DigiCert Private PKI CPS v1...Jun 13, 2018 · DigiCert Certification Practices Statement for...

DigiCertCertificationPracticesStatementfor

PrivatePKIServices

DigiCert,Inc.Version1.1

June13,2018

2801N.ThanksgivingWaySuite500

Lehi,UT84043USA

Tel:1‐801‐877‐2100Fax:1‐801‐705‐0481

www.digicert.com

ii

TABLEOFCONTENTS

1. INTRODUCTION......................................................................................................................................................................................................1

1.1. OVERVIEW....................................................................................................................................................................................................1 1.2. DOCUMENTNAMEANDIDENTIFICATION....................................................................................................................................1 1.3. PKIPARTICIPANTS...................................................................................................................................................................................1

1.3.1. CertificationAuthorities...................................................................................................................................................................1 1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdParties...........................................................................................1 1.3.3. Subscribers.............................................................................................................................................................................................1 1.3.4. RelyingParties......................................................................................................................................................................................1 1.3.5. OtherParticipants...............................................................................................................................................................................1

1.4. CERTIFICATEUSAGE...............................................................................................................................................................................1 1.4.1. AppropriateCertificateUses..........................................................................................................................................................2 1.4.2. ProhibitedCertificateUses..............................................................................................................................................................2

1.5. POLICYADMINISTRATION....................................................................................................................................................................2 1.5.1. OrganizationAdministeringtheDocument.............................................................................................................................2 1.5.2. ContactPerson......................................................................................................................................................................................2 1.5.3. PersonDeterminingCPSSuitabilityforthePolicy................................................................................................................2 1.5.4. CPSApprovalProcedures................................................................................................................................................................2

1.6. DEFINITIONSANDACRONYMS...........................................................................................................................................................2 1.6.1. Definitions..............................................................................................................................................................................................2 1.6.2. Acronyms................................................................................................................................................................................................3 1.6.3. References..............................................................................................................................................................................................3

2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES...........................................................................................................................4 2.1. REPOSITORIES............................................................................................................................................................................................4 2.2. PUBLICATIONOFCERTIFICATIONINFORMATION...................................................................................................................4 2.3. TIMEORFREQUENCYOFPUBLICATION........................................................................................................................................4 2.4. ACCESSCONTROLSONREPOSITORIES...........................................................................................................................................4

3. IDENTIFICATIONANDAUTHENTICATION.................................................................................................................................................4 3.1. NAMING.........................................................................................................................................................................................................4

3.1.1. TypesofNames....................................................................................................................................................................................4 3.1.2. NeedforNamestobeMeaningful................................................................................................................................................4 3.1.3. AnonymityorPseudonymityofSubscribers...........................................................................................................................4 3.1.4. RulesforInterpretingVariousNameForms...........................................................................................................................4 3.1.5. UniquenessofNames.........................................................................................................................................................................4 3.1.6. Recognition,Authentication,andRoleofTrademarks........................................................................................................5

3.2. INITIALIDENTITYVALIDATION.........................................................................................................................................................5 3.2.1. MethodtoProvePossessionofPrivateKey.............................................................................................................................5 3.2.2. AuthenticationofOrganizationIdentity....................................................................................................................................5 3.2.3. AuthenticationofIndividualIdentity.........................................................................................................................................5 3.2.4. Non‐verifiedSubscriberInformation.........................................................................................................................................5

3.3. IDENTIFICATIONANDAUTHENTICATIONFORRE‐KEYREQUESTS..................................................................................5 3.3.1. IdentificationandAuthenticationforRoutineRe‐key.........................................................................................................5

3.4. IDENTIFICATIONANDAUTHENTICATIONFORREVOCATIONREQUEST........................................................................6 4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS..............................................................................................................6

4.1. CERTIFICATEAPPLICATION................................................................................................................................................................6 4.1.1. WhoCanSubmitaCertificateApplication................................................................................................................................6 4.1.2. EnrollmentProcessandResponsibilities..................................................................................................................................6

4.2. CERTIFICATEAPPLICATIONPROCESSING....................................................................................................................................6 4.2.1. PerformingIdentificationandAuthenticationFunctions..................................................................................................6 4.2.2. ApprovalorRejectionofCertificateApplications.................................................................................................................6 4.2.3. TimetoProcessCertificateApplications...................................................................................................................................6

4.3. CERTIFICATEISSUANCE........................................................................................................................................................................6 4.3.1. CAActionsduringCertificateIssuance......................................................................................................................................6 4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificate........................................................................................7

4.4. CERTIFICATEACCEPTANCE.................................................................................................................................................................7

iii

4.4.1. ConductConstitutingCertificateAcceptance..........................................................................................................................7 4.4.2. PublicationoftheCertificatebytheCA.....................................................................................................................................7 4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntities......................................................................................7

4.5. KEYPAIRANDCERTIFICATEUSAGE................................................................................................................................................7 4.5.1. SubscriberPrivateKeyandCertificateUsage.........................................................................................................................7 4.5.2. RelyingPartyPublicKeyandCertificateUsage......................................................................................................................7

4.6. CERTIFICATERENEWAL........................................................................................................................................................................7 4.6.1. CircumstanceforCertificateRenewal........................................................................................................................................7 4.6.2. WhoMayRequestRenewal.............................................................................................................................................................7 4.6.3. ProcessingCertificateRenewalRequests.................................................................................................................................8 4.6.4. NotificationofNewCertificateIssuancetoSubscriber.......................................................................................................8 4.6.5. ConductConstitutingAcceptanceofaRenewalCertificate...............................................................................................8 4.6.6. PublicationoftheRenewalCertificatebytheCA...................................................................................................................8 4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntities......................................................................................8

4.7. CERTIFICATERE‐KEY..............................................................................................................................................................................8 4.7.1. CircumstanceforCertificateRekey.............................................................................................................................................8 4.7.2. WhoMayRequestCertificateRekey...........................................................................................................................................8 4.7.3. ProcessingCertificateRekeyRequests......................................................................................................................................8 4.7.4. NotificationofCertificateRekeytoSubscriber.......................................................................................................................8 4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificate...............................................................................................8 4.7.6. PublicationoftheIssuedCertificatebytheCA.......................................................................................................................8 4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntities......................................................................................8

4.8. CERTIFICATEMODIFICATION.............................................................................................................................................................9 4.8.1. CircumstancesforCertificateModification..............................................................................................................................9 4.8.2. WhoMayRequestCertificateModification..............................................................................................................................9 4.8.3. ProcessingCertificateModificationRequests.........................................................................................................................9 4.8.4. NotificationofCertificateModificationtoSubscriber.........................................................................................................9 4.8.5. ConductConstitutingAcceptanceofaModifiedCertificate..............................................................................................9 4.8.6. PublicationoftheModifiedCertificatebytheCA..................................................................................................................9 4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntities..............................................................................9

4.9. CERTIFICATEREVOCATIONANDSUSPENSION..........................................................................................................................9 4.9.1. CircumstancesforRevocation.......................................................................................................................................................9 4.9.2. WhoCanRequestRevocation.....................................................................................................................................................10 4.9.3. ProcedureforRevocationRequest...........................................................................................................................................10 4.9.4. RevocationRequestGracePeriod.............................................................................................................................................10 4.9.5. TimewithinwhichCAMustProcesstheRevocationRequest......................................................................................11 4.9.6. RevocationCheckingRequirementforRelyingParties...................................................................................................11 4.9.7. CRLIssuanceFrequency................................................................................................................................................................11 4.9.8. MaximumLatencyforCRLs.........................................................................................................................................................11 4.9.9. On‐lineRevocation/StatusCheckingAvailability...............................................................................................................11 4.9.10. On‐lineRevocationCheckingRequirements........................................................................................................................11 4.9.11. OtherFormsofRevocationAdvertisementsAvailable....................................................................................................11 4.9.12. SpecialRequirementsRelatedtoKeyCompromise...........................................................................................................11 4.9.13. CircumstancesforSuspension....................................................................................................................................................11 4.9.14. WhoCanRequestSuspension.....................................................................................................................................................11 4.9.15. ProcedureforSuspensionRequest...........................................................................................................................................11 4.9.16. LimitsonSuspensionPeriod.......................................................................................................................................................11

4.10. CERTIFICATESTATUSSERVICES....................................................................................................................................................11 4.10.1. OperationalCharacteristics.........................................................................................................................................................11 4.10.2. ServiceAvailability..........................................................................................................................................................................11 4.10.3. OptionalFeatures.............................................................................................................................................................................11

4.11. ENDOFSUBSCRIPTION.......................................................................................................................................................................12 4.12. KEYESCROWANDRECOVERY.........................................................................................................................................................12

4.12.1. KeyEscrowandRecoveryPolicyPractices...........................................................................................................................12 4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices....................................................................................12

5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS...........................................................................................................12 5.1. PHYSICALCONTROLS...........................................................................................................................................................................12

5.1.1. SiteLocationandConstruction...................................................................................................................................................12 5.1.2. PhysicalAccess..................................................................................................................................................................................12 5.1.3. PowerandAirConditioning........................................................................................................................................................13 5.1.4. WaterExposures..............................................................................................................................................................................13

iv

5.1.5. FirePreventionandProtection..................................................................................................................................................13 5.1.6. MediaStorage....................................................................................................................................................................................13 5.1.7. WasteDisposal..................................................................................................................................................................................13 5.1.8. Off‐siteBackup..................................................................................................................................................................................13

5.2. PROCEDURALCONTROLS...................................................................................................................................................................13 5.2.1. TrustedRoles.....................................................................................................................................................................................13 5.2.2. NumberofPersonsRequiredperTask...................................................................................................................................14 5.2.3. IdentificationandAuthenticationforeachRole.................................................................................................................14 5.2.4. RolesRequiringSeparationofDuties......................................................................................................................................14

