
4.6.3. ProcessingCertificateRenewalRequestsRenewalapplicationrequirementsandproceduresaregenerallythesameasthoseusedduringtheCertificate’soriginalissuance.DigiCertmayelecttoreusepreviouslyverifiedinformationinitssolediscretionbutwillrefreshanyinformationthatisolderthantheperiodsspecifiedintheBaseline
27
RequirementsorEVGuidelines,asapplicable.DigiCertmayrefusetorenewaCertificateifitcannotverifyanyrecheckedinformation.IfanindividualisrenewingaclientCertificateandtherelevantinformationhasnotchanged,thenDigiCertdoesnotrequireanyadditionalidentityvetting.Somedeviceplatforms,e.g.Apache,allowreneweduseofthePrivateKey.IfthePrivateKeyanddomaininformationhavenotchanged,theSubscribermayrenewtheSSL/TLSServerCertificateusingapreviouslyissuedCertificateorprovidedCSR.
4.6.4. NotificationofNewCertificateIssuancetoSubscriberDigiCertmaydelivertheCertificateinanysecurefashion,typicallybyemailorbyprovidingtheSubscriberahypertextlinktoauserid/password‐protectedlocationwherethesubscribermayloginanddownloadtheCertificate.
4.6.5. ConductConstitutingAcceptanceofaRenewalCertificateRenewedCertificatesareconsideredaccepted30daysaftertheCertificate’srenewal,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.
4.6.6. PublicationoftheRenewalCertificatebytheCADigiCertpublishesarenewedCertificatebydeliveringittotheSubscriber.AllrenewedCACertificatesarepublishedinDigiCert’srepository.
4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’srenewaliftheRAwasinvolvedintheissuanceprocess.
4.7. CERTIFICATERE‐KEY
4.7.1. CircumstanceforCertificateRekeyRe‐keyingaCertificateconsistsofcreatinganewCertificatewithanewPublicKeyandserialnumberwhilekeepingthesubjectinformationthesame.ThenewCertificatemayhaveadifferentvaliditydate,keyidentifiers,CRLandOCSPdistributionpoints,andsigningkey.Afterre‐keyingaCertificate,DigiCertmayrevoketheoldCertificatebutmaynotfurtherre‐key,renew,ormodifythepreviousCertificate.Subscribersrequestingre‐keyshouldidentifyandauthenticatethemselvesaspermittedbysection3.3.1.
4.7.2. WhoMayRequestCertificateRekeyDigiCertwillonlyacceptre‐keyrequestsfromthesubjectoftheCertificateorthePKIsponsor.DigiCertmayinitiateacertificatere‐keyattherequestofthecertificatesubjectorinDigiCert’sowndiscretion.
4.7.3. ProcessingCertificateRekeyRequestsDigiCertwillonlyacceptre‐keyrequestsfromthesubjectoftheCertificateorthePKIsponsor.IfthePrivateKeyandanyidentityanddomaininformationinaCertificatehavenotchanged,thenDigiCertcanissueareplacementCertificateusingapreviouslyissuedCertificateorpreviouslyprovidedCSR.DigiCertre‐usesexistingverificationinformationunlessre‐verificationandauthenticationisrequiredundersection3.3.1orifDigiCertbelievesthattheinformationhasbecomeinaccurate.
4.7.4. NotificationofCertificateRekeytoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeaftertheCertificateissues.
4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificateIssuedCertificatesareconsideredaccepted30daysaftertheCertificateisrekeyed,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.
4.7.6. PublicationoftheIssuedCertificatebytheCADigiCertpublishesrekeyedCertificatesbydeliveringthemtoSubscribers.
28
4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’srekeyiftheRAwasinvolvedintheissuanceprocess.
4.8. CERTIFICATEMODIFICATION
4.8.1. CircumstancesforCertificateModificationModifyingaCertificatemeanscreatinganewCertificateforthesamesubjectwithauthenticatedinformationthatdiffersslightlyfromtheoldCertificate(e.g.,changestoemailaddressornon‐essentialpartsofnamesorattributes)providedthatthemodificationotherwisecomplieswiththisCPS.ThenewCertificatemayhavethesameoradifferentsubjectPublicKey.AftermodifyingaCertificatethatiscross‐certifiedwiththeFBCA,DigiCertmayrevoketheoldCertificatebutwillnotfurtherre‐key,renew,ormodifytheoldCertificate.
4.8.2. WhoMayRequestCertificateModificationDigiCertmodifiesCertificatesattherequestofcertaincertificatesubjectsorinitsowndiscretion.DigiCertdoesnotmakecertificatemodificationservicesavailabletoallSubscribers.
4.8.3. ProcessingCertificateModificationRequestsAfterreceivingarequestformodification,DigiCertverifiesanyinformationthatwillchangeinthemodifiedCertificate.DigiCertwillonlyissuethemodifiedCertificateaftercompletingtheverificationprocessonallmodifiedinformation.DigiCertwillnotissueamodifiedCertificatethathasavalidityperiodthatexceedstheapplicabletimelimitsfoundinsection3.3.1or6.3.2.
4.8.4. NotificationofCertificateModificationtoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeaftertheCertificateissues.
4.8.5. ConductConstitutingAcceptanceofaModifiedCertificateModifiedCertificatesareconsideredaccepted30daysaftertheCertificateismodified,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.
4.8.6. PublicationoftheModifiedCertificatebytheCADigiCertpublishesmodifiedCertificatesbydeliveringthemtoSubscribers.
4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’smodificationiftheRAwasinvolvedintheissuanceprocess.
4.9. CERTIFICATEREVOCATIONANDSUSPENSION
4.9.1. CircumstancesforRevocationRevocationofaCertificatepermanentlyendstheoperationalperiodoftheCertificatepriortotheCertificatereachingtheendofitsstatedvalidityperiod.PriortorevokingaCertificate,DigiCertverifiestheidentityandauthorityoftheentityrequestingrevocation.DigiCertwillrevokeaCertificatewithin24hoursifoneormoreofthefollowingoccurs:
1. TheSubscriberrequestsinwritingthatDigiCertrevoketheCertificate;
2. TheSubscribernotifiesDigiCertthattheoriginalCertificaterequestwasnotauthorizedanddoesnotretroactivelygrantauthorization;
3. DigiCertobtainsevidencethattheSubscriber’sPrivateKeycorrespondingtothePublicKeyintheCertificatesufferedaKeyCompromise;or
4. DigiCertobtainsevidencethatthevalidationofdomainauthorizationorcontrolforanyFDQNorIPaddressintheCertificateshouldnotbereliedupon.
DigiCertmayrevokeacertificatewithin24hoursandwillrevokeaCertificatewithin5daysifoneormoreofthefollowingoccurs:
29
1. TheCertificatenolongercomplieswiththerequirementsofSections6.1.5and6.1.6oftheCA/Bforumbaselinerequirements;
2. DigiCertobtainsevidencethattheCertificatewasmisused;
3. TheSubscriberorthecross‐certifiedCAbreachedamaterialobligationundertheCP,thisCPS,ortherelevantagreement;
4. DigiCertconfirmsanycircumstanceindicatingthatuseofaFQDNorIPaddressintheCertificateisnolongerlegallypermitted(e.g.acourtorarbitratorhasrevokedaDomainNameregistrant’srighttousetheDomainName,arelevantlicensingorservicesagreementbetweentheDomainNameregistrantandtheApplicanthasterminated,ortheDomainNameregistranthasfailedtorenewtheDomainName);
5. DigiCertconfirmsthataWildcardCertificatehasbeenusedtoauthenticateafraudulentlymisleadingsubordinateFQDN;
6. DigiCertconfirmsamaterialchangeintheinformationcontainedintheCertificate;
7. DigiCertconfirmsthattheCertificatewasnotissuedinaccordancewiththeCA/BforumrequirementsortheDigiCertCPorthisCPS;
8. DigiCertdeterminesorconfirmsthatanyoftheinformationappearingintheCertificateisinaccurate;
9. DigiCert’srighttoissueCertificatesundertheCA/Bforumrequirementsexpiresorisrevokedorterminated,unlessDigiCerthasmadearrangementstocontinuemaintainingtheCRL/OCSPRepository;
10. RevocationisrequiredbytheDigiCertCPand/orthisCPS;or
11. DigiCertconfirmsademonstratedorprovenmethodthatexposestheSubscriber’sPrivateKeytocompromise,methodshavebeendevelopedthatcaneasilycalculateitbasedonthePublicKey(suchasadebianweakkey,seehttp://wiki.debian.org/SSLkeys),orifthereisclearevidencethatthespecificmethodusedtogeneratethePrivateKeywasflawed.
DigiCertmayrevokeanyCertificateinitssolediscretion,includingifDigiCertbelievesthat:
1. EithertheSubscriber’sorDigiCert’sobligationsundertheCPorthisCPSaredelayedorpreventedbycircumstancesbeyondtheparty’sreasonablecontrol,includingcomputerorcommunicationfailure,and,asaresult,anotherentity’sinformationismateriallythreatenedorcompromised;
2. DigiCertreceivedalawfulandbindingorderfromagovernmentorregulatorybodytorevoketheCertificate;
3. DigiCertceasedoperationsanddidnotarrangeforanotherCertificateauthoritytoproviderevocationsupportfortheCertificates;
4. ThetechnicalcontentorformatoftheCertificatepresentsanunacceptablerisktoapplicationsoftwarevendors,RelyingParties,orothers;
5. TheSubscriberwasaddedasadeniedpartyorprohibitedpersontoablacklistorisoperatingfromadestinationprohibitedunderthelawsoftheUnitedStates;
6. ForAdobeSigningCertificates,Adobehasrequestedrevocation;or7. Forcode‐signingCertificates,theCertificatewasusedtosign,publish,ordistributemalware,code
thatisdownloadedwithoutuserconsent,orotherharmfulcontent.DigiCertalwaysrevokesaCertificateifthebindingbetweenthesubjectandthesubject’sPublicKeyinthecertificateisnolongervalidorifanassociatedPrivateKeyiscompromised.DigiCertwillrevokeaSubordinateCACertificatewithinseven(7)daysifoneormoreofthefollowingoccurs:
1. TheSubordinateCArequestsrevocationinwriting;
30
2. TheSubordinateCAnotifiesDigiCertthattheoriginalCertificaterequestwasnotauthorizedanddoesnotretroactivelygrantauthorization;
3. DigiCertobtainsevidencethattheSubordinateCA’sPrivateKeycorrespondingtothePublicKeyintheCertificatesufferedakeycompromiseornolongercomplieswiththerequirementsofSections6.1.5and6.1.6oftheCA/Bforumbaselinerequirements;
4. DigiCertobtainsevidencethattheCACertificatewasmisused;5. DigiCertconfirmsthattheCACertificatewasnotissuedinaccordancewithorthatSubordinateCA
hasnotcompliedwiththisdocumentortheapplicableCertificatePolicyorCertificationPracticeStatement;
6. DigiCertdeterminesthatanyoftheinformationappearingintheCACertificateisinaccurateormisleading;
7. DigiCertortheSubordinateCAceasesoperationsforanyreasonandhasnotmadearrangementsforanotherCAtoproviderevocationsupportfortheCACertificate;
8. DigiCert’sortheSubordinateCA'srighttoissueCertificatesundertheBaselineRequirementsexpiresorisrevokedorterminated,unlessDigiCerthasmadearrangementstocontinuemaintainingtheCRL/OCSPRepository;
9. RevocationisrequiredbyDigiCert’sCertificatePolicyand/orCertificationPracticeStatement;or10.ThetechnicalcontentorformatoftheCACertificatepresentsanunacceptablerisktoapplication
softwaresuppliersorRelyingParties.DigiCertwillrevokeacross‐Certificateifthecross‐certifiedentity(includingDigiCert)nolongermeetsthestipulationsofthecorrespondingpolicies,asindicatedbypolicyOIDslistedinthepolicymappingextensionofthecross‐Certificate.
4.9.2. WhoCanRequestRevocationAnyappropriatelyauthorizedparty,suchasarecognizedrepresentativeofasubscriberorcross‐signedpartner,mayrequestrevocationofaCertificate.DigiCertmayrevokeaCertificatewithoutreceivingarequestandwithoutreason.Thirdpartiesmayrequestcertificaterevocationforproblemsrelatedtofraud,misuse,orcompromise.Certificaterevocationrequestsmustidentifytheentityrequestingrevocationandspecifythereasonforrevocation.
4.9.3. ProcedureforRevocationRequestDigiCertprocessesarevocationrequestasfollows:
1. DigiCertlogstheidentityofentitymakingtherequestorproblemreportandthereasonforrequestingrevocationbasedonthelistinsection4.9.1.DigiCertmayalsoincludeitsownreasonsforrevocationinthelog.
2. DigiCertmayrequestconfirmationoftherevocationfromaknownadministrator,whereapplicable,viaout‐of‐bandcommunication(e.g.,telephone,fax,etc.).
3. IftherequestisauthenticatedasoriginatingfromtheSubscriber,DigiCertrevokestheCertificatebasedonthetimeframeslistedin4.9.1aslistedforthereasonforrevocation.
4. Forrequestsfromthirdparties,DigiCertpersonnelbegininvestigatingtherequestwithin24hoursafterreceiptanddecidewhetherrevocationisappropriatebasedonthefollowingcriteria:
a. thenatureoftheallegedproblem,b. thenumberofreportsreceivedaboutaparticularCertificateorwebsite,c. theidentityofthecomplainants(forexample,complaintsfromalawenforcementofficial
thatawebsiteisengagedinillegalactivitieshavemoreweightthanacomplaintfromaconsumerallegingtheyneverreceivedthegoodstheyordered),and
d. relevantlegislation.5. IfDigiCertdeterminesthatrevocationisappropriate,DigiCertpersonnelrevoketheCertificateand
updatetheCRL.IfDigiCertdeemsappropriate,DigiCertmayforwardtherevocationreportstolawenforcement.TheFPKIPAshallbenotifiedatleasttwoweekspriortotherevocationofaCAcertificate,wheneverpossible.Foremergencyrevocation,CAsshallfollowthenotificationproceduresinSection5.7.
31
DigiCertmaintainsacontinuous24/7abilitytointernallyrespondtoanyhighpriorityrevocationrequests.
4.9.4. RevocationRequestGracePeriodSubscribersarerequiredtorequestrevocationwithinonedayafterdetectingthelossorcompromiseofthePrivateKey.DigiCertmaygrantandextendrevocationgraceperiodsonacase‐by‐casebasis.DigiCertreportsthesuspectedcompromiseofitsCAPrivateKeyandrequestsrevocationtoboththepolicyauthorityandoperatingauthorityofthesuperiorissuingCAwithinonehourofdiscovery.
4.9.5. TimewithinwhichCAMustProcesstheRevocationRequestDigiCertwillrevokeaCACertificatewithinonehourafterreceivingclearinstructionsfromtheDCPA.Within24hoursafterreceivingaCertificateproblemreport,DigiCertinvestigatesthefactsandcircumstancesrelatedtoaCertificateproblemreportandwillprovideapreliminaryreportonitsfindingstoboththeSubscriberandtheentitywhofiledtheCertificateproblemreport.Afterreviewingthefactsandcircumstances,DigiCertworkswiththeSubscriberandanyentityreportingtheCertificateproblemreportorotherrevocation‐relatednoticetoestablishwhetherornotthecertificatewillberevoked,andifso,adatewhichDigiCertwillrevokethecertificate.TheperiodfromreceiptoftheCertificateproblemreportorrevocation‐relatednoticetopublishedrevocationmustnotexceedthetimeframesetforthinSection4.9.1.ThedateselectedbyDigiCertwillconsiderthefollowingcriteria:
1. Thenatureoftheallegedproblem(scope,context,severity,magnitude,riskofharm);
2. Theconsequencesofrevocation(directandcollateralimpactstoSubscribersandRelyingParties);
3. ThenumberofCertificateproblemreportsreceivedaboutaparticularCertificateorSubscriber;
4. Theentitymakingthecomplaint(forexample,acomplaintfromalawenforcementofficialthataWebsiteisengagedinillegalactivitiesshouldcarrymoreweightthanacomplaintfromaconsumerallegingthatshedidn’treceivethegoodssheordered);and
5. Relevantlegislation.
Undernormaloperatingcircumstances,DigiCertwillrevokeCertificatesasquicklyaspracticalaftervalidatingtherevocationrequestfollowingtheguidelinesofthissectionandSection4.9.1,generallywithinthefollowingtimeframes:
Certificaterevocationrequestsforpublicly‐trustedCertificatesareprocessedwithin18hoursaftertheirreceipt,
RevocationrequestsreceivedtwoormorehoursbeforeCRLissuanceareprocessedbeforethenextCRLispublished,and
RevocationrequestsreceivedwithintwohoursofCRLissuanceareprocessedbeforethefollowingCRLispublished.
