Department of Labor: dst-aces-cps-v20040617
    8/14/2019 Department of Labor: dst-aces-cps-v20040617 (page 1 of 121)

    June 14, 2004

    Certification Practices Statement of Digital Signature Trust for the Access Certificates for Electronic Services Program

    Digital Signature Trust, LLC

    Version 4.1

    June 14, 2004


    TABLE OF CONTENTS

    SECTION PAGE

    SECTION 1 INTRODUCTION ........................................................................................... 1

    1.1 OVERVIEW............................................................................................................. 1

    1.2 POLICY IDENTIFICATION................................................................................... 1

    1.3 COMMUNITY AND APPLICABILITY................................................................. 2

    1.3.1 Certificate Service Providers ............ 3

    1.3.1.1 Certification Authorities (CAs) ............ 3

    1.3.1.2 Registration Authorities (RAs) and Trusted Agents ............ 3

    1.3.1.3 Certificate Manufacturing Authorities (CMAs) ............ 4

    1.3.1.4 Repositories ............ 4

    1.3.2 End Entities ............ 4

    1.3.2.1 Subscribers ............ 4

    1.3.2.2 Relying Parties ............ 4

    1.3.2.3 Agency and Relying Party Applications ............ 5

    1.3.2.3.1 Agency and Relying Party Application SSL Server Certificates ............ 5

    1.3.2.3.2 Agency and Relying Party Application (Mutual Authentication and Signing) ............ 5

    1.3.2.3.3 Agency and Relying Party Application (Encryption) ............ 5

    1.3.2.3.4 Agency and Relying Party Application (Other) ............ 5

    1.3.3 Policy Authority ............................................................................................... 5

    1.3.4 Applicability ............ 6

    1.3.4.1 Purpose ............ 6

    1.3.4.2 Suitable Uses ............ 8

    1.4 CONTACT DETAILS.............................................................................................. 8

    1.4.1 Organization Responsible for this Certification Practice Statement ................ 8

    1.4.2 Contact Person ............ 9

    1.4.3 Person Determining Suitability of this CPS ............ 9

    SECTION 2 GENERAL PROVISIONS............................................................................ 10

    2.1 OBLIGATIONS ..................................................................................................... 10

    2.1.1 CAs Obligations ............................................................................................ 10

    2.1.2 RA / Trusted Agent Obligations..................................................................... 11

    2.1.3 CMA Obligations ........................................................................................... 11

    2.1.4 Repository Obligations ................................................................................... 11

    2.1.5 Subscriber Obligations ................................................................................... 12

    2.1.6 Relying Party Obligations ............ 12

    2.1.7 Policy Authority Obligations ............ 13

    2.2 LIABILITIES ......................................................................................................... 13

    2.2.1 DST Liability.................................................................................................. 15

    2.2.2 RA, CMA, and Repository Liability .............................................................. 15

    2.3 FINANCIAL RESPONSIBILITY.......................................................................... 15

    2.3.1 Indemnification by Relying Parties ................................................................ 15

    2.3.3 Fiduciary Relationships .................................................................................. 15


    2.3.4 Administrative Processes................................................................................ 15

    2.4 INTERPRETATION AND ENFORCEMENT ...................................................... 15

    2.4.1 Governing Law............................................................................................... 15

    2.4.2 Severability, Survival, Merger, Notice........................................................... 16

    2.4.3 Dispute Resolution Procedures ...................................................................... 16

    2.5 FEES ............ 16

    2.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees ............ 16

    2.5.2 Certificate Access Fees................................................................................... 16

    2.5.3 Revocation Status Information Access Fees (Certificate Validation Services) ............ 16

    2.5.4 Fees for Other Services such as Policy Information ...................................... 16

    2.5.5 Refund Policy ................................................................................................. 17

    2.6 PUBLICATION AND REPOSITORY .................................................................. 17

    2.6.1 Publication of Information ............................................................................. 17

    2.6.2 Frequency of Publication................................................................................ 17

    2.6.3 Access Controls .............................................................................................. 17

    2.6.4 Repositories ............ 17

    2.7 INSPECTIONS AND REVIEWS ............ 18

    2.7.1 Certification and Accreditation ............ 18

    2.7.1.1 Frequency of Certification Authority Compliance Review ............ 18

    2.7.1.2 Identity/Qualifications of Reviewer ............ 18

    2.7.1.3 Auditor's Relationship to Audited Party ............ 18

    2.7.1.4 Communication of Results ............ 19

    2.7.2 Quality Assurance Inspection and Review ............ 19

    2.7.2.1 Topics Covered by Quality Assurance Inspection and Review ............ 19

    2.7.2.2 Identity/Qualifications of Reviewer ............ 19

    2.7.2.3 Auditor's Relationship to Audited Party ............ 19

    2.7.2.4 Audit Compliance Report ............ 19

    2.7.2.5 Actions Taken as a Result of Deficiency ............ 19

    2.7.2.6 Communication of Results ............ 19

    2.8 CONFIDENTIALITY ............................................................................................ 20

    2.8.1 Types of Information to Be Kept Confidential ............ 20

    2.8.1.1 Privacy Policy and Procedures ............ 20

    2.8.1.2 Subscriber Information ............ 20

    2.8.1.3 GSA and Other Government Information ............ 21

    2.8.2 Types of Information Not Considered Confidential....................................... 21

    2.8.3 Disclosure of Certificate Revocation/Suspension Information ...................... 21

    2.8.4 Release to Law Enforcement Officials........................................................... 21

    2.9 SECURITY REQUIREMENTS............................................................................. 22

    2.9.1 System Security Plan ...................................................................................... 22

    2.9.2 Risk Management ............ 22

    2.9.3 Certification and Accreditation ............ 23

    2.9.4 Rules of Behavior ........................................................................................... 23

    2.9.5 Contingency Plan............................................................................................ 23

    2.9.6 Incident Response Capability......................................................................... 23

    2.10 INTELLECTUAL PROPERTY RIGHTS.............................................................. 23


    SECTION 3 IDENTIFICATION AND AUTHENTICATION ....................................... 24

    3.1 INITIAL REGISTRATION ................................................................................... 24

    3.1.1 Types of Names ............ 24

    3.1.1.1 ACES Unaffiliated Individual Digital Signature and Encryption Certificates ............ 24

    3.1.1.2 ACES Business Representative Digital Signature and Encryption Certificates ............ 24

    3.1.1.3 ACES Agency (Relying Party Applications) Digital Signature and Encryption Certificates ............ 25

    3.1.1.4 Agency Application SSL Server Certificates ............ 25

    3.1.1.5 ACES Federal Employee Digital Signature and Encryption Certificates ............ 25

    3.1.2 Name Meanings ............ 26

    3.1.2.1 ACES Unaffiliated Individual Digital Signature and Encryption Certificates ............ 26

    3.1.2.2 ACES Business Representative Digital Signature and Encryption Certificates ............ 26

    3.1.2.3 ACES Agency (Relying Party Applications) Digital Signature and Encryption Certificates ............ 27

    3.1.2.4 ACES DST Digital Signature Certificates ............ 27

    3.1.2.5 Agency Application SSL Server Certificates ............ 27

    3.1.2.6 ACES Federal Employee Digital Signature and Encryption Certificates ............ 27

    3.1.3 Rules for Interpreting Various Name Forms ............ 27

    3.1.4 Name Uniqueness ............ 27

    3.1.5 Name Claim Dispute Resolution Procedures ................................................. 28

    3.1.6 Recognition, Authentication, and Role of Trademarks .................................. 29

    3.1.7 Verification of Possession of Key Pair ............ 29

    3.1.7.1 Hardware Tokens ............ 29

    3.1.7.2 Use of Shared Secrets ............ 29

    3.1.8 Authentication of Sponsoring Organization Identity ..................................... 30

    3.1.9 Authentication of Individual Identity ............ 30

    3.1.9.1 Authentication of ACES Unaffiliated Individual Digital Signature and Encryption Certificates ............ 31

    3.1.9.2 Authentication of ACES Business Representative Digital Signature and Encryption Certificates ............ 32

    3.1.9.3 Authentication of ACES Agency (Relying Party Applications) Digital Signature and Encryption Certificates ............ 33

    3.1.9.4 Authentication of Component Identity ............ 33

    3.1.9.5 Authentication of ACES Federal Employee Digital Signature and Encryption Certificates ............ 34

    3.1.9.6 Other Certificates ............ 35

    3.2 CERTIFICATE RENEWAL, UPDATE AND ROUTINE REKEY..................... 35

    3.2.1 Certificate Renewal ........................................................................................ 36

    3.2.2 Certificate Rekey ................................................................................................. 36

    3.2.3 Certificate Update........................................................................................... 36

    3.3 REKEY AFTER REVOCATION .......................................................................... 37

    3.4 REVOCATION REQUEST ................................................................................... 37

    SECTION 4 OPERATIONAL REQUIREMENTS.......................................................... 38

    4.1 CERTIFICATE APPLICATION ........................................................................... 38

    4.1.1 Application Initiation ............ 38

    4.1.1.1 Application Form ............ 39

    4.1.1.2 Applicant Education and Disclosure ............ 39


    4.1.2 Enrollment Process / DST's Secure Registration Messaging Protocol ............ 39

    4.1.3 Enrollment Process / Bulk Loading....................................................................... 39

    4.1.4 Application Rejection..................................................................................... 40

    4.2 CERTIFICATE ISSUANCE .................................................................................. 41

    4.2.1 Certificate Delivery ........................................................................................ 41

    4.2.2 Certificate Replacement ............ 42

    4.3 CERTIFICATE ACCEPTANCE ............ 42

    4.4 CERTIFICATE REVOCATION............................................................................ 43

    4.4.1 Who Can Request Revocation ........................................................................ 43

    4.4.2 Circumstances for Revocation ............ 43

    4.4.2.1 Permissive Revocation ............ 43

    4.4.2.2 Required Revocation ............ 43

    4.4.3 Procedure for Revocation Request ................................................................. 44

    4.4.4 Revocation Request Grace Period .................................................................. 45

    4.4.5 Certificate Authority Revocation Lists/Certificate Revocation Lists ............ 45

    4.4.5.1 CRL Issuance Frequency ............ 45

    4.4.5.2 CRL Checking Requirements ............ 46

    4.4.6 Online Revocation/Status Checking Availability ............ 46

    4.4.7 Online Revocation Checking Requirements .................................................. 47

    4.4.8 Other Forms of Revocation Advertisements Available.................................. 47

    4.4.9 Checking Requirements for Other Forms of Revocation Advertisements ..... 47

    4.4.10 Special Requirements re Key Compromise.................................................... 47

    4.5 CERTIFICATE SUSPENSION ............................................................................. 47

    4.5.1 Circumstances for Suspension........................................................................ 47

    4.5.2 Who Can Request Suspension ........................................................................ 48

    4.5.3 Procedure for Suspension Request ................................................................. 48

    4.6 COMPUTER SECURITY AUDIT PROCEDURES ............................................. 48

    4.6.1 Types of Events Recorded ............ 48

    4.6.2 Frequency of Processing Data ............ 48

    4.6.3 Retention Period for Security Audit Data ...................................................... 48

    4.6.4 Protection of Security Audit Data .................................................................. 48

    4.6.5 Security Audit Data Backup Procedures ........................................................ 49

    4.6.6 Security Audit Collection System (Internal vs. External).............................. 49

    4.6.7 Notification to Event-Causing Subject........................................................... 49

    4.6.8 Vulnerability Assessments ............................................................................. 49

    4.7 RECORDS ARCHIVAL.............................................................................................. 49

    4.7.1 Types of Events Recorded.............................................................................. 49

    4.7.2 Retention Period for Archive.......................................................................... 50

    4.7.3 Protection of Archive ............ 50

    4.8 KEY CHANGEOVER ............ 51

    4.9 COMPROMISE AND DISASTER RECOVERY ................................................. 51

    4.9.1 Computing Resources, Software, and/or Data are Corrupted ........................ 51

    4.9.2 DST Public Key Is Revoked........................................................................... 51

    4.9.3 DST Private Key Is Compromised (Key Compromise Plan) ......................... 51

    4.9.4 Secure Facility after a Natural or Other Disaster (Disaster Recovery Plan) .. 52

    4.10 AUTHORIZED CA CESSATION OF SERVICES ............................................... 52


    4.11 CUSTOMER SERVICE CENTER ........................................................................ 53

    4.12 PRIVATE KEY RECOVERY............................................................................... 53

    4.12.1 Circumstances for private key recovery......................................................... 54

    4.12.2 Key Recovery Roles; Who can request private key recovery ........................ 54

    4.12.3 Procedure for Private Key Recovery Request ................................................ 55

    SECTION 5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS ............ 57

    5.1 PHYSICAL SECURITY CONTROLS.................................................................. 57

    5.1.1 Physical Access Controls ............................................................................... 57

    5.1.2 Security Checks .............................................................................................. 58

    5.1.3 Media Storage................................................................................................. 58

    5.1.4 Environmental Security .................................................................................. 58

    5.1.5 Off-Site Backup.............................................................................................. 59

    5.2 PROCEDURAL CONTROLS ............................................................................... 60

    5.2.1 Trusted Roles ............ 60

    5.2.1.1 Physical Security ............ 60

    5.2.2 Number of Persons Required Per Task .......................................................... 60

    5.2.3 Identification and Authentication for Each Role............................................ 61

    5.2.4 Hardware/Software Maintenance Controls .................................................... 61

    5.2.5 Documentation ............................................................................................... 61

    5.2.6 Security Awareness and Training................................................................... 62

    5.3 PERSONNEL SECURITY CONTROLS .............................................................. 63

    5.3.1 Access Authorization...................................................................................... 63

    5.3.2 Limited Access ............ 63

    5.3.2.1 Background Screening ............ 63

    5.3.2.2 Least Privilege ............ 64

    5.3.2.3 Separation of Duties ............ 64

    5.3.2.4 Individual Accountability ............ 65

    SECTION 6 TECHNICAL SECURITY CONTROLS ................................................... 66

    6.1 KEY PAIR GENERATION AND INSTALLATION ........................................... 66

    6.1.1 Key Pair Generation ............ 66

    6.1.1.1 CA Key Pair Generation ............ 66

    6.1.1.2 Hardware/Software Key Generation for Program Participants ............ 66

    6.1.2 Private Key Delivery to Entity/Owner ........................................................... 67

    6.1.3 Subscriber Public Key Delivery to DST ........................................................ 67

    6.1.4 CA Public Key Delivery to Users ............ 67

    6.1.5 Key Sizes ............ 67

    6.1.6 Public Key Parameters Generation................................................................. 68

    6.1.7 Parameter Quality Checking........................................................................... 68

    6.1.8 Key Usage Purposes ....................................................................................... 68

    6.1.9 Private Key Shared by Multiple Subscribers ....................................................... 68

    6.1.10 Date/Time Stamps .......................................................................................... 68

    6.2 PRIVATE KEY PROTECTION ............................................................................ 69


    6.2.1 Standards for Cryptographic Module ............................................................. 69

    6.2.2 Private Key Backup........................................................................................ 69

    6.2.3 Private Key Archival ...................................................................................... 70

    6.2.4 Private Key Entry into Cryptographic Module .............................................. 70

    6.2.5 Method of Activating Private Keys ................................................................ 70

    6.2.6 Method of Deactivating Private Keys ............ 70

    6.2.7 Method of Destroying Subscriber Private Signature Keys ............ 70

    6.3 GOOD PRACTICES REGARDING KEY PAIR MANAGEMENT .................... 71

    6.3.1 Public Key Archival ....................................................................................... 71

    6.3.2 Private Key Archival ...................................................................................... 71

    6.3.3 Usage Periods for the Public and Private Keys (Key Replacement).............. 71

    6.3.4 Restrictions on CA's Private Key Use ............................................................ 71

    6.4 ACTIVATION DATA ........................................................................................... 71

    6.4.1 Activation Data Generation and Installation.................................................. 71

    6.4.2 Activation Data Protection ............................................................................. 71

    6.5 COMPUTER SECURITY CONTROLS................................................................ 72

    6.5.1 Audit ............ 72

    6.5.2 Technical Access Controls ............ 73

    6.5.3 Identification and Authentication ................................................................... 73

    6.5.4 Trusted Paths .................................................................................................. 74

    6.6 LIFE CYCLE TECHNICAL CONTROLS............................................................ 74

    6.6.1 System Development Controls ....................................................................... 74

    6.6.2 Security Management Controls ...................................................................... 74

    6.6.3 Object Reuse................................................................................................... 75

    6.7 NETWORK SECURITY CONTROLS.................................................................. 75

    6.7.1 Remote Access/ Dial-Up Access.................................................................... 76

    6.7.2 Firewalls ......................................................................................................... 76

    6.7.3 Encryption ...................................................................................................... 76

    6.7.4 Interconnections ............ 76

    6.7.4.1 Connectivity with Internet and Other WANs ............ 76

    6.7.5 Router ............................................................................................................. 77

    6.7.6 Inventory of Network Hardware and Software .............................................. 77

    6.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS........................... 77

    SECTION 7 CERTIFICATE AND CRL PROFILES ..................................................... 78

    7.1 CERTIFICATE PROFILE ..................................................................................... 78

    7.1.1 Version Numbers............................................................................................ 78

    7.1.2 Certificate Extensions ............ 78

    7.1.3 Algorithm Object Identifiers ............ 78

    7.1.4 Name Forms ................................................................................................... 79

    7.1.5 Name Constraints ........................................................................................... 79

    7.1.6 Certificate Policy Object Identifiers............................................................... 79

    7.1.7 Usage of Policy Constraints Extension .......................................................... 79

    7.1.8 Policy Qualifiers Syntax and Semantics......................................................... 79

    7.1.9 Processing Semantics for the Critical Certificate Policy Extension............... 79


    7.2 CRL PROFILE ....................................................................................................... 79

    SECTION 8 POLICY ADMINISTRATION .................................................................... 80

    8.1 POLICY CHANGE PROCEDURES ..................................................................... 80

    8.1.1 List of Items ............ 80

    8.1.2 Comments ............ 80

    8.2 PUBLICATION AND NOTIFICATION PROCEDURES.................................... 80

    8.3 CPS APPROVAL PROCEDURES ........................................................................ 80

    8.4 Waivers................................................................................................................... 80

    SECTION 9 ACES PRIVACY POLICY AND PROCEDURES .................................... 81

    9.1 Administrative, Technical, and Physical Safeguards ............................................ 81

    9.1.1 Handling of Information........................................................................................ 81

    9.1.2 Information Provided to Certificate Applicant...................................................... 82

9.1.3 Limitations on Collection, Maintenance and Dissemination of Data ................... 82

9.1.4 Notice of Existence of Records ............................................................................. 82

    9.1.5 Access to Records by Covered Individual ............................................................ 83

9.1.6 Amendment of Records ......................................................................................... 84

9.1.6.1 Handling of Request to Amend Record .............................................................. 85

9.1.6.2 Handling of Request to Review Refusal to Amend Record ................................ 86

9.1.6.3 Notification of Right to Appeal to GSA ............................................................. 86

    9.1.7 Disclosure Accounting .......................................................................................... 87

    9.1.8 Reports................................................................................................................... 87

    9.1.9 Certificate Issuance Warrants................................................................................ 87

    APPENDIX A RELYING PARTY AGREEMENT.................................................... 88

    APPENDIX B ACRONYMS AND ABBREVIATIONS ............................................ 89

    GLOSSARY .......................................................................................................................... 93

    APPENDIX C AUDITABLE EVENTS TABLE ....................................................... 106

    APPENDIX D APPLICABLE FEDERAL AND GSA REGULATIONS ............... 112

    APPENDIX E CERTIFICATE PROFILES .................................................................. 113


    SECTION 1

    INTRODUCTION

    1.1 OVERVIEW

This Certification Practices Statement (CPS) describes the certification practices of Digital Signature Trust, an Identrus company (DST), related to its operations as a Certification Authority (CA) authorized to issue digital certificates in accordance with the Certificate Policy (CP) for the Access Certificates for Electronic Services (ACES) program of the United States Government. This CPS covers the operation of systems and management of facilities used to provide public key infrastructure (PKI) services described in the DST Concept of Operations, which include Certification Authority (CA), Registration Authority (RA), and repository functionality.

In addition to this CPS, the ACES Certificate Policy (ACES CP) and the United States Government Common Policy CP may further specify requirements applicable to a particular project, contract or set of contracts, or issuance of a class of certificates undertaken by DST.

In particular, this CPS addresses the following:

(1) the roles, responsibilities, and relationships among DST, Trusted Agents, Registration Authorities (RAs), Certificate Manufacturing Authorities (CMAs), Repositories, Subscribers, Relying Parties, and the Policy Authority (referred to collectively as Program Participants);

(2) obligations and operational responsibilities of the Program Participants; and

(3) DST's policies and practices for the issuance, delivery, management, and use of ACES Certificates to verify digital signatures.

In the event that there is any inconsistency between this CPS, the ACES CP, and DST's ACES Contract with GSA, the GSA ACES Contract provisions take precedence over the CP, which will take precedence over the CPS, even though this CPS may describe in more detail the policies, practices and procedures implemented by DST in order to comply with the ACES CP and its ACES Contract with GSA.

    1.2 POLICY IDENTIFICATION

This CPS is DST's ACES CPS version 4.0. This CPS alone is not intended to provide the basis for any contractual obligations. Certificates are differentiated by function (signature or encryption), key storage method (software module or hardware token) and by the certificate subject or holder (unaffiliated individual, business representative, Federal employee, etc.). See Section 1.3. DST issues ACES certificates under the following policy OIDs:


DST's ACES CA Certificate: {2 16 840 1 101 3 2 1 1 1}
ACES Unaffiliated Individual Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 2}
ACES Unaffiliated Individual Encryption Certificates: {2 16 840 1 101 3 2 1 1 2}
ACES Business Representative Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 3}
ACES Business Representative Encryption Certificates: {2 16 840 1 101 3 2 1 1 3}
ACES Relying Party Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 4}
ACES Relying Party Encryption Certificates: {2 16 840 1 101 3 2 1 1 4}
ACES Agency Application SSL Server Certificates: {2 16 840 1 101 3 2 1 1 5}
ACES Federal Employee Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 6}
ACES Federal Employee Encryption Certificates: {2 16 840 1 101 3 2 1 1 6}
ACES Federal Employee Digital Signature Certificates on Hardware Token: {2 16 840 1 101 3 2 1 1 7}
ACES Federal Employee Encryption Certificates on Hardware Token: {2 16 840 1 101 3 2 1 1 7}

All ACES Certificates issued by DST under this CPS include the appropriate OID for the applicable certificate in the Certificate Policies field of the Certificate. The foregoing OIDs are placed in certificates only as specifically authorized by the ACES CP. Upon approval by the Federal PKI Policy Authority for cross certification with the Federal Bridge Certification Authority (FBCA), ACES certificates issued by DST will support interoperability between the ACES PKI and another PKI by asserting the appropriate FBCA CP OIDs in the policyMappings extension. Certificates issued in accordance with other approved federal government certificate policies may assert other OIDs upon approval of the relevant policy authorities.

    1.3 COMMUNITY AND APPLICABILITY

The ACES PKI is a bounded public key infrastructure. The ACES CP and this CPS describe the rights and obligations of persons and entities authorized under the CP to fulfill any of the following roles: Certificate Service Provider roles, End Entity roles, and Policy Authority role. Certificate Service Provider roles are CA, Trusted Agent, RA, CMA, and Repository. End Entity roles are Subscriber--Unaffiliated Individual, Business Representative, Federal Employee, Server, Agency Application, State and


registration functions without use of automated RA interfaces with DST's CA system.

    1.3.1.3 Certificate Manufacturing Authorities (CMAs)

DST performs the role and functions of CMA. DST may also receive assistance in performing its CMA functions from GSA-approved contracting third parties who agree to be subject to and bound by the ACES CP with respect to CMA services.

    1.3.1.4 Repositories

DST performs the role and functions of Repository. DST may also receive assistance in performing its Repository functions from GSA-approved contracting third parties who agree to be subject to and bound by the ACES CP with respect to Repository services.

    1.3.2 End Entities

    1.3.2.1 Subscribers

DST issues ACES Certificates to the following classes of Subscribers:

(a) Members of the general public (Unaffiliated Individuals);

(b) Individuals authorized to act on behalf of business entities (i.e., Sponsoring Organizations) recognized by DST, such as employees, officers, and agents of a Sponsoring Organization (Business Representatives);

(c) Government employees authorized to act on behalf of state and local government organizations;

(d) Federal Employees [1] authorized to act on behalf of federal Sponsoring Organizations recognized by DST, such as employees, officers, and agents of an Eligible Federal Agency, entity, or department. Eligible Federal agencies and entities include all Federal agencies, authorized Federal Contractors, agency-sponsored universities and laboratories, other organizations, and, if authorized by law, state, local, and tribal governments. All organizations listed in GSA Order ADM 4800.2D (as updated) are also eligible. The Government has the right to add authorized users in these categories pursuant to the ACES CP;

(e) Relying Parties that choose to use ACES; and

(f) Agency Application Servers.

    1.3.2.2 Relying Parties

Relying Parties are those persons and entities authorized by either GSA or DST to accept and rely upon ACES Certificates for purposes of verifying digital signatures on electronic records and messages. Agencies desiring to become Relying Parties must enter into a GSA ACES Relying Party Agreement via a Memorandum of Understanding (MOA) to accept ACES Certificates and agree to be bound by the terms of the ACES CP. The Government may specify Relying Parties pursuant to the ACES CP. Any party other than an Agency desiring to become a Relying Party must enter into a DST ACES Relying Party Agreement with DST. DST shall have no liability to any Relying Party with respect to any DST-issued ACES certificate unless that party has entered into a GSA ACES Relying Party Agreement or a DST ACES Relying Party Agreement that remains in force at the time the certificate is relied upon.

[1] Any Business Representative Certificates issued to Federal Employees prior to the implementation of Federal Employee Certificates shall remain in effect until they expire.

    1.3.2.3 Agency and Relying Party Applications

DST issues certificates to federal, state and local Agency and Relying Party Applications for various purposes as described below.

    1.3.2.3.1 Agency and Relying Party Application SSL Server Certificates

DST issues Agency Application SSL Server Certificates for use on federal, state and local Agency Servers to allow mutual authentication and/or trusted SSL communications with the federal, state or local agency's or Relying Party's customers. These certificates are issued to the agency or Relying Party server where the common name is the registered Domain Name of the Webserver and allow for server and client authentication through the extendedKeyUsage extension.

1.3.2.3.2 Agency and Relying Party Application (Mutual Authentication and Signing)

DST issues signing-only certificates to federal, state and local agency and Relying Party applications for mutual authentication and for the purpose of providing Agency and Relying Party Customers with signed return receipt notifications acknowledging that the agency or relying party application received the customer's transaction or to sign internal data (customer transactions, Application log files or agency archive data) where required by the agency policies.

    1.3.2.3.3 Agency and Relying Party Application (Encryption)

DST issues data encryption certificates to federal, state and local agency and relying party applications for the purpose of encrypting sensitive data where agency or relying party policy dictates.

    1.3.2.3.4 Agency and Relying Party Application (Other)

DST may issue other certificate types as needed by a federal, state or local agency, relying party, or agency or relying party application. See Section 3.1.9.6 for further information.

    1.3.3 Policy Authority

GSA is the Policy Authority responsible for organizing and administering the ACES CP and ACES Contract(s).

    1.3.4 Applicability

    1.3.4.1 Purpose

DST and its Subscribers may use ACES Digital Signature Certificates to mutually authenticate Subscribers and Relying Party applications. Subscribers and Agency Applications may use ACES Encryption Certificates to employ the confidentiality service on the data exchanged. The following table summarizes the functional uses of ACES Certificates:

| ACES Certificate Type | Subscriber | Purpose | Use of Certificate |
| --- | --- | --- | --- |
| Unaffiliated Individual Certificate | Unaffiliated Individual | Digital Signature | To enable an Unaffiliated Individual ACES Subscriber and Relying Parties to mutually authenticate themselves electronically for information and transactions and to verify digitally signed documents/transactions |
| Unaffiliated Individual Certificate | Unaffiliated Individual | Encryption | To enable an Unaffiliated Individual ACES Subscriber to use confidentiality services (encryption and decryption) on his/her information and transactions |
| Business Representative Certificate | Business Representative authorized to act on behalf of a Sponsoring Organization | Digital Signature | To enable a Business Representative to mutually authenticate themselves to conduct business-related activities electronically and to verify digitally signed documents/transactions |
| Business Representative Certificate | Business Representative authorized to act on behalf of a Sponsoring Organization | Encryption | To enable a Business Representative to use confidentiality services (encryption and decryption) on his/her information and transactions |
| State and Local Governments | Government Employee authorized to act on behalf of a State or Local Government | Digital Signature | To enable a State or Local Government Representative to mutually authenticate themselves to conduct business-related activities electronically and to verify digitally signed documents/transactions |
| State and Local Governments | Government Employee authorized to act on behalf of a State or Local Government | Encryption | To enable a State or Local Government Representative to use confidentiality services (encryption and decryption) on his/her information and transactions |
| Relying Party Certificate | Relying Party | Digital Signature | To enable a Relying Party and Unaffiliated Individuals, Business Representatives (non-federal Employees), State and Local Governments, Federal Employees, and DST to mutually authenticate themselves; to make signed validation requests; and to sign log files. |
| Relying Party Certificate | Relying Party | Encryption | To enable a Relying Party to provide confidentiality services (encryption and decryption) to Subscribers on their information and transactions |
| Agency / Relying Party Application SSL Server Certificate | Server | Authentication and Encrypted Data Transmission | To enable authenticated encrypted communications between subscribers and servers |
| Federal Employee Certificate | Federal Employee | Digital Signature | To enable a Federal Employee and Relying Parties to mutually authenticate themselves and to verify digitally signed documents/transactions |
| Federal Employee Certificate | Federal Employee | Encryption | To enable a Federal Employee to use confidentiality services (encryption and decryption) on his/her information and transactions |
| CA Certificate | N/A | | To enable the authorized CA to issue subscriber certificates |

    1.3.4.2 Suitable Uses

ACES Certificates may be used by individuals, businesses, and state and local governments to transact business with the Federal Government and non-Federal Government participants who would otherwise be involved in such transactions provided that the Federal Government does not incur any additional costs.

    1.4 CONTACT DETAILS

DST's Customer Service Center is available between 7 a.m. and 6 p.m. Mountain Standard Time (MST), Monday through Friday, excluding Federal holidays. DST's Customer Service Center assists subscribers with certificate- and key-related issues. Such issues include, but are not limited to, problems with key generation and certificate installation. Problems and inquiries received that are not certificate-related are directed to the relevant government agency for resolution with the subscriber. Those concerns can include, but are not limited to, problems with accessing information and inquiries of a general nature. For questions concerning ACES certificates, DST operations or the DST ACES CPS, please contact:

    Digital Signature Trust

    ACES Program

255 Admiral Byrd Road

Salt Lake City, UT 84116-3703

    [email protected]

    Toll-free US: 888-339-8798

    Outside of the US: 801 326 5974

    Fax: 801-326-5438

Otherwise, assistance is available at the Web site above, 24 hours per day, including Federal holidays, to individual subscribers, business representatives, and individuals authorized to act on behalf of agency applications.

    1.4.1 Organization Responsible for this Certification Practice Statement

DST's Change and Risk Management Committee ("CRMC") reviews CPs and approves CPSs. The CRMC manages the audit and risk assessment function for DST's CA operations to ensure that the risks are accurately identified, that necessary mitigating activities are identified, and that individual projects should proceed. The Chair of the CRMC represents DST at meetings of the Audit Committee. The CRMC is comprised of representatives from functional units across the organization.

    1.4.2 Contact Person

Attn.: Keren Cummins

Digital Signature Trust, LLC

    15200 Shady Grove Road

    Suite 350

    Rockville, MD 20850

    Phone: (301) 921-5977

    1.4.3 Person Determining Suitability of this CPS

    Attn: ACES Program Manager

Federal Technology Service

General Services Administration

    Washington, D.C. 20407


    SECTION 2

    GENERAL PROVISIONS

    2.1 OBLIGATIONS

This Section provides a general description of the roles and responsibilities of the ACES Program Participants operating under the ACES CP and this CPS: DST, RAs, CMAs, Repositories, Subscribers, Relying Parties, and the Policy Authority. Additional obligations are set forth in other provisions of this CPS, DST's ACES Contract, the System Security Plan (the SSP), Privacy Practices and Procedures (the PPP), Agreements with Relying Parties, Subscriber Agreements and other agreements with Program Participants.

    2.1.1 CAs Obligations

This section corresponds to Section 2.1.1 of the ACES CP and addresses the obligations and responsibilities of DST and its Authorized RAs, CMAs, and Repositories and their performance with respect to all ACES Certificates that DST issues.

DST is responsible for all aspects of the issuance and management of ACES Certificates, including the application/enrollment process; the identification verification and authentication process; the certificate manufacturing process; dissemination and activation of the certificate; publication of the certificate (if required); renewal, suspension, revocation, and replacement of the certificate; verification of certificate status upon request; and ensuring that all aspects of DST's services, operations and infrastructure related to ACES Certificates are performed in accordance with the requirements, representations, and warranties of the ACES CP (except in circumstances where government agencies or Relying Parties agree to provide defined RA roles and functions).

DST assumes responsibility for ensuring that all work is performed under the supervision of DST and responsible DST employees. DST provides assurance of the trustworthiness and competence of its employees and their satisfactory performance of duties relating to the provision of ACES services as described in this CPS and other relevant documents. Each DST employee to whom information is made available or disclosed is notified in writing by DST that information disclosed to such employee can be used only for the purpose and to the extent authorized in the ACES CP and other relevant documents.

DST complies with all applicable Federal and GSA requirements set forth in its ACES Contract with GSA, including the Federal Privacy Act, Appendices I and III of OMB Circular A-130, and regulations governing the prevention and reporting of waste, fraud and abuse, as supported by the documentation that it submits to GSA and/or other Federal agencies. DST has standard forms for contracts, which contain DST's obligations among different classes of subscribers and relying parties. DST's system architectures support varying levels of workload, as set forth in DST's ACES Contract.

    2.1.2 RA / Trusted Agent Obligations

A Registration Authority (RA) is a person or entity responsible for the applicant registration, certificate application, and authentication of identity functions for Unaffiliated Individuals, Business Representatives, State and Local Government Representatives, Federal Employees, Servers, and Relying Parties. An Authorized RA may also be responsible for handling suspension and revocation requests, and for aspects of Subscriber education.

Authorized RAs retained under contract to perform RA services on behalf of DST are required to comply with the provisions of this CPS and the ACES CP.

Trusted Agents are responsible for reviewing and collecting registration data and completed in-person registration forms for submission to DST or its Authorized RA as part of a bulk-loading registration process for applicants who are authorized by the Trusted Agent's organization to hold an ACES Certificate. DST enters into contractual agreements with some Trusted Agents and Authorized RAs requiring them to retain and protect collected information in accordance with applicable requirements of the ACES CP. DST and its Authorized RAs and Trusted Agents shall accurately verify subscriber identity and process requests and responses timely and securely. DST's Authorized RAs and Trusted Agents shall comply with this CPS and the ACES CP. DST will monitor the compliance of its Authorized RAs and Trusted Agents with this CPS and the ACES CP. Failure to comply with the provisions of the CPS and the CP may subject DST, and any Authorized RA or Trusted Agent, to sanctions, including termination as agent of DST and possible civil and criminal sanctions.

    2.1.3 CMA Obligations

A CMA is responsible for the functions of manufacturing, issuance, suspension, and revocation of ACES Certificates. CMAs retained under contract to perform CMA services on behalf of DST are required to comply with the provisions of this CPS and the ACES CP.

    2.1.4 Repository Obligations

A Repository is responsible for maintaining a secure system for storing and retrieving currently valid ACES Certificates, a current copy of the ACES CP, and other information relevant to ACES Certificates, and for providing information regarding the status of ACES Certificates as valid or invalid that can be determined by a Relying Party. Repositories retained under contract to perform Repository services on behalf of DST are required to comply with the provisions of this CPS and the ACES CP.


    2.1.5 Subscriber Obligations

Through a combination of online processes and printed forms, each applicant for an ACES Certificate shall:

- provide complete and accurate responses to all requests for information made by DST (or a Trusted Agent or Authorized RA) during the applicant registration, certificate application, and authentication of identity processes;

- generate a key pair using a reasonably trustworthy system, and take reasonable precautions to prevent any compromise, modification, loss, disclosure, or unauthorized use of the private key;

- upon issuance of an ACES Certificate naming the applicant as the Subscriber, review the ACES Certificate to ensure that all Subscriber information included in it is accurate, and expressly indicate acceptance or rejection of the ACES Certificate;

- protect the private key at all times, in accordance with the applicable Subscriber Agreement, this CPS, the ACES CP and any other obligations that the Subscriber may otherwise have;

- use the ACES Certificate and the corresponding private key exclusively for purposes authorized by the ACES CP and only in a manner consistent with the ACES CP;

- instruct DST (or an Authorized RA or employer) to revoke the ACES Certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the private key, or, in the case of Business Representative and Federal Employee ACES Certificates, whenever the Subscriber is no longer affiliated with the Sponsoring Organization; and

- respond as required to notices issued by DST or its authorized agents.

Subscribers who receive certificates from DST shall comply with these requirements as well as those in the ACES CP. Additional information concerning the rights and obligations of Subscribers may be found in Sections 1.3, 3.1 and 4.1 of this CPS.

    2.1.6 Relying Party Obligations

The ACES CP and an applicable Relying Party Agreement (the Relying Party Agreement contained in Appendix A to the ACES CP or a Relying Party Agreement entered into between DST and a non-Agency Relying Party) are binding on each Relying Party and govern its performance with respect to its application for, use of, and reliance on ACES Certificates.

(a) Acceptance of Certificates. Each Relying Party will validate ACES Certificates issued by all Authorized CAs;

(b) Certificate Validation. Each Relying Party will validate every ACES Certificate it relies upon with the Authorized CA that issued the certificate; and

(c) Reliance. A Relying Party may rely on a valid ACES Certificate for purposes of verifying the digital signature only if:

- the ACES Certificate was used and relied upon to authenticate a Subscriber's digital signature for an application bound by the ACES CP;

- prior to reliance, the Relying Party (1) verified the digital signature by reference to the public key in the ACES Certificate, (2) checked the status of the ACES Certificate by generating an appropriate status request via a current CRL, OCSP, or other comparable validation method, as approved by GSA, and (3) a check of the certificate's status indicated that the certificate was valid; and

- the reliance was reasonable and in good faith in light of all the circumstances known to the Relying Party at the time of reliance.

Relying Parties must evaluate the environment and the associated threats and vulnerabilities and determine the level of risk they are willing to accept based on the sensitivity or significance of the information. This evaluation is done by each Relying Party for each application and is not controlled by the ACES CP or this CPS. Relying Parties who rely on stale CRLs do so at their own risk. See Section 4.4 (Certificate Revocation).

Parties who rely upon the certificates issued under the ACES CP or this CPS should preserve original signed data, the applications necessary to read and process that data, and the cryptographic applications needed to verify the digital signatures on that data for as long as it may be necessary to verify the signature on that data.
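As an added example (not text or code from the CPS, and not DST's own software), the following Python applies two of the rules stated above in code: the Section 1.2 rule that an ACES certificate's class is identified by one of the listed policy OIDs in its Certificate Policies field (including the DER form a relying party actually finds in the certificate), and the three reliance conditions of this section, including refusal of a stale CRL or OCSP response. The OID table comes from Section 1.2; the keyUsage bit names, the `StatusCheck` fields and all timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Policy OIDs listed in Section 1.2 ("{2 16 840 1 101 3 2 1 1 n}" in dotted form). Signature
# and encryption certificates of one class share an OID, so the OID alone cannot tell a
# relying party which function a certificate serves; keyUsage has to supply that.
ACES_POLICY_OIDS = {
    "2.16.840.1.101.3.2.1.1.1": "DST ACES CA",
    "2.16.840.1.101.3.2.1.1.2": "Unaffiliated Individual",
    "2.16.840.1.101.3.2.1.1.3": "Business Representative",
    "2.16.840.1.101.3.2.1.1.4": "Relying Party",
    "2.16.840.1.101.3.2.1.1.5": "Agency Application SSL Server",
    "2.16.840.1.101.3.2.1.1.6": "Federal Employee",
    "2.16.840.1.101.3.2.1.1.7": "Federal Employee (hardware token)",
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, base-128 arcs (first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid; accepts only one complete short-form OBJECT IDENTIFIER."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a complete short-form DER OBJECT IDENTIFIER")
    if der[-1] & 0x80:
        raise ValueError("last arc is truncated")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:  # first two arcs arrive packed as 40*x + y, with x capped at 2
            first = 2 if value >= 80 else value // 40
            arcs.extend([first, value - first * 40])
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def aces_class(policy_oids, key_usage) -> Optional[str]:
    """ACES class and function from certificatePolicies OIDs and keyUsage bit names; None if not ACES."""
    classes = [ACES_POLICY_OIDS[o] for o in policy_oids if o in ACES_POLICY_OIDS]
    if not classes:
        return None
    if "keyEncipherment" in key_usage or "dataEncipherment" in key_usage:
        function = "encryption"
    elif "digitalSignature" in key_usage or "nonRepudiation" in key_usage:
        function = "digital signature"
    else:
        function = "unknown function"
    return f"{classes[0]} / {function}"


@dataclass
class StatusCheck:
    """Outcome of the status request the relying party generated (assumed field names)."""
    method: str       # "CRL" or "OCSP"
    status: str       # "good", "revoked" or "unknown"
    next_update: str  # ISO 8601 time after which the CRL/OCSP response is stale


def may_rely(signature_verified: bool, check: Optional[StatusCheck], now: str):
    """Apply the Section 2.1.6 reliance conditions in order; returns (ok, reason).

    A response past its nextUpdate is refused: the CPS leaves the risk of a stale CRL with
    the Relying Party, so a conservative implementation does not rely on one.
    """
    if not signature_verified:
        return False, "digital signature did not verify against the certificate's public key"
    if check is None:
        return False, "no certificate status check was generated"
    if check.method not in ("CRL", "OCSP"):
        return False, f"status method {check.method!r} is not an approved validation method"
    if datetime.fromisoformat(now) > datetime.fromisoformat(check.next_update):
        return False, f"{check.method} response is stale (nextUpdate {check.next_update})"
    if check.status != "good":
        return False, f"certificate status is {check.status!r}, not valid"
    return True, "all reliance conditions met"
```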

    2.1.7 Policy Authority Obligations

    The Policy Authority is responsible for the terms and maintenance of the ACES CP.

    2.2 LIABILITIES

Except as expressly provided in written contracts, including DST's ACES Contract, and according to specific certificate policies and other statutory and regulatory requirements, DST disclaims all warranties and obligations of any type, including any warranty of merchantability, any warranty of fitness for a particular purpose, and any warranty of accuracy of information provided.

Nothing in the ACES CP or this CPS shall create, alter, or eliminate any other obligation, responsibility, or liability that may be imposed on any Program Participant by virtue of any contract or obligation that is otherwise determined by applicable law.

DST SHALL HAVE NO LIABILITY FOR LOSS DUE TO USE OF A DST-ISSUED ACES CERTIFICATE, UNLESS THE LOSS IS PROVEN TO BE A DIRECT RESULT OF A BREACH BY DST OF THIS CPS OR A PROXIMATE RESULT OF THE GROSS NEGLIGENCE, FRAUD OR WILLFUL MISCONDUCT OF DST. DST SHALL HAVE NO LIABILITY FOR CLAIMS ALLEGING ORDINARY NEGLIGENCE.

A Relying Party shall have no recourse against DST, its RAs, certificate manufacturing authority or repository for any claim under any theory of liability (including negligence) arising out of reliance upon an ACES certificate, unless such party shall have agreed to provide such recourse under a contract with the relying party. Each Relying Party assumes all risk of such reliance in the absence of such agreement, except that the Subscriber may have liability under applicable law to the Relying Party with respect to a message bearing his digital signature that is authenticated with an ACES certificate.

ACES certificates shall contain (in a non-critical field) notice that there is no recourse against the issuer of the ACES certificate except as provided for under Paragraph 2.2 of the ACES Certificate Policy, as stipulated in APPENDIX E of this Policy.

IN NO EVENT SHALL DST BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, REMOTE, EXEMPLARY, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR BUSINESS INTERRUPTION, LOSS OF PROFITS, REVENUES, SAVINGS, OPPORTUNITIES OR DATA, OR INJURY TO CUSTOMER RELATIONSHIPS, REGARDLESS OF THE FORM OF ACTION AND REGARDLESS OF WHETHER DST WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    DST SHALL INCUR NO LIABILITY IF DST IS PREVENTED, FORBIDDEN OR

    DELAYED FROM PERFORMING, OR OMITS TO PERFORM, ANY ACT OR

    REQUIREMENT BY REASON OF ANY PROVISION OF ANY APPLICABLE LAW,

    REGULATION OR ORDER, THE FAILURE OF ANY ELECTRICAL,

    COMMUNICATION OR OTHER SYSTEM OPERATED BY ANY PARTY OTHER

    THAN DST OR ANY ACT OF GOD, EMERGENCY CONDITION OR WAR OR

    OTHER CIRCUMSTANCE BEYOND THE CONTROL OF DST.

    Any applicable limitation of DST's liability contained in any DST Subscriber Agreement,

    DST Business Representative Authorization Form or DST Relying Party Agreement,


    respectively, shall apply to any claim against DST by such Subscriber or Relying Party,

    respectively.

    2.2.1 DST Liability

    See Section 2.2. Tort liability for claims by parties other than Program Participants arising out of transactions involving Certificates issued under the ACES Contract is

    governed by the Federal Tort Claims Act. DST asserts the Government Contractor

    defense, which is applicable to DST to the extent that DST has met the standard of care

    spelled out by the ACES Contract. Other limitations and disclaimers of liability may exist

    in agreements between DST and Program Participants. Use of, or reliance upon, a DST

    issued ACES Certificate other than pursuant to an agreement with GSA or DST is

    prohibited and is at such party's own risk.

    2.2.2 RA, CMA, and Repository Liability

    See Section 2.2 and Section 2.2.1.

    2.3 FINANCIAL RESPONSIBILITY

    No stipulation.

    2.3.1 Indemnification by Relying Parties

    A Relying Party under a DST ACES Relying Party Agreement shall indemnify DST

    under the applicable terms and conditions of any indemnification provision therein.

    2.3.2 Indemnification by Subscriber

    A Subscriber under a DST ACES Subscriber Agreement shall indemnify DST under the

    applicable terms and conditions of any indemnification provision therein.

    2.3.3 Fiduciary Relationships

    Issuance of ACES Certificates by DST or its representatives or agents in accordance with

    this CPS does not make DST or its representatives or agents, fiduciaries, trustees, or

    representatives of Subscribers or Relying Parties.

    2.3.4 Administrative Processes

    No stipulation.

    2.4 INTERPRETATION AND ENFORCEMENT

    2.4.1 Governing Law


    The laws of the United States and the State of Utah shall govern the enforceability,

    construction, interpretation, and validity of this CPS.

    2.4.2 Severability, Survival, Merger, Notice

    Should it be determined that one section of this CPS is incorrect or invalid, the other sections of this CPS shall remain in effect until the CPS is updated.

    2.4.3 Dispute Resolution Procedures

    In the event of any dispute or disagreement between two or more of the Program

    Participants (Disputing Parties) arising out of or relating to the ACES CP or ACES

    Contracts, this CPS, or relevant Agreements related to this policy, which include Relying

    Party Agreements and Subscriber Agreements, the Disputing Parties shall use their best

    efforts to settle the dispute or disagreement through negotiations in good faith following

    notice from one Disputing Party to the other(s). If the Disputing Parties cannot reach a

    mutually agreeable resolution of the dispute or disagreement within sixty (60) days following the date of such notice, then the Disputing Parties may present the dispute to

    the GSA ACES Contract Officer for resolution.

    Any Contract dispute between DST and GSA shall be handled under the terms and

    conditions of the ACES Contract.

    2.5 FEES

    2.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees

    Fees may be assessed for certificate issuance and for certificate renewal (re-key). Fees will not be assessed for certificate suspension and revocation.

    2.5.2 Certificate Access Fees

    DST shall not impose any certificate access fees on Subscribers with respect to the

    content of their own ACES Certificate(s) or the status of such ACES Certificate(s).

    2.5.3 Revocation Status Information Access Fees (Certificate Validation

    Services)

    Fees may be assessed for certificate validation services based upon Relying Party agreements negotiated between DST and the validating party.

    2.5.4 Fees for Other Services such as Policy Information

    DST may charge for recovery of escrowed decryption keys, but shall not impose fees for

    access to policy information.


    2.5.5 Refund Policy

    Refunds are not provided unless other arrangements are specifically made through

    customer agreements.

    2.6 PUBLICATION AND REPOSITORY

    2.6.1 Publication of Information

    ACES Certificates issued by DST contain pointers to locations where certificate-related

    information is published. DST's secure online Repository is available to Subscribers and

    Relying Parties at DST's LDAP repository directory, which contains: (1) all ACES

    Certificates issued by DST that have been accepted by Subscribers; and (2) Authority

    Revocation Lists / Certificate Revocation Lists (ARLs/CRLs), as specified by the ACES

    Contract and the ACES Policy Office. Online certificate status information is available

    through DST's ACES validation services. DST's Federal web pages for ACES contain

    links to: (1) DST's ACES Certificate for its signing key; (2) past and current versions of DST's ACES CPS; (3) a copy of the ACES CP; and (4) other relevant information about

    ACES Certificates.

    2.6.2 Frequency of Publication

    All information to be published in the repository shall be published immediately after

    such information is available to DST. DST will publish ACES Certificates immediately

    upon acceptance of such ACES Certificates. Information relating to the status of an

    ACES Certificate will be published in accordance with DST's GSA ACES Contract.

    2.6.3 Access Controls

    DST does not impose any access controls on the ACES CP, DST's ACES Certificate for

    its signing key, and past and current versions of this CPS as well as subscriber certificates

    and status information. DST does, however, impose access controls to ensure

    authentication of Subscribers with respect to their own certificate(s) and the status of

    such certificate(s) and personal registration information, which is separately managed

    from the public certificate and status repository. Access is restricted in accordance with

    Section 2.8.1.1. Access to information in DST's ACES repositories is otherwise

    determined by the GSA pursuant to its authorizing and controlling statutes.

    2.6.4 Repositories

    Information in DST's ACES repository is protected in accordance with the Privacy Act

    of 1974 as set forth in DST's Privacy Policies and Procedures (PPP), available at DST's

    Federal web pages for ACES and other privacy- and security-related documents that are

    maintained internally by DST. See Section 2.8.1.1.


    2.7 INSPECTIONS AND REVIEWS

    DST is subject to inspections and reviews in accordance with Federal regulations and

    GSA policy and security guidelines (See Appendix D to the ACES CP). DST's system

    security test and evaluation plan describes how the security features and controls of its

    systems are to be tested and reviewed when significant modifications are made. DST is also subject to examination and the regulatory authority of the Office of the Comptroller

    of the Currency (OCC) under 12 U.S.C. 867(c). DST's commercial practices are

    audited as required by the OCC and states where DST is licensed as a CA. Full or partial

    audit results may be released to the extent permitted by law, regulation, contract or DST

    management. DST is audited annually pursuant to the American Institute of Certified

    Public Accountants (AICPA's) / Canadian Institute of Chartered Accountants (CICA's)

    Web Trust Program for Certification Authorities (CA Web Trust). In addition to

    examination and regulation by the OCC, CA Web Trust, and other audits performed by

    independent auditors, DST is subject to the GSA's Certification and Accreditation

    (C&A) process.

    2.7.1 Certification and Accreditation

    In accordance with the ACES CP and the DST ACES Contract, DST and its CA system

    subcontractors must undergo ACES Security C&A as a condition of obtaining and

    retaining approval to operate as an Authorized CA under the ACES CP. The C&A

    process verifies that DST has in place and follows a system that assures that the quality

    of its CA Services conforms to the requirements of the ACES CP and its ACES Contract.

    C&A is performed in accordance with Federal regulations and GSA policy and

    supporting security guidelines. (See Appendix D to the ACES CP).

    2.7.1.1 Frequency of Certification Authority Compliance Review

    DST has passed previous C&As and has demonstrated compliance with the ACES CP, its

    ACES CPS, and its GSA ACES Contract. The GSA and other authorized Federal entities

    may perform periodic and aperiodic compliance audits or inspections of DST,

    subordinate CA, or RA operations to validate that the subordinate entities are operating

    in accordance with the security practices and procedures described in their respective

    CPSs, Registration Practices Statements (RPSs), SSPs and PPPs.

    2.7.1.2 Identity/Qualifications of Reviewer

    See Section 2.7.1.2 of the ACES CP.

    2.7.1.3 Auditor's Relationship to Audited Party

    See Section 2.7.1.3 of the ACES CP.


    2.7.1.4 Communication of Results

    See Section 2.7.1.4 of the ACES CP.

    2.7.2 Quality Assurance Inspection and Review

    2.7.2.1 Topics Covered by Quality Assurance Inspection and Review

    The purpose of a quality assurance inspection and review of DST is to verify that it is

    operating in compliance with the requirements of the ACES CP, its ACES Contract, and

    this CPS. Quality assurance inspections of DST are conducted pursuant to the

    AICPA/CICA's Web Trust Program for Certification Authorities (CA Web Trust).

    2.7.2.2 Identity/Qualifications of Reviewer

    DST's compliance auditors demonstrate competence in the field of compliance audits,

    and are thoroughly familiar with the requirements that DST imposes on the issuance and management of its certificates. The auditor performs such compliance audits as its

    primary responsibility. See Sections 2.7.1.2, 2.7.1.3 and 2.7.2.3.

    2.7.2.3 Auditor's Relationship to Audited Party

    DST's compliance auditors are representatives from the OCC, the GSA, firms

    specializing in information systems and network security, and private, unaffiliated and

    nationally recognized accounting firms.

    2.7.2.4 Audit Compliance Report

    The results of DST's compliance audit are fully documented, and reports resulting from

    Quality Assurance Inspections are submitted to GSA within 30 calendar days of the date

    of their completion.

    2.7.2.5 Actions Taken as a Result of Deficiency

    DST shall correct any deficiencies noted during compliance reviews, as specified by

    GSA. Also, if irregularities are found during OCC compliance audits, the OCC may

    require appropriate remedial action or terminate DST operations after appropriate notice

    to existing clients. The results of compliance audits will not be made public except as

    described in Section 2.7.2.6.

    2.7.2.6 Communication of Results

    DST posts its auditor's CA Web Trust certification on its web site in accordance with

    applicable AICPA audit-reporting standards. Audit information that might pose an

    immediate threat of harm to Program Participants or that could potentially compromise

    the future security of DST's operations is not made publicly available.


    2.8 CONFIDENTIALITY

    DST implements appropriate administrative, technical, and physical safeguards to insure

    the security and confidentiality of records and to protect against any anticipated threats or

    hazards to their security or integrity which could result in substantial harm,

    embarrassment, inconvenience, or unfairness to any individual on whom information is maintained, in accordance with Title 5, U.S.C., Sec. 552a.

    2.8.1 Types of Information to Be Kept Confidential

    2.8.1.1 Privacy Policy and Procedures

    DST's written Privacy Policies and Procedures (PPP), designed to ensure compliance

    with the requirements of 5 U.S.C. 552a, Appendix I to OMB Circular A-130, and the

    ACES Contract, may be found in Section 9 of this CPS.

    2.8.1.2 Subscriber Information

    Certificates issued by DST only contain information that is necessary for their effective

    use. Non-Certificate information, however, is requested from applicants and is required

    to identify Subscribers, issue Certificates and manage information on behalf of

    Subscribers. Such information includes numeric identifiers of driver's licenses, credit

    card accounts, passports, social security numbers and other identifiers, as well as

    business or home addresses and telephone numbers. (See Section 3.1.9.1.) Such

    personal information collected by DST is treated as private and is not disclosed unless

    otherwise required by law or for auditing purposes. All non-Certificate, non-repository

    information in DST records will be handled as sensitive, and access will be restricted to

    those with business, operational or official needs. Certificate-restricted access will require presentation of a user's Certificate, and only the appropriate access permissions

    will be granted to the user.

    DST protects the confidentiality of personal information regarding Subscribers that is

    collected during the applicant registration, ACES Certificate application, authentication,

    and certificate status checking processes in accordance with the Privacy Act of 1974,

    Appendix III to Office of Management and Budget (OMB) Circular A-130, GSA Order

    2100.1A, and supporting GSA security guidelines. Such information is used only for the

    purpose of providing CA Services and carrying out the provisions of the ACES CP and

    DST's ACES Contract, and is not disclosed in any manner to any person without the

    prior consent of the Subscriber, unless otherwise required by law, except as may be necessary for the performance of CA Services in accordance with DST's ACES Contract.

    In addition, personal information submitted by Subscribers:

    (a) Shall be made available by DST to the Subscriber involved following an

    appropriate request by such Subscriber;

    (b) Shall be subject to correction and/or revision by such Subscriber;

    (c) Shall be protected by DST in a manner designed to ensure the data's


    2.9 SECURITY REQUIREMENTS

    DST is required to have the following minimum security controls in place:

    Technical and/or security evaluation complete

    Risk assessment conducted

    Rules of behavior established and signed by users

    Contingency Plan developed and tested

    Security Plan developed, updated, and reviewed

    System meets all applicable Federal laws, regulations, policies, guidelines, and standards

    In-place and planned security safeguards appear to be adequate and appropriate for the system, i.e., the level of controls should be consistent with the level of sensitivity of the system.

    DST shall not publish or disclose in any manner, without the GSA ACO's written

    consent, the details of any safeguards either designed or developed by DST under the

    ACES Contract or otherwise provided by the Government.

    No party may use any software, program, routine, query, device or manual process in an

    attempt to: bypass security measures (including attempting to probe, scan or test

    vulnerabilities to breach security); access data for which they are unauthorized to access;

    interfere with the proper working of DST's CA systems; or impose a disproportionately

    large load on (i.e., overload or crash) the infrastructure supporting DST's systems (e.g.,

    DOS/DDOS attacks, viruses, etc.). The unauthorized use of any robot, spider, software,

    routine, meta-search, automated query to monitor, copy or make any other unauthorized

    uses of DST's systems is strictly prohibited and will be prosecuted to the fullest extent

    allowed by law. DST reserves the right to block any activity that it interprets as a runaway

    application, attack or other event that might be an attempt to bring down DST's ACES

    PKI infrastructure and systems.

    2.9.1 System Security Plan

    DST has prepared and maintains a System Security Plan (SSP) in accordance with

    requirements set forth in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and

    all supporting GSA security guidelines, and the ACES Contract.

    2.9.2 Risk Management

    DST conducts periodic risk assessments and maintains its ACES systems at the level of

    residual risk accepted by the designated approving authority in accordance with OMB

    Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security

    guidelines, and the ACES Contract.


    2.9.3 Certification and Accreditation

    Certification and Accreditation of DST's ACES system shall be performed and

    maintained in accordance with requirements set forth in OMB Circular A-130, NIST 800-

    18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES Contract.

    2.9.4 Rules of Behavior

    The SSP includes the rules of conduct that will be used to instruct DST's officers and

    employees in compliance requirements and penalties for noncompliance. DST's rules of

    behavior are developed and implemented in accordance with requirements set forth in

    OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA

    security guidelines, and the ACES Contract.

    2.9.5 Contingency Plan

    DST develops, implements, maintains, and periodically tests its contingency plan for its

    ACES system in accordance with guidelines provided in OMB Circular A-130, NIST

    800-18, FIPS PUB 87, and GSA Order 2100.1A and all supporting GSA security

    guidelines.

    2.9.6 Incident Response Capability

    DST is able to provide help to users when a security incident occurs in the system and to

    share information concerning common vulnerabilities and threats. A security incident is

    defined to be any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromises of

    confidentiality, loss of accountability, or damage to any part of the system.

    Incident response procedures and reporting of security incidents shall be in accordance

    with guidelines provided in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A

    and all supporting GSA security guidelines, and the ACES contract.

    2.10 INTELLECTUAL PROPERTY RIGHTS

    Private keys shall be treated as the sole property of the legitimate holder of the

    corresponding public key identified in an ACES Certificate. Access Certificates for Electronic Services, ACES, and the ACES OIDs are the property of GSA (or, if the

    Subscriber is not a government employee or contractor to whom a Certificate is issued in

    his capacity as such, the Subscriber), which may be used only by DST in accordance with

    the provisions of the ACES CP and DST's ACES Contract. Any other use of the above

    without the express written permission of GSA is expressly prohibited.


    SECTION 3

    IDENTIFICATION AND AUTHENTICATION

    3.1 INITIAL REGISTRATION

    Subject to the requirements noted below, applications for ACES Certificates may be

    communicated from the applicant to DST, a Trusted Agent, or an Authorized RA, and

    authorizations to issue ACES Certificates may be communicated from an Authorized RA

    or Trusted Agent to DST, (1) electronically, provided that all communication is secure,

    (2) by U.S. Postal Service first-class mail, or (3) in person. Certificates issued to

    business representatives and Federal employees require a face-to-face registration

    process to validate identity credentials, which DST may perform through its Trusted

    Agents or Authorized RAs.

    3.1.1 Types of Names

    DST-issued certificates contain an X.500 distinguished name for the subscriber

    consisting of either the X.501 distinguished name specifying a geo-political name or an

    Internet domain component name. When domain component naming is used, DST

    reserves the right to issue certificates utilizing domain component naming to honor

    contract obligations or where practical or required for proper application usage for

    distinguished names in the following manner: dc=gov, dc=org0, [dc=org1], [dc=orgN];

    dc=mil, dc=org0, [dc=org1], [dc=orgN]; etc.

    3.1.1.1 ACES Unaffiliated Individual Digital Signature and Encryption

    Certificates

    The subject name used for ACES Certificate applicants shall be the Subscriber's

    authenticated common name and optional Subject Alternative Name if marked non-

    critical.

    3.1.1.2 ACES Business Representative Digital Signature and Encryption

    Certificates

    Certificates shall assert X.500 Distinguished Name, and optional Subject Alternative

    Name if marked non-critical. Where required, DST may generate and sign certificates

    that contain an X.500 Distinguished Name (DN); the X.500 DN may also contain domain component elements. Where DNs are required, subscribers shall have them assigned

    through DST, in accordance with a naming authority. ACES Business Representative

    Digital Signature Certificates shall assert an alternate name form subject to requirements

    set forth below intended to ensure name uniqueness.


    3.1.1.3 ACES Agency (Relying Party Applications) Digital Signature and

    Encryption Certificates

    Certificates shall assert X.500 Distinguished Name, and optional Subject Alternative

    Name if marked non-critical. Where required, DST may generate and sign certificates

    that contain an X.500 Distinguished Name (DN); the X.500 DN may also contain domain component elements. Where DNs are required, relying parties shall have them assigned

    through DST, in accordance with the agency's naming scheme under government-wide

    policy. ACES Relying Party Application Digital Signature and Encryption Certificates

    shall assert an alternate name form subject to requirements set forth below intended to

    ensure name uniqueness.

    3.1.1.4 Agency Application SSL Server Certificates

    Certificates shall assert X.500 Distinguished Name of the server including the

    identification of the organization and organizational unit sponsoring the server.

    Additionally, the distinguished name shall assert the registered fully qualified domain name of the server.
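As an added illustration (not code from this CPS or from DST), the following Python checks a subject DN string against the two naming forms described above: the domain component form of Section 3.1.1 (a dc=gov or dc=mil root, then dc=org0 and optional further components) and the server certificate subject of Section 3.1.1.4 (O and OU of the sponsoring organization plus a fully qualified domain name as CN). It assumes RFC 4514 string syntax for the DN, treats the page's dc=gov and dc=mil examples as the accepted roots, and can only check the FQDN syntactically, not that it is registered.

```python
# Added example, not part of the DST ACES CPS: checks a subject DN string
# against the naming forms described in Sections 3.1.1 (domain component
# naming) and 3.1.1.4 (Agency Application SSL Server Certificates).  The
# DN string form (RFC 4514), the accepted roots and the FQDN syntax rule
# are assumptions; whether an FQDN is "registered" cannot be checked offline.
import re

# Section 3.1.1 lists dc=gov and dc=mil as examples ("etc."); extend as needed.
ASSUMED_DC_ROOTS = {"gov", "mil"}
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label


def parse_dn(dn):
    """Split an RFC 4514 DN string into (TYPE, value) pairs, most specific
    RDN first.  Backslash-escaped commas inside values are honoured;
    multi-valued RDNs joined with '+' are not supported (assumption)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr, value = rdn.split("=", 1)
        value = re.sub(r"\\(.)", r"\1", value)  # drop RFC 4514 escapes
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dc_chain(pairs):
    """Domain components in X.500 order (root first), so that
    'CN=x,DC=org0,DC=gov' gives ['gov', 'org0'], matching the
    'dc=gov, dc=org0, [dc=org1], [dc=orgN]' form in Section 3.1.1."""
    return [v.lower() for t, v in reversed(pairs) if t == "DC"]


def check_dc_naming(dn, roots=ASSUMED_DC_ROOTS):
    """Findings (empty when compliant) for the 3.1.1 domain component form:
    an accepted root, at least dc=org0 below it, every component a DNS label."""
    chain = dc_chain(parse_dn(dn))
    if not chain:
        return ["no domain component (DC) attributes in DN"]
    findings = []
    if chain[0] not in roots:
        findings.append("root %r not in accepted roots %s" % (chain[0], sorted(roots)))
    if len(chain) < 2:
        findings.append("dc=org0 missing below root")
    findings += ["invalid DC label %r" % c for c in chain if not _LABEL_RE.match(c)]
    return findings


def is_fqdn(name):
    """Syntactic FQDN check only: two or more DNS labels, no wildcard,
    at most 253 characters.  Registration is verified elsewhere."""
    labels = name.rstrip(".").split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL_RE.match(lab) for lab in labels))


def check_server_dn(dn):
    """Findings for a 3.1.1.4 server certificate subject: O and OU of the
    sponsoring organization must be present and CN must be the server FQDN."""
    pairs = parse_dn(dn)
    types = {t for t, _ in pairs}
    findings = [a + " attribute missing" for a in ("O", "OU") if a not in types]
    cns = [v for t, v in pairs if t == "CN"]
    if len(cns) != 1:
        findings.append("expected exactly one CN, found %d" % len(cns))
    elif not is_fqdn(cns[0]):
        findings.append("CN %r is not a fully qualified domain name" % cns[0])
    return findings


if __name__ == "__main__":
    # Constructed sample DNs; example.gov is a placeholder, not a real ACES subject.
    print(check_server_dn("CN=www.example.gov,OU=Web Services,O=Example Agency,DC=example,DC=gov"))
    print(check_server_dn("CN=intranet,O=Example Agency,DC=example,DC=gov"))
    print(check_dc_naming("CN=Jane Doe,DC=division,DC=example,DC=gov"))
```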

    3.1.1.5 ACES Federal Employee Digital Signature and Encryption

    Certificates

    DST ACES Certificates shall assert X.500 Distinguished Names, and optional Subject

    Alternative Names, if marked non-critical. Where required, DST may generate and sign

    certificates that contain an X.500 Distinguished Name (DN); the X.500 DN may also

    contain domain component elements if required. Where DNs are required, subscribers

    shall have them assigned through DST, in accordance with the applicable agency's

    naming authorit