5.3. PERSONNELCONTROLS......................................................................................................................................................................14 5.3.1. Qualifications,Experience,andClearanceRequirements...............................................................................................14 5.3.2. BackgroundCheckProcedures...................................................................................................................................................14 5.3.3. TrainingRequirements..................................................................................................................................................................15 5.3.4. RetrainingFrequencyandRequirements..............................................................................................................................15 5.3.5. JobRotationFrequencyandSequence....................................................................................................................................15 5.3.6. SanctionsforUnauthorizedActions.........................................................................................................................................15 5.3.7. IndependentContractorRequirements..................................................................................................................................15 5.3.8. DocumentationSuppliedtoPersonnel....................................................................................................................................15

5.4. AUDITLOGGINGPROCEDURES........................................................................................................................................................16 5.4.1. TypesofEventsRecorded............................................................................................................................................................16 5.4.2. FrequencyofProcessingLog.......................................................................................................................................................17 5.4.3. RetentionPeriodforAuditLog...................................................................................................................................................18 5.4.4. ProtectionofAuditLog..................................................................................................................................................................18 5.4.5. AuditLogBackupProcedures.....................................................................................................................................................18 5.4.6. AuditCollectionSystem(internalvs.external)...................................................................................................................18 5.4.7. NotificationtoEvent‐causingSubject......................................................................................................................................18 5.4.8. VulnerabilityAssessments...........................................................................................................................................................18

5.5. RECORDSARCHIVAL.............................................................................................................................................................................18 5.5.1. TypesofRecordsArchived...........................................................................................................................................................18 5.5.2. RetentionPeriodforArchive.......................................................................................................................................................19 5.5.3. ProtectionofArchive......................................................................................................................................................................19 5.5.4. ArchiveBackupProcedures.........................................................................................................................................................20 5.5.5. RequirementsforTime‐stampingofRecords......................................................................................................................20 5.5.6. ArchiveCollectionSystem(internalorexternal)...............................................................................................................20 5.5.7. ProcedurestoObtainandVerifyArchiveInformation.....................................................................................................20

5.6. KEYCHANGEOVER.................................................................................................................................................................................20 5.7. COMPROMISEANDDISASTERRECOVERY..................................................................................................................................20

5.7.1. IncidentandCompromiseHandlingProcedures................................................................................................................20 5.7.2. ComputingResources,Software,and/orDataAreCorrupted......................................................................................20 5.7.3. EntityPrivateKeyCompromiseProcedures........................................................................................................................20 5.7.4. BusinessContinuityCapabilitiesafteraDisaster...............................................................................................................20

5.8. CAORRATERMINATION....................................................................................................................................................................21 6. TECHNICALSECURITYCONTROLS..............................................................................................................................................................21

6.1. KEYPAIRGENERATIONANDINSTALLATION...........................................................................................................................21 6.1.1. KeyPairGeneration........................................................................................................................................................................21 6.1.2. PrivateKeyDeliverytoSubscriber...........................................................................................................................................21 6.1.3. PublicKeyDeliverytoCertificateIssuer................................................................................................................................21 6.1.4. CAPublicKeyDeliverytoRelyingParties.............................................................................................................................21 6.1.5. KeySizes...............................................................................................................................................................................................22 6.1.6. PublicKeyParametersGenerationandQualityChecking..............................................................................................22 6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield)....................................................................................................22

6.2. PRIVATEKEYPROTECTIONANDCRYPTOGRAPHICMODULEENGINEERINGCONTROLS...................................22 6.2.1. CryptographicModuleStandardsandControls..................................................................................................................22 6.2.2. PrivateKey(noutofm)Multi‐personControl....................................................................................................................22 6.2.3. PrivateKeyEscrow..........................................................................................................................................................................22 6.2.4. PrivateKeyBackup..........................................................................................................................................................................22 6.2.5. PrivateKeyArchival........................................................................................................................................................................22 6.2.6. PrivateKeyTransferintoorfromaCryptographicModule..........................................................................................22 6.2.7. PrivateKeyStorageonCryptographicModule....................................................................................................................22 6.2.8. MethodofActivatingPrivateKeys............................................................................................................................................22 6.2.9. MethodofDeactivatingPrivateKeys.......................................................................................................................................23

v

6.2.10. MethodofDestroyingPrivateKeys..........................................................................................................................................23 6.2.11. CryptographicModuleRating.....................................................................................................................................................23

6.3. OTHERASPECTSOFKEYPAIRMANAGEMENT........................................................................................................................23 6.3.1. PublicKeyArchival..........................................................................................................................................................................23 6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriods.........................................................................................23

6.4. ACTIVATIONDATA................................................................................................................................................................................23 6.4.1. ActivationDataGenerationandInstallation.........................................................................................................................23 6.4.2. ActivationDataProtection...........................................................................................................................................................23 6.4.3. OtherAspectsofActivationData...............................................................................................................................................23

6.5. COMPUTERSECURITYCONTROLS.................................................................................................................................................23 6.5.1. SpecificComputerSecurityTechnicalRequirements.......................................................................................................23 6.5.2. ComputerSecurityRating.............................................................................................................................................................23

6.6. LIFECYCLETECHNICALCONTROLS..............................................................................................................................................24 6.6.1. SystemDevelopmentControls....................................................................................................................................................24 6.6.2. SecurityManagementControls..................................................................................................................................................24 6.6.3. LifeCycleSecurityControls.........................................................................................................................................................24

6.7. NETWORKSECURITYCONTROLS...................................................................................................................................................24 6.8. TIME‐STAMPING.....................................................................................................................................................................................24

7. CERTIFICATE,CRL,ANDOCSPPROFILES.................................................................................................................................................24 7.1. CERTIFICATEPROFILE........................................................................................................................................................................25

7.1.1. VersionNumber(s)..........................................................................................................................................................................25 7.1.2. CertificateExtensions.....................................................................................................................................................................25 7.1.3. AlgorithmObjectIdentifiers........................................................................................................................................................25 7.1.4. NameForms.......................................................................................................................................................................................25 7.1.5. NameConstraints.............................................................................................................................................................................25 7.1.6. CertificatePolicyObjectIdentifier............................................................................................................................................25 7.1.7. UsageofPolicyConstraintsExtension....................................................................................................................................25 7.1.8. PolicyQualifiersSyntaxandSemantics..................................................................................................................................25 7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtension..........................................................................25

7.2. CRLPROFILE............................................................................................................................................................................................25 7.2.1. Versionnumber(s)...........................................................................................................................................................................25 7.2.2. CRLandCRLEntryExtensions...................................................................................................................................................25

7.3. OCSPPROFILE..........................................................................................................................................................................................26 7.3.1. VersionNumber(s)..........................................................................................................................................................................26 7.3.2. OCSPExtensions...............................................................................................................................................................................26

8. COMPLIANCEAUDITANDOTHERASSESSMENTS...............................................................................................................................26 8.1. FREQUENCYORCIRCUMSTANCESOFASSESSMENT.............................................................................................................26 8.2. IDENTITY/QUALIFICATIONSOFASSESSOR...............................................................................................................................26 8.3. ASSESSOR'SRELATIONSHIPTOASSESSEDENTITY...............................................................................................................26 8.4. TOPICSCOVEREDBYASSESSMENT...............................................................................................................................................26 8.5. ACTIONSTAKENASARESULTOFDEFICIENCY.......................................................................................................................26 8.6. COMMUNICATIONOFRESULTS.......................................................................................................................................................26 8.7. SELF‐AUDITS............................................................................................................................................................................................26

9. OTHERBUSINESSANDLEGALMATTERS.................................................................................................................................................26 9.1. FEES..............................................................................................................................................................................................................26

9.1.1. CertificateIssuanceorRenewalFees......................................................................................................................................26 9.1.2. CertificateAccessFees...................................................................................................................................................................27 9.1.3. RevocationorStatusInformationAccessFees....................................................................................................................27 9.1.4. FeesforOtherServices..................................................................................................................................................................27 9.1.5. RefundPolicy.....................................................................................................................................................................................27

9.2. FINANCIALRESPONSIBILITY............................................................................................................................................................27 9.2.1. InsuranceCoverage.........................................................................................................................................................................27 9.2.2. OtherAssets........................................................................................................................................................................................27 9.2.3. InsuranceorWarrantyCoverageforEnd‐Entities.............................................................................................................27

9.3. CONFIDENTIALITYOFBUSINESSINFORMATION...................................................................................................................27 9.3.1. ScopeofConfidentialInformation............................................................................................................................................27 9.3.2. InformationNotWithintheScopeofConfidentialInformation...................................................................................27 9.3.3. ResponsibilitytoProtectConfidentialInformation...........................................................................................................28

9.4. PRIVACYOFPERSONALINFORMATION......................................................................................................................................28 9.4.1. PrivacyPlan........................................................................................................................................................................................28 9.4.2. InformationTreatedasPrivate..................................................................................................................................................28

vi

9.4.3. InformationNotDeemedPrivate..............................................................................................................................................28 9.4.4. ResponsibilitytoProtectPrivateInformation.....................................................................................................................28 9.4.5. NoticeandConsenttoUsePrivateInformation..................................................................................................................28 9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcess............................................................................................28 9.4.7. OtherInformationDisclosureCircumstances......................................................................................................................28

9.5. INTELLECTUALPROPERTYRIGHTS..............................................................................................................................................28 9.6. REPRESENTATIONSANDWARRANTIES.....................................................................................................................................28