4.9.6. RevocationCheckingRequirementforRelyingPartiesPriortorelyingoninformationlistedinaCertificate,aRelyingPartymustconfirmthevalidityofeachCertificateinthecertificatepathinaccordancewithIETFPKIXstandards,includingcheckingforcertificatevalidity,issuer‐to‐subjectnamechaining,policyandkeyuseconstraints,andrevocationstatusthroughCRLsorOCSPrespondersidentifiedineachCertificateinthechain.
4.9.7. CRLIssuanceFrequencyDigiCertusesitsofflinerootCAstopublishCRLsforitsintermediateCAsatleastevery6months.ForanofflineCAthathasbeencross‐signedbytheFederalBridgeCAandonlyissuesCACertificates,certificate‐status‐checkingcertificates,orinternaladministrativeCertificates,DigiCertissuesaCRLatleastevery31days.AllotherCRLsarepublishedatleastevery24hours.IfaCertificateisrevokedforreasonofkeycompromise,aninterimCRLispublishedassoonasfeasible,butnolaterthan18hoursafterreceiptofthenoticeofkeycompromise.
32
4.9.8. MaximumLatencyforCRLsCRLsforCertificatesissuedtoendentitysubscribersarepostedautomaticallytotheonlinerepositorywithinacommerciallyreasonabletimeaftergeneration,usuallywithinminutesofgeneration.Irregular,interim,oremergencyCRLsandallCRLsforCAschainingtotheFederalBridgearepostedwithinfourhoursaftergeneration.RegularlyscheduledCRLsarepostedpriortothenextUpdatefieldinthepreviouslyissuedCRLofthesamescope.
4.9.9. On‐lineRevocation/StatusCheckingAvailabilityDigiCertmakescertificatestatusinformationavailableviaOCSPforSSL/TLSServerCertificates.OCSPmaynotbeavailableforotherkindsofCertificates.WhereOCSPsupportisrequiredbytheapplicableCP,OCSPresponsesareprovidedwithinacommerciallyreasonabletimeandnolaterthansixsecondsaftertherequestisreceived,subjecttotransmissionlatenciesovertheInternet.OCSPresponsesconformtoRFC5019and/orRFC6960.OCSPresponseseither:
1. AresignedbytheCAthatissuedtheCertificateswhoserevocationstatusisbeingchecked,or2. AresignedbyanOCSPResponderwhoseCertificateissignedbytheCAthatissuedthe
Certificatewhoserevocationstatusisbeingchecked.Inthelattercase,theOCSPsigningCertificatecontainsanextensionoftypeid‐pkix‐ocsp‐nocheck,asdefinedbyRFC6960.
4.9.10. On‐lineRevocationCheckingRequirementsArelyingpartymustconfirmthevalidityofaCertificateinaccordancewithsection4.9.6priortorelyingontheCertificate.DigiCertsupportsanOCSPcapabilityusingtheGETmethodforCertificatesissuedinaccordancewiththeBaselineRequirements.OCSPRespondersunderDigiCert’sdirectcontrolwillnotrespondwitha"good"statusforacertificatethathasnotbeenissued.
4.9.11. OtherFormsofRevocationAdvertisementsAvailableNostipulation.
4.9.12. SpecialRequirementsRelatedtoKeyCompromiseDigiCertusescommerciallyreasonableeffortstonotifypotentialRelyingPartiesifitdiscoversorsuspectsthecompromiseofaPrivateKey.DigiCertwilltransitionanyrevocationreasoncodeinaCRLto“keycompromise”upondiscoveryofsuchreasonorasrequiredbyanapplicableCP.IfaCertificateisrevokedbecauseofcompromise,DigiCertwillissueanewCRLwithin18hoursafterreceivingnoticeofthecompromise.
4.9.13. CircumstancesforSuspensionNotapplicable.
4.9.14. WhoCanRequestSuspensionNotapplicable.
4.9.15. ProcedureforSuspensionRequestNotapplicable.
4.9.16. LimitsonSuspensionPeriodNotapplicable.
33
4.10. CERTIFICATESTATUSSERVICES
4.10.1. OperationalCharacteristicsCertificatestatusinformationisavailableviaCRLandOCSPresponder.TheserialnumberofarevokedCertificateremainsontheCRLuntiloneadditionalCRLispublishedaftertheendoftheCertificate’svalidityperiod,exceptforrevokedCodeSigningCertificatesandEVCodeSigningCertificates,whichremainontheCRLforatleast10yearsfollowingtheCertificate’svalidityperiod.OCSPinformationforsubscriberCertificatesisupdatedatleasteveryfourdays.OCSPinformationforsubordinateCACertificatesisupdatedatleastevery12monthsandwithin24hoursafterrevokingtheCertificate.
4.10.2. ServiceAvailabilityCertificatestatusservicesareavailable24x7withoutinterruption.ThisincludestheonlinerepositorythatapplicationsoftwarecanusetoautomaticallycheckthecurrentstatusofallunexpiredCertificatesissuedbyDigiCert.DigiCertoperatesandmaintainsitsCRLandOCSPcapabilitywithresourcessufficienttoprovidearesponsetimeoftensecondsorlessundernormaloperatingconditions.DigiCertalsomaintainsacontinuous24x7abilitytorespondinternallytoahigh‐priorityCertificateProblemReport,andwhereappropriate,forwardsuchacomplainttolawenforcementauthorities,and/orrevokeaCertificatethatisthesubjectofsuchacomplaint.
4.10.3. OptionalFeaturesOCSPRespondersmaynotbeavailableforallcertificatetypes.
4.11. ENDOFSUBSCRIPTIONASubscriber’ssubscriptionserviceendsifitsCertificateexpiresorisrevokedoriftheapplicableSubscriberAgreementexpireswithoutrenewal.
4.12. KEYESCROWANDRECOVERY
4.12.1. KeyEscrowandRecoveryPolicyPractices
DigiCertneverescrowsCAPrivateKeys.DigiCertmayescrowSubscriberkeymanagementkeystoprovidekeyrecoveryservices.DigiCertencryptsandprotectsescrowedPrivateKeysusingthesameorahigherlevelofsecurityasusedtogenerateanddeliverthePrivateKey.ForCertificatescross‐certifiedwiththeFBCA,thirdpartiesarenotpermittedtoholdtheSubscribersignaturekeysintrust.DigiCertallowsSubscribersandotherauthorizedentitiestorecoverescrowed(decryption)PrivateKeys.DigiCertusesmulti‐personcontrolsduringkeyrecoverytopreventunauthorizedaccesstoaSubscriber’sescrowedPrivateKeys.DigiCertacceptskeyrecoveryrequests:
FromtheSubscriberorSubscriber’sorganization,iftheSubscriberhaslostordamagedtheprivate‐keytoken;
FromtheSubscriber’sorganization,iftheSubscriberisnotavailableorisnolongerpartoftheorganizationthatcontractedwithDigiCertforPrivateKeyescrow;
Fromanauthorizedinvestigatororauditor,ifthePrivateKeyispartofarequiredinvestigationoraudit;
Fromarequesterauthorizedbyacompetentlegalauthoritytoaccessthecommunicationthatisencryptedusingthekey;
Fromarequesterauthorizedbylaworgovernmentalregulation;or FromanentitycontractingwithDigiCertforescrowofthePrivateKeywhenkeyrecoveryismission
criticalormissionessential.EntitiesusingDigiCert’skeyescrowservicesarerequiredto:
34
NotifySubscribersthattheirPrivateKeysareescrowed; Protectescrowedkeysfromunauthorizeddisclosure; ProtectanyauthenticationmechanismsthatcouldbeusedtorecoverescrowedPrivateKeys; Releaseanescrowedkeyonlyaftermakingorreceiving(asapplicable)aproperlyauthorizedrequest
forrecovery;and Complywithanylegalobligationstodiscloseorkeepconfidentialescrowedkeys,escrowedkey‐
relatedinformation,orthefactsconcerninganykeyrecoveryrequestorprocess.
4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices
Nostipulation.
5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS
5.1. PHYSICALCONTROLS
5.1.1. SiteLocationandConstructionDigiCertperformsitsCAandTSAoperationsfromsecureandgeographicallydiversecommercialdatacenters.ThedatacentersareequippedwithlogicalandphysicalcontrolsthatmakeDigiCert’sCAandTSAoperationsinaccessibletonon‐trustedpersonnel.DigiCertoperatesunderasecuritypolicydesignedtodetect,deter,andpreventunauthorizedaccesstoDigiCert'soperations.
5.1.2. PhysicalAccess
5.1.2.1. DataCentersDigiCertprotectsitsequipment(includingcertificatestatusserversandCMSequipment)fromunauthorizedaccessandimplementsphysicalcontrolstoreducetheriskofequipmenttampering.ThedatacenterswhereDigiCert’sCAandTSAsystemsoperatehavesecuritypersonnelondutyfulltime(24hoursperday,365daysperyear).AccesstothedatacentershousingtheCAandTSAplatformsrequirestwo‐factorauthentication—theindividualmusthaveanauthorizedaccesscardandpassbiometricaccesscontrolauthenticators.Thesebiometricauthenticationaccesssystemslogeachuseoftheaccesscard.DigiCertdeactivatesandsecurelystoresitsCAequipmentwhennotinuse.Activationdatamusteitherbememorizedorrecordedandstoredinamannercommensuratewiththesecurityaffordedthecryptographicmodule.ActivationdataisneverstoredwiththecryptographicmoduleorremovablehardwareassociatedwithequipmentusedtoadministerDigiCert’sPrivateKeys.Cryptographichardwareincludesamechanismtolockthehardwareafteracertainnumberoffailedloginattempts.TheDigiCertdatacentersarecontinuouslyattended.However,ifDigiCerteverbecomesawarethatadatacenteristobeleftunattendedorhasbeenleftunattendedforanextendedperiodoftime,DigiCertpersonnelwillperformasecuritycheckofthedatacentertoverifythat:
1. DigiCert’sequipmentisinastateappropriatetothecurrentmodeofoperation,2. Anysecuritycontainersareproperlysecured,3. Physicalsecuritysystems(e.g.,doorlocks)arefunctioningproperly,and4. Theareaissecuredagainstunauthorizedaccess.
DigiCert’sadministratorsareresponsibleformakingthesechecksandmustsignoffthatallnecessaryphysicalprotectionmechanismsareinplaceandactivated.Theidentityoftheindividualmakingthecheckislogged.
5.1.2.2. RAOperationsAreasDigiCert’sRAoperationsareprotectedusingphysicalaccesscontrolsmakingthemaccessibleonlytoappropriatelyauthorizedindividuals.Accesstosecureareasofbuildingsrequirestheuseofan"access"or"pass"card.Accesscarduseisloggedbythebuildingsecuritysystem.Theexteriorandinternalpassagewaysofbuildingsareequippedwithmotiondetectingsensorsandvideocameras.Similarly,thesupportandvettingroomswhereDigiCertpersonnelperformidentityvettingandotherRAfunctionsare
35
equippedwithmotion‐activatedvideosurveillancecameras.Accesscardlogsandvideorecordsarereviewedonaregularbasis.DigiCertsecurelystoresallremovablemediaandpapercontainingsensitiveplain‐textinformationrelatedtoitsCAoperationsinsecurecontainers.
5.1.2.3. CAKeyGenerationandStorageDigiCertsecurelystoresthecryptomodulesusedtogenerateandstoreCAPrivateKeys.Accesstotheroomsusedforkeystorageandkeygenerationactivitiesiscontrolledandloggedbythebuildingaccesscardsystem.Whennotinuseduringakeyceremony,CAcryptomodulesarelockedinasafethatprovidestwo‐personphysicalaccesscontrol.Accesstothesafeismanuallylogged.Accesscardlogsandthemanuallogsofaccesstothesafearereviewedonaregularbasis.
5.1.3. PowerandAirConditioningDatacentershaveprimaryandsecondarypowersuppliesthatensurecontinuousanduninterruptedaccesstoelectricpower.Uninterruptedpowersupplies(UPS)anddieselgeneratorsprovideredundantbackuppower.DigiCertmonitorscapacitydemandsandmakesprojectionsaboutfuturecapacityrequirementstoensurethatadequateprocessingpowerandstorageareavailable.DigiCert’sdatacenterfacilitiesusemultipleload‐balancedHVACsystemsforheating,cooling,andairventilationthroughperforated‐tileraisedflooringtopreventoverheatingandtomaintainasuitablehumiditylevelforsensitivecomputersystems.
5.1.4. WaterExposuresThecabinetshousingDigiCert'sCAandTSAsystemsarelocatedonraisedflooring,andthedatacentersareequippedwithmonitoringsystemstodetectexcessmoisture.
5.1.5. FirePreventionandProtectionThedatacentersareequippedwithfiresuppressionmechanisms.
5.1.6. MediaStorageDigiCertprotectsitsmediafromaccidentaldamageandunauthorizedphysicalaccess.Backupfilesarecreatedonadailybasis.DigiCert’sbackupfilesaremaintainedatlocationsseparatefromDigiCert’sprimarydataoperationsfacility.
5.1.7. WasteDisposalAllunnecessarycopiesofprintedsensitiveinformationareshreddedon‐sitebeforedisposal.Allelectronicmediaarephysicallydestroyedorareoverwrittenmultipletimestopreventtherecoveryofthedata.
5.1.8. Off‐siteBackupDigiCertmaintainsatleastonefullbackupandmakesregularbackupcopiesofanyinformationnecessarytorecoverfromasystemfailure.BackupcopiesofCAPrivateKeysandactivationdataarestoredfordisasterrecoverypurposesoff‐siteinsafedepositboxeslocatedinsidefederallyinsuredfinancialinstitutionsandareaccessibleonlybytrustedpersonnel.
5.1.9. CertificateStatusHosting,CMSandExternalRASystemsAllphysicalcontrolrequirementsunderSection5.1applyequallytoanyCertificateStatusHosting,CMS,orexternalRAsystem.
5.2. PROCEDURALCONTROLS
5.2.1. TrustedRolesPersonnelactingintrustedrolesincludeCA,TSA,andRAsystemadministrationpersonnel,andpersonnelinvolvedwithidentityvettingandtheissuanceandrevocationofCertificates.ThefunctionsanddutiesperformedbypersonsintrustedrolesaredistributedsothatonepersonalonecannotcircumventsecuritymeasuresorsubvertthesecurityandtrustworthinessofthePKIorTSAoperations.Trustedrolesare
36
appointedbyseniormanagement.Alistofpersonnelappointedtotrustedrolesismaintainedandreviewedannually.
5.2.1.1. CAAdministratorsTheCAAdministratorinstallsandconfigurestheCAsoftware,includingkeygeneration,keybackup,andkeymanagement.TheCAAdministratorperformsandsecurelystoresregularsystembackupsoftheCAsystem.AdministratorsdonotissueCertificatestoSubscribers.
5.2.1.2. RegistrationOfficers–CMS,RA,ValidationandVettingPersonnelTheRegistrationOfficerroleisresponsibleforissuingandrevokingCertificates,includingenrollment,identityverification,andcompliancewithrequiredissuanceandrevocationstepssuchasmanagingthecertificaterequestqueueandcompletingcertificateapprovalchecklistsasidentityvettingtasksaresuccessfullycompleted.
5.2.1.3. SystemAdministrators/SystemEngineers(Operator)TheSystemAdministrator/SystemEngineerinstallsandconfiguressystemhardware,includingservers,routers,firewalls,andnetworkconfigurations.TheSystemAdministrator/SystemEngineeralsokeepsCA,CMSandRAsystemsupdatedwithsoftwarepatchesandothermaintenanceneededforsystemstabilityandrecoverability.
5.2.1.4. InternalAuditorsInternalAuditorsareresponsibleforreviewing,maintaining,andarchivingauditlogsandperformingoroverseeinginternalcomplianceauditstodetermineifDigiCert,anIssuerCA,orRAisoperatinginaccordancewiththisCPSoranRA’sRegistrationPracticesStatement.
5.2.1.5. RAAdministratorsRAAdministratorsinstall,configureandmanagetheRAsoftware,includingtheassignmentofIssuingCAsandcertificateprofilestocustomeraccounts.
