digicert certification practices statement, v. 4 · digicert certification practices statement ......

DigiCert

CertificationPracticesStatement

DigiCert,Inc.Version4.11

February23,2017

2801N.ThanksgivingWaySuite500

Lehi,UT84043USA

Tel:1‐801‐877‐2100Fax:1‐801‐705‐0481

www.digicert.com

TABLEOFCONTENTS1. INTRODUCTION ..................................................................................................................................... 1

1.1. Overview ...................................................................................................................................... 1 1.2. DocumentnameandIdentification ................................................................................................ 1 1.3. PKIParticipants ............................................................................................................................ 4

1.3.1. CertificationAuthorities ........................................................................................................... 4 1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdParties ...................................................... 4 1.3.3. Subscribers .............................................................................................................................. 4 1.3.4. RelyingParties ......................................................................................................................... 4 1.3.5. OtherParticipants .................................................................................................................... 5

1.4. CertificateUsage ........................................................................................................................... 5 1.4.1. AppropriateCertificateUses ..................................................................................................... 5 1.4.2. ProhibitedCertificateUses ....................................................................................................... 6

1.5. Policyadministration .................................................................................................................... 7 1.5.1. OrganizationAdministeringtheDocument ............................................................................... 7 1.5.2. ContactPerson ......................................................................................................................... 7 1.5.3. PersonDeterminingCPSSuitabilityforthePolicy ..................................................................... 7 1.5.4. CPSApprovalProcedures ......................................................................................................... 7

1.6. Definitionsandacronyms .............................................................................................................. 7 1.6.1. Definitions ............................................................................................................................... 7 1.6.2. Acronyms................................................................................................................................. 9 1.6.3. References ............................................................................................................................. 10

2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES ........................................................................... 10 2.1. Repositories ................................................................................................................................ 10 2.2. Publicationofcertificationinformation ....................................................................................... 10 2.3. Timeorfrequencyofpublication ................................................................................................. 10 2.4. Accesscontrolsonrepositories ................................................................................................... 10

3. IDENTIFICATIONANDAUTHENTICATION ............................................................................................ 11 3.1. Naming ....................................................................................................................................... 11

3.1.1. TypesofNames ...................................................................................................................... 11 3.1.2. NeedforNamestobeMeaningful ........................................................................................... 11 3.1.3. AnonymityorPseudonymityofSubscribers ............................................................................ 11 3.1.4. RulesforInterpretingVariousNameForms ............................................................................ 12 3.1.5. UniquenessofNames ............................................................................................................. 12 3.1.6. Recognition,Authentication,andRoleofTrademarks ............................................................. 12

3.2. Initialidentityvalidation ............................................................................................................. 12 3.2.1. MethodtoProvePossessionofPrivateKey ............................................................................. 12 3.2.2. AuthenticationofOrganizationIdentity .................................................................................. 12 3.2.3. AuthenticationofIndividualIdentity ...................................................................................... 14 3.2.4. Non‐verifiedSubscriberInformation ...................................................................................... 19 3.2.5. ValidationofAuthority ........................................................................................................... 20

3.3. Identificationandauthenticationforre‐keyrequests ................................................................... 21 3.3.1. IdentificationandAuthenticationforRoutineRe‐key .............................................................. 21 3.3.2. IdentificationandAuthenticationforRe‐keyAfterRevocation ................................................ 21

3.4. Identificationandauthenticationforrevocationrequest .............................................................. 21 4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS .................................................................. 22

4.1. CertificateApplication ................................................................................................................. 22 4.1.1. WhoCanSubmitaCertificateApplication ............................................................................... 22 4.1.2. EnrollmentProcessandResponsibilities ................................................................................. 22

4.2. Certificateapplicationprocessing ................................................................................................ 22 4.2.1. PerformingIdentificationandAuthenticationFunctions ......................................................... 22 4.2.2. ApprovalorRejectionofCertificateApplications .................................................................... 22 4.2.3. TimetoProcessCertificateApplications ................................................................................. 23

4.3. Certificateissuance ..................................................................................................................... 23 4.3.1. CAActionsduringCertificateIssuance .................................................................................... 23 4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificate ................................................. 23

4.4. Certificateacceptance ................................................................................................................. 23 4.4.1. ConductConstitutingCertificateAcceptance ........................................................................... 23 4.4.2. PublicationoftheCertificatebytheCA ................................................................................... 23

4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntities ................................................ 23 4.5. Keypairandcertificateusage ...................................................................................................... 23

4.5.1. SubscriberPrivateKeyandCertificateUsage .......................................................................... 23 4.5.2. RelyingPartyPublicKeyandCertificateUsage ........................................................................ 24

4.6. Certificaterenewal ...................................................................................................................... 24 4.6.1. CircumstanceforCertificateRenewal ..................................................................................... 24 4.6.2. WhoMayRequestRenewal .................................................................................................... 24 4.6.3. ProcessingCertificateRenewalRequests ................................................................................ 24 4.6.4. NotificationofNewCertificateIssuancetoSubscriber ............................................................. 25 4.6.5. ConductConstitutingAcceptanceofaRenewalCertificate ....................................................... 25 4.6.6. PublicationoftheRenewalCertificatebytheCA ..................................................................... 25 4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntities ................................................ 25

4.7. Certificatere‐key ........................................................................................................................ 25 4.7.1. CircumstanceforCertificateRekey ......................................................................................... 25 4.7.2. WhoMayRequestCertificateRekey ........................................................................................ 25 4.7.3. ProcessingCertificateRekeyRequests .................................................................................... 25 4.7.4. NotificationofCertificateRekeytoSubscriber ........................................................................ 25 4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificate ....................................................... 25 4.7.6. PublicationoftheIssuedCertificatebytheCA ......................................................................... 25 4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntities ................................................ 25

4.8. Certificatemodification ............................................................................................................... 26 4.8.1. CircumstancesforCertificateModification .............................................................................. 26 4.8.2. WhoMayRequestCertificateModification .............................................................................. 26 4.8.3. ProcessingCertificateModificationRequests .......................................................................... 26 4.8.4. NotificationofCertificateModificationtoSubscriber............................................................... 26 4.8.5. ConductConstitutingAcceptanceofaModifiedCertificate ...................................................... 26 4.8.6. PublicationoftheModifiedCertificatebytheCA ..................................................................... 26 4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntities .......................................... 26

4.9. Certificaterevocationandsuspension ......................................................................................... 26 4.9.1. CircumstancesforRevocation ................................................................................................. 26 4.9.2. WhoCanRequestRevocation ................................................................................................. 27 4.9.3. ProcedureforRevocationRequest .......................................................................................... 27 4.9.4. RevocationRequestGracePeriod ........................................................................................... 28 4.9.5. TimewithinwhichCAMustProcesstheRevocationRequest ................................................... 28 4.9.6. RevocationCheckingRequirementforRelyingParties ............................................................ 28 4.9.7. CRLIssuanceFrequency ......................................................................................................... 28 4.9.8. MaximumLatencyforCRLs .................................................................................................... 28 4.9.9. On‐lineRevocation/StatusCheckingAvailability ..................................................................... 28 4.9.10. On‐lineRevocationCheckingRequirements ....................................................................... 28 4.9.11. OtherFormsofRevocationAdvertisementsAvailable ........................................................ 28 4.9.12. SpecialRequirementsRelatedtoKeyCompromise ............................................................. 28 4.9.13. CircumstancesforSuspension ........................................................................................... 29 4.9.14. WhoCanRequestSuspension ............................................................................................ 29 4.9.15. ProcedureforSuspensionRequest ..................................................................................... 29 4.9.16. LimitsonSuspensionPeriod .............................................................................................. 29

4.10. Certificatestatusservices ............................................................................................................ 29 4.10.1. OperationalCharacteristics ................................................................................................ 29 4.10.2. ServiceAvailability ............................................................................................................ 29 4.10.3. OptionalFeatures .............................................................................................................. 29

4.11. Endofsubscription ..................................................................................................................... 29 4.12. Keyescrowandrecovery ............................................................................................................ 29

4.12.1. KeyEscrowandRecoveryPolicyPractices ......................................................................... 29 4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices ............................................ 30

5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS .................................................................. 30 5.1. PhysicalControls ........................................................................................................................ 30

5.1.1. SiteLocationandConstruction ............................................................................................... 30 5.1.2. PhysicalAccess ...................................................................................................................... 30 5.1.3. PowerandAirConditioning .................................................................................................... 31 5.1.4. WaterExposures .................................................................................................................... 31 5.1.5. FirePreventionandProtection ............................................................................................... 31 5.1.6. MediaStorage ........................................................................................................................ 31

5.1.7. WasteDisposal ....................................................................................................................... 31 5.1.8. Off‐siteBackup ....................................................................................................................... 31 5.1.9. CertificateStatusHosting,CMSandExternalRASystems ........................................................ 31

5.2. Proceduralcontrols ..................................................................................................................... 32 5.2.1. TrustedRoles ......................................................................................................................... 32 5.2.2. NumberofPersonsRequiredperTask .................................................................................... 32 5.2.3. IdentificationandAuthenticationforeachRole ....................................................................... 32 5.2.4. RolesRequiringSeparationofDuties ...................................................................................... 32

5.3. Personnelcontrols ...................................................................................................................... 33 5.3.1. Qualifications,Experience,andClearanceRequirements ......................................................... 33 5.3.2. BackgroundCheckProcedures ............................................................................................... 33 5.3.3. TrainingRequirements ........................................................................................................... 33 5.3.4. RetrainingFrequencyandRequirements ................................................................................ 34 5.3.5. JobRotationFrequencyandSequence .................................................................................... 34 5.3.6. SanctionsforUnauthorizedActions ........................................................................................ 34 5.3.7. IndependentContractorRequirements ................................................................................... 34 5.3.8. DocumentationSuppliedtoPersonnel .................................................................................... 34

5.4. Auditloggingprocedures ............................................................................................................ 34 5.4.1. TypesofEventsRecorded....................................................................................................... 34 5.4.2. FrequencyofProcessingLog .................................................................................................. 36 5.4.3. RetentionPeriodforAuditLog ............................................................................................... 36 5.4.4. ProtectionofAuditLog ........................................................................................................... 37 5.4.5. AuditLogBackupProcedures ................................................................................................. 37 5.4.6. AuditCollectionSystem(internalvs.external) ........................................................................ 37 5.4.7. NotificationtoEvent‐causingSubject ...................................................................................... 37 5.4.8. VulnerabilityAssessments ...................................................................................................... 37

5.5. Recordsarchival ......................................................................................................................... 37 5.5.1. TypesofRecordsArchived ..................................................................................................... 37 5.5.2. RetentionPeriodforArchive .................................................................................................. 38 5.5.3. ProtectionofArchive .............................................................................................................. 38 5.5.4. ArchiveBackupProcedures .................................................................................................... 38 5.5.5. RequirementsforTime‐stampingofRecords .......................................................................... 38 5.5.6. ArchiveCollectionSystem(internalorexternal) ..................................................................... 38 5.5.7. ProcedurestoObtainandVerifyArchiveInformation ............................................................. 38

5.6. Keychangeover .......................................................................................................................... 39 5.7. Compromiseanddisasterrecovery ............................................................................................. 39

5.7.1. IncidentandCompromiseHandlingProcedures ...................................................................... 39 5.7.2. ComputingResources,Software,and/orDataAreCorrupted ................................................... 39 5.7.3. EntityPrivateKeyCompromiseProcedures ............................................................................ 39 5.7.4. BusinessContinuityCapabilitiesafteraDisaster ..................................................................... 40

5.8. CAorRAtermination .................................................................................................................. 40 6. TECHNICALSECURITYCONTROLS ........................................................................................................ 40

6.1. Keypairgenerationandinstallation ............................................................................................ 40 6.1.1. KeyPairGeneration ............................................................................................................... 40 6.1.2. PrivateKeyDeliverytoSubscriber .......................................................................................... 41 6.1.3. PublicKeyDeliverytoCertificateIssuer .................................................................................. 41 6.1.4. CAPublicKeyDeliverytoRelyingParties ................................................................................ 41 6.1.5. KeySizes ................................................................................................................................ 41 6.1.6. PublicKeyParametersGenerationandQualityChecking ......................................................... 42 6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield) ............................................................. 42

6.2. PrivateKeyProtectionandCryptographicModuleEngineeringControls ...................................... 43 6.2.1. CryptographicModuleStandardsandControls ....................................................................... 43 6.2.2. PrivateKey(noutofm)Multi‐personControl ......................................................................... 43 6.2.3. PrivateKeyEscrow ................................................................................................................ 44 6.2.4. PrivateKeyBackup ................................................................................................................ 44 6.2.5. PrivateKeyArchival ............................................................................................................... 44 6.2.6. PrivateKeyTransferintoorfromaCryptographicModule ...................................................... 44 6.2.7. PrivateKeyStorageonCryptographicModule ........................................................................ 44 6.2.8. MethodofActivatingPrivateKeys .......................................................................................... 44 6.2.9. MethodofDeactivatingPrivateKeys ....................................................................................... 44 6.2.10. MethodofDestroyingPrivateKeys .................................................................................... 44

6.2.11. CryptographicModuleRating ............................................................................................ 45 6.3. Otheraspectsofkeypairmanagement ........................................................................................ 45

6.3.1. PublicKeyArchival ................................................................................................................ 45 6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriods .................................................... 45

6.4. Activationdata ............................................................................................................................ 46 6.4.1. ActivationDataGenerationandInstallation ............................................................................ 46 6.4.2. ActivationDataProtection ...................................................................................................... 46 6.4.3. OtherAspectsofActivationData ............................................................................................. 46

6.5. Computersecuritycontrols ......................................................................................................... 46 6.5.1. SpecificComputerSecurityTechnicalRequirements ............................................................... 46 6.5.2. ComputerSecurityRating ....................................................................................................... 47

6.6. Lifecycletechnicalcontrols ......................................................................................................... 47 6.6.1. SystemDevelopmentControls ................................................................................................ 47 6.6.2. SecurityManagementControls ............................................................................................... 47 6.6.3. LifeCycleSecurityControls .................................................................................................... 47

6.7. Networksecuritycontrols ........................................................................................................... 47 6.8. Time‐stamping ............................................................................................................................ 48 6.9. PIV‐ICards .................................................................................................................................. 48

7. CERTIFICATE,CRL,ANDOCSPPROFILES .............................................................................................. 49 7.1. Certificateprofile ........................................................................................................................ 49

7.1.1. VersionNumber(s) ................................................................................................................. 49 7.1.2. CertificateExtensions ............................................................................................................. 49 7.1.3. AlgorithmObjectIdentifiers ................................................................................................... 50 7.1.4. NameForms........................................................................................................................... 50 7.1.5. NameConstraints ................................................................................................................... 50 7.1.6. CertificatePolicyObjectIdentifier .......................................................................................... 50 7.1.7. UsageofPolicyConstraintsExtension ..................................................................................... 50 7.1.8. PolicyQualifiersSyntaxandSemantics ................................................................................... 50 7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtension ......................................... 50

7.2. CRLprofile .................................................................................................................................. 51 7.2.1. Versionnumber(s) ................................................................................................................. 51 7.2.2. CRLandCRLEntryExtensions ................................................................................................ 51

7.3. OCSPprofile ................................................................................................................................ 51 7.3.1. VersionNumber(s) ................................................................................................................. 51 7.3.2. OCSPExtensions .................................................................................................................... 51

8. COMPLIANCEAUDITANDOTHERASSESSMENTS ................................................................................. 51 8.1. Frequencyorcircumstancesofassessment .................................................................................. 51 8.2. Identity/qualificationsofassessor ............................................................................................... 51 8.3. Assessor'srelationshiptoassessedentity .................................................................................... 52 8.4. Topicscoveredbyassessment ..................................................................................................... 52 8.5. Actionstakenasaresultofdeficiency .......................................................................................... 52 8.6. Communicationofresults ............................................................................................................ 52 8.7. Self‐Audits .................................................................................................................................. 52

9. OTHERBUSINESSANDLEGALMATTERS .............................................................................................. 53 9.1. Fees ............................................................................................................................................ 53

9.1.1. CertificateIssuanceorRenewalFees ...................................................................................... 53 9.1.2. CertificateAccessFees ............................................................................................................ 53 9.1.3. RevocationorStatusInformationAccessFees ......................................................................... 53 9.1.4. FeesforOtherServices ........................................................................................................... 53 9.1.5. RefundPolicy ......................................................................................................................... 53

9.2. Financialresponsibility ............................................................................................................... 53 9.2.1. InsuranceCoverage ................................................................................................................ 53 9.2.2. OtherAssets ........................................................................................................................... 53 9.2.3. InsuranceorWarrantyCoverageforEnd‐Entities ................................................................... 53

9.3. Confidentialityofbusinessinformation ....................................................................................... 53 9.3.1. ScopeofConfidentialInformation ........................................................................................... 53 9.3.2. InformationNotWithintheScopeofConfidentialInformation ................................................ 54 9.3.3. ResponsibilitytoProtectConfidentialInformation .................................................................. 54

9.4. Privacyofpersonalinformation .................................................................................................. 54 9.4.1. PrivacyPlan ........................................................................................................................... 54 9.4.2. InformationTreatedasPrivate ............................................................................................... 54

9.4.3. InformationNotDeemedPrivate ............................................................................................ 54 9.4.4. ResponsibilitytoProtectPrivateInformation ......................................................................... 54 9.4.5. NoticeandConsenttoUsePrivateInformation ....................................................................... 54 9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcess ....................................................... 54 9.4.7. OtherInformationDisclosureCircumstances .......................................................................... 54

9.5. Intellectualpropertyrights ......................................................................................................... 54 9.6. Representationsandwarranties .................................................................................................. 55

9.6.1. CARepresentationsandWarranties ....................................................................................... 55 9.6.2. RARepresentationsandWarranties ....................................................................................... 55 9.6.3. SubscriberRepresentationsandWarranties ........................................................................... 55 9.6.4. RelyingPartyRepresentationsandWarranties ....................................................................... 56 9.6.5. RepresentationsandWarrantiesofOtherParticipants ............................................................ 56

9.7. Disclaimersofwarranties ............................................................................................................ 56 9.8. Limitationsofliability ................................................................................................................. 56 9.9. Indemnities ................................................................................................................................ 57

9.9.1. IndemnificationbyDigiCert .................................................................................................... 57 9.9.2. IndemnificationbySubscribers .............................................................................................. 57 9.9.3. IndemnificationbyRelyingParties ......................................................................................... 57

9.10. Termandtermination ................................................................................................................. 58 9.10.1. Term ................................................................................................................................. 58 9.10.2. Termination ...................................................................................................................... 58 9.10.3. EffectofTerminationandSurvival ..................................................................................... 58

9.11. Individualnoticesandcommunicationswithparticipants ............................................................ 58 9.12. Amendments .............................................................................................................................. 58

9.12.1. ProcedureforAmendment ................................................................................................ 58 9.12.2. NotificationMechanismandPeriod .................................................................................... 58 9.12.3. CircumstancesunderwhichOIDMustBeChanged ............................................................. 58

9.13. Disputeresolutionprovisions ...................................................................................................... 58 9.14. Governinglaw ............................................................................................................................. 58 9.15. Compliancewithapplicablelaw .................................................................................................. 59 9.16. Miscellaneousprovisions ............................................................................................................ 59

9.16.1. EntireAgreement .............................................................................................................. 59 9.16.2. Assignment ....................................................................................................................... 59 9.16.3. Severability ....................................................................................................................... 59 9.16.4. Enforcement(attorneys'feesandwaiverofrights) ............................................................ 59 9.16.5. ForceMajeure ................................................................................................................... 59

9.17. Otherprovisions ......................................................................................................................... 59 AppendixA:SampleOpinionLETTER ............................................................................................................. 60

1. INTRODUCTION

1.1. OVERVIEWThisdocumentistheDigiCert,Inc.(“DigiCert”)CertificationPracticesStatement(CPS)thatoutlinestheprinciplesandpracticesrelatedtoDigiCert’scertificationandtime‐stampingservices.ThisCPSappliestoallentitiesparticipatinginorusingDigiCert’scertificateandtime‐stampingservices,excludingparticipantsinDigiCert’sPrivatePKIservices,whicharenotcross‐certifiedorpubliclytrusted.ThisCPSonlyaddressestheactionsofDigiCertandnotthoseofthirdpartiesoperatingwithcrosscertificatesissuedbyDigiCert.SpecificrequirementsregardingthoseCertificatesaresetforthintheindividualagreementswiththeappropriateDigiCertcustomerorinthatthirdparty’sownCPS.ThisCPSdescribesthepracticesusedtocomplywiththecurrentversionsofthefollowingpolicies,guidelines,andrequirements:

theDigiCertCertificatePolicy(the“CP”), theAdobeSystemsInc.(“Adobe”)AATLCertificatePolicy, theFederalBridgeCertificationAuthority(“FBCA”)CertificatePolicy, theCertificationAuthority/BrowserForum(“CABForum”)BaselineRequirementsCertificatePolicy

fortheIssuanceandManagementofPublicly‐TrustedCertificates(“BaselineRequirements”)locatedathttps://cabforum.org/baseline‐requirements‐documents,

theCABForumGuidelinesfortheIssuanceandManagementofExtendedValidationCertificates(“EVGuidelines”)locatedathttps://cabforum.org/extended‐validation,

theCABForumGuidelinesfortheIssuanceandManagementofExtendedValidationCodeSigningCertificates,

theCABForumNetworkandCertificateSystemSecurityRequirements,and theMinimumRequirementsfortheIssuanceandManagementofPublicly‐TrustedCodeSigning

Certificates(“MinimumRequirementsforCodeSigning”)locatedathttps://aka.ms/csbr.IfanyinconsistencyexistsbetweenthisCPSandthenormativeprovisionsoftheforegoingpolicies,guidelines,andrequirements(“ApplicableRequirements”),thentheApplicableRequirementstakeprecedenceoverthisCPS.Time‐stampingservicesareprovidedaccordingtoIETFRFC3161andothertechnicalstandards.ThisCPSisonlyoneofseveraldocumentsthatcontrolDigiCert’scertificationservices.Otherimportantdocumentsincludebothprivateandpublicdocuments,suchastheCP,DigiCert’sagreementswithitscustomers,RelyingPartyagreements,andDigiCert’sprivacypolicy.DigiCertmayprovideadditionalcertificatepoliciesorcertificationpracticestatements.Thesesupplementalpoliciesandstatementsareavailabletoapplicableusersorrelyingparties.PursuanttotheIETFPKIXRFC3647CP/CPSframework,thisCPSisdividedintoninepartsthatcoverthesecuritycontrolsandpracticesandproceduresforcertificateandtime‐stampingserviceswithintheDigiCertPKI.TopreservetheoutlinespecifiedbyRFC3647,sectionheadingsthatdonotapplyareaccompaniedwiththestatement"Notapplicable"or"Nostipulation."

1.2. DOCUMENTNAMEANDIDENTIFICATIONThisdocumentistheDigiCertCertificationPracticesStatementandwasfirstapprovedforpublicationon9August2010bytheDigiCertPolicyAuthority(DCPA).Thefollowingrevisionshavebeenmadetotheoriginaldocument:

Date Changes Version23‐February‐2017 Updatedaddress, maderevisionsrelatedtotheMinimum

RequirementsfortheIssuanceandManagementofPublicly‐TrustedCodeSigningCertificates,andmadeotherchangestoupdatetheCPS.

4.11

9‐September‐2016 Updatedto:includeCybertrustCAsacquiredfromVerizon, 4.10

Date Changes Versionclarifyidentityverificationprocess,updatedocumentinaccordancewithFBCACPv.2.29andsec.9.6.3ofBaselineRequirements.

1‐June‐2015 UpdatedCPStoconformtopracticesforbackup,archival,CAkeygeneration,andcertificateacceptance.

4.09

1‐April‐2015 MinorchangesmadetoupdatewithCA/BrowserForumguidelinesandforconsistencywithDigiCertCPv.4.08

4.08

7‐October‐2014 UpdatedforconsistencywithDigiCertCPv.4.07 4.0714‐May‐2014 Updatedpracticestocomplywithnewpolicyrequirementsand

changestotheDirectTrustCP,BaselineRequirements,EVGuidelines,andEVCodeSigningGuidelines.

4.06

2‐May‐2013 Updatedmailingaddress. Alsoupdatedpracticestocomplywithnewpolicyrequirements,theDirectTrustCP,changestotheAdobeprogram,andCABForumguidelines.

4.05

10‐May‐2012 UpdatedtoincludepracticessetforthintheBaselineRequirements,thecurrentMozillaCAPolicy,EVCodeSigning,theIGTF,andotherpolicybodies.

4.04

3‐May‐2011 IGTFCertificatesaddedandminorupdatesmadetoseveralsections.

4.03

29‐October‐2010 ChangesmadeinresponsetocommentsfromtheFPKICPWGregardingcertificatestatusservices,trustedroles,andoff‐sitebackupofarchive.

4.02

26‐August‐2010 Updatedtheprocessusedtoauthenticatethecertificaterequester’sauthorityundersection3.2.5forcodesigningCertificatesissuedtoorganizations

4.01

9‐August‐2010 Thisversion4.0replacestheDigiCertCertificatePolicyandCertificationPracticesStatement,Version3.08,datedMay29,2009,andtheDigiCertCertificationPracticeStatementforExtendedValidationCertificates,Version1.0.4,May29,2009.

4.0

TheOIDforDigiCertisjoint‐iso‐ccitt(2)country(16)USA(840)US‐company(1)DigiCert(114412).TheOID‐arcforthisversion4oftheCPSis2.16.840.1.114412.0.2.4.SubsequentrevisionstothisCPSmighthavenewOIDassignments.DigiCertissuesCertificatesandtime‐stamptokenscontainingthefollowingOIDs/OIDarcs:

DigitallySignedObject ObjectIdentifier(OID)DomainVettedSSLCertificatesandpertheBaselineRequirements

2.16.840.1.114412.1.2and/or2.23.140.1.2.1(CABForumBaselineReqs.)