9.6.1. CARepresentationsandWarranties........................................................................................................................................28 9.6.2. RARepresentationsandWarranties........................................................................................................................................29 9.6.3. SubscriberRepresentationsandWarranties.......................................................................................................................29 9.6.4. RelyingPartyRepresentationsandWarranties..................................................................................................................30 9.6.5. RepresentationsandWarrantiesofOtherParticipants...................................................................................................30

9.7. DISCLAIMERSOFWARRANTIES......................................................................................................................................................30 9.8. LIMITATIONSOFLIABILITY..............................................................................................................................................................31 9.9. INDEMNITIES...........................................................................................................................................................................................31

9.9.1. IndemnificationbyDigiCert.........................................................................................................................................................31 9.9.2. IndemnificationbySubscribers.................................................................................................................................................31 9.9.3. IndemnificationbyRelyingParties...........................................................................................................................................32

9.10. TERMANDTERMINATION.................................................................................................................................................................32 9.10.1. Term.......................................................................................................................................................................................................32 9.10.2. Termination........................................................................................................................................................................................32 9.10.3. EffectofTerminationandSurvival...........................................................................................................................................32

9.11. INDIVIDUALNOTICESANDCOMMUNICATIONSWITHPARTICIPANTS........................................................................32 9.12. AMENDMENTS.........................................................................................................................................................................................32

9.12.1. ProcedureforAmendment...........................................................................................................................................................32 9.12.2. NotificationMechanismandPeriod.........................................................................................................................................32 9.12.3. CircumstancesunderwhichOIDMustBeChanged...........................................................................................................32

9.13. DISPUTERESOLUTIONPROVISIONS.............................................................................................................................................32 9.14. GOVERNINGLAW...................................................................................................................................................................................32 9.15. COMPLIANCEWITHAPPLICABLELAW........................................................................................................................................33 9.16. MISCELLANEOUSPROVISIONS.........................................................................................................................................................33

9.16.1. EntireAgreement.............................................................................................................................................................................33 9.16.2. Assignment..........................................................................................................................................................................................33 9.16.3. Severability.........................................................................................................................................................................................33 9.16.4. Enforcement(attorneys'feesandwaiverofrights)..........................................................................................................33 9.16.5. ForceMajeure....................................................................................................................................................................................33

9.17. OTHERPROVISIONS..............................................................................................................................................................................33

1

1. INTRODUCTION

1.1. OVERVIEWThisdocumentistheDigiCert,Inc.(“DigiCert”)CertificationPracticesStatement(CPS)forPrivatePKIServicesthatoutlinestheprinciplesandpracticesrelatedtoDigiCert’scertificationofnon‐cross‐certifiedandnon‐publiclytrustedX.509digitalcertificates.

ThisCPSisonlyoneofseveraldocumentsthatcontrolDigiCert’scertificationservices.Otherimportantdocumentsincludebothprivateandpublicdocuments,suchasDigiCert’sagreementswithitscustomers,relyingpartyagreements,andDigiCert’sprivacypolicy.DigiCertmayprovideadditionalcertificatepoliciesorcertificationpracticestatements.Thesesupplementalpoliciesandstatementsareavailabletoapplicableusersorrelyingparties.

1.2. DOCUMENTNAMEANDIDENTIFICATIONThisdocumentistheDigiCertCertificationPracticesStatementforPrivatePKIServicesandhasbeenapprovedforpublicationbytheDigiCertPolicyAuthority(DCPA)asofthedateindicatedonthecoverpage.

1.3. PKIPARTICIPANTS1.3.1. CertificationAuthorities

DigiCertisacertificationauthority(CA)thatissuesdigitalcertificates.AsaCA,DigiCertperformsfunctionsassociatedwithbothprivatePKIServicesandpublickeyoperations,includingreceivingcertificaterequests,issuing,revokingandrenewingadigitalcertificate,andmaintaining,issuing,andpublishingCRLsandOCSPresponses.GeneralinformationaboutDigiCert’sproductsandservicesareavailableathttps://www.digicert.com.

1.3.2. RegistrationAuthoritiesandOtherDelegatedThirdPartiesDigiCertmaydelegatetheperformanceofcertainfunctionstoRegistrationAuthorities(RA)andotherthirdpartiestorequestcertificatesand/orperformidentificationandauthenticationforend‐usercertificates.ThespecificroleofanRAordelegatedthirdpartyvariesgreatlybetweenentities,rangingfromsimpletranslationservicestoactualassistanceingatheringandverifyingApplicantinformation.SomeRAsoperateidentitymanagementsystems(IdMs)andmaymanagethecertificatelifecycleforend‐users.SpecificrolesofeachRAunderaprivatePKIdependhighlyonthecontractwiththeprivatePKIparty.

1.3.3. SubscribersSubscribersuseDigiCert’sservicesandPKItosupporttransactionsandcommunications.Subscribersarenotalwaysthepartyidentifiedinacertificate,suchaswhencertificatesareissuedtoanorganization’semployees.TheSubjectofacertificateisthepartynamedinthecertificate.ASubscriber,asusedherein,referstoboththeSubjectofthecertificateandtheentitythatcontractedwithDigiCertforthecertificate’sissuance.

1.3.4. RelyingPartiesRelyingpartiesareentitiesthatactinrelianceonacertificateand/ordigitalsignatureissuedbyDigiCert.RelyingpartiesaredefinedbythecommunitysupportedbytheprivatePKIinfrastructureandbycontractwithDigiCert.

1.3.5. OtherParticipantsNostipulation.

1.4. CERTIFICATEUSAGEAdigitalcertificate(orcertificate)isformatteddatathatcryptographicallybindsanidentifiedsubscriberwithaPublicKey.Adigitalcertificateallowsanentitytakingpartinanelectronictransactiontoproveitsidentitytootherparticipantsinsuchtransaction.

2

1.4.1. AppropriateCertificateUsesCertificatesissuedpursuanttothisCPSmaybeusedforalllegalauthentication,encryption,accesscontrol,anddigitalsignaturepurposes,asdesignatedbythekeyusageandextendedkeyusagefieldsfoundwithinthecertificate.However,thesensitivityoftheinformationprocessedorprotectedbyacertificatevariesgreatly,andeachrelyingpartymustevaluatetheapplicationenvironmentandassociatedrisksbeforedecidingonwhethertouseacertificateissuedunderthisCPS.TheexactuseofeachCertificateislefttothediscretionofthecommunityforwhichthePKIisoperated.

1.4.2. ProhibitedCertificateUsesCertificatesdonotguaranteethattheSubjectistrustworthy,honest,reputableinitsbusinessdealings,compliantwithanylaws,orsafetodobusinesswith.Acertificateonlyestablishesthattheinformationinthecertificatewasverifiedasreasonablycorrectwhenthecertificateissued.

1.5. POLICYADMINISTRATION

1.5.1. OrganizationAdministeringtheDocumentThisCPSandthedocumentsreferencedhereinaremaintainedbytheDCPA,whichcanbecontactedat:

DigiCertPolicyAuthoritySuite5002801N.ThanksgivingWayLehi,UT84043USATel:1‐801‐701‐9600Fax:1‐801‐705‐0481

1.5.2. ContactPersonAttn:LegalCounselDigiCertPolicyAuthoritySuite5002801N.ThanksgivingWayLehi,UT84043USA

1.5.3. PersonDeterminingCPSSuitabilityforthePolicyTheDCPAdeterminesthesuitabilityandapplicabilityofthisCPSbasedonthecontractwiththecustomerforwhichthePKIisoperatedandanyrelevantaudits.TheDCPAisresponsibleforthePKI’scompliancewiththisCPS.

1.5.4. CPSApprovalProceduresTheDCPAapprovestheCPSandanyamendments.AmendmentsaremadeaftertheDCPAhasreviewedtheamendments’consistencywithrelevantcontracts.TheDCPAdetermineswhetheranamendmenttothisCPSisconsistentwithacontract,requiresnotice,orrequiresanOIDchange.

1.6. DEFINITIONSANDACRONYMS1.6.1. Definitions

“Applicant”meansanentityapplyingforacertificate.

“KeyPair”meansaPrivateKeyandassociatedPublicKey.

“OCSPResponder”meansanonlinesoftwareapplicationoperatedundertheauthorityofDigiCertandconnectedtoitsrepositoryforprocessingcertificatestatusrequests.

“PrivateKey”meansthekeyofakeypairthatiskeptsecretbytheholderofthekeypair,andthatisusedtocreatedigitalsignaturesand/ortodecryptelectronicrecordsorfilesthatwereencryptedwiththecorrespondingPublicKey.

3

“PublicKey”meansthekeyofakeypairthatmaybepubliclydisclosedbytheholderofthecorrespondingPrivateKeyandthatisusedbyaRelyingPartytoverifydigitalsignaturescreatedwiththeholder'scorrespondingPrivateKeyand/ortoencryptmessagessothattheycanbedecryptedonlywiththeholder'scorrespondingPrivateKey.

“RelyingParty”meansanentitythatreliesuponeithertheinformationcontainedwithinacertificateoratime‐stamptoken.

“Subscriber”meanseithertheentityidentifiedasthesubjectinthecertificateortheentitythatisreceivingDigiCert’stime‐stampingservices.

