
CA's services administration processes and procedures

CA Business Practices Disclosure

The Certification Authority discloses its business practices, including but not limited to the following:

General

Identification of each CP and CPS for which the CA issues certificates

Community and applicability, including a description of the types of entities within the PKI and the applicability of certificates issued by the CA

Contact details and administrative provisions, including:

    * Contact person
    * Identification of Policy Authority
    * Street address
    * Version and effective date(s) of each CP and CPS

Any applicable provisions regarding apportionment of liability

Financial responsibility, including:

    * Indemnification by relying parties
    * Fiduciary relationships

Interpretation and enforcement, including:

    * Governing law
    * Severability, survival, merger, and notice
    * Dispute resolution procedures

Fees, including:

    * Certificate issuance or renewal fees
    * Certificate access fees
    * Revocation or status information access fees
    * Fees for other services such as policy information
    * Refund policy

Publication and repository requirements, including:

    * Publication of CA information
    * Frequency of publication
    * Access controls

Compliance audit requirements, including:

    * Frequency of entity compliance audit
    * Auditor's relationship to audited party
    * Topics covered by audit
    * Actions taken as a result of deficiency
    * Communication of results

Description of the conditions for applicability of certificates issued by the CA that reference a specific Certificate Policy, including:

    * Specific permitted uses for the certificates if such use is limited to specific applications
    * Limitations on the use of certificates if there are specified prohibited uses for such certificates

CA and/or RA obligations:

    * Notification of issuance of a certificate to the subscriber who is the subject of the certificate being issued
    * Notification of issuance of a certificate to others than the subject of the certificate
    * Notification of revocation or suspension of a certificate to the subscriber whose certificate is being revoked or suspended
    * Notification of revocation or suspension of a certificate to others than the subject whose certificate is being revoked or suspended.

RA obligations, including:

    * Identification and authentication of subscribers
    * Validation of revocation and suspension requests
    * Verification of subscriber renewal or rekey requests

Repository obligations, including:

    * Timely publication of certificates and Certificate Revocation Lists

Subscriber obligations, including:

    * Accuracy of representations in certificate application
    * Protection of the subscriber's private key
    * Restrictions on private key and certificate use
    * Notification upon private key compromise

Relying party obligations, including:

    * Purposes for which certificate is used
    * Digital signature verification responsibilities
    * Revocation and suspension checking responsibilities
    * Acknowledgment of applicable liability caps and warranties

Any applicable reliance or financial limits for certificate usage

Certificate Life Cycle Management

Whether certificate suspension is supported

Initial registration, including a description of the CA's requirements for the identification and authentication of subscribers and validation of certificate requests during entity registration or certificate issuance:

    * Types of names assigned to the subject and rules for interpreting various name forms
    * Whether names have to be meaningful or not
    * Whether names have to be unique
    * How name claim disputes are resolved
    * Recognition, authentication, and role of trademarks
    * If and how the subject must prove possession of the companion private key for the public key being provided for a certificate
    * How the subscriber's public key is provided securely to the CA for issuance of a certificate
    * Authentication requirements for organizational identity of subject
    * Authentication of individual identity
    * Required certificate request data
    * How the CA verifies the authority of the subscriber to request a certificate
    * How the CA verifies the accuracy of the information included in the subscriber's certificate request
    * Whether the CA checks certificate requests for errors or omissions

Registration requirements where external Registration Authorities are used, including the CA's procedures for:

    * Validating the identity of external Registration Authorities
    * Authorizing external Registration Authorities
    * Requirements for the external Registration Authority to secure that part of the certificate application, certificate renewal, and certificate rekey processes for which the RA assumes responsibility
    * How the CA verifies the authenticity of certificate request submissions received from an external RA

Certificate renewal, including a description of the CA's procedures for the following:

    * Notifying subscribers of the need for renewal
    * Identification and authentication
    * Renewal request verification

Certificate issuance, including a description of the requirements regarding the following:

    * Issuance of a certificate
    * Notification to the applicant of such issuance
    * Certificate format requirements
    * Validity period requirements
    * Extension field requirements (meaning, what extension fields are honored, and how they are to be populated)

Certificate acceptance, including a description of the requirements regarding acceptance of an issued certificate and for consequent publication of certificates

Certificate revocation, including:

    * Circumstances under which a certificate may or must be revoked
    * Identification and authentication procedures required for revocation requests
    * Procedures used for initiation, authorization, and verification of certificate revocation requests
    * Revocation request grace period available to the subscriber
    * Any variations on the preceding stipulations in the event that the revocation is the result of private key compromise (as opposed to other reasons for revocation)
    * Procedures to provide a means of rapid communication to facilitate the secure and authenticated revocation of:
      (1) one or more certificates of one or more entities;
      (2) the set of all certificates issued by a CA based on a single public/private key pair used by a CA to generate certificates; and
      (3) all certificates issued by a CA, regardless of the public/private key pair used
    * Procedures for notifying the subscriber upon revocation of the subscriber's certificate
    * Whether the external Registration Authority is notified upon the revocation of a subscriber's certificate for which the revocation request was processed by the external RA
    * How and when the subscriber's certificate status information is updated upon certificate revocation

Certificate suspension, including:

    * Circumstances under which a certificate may or must be suspended
    * Identification and authentication procedures required for revocation requests
    * Procedures used for initiation, authorization, and verification of certificate suspension requests
    * How long the suspension may last
    * Circumstances under which the suspension of a certificate may or must be lifted
    * Authorization criteria to request the lifting of a certificate suspension
    * Any variations on the preceding stipulations if the suspension is the result of private key compromise (as opposed to other reasons for suspension)
    * Procedures to provide a means of rapid communication to facilitate the secure and authenticated suspension of:
      (1) one or more certificates of one or more entities;
      (2) the set of all certificates issued by a CA based on a single public/private key pair used by a CA to generate certificates; and
      (3) all certificates issued by a CA, regardless of the public/private key pair used
    * Procedures for notifying the subscriber upon suspension of the subscriber's certificate
    * Whether the external RA is notified upon the suspension of a subscriber's certificate for which the suspension request was processed or submitted by the external RA
    * How and when the subscriber's certificate status information is updated upon certificate suspension and the lifting of a certificate suspension

 

    * Adequacy of Security policies and implementation
    * Existence of adequate physical security
    * Evaluation of Functionalities in Technology as it supports CA operations
    * Compliance to relevant CPS as approved and provided by the Controller
    * Adequacy of contracts/agreements for all outsourced CA operations
    * Adherence to the Information Technology Act, 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time
 

Contact Details

Controller of Certifying Authorities
Electronics Niketan,
6 CGO Complex, Lodhi Road,
New Delhi - 110003
FAX : 91-011-24369578
info@cca.gov.in

©2008 CCA. All rights reserved.