OrganizationVettedSSLCertificatesandpertheBaselineRequirements


IndividualVettedSSLCertificatespertheBaselineRequirements


Hotspot2.0OSUServerCertificates 2.16.840.1.114412.1.5FederatedDeviceCertificate 2.16.840.1.114412.1.11FederatedDeviceHardwareCertificate 2.16.840.1.114412.1.12IssuerCA(whereallowedbypolicy) 2.5.29.32.0(anyPolicy)ExtendedValidationSSLCertificates 2.16.840.1.114412.2 and/or

2.23.140.1.1(CABForumEVGuidelines)ExtendedValidationSSLCertificates(issuedundertheCybertrustGlobalRoot)

1.3.6.1.4.1.6334.1.100.1(originallyregisteredbybeTRUSTed)

ObjectSigningCertificates 2.16.840.1.114412.3 CodeSigningCertificates 2.16.840.1.114412.3.1

MinimumRequirementsforCodeSigning 2.16.840.1.114412.3.1.1 and/or2.23.140.1.4.1

ExtendedValidationCodeSigning 2.16.840.1.114412.3.2 WindowsKernelDriverSigning 2.16.840.1.114412.3.11 AdobeSigningCertificate 2.16.840.1.114412.3.21ClientCertificateOIDArc 2.16.840.1.114412.4 Level1Certificates‐Personal 2.16.840.1.114412.4.1.1 Level1Certificates‐Enterprise 2.16.840.1.114412.4.1.2 Level2Certificates 2.16.840.1.114412.4.2 Level3Certificates‐US 2.16.840.1.114412.4.3.1 Level3Certificates‐CBP 2.16.840.1.114412.4.3.2 Level4Certificates‐US 2.16.840.1.114412.4.4.1 Level4Certificates‐CBP 2.16.840.1.114412.4.4.2PIV‐IOIDArc 2.16.840.1.114412.4.5

PIV‐IHardware‐keysrequireactivationbythePIV‐ICardholder(PIVAuth,DigSigandKeyManagement)

2.16.840.1.114412.4.5.1

PIV‐ICardAuthentication‐keysdonotrequirePIV‐ICardholderactivation

2.16.840.1.114412.4.5.2

PIV‐IContentSigning–usebyPIV‐I‐compliantCMS

2.16.840.1.114412.4.5.3

GridCertificateOIDArcs 2.16.840.1.114412.4.31or2.16.840.1.114412.31(Grid‐onlyarc)

IGTFClassicX.509Authoritieswithsecuredinfrastructure

2.16.840.1.114412.4.31.1(Clientw/Public),2.16.840.1.114412.31.4.1.1(ClientGridOnly),and/or1.2.840.113612.5.2.2.1.x(IGTF)

IGTFMemberIntegratedX.509CredentialServiceswithSecuredInfrastructureCertificates

2.16.840.1.114412.4.31.5and/or1.2.840.113612.5.2.2.5.x(IGTF)

IGTFGridHost‐PublicTrust 2.16.840.1.114412.1.31.1IGTFGrid‐OnlyHostCertificate 2.16.840.1.114412.31.1.1.1,

1.2.840.113612.5.2.2.1.x(IGTF),and/or1.2.840.113612.5.2.2.5.x(IGTF)

Authentication‐OnlyCertificates 2.16.840.1.114412.6TrustedTime‐stamping 2.16.840.1.114412.7.1Legacyarc 2.16.840.1.114412.81Testarc 2.16.840.1.114412.99EUOIDs

EUQualifiedCertificatesETSITS101456

0.4.0.1456.1.2

EUQConSecureSignatureCreationDeviceETSITS101456

0.4.0.1456.1.1

ETSITS101862‐QualifiedCertificateStatements

0.4.0.1862.1.x

EUQualifiedTime‐stampingETSITS102023

0.4.0.2023.1.x

AllOIDsmentionedabovebelongtotheirrespectiveowners.ThespecificOIDsusedwhenobjectsaresignedpursuanttothisCPSareindicatedintheobject’srespectiveCertificatePoliciesextension.Forinstance,whenDigiCertissuesaCertificatecontainingoneoftheabove‐specifiedpolicyidentifiersfor“BaselineRequirements,”“MinimumRequirements,”or“ExtendedValidation,”itassertsthattheCertificatewasissuedandismanagedinaccordancewiththoseapplicablerequirements.Commercial

BestPractices(“CBP”)differsfrom“US”inthattherearenotrustedrolecitizenshiprequirementsforanIssuerCAissuingunderaCBPpolicy,whereaspoliciesdesignated“US”mustfollowthecitizenshippracticessetforthinSection5.3.1.TheLegacyarcexiststoidentifyCertificatesissuedforpurposeofachievingcompatibilitywithlegacysystemsthatareincapableofprocessingneweralgorithmsthatmightberequiredbycomparableindustrybestpractices.

1.3. PKIPARTICIPANTS

1.3.1. CertificationAuthoritiesDigiCertoperatescertificationauthorities(CAs)thatissuedigitalcertificates.AstheoperatorofseveralCAs,DigiCertperformsfunctionsassociatedwithPublicKeyoperations,includingreceivingcertificaterequests,issuing,revokingandrenewingadigitalCertificate,andmaintaining,issuing,andpublishingCRLsandOCSPresponses.GeneralinformationaboutDigiCert’sproductsandservicesareavailableatwww.digicert.com.DigiCertownsandoperatestheGTECybertrustGlobalRoot,theBaltimoreCybertrustRoot,theCybertrustGlobalRootCA,andtheVerizonGlobalRootCA.Inlimitedcircumstances,theserootCAsareusedtoissuecrossCertificatestoexternalthirdpartiesoperatingtheirownPKI.An“externalsubordinateCA”isanunaffiliatedthirdpartythatisissuedasubordinateCACertificatebyDigiCertwherethePrivateKeyassociatedwiththatCACertificateisnotmaintainedunderthephysicalcontrolofDigiCert.InaccordancewithrequirementsoftheU.S.FederalPKIPolicyAuthority(FPKIPA),DigiCertnotifiestheFPKIPApriortoissuingaCACertificatechainingtotheFederalBridgeCAtoanexternalsubordinateCA.AllexternalsubordinateCAsareprohibited,eithertechnicallyorcontractually,fromissuingCertificatestodomainnamesorIPaddressesthataSubscriberdoesnotlegitimatelyownorcontrol(i.e.issuanceforpurposesof“trafficmanagement”isprohibited),andexternalsubordinateCAsarerequiredtoimplementproceduresthatareatleastasrestrictiveasthosefoundherein.DigiCertisalsoatimestampingauthority(TSA)andprovidesproof‐of‐existencefordataataninstantintimeasdescribedherein.

1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdPartiesDigiCertmaydelegatetheperformanceofcertainfunctionstothirdpartyRegistrationAuthorities(RA).ThespecificroleofanRAorDelegatedThirdPartyvariesgreatlybetweenentities,rangingfromsimpletranslationservicestoactualassistanceingatheringandverifyingApplicantinformation.SomeRAsoperateidentitymanagementsystems(IdMs)andmaymanagethecertificatelifecycleforend‐users.ForIGTFCertificates,designatedRAsareresponsibleforvettingtheidentityofeachcertificateapplicant.DigiCertcontractuallyobligateseachDelegatedThirdPartytoabidebythepoliciesandindustrystandardsthatareapplicabletothatDelegatedThirdParty’sdelegatedresponsibilities.RApersonnelinvolvedintheissuanceofpublicly‐trustedSSLCertificatesmustundergotheskillsandtrainingrequiredunderSection5.3.

1.3.3. SubscribersSubscribersuseDigiCert’sservicesandPKItosupporttransactionsandcommunications.SubscribersarenotalwaysthepartyidentifiedinaCertificate,suchaswhenCertificatesareissuedtoanorganization’semployees.TheSubjectofaCertificateisthepartynamedintheCertificate.ASubscriber,asusedherein,mayrefertotheSubjectoftheCertificateandtheentitythatcontractedwithDigiCertfortheCertificate’sissuance.PriortoverificationofidentityandissuanceofaCertificate,aSubscriberisanApplicant.

1.3.4. RelyingPartiesRelyingPartiesareentitiesthatactinrelianceonaCertificateand/ordigitalsignatureissuedbyDigiCert.RelyingpartiesmustchecktheappropriateCRLorOCSPresponsepriortorelyingoninformationfeaturedinaCertificate.ThelocationoftheCRLdistributionpointisdetailedwithintheCertificate.

1.3.5. OtherParticipantsOtherparticipantsincludeAccreditationAuthorities(suchasPolicyManagementAuthorities,FederationOperators,ApplicationSoftwareVendors,andapplicableCommunity‐of‐Interestsponsors);BridgeCAsandCAscross‐certifiedwithDigiCert’sCAsthatserveastrustanchorsinotherPKIcommunities;CardManagementSystemsandintegrators(CMSs)thatensureproperoperationandprovisioningofPIV‐Icards;andTimeSourceEntities,TimeStampTokenRequesters,andTimeStampVerifiersinvolvedintrustedtimestamping.AccreditationAuthoritiesaregrantedanunlimitedrighttore‐distributeDigiCert’srootCertificatesandrelatedinformationinconnectionwiththeaccreditation.WhenissuingPIV‐Icards,DigiCertusesaCardManagementSystems(CMS)thatmeetstherequirementshereinresponsibleformanagingsmartcardtokencontent.DigiCertdoesnotissueCertificatestoaCMSthatincludeaPIV‐IHardwareorPIV‐ICardAuthenticationpolicyOID.DigiCerthascross‐certifiedwiththeFederalBridgeCertificationAuthority(FBCA).DigiCertalsoissuescross‐Certificatestootherthird‐partyCAs.

1.4. CERTIFICATEUSAGEAdigitalCertificate(orCertificate)isformatteddatathatcryptographicallybindsanidentifiedsubscriberwithaPublicKey.AdigitalCertificateallowsanentitytakingpartinanelectronictransactiontoproveitsidentitytootherparticipantsinsuchtransaction.DigitalCertificatesareusedincommercialenvironmentsasadigitalequivalentofanidentificationcard.Atime‐stamptoken(TST)cryptographicallybindsarepresentationofdatatoaparticulartimestamp,thusestablishingevidencethatthedataexistedatacertainpointintime.

1.4.1. AppropriateCertificateUsesCertificatesissuedpursuanttothisCPSmaybeusedforalllegalauthentication,encryption,accesscontrol,anddigitalsignaturepurposes,asdesignatedbythekeyusageandextendedkeyusagefieldsfoundwithintheCertificate.However,thesensitivityoftheinformationprocessedorprotectedbyaCertificatevariesgreatly,andeachRelyingPartymustevaluatetheapplicationenvironmentandassociatedrisksbeforedecidingonwhethertouseaCertificateissuedunderthisCPS.ThisCPScoversseveraldifferenttypesofendentityCertificates/tokenswithvaryinglevelsofassurance.Thefollowingtableprovidesabriefdescriptionoftheappropriateusesofeach.Thedescriptionsareforguidanceonlyandarenotbinding.

Certificate AppropriateUseDVSSLCertificates Usedtosecureonlinecommunicationwheretherisksand

consequencesofdatacompromisearelow,includingnon‐monetarytransactionsortransactionswithlittleriskoffraudormaliciousaccess.

OVSSLCertificates Usedtosecureonlinecommunicationwheretherisksandconsequencesofdatacompromisearemoderate,includingtransactionshavingsubstantialmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessissubstantial.

EVSSLCertificates Usedtosecureonlinecommunicationwhererisksandconsequencesofdatacompromisearehigh,includingtransactionshavinghighmonetaryvalue,riskoffraud,orwhereinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessishigh.

Hotspot2.0OSUServerCertificates

UsedtoauthenticateOSUServerspursuanttotheWi‐FiAlliance’sHotspot2.0specification.

FederatedDeviceCertificates

SimilartoSSLCertificates abovebutforuseasnecessaryinconnectionwithcross‐certifiedPKIs

CodeSigningCertificates, EstablishestheidentityoftheSubscribernamedintheCertificateand

includingEVCodeSigning thatthesignedcodehasnotbeenmodifiedsincesigning.RudimentaryLevel1ClientCertificates‐Personal

Providesthelowestdegreeofassuranceconcerningidentityoftheindividualandisgenerallyusedonlytoprovidedataintegritytotheinformationbeingsigned.TheseCertificatesshouldonlybeusedwheretheriskofmaliciousactivityislowandifanauthenticatedtransactionisnotrequired.

Level1ClientCertificates‐Enterprise

Usedinenvironmentswheretherearerisksandconsequencesofdatacompromise,butsuchrisksarenotofmajorsignificance.Usersareassumednotlikelytobemalicious.

Level2ClientCertificates(FBCAbasicassurancecertificates)

Issuedtoidentity‐vettedindividuals.Certificatesspecifyifthenameisapseudonym.Usedinenvironmentswheretherearerisksandconsequencesofdatacompromise,butsuchrisksarenotofmajorsignificance.Usersareassumednotlikelytobemalicious.

Level3ClientCertificates(FBCAmediumcertificates)

Usedinenvironmentswhererisksandconsequencesofdatacompromisearemoderate,includingtransactionshavingsubstantialmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessissubstantial.

Level4ClientCertificates(FBCAmediumhardwareCertificates)

Usedinenvironmentswhererisksandconsequencesofdatacompromisearehigh,includingtransactionshavinghighmonetaryvalueorriskoffraudorinvolvingaccesstoprivateinformationwherethelikelihoodofmaliciousaccessishigh.

DirectCertificates UsedtotransferhealthcareinformationinaccordancewiththeDirectProtocoladoptedbytheONC.DirectCertificatesareissuedasLevel2orLevel3Certificates.

AuthenticationOnly Usedwheretheidentityofthecertificateholderisirrelevantandwheretheriskofunauthorizedaccesstoasecuresiteislow.

IGTFandGrid‐onlyCertificates

SupportidentityassertionsandsystemauthenticationamongstparticipantsintheInternationalGridTrustFederation.IGTFCertificatesincludethoseissuedaspublicly‐trustedclientCertificatesandthoseissuedundertheGrid‐onlyarc.

PIV‐IHardwarePIV‐ICardAuthenticationPIV‐IContentSigningPIV‐IDigitalSignaturePIV‐IKeyManagement

Thislevelisrelevanttoenvironmentswhererisksandconsequencesofdatacompromisearemoderate.ThismayincludecontactlesssmartcardreaderswhereuseofanactivationPINisnotpractical.PersonalIdentityVerification–Interoperable(PIV‐I)cardsareintendedtotechnicallyinteroperatewithFederalPIVCardreadersandapplications.TherequirementsassociatedwithPIV‐IHardwareandPIV‐IContentSigningareidenticaltoLevel4Certificatesexceptwherespecificallynotedherein.PIV‐IContentSigningpolicyisreservedforCertificatesusedbytheCardManagementSystem(CMS)tosignthePIV‐Icardsecurityobjects

AdobeSigningCertificates UsedtosignAdobedocumentsandshowthattheportionofthedocumentsignedbytheauthorhasnotbeenmodifiedsincesigning.

TimeStampToken Usedtoidentifytheexistenceofdataatasetperiodoftime.

1.4.2. ProhibitedCertificateUsesCertificatesdonotguaranteethattheSubjectistrustworthy,honest,reputableinitsbusinessdealings,compliantwithanylaws,orsafetodobusinesswith.ACertificateonlyestablishesthattheinformationintheCertificatewasverifiedinaccordancewiththisCPSwhentheCertificateissued.CodesigningCertificatesdonotindicatethatthesignedcodeissafetoinstallorfreefrommalware,bugs,orvulnerabilities.

1.5. POLICYADMINISTRATION

1.5.1. OrganizationAdministeringtheDocumentThisCPSandthedocumentsreferencedhereinaremaintainedbytheDCPA,whichcanbecontactedat:

DigiCertPolicyAuthoritySuite5002801N.ThanksgivingWayLehi,UT84043USATel:1‐801‐701‐9600Fax:1‐801‐705‐[email protected]

1.5.2. ContactPersonAttn:LegalCounselDigiCertPolicyAuthoritySuite5002801N.ThanksgivingWayLehi,[email protected]

1.5.3. PersonDeterminingCPSSuitabilityforthePolicyTheDCPAdeterminesthesuitabilityandapplicabilityofthisCPSbasedontheresultsandrecommendationsreceivedfromanindependentauditor(seeSection8).TheDCPAisalsoresponsibleforevaluatingandactingupontheresultsofcomplianceaudits.

1.5.4. CPSApprovalProceduresTheDCPAapprovestheCPSandanyamendments.AmendmentsaremadeaftertheDCPAhasreviewedtheamendments’consistencywiththeCP,byeitherupdatingtheentireCPSorbypublishinganaddendum.TheDCPAdetermineswhetheranamendmenttothisCPSisconsistentwiththeCP,requiresnotice,oranOIDchange.SeealsoSection9.10andSection9.12below.

1.6. DEFINITIONSANDACRONYMS

1.6.1. Definitions“AffiliatedOrganization”meansanorganizationthathasanorganizationalaffiliationwithaSubscriberandthatapprovesorotherwiseallowssuchaffiliationtoberepresentedinaCertificate.“Applicant”meansanentityapplyingforaCertificate.“ApplicationSoftwareVendor”meansasoftwaredeveloperwhosesoftwaredisplaysorusesDigiCertCertificatesanddistributesDigiCert’srootCertificates.“CABForum”isdefinedinsection1.1.“Certificate”meansanelectronicdocumentthatusesadigitalsignaturetobindaPublicKeyandanidentity.“CertificateApprover”isdefinedintheEVGuidelines.“CertificateRequester”isdefinedintheEVGuidelines.

“ContractSigner”isdefinedintheEVGuidelines.“DirectAddress”meansanemailaddressconformingtotheApplicabilityStatementforSecureHealthTransport.“DirectAddressCertificate”meansaCertificatecontaininganentireDirectAddress.“DirectDeviceCertificate”meansaCertificatecontainingtheFQDNorIPaddressofahostmachine.“DirectOrganizationalCertificate”meansaCertificatecontainingonlythedomainnameportionofaDirectAddress.“EVGuidelines”isdefinedinsection1.1.“KeyPair”meansaPrivateKeyandassociatedPublicKey.“OCSPResponder”meansanonlinesoftwareapplicationoperatedundertheauthorityofDigiCertandconnectedtoitsrepositoryforprocessingcertificatestatusrequests.“PIV‐IProfile”meanstheX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards,Ver.1.1,Date:May52015.“PrivateKey”meansthekeyofaKeyPairthatiskeptsecretbytheholderoftheKeyPair,andthatisusedtocreatedigitalsignaturesand/ortodecryptelectronicrecordsorfilesthatwereencryptedwiththecorrespondingPublicKey.“PublicKey”meansthekeyofaKeyPairthatmaybepubliclydisclosedbytheholderofthecorrespondingPrivateKeyandthatisusedbyaRelyingPartytoverifydigitalsignaturescreatedwiththeholder'scorrespondingPrivateKeyand/ortoencryptmessagessothattheycanbedecryptedonlywiththeholder'scorrespondingPrivateKey.“QualifiedCertificate”meansaCertificatethatmeetstherequirementsofEUlawandisprovidedbyanIssuerCAmeetingtherequirementsofEUlaw.“RelyingParty”meansanentitythatreliesuponeithertheinformationcontainedwithinaCertificateoratime‐stamptoken.“RelyingPartyAgreement”meansanagreementwhichmustbereadandacceptedbytheRelyingPartypriortovalidating,relyingonorusingaCertificateoraccessingorusingDigiCert’sRepository.TheRelyingPartyAgreementisavailableforreferencethroughaDigiCertonlinerepository.“SecureSignatureCreationDevice”meansasignature‐creationdevicethatmeetstherequirementslaiddowninEUlaw.“Subscriber”meanseithertheentityidentifiedasthesubjectintheCertificateortheentitythatisreceivingDigiCert’stime‐stampingservices.“SubscriberAgreement”meansanagreementthatgovernstheissuanceanduseofaCertificatethattheApplicantmustreadandacceptbeforereceivingaCertificate.“WebTrust”meansthecurrentversionofCPACanada’sWebTrustProgramforCertificationAuthorities.“WebTrustEVProgram”meanstheadditionalauditproceduresspecifiedforCAsthatissueEVCertificatesbyCPACanadatobeusedinconjunctionwithitsWebTrustProgramforCertificationAuthorities.

1.6.2. AcronymsAATL AdobeApprovedTrustListCA CertificateAuthorityorCertificationAuthorityCAA CertificationAuthorityAuthorizationCAB ”CA/Browser”asin“CABForum”CMS CardManagementSystemCP CertificatePolicyCPS CertificationPracticeStatementCRL CertificateRevocationListCSR CertificateSigningRequestCT CertificateTransparencyDBA DoingBusinessAs(alsoknownas"TradingAs")DCPA DigiCertPolicyAuthorityDV DomainValidatedETSI EuropeanTelecommunicationsStandardsInstituteEU EuropeanUnionEV ExtendedValidationFIPS (USGovernment)FederalInformationProcessingStandardFQDN FullyQualifiedDomainNameFTP FileTransferProtocolHISP HealthInformationServiceProviderHSM HardwareSecurityModuleHTTP HypertextTransferProtocolIANA InternetAssignedNumbersAuthorityICANN InternetCorporationforAssignedNamesandNumbersIdM IdentityManagementSystemIDN InternationalizedDomainNameISSO InformationSystemSecurityOfficerIETF InternetEngineeringTaskForceIGTF InternationalGridTrustFederationITU InternationalTelecommunicationUnionITU‐T ITUTelecommunicationStandardizationSectorIV IndividualValidatedMICS Member‐IntegratedCredentialService(IGTF)OCSP OnlineCertificateStatusProtocolOID ObjectIdentifierONC OfficeoftheNationalCoordinatorforHealthcare(U.S.)OSU OnlineSign‐Up(Wi‐FiAllianceHotspot2.0)OV OrganizationValidatedPIN PersonalIdentificationNumber(e.g.asecretaccesscode)PIV‐I PersonalIdentityVerification‐InteroperablePKI PublicKeyInfrastructurePKIX IETFWorkingGrouponPublicKeyInfrastructurePKCS PublicKeyCryptographyStandardRA RegistrationAuthorityRFC RequestforComments(atIETF.org)SAN SubjectAlternativeNameSHA SecureHashingAlgorithmSSCD SecureSignatureCreationDeviceSSL SecureSocketsLayerTLD Top‐LevelDomainTLS TransportLayerSecurityTSA TimeStampingAuthority

TST Time‐StampTokenURL UniformResourceLocatorUTC CoordinatedUniversalTimeX.509 TheITU‐TstandardforCertificatesandtheircorrespondingauthentication

framework

1.6.3. ReferencesCA/BrowserForumBaselineRequirementsCertificatePolicyfortheIssuanceandManagementofPublicly‐TrustedCertificates(“BaselineRequirements”)CA/BrowserForumGuidelinesfortheIssuanceandManagementofExtendedValidationCertificates(“EVGuidelines”)DirectTrustCommunityX.509CertificatePolicy,v.1.2.1

FBCASupplementaryAntecedent,In‐PersonDefinition

Wi‐FiAllianceHotspot2.0Release2OnlineSignupCertificatePolicySpecification(Hotspot2.0CP)

X.509CertificatePolicyfortheFederalBridgeCertificationAuthority,v.2.28

2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES

2.1. REPOSITORIESDigiCertmakesitsrootCertificates,revocationdataforissueddigitalCertificates,CPs,CPSs,RelyingPartyAgreements,andstandardSubscriberAgreementsavailableinpublicrepositories.DigiCert’slegalrepositoryformostservicesislocatedathttp://www.digicert.com/ssl‐cps‐repository.htm.DigiCert’spubliclytrustedrootCertificatesanditsCRLsandOCSPresponsesareavailablethroughonlineresources24hoursaday,7daysaweekwithsystemsdescribedinSection5tominimizedowntime.

2.2. PUBLICATIONOFCERTIFICATIONINFORMATIONTheDigiCertcertificateservicesandtherepositoryareaccessiblethroughseveralmeansofcommunication:

1. Ontheweb:www.digicert.com(andviaURIsincludedinthecertificatesthemselves)2. [email protected]. Bymailaddressedto:DigiCert,Inc.,Suite500,2801N.ThanksgivingWay,Lehi,Utah840434. BytelephoneTel:1‐801‐877‐21005. Byfax:1‐801‐705‐0481

2.3. TIMEORFREQUENCYOFPUBLICATIONCACertificatesarepublishedinarepositoryassoonaspossibleafterissuance.CRLsforend‐userCertificatesareissuedatleastonceperday.CRLsforCACertificatesareissuedatleastevery6months(every31daysforofflineCAschainingtotheFederalBridgeCA),andalsowithin18hoursifaCACertificateisrevoked.Underspecialcircumstances,DigiCertmaypublishnewCRLspriortothescheduledissuanceofthenextCRL.(SeeSection4.9foradditionaldetails.)NewormodifiedversionsoftheCP,thisCPS,SubscriberAgreements,orRelyingPartyWarrantiesaretypicallypublishedwithinsevendaysaftertheirapproval.

2.4. ACCESSCONTROLSONREPOSITORIESRead‐onlyaccesstotherepositoryisunrestricted.Logicalandphysicalcontrolspreventunauthorizedwriteaccesstorepositories.

3. IDENTIFICATIONANDAUTHENTICATION

3.1. NAMING

3.1.1. TypesofNamesCertificatesareissuedwithanon‐nullsubjectDistinguishedName(DN)thatcomplieswithITUX.500standardsexceptthatDigiCertmayissueaLevel1CertificatewithanullsubjectDNifitincludesatleastonealternativenameformthatismarkedcritical.WhenDNsareused,commonnamesmustrespectnamespaceuniquenessrequirementsandmustnotbemisleading.ThisdoesnotprecludetheuseofpseudonymousCertificates,exceptwherestatedotherwiseunderSection3.1.3.DigiCertissuesEVSSL/TLSCertificatesto.oniondomainsinaccordancewithAppendixFoftheEVGuidelines.DigiCertissuesOSUServerCertificateswithsubjectalternativenamesthatcontain:(1)OSUServerFQDN(s)and(2)FriendlyName(s)thatidentifythewifiserviceprovider,inaccordancewithsection3.4oftheHotspot2.0CP.CertificatesforPIV‐Icardsincludebothanon‐nullsubjectnameandsubjectalternativename.EachPIV‐IHardwareCertificateindicateswhetherornottheSubscriberisassociatedwithanAffiliatedOrganizationbytakingoneofthefollowingforms:

ForCertificateswithanAffiliatedOrganization:cn=Subscriber'sfullname,ou=AffiliatedOrganizationName,{BaseDN}

ForCertificateswithnoAffiliatedOrganization:cn=Subscriber'sfullname,ou=Unaffiliated,ou=EntityCA’sName,{BaseDN}

EachPIV‐IContentSigningcertificatealsoclearlyindicatestheorganizationadministeringtheCMS.PIV‐ICardAuthenticationsubscriberCertificatedonotincludeaSubscribercommonname.EachPIV‐ICardAuthenticationCertificateindicateswhetherornottheSubscriberisassociatedwithanAffiliatedOrganizationbytakingoneofthefollowingforms:

ForCertificateswithanAffiliatedOrganization:serialNumber=UUID,ou=AffiliatedOrganizationName,{BaseDN}

ForCertificateswithnoAffiliatedOrganization:serialNumber=UUID,ou=Unaffiliated,ou=EntityCA’sName,{BaseDN}

TheUUIDisencodedwithintheserialNumberattributeusingtheUUIDstringrepresentationdefinedinSection3ofRFC4122(e.g.,"f81d4fae‐7dec‐11d0‐a765‐00a0c91e6bf6").ThesubjectnameineachEUQualifiedCertificatecomplieswithsection3.1.2ofRFC3739

3.1.2. NeedforNamestobeMeaningfulDigiCertusesdistinguishednamesthatidentifyboththeentity(i.e.person,organization,device,orobject)thatisthesubjectoftheCertificateandtheentitythatistheissueroftheCertificate.DigiCertonlyallowsdirectoryinformationtreesthataccuratelyreflectorganizationstructures.

3.1.3. AnonymityorPseudonymityofSubscribersGenerally,DigiCertdoesnotissueanonymousorpseudonymousCertificates;however,forIDNs,DigiCertmayincludethePunycodeversionoftheIDNasasubjectname.DigiCertmayalsoissueotherpseudonymousend‐entityCertificatesiftheyarenotprohibitedbypolicyandanyapplicablenamespaceuniquenessrequirementsaremet.

3.1.4. RulesforInterpretingVariousNameFormsDistinguishedNamesinCertificatesareinterpretedusingX.500standardsandASN.1syntax.SeeRFC2253andRFC2616forfurtherinformationonhowX.500distinguishednamesinCertificatesareinterpretedasUniformResourceIdentifiersandHTTPreferences.

3.1.5. UniquenessofNamesTheuniquenessofeachsubjectnameinaCertificateisenforcedasfollows:

SSLServerCertificates

InclusionofthedomainnameintheCertificate.DomainnameuniquenessiscontrolledbytheInternetCorporationforAssignedNamesandNumbers(ICANN).

ClientCertificates Requiringauniqueemailaddressorauniqueorganizationnamecombined/associatedwithauniqueserialinteger.