5.2.2. NumberofPersonsRequiredperTaskDigiCertrequiresthatatleasttwopeopleactinginatrustedrole(onetheCAAdministratorandtheothernotanInternalAuditor)takeactionrequiringatrustedrole,suchasactivatingDigiCert’sPrivateKeys,generatingaCAKeyPair,orbackingupaDigiCertPrivateKey.TheInternalAuditormayservetofulfilltherequirementofmultipartycontrolforphysicalaccesstotheCAsystembutnotlogicalaccess.
5.2.3. IdentificationandAuthenticationforeachRoleAllpersonnelarerequiredtoauthenticatethemselvestoCA,TSA,andRAsystemsbeforetheyareallowedaccesstosystemsnecessarytoperformtheirtrustedroles.
5.2.4. RolesRequiringSeparationofDutiesRolesrequiringaseparationofdutiesinclude:
1. Thoseperformingauthorizationfunctionssuchastheverificationofinformationincertificateapplicationsandapprovalsofcertificateapplicationsandrevocationrequests,
2. Thoseperformingbackups,recording,andrecordkeepingfunctions;3. Thoseperformingaudit,review,oversight,orreconciliationfunctions;and4. ThoseperformingdutiesrelatedtoCA/TSAkeymanagementorCA/TSAadministration.
Toaccomplishthisseparationofduties,DigiCertspecificallydesignatesindividualstothetrustedrolesdefinedinSection5.2.1above.DigiCertappointsindividualstoonlyoneoftheRegistrationOfficer,Administrator,Operator,orInternalAuditorroles.IndividualsdesignatedasRegistrationOfficerorAdministratormayperformOperatorduties,butanInternalAuditormaynotassumeanyotherrole.DigiCert’ssystemsidentifyandauthenticateindividualsactingintrustedroles,restrictanindividualfromassumingmultipleroles,andpreventanyindividualfromhavingmorethanoneidentity.
37
5.3. PERSONNELCONTROLS
5.3.1. Qualifications,Experience,andClearanceRequirementsTheDCPAisresponsibleandaccountableforDigiCert’sPKIoperationsandensurescompliancewiththisCPSandtheCP.DigiCert’spersonnelandmanagementpracticesprovidereasonableassuranceofthetrustworthinessandcompetenceofitsemployeesandofthesatisfactoryperformanceoftheirduties.AlltrustedrolesforCAsissuingFederatedDeviceCertificates,ClientCertificatesatLevels3‐USand4‐US(whichareintendedforinteroperabilitythroughtheFederalBridgeCAatid‐fpki‐certpcy‐mediumAssuranceandid‐fpki‐certpcy‐mediumHardware)areheldbycitizensoftheUnitedStates.AnindividualperformingatrustedroleforanRAmaybeacitizenofthecountrywheretheRAislocated.ThereisnocitizenshiprequirementforpersonnelperformingtrustedrolesassociatedwiththeissuanceofotherkindsofCertificates.Managementandoperationalsupportpersonnelinvolvedintime‐stampoperationspossessexperiencewithinformationsecurityandriskassessmentandknowledgeoftime‐stampingtechnology,digitalsignaturetechnology,mechanismsforcalibrationoftimestampingclockswithUTC,andsecurityprocedures.TheDCPAensuresthatallindividualsassignedtotrustedroleshavetheexperience,qualifications,andtrustworthinessrequiredtoperformtheirdutiesunderthisCPS.
5.3.2. BackgroundCheckProceduresDigiCertverifiestheidentityofeachemployeeappointedtoatrustedroleandperformsabackgroundcheckpriortoallowingsuchpersontoactinatrustedrole.DigiCertrequireseachindividualtoappearin‐personbeforeahumanresourcesemployeewhoseresponsibilityitistoverifyidentity.Thehumanresourcesemployeeverifiestheindividual’sidentityusinggovernment‐issuedphotoidentification(e.g.,passportsand/ordriver’slicensesreviewedpursuanttoU.S.CitizenshipandImmigrationServicesFormI‐9,EmploymentEligibilityVerification,orcomparableprocedureforthejurisdictioninwhichtheindividual’sidentityisbeingverified).Backgroundchecksincludeemploymenthistory,education,characterreferences,socialsecuritynumber,previousresidences,drivingrecordsandcriminalbackground.Checksofpreviousresidencesareoverthepastthreeyears.Allotherchecksareforthepreviousfiveyears.Thehighesteducationdegreeobtainedisverifiedregardlessofthedateawarded.Basedupontheinformationobtainedduringthebackgroundcheck,thehumanresourcesdepartmentmakesanadjudicationdecision,withtheassistanceoflegalcounselwhennecessary,astowhethertheindividualissuitableforthepositiontowhichtheywillbeassigned.Backgroundchecksarerefreshedandre‐adjudicationoccursatleasteverytenyears.
5.3.3. TrainingRequirementsDigiCertprovidesskillstrainingtoallemployeesinvolvedinDigiCert’sPKIandTSAoperations.Thetrainingrelatestotheperson’sjobfunctionsandcovers:
1. basicPublicKeyInfrastructure(PKI)knowledge,2. softwareversionsusedbyDigiCert,3. authenticationandverificationpoliciesandprocedures,4. DigiCertsecurityprinciplesandmechanisms,5. disasterrecoveryandbusinesscontinuityprocedures,6. commonthreatstothevalidationprocess,includingphishingandothersocialengineeringtactics,
and7. CA/BrowserForumGuidelinesandotherapplicableindustryandgovernmentguidelines.Trainingisprovidedviaamentoringprocessinvolvingseniormembersoftheteamtowhichtheemployeebelongs.DigiCertmaintainsrecordsofwhoreceivedtrainingandwhatleveloftrainingwascompleted.RegistrationOfficersmusthavetheminimumskillsnecessarytosatisfactorilyperformvalidationdutiesbeforebeinggrantedvalidationprivileges.AllRegistrationOfficersarerequiredtopassaninternalexaminationontheEVGuidelinesandtheBaselineRequirementspriortovalidatingandapprovingtheissuanceofCertificates.Wherecompetenceisdemonstratedinlieuoftraining,DigiCertmaintainssupportingdocumentation.
38
5.3.4. RetrainingFrequencyandRequirementsEmployeesmustmaintainskilllevelsthatareconsistentwithindustry‐relevanttrainingandperformanceprogramsinordertocontinueactingintrustedroles.DigiCertmakesallemployeesactingintrustedrolesawareofanychangestoDigiCert’soperations.IfDigiCert’soperationschange,DigiCertwillprovidedocumentedtraining,inaccordancewithanexecutedtrainingplan,toallemployeesactingintrustedroles.
5.3.5. JobRotationFrequencyandSequenceNostipulation.
5.3.6. SanctionsforUnauthorizedActionsDigiCertemployeesandagentsfailingtocomplywiththisCPS,whetherthroughnegligenceormaliciousintent,aresubjecttoadministrativeordisciplinaryactions,includingterminationofemploymentoragencyandcriminalsanctions.Ifapersoninatrustedroleiscitedbymanagementforunauthorizedorinappropriateactions,thepersonwillbeimmediatelyremovedfromthetrustedrolependingmanagementreview.Aftermanagementhasreviewedanddiscussedtheincidentwiththeemployeeinvolved,managementmayreassignthatemployeetoanon‐trustedroleordismisstheindividualfromemploymentasappropriate.
5.3.7. IndependentContractorRequirementsIndependentcontractorswhoareassignedtoperformtrustedrolesaresubjecttothedutiesandrequirementsspecifiedforsuchrolesinthisSection5.3andaresubjecttosanctionsstatedaboveinSection5.3.6.
5.3.8. DocumentationSuppliedtoPersonnelPersonnelintrustedrolesareprovidedwiththedocumentationnecessarytoperformtheirduties,includingacopyoftheCP,thisCPS,EVGuidelines,andothertechnicalandoperationaldocumentationneededtomaintaintheintegrityofDigiCert'sCAoperations.Personnelarealsogivenaccesstoinformationoninternalsystemsandsecuritydocumentation,identityvettingpoliciesandprocedures,discipline‐specificbooks,treatisesandperiodicals,andotherinformation.
5.4. AUDITLOGGINGPROCEDURES
5.4.1. TypesofEventsRecordedDigiCert’ssystemsrequireidentificationandauthenticationatsystemlogonwithauniqueusernameandpassword.Importantsystemactionsareloggedtoestablishtheaccountabilityoftheoperatorswhoinitiatesuchactions.DigiCertenablesallessentialeventauditingcapabilitiesofitsCAandTSAapplicationsinordertorecordtheeventslistedbelow.IfDigiCert’sapplicationscannotautomaticallyrecordanevent,DigiCertimplementsmanualprocedurestosatisfytherequirements.Foreachevent,DigiCertrecordstherelevant(i)dateandtime,(ii)typeofevent,(iii)successorfailure,and(iv)userorsystemthatcausedtheeventorinitiatedtheaction.DigiCertrecordstheprecisetimeofanysignificantTSAevents.AlleventrecordsareavailabletoauditorsasproofofDigiCert’spractices.
AuditableEventSECURITYAUDITAnychangestotheauditparameters,e.g.,auditfrequency,typeofeventauditedAnyattempttodeleteormodifytheauditlogsAUTHENTICATIONTOSYSTEMSSuccessfulandunsuccessfulattemptstoassumearoleThevalueofmaximumnumberofauthenticationattemptsischangedMaximumnumberofauthenticationattemptsoccurduringuserloginAnadministratorunlocksanaccountthathasbeenlockedasaresultofunsuccessfulauthenticationattempts
39
AuditableEventAnadministratorchangesthetypeofauthenticator,e.g.,fromapasswordtoabiometricLOCALDATAENTRYAllsecurity‐relevantdatathatisenteredinthesystemREMOTEDATAENTRYAllsecurity‐relevantmessagesthatarereceivedbythesystemDATAEXPORTANDOUTPUTAllsuccessfulandunsuccessfulrequestsforconfidentialandsecurity‐relevantinformationKEYGENERATIONWheneveraCAgeneratesakey(notmandatoryforsinglesessionorone‐timeusesymmetrickeys)CAKEYLIFECYCLEMANAGEMENTKeygeneration,backup,storage,recovery,archival,anddestructionCryptographicdevicelifecyclemanagementeventsCAANDSUBSCRIBERCERTIFICATELIFECYCLEMANAGEMENTAllverificationactivitiesstipulatedintheBaselineRequirementsandthisCPSDate,time,phonenumberused,personsspokento,andendresultsofverificationtelephonecallsAcceptanceandrejectionofcertificaterequestsIssuanceofCertificatesGenerationofCertificateRevocationListsandOCSPentries.PRIVATEKEYLOADANDSTORAGETheloadingofComponentPrivateKeysAllaccesstocertificatesubjectPrivateKeysretainedwithintheCAforkeyrecoverypurposesTRUSTEDPUBLICKEYENTRY,DELETIONANDSTORAGESECRETKEYSTORAGEThemanualentryofsecretkeysusedforauthenticationPRIVATEANDSECRETKEYEXPORTTheexportofprivateandsecretkeys(keysusedforasinglesessionormessageareexcluded)CERTIFICATEREGISTRATIONAllcertificaterequests,includingissuance,re‐key,renewal,andrevocationCertificateissuanceVerificationactivitiesCERTIFICATEREVOCATIONAllcertificaterevocationrequestsCERTIFICATESTATUSCHANGEAPPROVALANDREJECTIONCACONFIGURATIONAnysecurity‐relevantchangestotheconfigurationofaCAsystemcomponentACCOUNTADMINISTRATIONRolesandusersareaddedordeletedTheaccesscontrolprivilegesofauseraccountorarolearemodifiedCERTIFICATEPROFILEMANAGEMENTAllchangestothecertificateprofileREVOCATIONPROFILEMANAGEMENTAllchangestotherevocationprofileCERTIFICATEREVOCATIONLISTPROFILEMANAGEMENTAllchangestothecertificaterevocationlistprofileGenerationofCRLsandOCSPentriesTIMESTAMPINGClocksynchronizationMISCELLANEOUSAppointmentofanindividualtoaTrustedRoleDesignationofpersonnelformultipartycontrol
40
AuditableEventInstallationofanOperatingSystem,PKIApplication,orHardwareSecurityModuleRemovalorDestructionofHSMsSystemStartupLogonattemptstoPKIApplicationReceiptofhardware/softwareAttemptstosetormodifypasswordsBackuporrestorationoftheinternalCAdatabaseFilemanipulation(e.g.,creation,renaming,moving)PostingofanymaterialtoarepositoryAccesstotheinternalCAdatabaseAllcertificatecompromisenotificationrequestsLoadingHSMswithCertificatesShipmentofHSMsZeroizingHSMsRe‐keyoftheComponentCONFIGURATIONCHANGESHardwareSoftwareOperatingSystemPatchesSecurityProfilesPHYSICALACCESS/SITESECURITYPersonnelaccesstosecureareahousingCAorTSAcomponentAccesstoaCAorTSAcomponentKnownorsuspectedviolationsofphysicalsecurityFirewallandrouteractivitiesEntriestoandexitsfromtheCAfacility,PKIandsecuritysystemactionsperformedANOMALIESSystemcrashesandhardwarefailuresSoftwareerrorconditionsSoftwarecheckintegrityfailuresReceiptofimpropermessagesandmisroutedmessagesNetworkattacks(suspectedorconfirmed)EquipmentfailureElectricalpoweroutagesUninterruptiblePowerSupply(UPS)failureObviousandsignificantnetworkserviceoraccessfailuresViolationsofaCPSResettingOperatingSystemclock
5.4.2. FrequencyofProcessingLogAtleastonceeverytwomonths,aDigiCertadministratorreviewsthelogsgeneratedbyDigiCert’ssystems,makessystemandfileintegritychecks,andconductsavulnerabilityassessment.Theadministratormayperformthechecksusingautomatedtools.Duringthesechecks,theadministrator(1)checkswhetheranyonehastamperedwiththelog,(2)scansforanomaliesorspecificconditions,includinganyevidenceofmaliciousactivity,and(3)preparesawrittensummaryofthereview.Anyanomaliesorirregularitiesfoundinthelogsareinvestigated.ThesummariesincluderecommendationstoDigiCert’soperationsmanagementcommitteeandaremadeavailabletoDigiCert'sauditorsuponrequest.DigiCertdocumentsanyactionstakenasaresultofareview.
41
5.4.3. RetentionPeriodforAuditLogAuditlogsrelatedtopubliclytrustedSSL/TLSCertificatesareretainedforatleastseven(7)years.DigiCertretainsauditlogson‐siteuntilaftertheyarereviewed.TheindividualswhoremoveauditlogsfromDigiCert’sCAsystemsaredifferentthantheindividualswhocontrolDigiCert’ssignaturekeys.
5.4.4. ProtectionofAuditLogCAauditloginformationisretainedonequipmentuntilafteritiscopiedbyasystemadministrator.DigiCert’sCAandTSAsystemsareconfiguredtoensurethat(i)onlyauthorizedpeoplehavereadaccesstologs,(ii)onlyauthorizedpeoplemayarchiveauditlogs,and(iii)auditlogsarenotmodified.Auditlogsareprotectedfromdestructionpriortotheendoftheauditlogretentionperiodandareretainedsecurelyon‐siteuntiltransferredtoabackupsite.DigiCert’soff‐sitestoragelocationisasafeandsecurelocationthatisseparatefromthelocationwherethedatawasgenerated.DigiCertmakestime‐stampingrecordsavailablewhenrequiredtoproveinalegalproceedingthatDigiCert’stime‐stampingservicesareoperatingcorrectly.Auditlogsaremadeavailabletoauditorsuponrequest.
5.4.5. AuditLogBackupProceduresDigiCertmakesregularbackupcopiesofauditlogsandauditlogsummariesandsavesacopyoftheauditlogtoasecure,off‐sitelocationonatleastamonthlybasis.
5.4.6. AuditCollectionSystem(internalvs.external)Automaticauditprocessesbeginonsystemstartupandendatsystemshutdown.Ifanautomatedauditsystemfailsandtheintegrityofthesystemorconfidentialityoftheinformationprotectedbythesystemisatrisk,DigiCert’sAdministratorsandtheDCPAshallbenotifiedandtheDCPAwillconsidersuspendingtheCA’sorRA’soperationsuntiltheproblemisremedied.