1.6.2. AcronymsCA CertificateAuthorityorCertificationAuthority

CPS CertificationPracticeStatement

CRL CertificateRevocationList

CSR CertificateSigningRequest

DCPA DigiCertPolicyAuthority

FIPS (USGovernment)FederalInformationProcessingStandard

HSM HardwareSecurityModule

IdM IdentityManagementSystem

ITU InternationalTelecommunicationUnion

ITU‐T ITUTelecommunicationStandardizationSector

OCSP OnlineCertificateStatusProtocol

OID ObjectIdentifier

PKI PublicKeyInfrastructure

PKCS PublicKeyCryptographyStandard

RA RegistrationAuthority

SHA SecureHashingAlgorithm

SSL SecureSocketsLayer

TLS TransportLayerSecurity

URL UniformResourceLocator

X.509 TheITU‐TstandardforCertificatesandtheircorrespondingauthenticationframework

1.6.3. ReferencesNostipulation.

4

2. PUBLICATIONANDREPOSITORYRESPONSIBILITIES

2.1. REPOSITORIESCRLsandOCSPresponsesareavailablethroughonlineresources24hoursaday,7daysaweekwithsystemsdescribedinSection5tominimizedowntime.

2.2. PUBLICATIONOFCERTIFICATIONINFORMATIONTheDigiCertcertificateservicesandtherepositoryareaccessiblethroughseveralmeansofcommunication:

1.OnthewebviaURIsincludedinthecertificatesthemselves

[email protected]

3.Bymailaddressedto:DigiCert,Inc.,Suite500,2801N.ThanksgivingWay,Lehi,Utah84043

4.BytelephoneTel:1‐801‐877‐2100

5.Byfax:1‐801‐705‐0481

2.3. TIMEORFREQUENCYOFPUBLICATIONCRLsforend‐usercertificatesareissuedatleastonceperday.CRLsforCAcertificatesareissuedinaccordancewiththeapplicablecustomeragreement.Typically,thisisevery6monthsandalsowithin18hoursifaCAcertificateisrevoked.Underspecialcircumstances,DigiCertmaypublishnewCRLspriortothescheduledissuanceofthenextCRL.NewormodifiedversionsofthisCPS,SubscriberAgreements,orRelyingPartyWarrantiesaretypicallypublishedwithinsevendaysaftertheirapproval.

2.4. ACCESSCONTROLSONREPOSITORIESRead‐onlyaccesstotherepositoryisunrestricted.Logicalandphysicalcontrolspreventunauthorizedwriteaccesstorepositories.

3. IDENTIFICATIONANDAUTHENTICATION

3.1. NAMING3.1.1. TypesofNames

CertificatesareissuedwithasubjectDistinguishedName(DN)thatcomplieswithITUX.500standards.SomeCertificatesmayhaveanullsubjectDNifitincludesatleastonealternativenameformthatismarkedcritical.

3.1.2. NeedforNamestobeMeaningfulDigiCertusesdistinguishednamestoidentifythesubject(i.e.person,organization,device,orobject)orissuerofthecertificate.

3.1.3. AnonymityorPseudonymityofSubscribersDigiCertmayissueanonymousandpseudonymousend‐entitycertificatesprovidedthattheyarenotprohibitedbypolicyandanyapplicablenamespaceuniquenessrequirementsaremet.

3.1.4. RulesforInterpretingVariousNameFormsDistinguishedNamesincertificatesareinterpretedusingX.500standardsandASN.1syntax.SeeRFC2253andRFC2616forfurtherinformationonhowX.500distinguishednamesincertificatesareinterpretedasUniformResourceIdentifiersandHTTPreferences.

3.1.5. UniquenessofNamesTheuniquenessofeachsubjectnameinacertificatedependsonthecontractwiththecustomer.Typically,uniquenessismaintainedthroughthedomainnameinthecertificate,emailaddressinthecertificate,ora

5

combinationofthecertificate’ssubjectinformation.

3.1.6. Recognition,Authentication,andRoleofTrademarksSubscribersmaynotrequestcertificateswithcontentthatinfringesontheintellectualpropertyrightsofanotherentity.Unlessotherwisespecificallystatedinanagreementwithacustomer,DigiCertdoesnotverifyanApplicant’srighttouseatrademarkanddoesnotresolvetrademarkdisputes.DigiCertmayrejectanyapplicationorrequirerevocationofanycertificatethatispartofatrademarkdispute.

3.2. INITIALIDENTITYVALIDATIONDigiCertmayuseanylegalmeansofcommunicationorinvestigationtoascertaintheidentityofanorganizationalorindividualApplicant.DigiCertmayrefusetoissueaCertificateinitssolediscretion.

3.2.1. MethodtoProvePossessionofPrivateKeyDigiCertestablishesthattheApplicantholdsorcontrolsthePrivateKeycorrespondingtothePublicKeybyperformingsignatureverificationordecryptionondatapurportedtohavebeendigitallysignedorencryptedwiththePrivateKeybyusingthePublicKeyassociatedwiththecertificaterequest.

3.2.2. AuthenticationofOrganizationIdentityAssetforthintheapplicablecustomeragreement.Verificationdependsonthecommunityorderingthecertificate.

3.2.3. AuthenticationofIndividualIdentityVerificationofindividualidentitiesdependsontherequirementsofthecommunityorderingthecertificates.Verificationmayincludeconfirmationofanemailaddress,throughrecordchecksoftheindividual’sidentity,orothersimilarmeans.

3.2.3.1. AuthenticationforRole‐basedClientCertificatesDigiCertmayissuecertificatesthatidentifyaspecificrolethattheSubscriberholdsinsteadofaspecificindividual(e.g.,ChiefInformationOfficerisauniqueindividualwhereasProgramAnalystisnot).Theserole‐basedcertificatesareusedwhennon‐repudiationisdesired.Asponsoroftherole‐basedCertificatesisverifiedinaccordancewithSection3.2.3above.

3.2.3.2. AuthenticationforGroupClientCertificatesDigiCertissuesgroupcertificates(acertificatethatcorrespondstoaPrivateKeythatissharedbymultipleSubscribers)ifseveralentitiesareactinginonecapacityandifnon‐repudiationisnotrequired.AsponsorforthegroupCertificateisverifiedunderSection3.2.3beforetheCertificateisissued.ThesponsormustmaintainandcontinuouslyupdatealistofSubscriberswithaccesstotheprivatekeyandaccountforthetimeperiodduringwhicheachSubscriberhadcontrolofthekey.

3.2.3.3. AuthenticationofDevicesNostipulation.

3.2.4. Non‐verifiedSubscriberInformationPrivateclientcertificatesmaycontainnon‐verifiedsubscriberinformation.

3.3. IDENTIFICATIONANDAUTHENTICATIONFORRE‐KEYREQUESTS

3.3.1. IdentificationandAuthenticationforRoutineRe‐keySubscribersmayrequestre‐keyofacertificatepriortoacertificate’sexpiration.Afterreceivingarequestforre‐key,DigiCertcreatesanewcertificatewiththesamecertificatecontentsexceptforanewPublicKeyand,optionally,anextendedvalidityperiod.Ifthecertificatehasanextendedvalidityperiod,DigiCertmayperformsomerevalidationoftheApplicantbutmayalsorelyoninformationpreviouslyprovidedorobtained.

6

3.4. IDENTIFICATIONANDAUTHENTICATIONFORREVOCATIONREQUESTDigiCertoranRAauthenticatesallrevocationrequests.DigiCertmayauthenticaterevocationrequestsbyreferencingtheuseofthePrivateKeycorrespondingtotheCertificate’sPublicKey,regardlessofwhethertheassociatedPrivateKeyiscompromised.

4. CERTIFICATELIFE‐CYCLEOPERATIONALREQUIREMENTS

4.1. CERTIFICATEAPPLICATION4.1.1. WhoCanSubmitaCertificateApplication

EithertheApplicantoranindividualauthorizedtorequestcertificatesonbehalfoftheApplicantmaysubmitcertificaterequests.ApplicantsareresponsibleforanydatathattheApplicantoranagentoftheApplicantsuppliestoDigiCert.

4.1.2. EnrollmentProcessandResponsibilitiesInnoparticularorder,theenrollmentprocessmayinclude:

Submittingacertificateapplication,

Generatingakeypair,

DeliveringthepublickeyofthekeypairtoDigiCert,

AgreeingtotheapplicableSubscriberAgreement,and

Payinganyapplicablefees.

4.2. CERTIFICATEAPPLICATIONPROCESSING4.2.1. PerformingIdentificationandAuthenticationFunctions

Afterreceivingacertificateapplication,DigiCertoranRAverifiestheapplicationinformationandotherinformationinaccordancewithSection3.2.IfanRAassistsintheverification,theRAmustcreateandmaintainrecordssufficienttoestablishthatithasperformeditsrequiredverificationtasksandcommunicatethecompletionofsuchperformancetoDigiCert.Afterverificationiscomplete,DigiCertevaluatesthecorpusofinformationanddecideswhetherornottoissuethecertificate.DigiCertconsidersasource’savailability,purpose,andreputationwhendeterminingwhetherathirdpartysourceisreasonablyreliable.

4.2.2. ApprovalorRejectionofCertificateApplicationsDigiCertmayrejectacertificateapplicationifDigiCertbelievesthatissuingthecertificatecoulddamageordiminishDigiCert’sreputationorbusiness.

4.2.3. TimetoProcessCertificateApplicationsAsspecifiedintherelevantcustomeragreement.Ifthetimeframeisnotspecified,DigiCertwillusuallycompletethevalidationprocessandissueorrejectacertificateapplicationwithintwoworkingdaysafterreceivingallofthenecessarydetailsanddocumentationfromtheApplicant,althougheventsoutsideofthecontrolofDigiCertcandelaytheissuanceprocess.

4.3. CERTIFICATEISSUANCE4.3.1. CAActionsduringCertificateIssuance

IssuanceiscompletedusingtheappropriateCAcertificate.Afterissuanceiscomplete,thecertificateisstoredinadatabaseandsenttotheSubscriber.