IGTFandGrid‐onlyDeviceCertificates

FordeviceCertificates,anFQDNisincludedintheappropriatefields.ForotherCertificates,DigiCertmayappendauniqueIDtoanamelistedintheCertificate.

CodeSigningCertificates(includingCDSCertificates)

Requiringauniqueorganizationnameandaddressorauniqueorganizationnamecombined/associatedwithauniqueserialinteger.

TimeStamping Requiringauniquehashandtimeoruniqueserialintegerassignedtothetimestamp

3.1.6. Recognition,Authentication,andRoleofTrademarksSubscribersmaynotrequestCertificateswithcontentthatinfringesontheintellectualpropertyrightsofanotherentity.ForOSUServerCertificates,DigiCertconductsatrademarksearchoflogosandFriendlyNamesinrelevantmarkregistrationdatabases,suchastheU.S.PatentandTrademarkOfficeorWIPO,toconfirmanapplicant’srighttouseaparticulartrademark.Basedontheresultsofsuchsearch(es),DigiCertissuesanOSUServerCertificatewithoneormorelogotypeextensionscontainingthehashalgorithmandhashvalueoflogosassociatedwiththeserviceprovider.Ifanapplicantdoesnothaveafriendlynameorlogoavailable,DigiCertmayincludealogoandfriendlynamespecifiedbytheWi‐FiAlliance.UnlessotherwisespecificallystatedinthisCPS,DigiCertdoesnotverifyanApplicant’srighttouseatrademarkanddoesnotresolvetrademarkdisputes.DigiCertmayrejectanyapplicationorrequirerevocationofanyCertificatethatispartofatrademarkdispute.

3.2. INITIALIDENTITYVALIDATIONDigiCertmayuseanylegalmeansofcommunicationorinvestigationtoascertaintheidentityofanorganizationalorindividualApplicant.DigiCertmayrefusetoissueaCertificateinitssolediscretion.

3.2.1. MethodtoProvePossessionofPrivateKeyDigiCertestablishesthattheApplicantholdsorcontrolsthePrivateKeycorrespondingtothePublicKeybyperformingsignatureverificationordecryptionondatapurportedtohavebeendigitallysignedorencryptedwiththePrivateKeybyusingthePublicKeyassociatedwiththecertificaterequest.

3.2.2. AuthenticationofOrganizationIdentityDVSSLServerCertificates DigiCertvalidatestheApplicant’srighttouseorcontrolthedomain

namesthatwillbelistedintheCertificateusingoneormoreofthefollowingprocedures:

1. RelyingonpubliclyavailablerecordsfromtheDomainNameRegistrar,suchasWHOISorotherDNSrecordinformation;

2. Communicatingwithoneofthefollowingemailaddresses:[email protected],[email protected],[email protected],hostmaster@domain,postmaster@domain,oranyaddresslistedinthetechnical,registrant,oradministrativecontactfieldofthedomain’sRegistrarrecord;

3. Requiringapracticaldemonstrationofdomaincontrol(e.g.,requiringtheApplicanttomakeaspecifiedchangetoaDNSzonefileoralivepageonthegivendomain);and/or

4. Adomainauthorizationletter,providedthelettercontainsthesignatureofanauthorizedrepresentativeofthedomainholder,adatethatisonorafterthecertificaterequest,alistoftheapprovedfully‐qualifieddomainname(s),andastatementgrantingtheApplicanttherighttousethedomainnamesintheCertificate.DigiCertalsocontactsthedomainnameholderusingareliablethird‐partydatasourcetoconfirmtheauthenticityofthedomainauthorizationletter;and/or

5. AsimilarprocedurethatoffersanequivalentlevelofassuranceintheApplicant’sownership,control,orrighttousetheDomainName.

DigiCertverifiesanincludedcountrycodeusing(a)theIPAddressrangeassignmentbycountryforeither(i)thewebsite’sIPaddress,asindicatedbytheDNSrecordforthewebsiteor(ii)theApplicant’sIPaddress;(b)theccTLDoftherequestedDomainName;or(c)informationprovidedbytheDomainNameRegistrar.

IVandOVSSLServer,OSUServer,ObjectSigning,andDeviceCertificates(excludingdeviceCertificatesissuedundertheGrid‐onlyarc)

DigiCertvalidatestheApplicant’srighttouseorcontroltheDomainName(s)thatwillbelistedintheCertificateusingtheDVSSLServerCertificatevalidationproceduresabove.DigiCertalsoverifiestheidentityandaddressoftheApplicantusing:

1. areliablethirdparty/governmentdatabasesorthroughcommunicationwiththeentityorjurisdictiongoverningtheorganization’slegalcreation,existence,orrecognition;

2. asitevisit;3. anattestationletterthatissignedbyanaccountant,

lawyer,governmentofficial,orotherreliablethirdparty;or

4. foraddressonly,autilitybill,bankstatement,creditcardstatement,taxdocument,orotherreliableformofidentification.

DigiCertverifiesanyDBAincludedinaCertificateusingathirdpartyorgovernmentsource,attestationletter,orreliableformofidentification.

DeviceCertificatesissuedundertheGrid‐onlyarc

AnRAorTrustedAgentvalidatestheapplicant’sinformationinaccordancewithanRPS(orsimilardocument)applicabletothecommunityofinterest.

EVSSLandEVCodeSigningCertificates

InformationconcerningorganizationidentityrelatedtotheissuanceofEVCertificatesisvalidatedinaccordancewiththeEVGuidelines.


DigiCertverifies organizationalcontrolovertheemaildomainusingauthenticationproceduressimilartothoseusedwhenestablishing

domaincontrolbeforeissuanceofaDVorOVSSLServerCertificate.Level2,3,and4ClientCertificates

IftheCertificatecontainsorganizationinformation,DigiCertobtainsdocumentationfromtheorganizationsufficienttoconfirmthattheindividualhasanaffiliationwiththeorganizationnamedintheCertificate.

PIV‐I Forcertificate requests thatassertanorganizationalaffiliationbetweenahumansubscriberandanorganization,DigiCertverifiestheorganization’sidentityandlegalexistenceandtheorganizationisrequiredtoenterintoanagreementauthorizingorrecognizingthataffiliationandrequiringthattheorganizationrequestrevocationoftheCertificatewhenthataffiliationends.

DigiCertmaintainsandutilizesascoringsystemtoflagcertificaterequeststhatpotentiallypresentahigherriskoffraud.Thosecertificaterequeststhatareflagged“highrisk”receiveadditionalscrutinyorverificationpriortoissuance,whichmayincludeobtainingadditionaldocumentationfromoradditionalcommunicationwiththeApplicant.BeforeissuinganSSLCertificatewithadomainnamethathasnotbeenpreviouslyverifiedaswithinthescopeofanRA’sorotherDelegatedThirdParty’salloweddomainnames,DigiCertestablishesthattheRAorDelegatedThirdPartyhastherighttousetheDomainNamebyindependentlyverifyingtheauthorizationwiththedomainowner,asdescribedabove,orbyusingotherreliablemeans,suchasperformingaDNSlookuptodeterminewhetherthereisamatchingDNSrecordthatpointstotheDelegatedThirdParty’sIPaddressordomainnamespace.DigiCertverifiestheorganizationname,address,legalexistence,andauthorizationforCACertificatesthatcross‐certifywiththeFBCA.

3.2.3. AuthenticationofIndividualIdentityIfaCertificatewillcontaintheidentityofanindividual,thenDigiCertoranRAvalidatestheidentityoftheindividualusingthefollowingprocedures:

Certificate ValidationIVSSLServerCertificatesandObjectSigningCertificates(issuedtoanindividual)

1. DigiCertortheRAobtainsa legiblecopy,whichdiscerniblyshowstheApplicant’sface,ofatleastonecurrentlyvalidgovernment‐issuedphotoID(passport,driver’slicense,militaryID,nationalID,orequivalentdocumenttype).DigiCertortheRAinspectsthecopyforanyindicationofalterationorfalsification.

2. DigiCertmayadditionallycross‐checktheApplicant’sname

andaddressforconsistencywithavailablethirdpartydatasources.

3. Iffurtherassuranceisrequired,thentheApplicantmust

provideanadditionalformofidentification,suchasrecentutilitybills,financialaccountstatements,creditcard,anadditionalIDcredential,orequivalentdocumenttype.

4. DigiCertortheRAconfirmsthattheApplicantisableto

receivecommunicationbytelephone,postalmail/courier,orfax.

IfDigiCertcannotverifytheApplicant’sidentityusingtheproceduresdescribedabove,thentheApplicantmustsubmitaDeclarationofIdentitythatiswitnessedandsignedbya

RegistrationAuthority,TrustedAgent,notary,lawyer,accountant,postalcarrier,oranyentitycertifiedbyaStateorNationalGovernmentasauthorizedtoconfirmidentities.

DeviceCertificateSponsors

Seesection3.2.3.3

OSUServerCertificates DigiCertverifiesthattherequesterisadulyauthorizedrepresentativeoftheorganizationasanemployee,partner,member,agent,etc.,andisauthorizedtoactonbehalfoftheorganization.

EVCertificatesissuedtoabusinessentity

AsspecifiedintheEVGuidelines

Grid‐onlyCertificates EithertheRAresponsibleforthegridcommunityoraTrustedAgentobtainsanidentitydocumentduringaface‐to‐facemeetingwiththeApplicant,oraTrustedAgentatteststhattheApplicantispersonallyknowntotheTrustedAgent.TheRAmustretainsufficientinformationabouttheapplicant’sidentitytoproveuponDigiCert’srequestthattheapplicantwasproperlyidentified.

Authentication‐OnlyCertificates

Theentitycontrollingthesecurelocationmustrepresentthatthecertificateholderisauthorizedtoaccessthelocation.

Level1ClientCertificates–Personal(emailCertificates)

DigiCertoranRAverifiesApplicant'scontroloftheemailaddressorwebsitelistedintheCertificate.


Anyoneofthefollowing:1. In‐personappearancebeforeapersonperformingidentity

proofingforaRegistrationAuthorityoraTrustedAgentwithpresentmentofanidentitycredential(e.g.,driver'slicenseorbirthcertificate).

2. Usingproceduressimilartothoseusedwhenapplyingforconsumercreditandauthenticatedthroughinformationinconsumercreditdatabasesorgovernmentrecords,suchas:a. theabilitytoplaceorreceivecallsfromagivennumber;orb. theabilitytoobtainmailsenttoaknownphysicaladdress.

3. Throughinformationderivedfromanongoingbusinessrelationshipwiththecredentialproviderorapartnercompany(e.g.,afinancialinstitution,airline,employer,orretailcompany).Acceptableinformationincludes:a. theabilitytoobtainmailatthebillingaddressusedinthe

businessrelationship;b. verificationofinformationestablishedinprevious

transactions(e.g.,previousordernumber);orc. theabilitytoplacecallsfromorreceivephonecallsata

phonenumberusedinpreviousbusinesstransactions.

4. AnymethodusedtoverifytheidentityofanApplicantforaLevel2,3,or4ClientCertificate.

Level2ClientCertificatesandIGTFClassic/MICSCertificates

TheCAoranRAconfirmsthatthefollowingareconsistentwiththeapplicationandsufficienttoidentifyauniqueindividual: (a) thenameonthegovernment‐issuedphoto‐IDreferencedbelow; (b) dateofbirth;and

(c) currentaddressorpersonaltelephonenumber.1. In‐personappearancebeforeapersonperformingidentity

proofingforaRegistrationAuthorityoraTrustedAgent(orentitycertifiedbyastate,federal,ornationalentityasauthorizedtoconfirmidentities)withpresentmentofareliableformofcurrentgovernment‐issuedphotoID.

2. TheApplicantmustpossessavalid,current,government‐issued,

photoID.TheRegistrationAuthorityorTrustedAgentperformingidentityproofingmustobtainandreview,whichmaybethroughremoteverification,thefollowinginformationabouttheApplicant:(i)name,dateofbirth,andcurrentaddressortelephonenumber;(ii)serialnumberassignedtotheprimary,government‐issuedphotoID;and(iii)oneadditionalformofIDsuchasanothergovernment‐issuedID,anemployeeorstudentIDcardnumber,telephonenumber,afinancialaccountnumber(e.g.,checkingaccount,savingsaccount,loanorcreditcard),orautilityserviceaccountnumber(e.g.,electricity,gas,orwater)foranaddressmatchingtheapplicant’sresidence.Identityproofingthroughremoteverificationmayrelyondatabaserecordcheckswithanagent/institutionorthroughcreditbureausorsimilardatabases.

DigiCertoranRAmayconfirmanaddressbyissuingcredentialsinamannerthatconfirmstheaddressofrecordorbyverifyingknowledgeofrecentaccountactivityassociatedwiththeApplicant’saddressandmayconfirmatelephonenumberbysendingachallenge‐responseSMStextmessageorbyrecordingtheapplicant’svoiceduringacommunicationafterassociatingthetelephonenumberwiththeapplicantinrecordsavailabletoDigiCertortheRA.

3. WhereDigiCertoranRAhasacurrentandongoingrelationship

withtheApplicant,identitymaybeverifiedthroughtheexchangeofapreviouslyexchangedsharedsecret(e.g.,aPINorpassword)thatmeetsorexceedsNISTSP800‐63Level2entropyrequirements,providedthat:(a)identitywasoriginallyestablishedwiththedegreeofrigorequivalenttothatrequiredin1or2aboveusingagovernment‐issuedphoto‐ID,and(b)anongoingrelationshipexistssufficienttoensuretheApplicant’scontinuedpersonalpossessionofthesharedsecret.

4. Anyofthemethodsusedtoverifytheidentityofanapplicantfor

aDigiCertLevel3or4ClientCertificate.

Level3ClientCertificates

In‐personproofingbeforeanRA,TrustedAgent,oranentitycertifiedbyastate,federal,ornationalentitythatisauthorizedtoconfirmidentities.Theinformationmustbecollectedandstoredinasecuremanner.RequiredidentificationconsistsofoneunexpiredFederal/NationalGovernment‐issuedPictureI.D.(e.g.apassport),aREALID,ortwounexpiredNon‐FederalGovernmentI.D.s,oneofwhichmustbeaphotoI.D.AcceptableformsofgovernmentIDincludeadriver'slicense,state‐issuedphotoIDcard,passport,nationalidentitycard,permanentresidentcard,trustedtravelercard,

tribalID,militaryID,orsimilarphotoidentificationdocument.Seee.g.USCISFormI‐9.Thepersonperformingidentityproofingexaminesthecredentialsanddetermineswhethertheyareauthenticandunexpiredandcheckstheprovidedinformation(name,dateofbirth,andcurrentaddress)toensurelegitimacy.TheApplicantsignsaDeclarationofIdentity,definedbelow,towhichthepersonperformingidentityproofingattests.DigiCertortheRAreviewsandkeepsarecordoftheDeclarationofIdentity.DigiCertalsoemploysthein‐personantecedentprocess,definedinFBCASupplementaryAntecedent,In‐PersonDefinition,tomeetthisin‐personidentityproofingrequirement.Underthisdefinition,historicalin‐personidentityproofingissufficientif(1)itmeetsthethoroughnessandrigorofin‐personproofingdescribedabove,(2)supportingIDproofingartifactsexisttosubstantiatetheantecedentrelationship,and(3)mechanismsareinplacethatbindtheindividualtotheassertedidentity.Inoneusecase,theApplicant(e.g.anemployee)hasbeenidentifiedpreviouslybyanemployerusingUSCISFormI‐9andisboundtotheassertedidentityremotelythroughtheuseofknownattributesorsharedsecrets.Inanotherusecase,DigiCertusesathirdpartyIdentityVerificationProviderthatconstructsareal‐time,five‐questionprocess,basedonmultiplehistoricantecedentdatabases,andtheapplicantisgiventwominutestoansweratleastfourofthefivequestionscorrectly.SeeFBCASupplementaryAntecedent,In‐PersonDefinition.TheidentityoftheApplicantmustbeestablishednoearlierthan30dayspriortoinitialcertificateissuance.

Level4ClientCertificates(BiometricIDCertificates)

In‐personproofingbeforeanRA,TrustedAgent,oranentitycertifiedbyastate,federal,ornationalentitythatisauthorizedtoconfirmidentities.AcertifiedentitymustforwardthecollectedinformationdirectlytoanRAinasecuremanner.TheApplicantmustsupplyoneunexpiredFederal/NationalGovernment‐issuedPictureI.D.(e.g.apassport),aREALID,ortwounexpiredNon‐FederalGovernmentI.D.s,oneofwhichmustbeaphotoI.D..AcceptableformsofgovernmentIDincludeadriver'slicense,state‐issuedphotoIDcard,passport,nationalidentitycard,permanentresidentcard,trustedtravelercard,tribalID,militaryID,orsimilarphotoidentificationdocument.Seee.g.USCISFormI‐9.Theentitycollectingthecredentialsmustalsoobtainatleastoneformofbiometricdata(e.g.photographorfingerprints)toensurethattheApplicantcannotrepudiatetheapplication.ThepersonperformingidentityverificationforDigiCertortheRAexaminesthecredentialsforauthenticityandvalidity.TheApplicantsignsaDeclarationofIdentity,definedbelow,towhichthepersonperformingidentityproofingattests.DigiCertortheRAreviewsandkeepsarecordoftheDeclarationofIdentity.Useofanin‐personantecedentisnotallowed.TheidentityoftheApplicantmustbeestablishedbyin‐personproofingnoearlierthan30dayspriortoinitialcertificateissuance.Level4ClientCertificates

areissuedinamannerthatconfirmstheApplicant’saddress.PIV‐ICertificates PIV‐IHardwareCertificatesareonlyissuedtohumansubscribers.

ThefollowingbiometricdataiscollectedbyDigiCert,anRA,oraTrustedAgentduringtheidentityproofingandregistrationprocess:1. Anelectronicfacialimageusedforprintingfacialimageonthe

cardandforvisualauthenticationduringcardusage.Anewfacialimageiscollectedeachtimeacardisissued;and

2. Twoelectronicfingerprintsarestoredonthecardforautomatedauthenticationduringcardusage.

TheSubscribermustalsopresenttwoidentitysourcedocumentsinoriginalformthatcomefromthelistofacceptabledocumentsincludedinFormI‐9.Atleastonedocumentmustbeavalid,unexpiredStateorFederalGovernment‐issuedpictureidentification(ID).ForPIV‐I,theuseofanin‐personantecedentisnotapplicable.Identityisestablishednomorethan30dayspriortoinitialcertificateissuance.

EUQualifiedCertificates Usingidentityandattributevalidationproceduresinaccordancewithnationallaw.Evidenceofidentityischeckeddirectlyagainstaphysicalpersonorindirectlyusingmeanswhichprovidesequivalentassurancetophysicalpresence.

ADeclarationofIdentityconsistsof:

1. theidentityofthepersonperformingtheverification;2. asigneddeclarationbytheverifyingpersonstatingthattheyverifiedtheidentityoftheSubscriberas

requiredusingtheformatsetforthat28U.S.C.1746(declarationunderpenaltyofperjury)orcomparableprocedureunderlocallaw,thesignatureonthedeclarationmaybeeitherahandwrittenordigitalsignatureusingaCertificatethatisofequalorhigherlevelofassuranceasthecredentialbeingissued;

3. uniqueidentifyingnumber(s)fromtheApplicant’sidentificationdocument(s),orafacsimileoftheID(s);

4. thedateoftheverification;and5. adeclarationofidentitybytheApplicantthatissigned(inhandwritingorusingadigitalsignature

thatisofequivalentorhigherassurancethanthecredentialbeingissued)inthepresenceofthepersonperformingtheverificationusingtheformatsetforthat28U.S.C.1746(declarationunderpenaltyofperjury)orcomparableprocedureunderlocallaw.

Ifin‐personidentityverificationisrequiredandtheApplicantcannotparticipateinface‐to‐faceregistrationalone(e.g.becauseApplicantisanetworkdevice,minor,orpersonnotlegallycompetent),thentheApplicantmaybeaccompaniedbyapersonalreadycertifiedbythePKIorwhohastherequiredidentitycredentialsforaCertificateofthesametypeappliedforbytheApplicant.ThepersonaccompanyingtheApplicant(i.e.the“Sponsor”)willpresentinformationsufficientforregistrationattheleveloftheCertificatebeingrequested,forhimselforherself,andfortheApplicant.Forin‐personidentityproofingatLevels3and4andforPIV‐I,DigiCertmayrelyonanentitycertifiedbyastate,federal,ornationalentityasauthorizedtoconfirmidentitiesmayperformtheauthenticationonbehalfoftheRA.ThecertifiedentityshouldforwardtheinformationcollectedfromtheapplicantdirectlytotheRAinasecuremanner.

3.2.3.1. AuthenticationforRole‐basedClientCertificatesDigiCertmayissueCertificatesthatidentifyaspecificrolethattheSubscriberholds,iftheroleidentifiesaspecificindividualwithinanorganization(e.g.,ChiefInformationOfficerisauniqueindividualwhereasProgramAnalystisnot).Theserole‐basedCertificatesareusedwhennon‐repudiationisdesired.DigiCert

onlyissuesrole‐basedCertificatestoSubscriberswhofirstobtainanindividualSubscriberCertificatethatisatthesameorhigherassurancelevelastherequestedrole‐basedCertificate.DigiCertmayissueCertificateswiththesameroletomultipleSubscribers.However,DigiCertrequiresthateachCertificatehaveauniqueKeyPair.Individualsmaynotsharetheirissuedrole‐basedCertificatesandarerequiredtoprotecttherole‐basedCertificateinthesamemannerasindividualCertificates.DigiCertverifiestheidentityoftheindividualrequestingarole‐basedCertificate(thesponsor)inaccordancewithSection3.2.3beforeissuingarole‐basedCertificate.ThesponsormustholdaDigiCert‐issuedclientindividualCertificateatthesameorhigherassurancelevelastherole‐basedCertificate.IftheCertificateisapseudonymousCertificatecross‐certifiedwiththeFBCAthatidentifiessubjectsbytheirorganizationalroles,thenDigiCertoranRAvalidatesthattheindividualeitherholdsthatroleorhastheauthoritytosignonbehalfoftherole.Regardingtheissuanceofrole‐basedCertificates,thisCPSrequirescompliancewithallprovisionsofDigiCert’sCPregardingkeygeneration,privatekeyprotection,andSubscriberobligations.IGTFandEUQualifiedCertificatesarenotissuedasrole‐basedCertificates.

3.2.3.2. AuthenticationforGroupClientCertificatesDigiCertissuesgroupCertificates(aCertificatethatcorrespondstoaPrivateKeythatissharedbymultipleSubscribers)ifseveralentitiesareactinginonecapacityandifnon‐repudiationisnotrequired.DirectAddressCertificatesandDirectOrganizationalCertificatesareusedasgroupCertificatesconsistentwithapplicablerequirementsoftheDirectProgram.DigiCertortheRArecordstheinformationidentifiedinSection3.2.3forasponsorbeforeissuingagroupCertificate.ThesponsormustbeatleastanInformationSystemsSecurityOfficer(ISSO)oroftheequivalentrankorgreaterwithintheorganization.ThesponsorisresponsibleforensuringcontrolofthePrivateKey.ThesponsormustmaintainandcontinuouslyupdatealistofSubscriberswithaccesstothePrivateKeyandaccountforthetimeperiodduringwhicheachSubscriberhadcontrolofthekey.GroupCertificatesmaylisttheidentityofanindividualinthesubjectNameDNprovidedthatthesubjectNameDNfieldalsoincludesatextstring,suchas“DirectGroupCert,”sothattheCertificatespecifiesthesubjectisagroupandnotasingleindividual.ClientCertificatesissuedinthiswaytoanorganizationarealwaysconsideredgroupclientCertificates.

3.2.3.3. AuthenticationofDeviceswithHumanSponsorsDigiCertissuesLevel1,2,3or4ClientandFederatedDeviceCertificatesforuseoncomputingornetworkdevices,providedthattheentityowningthedeviceislistedasthesubject.Inallcases,thedevicehasahumansponsorwhoprovides:

Equipmentidentification(e.g.,serialnumber)orservicename(e.g.,DNSname), EquipmentPublicKeys, Equipmentauthorizationsandattributes(ifanyaretobeincludedintheCertificate),and Contactinformation.

IftheCertificate’ssponsorchanges,thenewsponsorisrequiredtoreviewthestatusofeachdevicetoensureitisstillauthorizedtoreceiveCertificates.Eachsponsorisrequiredtoprovideproofthatthedeviceisstillunderthesponsor’scontrolorresponsibilityonrequest.SponsorsarecontractuallyobligatedtonotifyDigiCertiftheequipmentisnolongerinuse,nolongerundertheircontrolorresponsibility,ornolongerrequiresaCertificate.Allregistrationisverifiedcommensuratewiththerequestedcertificatetype.

3.2.4. Non‐verifiedSubscriberInformationThecommonnameofaLevel1‐PersonalClientCertificatesisnotverifiedasthelegalnameoftheSubscriber.DVSSLServerCertificatesdonotincludeaverifiedorganizationalidentity.Anyothernon‐verifiedinformationincludedinaCertificateisdesignatedassuchintheCertificate.UnverifiedinformationisneverincludedinaLevel2,Level,3,Level4,PIV‐I,ObjectSigning,EVSSL,FederatedDevice,orEUQualifiedCertificate.

3.2.5. ValidationofAuthorityTheauthorizationofacertificaterequestisverifiedasfollows:

Certificate VerificationDVSSLServerCertificate Therequest isverifiedwithanauthorizedcontactlistedwiththe

DomainNameRegistrar,throughapersonwithcontroloverthedomain,orthroughanout‐of‐bandconfirmationwiththeapplicant.ApersonwithcontroloverthedomainnameisconsideredtohaveauthoritytorequestDVSSLCertificates,includinganyindividualwithaccesstoonemoreofthefollowingemailaddresses:[email protected],[email protected],[email protected],hostmaster@domain,postmaster@domain,oranyaddresslistedasacontactfieldofthedomain’sDomainNameRegistrarrecord.

OVSSLServerandFederatedDeviceCertificates

TherequestisverifiedusingaReliableMethodofCommunication,inaccordancewiththeBaselineRequirements.

OSUServerCertificates DigiCertverifiesthattherequesterisadulyauthorizedrepresentativeoftheorganizationasanemployee,partner,member,agent,etc.,andisauthorizedtoactonbehalfoftheorganization.

EVCertificates TherequestisverifiedinaccordancewiththeEVGuidelines.ObjectSigningCertificatesandAdobeSigningCertificates

IftheCertificatenamesanorganization,therequester’scontactinformationisverifiedwithanauthoritativesourcewithintheapplicant’sorganizationusingaReliableMethodofCommunication.Thecontactinformationisthenusedtoconfirmtheauthenticityofthecertificaterequest.

Level1ClientCertificatesPersonal(emailCertificates)

TherequestisverifiedthroughtheemailaddresslistedintheCertificate.

Level1ClientCertificates–Enterprise(emailCertificates)

TherequestisverifiedwithapersonwhohastechnicaloradministrativecontroloverthedomainandtheemailaddresstobelistedintheCertificate.

ClientCertificatesLevels2,3and4andPIV‐ICertificates

TheorganizationnamedintheCertificateconfirmstoDigiCertoranRAthattheindividualisauthorizedtoobtaintheCertificate.TheorganizationisrequiredtorequestrevocationoftheCertificatewhenthataffiliationends.

DirectAddressandDirectOrganizationCertificates

TheentitynamedintheCertificateauthorizes aHISPtoordertheCertificateandusetherelatedPrivateKeyontheentity’sbehalf.TheHISPISSOisresponsiblefortrackingaccesstoandensuringproperuseofthePrivateKey.