5.4.7. NotificationtoEvent‐causingSubjectNostipulation.
5.4.8. VulnerabilityAssessmentsDigiCertperformsannualriskassessmentsthatidentifyandassessreasonablyforeseeableinternalandexternalthreatsthatcouldresultinunauthorizedaccess,disclosure,misuse,alteration,ordestructionofanycertificatedataorcertificateissuanceprocess.DigiCertalsoroutinelyassessesthesufficiencyofthepolicies,procedures,informationsystems,technology,andotherarrangementsthatDigiCerthasinplacetocontrolsuchrisks.DigiCert’sInternalAuditorsreviewthesecurityauditdatachecksforcontinuity.DigiCert’sauditlogmonitoringtoolsalerttheappropriatepersonnelofanyevents,suchasrepeatedfailedactions,requestsforprivilegedinformation,attemptedaccessofsystemfiles,andunauthenticatedresponses.
5.5. RECORDSARCHIVALDigiCertcomplieswithallrecordretentionpoliciesthatapplybylaw.DigiCertincludessufficientdetailinallarchivedrecordstoshowthataCertificateortime‐stamptokenwasissuedinaccordancewiththisCPS.
5.5.1. TypesofRecordsArchivedDigiCertretainsthefollowinginformationinitsarchives(assuchinformationpertainstoDigiCert’sCA/TSAoperations):
1. AccreditationsofDigiCert,2. CPandCPSversions,3. ContractualobligationsandotheragreementsconcerningtheoperationoftheCA/TSA,4. Systemandequipmentconfigurations,modifications,andupdates,5. Rejectionoracceptanceofacertificaterequest,6. Certificateissuance,rekey,renewal,andrevocationrequests,7. SufficientidentityauthenticationdatatosatisfytheidentificationrequirementsofSection3.2,
includinginformationabouttelephonecallsmadeforverificationpurposes,8. AnydocumentationrelatedtothereceiptoracceptanceofaCertificateortoken,
42
9. SubscriberAgreements,10. IssuedCertificates,11. Arecordofcertificatere‐keys,12. CRLsforCAscross‐certifiedwiththeFederalBridgeCA,13. Dataorapplicationsnecessarytoverifyanarchive’scontents,14. Complianceauditorreports,15. ChangestoDigiCert’sauditparameters,16. Anyattempttodeleteormodifyauditlogs,17. CAKeygenerationanddestruction,18. AccesstoPrivateKeysforkeyrecoverypurposes,19. ChangestotrustedPublicKeys,20. ExportofPrivateKeys,21. Approvalorrejectionofarevocationrequest,22. Appointmentofanindividualtoatrustedrole,23. Destructionofacryptographicmodule,24. Certificatecompromisenotifications,25. Remedialactiontakenasaresultofviolationsofphysicalsecurity,and26. ViolationsoftheCPorCPS.
5.5.2. RetentionPeriodforArchiveDigiCertretainsarchiveddataassociatedwithLevel3orLevel4,andfederateddeviceCertificatesforatleast10.5years.DigiCert,ortheRAsupportingissuance,archivesdataforothercertificatetypesforatleast7.5years.
5.5.3. ProtectionofArchiveArchiverecordsarestoredatasecureoff‐sitelocationandaremaintainedinamannerthatpreventsunauthorizedmodification,substitution,ordestruction.ArchivesarenotreleasedexceptasallowedbytheDCPAorasrequiredbylaw.DigiCertmaintainsanysoftwareapplicationrequiredtoprocessthearchivedatauntilthedataiseitherdestroyedortransferredtoanewermedium.IfDigiCertneedstotransferanymediatoadifferentarchivesiteorequipment,DigiCertwillmaintainbotharchivedlocationsand/orpiecesofequipmentuntilthetransferarecomplete.Alltransferstonewarchiveswilloccurinasecuremanner.
5.5.4. ArchiveBackupProceduresOnatleastanannualbasis,DigiCertcreatesanarchivediskofthedatalistedinsection5.5.1bygroupingthedatatypestogetherbysourceintoseparate,compressedarchivefiles.Eacharchivefileishashedtoproducechecksumsthatarestoredseparatelyforintegrityverificationatalaterdate.DigiCertstoresthearchivediskinasecureoff‐sitelocationforthedurationofthesetretentionperiod.RAscreateandstorearchivedrecordsinaccordancewiththeapplicabledocumentationretentionpolicy.
5.5.5. RequirementsforTime‐stampingofRecordsDigiCertautomaticallytime‐stampsarchivedrecordswithsystemtime(non‐cryptographicmethod)astheyarecreated.DigiCertsynchronizesitssystemtimeatleasteveryeighthoursusingarealtimevaluedistributedbyarecognizedUTC(k)laboratoryorNationalMeasurementInstitute.
5.5.6. ArchiveCollectionSystem(internalorexternal)ArchiveinformationiscollectedinternallybyDigiCert.
5.5.7. ProcedurestoObtainandVerifyArchiveInformationDetailsconcerningthecreationandstorageofarchiveinformationarefoundinsection5.5.4.AfterreceivingarequestmadeforaproperpurposebyaCustomer,itsagent,orapartyinvolvedinadisputeoveratransactioninvolvingtheDigiCertPKI,DigiCertmayelecttoretrievetheinformationfromarchival.Theintegrityofarchiveinformationisverifiedbycomparingahashofthecompressedarchivefilewiththefile
43
checksumoriginallystoredforthatfile,asdescribedinSection5.5.4.DigiCertmayelecttotransmittherelevantinformationviaasecureelectronicmethodorcourier,oritmayalsorefusetoprovidetheinformationinitsdiscretionandmayrequirepriorpaymentofallcostsassociatedwiththedata.
5.6. KEYCHANGEOVERKeychangeoverproceduresenablethesmoothtransitionfromexpiringCACertificatestonewCACertificates.TowardstheendofaCAPrivateKey’slifetime,DigiCertceasesusingtheexpiringCAPrivateKeytosignCertificatesandusestheoldPrivateKeyonlytosignCRLsandOCSPresponderCertificates.AnewCAsigningKeyPairiscommissionedandallsubsequentlyissuedCertificatesandCRLsaresignedwiththenewprivatesigningkey.BoththeoldandthenewKeyPairsmaybeconcurrentlyactive.ThiskeychangeoverprocesshelpsminimizeanyadverseeffectsfromCAcertificateexpiration.ThecorrespondingnewCAPublicKeyCertificateisprovidedtosubscribersandrelyingpartiesthroughthedeliverymethodsdetailedinSection6.1.4.WhereDigiCerthascross‐certifiedanotherCAthatisintheprocessofakeyrollover,DigiCertobtainsanewCAPublicKey(PKCS#10)ornewCACertificatefromtheotherCAanddistributesanewCAcrossCertificatefollowingtheproceduresdescribedabove.
5.7. COMPROMISEANDDISASTERRECOVERY
5.7.1. IncidentandCompromiseHandlingProceduresDigiCertmaintainsincidentresponseprocedurestoguidepersonnelinresponsetosecurityincidents,naturaldisasters,andsimilareventsthatmaygiverisetosystemcompromise.DigiCertreviews,tests,andupdatesitsincidentresponseplansandproceduresonatleastanannualbasis.ForCAsthatarecross‐certifiedwiththeFBCA,DigiCertwillnotifytheFPKIPAwithin24hoursandprovidepreliminaryremediationanalysisofthefollowing:
•suspectedordetectedcompromiseoftheCAsystems;•physicalorelectronicattemptstopenetrateCAsystems;•denialofserviceattacksonCAcomponents;or•anyincidentpreventingtheCAfromissuingaCRLwithin24hoursofthetimespecifiedinthenextupdatefieldofitscurrentlyvalidCRL.
Within10businessdaysofincidentresolution,DigiCertwillpostanoticeonitspublicwebpageidentifyingtheincidentandprovidenotificationtotheFPKIPA.Thepublicnoticeshallincludethefollowing:
1. WhichCAcomponentswereaffectedbytheincident2. DigiCert'sinterpretationoftheincident.3. Whoisimpactedbytheincident4. Whentheincidentwasdiscovered5. Acompletelistofallcertificatesthatwereeitherissuederroneouslyornotcompliantwiththe
CP/CPSasaresultoftheincident6. Astatementthattheincidenthasbeenfullyremediated
ThenotificationprovideddirectlytotheFPKIPAshallalsoincludedetailedmeasurestakentoremediatetheincident.
5.7.2. ComputingResources,Software,and/orDataAreCorruptedDigiCertmakesregularsystembackupsonatleastaweeklybasisandmaintainsbackupcopiesofitsPrivateKeys,whicharestoredinasecure,off‐sitelocation.IfDigiCertdiscoversthatanyofitscomputingresources,software,ordataoperationshavebeencompromised,DigiCertassessesthethreatsandrisksthatthecompromisepresentstotheintegrityorsecurityofitsoperationsorthoseofaffectedparties.IfDigiCertdeterminesthatacontinuedoperationcouldposeasignificantrisktoRelyingPartiesorSubscribers,DigiCertsuspendssuchoperationuntilitdeterminesthattheriskismitigated.
44
5.7.3. EntityPrivateKeyCompromiseProceduresIfDigiCertsuspectsthatoneofitsPrivateKeyshasbeencomprisedorlostthenanemergencyresponseteamwillconveneandassessthesituationtodeterminethedegreeandscopeoftheincidentandtakeappropriateaction.Specifically,DigiCertwill:
1. Collectinformationrelatedtotheincident;2. Begininvestigatingtheincidentanddeterminethedegreeandscopeofthecompromise;3. Haveitsincidentresponseteamdetermineandreportonthecourseofactionorstrategythatshould
betakentocorrecttheproblemandpreventreoccurrence;4. Ifappropriate,contactgovernmentagencies,lawenforcement,andotherinterestedpartiesand
activateanyotherappropriateadditionalsecuritymeasures;5. IfthecompromiseinvolvesaPrivateKeyusedtosigntime‐stamptokens,provideadescriptionofthe
compromisetoSubscribersandRelyingParties;6. Notifyanycross‐certifiedentitiesofthecompromisesothattheycanrevoketheircross‐Certificates;7. MakeinformationavailablethatcanbeusedtoidentifywhichCertificatesandtime‐stamptokensare
affected,unlessdoingsowouldbreachtheprivacyofaDigiCertuserorthesecurityofDigiCert’sservices;
8. Monitoritssystem,continueitsinvestigation,ensurethatdataisstillbeingrecordedasevidence,andmakeaforensiccopyofdatacollected;
9. Isolate,contain,andstabilizeitssystems,applyinganyshort‐termfixesneededtoreturnthesystemtoanormaloperatingstate;
10. Prepareandcirculateanincidentreportthatanalyzesthecauseoftheincidentanddocumentsthelessonslearned;and
11. IncorporatelessonslearnedintotheimplementationoflongtermsolutionsandtheIncidentResponsePlan.
DigiCertmaygenerateanewKeyPairandsignanewCertificate.IfadisasterphysicallydamagesDigiCert’sequipmentanddestroysallcopiesofDigiCert’ssignaturekeysthenDigiCertwillprovidenoticetoaffectedpartiesattheearliestfeasibletime.
5.7.4. BusinessContinuityCapabilitiesafteraDisasterTomaintaintheintegrityofitsservices,DigiCertimplementsdatabackupandrecoveryproceduresaspartofitsBusinessContinuityManagementPlan(BCMP).StatedgoalsoftheBCMParetoensurethatcertificatestatusservicesbeonlyminimallyaffectedbyanydisasterinvolvingDigiCert’sprimaryfacilityandthatDigiCertbecapableofmaintainingotherservicesorresumingthemasquicklyaspossiblefollowingadisaster.DigiCertreviews,tests,andupdatestheBCMPandsupportingproceduresatleastannually.DigiCert'ssystemsareredundantlyconfiguredatitsprimaryfacilityandaremirroredataseparate,geographicallydiverselocationforfailoverintheeventofadisaster.IfadisastercausesDigiCert’sprimaryCAorTSAoperationstobecomeinoperative,DigiCertwillre‐initiateitsoperationsatitssecondarylocationgivingprioritytotheprovisionofcertificatestatusinformationandtimestampingcapabilities,ifaffected.
5.8. CAORRATERMINATIONBeforeterminatingitsCAorTSAactivities,DigiCertwill:
1. Providenoticeandinformationabouttheterminationbysendingnoticebyemailtoitscustomers,ApplicationSoftwareVendors,andcross‐certifyingentitiesandbypostingsuchinformationonDigiCert’swebsite;and
2. Transferallresponsibilitiestoaqualifiedsuccessorentity.Ifaqualifiedsuccessorentitydoesnotexist,DigiCertwill:
1. transferthosefunctionscapableofbeingtransferredtoareliablethirdpartyandarrangetopreserveallrelevantrecordswithareliablethirdpartyoragovernment,regulatory,orlegalbodywithappropriateauthority;
2. revokeallCertificatesthatarestillun‐revokedorun‐expiredonadateasspecifiedinthenoticeandpublishfinalCRLs;
3. destroyallPrivateKeys;and
45
4. makeothernecessaryarrangementsthatareinaccordancewiththisCPS.DigiCerthasmadearrangementstocoverthecostsassociatedwithfulfillingtheserequirementsincaseDigiCertbecomesbankruptorisunabletocoverthecosts.Anyrequirementsofthissectionthatarevariedbycontractapplyonlythecontractingparties.Wheneverpossible,theFPKIPAshallbenotifiedatleasttwoweekspriortotheterminationofanyCAcross‐certifiedwiththeFBCA.Foremergencytermination,theCAshallfollowthenotificationproceduresinSection5.7.
6. TECHNICALSECURITYCONTROLS
6.1. KEYPAIRGENERATIONANDINSTALLATION
6.1.1. KeyPairGeneration
AllkeysmustbegeneratedusingaFIPS‐approvedmethodorequivalentinternationalstandard.DigiCert'sCAKeyPairsaregeneratedbymultipletrustedindividualsactingintrustedrolesandusingacryptographichardwaredeviceaspartofscriptedkeygenerationceremony.ThecryptographichardwareisevaluatedtoFIPS140‐1Level3andEAL4+.Activationofthehardwarerequirestheuseoftwo‐factorauthenticationtokens.DigiCertcreatesauditableevidenceduringthekeygenerationprocesstoprovethattheCPSwasfollowedandroleseparationwasenforcedduringthekeygenerationprocess.DigiCertrequiresthatanexternalauditorwitnessthegenerationofanyCAkeystobeusedaspubliclytrustedrootCertificatesortosignEVCertificates.ForotherCAkeypairgenerationceremonies,anInternalAuditor,externalauditor,orindependentthirdpartyattendstheceremony,oranexternalauditorexaminesthesignedanddocumentedrecordofthekeygenerationceremony,asallowedbyapplicablepolicy.Subscribersmustgeneratetheirkeysinamannerthatisappropriateforthecertificatetype.DigiCertnevercreateskeypairsforpubliclytrustedSSL/TLSServerCertificates.CertificatesissuedatLevel3HardwareoratLevel4BiometricmustbegeneratedonvalidatedhardwarecryptographicmodulesusingaFIPS‐approvedmethod.ForAdobeSigningCertificates,SubscribersmustgeneratetheirKeyPairsinamediumthatpreventsexportationorduplicationandthatmeetsorexceedsFIPS140‐1Level2certificationstandards.
6.1.2. PrivateKeyDeliverytoSubscriberIfDigiCert,aCMS,oranRAgeneratesakeyforaSubscriber,thenitmustdeliverthePrivateKeysecurelytotheSubscriber.Keysmaybedeliveredelectronically(suchasthroughsecureemailorstoredinacloud‐basedsystem)oronahardwarecryptographicmodule.Inallcases:
1. Exceptwhereescrow/backupservicesareauthorizedandpermitted,thekeygeneratormustnotretainaccesstotheSubscriber’sPrivateKeyafterdelivery,
2. ThekeygeneratormustprotectthePrivateKeyfromactivation,compromise,ormodificationduringthedeliveryprocess,
3. TheSubscribermustacknowledgereceiptofthePrivateKey(s),typicallybyhavingtheSubscriberusetherelatedCertificate,and
4. ThekeygeneratormustdeliverthePrivateKeyinawaythatensuresthatthecorrecttokensandactivationdataareprovidedtothecorrectSubscribers,including:
a. Forhardwaremodules,thekeygeneratormaintainingaccountabilityforthelocationandstateofthemoduleuntiltheSubscriberacceptspossessionofitand
b. ForelectronicdeliveryofPrivateKeys,thekeygeneratorencryptingkeymaterialusingacryptographicalgorithmandkeysizeatleastasstrongasthePrivateKey.Thekeygeneratorshalldeliveractivationdatausingaseparatesecurechannel.