7

4.3.2. NotificationtoSubscriberbytheCAofIssuanceofCertificateDigiCertmaydelivercertificatesinanysecuremannerwithinareasonabletimeafterissuance.Generally,DigiCertdeliverscertificatesbyprovidingtheSubscriberahypertextlinktoauserid/password‐protectedlocationwherethesubscribermayloginanddownloadthecertificateorviaemailtotheemailaddressdesignatedbytheSubscriberduringtheapplicationprocess.

4.4. CERTIFICATEACCEPTANCE4.4.1. ConductConstitutingCertificateAcceptance

SubscribersaresolelyresponsibleforinstallingtheissuedcertificateontheSubscriber’scomputerorhardwaresecuritymodule.Certificatesareconsideredaccepted30daysafterthecertificate’sissuance,orearlieruponuseofthecertificatewhenevidenceexiststhattheSubscriberusedthecertificate.

4.4.2. PublicationoftheCertificatebytheCADigiCertpublishesend‐entitycertificatesbydeliveringthemtotheSubscriber.

4.4.3. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’sissuanceiftheRAwasinvolvedintheissuanceprocess.

4.5. KEYPAIRANDCERTIFICATEUSAGE4.5.1. SubscriberPrivateKeyandCertificateUsage

SubscribersareobligatedtoprotecttheirPrivateKeysfromunauthorizeduseordisclosure,discontinueusingaPrivateKeyafterexpirationorrevocationoftheassociatedcertificate,anduseCertificatesinaccordancewiththeirintendedpurpose.

4.5.2. RelyingPartyPublicKeyandCertificateUsageDigiCertdoesnotwarrantthatanythirdpartysoftwarewillsupportorenforcethecontrolsandrequirementsfoundherein.ARelyingPartyshouldusediscretionwhenrelyingonacertificateandshouldconsiderthetotalityofthecircumstancesandriskoflosspriortorelyingonacertificate.Ifthecircumstancesindicatethatadditionalassurancesarerequired,theRelyingPartymustobtainsuchassurancesbeforeusingthecertificate.

4.6. CERTIFICATERENEWAL4.6.1. CircumstanceforCertificateRenewal

DigiCertmayrenewacertificateif:

theassociatedpublickeyhasnotreachedtheendofitsvalidityperiod,

theSubscriberandattributesareconsistent,and

theassociatedprivatekeyremainsuncompromised.

DigiCertmayalsorenewacertificateifaCAcertificateisre‐keyedorasotherwisenecessarytoprovideservicestoacustomer.DigiCertmaynotifySubscriberspriortoacertificate’sexpirationdate.Certificaterenewalrequirespaymentofadditionalfees.

4.6.2. WhoMayRequestRenewalOnlythecertificatesubjectoranauthorizedrepresentativeofthecertificatesubjectmayrequestrenewaloftheSubscriber’scertificates.DigiCertmayrenewacertificatewithoutacorrespondingrequestifthesigningcertificateisre‐keyed.

8

4.6.3. ProcessingCertificateRenewalRequestsRenewalapplicationrequirementsandproceduresaregenerallythesameasthoseusedduringthecertificate’soriginalissuance.DigiCertmayrefusetorenewacertificateifitcannotverifyanyrecheckedinformation.Ifanindividualisrenewingaclientcertificateandtherelevantinformationhasnotchanged,thenDigiCertdoesnotrequireanyadditionalidentityvetting.IfthePrivateKeyanddomaininformationhasnotchanged,theSubscribermayrenewanSSL/TLSservercertificateusingapreviouslyissuedcertificateorprovidedCSR.

4.6.4. NotificationofNewCertificateIssuancetoSubscriberDigiCertmaydeliverthecertificateinanysecurefashion,typicallybyemailorbyprovidingtheSubscriberahypertextlinktoauserid/password‐protectedlocationwherethesubscribermayloginanddownloadthecertificate.

4.6.5. ConductConstitutingAcceptanceofaRenewalCertificateRenewedcertificatesareconsideredaccepted30daysafterthecertificate’srenewal,orearlieruponuseofthecertificatewhenevidenceexiststhattheSubscriberusedthecertificate.

4.6.6. PublicationoftheRenewalCertificatebytheCADigiCertpublishesarenewedcertificatebydeliveringittotheSubscriber.

4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’srenewaliftheRAwasinvolvedintheissuanceprocess.

4.7. CERTIFICATERE‐KEY4.7.1. CircumstanceforCertificateRekey

Re‐keyingacertificateconsistsofcreatinganewcertificatewithanewpublickeyandserialnumberwhilekeepingthesubjectinformationthesame.Thenewcertificatemayhaveadifferentvaliditydate,keyidentifiers,CRLandOCSPdistributionpoints,andsigningkey.

4.7.2. WhoMayRequestCertificateRekeyDigiCertwillonlyacceptre‐keyrequestsfromthesubjectofthecertificateorthePKIsponsor.DigiCertmayinitiateacertificatere‐keyattherequestofthecertificatesubjectorinDigiCert’sowndiscretion.

4.7.3. ProcessingCertificateRekeyRequestsDigiCertmayre‐useexistingverificationinformationunlessre‐verificationandauthenticationisrequiredbycontractorifDigiCertbelievesthattheinformationhasbecomeinaccurate.

4.7.4. NotificationofCertificateRekeytoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeafterthecertificateissues.

4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificateIssuedcertificatesareconsideredaccepted30daysafterthecertificateisrekeyed,orearlieruponuseofthecertificatewhenevidenceexiststhattheSubscriberusedthecertificate.

4.7.6. PublicationoftheIssuedCertificatebytheCADigiCertpublishesrekeyedcertificatesbydeliveringthemtoSubscribers.

4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’srekeyiftheRAwasinvolvedintheissuanceprocess.

9

4.8. CERTIFICATEMODIFICATION4.8.1. CircumstancesforCertificateModification

Modifyingacertificatemeanscreatinganewcertificateforthesamesubjectwithinformationthatdiffersslightlyfromtheoldcertificate(e.g.,changestoemailaddressornon‐essentialpartsofnamesorattributes)providedthatthemodificationotherwisecomplieswiththisCPS.Thenewcertificatemayhavethesameoradifferentsubjectpublickey.

4.8.2. WhoMayRequestCertificateModificationDigiCertmodifiescertificatesattherequestofcertaincertificatesubjectsorinitsowndiscretion.DigiCertdoesnotmakecertificatemodificationservicesavailabletoallSubscribers.

4.8.3. ProcessingCertificateModificationRequestsAfterreceivingarequestformodification,DigiCertverifiesanychangedinformationinaccordancewithsection3.2.

4.8.4. NotificationofCertificateModificationtoSubscriberDigiCertnotifiestheSubscriberwithinareasonabletimeafterthecertificateissues.

4.8.5. ConductConstitutingAcceptanceofaModifiedCertificateModifiedcertificatesareconsideredaccepted30daysafterthecertificateismodified,orearlieruponuseofthecertificatewhenevidenceexiststhattheSubscriberusedthecertificate.

4.8.6. PublicationoftheModifiedCertificatebytheCADigiCertpublishesmodifiedcertificatesbydeliveringthemtoSubscribers.

4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntitiesRAsmayreceivenotificationofacertificate’smodificationiftheRAwasinvolvedintheissuanceprocess.

4.9. CERTIFICATEREVOCATIONANDSUSPENSION4.9.1. CircumstancesforRevocation

Revocationofacertificatepermanentlyendstheoperationalperiodofthecertificatepriortothecertificatereachingtheendofitsstatedvalidityperiod.Priortorevokingacertificate,DigiCertverifiestheidentityandauthorityoftheentityrequestingrevocation.DigiCertmayrevokeanycertificateinitssolediscretion,includingifDigiCertbelievesthat:

1. TheSubscriberrequestedrevocationofitscertificate;

2. TheSubscriberdidnotauthorizetheoriginalcertificaterequestanddidnotretroactivelygrantauthorization;

3. EitherthePrivateKeyassociatedwiththecertificateorthePrivateKeyusedtosignthecertificatewascompromisedormisused;

4. TheSubscriberbreachedamaterialobligationundertheCPSortherelevantagreement;

5. EithertheSubscriber’sorDigiCert’sobligationsundertheCPSaredelayedorpreventedbycircumstancesbeyondtheparty’sreasonablecontrol,includingcomputerorcommunicationfailure,and,asaresult,anotherentity’sinformationismateriallythreatenedorcompromised;

6. TheSubscriber,sponsor,orotherentitythatwasissuedthecertificatehaslostitsrightstoaname,trademark,device,IPaddress,domainname,orotherattributethatwasassociatedwiththecertificate;

7. ThecertificatewasnotissuedinaccordancewiththeCPSorapplicableindustrystandards;

10

8. DigiCertreceivedalawfulandbindingorderfromagovernmentorregulatorybodytorevokethecertificate;

9. DigiCertceasedoperationsanddidnotarrangeforanothercertificateauthoritytoproviderevocationsupportforthecertificates;

10. DigiCert'srighttomanagecertificatesunderapplicableindustrystandardswasterminated(unlessarrangementshavebeenmadetocontinuerevocationservicesandmaintaintheCRL/OCSPRepository);

11. AnyinformationappearingintheCertificatewasorbecameinaccurateormisleading;

12. ThetechnicalcontentorformatoftheCertificatepresentsanunacceptablerisk;or

13. TheSubscriberwasaddedasadeniedpartyorprohibitedpersontoablacklistorisoperatingfromadestinationprohibitedunderthelawsoftheUnitedStates.

4.9.2. WhoCanRequestRevocationAnyappropriatelyauthorizedparty,suchasarecognizedrepresentativeofasubscriberorcross‐signedpartner,mayrequestrevocationofacertificate.DigiCertmayrevokeacertificatewithoutreceivingarequestandwithoutreason.Thirdpartiesmayrequestcertificaterevocationforproblemsrelatedtofraud,misuse,orcompromise.Certificaterevocationrequestsmustidentifytheentityrequestingrevocationandspecifythereasonforrevocation.