IGTFCertificates Anauthorizedindividualapprovesthecertificaterequest.FordeviceCertificates,theRAretainscontactinformationforeachdevice’sregisteredowner.ThedeviceownerisrequiredtonotifytheRAandrequestrevocationifthedevicesponsorisnolongerauthorizedtousethedeviceortheFQDNintheCertificate.

EUQualifiedCertificates DigiCertverifiesthattheindividualisassociatedwiththeorganizationlistedintheCertificate(ifany)andthattheorganizationconsentedtotheissuanceoftheCertificate.

AnorganizationmaylimitwhoisauthorizedtorequestCertificatesbysendingarequesttoDigiCert.ArequesttolimitauthorizedindividualsisnoteffectiveuntilapprovedbyDigiCert.DigiCertwillrespondtoanorganization’sverifiedrequestforDigiCert’slistofitsauthorizedrequesters.

3.3. IDENTIFICATIONANDAUTHENTICATIONFORRE‐KEYREQUESTS

3.3.1. IdentificationandAuthenticationforRoutineRe‐keySubscribersmayrequestre‐keyofaCertificatepriortoaCertificate’sexpiration.Afterreceivingarequestforre‐key,DigiCertcreatesanewCertificatewiththesamecertificatecontentsexceptforanewPublicKeyand,optionally,anextendedvalidityperiod.IftheCertificatehasanextendedvalidityperiod,DigiCertmayperformsomerevalidationoftheApplicantbutmayalsorelyoninformationpreviouslyprovidedorobtained.Subscribersre‐establishtheiridentityasfollows:

Certificate RoutineRe‐KeyAuthentication Re‐VerificationRequiredDVandOVSSLServerandDeviceCertificates

Usernameandpassword Atleastevery39months

EVSSLCertificates Usernameandpassword AccordingtotheEVGuidelinesSubscriberCodeSigningCertificates(MinimumRequirementsandEV)


SigningAuthorityEVCodeSigningCertificates


TimestampEVCodeSigningCertificates


ObjectSigningCertificates(includingAdobeSigningCertificates)

Usernameandpassword Atleasteverysixyears

Level1ClientCertificates Usernameandpassword AtleasteverynineyearsLevel2ClientCertificates Currentsignaturekeyormulti‐

factorauthenticationmeetingNISTSP800‐63Level3

Atleasteverynineyears

Level3and4ClientCertificatesandPIV‐ICertificates

Currentsignaturekeyormulti‐factorauthenticationmeetingNISTSP800‐63Level3


FederatedDeviceandFederatedDevice‐hardware

Currentsignaturekeyormulti‐factorauthenticationmeetingNIST‐800‐63Level3


IGTFCertificates Usernameandpassword,RAattestationaftercomparisonofidentitydocuments,re‐authenticatethroughanapprovedIdM,orthroughassociatedPrivateKey

Atleastevery13months.However,CertificatesassociatedwithaPrivateKeyrestrictedsolelytoahardwaretokenmayberekeyedorrenewedforaperiodofupto5years

Authentication‐OnlyCertificates

UsernameandpasswordorwithassociatedPrivateKey

None

DigiCertdoesnotre‐keyaCertificatewithoutadditionalauthenticationifdoingsowouldallowtheSubscribertousetheCertificatebeyondthelimitsdescribedabove.

3.3.2. IdentificationandAuthenticationforRe‐keyAfterRevocationIfaCertificatewasrevokedforanyreasonotherthanarenewal,update,ormodificationaction,thentheSubscribermustundergotheinitialregistrationprocesspriortorekeyingtheCertificate.

3.4. IDENTIFICATIONANDAUTHENTICATIONFORREVOCATIONREQUESTDigiCertoranRAauthenticatesallrevocationrequests.DigiCertmayauthenticaterevocationrequestsbyreferencingtheCertificate’sPublicKey,regardlessofwhethertheassociatedPrivateKeyiscompromised.

4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS

4.1. CERTIFICATEAPPLICATION

4.1.1. WhoCanSubmitaCertificateApplicationEithertheApplicantoranindividualauthorizedtorequestCertificatesonbehalfoftheApplicantmaysubmitcertificaterequests.ApplicantsareresponsibleforanydatathattheApplicantoranagentoftheApplicantsuppliestoDigiCert.EVCertificaterequestsmustbesubmittedbyanauthorizedCertificateRequesterandapprovedbyaCertificateApprover.Thecertificaterequestmustbeaccompaniedbyasigned(inwritingorelectronically)SubscriberAgreementfromaContractSigner.DigiCertdoesnotissueCertificatestoentitiesonagovernmentdeniedlistmaintainedbytheUnitedStatesorthatislocatedinacountrywithwhichthelawsoftheUnitedStatesprohibitdoingbusiness.

4.1.2. EnrollmentProcessandResponsibilitiesInnoparticularorder,theenrollmentprocessincludes:

Submittingacertificateapplication, GeneratingaKeyPair, DeliveringthePublicKeyoftheKeyPairtoDigiCert, AgreeingtotheapplicableSubscriberAgreement,and Payinganyapplicablefees.

4.2. CERTIFICATEAPPLICATIONPROCESSING

4.2.1. PerformingIdentificationandAuthenticationFunctionsAfterreceivingacertificateapplication,DigiCertoranRAverifiestheapplicationinformationandotherinformationinaccordancewithSection3.2.Duringtheinitialvalidationprocess,DigiCertcheckstheDNSfortheexistenceofaCAArecord.IfaCAArecordexiststhatdoesnotlistDigiCertasanauthorizedCA,DigiCertverifiesthattheapplicanthasauthorizedissuance,despitetheCAArecord.IfanRAassistsintheverification,theRAmustcreateandmaintainrecordssufficienttoestablishthatithasperformeditsrequiredverificationtasksandcommunicatethecompletionofsuchperformancetoDigiCert.Afterverificationiscomplete,DigiCertevaluatesthecorpusofinformationanddecideswhetherornottoissuetheCertificate.Aspartofthisevaluation,DigiCertcheckstheCertificateagainstaninternaldatabaseofpreviouslyrevokedCertificatesandrejectedcertificaterequeststoidentifysuspiciouscertificaterequests.IfsomeorallofthedocumentationusedtosupportanapplicationisinalanguageotherthanEnglish,aDigiCertemployee,RA,oragentskilledinthelanguageperformsthefinalcross‐correlationandduediligence.DigiCertconsidersasource’savailability,purpose,andreputationwhendeterminingwhetherathirdpartysourceisreasonablyreliable.DigiCertdoesnotconsideradatabase,source,orformofidentificationreasonablyreliableifDigiCertortheRAisthesolesourceoftheinformation.

4.2.2. ApprovalorRejectionofCertificateApplicationsDigiCertrejectsanycertificateapplicationthatDigiCertoranRAcannotverify.DigiCertmayalsorejectacertificateapplicationifDigiCertbelievesthatissuingtheCertificatecoulddamageordiminishDigiCert’sreputationorbusiness.ExceptforEnterpriseEVCertificates,EVCertificateissuanceapprovalrequirestwoseparateDigiCertvalidationspecialists.ThesecondvalidationspecialistcannotbethesameindividualwhocollectedthedocumentationandoriginallyapprovedtheEVCertificate.Thesecondvalidationspecialistreviewsthecollectedinformationanddocumentsanydiscrepanciesordetailsthatrequirefurtherexplanation.Thesecondvalidationspecialistmayrequireadditionalexplanationsanddocumentspriortoauthorizingthe

Certificate’sissuance.EnterpriseRAsmayperformthefinalcross‐correlationandduediligencedescribedhereinusingasinglepersonrepresentingtheEnterpriseRA.Ifsatisfactoryexplanationsand/oradditionaldocumentsarenotreceivedwithinareasonabletime,DigiCertwillrejecttheEVCertificaterequestandnotifytheApplicantaccordingly.IfthecertificateapplicationisnotrejectedandissuccessfullyvalidatedinaccordancewiththisCPS,DigiCertwillapprovethecertificateapplicationandissuetheCertificate.DigiCertisnotliableforanyrejectedCertificateandisnotobligatedtodisclosethereasonsforarejection.RejectedApplicantsmayre‐apply.SubscribersarerequiredtochecktheCertificate’scontentsforaccuracypriortousingthecertificate.

4.2.3. TimetoProcessCertificateApplicationsUndernormalcircumstances,DigiCertverifiesanApplicant’sinformationandissuesadigitalCertificatewithinareasonabletimeframe.IssuancetimeframesaregreatlydependentonwhentheApplicantprovidesthedetailsanddocumentationnecessarytocompletevalidation.Fornon‐EVSSLCertificates,DigiCertwillusuallycompletethevalidationprocessandissueorrejectacertificateapplicationwithintwoworkingdaysafterreceivingallofthenecessarydetailsanddocumentationfromtheApplicant,althougheventsoutsideofthecontrolofDigiCertcandelaytheissuanceprocess.

4.3. CERTIFICATEISSUANCE

4.3.1. CAActionsduringCertificateIssuanceDigiCertconfirmsthesourceofacertificaterequestbeforeissuance.DigiCertdoesnotissueendentityCertificatesdirectlyfromitsrootCertificates.DigiCertlogsitsEVCertificatesintwoormoreCertificateTransparencydatabases.SeeRFC6962.DatabasesandCAprocessesoccurringduringcertificateissuanceareprotectedfromunauthorizedmodification.Afterissuanceiscomplete,theCertificateisstoredinadatabaseandsenttotheSubscriber.

4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificateDigiCertmaydeliverCertificatesinanysecuremannerwithinareasonabletimeafterissuance.Generally,DigiCertdeliversCertificatesviaemailtotheemailaddressdesignatedbytheSubscriberduringtheapplicationprocess.

4.4. CERTIFICATEACCEPTANCE

4.4.1. ConductConstitutingCertificateAcceptanceSubscribersaresolelyresponsibleforinstallingtheissuedCertificateontheSubscriber’scomputerorhardwaresecuritymodule.Certificatesareconsideredaccepted30daysaftertheCertificate’sissuance,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.

4.4.2. PublicationoftheCertificatebytheCADigiCertpublishesallCACertificatesinitsrepository.DigiCertpublishesend‐entityCertificatesbydeliveringthemtotheSubscriber.

4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’sissuanceiftheRAwasinvolvedintheissuanceprocess.

4.5. KEYPAIRANDCERTIFICATEUSAGE

4.5.1. SubscriberPrivateKeyandCertificateUsageSubscribersarecontractuallyobligatedtoprotecttheirPrivateKeysfromunauthorizeduseordisclosure,discontinueusingaPrivateKeyafterexpirationorrevocationoftheassociatedCertificate,anduseCertificatesinaccordancewiththeirintendedpurpose.

4.5.2. RelyingPartyPublicKeyandCertificateUsageRelyingPartiesmayonlyusesoftwarethatiscompliantwithX.509,IETFRFCs,andotherapplicablestandards.DigiCertdoesnotwarrantthatanythirdpartysoftwarewillsupportorenforcethecontrolsandrequirementsfoundherein.ARelyingPartyshouldusediscretionwhenrelyingonaCertificateandshouldconsiderthetotalityofthecircumstancesandriskoflosspriortorelyingonaCertificate.Ifthecircumstancesindicatethatadditionalassurancesarerequired,theRelyingPartymustobtainsuchassurancesbeforeusingtheCertificate.AnywarrantiesprovidedbyDigiCertareonlyvalidifaRelyingParty’sreliancewasreasonableandiftheRelyingPartyadheredtotheRelyingPartyAgreementsetforthintheDigiCertrepository.ARelyingPartyshouldrelyonadigitalsignatureorSSL/TLShandshakeonlyif:

1. thedigitalsignatureorSSL/TLSsessionwascreatedduringtheoperationalperiodofavalidCertificateandcanbeverifiedbyreferencingavalidCertificate,

2. theCertificateisnotrevokedandtheRelyingPartycheckedtherevocationstatusoftheCertificatepriortotheCertificate’susebyreferringtotherelevantCRLsorOCSPresponses,and

3. theCertificateisbeingusedforitsintendedpurposeandinaccordancewiththisCPS.Beforerelyingonatime‐stamptoken,aRelyingPartymust:

1. verifythatthetime‐stamptokenhasbeencorrectlysignedandthatthePrivateKeyusedtosignthetime‐stamptokenhasnotbeencompromisedpriortothetimeoftheverification,

2. takeintoaccountanylimitationsontheusageofthetime‐stamptokenindicatedbythetime‐stamppolicy,and

3. takeintoaccountanyotherprecautionsprescribedinthisCPSorelsewhere.

4.6. CERTIFICATERENEWAL

4.6.1. CircumstanceforCertificateRenewalDigiCertmayrenewaCertificateif:

theassociatedPublicKeyhasnotreachedtheendofitsvalidityperiod, theSubscriberandattributesareconsistent,and theassociatedPrivateKeyremainsuncompromised.

DigiCertmayalsorenewaCertificateifaCACertificateisre‐keyedorasotherwisenecessarytoprovideservicestoacustomer.DigiCertmaynotifySubscriberspriortoaCertificate’sexpirationdate.Certificaterenewalrequirespaymentofadditionalfees.

4.6.2. WhoMayRequestRenewalOnlythecertificatesubjectoranauthorizedrepresentativeofthecertificatesubjectmayrequestrenewaloftheSubscriber’sCertificates.ForCertificatescross‐certifiedwiththeFBCA,renewalrequestsareonlyacceptedfromcertificatesubjects,PKIsponsors,orRAs.DigiCertmayrenewaCertificatewithoutacorrespondingrequestifthesigningCertificateisre‐keyed.

4.6.3. ProcessingCertificateRenewalRequestsRenewalapplicationrequirementsandproceduresaregenerallythesameasthoseusedduringtheCertificate’soriginalissuance.DigiCertmayelecttoreusepreviouslyverifiedinformationinitssolediscretionbutwillrefreshanyinformationthatisolderthantheperiodsspecifiedinSection3.3.1.DigiCertmayrefusetorenewaCertificateifitcannotverifyanyrecheckedinformation.IfanindividualisrenewingaclientCertificateandtherelevantinformationhasnotchanged,thenDigiCertdoesnotrequireanyadditionalidentityvetting.Somedeviceplatforms,e.g.Apache,allowreneweduseofthePrivateKey.IfthePrivateKeyanddomaininformationhavenotchanged,theSubscribermayrenewtheSSLCertificateusingapreviouslyissuedCertificateorprovidedCSR.

4.6.4. NotificationofNewCertificateIssuancetoSubscriberDigiCertmaydelivertheCertificateinanysecurefashion,typicallybyemailorbyprovidingtheSubscriberahypertextlinktoauserid/password‐protectedlocationwherethesubscribermayloginanddownloadtheCertificate.

4.6.5. ConductConstitutingAcceptanceofaRenewalCertificateRenewedCertificatesareconsideredaccepted30daysaftertheCertificate’srenewal,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.

4.6.6. PublicationoftheRenewalCertificatebytheCADigiCertpublishesarenewedCertificatebydeliveringittotheSubscriber.AllrenewedCACertificatesarepublishedinDigiCert’srepository.

4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’srenewaliftheRAwasinvolvedintheissuanceprocess.

4.7. CERTIFICATERE‐KEY

4.7.1. CircumstanceforCertificateRekeyRe‐keyingaCertificateconsistsofcreatinganewCertificatewithanewPublicKeyandserialnumberwhilekeepingthesubjectinformationthesame.ThenewCertificatemayhaveadifferentvaliditydate,keyidentifiers,CRLandOCSPdistributionpoints,andsigningkey.Afterre‐keyingaCertificate,aPIV‐ICertificate,orafederateddeviceCertificate,DigiCertmayrevoketheoldCertificatebutmaynotfurtherre‐key,renew,ormodifythepreviousCertificate.Subscribersrequestingre‐keyshouldidentifyandauthenticatethemselvesaspermittedbysection3.3.1.

4.7.2. WhoMayRequestCertificateRekeyDigiCertwillonlyacceptre‐keyrequestsfromthesubjectoftheCertificateorthePKIsponsor.DigiCertmayinitiateacertificatere‐keyattherequestofthecertificatesubjectorinDigiCert’sowndiscretion.

4.7.3. ProcessingCertificateRekeyRequestsDigiCertwillonlyacceptre‐keyrequestsfromthesubjectoftheCertificateorthePKIsponsor.IfthePrivateKeyandanyidentityanddomaininformationinaCertificatehavenotchanged,thenDigiCertcanissueareplacementCertificateusingapreviouslyissuedCertificateorpreviouslyprovidedCSR.DigiCertre‐usesexistingverificationinformationunlessre‐verificationandauthenticationisrequiredundersection3.3.1orifDigiCertbelievesthattheinformationhasbecomeinaccurate.

4.7.4. NotificationofCertificateRekeytoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeaftertheCertificateissues.

4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificateIssuedCertificatesareconsideredaccepted30daysaftertheCertificateisrekeyed,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.

4.7.6. PublicationoftheIssuedCertificatebytheCADigiCertpublishesrekeyedCertificatesbydeliveringthemtoSubscribers.

4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’srekeyiftheRAwasinvolvedintheissuanceprocess.

4.8. CERTIFICATEMODIFICATION

4.8.1. CircumstancesforCertificateModificationModifyingaCertificatemeanscreatinganewCertificateforthesamesubjectwithauthenticatedinformationthatdiffersslightlyfromtheoldCertificate(e.g.,changestoemailaddressornon‐essentialpartsofnamesorattributes)providedthatthemodificationotherwisecomplieswiththisCPS.ThenewCertificatemayhavethesameoradifferentsubjectPublicKey.AftermodifyingaCertificatethatiscross‐certifiedwiththeFBCA,DigiCertmayrevoketheoldCertificatebutwillnotfurtherre‐key,renew,ormodifytheoldCertificate.

4.8.2. WhoMayRequestCertificateModificationDigiCertmodifiesCertificatesattherequestofcertaincertificatesubjectsorinitsowndiscretion.DigiCertdoesnotmakecertificatemodificationservicesavailabletoallSubscribers.

4.8.3. ProcessingCertificateModificationRequestsAfterreceivingarequestformodification,DigiCertverifiesanyinformationthatwillchangeinthemodifiedCertificate.DigiCertwillonlyissuethemodifiedCertificateaftercompletingtheverificationprocessonallmodifiedinformation.DigiCertwillnotissueamodifiedCertificatethathasavalidityperiodthatexceedstheapplicabletimelimitsfoundinsection3.3.1or6.3.2.

4.8.4. NotificationofCertificateModificationtoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeaftertheCertificateissues.

4.8.5. ConductConstitutingAcceptanceofaModifiedCertificateModifiedCertificatesareconsideredaccepted30daysaftertheCertificateismodified,orearlieruponuseoftheCertificatewhenevidenceexiststhattheSubscriberusedtheCertificate.

4.8.6. PublicationoftheModifiedCertificatebytheCADigiCertpublishesmodifiedCertificatesbydeliveringthemtoSubscribers.

4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntitiesRAsmayreceivenotificationofaCertificate’smodificationiftheRAwasinvolvedintheissuanceprocess.

4.9. CERTIFICATEREVOCATIONANDSUSPENSION

4.9.1. CircumstancesforRevocationRevocationofaCertificatepermanentlyendstheoperationalperiodoftheCertificatepriortotheCertificatereachingtheendofitsstatedvalidityperiod.PriortorevokingaCertificate,DigiCertverifiestheidentityandauthorityoftheentityrequestingrevocation.DigiCertmayrevokeanyCertificateinitssolediscretion,includingifDigiCertbelievesthat:

1. TheSubscriberrequestedrevocationofitsCertificate;2. TheSubscriberdidnotauthorizetheoriginalcertificaterequestanddidnotretroactivelygrant

authorization;3. EitherthePrivateKeyassociatedwiththeCertificateorthePrivateKeyusedtosigntheCertificate

wascompromisedormisused;4. TheSubscriberbreachedamaterialobligationundertheCP,theCPS,ortherelevantSubscriber

Agreement;5. EithertheSubscriber’sorDigiCert’sobligationsundertheCPorCPSaredelayedorpreventedby

circumstancesbeyondtheparty’sreasonablecontrol,includingcomputerorcommunicationfailure,and,asaresult,anotherentity’sinformationismateriallythreatenedorcompromised;

6. TheSubscriber,sponsor,orotherentitythatwasissuedtheCertificatehaslostitsrightstoaname,trademark,device,IPaddress,domainname,orotherattributethatwasassociatedwiththeCertificate;

7. AwildcardCertificatewasusedtoauthenticateafraudulentlymisleadingsubordinatedomainname;8. TheCertificatewasnotissuedinaccordancewiththeCP,CPS,orapplicableindustrystandards;

9. DigiCertreceivedalawfulandbindingorderfromagovernmentorregulatorybodytorevoketheCertificate;

10. DigiCertceasedoperationsanddidnotarrangeforanothercertificateauthoritytoproviderevocationsupportfortheCertificates;

11. DigiCert'srighttomanageCertificatesunderapplicableindustrystandardswasterminated(unlessarrangementshavebeenmadetocontinuerevocationservicesandmaintaintheCRL/OCSPRepository);

12. AnyinformationappearingintheCertificatewasorbecameinaccurateormisleading;13. ThetechnicalcontentorformatoftheCertificatepresentsanunacceptablerisktoapplication

softwarevendors,RelyingParties,orothers;14. TheSubscriberwasaddedasadeniedpartyorprohibitedpersontoablacklistorisoperatingfroma

destinationprohibitedunderthelawsoftheUnitedStates;15. ForAdobeSigningCertificates,Adobehasrequestedrevocation;or16. Forcode‐signingCertificates,theCertificatewasusedtosign,publish,ordistributemalware,code

thatisdownloadedwithoutuserconsent,orotherharmfulcontent.DigiCertalwaysrevokesaCertificateifthebindingbetweenthesubjectandthesubject’sPublicKeyinthecertificateisnolongervalidorifanassociatedPrivateKeyiscompromised.DigiCertwillrevokeacross‐Certificateifthecross‐certifiedentity(includingDigiCert)nolongermeetsthestipulationsofthecorrespondingpolicies,asindicatedbypolicyOIDslistedinthepolicymappingextensionofthecross‐Certificate.

4.9.2. WhoCanRequestRevocationAnyappropriatelyauthorizedparty,suchasarecognizedrepresentativeofasubscriberorcross‐signedpartner,mayrequestrevocationofaCertificate.DigiCertmayrevokeaCertificatewithoutreceivingarequestandwithoutreason.Thirdpartiesmayrequestcertificaterevocationforproblemsrelatedtofraud,misuse,orcompromise.Certificaterevocationrequestsmustidentifytheentityrequestingrevocationandspecifythereasonforrevocation.

4.9.3. ProcedureforRevocationRequestDigiCertprocessesarevocationrequestasfollows:

1. DigiCertlogstheidentityofentitymakingtherequestorproblemreportandthereasonforrequestingrevocation.DigiCertmayalsoincludeitsownreasonsforrevocationinthelog.

2. DigiCertmayrequestconfirmationoftherevocationfromaknownadministrator,whereapplicable,viaout‐of‐bandcommunication(e.g.,telephone,fax,etc.).

3. IftherequestisauthenticatedasoriginatingfromtheSubscriber,DigiCertrevokestheCertificate.4. Forrequestsfromthirdparties,DigiCertpersonnelbegininvestigatingtherequestwithin24hours

afterreceiptanddecidewhetherrevocationisappropriatebasedonthefollowingcriteria:a. thenatureoftheallegedproblem,b. thenumberofreportsreceivedaboutaparticularCertificateorwebsite,c. theidentityofthecomplainants(forexample,complaintsfromalawenforcementofficial

thatawebsiteisengagedinillegalactivitieshavemoreweightthanacomplaintfromaconsumerallegingtheyneverreceivedthegoodstheyordered),and

d. relevantlegislation.5. IfDigiCertdeterminesthatrevocationisappropriate,DigiCertpersonnelrevoketheCertificateand

updatetheCRL.DigiCertmaintainsacontinuous24/7abilitytointernallyrespondtoanyhighpriorityrevocationrequests.Ifappropriate,DigiCertforwardscomplaintstolawenforcement.WheneveraPIV‐ICardisnolongervalid,theRAresponsibleforitsissuanceormaintenanceisrequiredtocollectthePIV‐ICardfromtheSubscriberassoonaspossibleanddestroythePIV‐ICard.TheRAmustlogthecollectionandphysicaldestructionofeachPIV‐ICard.

4.9.4. RevocationRequestGracePeriodSubscribersarerequiredtorequestrevocationwithinonedayafterdetectingthelossorcompromiseofthePrivateKey.DigiCertmaygrantandextendrevocationgraceperiodsonacase‐by‐casebasis.DigiCertreportsthesuspectedcompromiseofitsCAPrivateKeyandrequestsrevocationtoboththepolicyauthorityandoperatingauthorityofthesuperiorissuingCAwithinonehourofdiscovery.

4.9.5. TimewithinwhichCAMustProcesstheRevocationRequestDigiCertwillrevokeaCACertificatewithinonehourafterreceivingclearinstructionsfromtheDCPA.OtherCertificatesarerevokedasquicklyaspracticalaftervalidatingtherevocationrequest,generallywithinthefollowingtimeframes:

Certificaterevocationrequestsforpublicly‐trustedCertificatesareprocessedwithin18hoursaftertheirreceipt,

RevocationrequestsreceivedtwoormorehoursbeforeCRLissuanceareprocessedbeforethenextCRLispublished,and

RevocationrequestsreceivedwithintwohoursofCRLissuanceareprocessedbeforethefollowingCRLispublished.

4.9.6. RevocationCheckingRequirementforRelyingPartiesPriortorelyingoninformationlistedinaCertificate,aRelyingPartymustconfirmthevalidityofeachCertificateinthecertificatepathinaccordancewithIETFPKIXstandards,includingcheckingforcertificatevalidity,issuer‐to‐subjectnamechaining,policyandkeyuseconstraints,andrevocationstatusthroughCRLsorOCSPrespondersidentifiedineachCertificateinthechain.

4.9.7. CRLIssuanceFrequencyDigiCertusesitsofflinerootCAstopublishCRLsforitsintermediateCAsatleastevery6months.ForanofflineCAthathasbeencross‐signedbytheFederalBridgeCAandonlyissuesCACertificates,certificate‐status‐checkingcertificates,orinternaladministrativeCertificates,DigiCertissuesaCRLatleastevery31days.AllotherCRLsarepublishedatleastevery24hours.IfaCertificateisrevokedforreasonofkeycompromise,aninterimCRLispublishedassoonasfeasible,butnolaterthan18hoursafterreceiptofthenoticeofkeycompromise.

4.9.8. MaximumLatencyforCRLsCRLsforCertificatesissuedtoendentitysubscribersarepostedautomaticallytotheonlinerepositorywithinacommerciallyreasonabletimeaftergeneration,usuallywithinminutesofgeneration.Irregular,interim,oremergencyCRLsandallCRLsforCAschainingtotheFederalBridgearepostedwithinfourhoursaftergeneration.RegularlyscheduledCRLsarepostedpriortothenextUpdatefieldinthepreviouslyissuedCRLofthesamescope.

4.9.9. On‐lineRevocation/StatusCheckingAvailabilityDigiCertmakescertificatestatusinformationavailableviaOCSPforSSLandPIV‐ICertificates.OCSPmaynotbeavailableforotherkindsofCertificates.WhereOCSPsupportisrequiredbytheapplicableCP,OCSPresponsesareprovidedwithinacommerciallyreasonabletimeandnolaterthansixsecondsaftertherequestisreceived,subjecttotransmissionlatenciesovertheInternet.

4.9.10. On‐lineRevocationCheckingRequirementsArelyingpartymustconfirmthevalidityofaCertificateinaccordancewithsection4.9.6priortorelyingontheCertificate.