TheentityassistingtheSubscriberwithkeygenerationshallmaintainarecordoftheSubscriber’sacknowledgementofreceiptofthedevicecontainingtheSubscriber’sKeyPair.ACMSorRAprovidingkeydeliveryservicesisrequiredtoprovideacopyofthisrecordtoDigiCert.
46
6.1.3. PublicKeyDeliverytoCertificateIssuerSubscribersgenerateKeyPairsandsubmitthePublicKeytoDigiCertinaCSRaspartofthecertificaterequestprocess.TheSubscriber’ssignatureontherequestisauthenticatedpriortoissuingtheCertificate.
6.1.4. CAPublicKeyDeliverytoRelyingPartiesDigiCert'sPublicKeysareprovidedtoRelyingPartiesasspecifiedinacertificatevalidationorpathdiscoverypolicyfile,astrustanchorsincommercialbrowsersandoperatingsystemrootstore,and/orasrootssignedbyotherCAs.AllaccreditationauthoritiessupportingDigiCertCertificatesandallapplicationsoftwareprovidersarepermittedtoredistributeDigiCert’srootanchors.DigiCertmayalsodistributePublicKeysthatarepartofanupdatedsignatureKeyPairasaself‐signedCertificate,asanewCACertificate,orinakeyroll‐overCertificate.RelyingPartiesmayobtainDigiCert'sself‐signedCACertificatesfromDigiCert'swebsiteorbyemail.
6.1.5. KeySizesDigiCertgenerallyfollowstheNISTtimelinesinusingandretiringsignaturealgorithmsandkeysizes.Accordingly,DigiCertisphasingoutitsuseoftheSHA‐1hashalgorithm.Currently,DigiCertgeneratesandusesatleastthefollowingminimumkeysizes,signaturealgorithms,andhashalgorithmsforsigningCertificates,CRLs,andcertificatestatusserverresponsesforpolicyOIDarcsof2.16.840.1.114412.1,2.16.840.1.114412.2,or2.16.840.1.114412.4(forFBCACertificates):
2048‐bitRSAKeyor384‐bitECDSAKeywithSecureHashAlgorithmversion2(SHA‐256)orahashalgorithmthatisequally
ormoreresistanttoacollisionattack).Certificatesthatdonotassertthesecertificatepolicies(seeotherpolicieslistedinSection1.2)mayalsobesignedusingtheSHA‐1hashalgorithm,providedthatitsuseotherwisecomplieswithrequirementsoftheCA/BrowserForumortherelevantCP.SignaturesonCRLs,OCSPresponses,andOCSPresponderCertificatesthatprovidestatusinformationforCertificatesthatweregeneratedusingSHA‐1maycontinuetobegeneratedusingtheSHA‐1algorithm.AllothersignaturesonCRLs,OCSPresponses,andOCSPresponderCertificatesmustusetheSHA‐256hashalgorithmoronethatisequallyormoreresistanttocollisionattack.DigiCertrequiresend‐entityCertificatestocontainakeysizethatisatleast2048bitsforRSA,DSA,orDiffie‐Hellmanand224bitsforellipticcurvealgorithms.DigiCertmayrequirehigherbitkeysinitssolediscretion.AnyCertificates(whetherCAorend‐entity)expiringafter12/31/2030mustbeatleast3072‐bitforRSAand256‐bitforECDSA.DigiCertandSubscribersmayfulfillthetransmissionsecurityrequirementsundertheCPandthisCPSusingTLSoranotherprotocolthatprovidessimilarsecurity,providedtheprotocolrequiresatleastAES128bitsorequivalentforthesymmetrickeyandatleast2048‐bitRSAorequivalentfortheasymmetrickeys(andatleast3072bitRSAorequivalentforasymmetrickeysafter12/31/2030).
6.1.6. PublicKeyParametersGenerationandQualityCheckingDigiCertusesacryptomodulethatconformstoFIPS186‐2andprovidesrandomnumbergenerationandon‐boardgenerationofupto4096‐bitRSAPublicKeysandawiderangeofECCcurves.Thevalueofthispublicexponentequatestoanoddnumberequaltothreeormore.
6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield)DigiCert'sCertificatesincludekeyusageextensionfieldsthatspecifytheintendeduseoftheCertificateandtechnicallylimittheCertificate’sfunctionalityinX.509v3‐compliantsoftware.TheuseofaspecifickeyisdeterminedbythekeyusageextensionintheX.509Certificate.
47
PrivateKeyscorrespondingtoRootCACertificatesarenotusedtosignCertificatesexceptinthefollowingcases:
1.Self‐signedCertificatestorepresenttheRootCAitself;2.CertificatesforSubordinateCAsandCrossCertificates;3.Certificatesforinfrastructurepurposes(e.g.administrativerolecertificates,internalCAoperationaldevicecertificates;and4.CertificatesforOCSPResponseverification
SubscriberCertificatesassertkeyusagesbasedontheintendedapplicationoftheKeyPair.Inparticular,Certificatestobeusedfordigitalsignatures(includingauthentication)setthedigitalSignatureand/ornonRepudiationbits.CertificatestobeusedforkeyordataencryptionshallsetthekeyEnciphermentand/ordataEnciphermentbits.CertificatestobeusedforkeyagreementshallsetthekeyAgreementbit.KeyusagebitsandextendedkeyusagesarespecifiedinthecertificateprofileforeachtypeofCertificateDigiCert’sCACertificateshaveatleasttwokeyusagebitsset:keyCertSignandcRLSign,andforsigningOCSPresponses,thedigitalSignaturebitisalsoset.Exceptforlegacyapplicationsrequiringasinglekeyfordualusewithbothencryptionandsignature,DigiCertdoesnotissueCertificateswithkeyusageforbothsigningandencryption.Instead,DigiCertissuesSubscriberstwoKeyPairs—oneforkeymanagementandonefordigitalsignatureandauthentication.ForCertificatesatLevels1,2and3thatareusedforsigningandencryptioninsupportoflegacyapplications,theymust:
begeneratedandmanagedinaccordancewiththeirrespectivesignaturecertificaterequirements,exceptwhereotherwisenotedinthisCPS,
neverassertthenon‐repudiationkeyusagebit,and notbeusedforauthenticatingdatathatwillbeverifiedonthebasisofthedual‐useCertificateata
futuretime.NoLevel4Certificatesmayhavesuchdual‐useKeyPairs.
6.2. PRIVATEKEYPROTECTIONANDCRYPTOGRAPHICMODULEENGINEERINGCONTROLS
6.2.1. CryptographicModuleStandardsandControlsDigiCert'scryptographicmodulesforallofitsCAandOCSPresponderKeyPairsarevalidatedtotheFIPS140Level3.IGTFCertificateSubscribersmustprotecttheirPrivateKeysinaccordancewiththeapplicableGuidelinesonPrivateKeyProtection,includingtheuseofstrongpassphrasestoprotectPrivateKeys.Cryptographicmodulerequirementsforsubscribersandregistrationauthoritiesareshowninthetablebelow.
AssuranceLevel Subscriber RegistrationAuthority
EVCodeSigning FIPS140Level2(Hardware)
FIPS140Level2(Hardware)
AdobeSigning FIPS140Level2(Hardware)
FIPS140Level2(Hardware)
Rudimentary N/A FIPS140Level1(HardwareorSoftware)
48
Basic,LOA2,andLOA3FIPS140Level1
(HardwareorSoftware)FIPS140Level1
(HardwareorSoftware)
Medium
FIPS140Level1(Software)
FIPS140Level2(Hardware)
FIPS140Level2(Hardware)
MediumHardware,Biometric/Hardware
Authentication
FIPS140Level2(Hardware)
FIPS140Level2(Hardware)
DigiCertensuresthatthePrivateKeyofanEVCodeSigningCertificateisproperlygenerated,used,andstoredinacryptomodulethatmeetsorexceedstherequirementsofFIPS140level2by(i)shippingconformingcryptomoduleswithpreinstalledKeyPairs,(ii)communicatingviaPKCS#11cryptoAPIsofcryptomodulesthatDigiCerthasverifiedmeetorexceedrequirements,or(iii)obtaininganITauditfromtheSubscriberthatindicatescompliancewithFIPS140‐2level2ortheequivalent.
6.2.2. PrivateKey(noutofm)Multi‐personControlDigiCert'sauthenticationmechanismsareprotectedsecurelywhennotinuseandmayonlybeaccessedbyactionsofmultipletrustedpersons.BackupsofCAPrivateKeysaresecurelystoredoff‐siteandrequiretwo‐personaccess.Re‐activationofabacked‐upCAPrivateKey(unwrapping)requiresthesamesecurityandmulti‐personcontrolaswhenperformingothersensitiveCAPrivateKeyoperations.
6.2.3. PrivateKeyEscrowDigiCertdoesnotescrowitssignaturekeys.Subscribersmaynotescrowtheirprivatesignaturekeys.DigiCertmayprovideescrowservicesforothertypesofCertificatesinordertoprovidekeyrecoveryasdescribedinsection4.12.1.
6.2.4. PrivateKeyBackupDigiCert'sPrivateKeysaregeneratedandstoredinsideDigiCert’scryptographicmodule,whichhasbeenevaluatedtoatleastFIPS140Level3andEAL4+.Whenkeysaretransferredtoothermediaforbackupanddisasterrecoverypurposes,thekeysaretransferredandstoredinanencryptedform.DigiCert'sCAKeyPairsarebackedupbymultipletrustedindividualsusingacryptographichardwaredeviceaspartofscriptedandvideo‐recordedkeybackupprocess.DigiCertmayprovidebackupservicesforPrivateKeysthatarenotrequiredtobekeptonahardwaredevice.AccesstobackupCertificatesisprotectedinamannerthatonlytheSubscribercancontrolthePrivateKey.Backedupkeysareneverstoredinaplaintextformoutsideofthecryptographicmodule.
6.2.5. PrivateKeyArchivalDigiCertdoesnotarchivePrivateKeys.
6.2.6. PrivateKeyTransferintoorfromaCryptographicModuleAllkeysmustbegeneratedbyandinacryptographicmodule.PrivateKeysareexportedfromthecryptographicmoduleintobackuptokensonlyforHSMtransfer,offlinestorage,andbackuppurposes.ThePrivateKeysareencryptedwhentransferredoutofthemoduleandneverexistinplaintextform.Whentransportedbetweencryptographicmodules,DigiCertencryptsthePrivateKeyandprotectsthekeysusedforencryptionfromdisclosure.PrivateKeysusedtoencryptbackupsaresecurelystoredandrequiretwo‐personaccess.IfDigiCertbecomesawarethataSubordinateCA’sPrivateKeyhasbeencommunicatedtoanunauthorizedpersonoranorganizationnotaffiliatedwiththeSubordinateCA,thenDigiCertwillrevokeallcertificatesthatincludethePublicKeycorrespondingtothecommunicatedPrivateKey.
49
6.2.7. PrivateKeyStorageonCryptographicModuleDigiCert'sPrivateKeysaregeneratedandstoredinsideDigiCert’scryptographicmodule,whichhasbeenevaluatedtoatleastFIPS140Level3andEAL4+.RootPrivateKeysarestoredofflineincryptographicmodulesorbackuptokensasdescribedaboveinSections6.2.2,6.2.4,and6.2.6.
6.2.8. MethodofActivatingPrivateKeysDigiCert'sPrivateKeysareactivatedaccordingtothespecificationsofthecryptographicmodulemanufacturer.Activationdataentryisprotectedfromdisclosure.SubscribersaresolelyresponsibleforprotectingtheirPrivateKeys.SubscribersshoulduseastrongpasswordorequivalentauthenticationmethodtopreventunauthorizedaccessoruseoftheSubscriber’sPrivateKey.Ataminimum,SubscribersarerequiredtoauthenticatethemselvestothecryptographicmodulebeforeactivatingtheirPrivateKeys.SeealsoSection6.4.
6.2.9. MethodofDeactivatingPrivateKeysDigiCert’sPrivateKeysaredeactivatedvialogoutproceduresontheapplicableHSMdevicewhennotinuse.DigiCertneverleavesitsHSMdevicesinanactiveunlockedorunattendedstate.SubscribersshoulddeactivatetheirPrivateKeysvialogoutandremovalprocedureswhennotinuse.
6.2.10. MethodofDestroyingPrivateKeysDigiCertpersonnel,actingintrustedroles,destroyCA,RA,andstatusserverPrivateKeyswhennolongerneeded.SubscribersshalldestroytheirPrivateKeyswhenthecorrespondingCertificateisrevokedorexpiredorifthePrivateKeyisnolongerneeded.DigiCertmaydestroyaPrivateKeybydeletingitfromallknownstoragepartitions.DigiCertalsozeroizestheHSMdeviceandassociatedbackuptokensaccordingtothespecificationsofthehardwaremanufacturer.Thisreinitializesthedeviceandoverwritesthedatawithbinaryzeros.Ifthezeroizationorre‐initializationprocedurefails,DigiCertwillcrush,shred,and/orincineratethedeviceinamannerthatdestroystheabilitytoextractanyPrivateKey.
6.2.11. CryptographicModuleRatingSeeSection6.2.1.
6.3. OTHERASPECTSOFKEYPAIRMANAGEMENT
6.3.1. PublicKeyArchivalDigiCertarchivescopiesofPublicKeysinaccordancewithSection5.5.
6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriodsDigiCertCertificateshavemaximumvalidityperiodsof:Type PrivateKeyUse CertificateTermRootCA 20years 25yearsSubCA* 12years 15yearsFBCA‐Cross‐certifiedSubCAs 6years(periodof
keyuseforsigningCertificates)
10years(keystillsignsCRLs,OCSPresponses,andOCSPresponder
Certificates)IGTFCross‐certifiedSubCA* 6years 15yearsCRLandOCSPrespondersigning 3years 31days†OVSSL/TLSServer Nostipulation 825daysEVSSL/TLSServer Nostipulation 825daysTimeStampingAuthority 15months 135monthsObjectSigningCertificateandDocument Nostipulation‡ 123months
50
Type PrivateKeyUse CertificateTermSigningCodeSigningCertificateissuedtoSubscriberundertheMinimumRequirementsforCodeSigningCertificatesortheEVCodeSigningGuidelines
Nostipulation 39months
EVCodeSigningCertificateissuedtoSigningAuthority
123months 123months
AdobeSigningCertificate 39months 5yearsFBCAandIGTFEndEntityClientusedforsignatures
36months 36months
FBCAandIGTFClientusedforkeymanagement.
36months 36months
EndEntityClientforallotherpurposes(FBCAorIGTFcompliant)
36months 36months
EndEntity/Clientforallotherpurposes(non‐FBCAandnon‐IGTFcerts)
NoStipulation 60months
IGTFonhardware 60months 13monthsHotspot2.0OSUServerCertificates Nostipulation 2years
*IGTFsigningCertificateshavealifetimethatisatleasttwicethemaximumlifetimeofanendentityCertificate.‡Codeandcontentsignerscross‐certifiedwithFBCAmayusetheirPrivateKeysforthreeyears;thelifetimeoftheassociatedPublicKeysshallnotexceedeightyears.RelyingpartiesmaystillvalidatesignaturesgeneratedwiththesekeysafterexpirationoftheCertificate.PrivateKeysassociatedwithself‐signedrootCertificatesthataredistributedastrustanchorsareusedforamaximumof20years.DigiCertmayvoluntarilyretireitsCAPrivateKeysbeforetheperiodslistedabovetoaccommodatekeychangeoverprocesses.DigiCertdoesnotissueSubscriberCertificateswithanexpirationdatethatispasttheIssuerCA’spublickeyexpirationdateorthatexceedstheroutinere‐keyidentificationrequirementsspecifiedinSection3.1.1.
6.4. ACTIVATIONDATA
6.4.1. ActivationDataGenerationandInstallationDigiCertactivatesthecryptographicmodulecontainingitsCAPrivateKeysaccordingtothespecificationsofthehardwaremanufacturer.ThismethodhasbeenevaluatedasmeetingtherequirementsofFIPS140‐2Level3.Thecryptographichardwareisheldundertwo‐personcontrolasexplainedinSection5.2.2andelsewhereinthisCPS.DigiCertwillonlytransmitactivationdataviaanappropriatelyprotectedchannelandatatimeandplacethatisdistinctfromthedeliveryoftheassociatedcryptographicmodule.AllDigiCertpersonnelandSubscribersareinstructedtousestrongpasswordsandtoprotectPINsandpasswords.IfDigiCertusespasswordsasactivationdataforasigningkey,DigiCertwillchangetheactivationdatachangeuponrekeyoftheCACertificate.