4.9.3. ProcedureforRevocationRequestDigiCertprocessesarevocationrequestasfollows:

1. DigiCertlogstheidentityofentitymakingtherequestorproblemreportandthereasonforrequestingrevocation.DigiCertmayalsoincludeitsownreasonsforrevocationinthelog.

2. DigiCertmayrequestconfirmationoftherevocationfromtheSubscriberoraknownadministrator,whereapplicable,viaout‐of‐bandcommunication(e.g.,telephone,fax,etc.).

3. IftherequestisauthenticatedasoriginatingfromtheSubscriber,DigiCertrevokesthecertificate.

4. Forrequestsfromthirdparties,DigiCertpersonnelbegininvestigatingtherequestanddecidewhetherrevocationisappropriatebasedonthefollowingcriteria:

a. thenatureoftheallegedproblem,

b. thenumberofreportsreceivedaboutaparticularcertificate,

c. theidentityofthecomplainants(forexample,complaintsfromalawenforcementofficialthatawebsiteisengagedinillegalactivitieshavemoreweightthanacomplaintfromaconsumerallegingtheyneverreceivedthegoodstheyordered),and

d. relevantlegislation.

5. IfDigiCertdeterminesthatrevocationisappropriate,DigiCertpersonnelrevokethecertificateandupdatetheCRL.

DigiCertmaintainsacontinuous24/7abilitytointernallyrespondtoanyhighpriorityrevocationrequests.Ifappropriate,DigiCertforwardscomplaintstolawenforcement.

4.9.4. RevocationRequestGracePeriodSubscribersarerequiredtorequestrevocationwithinonedayafterdetectingthelossorcompromiseofthePrivateKey.DigiCertmaygrantandextendrevocationgraceperiodsonacase‐by‐casebasis.

11

4.9.5. TimewithinwhichCAMustProcesstheRevocationRequestDigiCertwillrevokeaCAcertificatewithinonehourafterreceivingclearinstructionsfromtheDCPA.Othercertificatesarerevokedasquicklyaspracticalaftervalidatingtherevocationrequest.

4.9.6. RevocationCheckingRequirementforRelyingPartiesNostipulation.

4.9.7. CRLIssuanceFrequencyCRLsaregenerallypublishedatleastevery24hours.

4.9.8. MaximumLatencyforCRLsCRLsforcertificatesissuedtoendentitysubscribersarepostedautomaticallytotheonlinerepositorywithinacommerciallyreasonabletimeaftergeneration,usuallywithinminutesofgeneration.RegularlyscheduledCRLsarepostedpriortothenextUpdatefieldinthepreviouslyissuedCRLofthesamescope.

4.9.9. On‐lineRevocation/StatusCheckingAvailabilityNostipulation.

4.9.10. On‐lineRevocationCheckingRequirementsNostipulation.

4.9.11. OtherFormsofRevocationAdvertisementsAvailableNostipulation.

4.9.12. SpecialRequirementsRelatedtoKeyCompromiseNostipulation.

4.9.13. CircumstancesforSuspensionNotapplicable.

4.9.14. WhoCanRequestSuspensionNotapplicable.

4.9.15. ProcedureforSuspensionRequestNotapplicable.

4.9.16. LimitsonSuspensionPeriodNotapplicable.

4.10. CERTIFICATESTATUSSERVICES

4.10.1. OperationalCharacteristicsCertificatestatusinformationmaybeavailableviaCRLandOCSPresponder.TheserialnumberofarevokedcertificateremainsontheCRLuntiloneadditionalCRLispublishedaftertheendofthecertificate’svalidityperiod.

4.10.2. ServiceAvailabilityCertificatestatusservicesareavailable24x7withoutinterruption.

4.10.3. OptionalFeaturesOCSPRespondersmaynotbeavailableforallcertificatetypes.

12

4.11. ENDOFSUBSCRIPTIONASubscriber’ssubscriptionserviceendsifitscertificateexpiresorisrevokedoriftheapplicableSubscriberAgreementexpireswithoutrenewal.

4.12. KEYESCROWANDRECOVERY

4.12.1. KeyEscrowandRecoveryPolicyPractices

Nostipulation.

4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPracticesNostipulation.

5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS

5.1. PHYSICALCONTROLS5.1.1. SiteLocationandConstruction

DigiCertperformsitsCAoperationsfromsecureandgeographicallydiversecommercialdatacenters.ThedatacentersareequippedwithlogicalandphysicalcontrolsthatmakeDigiCert’sCAoperationsinaccessibletonon‐trustedpersonnel.DigiCertoperatesunderasecuritypolicydesignedtodetect,deter,andpreventunauthorizedaccesstoDigiCert'soperations.

5.1.2. PhysicalAccessDigiCertprotectsitsequipmentfromunauthorizedaccessandimplementsphysicalcontrolstoreducetheriskofequipmenttampering.ThesecurepartsofDigiCertCAhostingfacilitiesareprotectedusingphysicalaccesscontrolsmakingthemaccessibleonlytoappropriatelyauthorizedindividuals.Accesstosecureareasofthebuildingsrequirestheuseofan"access"or"pass"card.Thebuildingsareequippedwithmotiondetectingsensors,andtheexteriorandinternalpassagewaysofthebuildingsareunderconstantvideosurveillance.DigiCertsecurelystoresallremovablemediaandpapercontainingsensitiveplain‐textinformationrelatedtoitsCAoperationsinsecurecontainersinaccordancewithitsDataClassificationPolicy.

ThedatacenterswhereDigiCert’sCAsystemsoperatehavesecuritypersonnelondutyfulltime(24hoursperday,365daysperyear).AccesstothedatacentershousingtheCAplatformsrequirestwo‐factorauthentication—theindividualmusthaveanauthorizedaccesscardandpassbiometricaccesscontrolauthenticators.Thesebiometricauthenticationaccesssystemslogeachuseoftheaccesscard.

DigiCertdeactivatesandsecurelystoresitsCAequipmentwhennotinuse.Activationdatamusteitherbememorizedorrecordedandstoredinamannercommensuratewiththesecurityaffordedthecryptographicmodule.ActivationdataisneverstoredwiththecryptographicmoduleorremovablehardwareassociatedwithequipmentusedtoadministerDigiCert’sprivatekeys.Cryptographichardwareincludesamechanismtolockthehardwareafteracertainnumberoffailedloginattempts.

TheDigiCertdatacentersarecontinuouslyattended.However,ifDigiCerteverbecomesawarethatadatacenteristobeleftunattendedorhasbeenleftunattendedforanextendedperiodoftime,DigiCertpersonnelwillperformasecuritycheckofthedatacentertoverifythat:

1. DigiCert’sequipmentisinastateappropriatetothecurrentmodeofoperation,

2. Anysecuritycontainersareproperlysecured,

3. Physicalsecuritysystems(e.g.,doorlocks)arefunctioningproperly,and

4. Theareaissecuredagainstunauthorizedaccess.

13

DigiCert’sadministratorsareresponsibleformakingthesechecksandmustsignoffthatallnecessaryphysicalprotectionmechanismsareinplaceandactivated.Theidentityoftheindividualmakingthecheckislogged.

5.1.3. PowerandAirConditioningDatacentershaveprimaryandsecondarypowersuppliesthatensurecontinuousanduninterruptedaccesstoelectricpower.Uninterruptedpowersupplies(UPS)anddieselgeneratorsprovideredundantbackuppower.DigiCertmonitorscapacitydemandsandmakesprojectionsaboutfuturecapacityrequirementstoensurethatadequateprocessingpowerandstorageareavailable.DigiCert’sdatacenterfacilitiesusemultipleload‐balancedHVACsystemsforheating,cooling,andairventilationthroughperforated‐tileraisedflooringtopreventoverheatingandtomaintainasuitablehumiditylevelforsensitivecomputersystems.

5.1.4. WaterExposuresThecabinetshousingDigiCert'sCAsystemsarelocatedonraisedflooring,andthedatacentersareequippedwithmonitoringsystemstodetectexcessmoisture.

5.1.5. FirePreventionandProtectionThedatacentersareequippedwithfiresuppressionmechanisms.

5.1.6. MediaStorageDigiCertprotectsitsmediafromaccidentaldamageandunauthorizedphysicalaccess.Backupfilesarecreatedonaregularbasis.DigiCert’sbackupfilesaremaintainedatlocationsseparatefromDigiCert’sprimarydataoperationsfacility.

5.1.7. WasteDisposalAllunnecessarycopiesofprintedsensitiveinformationareshreddedon‐sitebeforedisposal.

5.1.8. Off‐siteBackupDigiCertmaintainsatleastonefullbackupandmakesregularbackupcopiesofanyinformationnecessarytorecoverfromasystemfailure.BackupcopiesofCAPrivateKeysandactivationdataarestoredfordisasterrecoverypurposesoff‐siteinsafedepositboxesthatareaccessibleonlybytrustedpersonnel.

5.2. PROCEDURALCONTROLS5.2.1. TrustedRoles

PersonnelactingintrustedrolesincludeCAandRAsystemadministrationpersonnel,andpersonnelinvolvedwithidentityvettingandtheissuanceandrevocationofcertificates.ThefunctionsanddutiesperformedbypersonsintrustedrolesaredistributedsothatonepersonalonecannotcircumventsecuritymeasuresorsubvertthesecurityandtrustworthinessofthePKIoperations.AllpersonnelintrustedrolesmustbefreefromconflictsofinterestthatmightprejudicetheimpartialityoftheDigiCertPKI’soperations.Trustedrolesareappointedbyseniormanagement.Alistofpersonnelappointedtotrustedrolesismaintainedandreviewedannually.