4.9.11. OtherFormsofRevocationAdvertisementsAvailableNostipulation.

4.9.12. SpecialRequirementsRelatedtoKeyCompromiseDigiCertusescommerciallyreasonableeffortstonotifypotentialRelyingPartiesifitdiscoversorsuspectsthecompromiseofaPrivateKey.DigiCertwilltransitionanyrevocationreasoncodeinaCRLto“key

compromise”upondiscoveryofsuchreasonorasrequiredbyanapplicableCP.IfaCertificateisrevokedbecauseofcompromise,DigiCertwillissueanewCRLwithin18hoursafterreceivingnoticeofthecompromise.

4.9.13. CircumstancesforSuspensionNotapplicable.

4.9.14. WhoCanRequestSuspensionNotapplicable.

4.9.15. ProcedureforSuspensionRequestNotapplicable.

4.9.16. LimitsonSuspensionPeriodNotapplicable.

4.10. CERTIFICATESTATUSSERVICES

4.10.1. OperationalCharacteristicsCertificatestatusinformationisavailableviaCRLandOCSPresponder.TheserialnumberofarevokedCertificateremainsontheCRLuntiloneadditionalCRLispublishedaftertheendoftheCertificate’svalidityperiod,exceptforrevokedEVCodeSigningCertificates,whichremainontheCRLforatleast365daysfollowingtheCertificate’svalidityperiod.OCSPinformationforsubscriberCertificatesisupdatedatleasteveryfourdays.OCSPinformationforsubordinateCACertificatesisupdatedatleastevery12monthsandwithin24hoursafterrevokingtheCertificate.

4.10.2. ServiceAvailabilityCertificatestatusservicesareavailable24x7withoutinterruption.

4.10.3. OptionalFeaturesOCSPRespondersmaynotbeavailableforallcertificatetypes.

4.11. ENDOFSUBSCRIPTIONASubscriber’ssubscriptionserviceendsifitsCertificateexpiresorisrevokedoriftheapplicableSubscriberAgreementexpireswithoutrenewal.

4.12. KEYESCROWANDRECOVERY

4.12.1. KeyEscrowandRecoveryPolicyPractices

DigiCertneverescrowsCAPrivateKeys.DigiCertmayescrowSubscriberkeymanagementkeystoprovidekeyrecoveryservices.DigiCertencryptsandprotectsescrowedPrivateKeysusingthesameorahigherlevelofsecurityasusedtogenerateanddeliverthePrivateKey.ForCertificatescross‐certifiedwiththeFBCA,thirdpartiesarenotpermittedtoholdtheSubscribersignaturekeysintrust.DigiCertallowsSubscribersandotherauthorizedentitiestorecoverescrowed(decryption)PrivateKeys.DigiCertusesmulti‐personcontrolsduringkeyrecoverytopreventunauthorizedaccesstoaSubscriber’sescrowedPrivateKeys.DigiCertacceptskeyrecoveryrequests:

FromtheSubscriberorSubscriber’sorganization,iftheSubscriberhaslostordamagedtheprivate‐keytoken;

FromtheSubscriber’sorganization,iftheSubscriberisnotavailableorisnolongerpartoftheorganizationthatcontractedwithDigiCertforPrivateKeyescrow;

Fromanauthorizedinvestigatororauditor,ifthePrivateKeyispartofarequiredinvestigationoraudit;

Fromarequesterauthorizedbyacompetentlegalauthoritytoaccessthecommunicationthatisencryptedusingthekey;

Fromarequesterauthorizedbylaworgovernmentalregulation;or FromanentitycontractingwithDigiCertforescrowofthePrivateKeywhenkeyrecoveryismission

criticalormissionessential.EntitiesusingDigiCert’skeyescrowservicesarerequiredto:

NotifySubscribersthattheirPrivateKeysareescrowed; Protectescrowedkeysfromunauthorizeddisclosure; ProtectanyauthenticationmechanismsthatcouldbeusedtorecoverescrowedPrivateKeys; Releaseanescrowedkeyonlyaftermakingorreceiving(asapplicable)aproperlyauthorizedrequest

forrecovery;and Complywithanylegalobligationstodiscloseorkeepconfidentialescrowedkeys,escrowedkey‐

relatedinformation,orthefactsconcerninganykeyrecoveryrequestorprocess.

4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices

Nostipulation.

5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS

5.1. PHYSICALCONTROLS

5.1.1. SiteLocationandConstructionDigiCertperformsitsCAandTSAoperationsfromsecureandgeographicallydiversecommercialdatacenters.ThedatacentersareequippedwithlogicalandphysicalcontrolsthatmakeDigiCert’sCAandTSAoperationsinaccessibletonon‐trustedpersonnel.DigiCertoperatesunderasecuritypolicydesignedtodetect,deter,andpreventunauthorizedaccesstoDigiCert'soperations.

5.1.2. PhysicalAccessDigiCertprotectsitsequipment(includingcertificatestatusserversandCMSequipmentcontainingPIV‐IContentSigningkeys)fromunauthorizedaccessandimplementsphysicalcontrolstoreducetheriskofequipmenttampering.ThesecurepartsofDigiCertCAhostingfacilitiesareprotectedusingphysicalaccesscontrolsmakingthemaccessibleonlytoappropriatelyauthorizedindividuals.Accesstosecureareasofthebuildingsrequirestheuseofan"access"or"pass"card.Thebuildingsareequippedwithmotiondetectingsensors,andtheexteriorandinternalpassagewaysofthebuildingsareunderconstantvideosurveillance.DigiCertsecurelystoresallremovablemediaandpapercontainingsensitiveplain‐textinformationrelatedtoitsCAoperationsinsecurecontainersinaccordancewithitsDataClassificationPolicy.

5.1.2.1. DataCenterThedatacenterswhereDigiCert’sCAandTSAsystemsoperatehavesecuritypersonnelondutyfulltime(24hoursperday,365daysperyear).AccesstothedatacentershousingtheCAandTSAplatformsrequirestwo‐factorauthentication—theindividualmusthaveanauthorizedaccesscardandpassbiometricaccesscontrolauthenticators.Thesebiometricauthenticationaccesssystemslogeachuseoftheaccesscard.DigiCertdeactivatesandsecurelystoresitsCAequipmentwhennotinuse.Activationdatamusteitherbememorizedorrecordedandstoredinamannercommensuratewiththesecurityaffordedthecryptographicmodule.ActivationdataisneverstoredwiththecryptographicmoduleorremovablehardwareassociatedwithequipmentusedtoadministerDigiCert’sPrivateKeys.Cryptographichardwareincludesamechanismtolockthehardwareafteracertainnumberoffailedloginattempts.

TheDigiCertdatacentersarecontinuouslyattended.However,ifDigiCerteverbecomesawarethatadatacenteristobeleftunattendedorhasbeenleftunattendedforanextendedperiodoftime,DigiCertpersonnelwillperformasecuritycheckofthedatacentertoverifythat:

1. DigiCert’sequipmentisinastateappropriatetothecurrentmodeofoperation,2. Anysecuritycontainersareproperlysecured,3. Physicalsecuritysystems(e.g.,doorlocks)arefunctioningproperly,and4. Theareaissecuredagainstunauthorizedaccess.

DigiCert’sadministratorsareresponsibleformakingthesechecksandmustsignoffthatallnecessaryphysicalprotectionmechanismsareinplaceandactivated.Theidentityoftheindividualmakingthecheckislogged.

5.1.2.2. SupportandVettingRoomControlledaccessandkeyed‐lockdoorssecurethesupportandvettingroomswhereDigiCertpersonnelperformidentityvettingandotherRAfunctions.Accesscarduseisloggedbythebuildingsecuritysystem.Theroomisequippedwithmotion‐activatedvideosurveillancecameras.

5.1.3. PowerandAirConditioningDatacentershaveprimaryandsecondarypowersuppliesthatensurecontinuousanduninterruptedaccesstoelectricpower.Uninterruptedpowersupplies(UPS)anddieselgeneratorsprovideredundantbackuppower.DigiCertmonitorscapacitydemandsandmakesprojectionsaboutfuturecapacityrequirementstoensurethatadequateprocessingpowerandstorageareavailable.DigiCert’sdatacenterfacilitiesusemultipleload‐balancedHVACsystemsforheating,cooling,andairventilationthroughperforated‐tileraisedflooringtopreventoverheatingandtomaintainasuitablehumiditylevelforsensitivecomputersystems.

5.1.4. WaterExposuresThecabinetshousingDigiCert'sCAandTSAsystemsarelocatedonraisedflooring,andthedatacentersareequippedwithmonitoringsystemstodetectexcessmoisture.

5.1.5. FirePreventionandProtectionThedatacentersareequippedwithfiresuppressionmechanisms.

5.1.6. MediaStorageDigiCertprotectsitsmediafromaccidentaldamageandunauthorizedphysicalaccess.Backupfilesarecreatedonadailybasis.DigiCert’sbackupfilesaremaintainedatlocationsseparatefromDigiCert’sprimarydataoperationsfacility.

5.1.7. WasteDisposalAllunnecessarycopiesofprintedsensitiveinformationareshreddedon‐sitebeforedisposal.Allelectronicmediaarezeroized(alldataisoverwrittenwithbinaryzerossoastopreventtherecoveryofthedata)usingprogramsmeetingU.S.DepartmentofDefenserequirements.

5.1.8. Off‐siteBackupDigiCertmaintainsatleastonefullbackupandmakesregularbackupcopiesofanyinformationnecessarytorecoverfromasystemfailure.BackupcopiesofCAPrivateKeysandactivationdataarestoredfordisasterrecoverypurposesoff‐siteinsafedepositboxeslocatedinsidefederallyinsuredfinancialinstitutionsandareaccessibleonlybytrustedpersonnel.

5.1.9. CertificateStatusHosting,CMSandExternalRASystemsAllphysicalcontrolrequirementsunderSection5.1applyequallytoanyCertificateStatusHosting,CMS,orexternalRAsystem.

5.2. PROCEDURALCONTROLS

5.2.1. TrustedRolesPersonnelactingintrustedrolesincludeCA,TSA,andRAsystemadministrationpersonnel,andpersonnelinvolvedwithidentityvettingandtheissuanceandrevocationofCertificates.ThefunctionsanddutiesperformedbypersonsintrustedrolesaredistributedsothatonepersonalonecannotcircumventsecuritymeasuresorsubvertthesecurityandtrustworthinessofthePKIorTSAoperations.AllpersonnelintrustedrolesmustbefreefromconflictsofinterestthatmightprejudicetheimpartialityoftheDigiCertPKI’soperations.Trustedrolesareappointedbyseniormanagement.Alistofpersonnelappointedtotrustedrolesismaintainedandreviewedannually.PersonsactingintrustedrolesareonlyallowedtoaccessaCMSaftertheyareauthenticatedusingamethodcommensuratewithissuanceandcontrolofPIV‐IHardware.

5.2.1.1. CAAdministratorsTheCAAdministratorinstallsandconfigurestheCAsoftware,includingkeygeneration,keybackup,andkeymanagement.TheCAAdministratorperformsandsecurelystoresregularsystembackupsoftheCAsystem.AdministratorsdonotissueCertificatestoSubscribers.

5.2.1.2. RegistrationOfficers–CMS,RA,ValidationandVettingPersonnelTheRegistrationOfficerroleisresponsibleforissuingandrevokingCertificates,includingenrollment,identityverification,andcompliancewithrequiredissuanceandrevocationstepssuchasmanagingthecertificaterequestqueueandcompletingcertificateapprovalchecklistsasidentityvettingtasksaresuccessfullycompleted.

5.2.1.3. SystemAdministrators/SystemEngineers(Operator)TheSystemAdministrator/SystemEngineerinstallsandconfiguressystemhardware,includingservers,routers,firewalls,andnetworkconfigurations.TheSystemAdministrator/SystemEngineeralsokeepsCA,CMSandRAsystemsupdatedwithsoftwarepatchesandothermaintenanceneededforsystemstabilityandrecoverability.

5.2.1.4. InternalAuditorsInternalAuditorsareresponsibleforreviewing,maintaining,andarchivingauditlogsandperformingoroverseeinginternalcomplianceauditstodetermineifDigiCert,anIssuerCA,orRAisoperatinginaccordancewiththisCPSoranRA’sRegistrationPracticesStatement.

5.2.2. NumberofPersonsRequiredperTaskDigiCertrequiresthatatleasttwopeopleactinginatrustedrole(onetheCAAdministratorandtheothernotanInternalAuditor)takeactionrequiringatrustedrole,suchasactivatingDigiCert’sPrivateKeys,generatingaCAKeyPair,orbackingupaDigiCertPrivateKey.TheInternalAuditormayservetofulfilltherequirementofmultipartycontrolforphysicalaccesstotheCAsystembutnotlogicalaccess.NosingleindividualhasthecapabilitytoissueaPIV‐Icredential.

5.2.3. IdentificationandAuthenticationforeachRoleAllpersonnelarerequiredtoauthenticatethemselvestoCA,TSA,andRAsystemsbeforetheyareallowedaccesstosystemsnecessarytoperformtheirtrustedroles.

5.2.4. RolesRequiringSeparationofDutiesRolesrequiringaseparationofdutiesinclude:

1. Thoseperformingauthorizationfunctionssuchastheverificationofinformationincertificateapplicationsandapprovalsofcertificateapplicationsandrevocationrequests,

2. Thoseperformingbackups,recording,andrecordkeepingfunctions;3. Thoseperformingaudit,review,oversight,orreconciliationfunctions;and

4. ThoseperformingdutiesrelatedtoCA/TSAkeymanagementorCA/TSAadministration.Toaccomplishthisseparationofduties,DigiCertspecificallydesignatesindividualstothetrustedrolesdefinedinSection5.2.1above.DigiCertappointsindividualstoonlyoneoftheRegistrationOfficer,Administrator,Operator,orInternalAuditorroles.IndividualsdesignatedasRegistrationOfficerorAdministratormayperformOperatorduties,butanInternalAuditormaynotassumeanyotherrole.DigiCert’ssystemsidentifyandauthenticateindividualsactingintrustedroles,restrictanindividualfromassumingmultipleroles,andpreventanyindividualfromhavingmorethanoneidentity.

5.3. PERSONNELCONTROLS

5.3.1. Qualifications,Experience,andClearanceRequirementsTheDCPAisresponsibleandaccountableforDigiCert’sPKIoperationsandensurescompliancewiththisCPSandtheCP.DigiCert’spersonnelandmanagementpracticesprovidereasonableassuranceofthetrustworthinessandcompetenceofitsemployeesandofthesatisfactoryperformanceoftheirduties.AlltrustedrolesforCAsissuingFederatedDeviceCertificates,ClientCertificatesatLevels3‐USand4‐US(whichareintendedforinteroperabilitythroughtheFederalBridgeCAatid‐fpki‐certpcy‐mediumAssuranceandid‐fpki‐certpcy‐mediumHardware),andPIV‐ICertificatesareheldbycitizensoftheUnitedStates.AnindividualperformingatrustedroleforanRAmaybeacitizenofthecountrywheretheRAislocated.ThereisnocitizenshiprequirementforpersonnelperformingtrustedrolesassociatedwiththeissuanceofotherkindsofCertificates.Managementandoperationalsupportpersonnelinvolvedintime‐stampoperationspossessexperiencewithinformationsecurityandriskassessmentandknowledgeoftime‐stampingtechnology,digitalsignaturetechnology,mechanismsforcalibrationoftimestampingclockswithUTC,andsecurityprocedures.TheDCPAensuresthatallindividualsassignedtotrustedroleshavetheexperience,qualifications,andtrustworthinessrequiredtoperformtheirdutiesunderthisCPS.

5.3.2. BackgroundCheckProceduresDigiCertverifiestheidentityofeachemployeeappointedtoatrustedroleandperformsabackgroundcheckpriortoallowingsuchpersontoactinatrustedrole.DigiCertrequireseachindividualtoappearin‐personbeforeahumanresourcesemployeewhoseresponsibilityitistoverifyidentity.Thehumanresourcesemployeeverifiestheindividual’sidentityusinggovernment‐issuedphotoidentification(e.g.,passportsand/ordriver’slicensesreviewedpursuanttoU.S.CitizenshipandImmigrationServicesFormI‐9,EmploymentEligibilityVerification,orcomparableprocedureforthejurisdictioninwhichtheindividual’sidentityisbeingverified).Backgroundchecksincludeemploymenthistory,education,characterreferences,socialsecuritynumber,previousresidences,drivingrecordsandcriminalbackground.Checksofpreviousresidencesareoverthepastthreeyears.Allotherchecksareforthepreviousfiveyears.Thehighesteducationdegreeobtainedisverifiedregardlessofthedateawarded.Basedupontheinformationobtainedduringthebackgroundcheck,thehumanresourcesdepartmentmakesanadjudicationdecision,withtheassistanceoflegalcounselwhennecessary,astowhethertheindividualissuitableforthepositiontowhichtheywillbeassigned.Backgroundchecksarerefreshedandre‐adjudicationoccursatleasteverytenyears.

5.3.3. TrainingRequirementsDigiCertprovidesskillstrainingtoallemployeesinvolvedinDigiCert’sPKIandTSAoperations.Thetrainingrelatestotheperson’sjobfunctionsandcovers:

1. basicPublicKeyInfrastructure(PKI)knowledge,2. softwareversionsusedbyDigiCert,3. authenticationandverificationpoliciesandprocedures,4. DigiCertsecurityprinciplesandmechanisms,5. disasterrecoveryandbusinesscontinuityprocedures,6. commonthreatstothevalidationprocess,includingphishingandothersocialengineeringtactics,

and7. applicableindustryandgovernmentguidelines.

Trainingisprovidedviaamentoringprocessinvolvingseniormembersoftheteamtowhichtheemployeebelongs.DigiCertmaintainsrecordsofwhoreceivedtrainingandwhatleveloftrainingwascompleted.RegistrationOfficersmusthavetheminimumskillsnecessarytosatisfactorilyperformvalidationdutiesbeforebeinggrantedvalidationprivileges.AllRegistrationOfficersarerequiredtopassaninternalexaminationontheEVGuidelinesandtheBaselineRequirementspriortovalidatingandapprovingtheissuanceofCertificates.Wherecompetenceisdemonstratedinlieuoftraining,DigiCertmaintainssupportingdocumentation.

5.3.4. RetrainingFrequencyandRequirementsEmployeesmustmaintainskilllevelsthatareconsistentwithindustry‐relevanttrainingandperformanceprogramsinordertocontinueactingintrustedroles.DigiCertmakesallemployeesactingintrustedrolesawareofanychangestoDigiCert’soperations.IfDigiCert’soperationschange,DigiCertwillprovidedocumentedtraining,inaccordancewithanexecutedtrainingplan,toallemployeesactingintrustedroles.

5.3.5. JobRotationFrequencyandSequenceNostipulation.

5.3.6. SanctionsforUnauthorizedActionsDigiCertemployeesandagentsfailingtocomplywiththisCPS,whetherthroughnegligenceormaliciousintent,aresubjecttoadministrativeordisciplinaryactions,includingterminationofemploymentoragencyandcriminalsanctions.Ifapersoninatrustedroleiscitedbymanagementforunauthorizedorinappropriateactions,thepersonwillbeimmediatelyremovedfromthetrustedrolependingmanagementreview.Aftermanagementhasreviewedanddiscussedtheincidentwiththeemployeeinvolved,managementmayreassignthatemployeetoanon‐trustedroleordismisstheindividualfromemploymentasappropriate.

5.3.7. IndependentContractorRequirementsIndependentcontractorswhoareassignedtoperformtrustedrolesaresubjecttothedutiesandrequirementsspecifiedforsuchrolesinthisSection5.3andaresubjecttosanctionsstatedaboveinSection5.3.6.

5.3.8. DocumentationSuppliedtoPersonnelPersonnelintrustedrolesareprovidedwiththedocumentationnecessarytoperformtheirduties,includingacopyoftheCP,thisCPS,EVGuidelines,andothertechnicalandoperationaldocumentationneededtomaintaintheintegrityofDigiCert'sCAoperations.Personnelarealsogivenaccesstoinformationoninternalsystemsandsecuritydocumentation,identityvettingpoliciesandprocedures,discipline‐specificbooks,treatisesandperiodicals,andotherinformation.

5.4. AUDITLOGGINGPROCEDURES

5.4.1. TypesofEventsRecordedDigiCert’ssystemsrequireidentificationandauthenticationatsystemlogonwithauniqueusernameandpassword.Importantsystemactionsareloggedtoestablishtheaccountabilityoftheoperatorswhoinitiatesuchactions.DigiCertenablesallessentialeventauditingcapabilitiesofitsCAandTSAapplicationsinordertorecordtheeventslistedbelow.IfDigiCert’sapplicationscannotautomaticallyrecordanevent,DigiCertimplementsmanualprocedurestosatisfytherequirements.Foreachevent,DigiCertrecordstherelevant(i)dateandtime,(ii)typeofevent,(iii)successorfailure,and(iv)userorsystemthatcausedtheeventorinitiatedtheaction.DigiCertrecordstheprecisetimeofanysignificantTSAevents.AlleventrecordsareavailabletoauditorsasproofofDigiCert’spractices.

AuditableEventSECURITYAUDITAnychangestotheauditparameters,e.g.,auditfrequency,typeofeventauditedAnyattempttodeleteormodifytheauditlogsAUTHENTICATIONTOSYSTEMSSuccessfulandunsuccessfulattemptstoassumearoleThevalueofmaximumnumberofauthenticationattemptsischangedMaximumnumberofauthenticationattemptsoccurduringuserloginAnadministratorunlocksanaccountthathasbeenlockedasaresultofunsuccessfulauthenticationattemptsAnadministratorchangesthetypeofauthenticator,e.g.,fromapasswordtoabiometricLOCALDATAENTRYAllsecurity‐relevantdatathatisenteredinthesystemREMOTEDATAENTRYAllsecurity‐relevantmessagesthatarereceivedbythesystemDATAEXPORTANDOUTPUTAllsuccessfulandunsuccessfulrequestsforconfidentialandsecurity‐relevantinformationKEYGENERATIONWheneveraCAgeneratesakey(notmandatoryforsinglesessionorone‐timeusesymmetrickeys)PRIVATEKEYLOADANDSTORAGETheloadingofComponentPrivateKeysAllaccesstocertificatesubjectPrivateKeysretainedwithintheCAforkeyrecoverypurposesTRUSTEDPUBLICKEYENTRY,DELETIONANDSTORAGESECRETKEYSTORAGEThemanualentryofsecretkeysusedforauthenticationPRIVATEANDSECRETKEYEXPORTTheexportofprivateandsecretkeys(keysusedforasinglesessionormessageareexcluded)CERTIFICATEREGISTRATIONAllcertificaterequests,includingissuance,re‐key,renewal,andrevocationCertificateissuanceVerificationactivitiesCERTIFICATEREVOCATIONAllcertificaterevocationrequestsCERTIFICATESTATUSCHANGEAPPROVALANDREJECTIONCACONFIGURATIONAnysecurity‐relevantchangestotheconfigurationofaCAsystemcomponentACCOUNTADMINISTRATIONRolesandusersareaddedordeletedTheaccesscontrolprivilegesofauseraccountorarolearemodifiedCERTIFICATEPROFILEMANAGEMENTAllchangestothecertificateprofileREVOCATIONPROFILEMANAGEMENTAllchangestotherevocationprofileCERTIFICATEREVOCATIONLISTPROFILEMANAGEMENTAllchangestothecertificaterevocationlistprofileGenerationofCRLsandOCSPentriesTIMESTAMPINGClocksynchronizationMISCELLANEOUSAppointmentofanindividualtoaTrustedRoleDesignationofpersonnelformultipartycontrolInstallationofanOperatingSystem,PKIApplication,orHardwareSecurityModule

AuditableEventRemovalorDestructionofHSMsSystemStartupLogonattemptstoPKIApplicationReceiptofhardware/softwareAttemptstosetormodifypasswordsBackuporrestorationoftheinternalCAdatabaseFilemanipulation(e.g.,creation,renaming,moving)PostingofanymaterialtoarepositoryAccesstotheinternalCAdatabaseAllcertificatecompromisenotificationrequestsLoadingHSMswithCertificatesShipmentofHSMsZeroizingHSMsRe‐keyoftheComponentCONFIGURATIONCHANGESHardwareSoftwareOperatingSystemPatchesSecurityProfilesPHYSICALACCESS/SITESECURITYPersonnelaccesstosecureareahousingCAorTSAcomponentAccesstoaCAorTSAcomponentKnownorsuspectedviolationsofphysicalsecurityFirewallandrouteractivitiesANOMALIESSystemcrashesandhardwarefailuresSoftwareerrorconditionsSoftwarecheckintegrityfailuresReceiptofimpropermessagesandmisroutedmessagesNetworkattacks(suspectedorconfirmed)EquipmentfailureElectricalpoweroutagesUninterruptiblePowerSupply(UPS)failureObviousandsignificantnetworkserviceoraccessfailuresViolationsofaCPSResettingOperatingSystemclock

5.4.2. FrequencyofProcessingLogAtleastonceeverytwomonths,aDigiCertadministratorreviewsthelogsgeneratedbyDigiCert’ssystems,makessystemandfileintegritychecks,andconductsavulnerabilityassessment.Theadministratormayperformthechecksusingautomatedtools.Duringthesechecks,theadministrator(1)checkswhetheranyonehastamperedwiththelog,(2)scansforanomaliesorspecificconditions,includinganyevidenceofmaliciousactivity,and(3)preparesawrittensummaryofthereview.Anyanomaliesorirregularitiesfoundinthelogsareinvestigated.ThesummariesincluderecommendationstoDigiCert’soperationsmanagementcommitteeandaremadeavailabletoDigiCert'sauditorsuponrequest.DigiCertdocumentsanyactionstakenasaresultofareview.

5.4.3. RetentionPeriodforAuditLogDigiCertretainsauditlogson‐siteuntilaftertheyarereviewed.TheindividualswhoremoveauditlogsfromDigiCert’sCAsystemsaredifferentthantheindividualswhocontrolDigiCert’ssignaturekeys.

5.4.4. ProtectionofAuditLogCAauditloginformationisretainedonequipmentuntilafteritiscopiedbyasystemadministrator.DigiCert’sCAandTSAsystemsareconfiguredtoensurethat(i)onlyauthorizedpeoplehavereadaccesstologs,(ii)onlyauthorizedpeoplemayarchiveauditlogs,and(iii)auditlogsarenotmodified.Auditlogsareprotectedfromdestructionpriortotheendoftheauditlogretentionperiodandareretainedsecurelyon‐siteuntiltransferredtoabackupsite.DigiCert’soff‐sitestoragelocationisasafeandsecurelocationthatisseparatefromthelocationwherethedatawasgenerated.DigiCertmakestime‐stampingrecordsavailablewhenrequiredtoproveinalegalproceedingthatDigiCert’stime‐stampingservicesareoperatingcorrectly.Auditlogsaremadeavailabletoauditorsuponrequest.

5.4.5. AuditLogBackupProceduresDigiCertmakesregularbackupcopiesofauditlogsandauditlogsummariesandsendsacopyoftheauditlogoff‐siteonamonthlybasis.

5.4.6. AuditCollectionSystem(internalvs.external)Automaticauditprocessesbeginonsystemstartupandendatsystemshutdown.Ifanautomatedauditsystemfailsandtheintegrityofthesystemorconfidentialityoftheinformationprotectedbythesystemisatrisk,DigiCert’sAdministratorsandtheDCPAshallbenotifiedandtheDCPAwillconsidersuspendingtheCA’sorRA’soperationsuntiltheproblemisremedied.