6.4.2. ActivationDataProtectionDigiCertprotectsdatausedtounlockPrivateKeysfromdisclosureusingacombinationofcryptographicandphysicalaccesscontrolmechanisms.Protectionmechanismsincludekeepingactivationmechanismssecureusingrole‐basedphysicalcontrol.AllDigiCertpersonnelareinstructedtomemorizeandnottowritedowntheirpasswordorshareitwithanotherindividual.DigiCertlocksaccountsusedtoaccesssecureCAprocessesifacertainnumberoffailedpasswordattemptsoccur.
51
6.4.3. OtherAspectsofActivationDataNostipulation.
6.5. COMPUTERSECURITYCONTROLS
6.5.1. SpecificComputerSecurityTechnicalRequirementsDigiCertsecuresitsCAsystemsandauthenticatesandprotectscommunicationsbetweenitssystemsandtrustedroles.DigiCert'sCAserversandsupport‐and‐vettingworkstationsrunontrustworthysystemsthatareconfiguredandhardenedusingindustrybestpractices.AllCAsystemsarescannedformaliciouscodeandprotectedagainstspywareandviruses.DigiCert’sCAsystems,includinganyremoteworkstations,areconfiguredto:
1. authenticatetheidentityofusersbeforepermittingaccesstothesystemorapplications,2. managetheprivilegesofusersandlimituserstotheirassignedroles,3. generateandarchiveauditrecordsforalltransactions,4. enforcedomainintegrityboundariesforsecuritycriticalprocesses,and5. supportrecoveryfromkeyorsystemfailure.
AllCertificateStatusServers:
authenticatetheidentityofusersbeforepermittingaccesstothesystemorapplications, manageprivilegestolimituserstotheirassignedroles, enforcedomainintegrityboundariesforsecuritycriticalprocesses,and supportrecoveryfromkeyorsystemfailure.
DigiCertenforcesmulti‐factorauthenticationonanyaccountcapableofdirectlycausingCertificateissuance.
6.5.2. ComputerSecurityRatingNostipulation.
6.6. LIFECYCLETECHNICALCONTROLS
6.6.1. SystemDevelopmentControlsDigiCerthasmechanismsinplacetocontrolandmonitortheacquisitionanddevelopmentofitsCAsystems.Changerequestsrequiretheapprovalofatleastoneadministratorwhoisdifferentfromthepersonsubmittingtherequest.DigiCertonlyinstallssoftwareonCAsystemsifthesoftwareispartoftheCA’soperation.CAhardwareandsoftwarearededicatedtoperformingoperationsoftheCA.Vendorsareselectedbasedontheirreputationinthemarket,abilitytodeliverqualityproduct,andlikelihoodofremainingviableinthefuture.Managementisinvolvedinthevendorselectionandpurchasedecisionprocess.Non‐PKIhardwareandsoftwareispurchasedwithoutidentifyingthepurposeforwhichthecomponentwillbeused.Allhardwareandsoftwareareshippedunderstandardconditionstoensuredeliveryofthecomponentdirectlytoatrustedemployeewhoensuresthattheequipmentisinstalledwithoutopportunityfortampering.SomeofthePKIsoftwarecomponentsusedbyDigiCertaredevelopedin‐houseorbyconsultantsusingstandardsoftwaredevelopmentmethodologies.Allsuchsoftwareisdesignedanddevelopedinacontrolledenvironmentandsubjectedtoqualityassurancereview.Othersoftwareispurchasedcommercialoff‐the‐shelf(COTS).Qualityassuranceismaintainedthroughouttheprocessthroughtestinganddocumentationorbypurchasingfromtrustedvendorsasdiscussedabove.Updatesofequipmentandsoftwarearepurchasedordevelopedinthesamemannerastheoriginalequipmentorsoftwareandareinstalledandtestedbytrustedandtrainedpersonnel.AllhardwareandsoftwareessentialtoDigiCert’soperationsisscannedformaliciouscodeonfirstuseandperiodicallythereafter.
52
6.6.2. SecurityManagementControlsDigiCerthasmechanismsinplacetocontrolandmonitorthesecurity‐relatedconfigurationsofitsCAsystems.WhenloadingsoftwareontoaCAsystem,DigiCertverifiesthatthesoftwareisthecorrectversionandissuppliedbythevendorfreeofanymodifications.DigiCertverifiestheintegrityofsoftwareusedwithitsCAprocessesatleastonceaweek.
6.6.3. LifeCycleSecurityControlsNostipulation.
6.7. NETWORKSECURITYCONTROLSDigiCertdocumentsandcontrolstheconfigurationofitssystems,includinganyupgradesormodificationsmade.DigiCert'sCAsystemisconnectedtooneinternalnetworkandisprotectedbyfirewallsandNetworkAddressTranslationforallinternalIPaddresses(e.g.,192.168.x.x).DigiCert'scustomersupportandvettingworkstationsarealsoprotectedbyfirewall(s)andonlyuseinternalIPaddresses.RootKeysarekeptofflineandbroughtonlineonlywhennecessarytosignCertificate‐issuingsubordinateCAs,OCSPResponderCertificates,orperiodicCRLs.Firewallsandboundarycontroldevicesareconfiguredtoallowaccessonlybytheaddresses,ports,protocolsandcommandsrequiredforthetrustworthyprovisionofPKIservicesbysuchsystems.DigiCert'ssecuritypolicyistoblockallportsandprotocolsandopenonlyportsnecessarytoenableCAfunctions.AllCAequipmentisconfiguredwithaminimumnumberofservicesandallunusednetworkportsandservicesaredisabled.DigiCert'snetworkconfigurationisavailableforreviewon‐sitebyitsauditorsandconsultantsunderanappropriatenon‐disclosureagreement.
6.8. TIME‐STAMPINGThesystemtimeonDigiCert’scomputersisupdatedusingtheNetworkTimeProtocol(NTP)tosynchronizesystemclocksatleastonceeveryeighthours(Windowsdefault).AlltimesaretraceabletoarealtimevaluedistributedbyaUTC(k)laboratoryorNationalMeasurementInstituteandareupdatedwhenaleapsecondoccursasnotifiedbytheappropriatebody.DigiCertmaintainsaninternalNTPserverthatsynchronizeswithcellulartelephonenetworksandmaintainstheaccuracyofitsclockwithinonesecondorless.ForeachtimestamprequesttheinternalNTPserverisqueriedforthecurrenttime.However,RelyingPartiesshouldbeawarethatalltimesincludedinatime‐stamptokenaresynchronizedwithUTCwithintheaccuracydefinedinthetime‐stamptokenitself,ifpresent.DigiCertwillnotissueatime‐stamptokenusinganyclockthatisdetectedasinaccurate.Allclocksusedfortime‐stampingarehousedintheDigiCert’ssecurefacilitiesandareprotectedagainstthreatsthatcouldresultinanunexpectedchangetotheclock’stime.DigiCert'sfacilitiesautomaticallydetectandreportanyclockthatdriftsorjumpsoutofsynchronizationwithUTC.Clockadjustmentsareauditableevents.SomeaspectsofRFC3161timestampsdifferfromMicrosoftAuthenticodetimestamps.ForRFC3161‐complianttimestamps,DigiCertincludesauniqueintegerforeachnewlygeneratedtime‐stamptoken.DigiCertonlytime‐stampshashrepresentationsofdata,notthedataitself.Informationcanbehashedfortime‐stampingusingSHA‐1orSHA‐256withRSAencryptionandeither1024or2048bitkeysizeforsignaturecreation.(SHA‐1,SHA‐256,SHA‐384,SHA‐512,MD5,MD4,andMD2aresupportedforRFC3161‐basedrequests.)DigiCertdoesnotexaminetheimprintbeingtime‐stampedotherthantochecktheimprint’slength.DigiCertalsodoesnotincludeanyidentificationoftheTimeStampTokenRequester(TSTRequester)inthetime‐stamptoken.Alltime‐stamptokensaresignedusingakeygeneratedexclusivelyforthatpurposesandhavethepropertyofthekeyindicatedintheCertificate.TSTRequestersrequesttime‐stamptokensbysendingarequesttoDigiCert.AftertheTSTRequesterreceivesaresponsefromDigiCert,itmustverifythestatuserrorreturnedintheresponse.Ifanerrorwasnotreturned,theTSTRequestermustthenverifythefieldscontainedinthetime‐stamptokenandthevalidityofthetime‐stamptoken’sdigitalsignature.Inparticular,theTSTRequestermustverifythatthetime‐stampeddatacorrespondstowhatwasrequestedandthatthetime‐stamptokencontainsthecorrectcertificate
53
identifier,thecorrectdataimprint,andthecorrecthashalgorithmOID.TheTSTRequestermustalsoverifythetimelinessoftheresponsebyverifyingtheresponseagainstalocaltrustedtimereference.TheTSTRequesterisrequiredtonotifyDigiCertimmediatelyifanyinformationcannotbeverified.TimeStampVerifiersshallverifythedigitalsignatureonthetime‐stamptokenandconfirmthatthedatacorrespondstothehashvalueinthetime‐stamptoken.
7. CERTIFICATE,CRL,ANDOCSPPROFILESDigiCertusestheITUX.509,version3standardtoconstructdigitalCertificatesforusewithintheDigiCertPKI.DigiCertaddscertaincertificateextensionstothebasiccertificatestructureforthepurposesintendedbyX.509v3asperAmendment1toISO/IEC9594‐8,1995.DigiCertgeneratesnon‐sequentialCertificateserialnumbers(positivenumbersgreaterthanzero)thatcontainatleast64bitsofoutputfromaCSPRNG.
7.1. CERTIFICATEPROFILE
7.1.1. VersionNumber(s)AllCertificatesareX.509version3Certificates.
7.1.2. CertificateExtensionsIGTFCertificatescomplywiththeGridCertificateProfileasdefinedbytheOpenGridForumGFD.125.SubordinateCACertificatescreatedafterJanuary1,2019forpubliclytrustedcertificates,withtheexceptionofcross‐certificatesthatshareaprivatekeywithacorrespondingrootcertificate:willcontainanEKUextension;andcannotincludetheanyExtendedKeyUsageKeyPurposeId;DigiCertnolongerincludesboththe
id‐kp‐serverAuthandid‐kp‐emailProtectionKeyPurposeIdsinthesamecertificate.DigiCert’sTechnicallyConstrainedSubordinateCACertificatesincludeanExtendedKeyUsage(EKU)extensionspecifyingallextendedkeyusagesforwhichtheSubordinateCACertificateisauthorizedtoissuecertificates.TheanyExtendedKeyUsageKeyPurposeIddoesnotappearintheEKUextensionofpubliclytrustedcertificates.
7.1.3. AlgorithmObjectIdentifiersDigiCertCertificatesaresignedusingoneofthefollowingalgorithms:sha‐1WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)5]sha256WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)
11]ecdsa‐with‐sha384 [iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)signatures(4)
ecdsa‐with‐SHA2(3)3]DigiCertdoesnotcurrentlysignCertificatesusingRSAwithPSSpadding.SSL/TLSServerCertificatesandOCSPCertificatesarenotsignedwithsha‐1WithRSAEncryption.DigiCertandSubscribersmaygenerateKeyPairsusingthefollowing:id‐dsa [iso(1)member‐body(2)us(840)x9‐57(10040)x9cm(4)1]RsaEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)1]Dhpublicnumber [iso(1)member‐body(2)us(840)ansi‐x942(10046)number‐type(2)1]
id‐keyExchangeAlgorithm[joint‐iso‐ccitt(2)country(16)us(840)organization(1)gov(101)dod(2)infosec(1)algorithms(1)22]
id‐ecPublicKey[iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)id‐publicKeyType(2)1]
EllipticcurvePublicKeyssubmittedtoDigiCertforinclusioninendentityCertificatesshouldallbebasedonNIST“SuiteB”curves.
54
DigiCertdoesnotissuepubliclytrustedSSL/TLSCertificatestoaReservedIPaddressorInternalName.
7.1.4. NameFormsEachCertificateincludesauniqueserialnumberthatisneverreused.OptionalsubfieldsinthesubjectofanSSLCertificatemusteithercontaininformationverifiedbyDigiCertorbeleftempty.SSL/TLSServerCertificatescannotcontainmetadatasuchas‘.’,‘‐‘and‘‘charactersoranyotherindicationthatthefieldisnotapplicable.DigiCertlogicallyrestrictsOUfieldsfromcontainingSubscriberinformationthathasnotbeenverifiedinaccordancewithSection3.ForCAcertificates,thecommonNameattributeispresentandthecontentsisanidentifierthatuniquelyidentifiestheCAanddistinguishesitfromotherCAs. ThecontentoftheCertificateIssuerDistinguishedNamefieldmatchestheSubjectDNoftheIssuerCAtosupportnamechainingasspecifiedinRFC5280,section4.1.2.4.ThecontentsofthefieldsinEVCertificatesmustmeettherequirementsinSection8.1oftheEVGuidelines.
7.1.5. NameConstraintsDigiCertmayincludenameconstraintsinthenameConstraintsfieldwhenappropriate.
7.1.5.1. Name‐ConstrainedserverAuthCAsIftheSubordinateCACertificateincludestheid‐kp‐serverAuthextendedkeyusage,thenatechnicallyconstrainedSubordinateCACertificateincludestheNameConstraintsX.509v3extensionwithconstraintsondNSName,iPAddressandDirectoryNameasfollows:
(a)ForeachdNSNameinpermittedSubtrees,theDigiCertconfirmsthattheApplicanthasregisteredthedNSNameorhasbeenauthorizedbythedomainregistranttoactontheregistrant'sbehalfinlinewiththeverificationpracticesofBaselineRequirementssection3.2.2.4.(b)ForeachiPAddressrangeinpermittedSubtrees,DigiCertconfirmsthattheApplicanthasbeenassignedtheiPAddressrangeorhasbeenauthorizedbytheassignertoactontheassignee'sbehalf.(c)ForeachDirectoryNameinpermittedSubtreestheDigiCertconfirmstheApplicant’sand/orSubsidiary’sOrganizationalname(s)andlocation(s)suchthatendentitycertificatesissuedfromthesubordinateCACertificatewillcomplywithsection7.1.2.4and7.1.2.5oftheBaselineRequirements.IftheSubordinateCACertificateisnotallowedtoissuecertificateswithaniPAddress,thentheSubordinateCACertificatespecifiestheentireIPv4andIPv6addressrangesinexcludedSubtrees.TheSubordinateCACertificateincludeswithinexcludedSubtreesaniPAddressGeneralNameof8zerooctets(coveringtheIPv4addressrangeof0.0.0.0/0).TheSubordinateCACertificatealsoincludeswithinexcludedSubtreesaniPAddressGeneralNameof32zerooctets(coveringtheIPv6addressrangeof::0/0).Otherwise,theSubordinateCACertificateincludesatleastoneiPAddressinpermittedSubtrees.
IftheSubordinateCAisnotallowedtoissuecertificateswithdNSNames,thentheSubordinateCACertificateincludesazero‐lengthdNSNameinexcludedSubtrees.Otherwise,theSubordinateCACertificateincludesatleastonedNSNameinpermittedSubtrees.
7.1.5.2. Name‐ConstrainedemailProtectionCAsIfthetechnicallyconstrainedSubordinateCAcertificateincludestheid‐kp‐emailProtectionextendedkeyusage,italsoincludestheNameConstraintsX.509v3extensionwithconstraintsonrfc822Name,withatleastonenameinpermittedSubtrees,eachsuchnamehavingitsownershipvalidatedaccordingtosection3.2.2.4oftheBaselineRequirements.
55
7.1.6. CertificatePolicyObjectIdentifierAnobjectidentifier(OID)isauniquenumberthatidentifiesanobjectorpolicy.TheOIDsusedbyDigiCertarelistedinSection1.2.
7.1.7. UsageofPolicyConstraintsExtensionNotapplicable.
7.1.8. PolicyQualifiersSyntaxandSemanticsDigiCertincludesbriefstatementsinCertificatesaboutthelimitationsofliabilityandothertermsassociatedwiththeuseofaCertificateinthePolicyQualifierfieldoftheCertificatesPolicyextension.
7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtensionNostipulation.