5.2.1.1. CAAdministratorsTheCAAdministratorinstallsandconfigurestheCAsoftware,includingkeygeneration,keybackup,andkeymanagement.TheCAAdministratorperformsandsecurelystoresregularsystembackupsoftheCAsystem.AdministratorsdonotissuecertificatestoSubscribers.

5.2.1.2. RegistrationOfficers–ValidationandVettingPersonnelTheRegistrationOfficerroleisresponsibleforissuingandrevokingcertificates,includingenrollment,identityverification,andcompliancewithrequiredissuanceandrevocationstepssuchasmanagingthecertificaterequestqueueandcompletingcertificateapprovalchecklistsasidentityvettingtasksaresuccessfullycompleted.

14

5.2.1.3. SystemAdministrators/SystemEngineers(Operator)TheSystemAdministrator/SystemEngineerinstallsandconfiguressystemhardware,includingservers,routers,firewalls,andnetworkconfigurations.TheSystemAdministrator/SystemEngineeralsokeepsCAandRAsystemsupdatedwithsoftwarepatchesandothermaintenanceneededforsystemstabilityandrecoverability.

5.2.1.4. InternalAuditorsInternalAuditorsareresponsibleforreviewing,maintaining,andarchivingauditlogsandperformingoroverseeinginternalcomplianceauditstodetermineifDigiCertisoperatinginaccordancewiththisCPS.

5.2.2. NumberofPersonsRequiredperTaskDigiCertrequiresthatatleasttwopeopleactinginatrustedrole(onetheCAAdministratorandtheothernotanInternalAuditor)takeactionrequiringatrustedrole,suchasactivatingDigiCert’sPrivateKeys,generatingaCAkeypair,orbackingupaDigiCertprivatekey.TheInternalAuditormayservetofulfilltherequirementofmultipartycontrolforphysicalaccesstotheCAsystembutnotlogicalaccess.

5.2.3. IdentificationandAuthenticationforeachRoleAllpersonnelarerequiredtoauthenticatethemselvestoCAandRAsystemsbeforetheyareallowedaccesstosystemsnecessarytoperformtheirtrustedroles.

5.2.4. RolesRequiringSeparationofDutiesRolesrequiringaseparationofdutiesinclude:

1. Thoseperformingauthorizationfunctionssuchastheverificationofinformationincertificateapplicationsandapprovalsofcertificateapplicationsandrevocationrequests,

2. Thoseperformingbackups,recording,andrecordkeepingfunctions;

3. Thoseperformingaudit,review,oversight,orreconciliationfunctions;and

4. ThoseperformingdutiesrelatedtoCAkeymanagementorCAadministration.

5.3. PERSONNELCONTROLS5.3.1. Qualifications,Experience,andClearanceRequirements

TheDCPAisresponsibleandaccountableforDigiCert’sPKIoperationsandensurescompliancewiththisCPS.DigiCert’spersonnelandmanagementpracticesprovidereasonableassuranceofthetrustworthinessandcompetenceofitsemployeesandofthesatisfactoryperformanceoftheirduties.

5.3.2. BackgroundCheckProceduresDigiCertverifiestheidentityofeachemployeeappointedtoatrustedroleandperformsabackgroundcheckpriortoallowingsuchpersontoactinatrustedrole.DigiCertrequireseachindividualtoappearin‐personbeforeahumanresourcesemployeewhoseresponsibilityitistoverifyidentity.Thehumanresourcesemployeeverifiestheindividual’sidentityusinggovernment‐issuedphotoidentification(e.g.,passportsand/ordriver’slicensesreviewedpursuanttoU.S.CitizenshipandImmigrationServicesFormI‐9,EmploymentEligibilityVerification,orcomparableprocedureforthejurisdictioninwhichtheindividual’sidentityisbeingverified).Backgroundchecksincludeemploymenthistory,education,characterreferences,socialsecuritynumber,previousresidences,drivingrecordsandcriminalbackground.Checksofpreviousresidencesareoverthepastthreeyears.Allotherchecksareforthepreviousfiveyears.Thehighesteducationdegreeobtainedisverifiedregardlessofthedateawarded.Basedupontheinformationobtainedduringthebackgroundcheck,thehumanresourcesdepartmentmakesanadjudicationdecision,withtheassistanceoflegalcounselwhennecessary,astowhethertheindividualissuitableforthepositiontowhichtheywillbeassigned.Backgroundchecksarerefreshedandre‐adjudicationoccursatleasteverytenyears.

15

5.3.3. TrainingRequirementsDigiCertprovidesskillstrainingtoallemployeesinvolvedinDigiCert’sPKIoperations.Thetrainingrelatestotheperson’sjobfunctionsandcovers:

1. basicPublicKeyInfrastructure(PKI)knowledge,

2. softwareversionsusedbyDigiCert,

3. authenticationandverificationpoliciesandprocedures,

4. DigiCertsecurityprincipalsandmechanisms,

5. disasterrecoveryandbusinesscontinuityprocedures,

6. commonthreatstothevalidationprocess,includingphishingandothersocialengineeringtactics,and

7. applicableindustryandgovernmentguidelines.

Trainingisprovidedviaamentoringprocessinvolvingseniormembersoftheteamtowhichtheemployeebelongs.

DigiCertmaintainsrecordsofwhoreceivedtrainingandwhatleveloftrainingwascompleted.RegistrationOfficersmusthavetheminimumskillsnecessarytosatisfactorilyperformvalidationdutiesbeforebeinggrantedvalidationprivileges.Wherecompetenceisdemonstratedinlieuoftraining,DigiCertmaintainssupportingdocumentation.

5.3.4. RetrainingFrequencyandRequirementsEmployeesmustmaintainskilllevelsthatareconsistentwithindustry‐relevanttrainingandperformanceprogramsinordertocontinueactingintrustedroles.DigiCertmakesallemployeesactingintrustedrolesawareofanychangestoDigiCert’soperations.IfDigiCert’soperationschange,DigiCertwillprovidedocumentedtraining,inaccordancewithanexecutedtrainingplan,toallemployeesactingintrustedroles.

5.3.5. JobRotationFrequencyandSequenceNostipulation.

5.3.6. SanctionsforUnauthorizedActionsDigiCertemployeesandagentsfailingtocomplywiththisCPS,whetherthroughnegligenceormaliciousintent,aresubjecttoadministrativeordisciplinaryactions,includingterminationofemploymentoragencyandcriminalsanctions.Ifapersoninatrustedroleiscitedbymanagementforunauthorizedorinappropriateactions,thepersonwillbeimmediatelyremovedfromthetrustedrolependingmanagementreview.Aftermanagementhasreviewedanddiscussedtheincidentwiththeemployeeinvolved,managementmayreassignthatemployeetoanon‐trustedroleordismisstheindividualfromemploymentasappropriate.

5.3.7. IndependentContractorRequirementsIndependentcontractorswhoareassignedtoperformtrustedrolesaresubjecttothedutiesandrequirementsspecifiedforsuchrolesinthisSection5.3andaresubjecttosanctionsstatedaboveinSection5.3.6.

5.3.8. DocumentationSuppliedtoPersonnelPersonnelintrustedrolesareprovidedwiththedocumentationnecessarytoperformtheirduties.Personnelarealsogivenaccesstoinformationoninternalsystemsandsecuritydocumentation,identityvettingpoliciesandprocedures,discipline‐specificbooks,treatisesandperiodicals,andotherinformation.

16

5.4. AUDITLOGGINGPROCEDURES5.4.1. TypesofEventsRecorded

DigiCert’ssystemsrequireidentificationandauthenticationatsystemlogonwithauniqueusernameandpassword.Importantsystemactionsareloggedtoestablishtheaccountabilityoftheoperatorswhoinitiatesuchactions.

DigiCertenablesallessentialeventauditingcapabilitiesofitsCAapplicationsinordertorecordtheeventslistedbelow.IfDigiCert’sapplicationscannotautomaticallyrecordanevent,DigiCertimplementsmanualprocedurestosatisfytherequirements.Foreachevent,DigiCertrecordstherelevant(i)dateandtime,(ii)typeofevent,(iii)successorfailure,and(iv)userorsystemthatcausedtheeventorinitiatedtheaction.EventrecordsareavailabletoauditorsasproofofDigiCert’spractices.