5.4.7. NotificationtoEvent‐causingSubjectNostipulation.

5.4.8. VulnerabilityAssessmentsDigiCertperformsannualriskassessmentsthatidentifyandassessreasonablyforeseeableinternalandexternalthreatsthatcouldresultinunauthorizedaccess,disclosure,misuse,alteration,ordestructionofanycertificatedataorcertificateissuanceprocess.DigiCertalsoroutinelyassessesthesufficiencyofthepolicies,procedures,informationsystems,technology,andotherarrangementsthatDigiCerthasinplacetocontrolsuchrisks.DigiCert’sInternalAuditorsreviewthesecurityauditdatachecksforcontinuity.DigiCert’sauditlogmonitoringtoolsalerttheappropriatepersonnelofanyevents,suchasrepeatedfailedactions,requestsforprivilegedinformation,attemptedaccessofsystemfiles,andunauthenticatedresponses.

5.5. RECORDSARCHIVALDigiCertcomplieswithallrecordretentionpoliciesthatapplybylaw.DigiCertincludessufficientdetailinallarchivedrecordstoshowthataCertificateortime‐stamptokenwasissuedinaccordancewiththisCPS.

5.5.1. TypesofRecordsArchivedDigiCertretainsthefollowinginformationinitsarchives(assuchinformationpertainstoDigiCert’sCA/TSAoperations):

1. AccreditationsofDigiCert,2. CPandCPSversions,3. ContractualobligationsandotheragreementsconcerningtheoperationoftheCA/TSA,4. Systemandequipmentconfigurations,modifications,andupdates,5. Rejectionoracceptanceofacertificaterequest,6. Certificateissuance,rekey,renewal,andrevocationrequests,7. SufficientidentityauthenticationdatatosatisfytheidentificationrequirementsofSection3.2,

includinginformationabouttelephonecallsmadeforverificationpurposes,8. AnydocumentationrelatedtothereceiptoracceptanceofaCertificateortoken,9. SubscriberAgreements,10. IssuedCertificates,11. Arecordofcertificatere‐keys,12. CRLsforCAscross‐certifiedwiththeFederalBridgeCA,13. Dataorapplicationsnecessarytoverifyanarchive’scontents,

14. Complianceauditorreports,15. ChangestoDigiCert’sauditparameters,16. Anyattempttodeleteormodifyauditlogs,17. Keygeneration,destruction,storage,backup,andrecovery,18. AccesstoPrivateKeysforkeyrecoverypurposes,19. ChangestotrustedPublicKeys,20. ExportofPrivateKeys,21. Approvalorrejectionofarevocationrequest,22. Appointmentofanindividualtoatrustedrole,23. Destructionofacryptographicmodule,24. Certificatecompromisenotifications,25. Remedialactiontakenasaresultofviolationsofphysicalsecurity,and26. ViolationsoftheCPorCPS.

5.5.2. RetentionPeriodforArchiveDigiCertretainsarchiveddataassociatedwithLevel3orLevel4,federateddevice,andPIV‐ICertificatesforatleast10.5years.DigiCert,ortheRAsupportingissuance,archivesdataforothercertificatetypesforatleast7.5years.

5.5.3. ProtectionofArchiveArchiverecordsarestoredatasecureoff‐sitelocationandaremaintainedinamannerthatpreventsunauthorizedmodification,substitution,ordestruction.ArchivesarenotreleasedexceptasallowedbytheDCPAorasrequiredbylaw.DigiCertmaintainsanysoftwareapplicationrequiredtoprocessthearchivedatauntilthedataiseitherdestroyedortransferredtoanewermedium.IfDigiCertneedstotransferanymediatoadifferentarchivesiteorequipment,DigiCertwillmaintainbotharchivedlocationsand/orpiecesofequipmentuntilthetransferarecomplete.Alltransferstonewarchiveswilloccurinasecuremanner.

5.5.4. ArchiveBackupProceduresOnatleastanannualbasis,DigiCertcreatesanarchivediskofthedatalistedinsection5.5.1bygroupingthedatatypestogetherbysourceintoseparate,compressedarchivefiles.Eacharchivefileishashedtoproducechecksumsthatarestoredseparatelyforintegrityverificationatalaterdate.DigiCertstoresthearchivediskinasecureoff‐sitelocationforthedurationofthesetretentionperiod.RAscreateandstorearchivedrecordsinaccordancewiththeapplicabledocumentationretentionpolicy.

5.5.5. RequirementsforTime‐stampingofRecordsDigiCertautomaticallytime‐stampsarchivedrecordswithsystemtime(non‐cryptographicmethod)astheyarecreated.DigiCertsynchronizesitssystemtimeatleasteveryeighthoursusingarealtimevaluedistributedbyarecognizedUTC(k)laboratoryorNationalMeasurementInstitute.

5.5.6. ArchiveCollectionSystem(internalorexternal)ArchiveinformationiscollectedinternallybyDigiCert.

5.5.7. ProcedurestoObtainandVerifyArchiveInformationDetailsconcerningthecreationandstorageofarchiveinformationarefoundinsection5.5.4.AfterreceivingarequestmadeforaproperpurposebyaCustomer,itsagent,orapartyinvolvedinadisputeoveratransactioninvolvingtheDigiCertPKI,DigiCertmayelecttoretrievetheinformationfromarchival.Theintegrityofarchiveinformationisverifiedbycomparingahashofthecompressedarchivefilewiththefilechecksumoriginallystoredforthatfile,asdescribedinSection5.5.4.DigiCertmayelecttotransmittherelevantinformationviaasecureelectronicmethodorcourier,oritmayalsorefusetoprovidetheinformationinitsdiscretionandmayrequirepriorpaymentofallcostsassociatedwiththedata.

5.6. KEYCHANGEOVERKeychangeoverproceduresenablethesmoothtransitionfromexpiringCACertificatestonewCACertificates.TowardstheendofaCAPrivateKey’slifetime,DigiCertceasesusingtheexpiringCAPrivateKeytosignCertificatesandusestheoldPrivateKeyonlytosignCRLsandOCSPresponderCertificates.AnewCAsigningKeyPairiscommissionedandallsubsequentlyissuedCertificatesandCRLsaresignedwiththenewprivatesigningkey.BoththeoldandthenewKeyPairsmaybeconcurrentlyactive.ThiskeychangeoverprocesshelpsminimizeanyadverseeffectsfromCAcertificateexpiration.ThecorrespondingnewCAPublicKeyCertificateisprovidedtosubscribersandrelyingpartiesthroughthedeliverymethodsdetailedinSection6.1.4.WhereDigiCerthascross‐certifiedanotherCAthatisintheprocessofakeyrollover,DigiCertobtainsanewCAPublicKey(PKCS#10)ornewCACertificatefromtheotherCAanddistributesanewCAcrossCertificatefollowingtheproceduresdescribedabove.

5.7. COMPROMISEANDDISASTERRECOVERY

5.7.1. IncidentandCompromiseHandlingProceduresDigiCertmaintainsincidentresponseprocedurestoguidepersonnelinresponsetosecurityincidents,naturaldisasters,andsimilareventsthatmaygiverisetosystemcompromise.DigiCertreviews,tests,andupdatesitsincidentresponseplansandproceduresonatleastanannualbasis.

5.7.2. ComputingResources,Software,and/orDataAreCorruptedDigiCertmakesregularsystembackupsonatleastaweeklybasisandmaintainsbackupcopiesofitsPrivateKeys,whicharestoredinasecure,off‐sitelocation.IfDigiCertdiscoversthatanyofitscomputingresources,software,ordataoperationshavebeencompromised,DigiCertassessesthethreatsandrisksthatthecompromisepresentstotheintegrityorsecurityofitsoperationsorthoseofaffectedparties.IfDigiCertdeterminesthatacontinuedoperationcouldposeasignificantrisktoRelyingPartiesorSubscribers,DigiCertsuspendssuchoperationuntilitdeterminesthattheriskismitigated.

5.7.3. EntityPrivateKeyCompromiseProceduresIfDigiCertsuspectsthatoneofitsPrivateKeyshasbeencomprisedorlostthenanemergencyresponseteamwillconveneandassessthesituationtodeterminethedegreeandscopeoftheincidentandtakeappropriateaction.Specifically,DigiCertwill:

1. Collectinformationrelatedtotheincident;2. Begininvestigatingtheincidentanddeterminethedegreeandscopeofthecompromise;3. Haveitsincidentresponseteamdetermineandreportonthecourseofactionorstrategythatshould

betakentocorrecttheproblemandpreventreoccurrence;4. Ifappropriate,contactgovernmentagencies,lawenforcement,andotherinterestedpartiesand

activateanyotherappropriateadditionalsecuritymeasures;5. IfthecompromiseinvolvesaPrivateKeyusedtosigntime‐stamptokens,provideadescriptionofthe

compromisetoSubscribersandRelyingParties;6. Notifyanycross‐certifiedentitiesofthecompromisesothattheycanrevoketheircross‐Certificates;7. MakeinformationavailablethatcanbeusedtoidentifywhichCertificatesandtime‐stamptokensare

affected,unlessdoingsowouldbreachtheprivacyofaDigiCertuserorthesecurityofDigiCert’sservices;

8. Monitoritssystem,continueitsinvestigation,ensurethatdataisstillbeingrecordedasevidence,andmakeaforensiccopyofdatacollected;

9. Isolate,contain,andstabilizeitssystems,applyinganyshort‐termfixesneededtoreturnthesystemtoanormaloperatingstate;

10. Prepareandcirculateanincidentreportthatanalyzesthecauseoftheincidentanddocumentsthelessonslearned;and

11. IncorporatelessonslearnedintotheimplementationoflongtermsolutionsandtheIncidentResponsePlan.

DigiCertmaygenerateanewKeyPairandsignanewCertificate.IfadisasterphysicallydamagesDigiCert’sequipmentanddestroysallcopiesofDigiCert’ssignaturekeysthenDigiCertwillprovidenoticetoaffectedpartiesattheearliestfeasibletime.

5.7.4. BusinessContinuityCapabilitiesafteraDisasterTomaintaintheintegrityofitsservices,DigiCertimplementsdatabackupandrecoveryproceduresaspartofitsBusinessContinuityManagementPlan(BCMP).StatedgoalsoftheBCMParetoensurethatcertificatestatusservicesbeonlyminimallyaffectedbyanydisasterinvolvingDigiCert’sprimaryfacilityandthatDigiCertbecapableofmaintainingotherservicesorresumingthemasquicklyaspossiblefollowingadisaster.DigiCertreviews,tests,andupdatestheBCMPandsupportingproceduresatleastannually.DigiCert'ssystemsareredundantlyconfiguredatitsprimaryfacilityandaremirroredataseparate,geographicallydiverselocationforfailoverintheeventofadisaster.IfadisastercausesDigiCert’sprimaryCAorTSAoperationstobecomeinoperative,DigiCertwillre‐initiateitsoperationsatitssecondarylocationgivingprioritytotheprovisionofcertificatestatusinformationandtimestampingcapabilities,ifaffected.

5.8. CAORRATERMINATIONBeforeterminatingitsCAorTSAactivities,DigiCertwill:

1. Providenoticeandinformationabouttheterminationbysendingnoticebyemailtoitscustomers,ApplicationSoftwareVendors,andcross‐certifyingentitiesandbypostingsuchinformationonDigiCert’swebsite;and

2. Transferallresponsibilitiestoaqualifiedsuccessorentity.Ifaqualifiedsuccessorentitydoesnotexist,DigiCertwill:

1. transferthosefunctionscapableofbeingtransferredtoareliablethirdpartyandarrangetopreserveallrelevantrecordswithareliablethirdpartyoragovernment,regulatory,orlegalbodywithappropriateauthority;

2. revokeallCertificatesthatarestillun‐revokedorun‐expiredonadateasspecifiedinthenoticeandpublishfinalCRLs;

3. destroyallPrivateKeys;and4. makeothernecessaryarrangementsthatareinaccordancewiththisCPS.

DigiCerthasmadearrangementstocoverthecostsassociatedwithfulfillingtheserequirementsincaseDigiCertbecomesbankruptorisunabletocoverthecosts.Anyrequirementsofthissectionthatarevariedbycontractapplyonlythecontractingparties.

6. TECHNICALSECURITYCONTROLS

6.1. KEYPAIRGENERATIONANDINSTALLATION

6.1.1. KeyPairGeneration

AllkeysmustbegeneratedusingaFIPS‐approvedmethodorequivalentinternationalstandard.DigiCert'sCAKeyPairsaregeneratedbymultipletrustedindividualsactingintrustedrolesandusingacryptographichardwaredeviceaspartofscriptedkeygenerationceremony.ThecryptographichardwareisevaluatedtoFIPS140‐1Level3andEAL4+.Activationofthehardwarerequirestheuseoftwo‐factorauthenticationtokens.DigiCertcreatesauditableevidenceduringthekeygenerationprocesstoprovethattheCPSwasfollowedandroleseparationwasenforcedduringthekeygenerationprocess.DigiCertrequiresthatanexternalauditorwitnessthegenerationofanyCAkeystobeusedaspubliclytrustedrootCertificatesortosignEVCertificates.ForotherCAkeypairgenerationceremonies,anInternalAuditor,externalauditor,orindependentthirdpartyattendstheceremony,oranexternalauditorexaminesthesignedanddocumentedrecordofthekeygenerationceremony,asallowedbyapplicablepolicy.

Subscribersmustgeneratetheirkeysinamannerthatisappropriateforthecertificatetype.CertificatesissuedatLevel3HardwareoratLevel4BiometricmustbegeneratedonvalidatedhardwarecryptographicmodulesusingaFIPS‐approvedmethod.SubscriberswhogeneratetheirownkeysforaQualifiedCertificateonanSSCDshallensurethattheSSCDmeetstherequirementsofCWA14169andthatthePublicKeytobecertifiedisfromtheKeyPairgeneratedbytheSSCD.ForAdobeSigningCertificates,SubscribersmustgeneratetheirKeyPairsinamediumthatpreventsexportationorduplicationandthatmeetsorexceedsFIPS140‐1Level2certificationstandards.

6.1.2. PrivateKeyDeliverytoSubscriberIfDigiCert,aCMS,oranRAgeneratesakeyforaSubscriber,thenitmustdeliverthePrivateKeysecurelytotheSubscriber.Keysmaybedeliveredelectronically(suchasthroughsecureemailorstoredinacloud‐basedsystem)oronahardwarecryptographicmodule/SSCD.Inallcases:

1. Exceptwhereescrow/backupservicesareauthorizedandpermitted,thekeygeneratormustnotretainaccesstotheSubscriber’sPrivateKeyafterdelivery,

2. ThekeygeneratormustprotectthePrivateKeyfromactivation,compromise,ormodificationduringthedeliveryprocess,

3. TheSubscribermustacknowledgereceiptofthePrivateKey(s),typicallybyhavingtheSubscriberusetherelatedCertificate,and

4. ThekeygeneratormustdeliverthePrivateKeyinawaythatensuresthatthecorrecttokensandactivationdataareprovidedtothecorrectSubscribers,including:

a. Forhardwaremodules,thekeygeneratormaintainingaccountabilityforthelocationandstateofthemoduleuntiltheSubscriberacceptspossessionofitand

b. ForelectronicdeliveryofPrivateKeys,thekeygeneratorencryptingkeymaterialusingacryptographicalgorithmandkeysizeatleastasstrongasthePrivateKey.Thekeygeneratorshalldeliveractivationdatausingaseparatesecurechannel.

TheentityassistingtheSubscriberwithkeygenerationshallmaintainarecordoftheSubscriber’sacknowledgementofreceiptofthedevicecontainingtheSubscriber’sKeyPair.ACMSorRAprovidingkeydeliveryservicesisrequiredtoprovideacopyofthisrecordtoDigiCert.

6.1.3. PublicKeyDeliverytoCertificateIssuerSubscribersgenerateKeyPairsandsubmitthePublicKeytoDigiCertinaCSRaspartofthecertificaterequestprocess.TheSubscriber’ssignatureontherequestisauthenticatedpriortoissuingtheCertificate.

6.1.4. CAPublicKeyDeliverytoRelyingPartiesDigiCert'sPublicKeysareprovidedtoRelyingPartiesasspecifiedinacertificatevalidationorpathdiscoverypolicyfile,astrustanchorsincommercialbrowsersandoperatingsystemrootstore,and/orasrootssignedbyotherCAs.AllaccreditationauthoritiessupportingDigiCertCertificatesandallapplicationsoftwareprovidersarepermittedtoredistributeDigiCert’srootanchors.DigiCertmayalsodistributePublicKeysthatarepartofanupdatedsignatureKeyPairasaself‐signedCertificate,asanewCACertificate,orinakeyroll‐overCertificate.RelyingPartiesmayobtainDigiCert'sself‐signedCACertificatesfromDigiCert'swebsiteorbyemail.

6.1.5. KeySizesDigiCertgenerallyfollowstheNISTtimelinesinusingandretiringsignaturealgorithmsandkeysizes.Accordingly,DigiCertisphasingoutitsuseoftheSHA‐1hashalgorithm.Currently,DigiCertgeneratesandusesatleastthefollowingminimumkeysizes,signaturealgorithms,andhashalgorithmsforsigningCertificates,CRLs,andcertificatestatusserverresponsesforpolicyOIDsof2.16.840.1.114412.1.11,2.16.840.1.114412.1.12,orwithinthepolicyOIDarcof2.16.840.1.114412.4(forFBCACertificates):

2048‐bitRSAKeyor384‐bitECDSAKeywithSecureHashAlgorithmversion2(SHA‐256)orahashalgorithmthatisequally

ormoreresistanttoacollisionattack).Certificatesthatdonotassertthesecertificatepolicies(seeotherpolicieslistedinSection1.2)mayalsobesignedusingtheSHA‐1hashalgorithm,providedthatitsuse

otherwisecomplieswithrequirementsoftheCA/BrowserForumortherelevantCP.SignaturesonCRLs,OCSPresponses,andOCSPresponderCertificatesthatprovidestatusinformationforCertificatesthatweregeneratedusingSHA‐1maycontinuetobegeneratedusingtheSHA‐1algorithm.AllothersignaturesonCRLs,OCSPresponses,andOCSPresponderCertificatesmustusetheSHA‐256hashalgorithmoronethatisequallyormoreresistanttocollisionattack.DigiCertrequiresend‐entityCertificatestocontainakeysizethatisatleast2048bitsforRSA,DSA,orDiffie‐Hellmanand224bitsforellipticcurvealgorithms.DigiCertmayrequirehigherbitkeysinitssolediscretion.PIV‐ICertificatescontainPublicKeysandalgorithmsthatconformto[NISTSP800‐78].AnyCertificates(whetherCAorend‐entity)expiringafter12/31/2030mustbeatleast3072‐bitforRSAand256‐bitforECDSA.DigiCertandSubscribersmayfulfillthetransmissionsecurityrequirementsundertheCPandthisCPSusingTLSoranotherprotocolthatprovidessimilarsecurity,providedtheprotocolrequiresatleastAES128bitsorequivalentforthesymmetrickeyandatleast2048bitRSAorequivalentfortheasymmetrickeys(andatleast3072bitRSAorequivalentforasymmetrickeysafter12/31/2030).

6.1.6. PublicKeyParametersGenerationandQualityCheckingDigiCertusesacryptomodulethatconformstoFIPS186‐2andprovidesrandomnumbergenerationandon‐boardgenerationofupto4096‐bitRSAPublicKeysandawiderangeofECCcurves.

6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield)DigiCert'sCertificatesincludekeyusageextensionfieldsthatspecifytheintendeduseoftheCertificateandtechnicallylimittheCertificate’sfunctionalityinX.509v3‐compliantsoftware.TheuseofaspecifickeyisdeterminedbythekeyusageextensionintheX.509Certificate.SubscriberCertificatesassertkeyusagesbasedontheintendedapplicationoftheKeyPair.Inparticular,Certificatestobeusedfordigitalsignatures(includingauthentication)setthedigitalSignatureand/ornonRepudiationbits.CertificatestobeusedforkeyordataencryptionshallsetthekeyEnciphermentand/ordataEnciphermentbits.CertificatestobeusedforkeyagreementshallsetthekeyAgreementbit.KeyusagebitsandextendedkeyusagesarespecifiedinthecertificateprofileforeachtypeofCertificateassetforthinDigiCert’sCertificateProfilesdocument.DigiCert’sCACertificateshaveatleasttwokeyusagebitsset:keyCertSignandcRLSign,andforsigningOCSPresponses,thedigitalSignaturebitisalsoset.Exceptforlegacyapplicationsrequiringasinglekeyfordualusewithbothencryptionandsignature,DigiCertdoesnotissueCertificateswithkeyusageforbothsigningandencryption.Instead,DigiCertissuesSubscriberstwoKeyPairs—oneforkeymanagementandonefordigitalsignatureandauthentication.ForCertificatesatLevels1,2and3thatareusedforsigningandencryptioninsupportoflegacyapplications,theymust:

begeneratedandmanagedinaccordancewiththeirrespectivesignaturecertificaterequirements,exceptwhereotherwisenotedinthisCPS,

neverassertthenon‐repudiationkeyusagebit,and notbeusedforauthenticatingdatathatwillbeverifiedonthebasisofthedual‐useCertificateata

futuretime.NoLevel4Certificatesmayhavesuchdual‐useKeyPairs.PIV‐IContentSigningCertificatesalsoincludeanextendedkeyusageofid‐fpki‐pivi‐content‐signing.

6.2. PRIVATEKEYPROTECTIONANDCRYPTOGRAPHICMODULEENGINEERINGCONTROLS

6.2.1. CryptographicModuleStandardsandControlsDigiCert'scryptographicmodulesforallofitsCAandOCSPresponderKeyPairsarevalidatedtotheFIPS140Level3andInternationalCommonCriteria(CC)InformationTechnologySecurityEvaluationAssuranceLevel(EAL)14169EAL4+Type3(EAL4AugmentedbyAVA_VLA.4andAVA_MSU.3)intheEuropeanUnion(EU).IGTFCertificateSubscribersmustprotecttheirPrivateKeysinaccordancewiththeapplicableGuidelinesonPrivateKeyProtection,includingtheuseofstrongpassphrasestoprotectPrivateKeys.Cryptographicmodulerequirementsforsubscribersandregistrationauthoritiesareshowninthetablebelow.

AssuranceLevel Subscriber RegistrationAuthority

EVCodeSigningFIPS140Level2(Hardware)

FIPS140Level2(Hardware)

AdobeSigningFIPS140Level2(Hardware)


Rudimentary N/AFIPS140Level1

(HardwareorSoftware)

Basic,LOA2,andLOA3FIPS140Level1

(HardwareorSoftware)FIPS140Level1

(HardwareorSoftware)

Medium

FIPS140Level1(Software)



MediumHardware,Biometric&PIV‐ICard/HardwareAuthentication



EUQConSSCDEAL4Augmented

(Hardware)EAL4Augmented

(Hardware)

DigiCertensuresthatthePrivateKeyofanEVCodeSigningCertificateisproperlygenerated,used,andstoredinacryptomodulethatmeetsorexceedstherequirementsofFIPS140level2by(i)shippingconformingcryptomoduleswithpreinstalledKeyPairs,(ii)communicatingviaPKCS#11cryptoAPIsofcryptomodulesthatDigiCerthasverifiedmeetorexceedrequirements,or(iii)obtaininganITauditfromtheSubscriberthatindicatescompliancewithFIPS140‐2level2ortheequivalent.

6.2.2. PrivateKey(noutofm)Multi‐personControlDigiCert'sauthenticationmechanismsareprotectedsecurelywhennotinuseandmayonlybeaccessedbyactionsofmultipletrustedpersons.BackupsofCAPrivateKeysaresecurelystoredoff‐siteandrequiretwo‐personaccess.Re‐activationofabacked‐upCAPrivateKey(unwrapping)requiresthesamesecurityandmulti‐personcontrolaswhenperformingothersensitiveCAPrivateKeyoperations.

6.2.3. PrivateKeyEscrowDigiCertdoesnotescrowitssignaturekeys.Subscribersmaynotescrowtheirprivatesignaturekeys.DigiCertmayprovideescrowservicesforothertypesofCertificatesinordertoprovidekeyrecoveryasdescribedinsection4.12.1.

6.2.4. PrivateKeyBackupDigiCert'sPrivateKeysaregeneratedandstoredinsideDigiCert’scryptographicmodule,whichhasbeenevaluatedtoatleastFIPS140Level3andEAL4+.Whenkeysaretransferredtoothermediaforbackupanddisasterrecoverypurposes,thekeysaretransferredandstoredinanencryptedform.DigiCert'sCAKeyPairsarebackedupbymultipletrustedindividualsusingacryptographichardwaredeviceaspartofscriptedandvideo‐recordedkeybackupprocess.DigiCertmayprovidebackupservicesforPrivateKeysthatarenotrequiredtobekeptonahardwaredevice.AccesstobackupCertificatesisprotectedinamannerthatonlytheSubscribercancontrolthePrivateKey.DigiCertmayrequirebackupofPIV‐IContentSigningprivatesignaturekeystofacilitatedisasterrecovery,providedthatallbackupisperformedundermulti‐personcontrol.Backedupkeysareneverstoredinaplaintextformoutsideofthecryptographicmodule.

6.2.5. PrivateKeyArchivalDigiCertdoesnotarchivePrivateKeys.

6.2.6. PrivateKeyTransferintoorfromaCryptographicModuleAllkeysmustbegeneratedbyandinacryptographicmodule.PrivateKeysareexportedfromthecryptographicmoduleintobackuptokensonlyforHSMtransfer,offlinestorage,andbackuppurposes.ThePrivateKeysareencryptedwhentransferredoutofthemoduleandneverexistinplaintextform.Whentransportedbetweencryptographicmodules,DigiCertencryptsthePrivateKeyandprotectsthekeysusedforencryptionfromdisclosure.PrivateKeysusedtoencryptbackupsaresecurelystoredandrequiretwo‐personaccess.

6.2.7. PrivateKeyStorageonCryptographicModuleDigiCert'sPrivateKeysaregeneratedandstoredinsideDigiCert’scryptographicmodule,whichhasbeenevaluatedtoatleastFIPS140Level3andEAL4+.RootPrivateKeysarestoredofflineincryptographicmodulesorbackuptokensasdescribedaboveinSections6.2.2,6.2.4,and6.2.6.

6.2.8. MethodofActivatingPrivateKeysDigiCert'sPrivateKeysareactivatedaccordingtothespecificationsofthecryptographicmodulemanufacturer.Activationdataentryisprotectedfromdisclosure.SubscribersaresolelyresponsibleforprotectingtheirPrivateKeys.SubscribersshoulduseastrongpasswordorequivalentauthenticationmethodtopreventunauthorizedaccessoruseoftheSubscriber’sPrivateKey.Ataminimum,SubscribersarerequiredtoauthenticatethemselvestothecryptographicmodulebeforeactivatingtheirPrivateKeys.SeealsoSection6.4.

6.2.9. MethodofDeactivatingPrivateKeysDigiCert’sPrivateKeysaredeactivatedvialogoutproceduresontheapplicableHSMdevicewhennotinuse.RootPrivateKeysarefurtherdeactivatedbyremovingthementirelyfromthestoragepartitionontheHSMdevice.DigiCertneverleavesitsHSMdevicesinanactiveunlockedorunattendedstate.SubscribersshoulddeactivatetheirPrivateKeysvialogoutandremovalprocedureswhennotinuse.

6.2.10. MethodofDestroyingPrivateKeysDigiCertpersonnel,actingintrustedroles,destroyCA,RA,andstatusserverPrivateKeyswhennolongerneeded.SubscribersshalldestroytheirPrivateKeyswhenthecorrespondingCertificateisrevokedorexpiredorifthePrivateKeyisnolongerneeded.