7.2. CRLPROFILE
7.2.1. Versionnumber(s)DigiCertissuesversion2CRLsthatcontainthefollowingfields:
Field ValueIssuerSignatureAlgorithm sha‐1WithRSAEncryption[12840113549115]OR
sha‐256WithRSAEncryption[128401135491111]ORecdsa‐with‐sha384[1284010045433]
IssuerDistinguishedName DigiCertthisUpdate CRLissuedateinUTCformatnextUpdate DatewhenthenextCRLwillissueinUTCformat.RevokedCertificatesList
ListofrevokedCertificates,includingtheserialnumberandrevocationdate
Issuer’sSignature [Signature]
7.2.2. CRLandCRLEntryExtensionsCRLshavethefollowingextensions:
Extension ValueCRLNumber NeverrepeatedmonotonicallyincreasingintegerAuthorityKeyIdentifier SameastheAuthorityKeyIdentifierlistedintheCertificateInvalidityDate OptionaldateinUTCformatReasonCode Optionalreasonforrevocation
7.3. OCSPPROFILE
7.3.1. VersionNumber(s)DigiCert’sOCSPrespondersconformtoversion1ofRFC6960.
7.3.2. OCSPExtensionsNostipulation.
8. COMPLIANCEAUDITANDOTHERASSESSMENTSThepracticesinthisCPSaredesignedtomeetorexceedtherequirementsofgenerallyacceptedindustrystandards,includingthelatestversionsoftheWebTrustProgramsforCertificationAuthorities. ForpurposesofinteroperationwiththeU.S.Government,compliancecanbedeterminedbyreferencetoanycurrentauditorletterofcompliancemeetingFPKIPAAuditRequirements.(Note:Forbusinesspurposes,cross‐signedCAsoperatedbythirdpartiesinEurope,whooperateundertheirownCPSs,areauditedinaccordancewithETSIauditcriteria.)
56
8.1. FREQUENCYORCIRCUMSTANCESOFASSESSMENTDigiCertreceivesanannualperiodintimeauditbyanindependentexternalauditortoassessDigiCert'scompliancewiththisCPS,referencedrequirements,anyapplicableCPs,FPKIPAAuditRequirements,andtheWebTrustforCAprogramscriteria.TheauditcoversDigiCert’sRAsystems,SubCAs,andOCSPResponders.
8.2. IDENTITY/QUALIFICATIONSOFASSESSORWebTrustauditorsmustmeettherequirementsofSection8.2oftheBaselineRequirements.
8.3. ASSESSOR'SRELATIONSHIPTOASSESSEDENTITYDigiCert’sWebTrust/FederalPKIauditordoesnothaveafinancialinterest,businessrelationship,orcourseofdealingthatcouldforeseeablycreateasignificantbiasfororagainstDigiCert.
8.4. TOPICSCOVEREDBYASSESSMENTTheauditcoversDigiCert'sbusinesspracticesdisclosure,theintegrityofDigiCert'sPKIoperations,andDigiCert’scompliancewiththisCPSandreferencedrequirements.TheauditverifiesthatDigiCertiscompliantwiththeCP,thisCPS,andanyMOAbetweenitandanyotherPKI.
8.5. ACTIONSTAKENASARESULTOFDEFICIENCYIfanauditreportsamaterialnoncompliancewithapplicablelaw,thisCPS,theCP,oranyothercontractualobligationsrelatedtoDigiCert’sservices,then(1)theauditorwilldocumentthediscrepancy,(2)theauditorwillpromptlynotifyDigiCert,and(3)DigiCertwilldevelopaplantocurethenoncompliance.DigiCertwillsubmittheplantotheDCPAforapprovalandtoanythirdpartythatDigiCertislegallyobligatedtosatisfy.TheDCPAmayrequireadditionalactionifnecessarytorectifyanysignificantissuescreatedbythenon‐compliance,includingrequiringrevocationofaffectedCertificates.
8.6. COMMUNICATIONOFRESULTSTheresultsofeachauditarereportedtotheDCPAandtoanythirdpartyentitieswhichareentitledbylaw,regulation,oragreementtoreceiveacopyoftheauditresults.CopiesofDigiCert’sWebTrustforCAsauditreportscanbefoundat:https://www.digicert.com/webtrust‐audits.Onanannualbasisandwithinthreemonthsofcompletion,DigiCertsubmitscopiesofrelevantauditcompliancereportstovariousparties,suchasMozilla,Adobe,theFederalPKIPolicyAuthority,CAlicensingbodies,etc.
8.7. SELF‐AUDITSOnatleastaquarterlybasis,DigiCertperformsregularinternalauditsagainstarandomlyselectedsampleofatleastthreepercentofitsSSL/TLSServerCertificatesandEVCodeSigningCertificatesissuedsincethelastinternalaudit.Self‐auditsonserverandcodesigningCertificatesareperformedinaccordancewithGuidelinesadoptedbytheCA/BrowserForum.
9. OTHERBUSINESSANDLEGALMATTERS
9.1. FEES
9.1.1. CertificateIssuanceorRenewalFeesDigiCertchargesfeesforcertificateissuanceandrenewal.DigiCertmaychangeitsfeesatanytimeinaccordancewiththeapplicablecustomeragreement.
9.1.2. CertificateAccessFeesDigiCertmaychargeareasonablefeeforaccesstoitscertificatedatabases.
9.1.3. RevocationorStatusInformationAccessFeesDigiCertdoesnotchargeacertificaterevocationfeeorafeeforcheckingthevaliditystatusofanissuedCertificateusingaCRL.DigiCertmaychargeafeeforprovidingcertificatestatusinformationviaOCSP.
57
9.1.4. FeesforOtherServicesNostipulation.
9.1.5. RefundPolicySubscribersmustrequestrefunds,inwriting,within30daysafteraCertificateissues.Afterreceivingtherefundrequest,DigiCertmayrevoketheCertificateandrefundtheamountpaidbytheApplicant,minusanyapplicableapplicationprocessingfees.
9.2. FINANCIALRESPONSIBILITY
9.2.1. InsuranceCoverageDigiCertmaintainsCommercialGeneralLiabilityinsurancewithapolicylimitofatleast$2millionincoverageandProfessionalLiability/Errors&Omissionsinsurancewithapolicylimitofatleast$5millionincoverage.InsuranceiscarriedthroughcompaniesratednolessthanA‐astoPolicyHolder’sRatinginthecurrenteditionofBest’sInsuranceGuide(orwithanassociationofcompanies,eachofthemembersofwhicharesorated).
9.2.2. OtherAssetsNostipulation.
9.2.3. InsuranceorWarrantyCoverageforEnd‐EntitiesDigiCertprovidesawarrantytoSubscribersaccordingtothetermsoftheNetsureExtendedWarrantyProtectionPlan.DigiCertprovidesalimitedwarrantytoRelyingPartiesinDigiCert’sRelyingPartyAgreement.
9.3. CONFIDENTIALITYOFBUSINESSINFORMATION
9.3.1. ScopeofConfidentialInformationThefollowinginformationisconsideredconfidentialandprotectedagainstdisclosureusingareasonabledegreeofcare:
PrivateKeys; ActivationdatausedtoaccessPrivateKeysortogainaccesstotheCAsystem; Businesscontinuity,incidentresponse,contingency,anddisasterrecoveryplans; Othersecuritypracticesusedtoprotecttheconfidentiality,integrity,oravailabilityofinformation; InformationheldbyDigiCertasprivateinformationinaccordancewithSection9.4; Auditlogsandarchiverecords;and Transactionrecords,financialauditrecords,andexternalorinternalaudittrailrecordsandanyaudit
reports(withtheexceptionofanauditor’sletterconfirmingtheeffectivenessofthecontrolssetforthinthisCPS).
9.3.2. InformationNotWithintheScopeofConfidentialInformationAnyinformationnotlistedasconfidentialisconsideredpublicinformation.PublishedCertificateandrevocationdataisconsideredpublicinformation.
9.3.3. ResponsibilitytoProtectConfidentialInformationDigiCert’semployees,agents,andcontractorsareresponsibleforprotectingconfidentialinformationandarecontractuallyobligatedtodoso.Employeesreceivetrainingonhowtohandleconfidentialinformation.
9.4. PRIVACYOFPERSONALINFORMATION
9.4.1. PrivacyPlanDigiCertfollowstheprivacypolicypostedonitswebsitewhenhandlingpersonalinformation.Personalinformationisonlydisclosedwhenthedisclosureisrequiredbylaworwhenrequestedbythesubjectofthepersonalinformation.
58
9.4.2. InformationTreatedasPrivateDigiCerttreatsallpersonalinformationaboutanindividualthatisnotpubliclyavailableinthecontentsofaCertificateorCRLasprivateinformation.DigiCertprotectsprivateinformationusingappropriatesafeguardsandareasonabledegreeofcare.
9.4.3. InformationNotDeemedPrivatePrivateinformationdoesnotincludeCertificates,CRLs,ortheircontents.
9.4.4. ResponsibilitytoProtectPrivateInformationDigiCertemployeesandcontractorsareexpectedtohandlepersonalinformationinstrictconfidenceandmeettherequirementsofUSandEuropeanlawconcerningtheprotectionofpersonaldata.Allsensitiveinformationissecurelystoredandprotectedagainstaccidentaldisclosure.
9.4.5. NoticeandConsenttoUsePrivateInformationPersonalinformationobtainedfromanapplicantduringtheapplicationoridentityverificationprocessisconsideredprivateinformationiftheinformationisnotincludedinaCertificate.DigiCertwillonlyuseprivateinformationafterobtainingthesubject'sconsentorasrequiredbyapplicablelaworregulation.AllSubscribersmustconsenttotheglobaltransferandpublicationofanypersonaldatacontainedinaCertificate.
9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcessDigiCertmaydiscloseprivateinformation,withoutnotice,ifDigiCertbelievesthedisclosureisrequiredbylaworregulation.
9.4.7. OtherInformationDisclosureCircumstancesNostipulation.
9.5. INTELLECTUALPROPERTYRIGHTSDigiCertand/oritsbusinesspartnersowntheintellectualpropertyrightsinDigiCert’sservices,includingtheCertificates,trademarksusedinprovidingtheservices,andthisCPS.“DigiCert”isaregisteredtrademarkofDigiCert,Inc.CertificateandrevocationinformationarethepropertyofDigiCert.DigiCertgrantspermissiontoreproduceanddistributeCertificatesonanon‐exclusiveandroyalty‐freebasis,providedthattheyarereproducedanddistributedinfull.DigiCertdoesnotallowderivativeworksofitsCertificatesorproductswithoutpriorwrittenpermission.PrivateandPublicKeysremainthepropertyoftheSubscriberswhorightfullyholdthem.Allsecretshares(distributedelements)oftheDigiCertPrivateKeysarethepropertyofDigiCert.
9.6. REPRESENTATIONSANDWARRANTIES
9.6.1. CARepresentationsandWarrantiesExceptasexpresslystatedinthisCPSorinaseparateagreementwithaSubscriber,DigiCertdoesnotmakeanyrepresentationsregardingitsproductsorservices.DigiCertrepresents,totheextentspecifiedinthisCPS,that:
DigiCertcomplies,inallmaterialaspects,withtheCP,thisCPS,andallapplicablelawsandregulations,
DigiCertpublishesandupdatesCRLsandOCSPresponsesonaregularbasis, AllCertificatesissuedunderthisCPSwillbeverifiedinaccordancewiththisCPSandmeetthe
minimumrequirementsfoundhereinandintheBaselineRequirements, DigiCertwillmaintainarepositoryofpublicinformationonitswebsite,and InformationpublishedonaqualifiedCertificatemeetstherequirementsspecifiedinEUlaw.
TotheextentallowedunderEUlaw,DigiCert:
59
Doesnotwarranttheaccuracy,authenticity,completeness,orfitnessofanyunverifiedinformation,includingnameverificationfor(1)Certificatesintendedforemailandintranetuse,(2)Multi‐SANCertificates,and(3)otherCertificatesissuedtoindividualsandintranets.
IsnotresponsibleforinformationcontainedinaCertificateexceptasstatedinthisCPS, Doesnotwarrantthequality,function,orperformanceofanysoftwareorhardwaredevice,and IsnotresponsibleforfailingtocomplywiththisCPSbecauseofcircumstancesoutsideof
DigiCert’scontrol.ForEVCertificates,DigiCertrepresentstoSubscribers,Subjects,ApplicationSoftwareVendorsthatdistributeDigiCert’srootCertificates,andRelyingPartiesthatuseaDigiCertCertificatewhiletheCertificateisvalidthatDigiCertfollowedtheEVGuidelineswhenverifyinginformationandissuingEVCertificates.ThisrepresentationislimitedsolelytoDigiCert’scompliancewiththeEVGuidelines(e.g.,DigiCertmayrelyonerroneousinformationprovidedinanattorney’sopinionoraccountant’sletterthatischeckedinaccordancewiththeGuidelines).
9.6.2. RARepresentationsandWarrantiesRAsrepresentthat:
1. TheRA’scertificateissuanceandmanagementservicesconformtotheDigiCertCPandthisCPS,2. InformationprovidedbytheRAdoesnotcontainanyfalseormisleadinginformation,3. TranslationsperformedbytheRAareanaccuratetranslationoftheoriginalinformation,and4. AllCertificatesrequestedbytheRAmeettherequirementsofthisCPS.
DigiCert’sagreementwiththeRAmaycontainadditionalrepresentations.
9.6.3. SubscriberRepresentationsandWarrantiesPriortobeingissuedandreceivingaCertificate,subscribersaresolelyresponsibleforanymisrepresentationstheymaketothirdpartiesandforalltransactionsthatuseSubscriber’sPrivateKey,regardlessofwhethersuchusewasauthorized.SubscribersarerequiredtonotifyDigiCertandanyapplicableRAifachangeoccursthatcouldaffectthestatusoftheCertificate.DigiCertrequires,aspartoftheSubscriberAgreementorTermsofUse,thattheApplicantmakethecommitmentsandwarrantiesinthissectionforthebenefitofDigiCertandtheCertificateBeneficiaries.PriortotheissuanceofaCertificate,DigiCertwillobtain,fortheexpressbenefitofDigiCertandtheCertificateBeneficiaries,either:
1.TheApplicant’sagreementtotheSubscriberAgreementwithDigiCert,or2.TheApplicant’sacknowledgementoftheTermsofUse.
SubscribersrepresenttoDigiCert,ApplicationSoftwareVendors,andRelyingPartiesthat,foreachCertificate,theSubscriberwill:
1. SecurelygenerateitsPrivateKeysandprotectitsPrivateKeysfromcompromise,2. ProvideaccurateandcompleteinformationwhencommunicatingwithDigiCert,3. ConfirmtheaccuracyofthecertificatedatapriortousingtheCertificate,4. Promptly(i)requestrevocationofaCertificate,ceaseusingitanditsassociatedPrivateKey,and
notifyDigiCertifthereisanyactualorsuspectedmisuseorcompromiseofthePrivateKeyassociatedwiththePublicKeyincludedinthecertificate,and(ii)requestrevocationoftheCertificate,andceaseusingit,ifanyinformationintheCertificateisorbecomesincorrectorinaccurate,
5. EnsurethatindividualsusingCertificatesonbehalfofanorganizationhavereceivedsecuritytrainingappropriatetotheCertificate,
6. UsetheCertificateonlyforauthorizedandlegalpurposes,consistentwiththecertificatepurpose,thisCPS,anyapplicableCP,andtherelevantSubscriberAgreement,includingonlyinstallingSSL/TLSServerCertificatesonserversaccessibleatthedomainlistedintheCertificateandnotusingcode
60
signingCertificatestosignmaliciouscodeoranycodethatisdownloadedwithoutauser’sconsent,and
7. PromptlyceaseusingtheCertificateandrelatedPrivateKeyaftertheCertificate’sexpiration.
9.6.4. RelyingPartyRepresentationsandWarrantiesEachRelyingPartyrepresentsthat,priortorelyingonaDigiCertCertificate,it:
1. ObtainedsufficientknowledgeontheuseofdigitalCertificatesandPKI,2. StudiedtheapplicablelimitationsontheusageofCertificatesandagreestoDigiCert’slimitationson
liabilityrelatedtotheuseofCertificates,3. Hasread,understands,andagreestotheDigiCertRelyingPartyAgreementandthisCPS,4. VerifiedboththeDigiCertCertificateandtheCertificatesinthecertificatechainusingtherelevant
CRLorOCSP,5. WillnotuseaDigiCertCertificateiftheCertificatehasexpiredorbeenrevoked,and6. Willtakeallreasonablestepstominimizetheriskassociatedwithrelyingonadigitalsignature,
includingonlyrelyingonaDigiCertCertificateafterconsidering:a) applicablelawandthelegalrequirementsforidentificationofaparty,protectionofthe
confidentialityorprivacyofinformation,andenforceabilityofthetransaction;b) theintendeduseoftheCertificateaslistedinthecertificateorthisCPS,c) thedatalistedintheCertificate,d) theeconomicvalueofthetransactionorcommunication,e) thepotentiallossordamagethatwouldbecausedbyanerroneousidentificationoralossof
confidentialityorprivacyofinformationintheapplication,transaction,orcommunication,f) theRelyingParty’spreviouscourseofdealingwiththeSubscriber,g) theRelyingParty’sunderstandingoftrade,includingexperiencewithcomputer‐based
methodsoftrade,andh) anyotherindiciaofreliabilityorunreliabilitypertainingtotheSubscriberand/orthe
application,communication,ortransaction.AnyunauthorizedrelianceonaCertificateisataparty’sownrisk.