DigiCertmaydestroyaPrivateKeybydeletingitfromallknownstoragepartitions.DigiCertalsozeroizestheHSMdeviceandassociatedbackuptokensaccordingtothespecificationsofthehardwaremanufacturer.Thisreinitializesthedeviceandoverwritesthedatawithbinaryzeros.Ifthezeroizationorre‐initializationprocedurefails,DigiCertwillcrush,shred,and/orincineratethedeviceinamannerthatdestroystheabilitytoextractanyPrivateKey.

6.2.11. CryptographicModuleRatingSeeSection6.2.1.

6.3. OTHERASPECTSOFKEYPAIRMANAGEMENT

6.3.1. PublicKeyArchivalDigiCertarchivescopiesofPublicKeysinaccordancewithSection5.5.

6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriodsDigiCertCertificateshavemaximumvalidityperiodsof:Type PrivateKeyUse CertificateTermRootCA 20years 25yearsSubCA* 12years 15yearsFBCA‐Cross‐certifiedSubCAs 6years (periodof

keyuseforsigningCertificates)

10years(keystillsignsCRLs,OCSPresponses,andOCSPresponder

Certificates)IGTFCross‐certifiedSubCA* 6years 15yearsCRLandOCSPrespondersigning 3years 31days†OVSSL Nostipulation 39 monthsEVSSL Nostipulation 27monthsTimeStampingAuthority 15months 135 monthsObjectSigningCertificateandDocumentSigning

Nostipulation‡ 123months

CodeSigningCertificateissuedtoSubscriberundertheMinimumRequirementsforCodeSigningCertificatesortheEVCodeSigningGuidelines

Nostipulation 39months

EVCodeSigningCertificateissuedtoSigningAuthority

123months 123months

AdobeSigningCertificate 39months 5yearsFBCAandIGTFEndEntityClientusedforsignatures,includingEUQualifiedCertificates

36months 36months

FBCAandIGTFClientusedforkeymanagement.

36months 36months

EndEntityClientforallotherpurposes(FBCAorIGTFcompliant)

36months 36months

EndEntity/Clientforallotherpurposes(non‐FBCAandnon‐IGTFcerts)

NoStipulation 60months

PIV‐IContentSigning** 36months 9yearsPIV‐ICards 6years 6yearsIGTFonhardware 60months 13monthsHotspot2.0OSUServerCertificates Nostipulation 2years

*IGTFsigningCertificateshavealifetimethatisatleasttwicethemaximumlifetimeofanendentityCertificate.†OCSPresponderandCRLsigningCertificatesassociatedwithaPIV‐ICertificateonlyhaveamaximumcertificatevalidityperiodof31days.‡Codeandcontentsignerscross‐certifiedwithFBCAmayusetheirPrivateKeysforthreeyears;thelifetimeoftheassociatedPublicKeysshallnotexceedeightyears.**SubscriberPublicKeysinCertificatesthatassertthePIV‐IContentSigningOIDintheextendedkeyusageextensionhaveamaximumusageperiodofnineyears.ThePrivateKeyscorrespondingtothePublicKeysintheseCertificateshaveamaximumusageperiodofthreeyears.ExpirationofPIV‐IContentSigningCertificateshallbelaterthantheexpirationofthePIV‐IHardwareandPIV‐ICardAuthenticationCertificates.RelyingpartiesmaystillvalidatesignaturesgeneratedwiththesekeysafterexpirationoftheCertificate.PrivateKeysassociatedwithself‐signedrootCertificatesthataredistributedastrustanchorsareusedforamaximumof20years.DigiCertdoesnotissuePIV‐IsubscriberCertificatesthatexpirelaterthantheexpirationdateofthePIV‐IhardwaretokenonwhichtheCertificatesreside.DigiCertmayvoluntarilyretireitsCAPrivateKeysbeforetheperiodslistedabovetoaccommodatekeychangeoverprocesses.DigiCertdoesnotissueSubscriberCertificateswithanexpirationdatethatispasttheIssuerCA’spublickeyexpirationdateorthatexceedstheroutinere‐keyidentificationrequirementsspecifiedinSection3.1.1.

6.4. ACTIVATIONDATA

6.4.1. ActivationDataGenerationandInstallationDigiCertactivatesthecryptographicmodulecontainingitsCAPrivateKeysaccordingtothespecificationsofthehardwaremanufacturer.ThismethodhasbeenevaluatedasmeetingtherequirementsofFIPS140‐2Level3.Thecryptographichardwareisheldundertwo‐personcontrolasexplainedinSection5.2.2andelsewhereinthisCPS.DigiCertwillonlytransmitactivationdataviaanappropriatelyprotectedchannelandatatimeandplacethatisdistinctfromthedeliveryoftheassociatedcryptographicmodule.AllDigiCertpersonnelandSubscribersareinstructedtousestrongpasswordsandtoprotectPINsandpasswords.DigiCertemployeesarerequiredtocreatenon‐dictionary,alphanumericpasswordswithaminimumlengthandtochangetheirpasswordsonaregularbasis.IfDigiCertusespasswordsasactivationdataforasigningkey,DigiCertwillchangetheactivationdatachangeuponrekeyoftheCACertificate.

6.4.2. ActivationDataProtectionDigiCertprotectsdatausedtounlockPrivateKeysfromdisclosureusingacombinationofcryptographicandphysicalaccesscontrolmechanisms.Protectionmechanismsincludekeepingactivationmechanismssecureusingrole‐basedphysicalcontrol.AllDigiCertpersonnelareinstructedtomemorizeandnottowritedowntheirpasswordorshareitwithanotherindividual.DigiCertlocksaccountsusedtoaccesssecureCAprocessesifacertainnumberoffailedpasswordattemptsoccur.

6.4.3. OtherAspectsofActivationDataIfDigiCertmustresetactivationdataassociatedwithaPIV‐ICertificatethenDigiCertoranRAperformsasuccessfulbiometric1:1matchoftheapplicantagainstthebiometricscollectedinSection3.2.3.

6.5. COMPUTERSECURITYCONTROLS

6.5.1. SpecificComputerSecurityTechnicalRequirementsDigiCertsecuresitsCAsystemsandauthenticatesandprotectscommunicationsbetweenitssystemsandtrustedroles.DigiCert'sCAserversandsupport‐and‐vettingworkstationsrunontrustworthysystemsthatareconfiguredandhardenedusingindustrybestpractices.AllCAsystemsarescannedformaliciouscodeandprotectedagainstspywareandviruses.

DigiCert’sCAsystems,includinganyremoteworkstations,areconfiguredto:1. authenticatetheidentityofusersbeforepermittingaccesstothesystemorapplications,2. managetheprivilegesofusersandlimituserstotheirassignedroles,3. generateandarchiveauditrecordsforalltransactions,4. enforcedomainintegrityboundariesforsecuritycriticalprocesses,and5. supportrecoveryfromkeyorsystemfailure.

AllCertificateStatusServers:

authenticatetheidentityofusersbeforepermittingaccesstothesystemorapplications, manageprivilegestolimituserstotheirassignedroles, enforcedomainintegrityboundariesforsecuritycriticalprocesses,and supportrecoveryfromkeyorsystemfailure.

6.5.2. ComputerSecurityRatingNostipulation.

6.6. LIFECYCLETECHNICALCONTROLS

6.6.1. SystemDevelopmentControlsDigiCerthasmechanismsinplacetocontrolandmonitortheacquisitionanddevelopmentofitsCAsystems.Changerequestsrequiretheapprovalofatleastoneadministratorwhoisdifferentfromthepersonsubmittingtherequest.DigiCertonlyinstallssoftwareonCAsystemsifthesoftwareispartoftheCA’soperation.CAhardwareandsoftwarearededicatedtoperformingoperationsoftheCA.Vendorsareselectedbasedontheirreputationinthemarket,abilitytodeliverqualityproduct,andlikelihoodofremainingviableinthefuture.Managementisinvolvedinthevendorselectionandpurchasedecisionprocess.Non‐PKIhardwareandsoftwareispurchasedwithoutidentifyingthepurposeforwhichthecomponentwillbeused.Allhardwareandsoftwareareshippedunderstandardconditionstoensuredeliveryofthecomponentdirectlytoatrustedemployeewhoensuresthattheequipmentisinstalledwithoutopportunityfortampering.SomeofthePKIsoftwarecomponentsusedbyDigiCertaredevelopedin‐houseorbyconsultantsusingstandardsoftwaredevelopmentmethodologies.Allsuchsoftwareisdesignedanddevelopedinacontrolledenvironmentandsubjectedtoqualityassurancereview.Othersoftwareispurchasedcommercialoff‐the‐shelf(COTS).Qualityassuranceismaintainedthroughouttheprocessthroughtestinganddocumentationorbypurchasingfromtrustedvendorsasdiscussedabove.Updatesofequipmentandsoftwarearepurchasedordevelopedinthesamemannerastheoriginalequipmentorsoftwareandareinstalledandtestedbytrustedandtrainedpersonnel.AllhardwareandsoftwareessentialtoDigiCert’soperationsisscannedformaliciouscodeonfirstuseandperiodicallythereafter.

6.6.2. SecurityManagementControlsDigiCerthasmechanismsinplacetocontrolandmonitorthesecurity‐relatedconfigurationsofitsCAsystems.WhenloadingsoftwareontoaCAsystem,DigiCertverifiesthatthesoftwareisthecorrectversionandissuppliedbythevendorfreeofanymodifications.DigiCertverifiestheintegrityofsoftwareusedwithitsCAprocessesatleastonceaweek.

6.6.3. LifeCycleSecurityControlsNostipulation.

6.7. NETWORKSECURITYCONTROLSDigiCertdocumentsandcontrolstheconfigurationofitssystems,includinganyupgradesormodificationsmade.DigiCert'sCAsystemisconnectedtooneinternalnetworkandisprotectedbyfirewallsandNetwork

AddressTranslationforallinternalIPaddresses(e.g.,192.168.x.x).DigiCert'scustomersupportandvettingworkstationsarealsoprotectedbyfirewall(s)andonlyuseinternalIPaddresses.RootKeysarekeptofflineandbroughtonlineonlywhennecessarytosignCertificate‐issuingsubordinateCAs,OCSPResponderCertificates,orperiodicCRLs.Firewallsandboundarycontroldevicesareconfiguredtoallowaccessonlybytheaddresses,ports,protocolsandcommandsrequiredforthetrustworthyprovisionofPKIservicesbysuchsystems.DigiCert'ssecuritypolicyistoblockallportsandprotocolsandopenonlyportsnecessarytoenableCAfunctions.AllCAequipmentisconfiguredwithaminimumnumberofservicesandallunusednetworkportsandservicesaredisabled.DigiCert'snetworkconfigurationisavailableforreviewon‐sitebyitsauditorsandconsultantsunderanappropriatenon‐disclosureagreement.

6.8. TIME‐STAMPINGThesystemtimeonDigiCert’scomputersisupdatedusingtheNetworkTimeProtocol(NTP)tosynchronizesystemclocksatleastonceeveryeighthours(Windowsdefault).AlltimesaretraceabletoarealtimevaluedistributedbyaUTC(k)laboratoryorNationalMeasurementInstituteandareupdatedwhenaleapsecondoccursasnotifiedbytheappropriatebody.DigiCertmaintainsaninternalNTPserverthatsynchronizeswithcellulartelephonenetworksandmaintainstheaccuracyofitsclockwithinonesecondorless.ForeachtimestamprequesttheinternalNTPserverisqueriedforthecurrenttime.However,RelyingPartiesshouldbeawarethatalltimesincludedinatime‐stamptokenaresynchronizedwithUTCwithintheaccuracydefinedinthetime‐stamptokenitself,ifpresent.DigiCertwillnotissueatime‐stamptokenusinganyclockthatisdetectedasinaccurate.Allclocksusedfortime‐stampingarehousedintheDigiCert’ssecurefacilitiesandareprotectedagainstthreatsthatcouldresultinanunexpectedchangetotheclock’stime.DigiCert'sfacilitiesautomaticallydetectandreportanyclockthatdriftsorjumpsoutofsynchronizationwithUTC.Clockadjustmentsareauditableevents.SomeaspectsofRFC3161timestampsdifferfromMicrosoftAuthenticodetimestamps.ForRFC3161‐complianttimestamps,DigiCertincludesauniqueintegerforeachnewlygeneratedtime‐stamptoken.DigiCertonlytime‐stampshashrepresentationsofdata,notthedataitself.Informationcanbehashedfortime‐stampingusingSHA‐1orSHA‐256withRSAencryptionandeither1024or2048bitkeysizeforsignaturecreation.(SHA‐1,SHA‐256,SHA‐384,SHA‐512,MD5,MD4,andMD2aresupportedforRFC3161‐basedrequests.)DigiCertdoesnotexaminetheimprintbeingtime‐stampedotherthantochecktheimprint’slength.DigiCertalsodoesnotincludeanyidentificationoftheTimeStampTokenRequester(TSTRequester)inthetime‐stamptoken.Alltime‐stamptokensaresignedusingakeygeneratedexclusivelyforthatpurposesandhavethepropertyofthekeyindicatedintheCertificate.TSTRequestersrequesttime‐stamptokensbysendingarequesttoDigiCert.AftertheTSTRequesterreceivesaresponsefromDigiCert,itmustverifythestatuserrorreturnedintheresponse.Ifanerrorwasnotreturned,theTSTRequestermustthenverifythefieldscontainedinthetime‐stamptokenandthevalidityofthetime‐stamptoken’sdigitalsignature.Inparticular,theTSTRequestermustverifythatthetime‐stampeddatacorrespondstowhatwasrequestedandthatthetime‐stamptokencontainsthecorrectcertificateidentifier,thecorrectdataimprint,andthecorrecthashalgorithmOID.TheTSTRequestermustalsoverifythetimelinessoftheresponsebyverifyingtheresponseagainstalocaltrustedtimereference.TheTSTRequesterisrequiredtonotifyDigiCertimmediatelyifanyinformationcannotbeverified.TimeStampVerifiersshallverifythedigitalsignatureonthetime‐stamptokenandconfirmthatthedatacorrespondstothehashvalueinthetime‐stamptoken.

6.9. PIV‐ICARDSThefollowingrequirementsapplytoPIV‐ICards:

1. ToensureinteroperabilitywithFederalsystems,PIV‐ICardsuseasmartcardplatformthatisonGSA’sFIPS201EvaluationProgramApprovedProductList(APL)andusethePIVapplicationidentifier(AID).

2. AllPIV‐ICardsconformto[NISTSP800‐731].

3. ThemandatoryX.509CertificateforAuthenticationisonlyissuedunderapolicythatiscrosscertifiedwiththeFBCAPIV‐IHardwarepolicyOID.

4. PIV‐ICertificatesconformtothePIV‐IProfile.5. AnasymmetricX.509CertificateforCardAuthenticationisincludedineachPIV‐Icard.The

Certificate:a. conformstoPIV‐IProfile,b. conformsto[NISTSP800‐73],andc. isissuedunderthePIV‐ICardAuthenticationpolicy.

6. TheCMSincludesanelectronicrepresentation(asspecifiedinSP800‐73andSP800‐76)ofthecardholder’sfacialimageineachPIV‐Icard.

7. TheX.509CertificatesforDigitalSignatureandKeyManagementdescribedin[NISTSP800‐73]areoptionalforPIV‐ICards.

8. TheCMSmakesitsPIV‐ICardsvisuallydistinctfromaFederalPIVCardtopreventcreationofafraudulentFederalPIVCard.Ataminimum,theCMSdoesnotallowedimagesorlogosonaPIV‐ICardtobeplacedwithinZone11,AgencySeal,asdefinedby[FIPS201].

9. TheCMSrequiresthefollowingitemsonthefrontofacard:a. Cardholderfacialimage,b. Cardholderfullname,c. OrganizationalAffiliation,ifexists;otherwisetheissuerofthecard,andd. Cardexpirationdate.

10. PIV‐Icardsareissuedwithanexpirationdatethatissixyearsorless.11. AllPIV‐ICardsexpirelaterthanthePIV‐IContentSigningCertificateonthecard.12. ApolicyOIDthathasbeenmappedtotheFBCAPIV‐IContentSigningpolicyOIDisincludedinthe

digitalsignatureCertificateusedtosignobjectsonthePIV‐ICard.ThePIV‐IContentSigningCertificateconformstothePIV‐IProfile.

13. ThePIV‐IContentSigningCertificateandcorrespondingPrivateKeyaremanagedwithinatrustedCardManagementSystem.

14. Atissuance,thePIV‐ICardisactivatedandreleasedtothesubscriberonlyafterasuccessful1:1biometricmatchoftheapplicantagainstthebiometricscollectedinSection3.2.3.

15. PIV‐ICardsmaysupportcardactivationbythecardmanagementsystemtosupportcardpersonalizationandpost‐issuancecardupdate.Toactivatethecardforpersonalizationorupdate,thecardmanagementsystemperformsachallengeresponseprotocolusingcryptographickeysstoredonthecardinaccordancewith[SP800‐73].Whencardsarepersonalized,cardmanagementkeysaresettobespecifictoeachPIV‐ICard.Thatis,eachPIV‐ICardcontainsauniquecardmanagementkey.CardmanagementkeysmeetthealgorithmandkeysizerequirementsstatedinSpecialPublication800‐78,CryptographicAlgorithmsandKeySizesforPersonalIdentityVerification.[SP800‐78].

7. CERTIFICATE,CRL,ANDOCSPPROFILESDigiCertusestheITUX.509,version3standardtoconstructdigitalCertificatesforusewithintheDigiCertPKI.DigiCertaddscertaincertificateextensionstothebasiccertificatestructureforthepurposesintendedbyX.509v3asperAmendment1toISO/IEC9594‐8,1995.ForPIV‐ICertificates,DigiCertfollowstheFPKIPA’sX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards.ForQualifiedCertificates,DigiCertfollowsETSITS101862.

7.1. CERTIFICATEPROFILE

7.1.1. VersionNumber(s)AllCertificatesareX.509version3Certificates.

7.1.2. CertificateExtensionsSeeDigiCert’sCertificateProfilesdocument.IGTFCertificatescomplywiththeGridCertificateProfileasdefinedbytheOpenGridForumGFD.125.

PIV‐ICertificatescomplywiththeX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards,Date:April232010,assetforthat:http://www.idmanagement.gov/sites/default/files/documents/pivi_certificate_crl_profile.pdf

7.1.3. AlgorithmObjectIdentifiersDigiCertCertificatesaresignedusingoneofthefollowingalgorithms:sha‐1WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)5]sha256WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)

11]ecdsa‐with‐sha384 [iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)signatures(4)

ecdsa‐with‐SHA2(3)3]DigiCertdoesnotcurrentlysignCertificatesusingRSAwithPSSpadding.SSL/TLSServerCertificatesarenotsignedwithsha‐1WithRSAEncryption.DigiCertandSubscribersmaygenerateKeyPairsusingthefollowing:id‐dsa [iso(1)member‐body(2)us(840)x9‐57(10040)x9cm(4)1]RsaEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)1]Dhpublicnumber [iso(1)member‐body(2)us(840)ansi‐x942(10046)number‐type(2)1]

id‐keyExchangeAlgorithm[joint‐iso‐ccitt(2)country(16)us(840)organization(1)gov(101)dod(2)infosec(1)algorithms(1)22]

id‐ecPublicKey [iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)id‐publicKeyType(2)1]

EllipticcurvePublicKeyssubmittedtoDigiCertforinclusioninendentityCertificatesshouldallbebasedonNIST“SuiteB”curves.SignaturealgorithmsforPIV‐ICertificatesarelimitedtothoseidentifiedbyNISTSP800‐78.

7.1.4. NameFormsEachCertificateincludesauniqueserialnumberthatisneverreused.OptionalsubfieldsinthesubjectofanSSLCertificatemusteithercontaininformationverifiedbyDigiCertorbeleftempty.SSLCertificatescannotcontainmetadatasuchas‘.’,‘‐‘and‘‘charactersoranyotherindicationthatthefieldisnotapplicable.DigiCertlogicallyrestrictsOUfieldsfromcontainingSubscriberinformationthathasnotbeenverifiedinaccordancewithSection3.TheDistinguishedNameforeachCertificatetypeissetforthinDigiCert’scertificateprofilesdocument.ThecontentsofthefieldsinEVCertificatesmustmeettherequirementsinSection8.1oftheEVGuidelines.

7.1.5. NameConstraintsNostipulation.

7.1.6. CertificatePolicyObjectIdentifierAnobjectidentifier(OID)isauniquenumberthatidentifiesanobjectorpolicy.TheOIDsusedbyDigiCertarelistedinSection1.2andinDigiCert’sCertificateProfilesdocument.

7.1.7. UsageofPolicyConstraintsExtensionNotapplicable.

7.1.8. PolicyQualifiersSyntaxandSemanticsDigiCertincludesbriefstatementsinCertificatesaboutthelimitationsofliabilityandothertermsassociatedwiththeuseofaCertificateinthePolicyQualifierfieldoftheCertificatesPolicyextension.

7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtensionNostipulation.

7.2. CRLPROFILEForPIV‐ICertificates,DigiCertfollowstheFPKIPA’sX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards.

7.2.1. Versionnumber(s)DigiCertissuesversion2CRLsthatcontainthefollowingfields:

Field ValueIssuerSignatureAlgorithm sha‐1WithRSAEncryption[12840113549115] OR

sha‐256WithRSAEncryption[128401135491111]ORecdsa‐with‐sha384[1284010045433]

IssuerDistinguishedName DigiCertthisUpdate CRLissuedateinUTCformatnextUpdate DatewhenthenextCRLwillissueinUTCformat.RevokedCertificatesList

ListofrevokedCertificates,includingtheserialnumberandrevocationdate

Issuer’sSignature [Signature]

7.2.2. CRLandCRLEntryExtensionsCRLshavethefollowingextensions:

Extension ValueCRLNumber NeverrepeatedmonotonicallyincreasingintegerAuthorityKeyIdentifier SameastheAuthorityKeyIdentifierlistedintheCertificateInvalidityDate OptionaldateinUTCformatReasonCode Optional reasonforrevocation

7.3. OCSPPROFILEForPIV‐ICertificates,DigiCertfollowstheFPKIPA’sX.509CertificateandCertificateRevocationList(CRL)ExtensionsProfileforPersonalIdentityVerificationInteroperable(PIV‐I)Cards.

7.3.1. VersionNumber(s)DigiCert’sOCSPrespondersconformtoversion1ofRFC2560.

7.3.2. OCSPExtensionsNostipulation.

8. COMPLIANCEAUDITANDOTHERASSESSMENTSThepracticesinthisCPSaredesignedtomeetorexceedtherequirementsofgenerallyacceptedindustrystandards,includingthelatestversionoftheEVGuidelinesandtheWebTrustProgramforCertificationAuthorities,ANSX9.79/ISO21188PKIPracticesandPolicyFramework("CAWebTrust/ISO21188").ForpurposesofinteroperationwiththeU.S.Government,compliancecanbedeterminedbyreferencetoanycurrentauditorletterofcompliancemeetingFPKIPAAuditRequirements.

8.1. FREQUENCYORCIRCUMSTANCESOFASSESSMENTDigiCertreceivesanannualauditbyanindependentexternalauditortoassessDigiCert'scompliancewiththisCPS,anyapplicableCPs,andtheCAWebTrust/ISO21188andWebTrustEVProgramcriteria.TheauditcoversDigiCert’sRAsystems,SubCAs,andOCSPResponders.

8.2. IDENTITY/QUALIFICATIONSOFASSESSORWebTrustauditorsmustmeettherequirementsofSection14.1.14oftheEVGuidelines.Specifically:

(1) Qualificationsandexperience:Auditingmustbetheauditor’sprimarybusinessfunction.TheindividualoratleastonememberoftheauditgroupmustbequalifiedasaCertifiedInformationSystemsAuditor(CISA),anAICPACertifiedInformationTechnologyProfessional(CPA.CITP),a

CertifiedInternalAuditor(CIA),orhaveanotherrecognizedinformationsecurityauditingcredential.Auditorsmustbesubjecttodisciplinaryactionbyitslicensingbody.

(2) Expertise:TheindividualorgroupmustbetrainedandskilledintheauditingofsecureinformationsystemsandbefamiliarwithPublicKeyinfrastructures,certificationsystems,andInternetsecurityissues.

(3) Rulesandstandards:Theauditormustconformtoapplicablestandards,rules,andbestpracticespromulgatedbytheAmericanInstituteofCertifiedPublicAccountants(AICPA),CPACanada,theInstituteofCharteredAccountantsofEngland&Wales(ICAEW),theInternationalAccountingStandardsadoptedbytheEuropeanCommission(IAS),InformationSystemsAuditandControlAssociation(ISACA),theInstituteofInternalAuditors(IIA),oranotherqualifiedauditingstandardsbody.

(4) Reputation:Thefirmmusthaveareputationforconductingitsauditingbusinesscompetentlyandcorrectly.

(5) Insurance:EVauditorsmustmaintainProfessionalLiability/ErrorsandOmissionsInsurance,withpolicylimitsofatleast$1millionincoverage.

8.3. ASSESSOR'SRELATIONSHIPTOASSESSEDENTITYDigiCert’sWebTrustauditordoesnothaveafinancialinterest,businessrelationship,orcourseofdealingthatcouldforeseeablycreateasignificantbiasfororagainstDigiCert.

8.4. TOPICSCOVEREDBYASSESSMENTTheauditcoversDigiCert'sbusinesspracticesdisclosure,theintegrityofDigiCert'sPKIoperations,andDigiCert’scompliancewiththeEVGuidelines.TheauditverifiesthatDigiCertiscompliantwiththeCP,thisCPS,andanyMOAbetweenitandanyotherPKI.

8.5. ACTIONSTAKENASARESULTOFDEFICIENCYIfanauditreportsamaterialnoncompliancewithapplicablelaw,thisCPS,theCP,oranyothercontractualobligationsrelatedtoDigiCert’sservices,then(1)theauditorwilldocumentthediscrepancy,(2)theauditorwillpromptlynotifyDigiCert,and(3)DigiCertwilldevelopaplantocurethenoncompliance.DigiCertwillsubmittheplantotheDCPAforapprovalandtoanythirdpartythatDigiCertislegallyobligatedtosatisfy.TheDCPAmayrequireadditionalactionifnecessarytorectifyanysignificantissuescreatedbythenon‐compliance,includingrequiringrevocationofaffectedCertificates.

8.6. COMMUNICATIONOFRESULTSTheresultsofeachauditarereportedtotheDCPAandtoanythirdpartyentitieswhichareentitledbylaw,regulation,oragreementtoreceiveacopyoftheauditresults.Onanannualbasis,DigiCertsubmitsareportofitsauditcompliancetovariousparties,suchasMozilla,theFederalPKIPolicyAuthority,CAlicensingbodies,etc.

8.7. SELF‐AUDITSOnatleastaquarterlybasis,DigiCertperformsregularinternalauditsagainstarandomlyselectedsampleofatleastthreepercentoftheOVandDVSSLCertificatesandatleastthreepercentoftheEVSSLandEVCodeSigningCertificatesissuedsincethelastinternalaudit.Self‐auditsonSSLandcodesigningCertificatesareperformedinaccordancewithGuidelinesadoptedbytheCA/BrowserForum.

9. OTHERBUSINESSANDLEGALMATTERS

9.1. FEES

9.1.1. CertificateIssuanceorRenewalFeesDigiCertchargesfeesforcertificateissuanceandrenewal.DigiCertmaychangeitsfeesatanytimeinaccordancewiththeapplicablecustomeragreement.

9.1.2. CertificateAccessFeesDigiCertmaychargeareasonablefeeforaccesstoitscertificatedatabases.

9.1.3. RevocationorStatusInformationAccessFeesDigiCertdoesnotchargeacertificaterevocationfeeorafeeforcheckingthevaliditystatusofanissuedCertificateusingaCRL.DigiCertmaychargeafeeforprovidingcertificatestatusinformationviaOCSP.

9.1.4. FeesforOtherServicesNostipulation.

9.1.5. RefundPolicySubscribersmustrequestrefunds,inwriting,within30daysafteraCertificateissues.Afterreceivingtherefundrequest,DigiCertmayrevoketheCertificateandrefundtheamountpaidbytheApplicant,minusanyapplicableapplicationprocessingfees.

9.2. FINANCIALRESPONSIBILITY

9.2.1. InsuranceCoverageDigiCertmaintainsCommercialGeneralLiabilityinsurancewithapolicylimitofatleast$2millionincoverageandProfessionalLiability/Errors&Omissionsinsurancewithapolicylimitofatleast$5millionincoverage.InsuranceiscarriedthroughcompaniesratednolessthanA‐astoPolicyHolder’sRatinginthecurrenteditionofBest’sInsuranceGuide(orwithanassociationofcompanies,eachofthemembersofwhicharesorated).

9.2.2. OtherAssetsNostipulation.

9.2.3. InsuranceorWarrantyCoverageforEnd‐EntitiesInsurancecoverageforend‐entitiesisspecifiedinDigiCert’sRelyingPartyAgreement.

9.3. CONFIDENTIALITYOFBUSINESSINFORMATION

9.3.1. ScopeofConfidentialInformationThefollowinginformationisconsideredconfidentialandprotectedagainstdisclosureusingareasonabledegreeofcare:

PrivateKeys; ActivationdatausedtoaccessPrivateKeysortogainaccesstotheCAsystem; Businesscontinuity,incidentresponse,contingency,anddisasterrecoveryplans; Othersecuritypracticesusedtoprotecttheconfidentiality,integrity,oravailabilityofinformation; InformationheldbyDigiCertasprivateinformationinaccordancewithSection9.4; Auditlogsandarchiverecords;and Transactionrecords,financialauditrecords,andexternalorinternalaudittrailrecordsandanyaudit

reports(withtheexceptionofanauditor’sletterconfirmingtheeffectivenessofthecontrolssetforthinthisCPS).

9.3.2. InformationNotWithintheScopeofConfidentialInformationAnyinformationnotlistedasconfidentialisconsideredpublicinformation.PublishedCertificateandrevocationdataisconsideredpublicinformation.

9.3.3. ResponsibilitytoProtectConfidentialInformationDigiCert’semployees,agents,andcontractorsareresponsibleforprotectingconfidentialinformationandarecontractuallyobligatedtodoso.Employeesreceivetrainingonhowtohandleconfidentialinformation.

9.4. PRIVACYOFPERSONALINFORMATION

9.4.1. PrivacyPlanDigiCertfollowstheprivacypolicypostedonitswebsitewhenhandlingpersonalinformation.Personalinformationisonlydisclosedwhenthedisclosureisrequiredbylaworwhenrequestedbythesubjectofthepersonalinformation.

9.4.2. InformationTreatedasPrivateDigiCerttreatsallpersonalinformationaboutanindividualthatisnotpubliclyavailableinthecontentsofaCertificateorCRLasprivateinformation.DigiCertprotectsprivateinformationusingappropriatesafeguardsandareasonabledegreeofcare.

9.4.3. InformationNotDeemedPrivatePrivateinformationdoesnotincludeCertificates,CRLs,ortheircontents.

9.4.4. ResponsibilitytoProtectPrivateInformationDigiCertemployeesandcontractorsareexpectedtohandlepersonalinformationinstrictconfidenceandmeettherequirementsofUSandEuropeanlawconcerningtheprotectionofpersonaldata.Allsensitiveinformationissecurelystoredandprotectedagainstaccidentaldisclosure.

9.4.5. NoticeandConsenttoUsePrivateInformationPersonalinformationobtainedfromanapplicantduringtheapplicationoridentityverificationprocessisconsideredprivateinformationiftheinformationisnotincludedinaCertificate.DigiCertwillonlyuseprivateinformationafterobtainingthesubject'sconsentorasrequiredbyapplicablelaworregulation.AllSubscribersmustconsenttotheglobaltransferandpublicationofanypersonaldatacontainedinaCertificate.

9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcessDigiCertmaydiscloseprivateinformation,withoutnotice,ifDigiCertbelievesthedisclosureisrequiredbylaworregulation.

9.4.7. OtherInformationDisclosureCircumstancesNostipulation.

9.5. INTELLECTUALPROPERTYRIGHTSDigiCertand/oritsbusinesspartnersowntheintellectualpropertyrightsinDigiCert’sservices,includingtheCertificates,trademarksusedinprovidingtheservices,andthisCPS.“DigiCert”isaregisteredtrademarkofDigiCert,Inc.CertificateandrevocationinformationarethepropertyofDigiCert.DigiCertgrantspermissiontoreproduceanddistributeCertificatesonanon‐exclusiveandroyalty‐freebasis,providedthattheyarereproducedanddistributedinfull.DigiCertdoesnotallowderivativeworksofitsCertificatesorproductswithoutpriorwrittenpermission.PrivateandPublicKeysremainthepropertyoftheSubscriberswhorightfullyholdthem.Allsecretshares(distributedelements)oftheDigiCertPrivateKeysarethepropertyofDigiCert.

9.6. REPRESENTATIONSANDWARRANTIES

9.6.1. CARepresentationsandWarrantiesExceptasexpresslystatedinthisCPSorinaseparateagreementwithaSubscriber,DigiCertdoesnotmakeanyrepresentationsregardingitsproductsorservices.DigiCertrepresents,totheextentspecifiedinthisCPS,that:

DigiCertcomplies,inallmaterialaspects,withtheCP,thisCPS,andallapplicablelawsandregulations,

DigiCertpublishesandupdatesCRLsandOCSPresponsesonaregularbasis, AllCertificatesissuedunderthisCPSwillbeverifiedinaccordancewiththisCPSandmeetthe

minimumrequirementsfoundhereinandintheBaselineRequirements, DigiCertwillmaintainarepositoryofpublicinformationonitswebsite,and InformationpublishedonaqualifiedCertificatemeetstherequirementsspecifiedinEUlaw.

TotheextentallowedunderEUlaw,DigiCert:

Doesnotwarranttheaccuracy,authenticity,completeness,orfitnessofanyunverifiedinformation,includingnameverificationfor(1)Certificatesintendedforemailandintranetuse,(2)Multi‐SANCertificates,and(3)otherCertificatesissuedtoindividualsandintranets.

IsnotresponsibleforinformationcontainedinaCertificateexceptasstatedinthisCPS, Doesnotwarrantthequality,function,orperformanceofanysoftwareorhardwaredevice,and IsnotresponsibleforfailingtocomplywiththisCPSbecauseofcircumstancesoutsideof

DigiCert’scontrol.ForEVCertificates,DigiCertrepresentstoSubscribers,Subjects,ApplicationSoftwareVendorsthatdistributeDigiCert’srootCertificates,andRelyingPartiesthatuseaDigiCertCertificatewhiletheCertificateisvalidthatDigiCertfollowedtheEVGuidelineswhenverifyinginformationandissuingEVCertificates.ThisrepresentationislimitedsolelytoDigiCert’scompliancewiththeEVGuidelines(e.g.,DigiCertmayrelyonerroneousinformationprovidedinanattorney’sopinionoraccountant’sletterthatischeckedinaccordancewiththeGuidelines).ForPIVCertificates,DigiCertmaintainsanagreementwithAffiliatedOrganizationsthatincludesobligationsrelatedtoauthorizingaffiliationwithSubscribersofPIV‐ICertificates.

9.6.2. RARepresentationsandWarrantiesRAsrepresentthat:

1. TheRA’scertificateissuanceandmanagementservicesconformtotheDigiCertCPandthisCPS,2. InformationprovidedbytheRAdoesnotcontainanyfalseormisleadinginformation,3. TranslationsperformedbytheRAareanaccuratetranslationoftheoriginalinformation,and4. AllCertificatesrequestedbytheRAmeettherequirementsofthisCPS.

DigiCert’sagreementwiththeRAmaycontainadditionalrepresentations.

9.6.3. SubscriberRepresentationsandWarrantiesPriortobeingissuedandreceivingaCertificate,subscribersaresolelyresponsibleforanymisrepresentationstheymaketothirdpartiesandforalltransactionsthatuseSubscriber’sPrivateKey,regardlessofwhethersuchusewasauthorized.SubscribersarerequiredtonotifyDigiCertandanyapplicableRAifachangeoccursthatcouldaffectthestatusoftheCertificate.SubscribersrepresenttoDigiCert,ApplicationSoftwareVendors,andRelyingPartiesthat,foreachCertificate,theSubscriberwill:

1. SecurelygenerateitsPrivateKeysandprotectitsPrivateKeysfromcompromise,2. ProvideaccurateandcompleteinformationwhencommunicatingwithDigiCert,3. ConfirmtheaccuracyofthecertificatedatapriortousingtheCertificate,4. Promptly(i)requestrevocationofaCertificate,ceaseusingitanditsassociatedPrivateKey,and

notifyDigiCertifthereisanyactualorsuspectedmisuseorcompromiseofthePrivateKey

associatedwiththePublicKeyincludedinthecertificate,and(ii)requestrevocationoftheCertificate,andceaseusingit,ifanyinformationintheCertificateisorbecomesincorrectorinaccurate,

5. EnsurethatindividualsusingCertificatesonbehalfofanorganizationhavereceivedsecuritytrainingappropriatetotheCertificate,

6. UsetheCertificateonlyforauthorizedandlegalpurposes,consistentwiththecertificatepurpose,thisCPS,anyapplicableCP,andtherelevantSubscriberAgreement,includingonlyinstallingSSLCertificatesonserversaccessibleatthedomainlistedintheCertificateandnotusingcodesigningCertificatestosignmaliciouscodeoranycodethatisdownloadedwithoutauser’sconsent,and

7. PromptlyceaseusingtheCertificateandrelatedPrivateKeyaftertheCertificate’sexpiration.

9.6.4. RelyingPartyRepresentationsandWarrantiesEachRelyingPartyrepresentsthat,priortorelyingonaDigiCertCertificate,it:

1. ObtainedsufficientknowledgeontheuseofdigitalCertificatesandPKI,2. StudiedtheapplicablelimitationsontheusageofCertificatesandagreestoDigiCert’slimitationson

liabilityrelatedtotheuseofCertificates,3. Hasread,understands,andagreestotheDigiCertRelyingPartyAgreementandthisCPS,4. VerifiedboththeDigiCertCertificateandtheCertificatesinthecertificatechainusingtherelevant

CRLorOCSP,5. WillnotuseaDigiCertCertificateiftheCertificatehasexpiredorbeenrevoked,and6. Willtakeallreasonablestepstominimizetheriskassociatedwithrelyingonadigitalsignature,

includingonlyrelyingonaDigiCertCertificateafterconsidering:a) applicablelawandthelegalrequirementsforidentificationofaparty,protectionofthe

confidentialityorprivacyofinformation,andenforceabilityofthetransaction;b) theintendeduseoftheCertificateaslistedinthecertificateorthisCPS,c) thedatalistedintheCertificate,d) theeconomicvalueofthetransactionorcommunication,e) thepotentiallossordamagethatwouldbecausedbyanerroneousidentificationoralossof

confidentialityorprivacyofinformationintheapplication,transaction,orcommunication,f) theRelyingParty’spreviouscourseofdealingwiththeSubscriber,g) theRelyingParty’sunderstandingoftrade,includingexperiencewithcomputer‐based

methodsoftrade,andh) anyotherindiciaofreliabilityorunreliabilitypertainingtotheSubscriberand/orthe

application,communication,ortransaction.AnyunauthorizedrelianceonaCertificateisataparty’sownrisk.

9.6.5. RepresentationsandWarrantiesofOtherParticipantsNostipulation.

9.7. DISCLAIMERSOFWARRANTIESEXCEPTASEXPRESSLYSTATEDINSECTION9.6.1,ALLCERTIFICATESANDANYRELATEDSOFTWAREANDSERVICESAREPROVIDED"ASIS"AND"ASAVAILABLE”.TOTHEMAXIMUMEXTENTPERMITTEDBYLAW,DIGICERTDISCLAIMSALLEXPRESSANDIMPLIEDWARRANTIES,INCLUDINGALLWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ANDNON‐INFRINGEMENT.DIGICERTDOESNOTWARRANTTHATANYSERVICEORPRODUCTWILLMEETANYEXPECTATIONSORTHATACCESSTOCERTIFICATESWILLBETIMELYORERROR‐FREE.DigiCertdoesnotguaranteetheavailabilityofanyproductsorservicesandmaymodifyordiscontinueanyproductorserviceofferingatanytime.AfiduciarydutyisnotcreatedsimplybecauseanentityusesDigiCert’sservices.

9.8. LIMITATIONSOFLIABILITYNOTHINGHEREINLIMITSLIABILTYRELATEDTO(I)DEATHORPERSONALINJURYRESULTINGFROMDIGICERT’SNEGLIGENCEOR(II)FRAUDCOMMITTEDBYDIGICERT.EXCEPTASSTATEDABOVE,ANYENTITYUSINGADIGICERTCERTIFICATEORSERVICEWAIVESALLLIABILITYOFDIGICERTRELATEDTOSUCHUSE,PROVIDEDTHATDIGICERTHASMATERIALLYCOMPLIEDWITHTHISCPSINPROVIDINGTHE

CERTIFICATEORSERVICE.DIGICERT’SLIABILITYFORCERTIFICATESANDSERVICESTHATDONOTMATERIALLYCOMPLYWITHTHISCPSISLIMITEDASFOLLOWS:

1. NOLIABILITYIFTHEDAMAGEORLOSSRELATESTOACERTIFICATEOTHERTHANASSLCERTIFICATEORCODESIGNINGCERTIFICATE,

2. AMAXIMUMLIABILITYOF$1,000PERTRANSACTIONFORSSLCERTIFICATES,3. ANAGGREGATEMAXIMUMLIABILITYOF$10,000FORALLCLAIMSRELATEDTOASINGLE

CERTIFICATEORSERVICE,4. ANDANAGGREGATEMAXIMUMLIABILITYOF$1MILLIONFORALLCLAIMS,REGARDLESSOF

THENUMBERORSOURCEOFTHECLAIMS.DIGICERTAPPORTIONSPAYMENTSRELATEDTOANAGGREGATEMAXIMUMLIMITATIONONLIABILITYUNDERTHISSECTIONTOTHEFIRSTCLAIMSTHATACHIEVEFINALRESOLUTION.Allliabilityislimitedtoactualandlegallyprovabledamages.DigiCertisnotliablefor:

1. Anyindirect,consequential,special,orpunitivedamagesoranylossofprofit,revenue,data,oropportunity,evenifDigiCertisawareofthepossibilityofsuchdamages;

2. LiabilityrelatedtofraudorwillfulmisconductoftheApplicant;3. LiabilityrelatedtouseofaCertificatethatexceedsthelimitationsonuse,value,ortransactionsas

statedeitherintheCertificateorthisCPS;4. Liabilityrelatedtothesecurity,usability,orintegrityofproductsnotsuppliedbyDigiCert,including

theSubscriber’sandRelyingParty’shardware;or5. LiabilityrelatedtothecompromiseofaSubscriber’sPrivateKey.

Thelimitationsinthissectionapplytothemaximumextentpermittedbylawandapplyregardlessof(i)thereasonforornatureoftheliability,includingtortclaims,(ii)thenumberofclaimsofliability,(iii)theextentornatureofthedamages,(iv)whetherDigiCertfailedtofollowanyprovisionofthisCPS,or(v)whetheranyprovisionofthisCPSwasprovenineffective.ThedisclaimersandlimitationsonliabilitiesinthisCPSarefundamentaltermstotheuseofDigiCert’sCertificatesandservices.

9.9. INDEMNITIES

9.9.1. IndemnificationbyDigiCertDigiCertshallindemnifyeachApplicationSoftwareVendoragainstanyclaim,damage,orlosssufferedbyanApplicationSoftwareVendorrelatedtoanEVCertificateissuedbyDigiCert,regardlessofthecauseofactionorlegaltheoryinvolved,exceptwheretheclaim,damage,orlosssufferedbytheApplicationSoftwareVendorwasdirectlycausedbytheApplicationSoftwareVendor’ssoftwaredisplayingeither(1)avalidandtrustworthyEVCertificateasnotvalidortrustworthyor(2)displayingastrustworthy(i)anEVCertificatethathasexpiredor(ii)arevokedEVCertificatewheretherevocationstatusisavailableonlinebuttheApplicationSoftwareVendor’ssoftwarefailedtocheckorignoredthestatus.

9.9.2. IndemnificationbySubscribersTotheextentpermittedbylaw,eachSubscribershallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedto(i)anymisrepresentationoromissionofmaterialfactbySubscriber,regardlessofwhetherthemisrepresentationoromissionwasintentionalorunintentional;(ii)Subscriber’sbreachoftheSubscriberAgreement,thisCPS,orapplicablelaw;(iii)thecompromiseorunauthorizeduseofaCertificateorPrivateKeycausedbytheSubscriber’snegligenceorintentionalacts;or(iv)Subscriber’smisuseoftheCertificateorPrivateKey.

9.9.3. IndemnificationbyRelyingPartiesTotheextentpermittedbylaw,eachRelyingPartyshallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,

damage,orexpense,includingreasonableattorney’sfees,relatedtotheRelyingParty’s(i)breachoftheRelyingPartyAgreement,anEnd‐UserLicenseAgreement,thisCPS,orapplicablelaw;(ii)unreasonablerelianceonaCertificate;or(iii)failuretochecktheCertificate’sstatuspriortouse.

9.10. TERMANDTERMINATION

9.10.1. TermThisCPSandanyamendmentstotheCPSareeffectivewhenpublishedtoDigiCert’sonlinerepositoryandremainineffectuntilreplacedwithanewerversion.

9.10.2. TerminationThisCPSandanyamendmentsremainineffectuntilreplacedbyanewerversion.

9.10.3. EffectofTerminationandSurvivalDigiCertwillcommunicatetheconditionsandeffectofthisCPS’sterminationviatheDigiCertRepository.Thecommunicationwillspecifywhichprovisionssurvivetermination.Ataminimum,allresponsibilitiesrelatedtoprotectingconfidentialinformationwillsurvivetermination.AllSubscriberAgreementsremaineffectiveuntiltheCertificateisrevokedorexpired,evenifthisCPSterminates.

9.11. INDIVIDUALNOTICESANDCOMMUNICATIONSWITHPARTICIPANTSDigiCertacceptsnoticesrelatedtothisCPSatthelocationsspecifiedinSection2.2.NoticesaredeemedeffectiveafterthesenderreceivesavalidanddigitallysignedacknowledgmentofreceiptfromDigiCert.Ifanacknowledgementofreceiptisnotreceivedwithinfivedays,thesendermustresendthenoticeinpaperformtothestreetaddressspecifiedinSection2.2usingeitheracourierservicethatconfirmsdeliveryorviacertifiedorregisteredmailwithpostageprepaidandreturnreceiptrequested.DigiCertmayallowotherformsofnoticeinitsSubscriberAgreements.

9.12. AMENDMENTS

9.12.1. ProcedureforAmendmentThisCPSisreviewedannually.AmendmentsaremadebypostinganupdatedversionoftheCPStotheonlinerepository.ControlsareinplacetoreasonablyensurethatthisCPSisnotamendedandpublishedwithoutthepriorauthorizationoftheDCPA.

9.12.2. NotificationMechanismandPeriodDigiCertpostsCPSrevisionstoitswebsite.DigiCertdoesnotguaranteeorsetanotice‐and‐commentperiodandmaymakechangestothisCPSwithoutnoticeandwithoutchangingtheversionnumber.MajorchangesaffectingaccreditedCertificatesareannouncedandapprovedbytheaccreditingagencypriortobecomingeffective.TheDCPAisresponsiblefordeterminingwhatconstitutesamaterialchangeoftheCPS.

9.12.3. CircumstancesunderwhichOIDMustBeChangedTheDCPAissolelyresponsiblefordeterminingwhetheranamendmenttotheCPSrequiresanOIDchange.

9.13. DISPUTERESOLUTIONPROVISIONSPartiesarerequiredtonotifyDigiCertandattempttoresolvedisputesdirectlywithDigiCertbeforeresortingtoanydisputeresolutionmechanism,includingadjudicationoranytypeofalternativedisputeresolution.

9.14. GOVERNINGLAWThenationallawoftherelevantmemberstategovernsanydisputeinvolvingQualifiedCertificates.ExceptfordisputesinvolvingQualifiedCertificates,thelawsofthestateofUtahgoverntheinterpretation,construction,andenforcementofthisCPSandallproceedingsrelatedtoDigiCert’sproductsandservices,includingtortclaims,withoutregardtoanyconflictsoflawprinciples.ThestateofUtahhasnon‐exclusivevenueandjurisdictionoveranyproceedingsrelatedtotheCPSoranyDigiCertproductorservice.

9.15. COMPLIANCEWITHAPPLICABLELAWThisCPSissubjecttoallapplicablelawsandregulations,includingUnitedStatesrestrictionsontheexportofsoftwareandcryptographyproducts.Subjecttosection9.4.5’sNoticeandConsenttoUsePrivateInformationcontainedinCertificates,DigiCertmeetstherequirementsoftheEuropeandataprotectionlawsandhasestablishedappropriatetechnicalandorganizationmeasuresagainstunauthorizedorunlawfulprocessingofpersonaldataandagainsttheloss,damage,ordestructionofpersonaldata.

9.16. MISCELLANEOUSPROVISIONS

9.16.1. EntireAgreementDigiCertcontractuallyobligateseachRAtocomplywiththisCPSandapplicableindustryguidelines.DigiCertalsorequireseachpartyusingitsproductsandservicestoenterintoanagreementthatdelineatesthetermsassociatedwiththeproductorservice.IfanagreementhasprovisionsthatdifferfromthisCPS,thentheagreementwiththatpartycontrols,butsolelywithrespecttothatparty.Thirdpartiesmaynotrelyonorbringactiontoenforcesuchagreement.

9.16.2. AssignmentAnyentitiesoperatingunderthisCPSmaynotassigntheirrightsorobligationswithoutthepriorwrittenconsentofDigiCert.Unlessspecifiedotherwiseinacontactwithaparty,DigiCertdoesnotprovidenoticeofassignment.

9.16.3. SeverabilityIfanyprovisionofthisCPSisheldinvalidorunenforceablebyacompetentcourtortribunal,theremainderoftheCPSwillremainvalidandenforceable.EachprovisionofthisCPSthatprovidesforalimitationofliability,disclaimerofawarranty,oranexclusionofdamagesisseverableandindependentofanyotherprovision.

9.16.4. Enforcement(attorneys'feesandwaiverofrights)DigiCertmayseekindemnificationandattorneys'feesfromapartyfordamages,losses,andexpensesrelatedtothatparty'sconduct.DigiCert’sfailuretoenforceaprovisionofthisCPSdoesnotwaiveDigiCert’srighttoenforcethesameprovisionlaterorrighttoenforceanyotherprovisionofthisCPS.Tobeeffective,waiversmustbeinwritingandsignedbyDigiCert.

9.16.5. ForceMajeureDigiCertisnotliableforanydelayorfailuretoperformanobligationunderthisCPStotheextentthatthedelayorfailureiscausedbyanoccurrencebeyondDigiCert’sreasonablecontrol.TheoperationoftheInternetisbeyondDigiCert’sreasonablecontrol.

9.17. OTHERPROVISIONSNostipulation.

APPENDIXA:SAMPLEOPINIONLETTER

[Date]To: DigiCert,Inc. 2801N.ThanksgivingWay Suite500 Lehi,UT84043 Email:[email protected] Fax:801‐705‐0481Re: DigitalCertificatefor[Exactcompanynameofclient–seefootnote1](“Client”)

ThisfirmrepresentsClient,whoaskedthatI,asits[accountant,lawyer,solicitors,barrister,advocate,etc.],attesttothefollowinginformationsolelyasrelatedtotheClient’sapplicationforadigitalcertificate.

AfterreviewingtheClient’srecordsandbasedonmyinvestigation,myprofessionalopinionisthat:

1. Clientisadulyformed[corporation,LLC,etc.]underthelawsofthe[state/province]of[nameof

governingjurisdictionwhereClientisincorporatedorregistered];is“active,”“valid,”“current,”ortheequivalent;andisnotunderanyknownlegaldisability.

2. [Ifapplicable]TheRomanizedtransliterationofClient’sformallegalnameis:[Romanizedname].

3. [Ifapplicable]Clientconductsbusinessunderthe[assumed/DBA/trade]nameof[assumednameofClient].Clienthasacurrentlyvalidregistrationofthenamewiththegovernmentagencythathasjurisdictionovertheplaceofbusinesslistedbelow.

4. Theaddresswhere[Client,Client’sparent,orClient’ssubsidiary–selectone]conductsbusinessoperationsis:[Insertplaceofbusiness–thisshouldmatchtheaddressonthecertificateapplication]

5. AmaintelephonenumberatClient’splaceofbusinessis:

[Insertprimarytelephonenumberofbusiness]

6. [NameofClient’sRepresentative–seefootnote2]isanindividual(orareindividuals)withtheauthoritytoactonbehalfofClientto:a) ProvideinformationabouttheClientcontainedinthereferencedapplication,b) Requestoneormoredigitalcertificatesanddesignateotherpersonstorequestdigital

certificates,andc) AgreetothecontractualobligationscontainedinDigiCert’sagreements.

7. [NameandtitleofClient’sRepresentative],whoisClient’s[TitleofClientRepresentative],canbecontactedat:Email:[EmailaddressofClientRepresentative]Phone:[PhonenumberofClientRepresentative]

8. Clienthaseitheroperatedasabusinessforthreeormoreyearsorhasanactivedepositaccountheldatabankorotherfinancialinstitutionwherefundsdepositedarepayableondemand.

9. Clienthastheexclusiverighttousethefollowingdomainname(s)inidentifyingitselfontheInternetandisawarethatithassuchcontrol:[Insertdomainnames]

Althoughwedidnotfindanyexceptionstotheaboveidentificationprocedures,theseproceduresdonot

constituteanauditoropinionofClient'sapplicationforadigitalcertificate.WearenotexpressinganopiniononClient'sdigitalcertificateapplicationandhaveprovidedthislettersolelyforthebenefitofDigiCertinconnectionwithClient'sapplicationforadigitalcertificate.Nootherpersonorentitymayrelyonthisletterwithoutmyexpresswrittenconsent.Thislettershallnotbequotedinwholeorinpart,used,publishedorotherwisereferredtoorrelieduponinanymanner,including,withoutlimitation,inanyfinancialstatementorotherdocument.Signature:__________________________________________________PrintAccountant/AttorneyName:______________________________________________________PhoneNumber:_____________________________________________Email:_____________________________________________FirmName:_____________________________________________Licensedin:___________________________________Licensenumber,ifany:__________________________________Contactinformationforlicensingagencywherethisaccountant's/attorney'slicenseinformationmaybeverified:___________________________________________________________________Note1:ThismustbetheClient’sexactcorporatenameasregisteredwiththerelevantIncorporatingAgency

intheClient’sJurisdictionofIncorporation.Note2:APowerofAttorneyfromanofficeroftheClientwhohasthepowertodelegateauthorityissufficient

toestablishtheClientRepresentative’sactualauthority.Multiplerepresentativesmaybelisted.Note3:In‐housecounseloftheClientmaysubmitthisletterifpermittedbytherulesofyourjurisdiction.Note4: Thislettermaybesubmittedbymail,fax,oremail.

digicert certification practices statement, v. 4 · digicert certification practices statement ......

Documents