9.6.5. RepresentationsandWarrantiesofOtherParticipantsNostipulation.
9.7. DISCLAIMERSOFWARRANTIESEXCEPTASEXPRESSLYSTATEDINSECTION9.6.1,ALLCERTIFICATESANDANYRELATEDSOFTWAREANDSERVICESAREPROVIDED"ASIS"AND"ASAVAILABLE”.TOTHEMAXIMUMEXTENTPERMITTEDBYLAW,DIGICERTDISCLAIMSALLEXPRESSANDIMPLIEDWARRANTIES,INCLUDINGALLWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ANDNON‐INFRINGEMENT.DIGICERTDOESNOTWARRANTTHATANYSERVICEORPRODUCTWILLMEETANYEXPECTATIONSORTHATACCESSTOCERTIFICATESWILLBETIMELYORERROR‐FREE.DigiCertdoesnotguaranteetheavailabilityofanyproductsorservicesandmaymodifyordiscontinueanyproductorserviceofferingatanytime.AfiduciarydutyisnotcreatedsimplybecauseanentityusesDigiCert’sservices.
9.8. LIMITATIONSOFLIABILITYNOTHINGHEREINLIMITSLIABILTYRELATEDTO(I)DEATHORPERSONALINJURYRESULTINGFROMDIGICERT’SNEGLIGENCEOR(II)FRAUDCOMMITTEDBYDIGICERT.EXCEPTASSTATEDABOVE,ANYENTITYUSINGADIGICERTCERTIFICATEORSERVICEWAIVESALLLIABILITYOFDIGICERTRELATEDTOSUCHUSE,PROVIDEDTHATDIGICERTHASMATERIALLYCOMPLIEDWITHTHISCPSINPROVIDINGTHECERTIFICATEORSERVICE.DIGICERT’SLIABILITYFORCERTIFICATESANDSERVICESTHATDONOTMATERIALLYCOMPLYWITHTHISCPSISLIMITEDASSETFORTHINTHENETSUREEXTENDEDWARRANTYPROTECTIONPLANANDTHEDIGICERTRELYINGPARTYAGREEMENT.
Allliabilityislimitedtoactualandlegallyprovabledamages.DigiCertisnotliablefor:1. Anyindirect,consequential,special,orpunitivedamagesoranylossofprofit,revenue,data,or
opportunity,evenifDigiCertisawareofthepossibilityofsuchdamages;
61
2. LiabilityrelatedtofraudorwillfulmisconductoftheApplicant;3. LiabilityrelatedtouseofaCertificatethatexceedsthelimitationsonuse,value,ortransactionsas
statedeitherintheCertificateorthisCPS;4. Liabilityrelatedtothesecurity,usability,orintegrityofproductsnotsuppliedbyDigiCert,including
theSubscriber’sandRelyingParty’shardware;or5. LiabilityrelatedtothecompromiseofaSubscriber’sPrivateKey.
Thelimitationsinthissectionapplytothemaximumextentpermittedbylawandapplyregardlessof(i)thereasonforornatureoftheliability,includingtortclaims,(ii)thenumberofclaimsofliability,(iii)theextentornatureofthedamages,(iv)whetherDigiCertfailedtofollowanyprovisionofthisCPS,or(v)whetheranyprovisionofthisCPSwasprovenineffective.ThedisclaimersandlimitationsonliabilitiesinthisCPSarefundamentaltermstotheuseofDigiCert’sCertificatesandservices.
9.9. INDEMNITIES
9.9.1. IndemnificationbyDigiCertDigiCertshallindemnifyeachApplicationSoftwareVendoragainstanyclaim,damage,orlosssufferedbyanApplicationSoftwareVendorrelatedtoanEVCertificateissuedbyDigiCert,regardlessofthecauseofactionorlegaltheoryinvolved,exceptwheretheclaim,damage,orlosssufferedbytheApplicationSoftwareVendorwasdirectlycausedbytheApplicationSoftwareVendor’ssoftwaredisplayingeither(1)avalidandtrustworthyEVCertificateasnotvalidortrustworthyor(2)displayingastrustworthy(i)anEVCertificatethathasexpiredor(ii)arevokedEVCertificatewheretherevocationstatusisavailableonlinebuttheApplicationSoftwareVendor’ssoftwarefailedtocheckorignoredthestatus.
9.9.2. IndemnificationbySubscribersTotheextentpermittedbylaw,eachSubscribershallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedto(i)anymisrepresentationoromissionofmaterialfactbySubscriber,regardlessofwhetherthemisrepresentationoromissionwasintentionalorunintentional;(ii)Subscriber’sbreachoftheSubscriberAgreement,thisCPS,orapplicablelaw;(iii)thecompromiseorunauthorizeduseofaCertificateorPrivateKeycausedbytheSubscriber’snegligenceorintentionalacts;or(iv)Subscriber’smisuseoftheCertificateorPrivateKey.
9.9.3. IndemnificationbyRelyingPartiesTotheextentpermittedbylaw,eachRelyingPartyshallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedtotheRelyingParty’s(i)breachoftheRelyingPartyAgreement,anEnd‐UserLicenseAgreement,thisCPS,orapplicablelaw;(ii)unreasonablerelianceonaCertificate;or(iii)failuretochecktheCertificate’sstatuspriortouse.
9.10. TERMANDTERMINATION
9.10.1. TermThisCPSandanyamendmentstotheCPSareeffectivewhenpublishedtoDigiCert’sonlinerepositoryandremainineffectuntilreplacedwithanewerversion.
9.10.2. TerminationThisCPSandanyamendmentsremainineffectuntilreplacedbyanewerversion.
9.10.3. EffectofTerminationandSurvivalDigiCertwillcommunicatetheconditionsandeffectofthisCPS’sterminationviatheDigiCertRepository.Thecommunicationwillspecifywhichprovisionssurvivetermination.Ataminimum,allresponsibilitiesrelated
62
toprotectingconfidentialinformationwillsurvivetermination.AllSubscriberAgreementsremaineffectiveuntiltheCertificateisrevokedorexpired,evenifthisCPSterminates.
9.11. INDIVIDUALNOTICESANDCOMMUNICATIONSWITHPARTICIPANTSDigiCertacceptsnoticesrelatedtothisCPSatthelocationsspecifiedinSection2.2.NoticesaredeemedeffectiveafterthesenderreceivesavalidanddigitallysignedacknowledgmentofreceiptfromDigiCert.Ifanacknowledgementofreceiptisnotreceivedwithinfivedays,thesendermustresendthenoticeinpaperformtothestreetaddressspecifiedinSection2.2usingeitheracourierservicethatconfirmsdeliveryorviacertifiedorregisteredmailwithpostageprepaidandreturnreceiptrequested.DigiCertmayallowotherformsofnoticeinitsSubscriberAgreements.DigiCertwillnotifytheFPKIPAatleasttwoweekspriortoimplementationofanyplannedchangetotheinfrastructurethathasthepotentialtoaffecttheFPKIoperationalenvironment,andallnewartifacts(CAcertificates,CRLDP,AIAand/orSIAURLs,etc.)producedasaresultofthechangewillbeprovidedtotheFPKIPAwithin24hoursfollowingimplementation.DigiCertwillnotifyAdobeamonthinadvanceofanyupdatesorchangeswiththepotentialtoaffectcompliancewiththeAATLprogram,including:
1. AdditionsofRootCAsandSubordinateCAs2. AdditionalCPsattheRootCAlevel3. ChangesinCertificateissuanceprocedures4. TerminationsortransitionofownershipofRootCAsorSubordinateCAs.
9.12. AMENDMENTS
9.12.1. ProcedureforAmendmentThisCPSisreviewedannually.AmendmentsaremadebypostinganupdatedversionoftheCPStotheonlinerepository.ControlsareinplacetoreasonablyensurethatthisCPSisnotamendedandpublishedwithoutthepriorauthorizationoftheDCPA.
9.12.2. NotificationMechanismandPeriodDigiCertpostsCPSrevisionstoitswebsite.DigiCertdoesnotguaranteeorsetanotice‐and‐commentperiodandmaymakechangestothisCPSwithoutnoticeandwithoutchangingtheversionnumber.MajorchangesaffectingaccreditedCertificatesareannouncedandapprovedbytheaccreditingagencypriortobecomingeffective.TheDCPAisresponsiblefordeterminingwhatconstitutesamaterialchangeoftheCPS.
9.12.3. CircumstancesunderwhichOIDMustBeChangedTheDCPAissolelyresponsiblefordeterminingwhetheranamendmenttotheCPSrequiresanOIDchange.
9.13. DISPUTERESOLUTIONPROVISIONSPartiesarerequiredtonotifyDigiCertandattempttoresolvedisputesdirectlywithDigiCertbeforeresortingtoanydisputeresolutionmechanism,includingadjudicationoranytypeofalternativedisputeresolution.
9.14. GOVERNINGLAWThenationallawoftherelevantmemberstategovernsanydisputeinvolvingQualifiedCertificates.ExceptfordisputesinvolvingQualifiedCertificates,thelawsofthestateofUtahgoverntheinterpretation,construction,andenforcementofthisCPSandallproceedingsrelatedtoDigiCert’sproductsandservices,includingtortclaims,withoutregardtoanyconflictsoflawprinciples.ThestateofUtahhasnon‐exclusivevenueandjurisdictionoveranyproceedingsrelatedtotheCPSoranyDigiCertproductorservice.
9.15. COMPLIANCEWITHAPPLICABLELAWThisCPSissubjecttoallapplicablelawsandregulations,includingUnitedStatesrestrictionsontheexportofsoftwareandcryptographyproducts.Subjecttosection9.4.5’sNoticeandConsenttoUsePrivateInformation
63
containedinCertificates,DigiCertmeetstherequirementsoftheEuropeandataprotectionlawsandhasestablishedappropriatetechnicalandorganizationmeasuresagainstunauthorizedorunlawfulprocessingofpersonaldataandagainsttheloss,damage,ordestructionofpersonaldata.
9.16. MISCELLANEOUSPROVISIONS
9.16.1. EntireAgreementDigiCertcontractuallyobligateseachRAtocomplywiththisCPSandapplicableindustryguidelines.DigiCertalsorequireseachpartyusingitsproductsandservicestoenterintoanagreementthatdelineatesthetermsassociatedwiththeproductorservice.IfanagreementhasprovisionsthatdifferfromthisCPS,thentheagreementwiththatpartycontrols,butsolelywithrespecttothatparty.Thirdpartiesmaynotrelyonorbringactiontoenforcesuchagreement.
9.16.2. AssignmentAnyentitiesoperatingunderthisCPSmaynotassigntheirrightsorobligationswithoutthepriorwrittenconsentofDigiCert.Unlessspecifiedotherwiseinacontactwithaparty,DigiCertdoesnotprovidenoticeofassignment.
9.16.3. SeverabilityIfanyprovisionofthisCPSisheldinvalidorunenforceablebyacompetentcourtortribunal,theremainderoftheCPSwillremainvalidandenforceable.EachprovisionofthisCPSthatprovidesforalimitationofliability,disclaimerofawarranty,oranexclusionofdamagesisseverableandindependentofanyotherprovision.
9.16.4. Enforcement(attorneys'feesandwaiverofrights)DigiCertmayseekindemnificationandattorneys'feesfromapartyfordamages,losses,andexpensesrelatedtothatparty'sconduct.DigiCert’sfailuretoenforceaprovisionofthisCPSdoesnotwaiveDigiCert’srighttoenforcethesameprovisionlaterorrighttoenforceanyotherprovisionofthisCPS.Tobeeffective,waiversmustbeinwritingandsignedbyDigiCert.
9.16.5. ForceMajeureDigiCertisnotliableforanydelayorfailuretoperformanobligationunderthisCPStotheextentthatthedelayorfailureiscausedbyanoccurrencebeyondDigiCert’sreasonablecontrol.TheoperationoftheInternetisbeyondDigiCert’sreasonablecontrol.
9.17. OTHERPROVISIONSNostipulation.
64
APPENDIXA:SAMPLEOPINIONLETTER
[Date]To: DigiCert,Inc. 2801N.ThanksgivingWay Suite500 Lehi,UT84043 Email:[email protected] Fax:801‐705‐0481Re: DigitalCertificatefor[Exactcompanynameofclient–seefootnote1](“Client”)
ThisfirmrepresentsClient,whoaskedthatI,asits[accountant,lawyer,solicitors,barrister,advocate,etc.],attesttothefollowinginformationsolelyasrelatedtotheClient’sapplicationforadigitalcertificate.
AfterreviewingtheClient’srecordsandbasedonmyinvestigation,myprofessionalopinionisthat:
1. Clientisadulyformed[corporation,LLC,etc.]underthelawsofthe[state/province]of[nameof
governingjurisdictionwhereClientisincorporatedorregistered];is“active,”“valid,”“current,”ortheequivalent;andisnotunderanyknownlegaldisability.
2. [Ifapplicable]TheRomanizedtransliterationofClient’sformallegalnameis:[Romanizedname].
3. [Ifapplicable]Clientconductsbusinessunderthe[assumed/DBA/trade]nameof[assumednameofClient].Clienthasacurrentlyvalidregistrationofthenamewiththegovernmentagencythathasjurisdictionovertheplaceofbusinesslistedbelow.
4. Theaddresswhere[Client,Client’sparent,orClient’ssubsidiary–selectone]conductsbusinessoperationsis:[Insertplaceofbusiness–thisshouldmatchtheaddressonthecertificateapplication]
5. AmaintelephonenumberatClient’splaceofbusinessis:
[Insertprimarytelephonenumberofbusiness]
6. [NameofClient’sRepresentative–seefootnote2]isanindividual(orareindividuals)withtheauthoritytoactonbehalfofClientto:a) ProvideinformationabouttheClientcontainedinthereferencedapplication,b) Requestoneormoredigitalcertificatesanddesignateotherpersonstorequestdigital
certificates,andc) AgreetothecontractualobligationscontainedinDigiCert’sagreements.
7. [NameandtitleofClient’sRepresentative],whoisClient’s[TitleofClientRepresentative],canbecontactedat:Email:[EmailaddressofClientRepresentative]Phone:[PhonenumberofClientRepresentative]
8. Clienthaseitheroperatedasabusinessforthreeormoreyearsorhasanactivedepositaccountheldatabankorotherfinancialinstitutionwherefundsdepositedarepayableondemand.
Althoughwedidnotfindanyexceptionstotheaboveidentificationprocedures,theseproceduresdonot
constituteanauditoropinionofClient'sapplicationforadigitalcertificate.Wearenotexpressinganopinion
65
onClient'sdigitalcertificateapplicationandhaveprovidedthislettersolelyforthebenefitofDigiCertinconnectionwithClient'sapplicationforadigitalcertificate.Nootherpersonorentitymayrelyonthisletterwithoutmyexpresswrittenconsent.Thislettershallnotbequotedinwholeorinpart,used,publishedorotherwisereferredtoorrelieduponinanymanner,including,withoutlimitation,inanyfinancialstatementorotherdocument.Signature:__________________________________________________PrintAccountant/AttorneyName:______________________________________________________PhoneNumber:_____________________________________________Email:_____________________________________________FirmName:_____________________________________________Licensedin:___________________________________Licensenumber,ifany:__________________________________Contactinformationforlicensingagencywherethisaccountant's/attorney'slicenseinformationmaybeverified:___________________________________________________________________Note1:ThismustbetheClient’sexactcorporatenameasregisteredwiththerelevantIncorporatingAgency
intheClient’sJurisdictionofIncorporation.Note2:APowerofAttorneyfromanofficeroftheClientwhohasthepowertodelegateauthorityissufficient
toestablishtheClientRepresentative’sactualauthority.Multiplerepresentativesmaybelisted.Note3:In‐housecounseloftheClientmaysubmitthisletterifpermittedbytherulesofyourjurisdiction.Note4: Thislettermaybesubmittedbymail,fax,oremail.