AuditableEventSECURITYAUDITAnychangestotheauditparameters,e.g.,auditfrequency,typeofeventauditedAnyattempttodeleteormodifytheauditlogsAUTHENTICATIONTOSYSTEMSSuccessfulandunsuccessfulattemptstoassumearoleThevalueofmaximumnumberofauthenticationattemptsischangedMaximumnumberofauthenticationattemptsoccurduringuserloginAnadministratorunlocksanaccountthathasbeenlockedasaresultofunsuccessfulauthenticationattemptsAnadministratorchangesthetypeofauthenticator,e.g.,fromapasswordtoabiometricLOCALDATAENTRYAllsecurity‐relevantdatathatisenteredinthesystemREMOTEDATAENTRYAllsecurity‐relevantmessagesthatarereceivedbythesystemDATAEXPORTANDOUTPUTAllsuccessfulandunsuccessfulrequestsforconfidentialandsecurity‐relevantinformationKEYGENERATIONWheneveraCAgeneratesakey(notmandatoryforsinglesessionorone‐timeusesymmetrickeys)PRIVATEKEYLOADANDSTORAGETheloadingofComponentPrivateKeysAllaccesstocertificatesubjectPrivateKeysretainedwithintheCAforkeyrecoverypurposesTRUSTEDPUBLICKEYENTRY,DELETIONANDSTORAGESECRETKEYSTORAGEThemanualentryofsecretkeysusedforauthenticationPRIVATEANDSECRETKEYEXPORTTheexportofprivateandsecretkeys(keysusedforasinglesessionormessageareexcluded)CERTIFICATEREGISTRATIONAllcertificaterequests,includingissuance,re‐key,renewal,andrevocationCertificateissuanceVerificationactivitiesCERTIFICATEREVOCATIONAllcertificaterevocationrequestsCERTIFICATESTATUSCHANGEAPPROVALANDREJECTIONCACONFIGURATIONAnysecurity‐relevantchangestotheconfigurationofaCAsystemcomponentACCOUNTADMINISTRATIONRolesandusersareaddedordeletedTheaccesscontrolprivilegesofauseraccountorarolearemodified

17

CERTIFICATEPROFILEMANAGEMENTAllchangestothecertificateprofileREVOCATIONPROFILEMANAGEMENTAllchangestotherevocationprofileCERTIFICATEREVOCATIONLISTPROFILEMANAGEMENTAllchangestothecertificaterevocationlistprofileGenerationofCRLsandOCSPentriesTIMESTAMPINGClocksynchronizationMISCELLANEOUSAppointmentofanindividualtoaTrustedRoleDesignationofpersonnelformultipartycontrolInstallationofanOperatingSystem,PKIApplication,orHardwareSecurityModuleRemovalorDestructionofHSMsSystemStartupLogonattemptstoPKIApplicationReceiptofhardware/softwareAttemptstosetormodifypasswordsBackuporrestorationoftheinternalCAdatabaseFilemanipulation(e.g.,creation,renaming,moving)PostingofanymaterialtoarepositoryAccesstotheinternalCAdatabaseAllcertificatecompromisenotificationrequestsLoadingHSMswithCertificatesShipmentofHSMsZeroizingHSMsRe‐keyoftheComponentCONFIGURATIONCHANGESHardwareSoftwareOperatingSystemPatchesSecurityProfilesPHYSICALACCESS/SITESECURITYPersonnelaccesstosecureareahousingCAcomponentAccesstoaCAcomponentKnownorsuspectedviolationsofphysicalsecurityFirewallandrouteractivitiesANOMALIESSystemcrashesandhardwarefailuresSoftwareerrorconditionsSoftwarecheckintegrityfailuresReceiptofimpropermessagesandmisroutedmessagesNetworkattacks(suspectedorconfirmed)EquipmentfailureElectricalpoweroutagesUninterruptiblePowerSupply(UPS)failureObviousandsignificantnetworkserviceoraccessfailuresViolationsofaCPSResettingOperatingSystemclock

5.4.2. FrequencyofProcessingLogAtleastonceeverytwomonths,aDigiCertadministratorreviewsthelogsgeneratedbyDigiCert’ssystems,

18

makessystemandfileintegritychecks,andconductsavulnerabilityassessment.Theadministratormayperformthechecksusingautomatedtools.Duringthesechecks,theadministrator(1)checkswhetheranyonehastamperedwiththelog,(2)scansforanomaliesorspecificconditions,includinganyevidenceofmaliciousactivity,and(3)preparesawrittensummaryofthereview.Anyanomaliesorirregularitiesfoundinthelogsareinvestigated.ThesummariesincluderecommendationstoDigiCert’soperationsmanagementcommitteeandaremadeavailabletoDigiCert'sauditorsuponrequest.DigiCertdocumentsanyactionstakenasaresultofareview.

5.4.3. RetentionPeriodforAuditLogDigiCertretainsauditlogson‐siteuntilaftertheyarereviewed.TheindividualswhoremoveauditlogsfromDigiCert’sCAsystemsaredifferentthantheindividualswhocontrolDigiCert’ssignaturekeys.

5.4.4. ProtectionofAuditLogCAauditloginformationisretainedonequipmentuntilafteritiscopiedbyasystemadministrator.DigiCert’sCAsystemsareconfiguredtoensurethat(i)onlyauthorizedpeoplehavereadaccesstologs,(ii)onlyauthorizedpeoplemayarchiveauditlogs,and(iii)auditlogsarenotmodified.Auditlogsareprotectedfromdestructionpriortotheendoftheauditlogretentionperiodandareretainedsecurelyon‐siteuntiltransferredtoabackupsite.DigiCert’soff‐sitestoragelocationisasafeandsecurelocationthatisseparatefromthelocationwherethedatawasgenerated.

5.4.5. AuditLogBackupProceduresDigiCertmakesregularbackupcopiesofauditlogsandauditlogsummariesandsavesacopyoftheauditlogoff‐siteonatleastamonthlybasis.

5.4.6. AuditCollectionSystem(internalvs.external)Automaticauditprocessesbeginonsystemstartupandendatsystemshutdown.Ifanautomatedauditsystemfailsandtheintegrityofthesystemorconfidentialityoftheinformationprotectedbythesystemisatrisk,DigiCert’sAdministratorsandtheDCPAshallbenotifiedandtheDCPAwillconsidersuspendingtheCA’sorRA’soperationsuntiltheproblemisremedied.

5.4.7. NotificationtoEvent‐causingSubjectNostipulation.

5.4.8. VulnerabilityAssessmentsDigiCertperformsannualriskassessmentsthatidentifyandassessreasonablyforeseeableinternalandexternalthreatsthatcouldresultinunauthorizedaccess,disclosure,misuse,alteration,ordestructionofanycertificatedataorcertificateissuanceprocess.DigiCertalsoroutinelyassessesthesufficiencyofthepolicies,procedures,informationsystems,technology,andotherarrangementsthatDigiCerthasinplacetocontrolsuchrisks.DigiCert’sInternalAuditorsreviewthesecurityauditdatachecksforcontinuity.DigiCert’sauditlogmonitoringtoolsalerttheappropriatepersonnelofanyevents,suchasrepeatedfailedactions,requestsforprivilegedinformation,attemptedaccessofsystemfiles,andunauthenticatedresponses.

5.5. RECORDSARCHIVALDigiCertcomplieswithallrecordretentionpoliciesthatapplybylaw.DigiCertincludessufficientdetailinallarchivedrecordstoshowthatacertificatewasissuedinaccordancewiththisCPS.

5.5.1. TypesofRecordsArchivedDigiCertretainsthefollowinginformationinitsarchives(assuchinformationpertainstoDigiCert’sCAoperations):

1. AccreditationsofDigiCert,

2. CPandCPSversions,

3. ContractualobligationsandotheragreementsconcerningtheoperationoftheCA,

19

4. Systemandequipmentconfigurations,modifications,andupdates,

5. Rejectionoracceptanceofacertificaterequest,

6. Certificateissuance,rekey,renewal,andrevocationrequests,

7. SufficientidentityauthenticationdatatosatisfytheidentificationrequirementsofSection3.2,includinginformationabouttelephonecallsmadeforverificationpurposes,

8. Anydocumentationrelatedtothereceiptoracceptanceofacertificateortoken,

9. SubscriberAgreements,

10. Issuedcertificates,

11. Arecordofcertificatere‐keys,

12. CRLandOCSPentries,

13. Dataorapplicationsnecessarytoverifyanarchive’scontents,

14. Complianceauditorreports,

15. ChangestoDigiCert’sauditparameters,

16. Anyattempttodeleteormodifyauditlogs,

17. Keygeneration,destruction,storage,backup,andrecovery,

18. AccesstoPrivateKeysforkeyrecoverypurposes,

19. ExportofPrivateKeys,

20. Approvalorrejectionofacertificatestatuschangerequest,

21. Appointmentofanindividualtoatrustedrole,

22. Destructionofacryptographicmodule,

23. Certificatecompromisenotifications,

24. Remedialactiontakenasaresultofviolationsofphysicalsecurity,and

25. ViolationsoftheCPS.

5.5.2. RetentionPeriodforArchiveNostipulation.

5.5.3. ProtectionofArchiveArchiverecordsarestoredatasecureoff‐sitelocationandaremaintainedinamannerthatpreventsunauthorizedmodification,substitution,ordestruction.ArchivesarenotreleasedexceptasallowedbytheDCPAorasrequiredbylaw.DigiCertmaintainsanysoftwareapplicationrequiredtoprocessthearchivedatauntilthedataiseitherdestroyedortransferredtoanewermedium.

IfDigiCertneedstotransferanymediatoadifferentarchivesiteorequipment,DigiCertwillmaintainbotharchivedlocationsand/orpiecesofequipmentuntilthetransferarecomplete.Alltransferstonewarchiveswilloccurinasecuremanner.

20

5.5.4. ArchiveBackupProceduresOnatleastanannualbasis,DigiCertcreatesanarchivediskofthedatalistedinsection5.5.1bygroupingthedatatypestogetherbysourceintoseparate,compressedarchivefiles.DigiCertstoresthearchivediskinasecureoff‐sitelocationforthedurationofthesetretentionperiod.

5.5.5. RequirementsforTime‐stampingofRecordsDigiCertautomaticallytime‐stampsarchivedrecordswithsystemtime(non‐cryptographicmethod)astheyarecreated.DigiCertsynchronizesitssystemtimeatleasteveryeighthoursusingarealtimevaluedistributedbyarecognizedUTC(k)laboratoryorNationalMeasurementInstitute.

5.5.6. ArchiveCollectionSystem(internalorexternal)ArchiveinformationiscollectedinternallybyDigiCert.

5.5.7. ProcedurestoObtainandVerifyArchiveInformationDetailsconcerningthecreationandstorageofarchiveinformationarefoundinsection5.5.4.AfterreceivingarequestmadeforaproperpurposebyaCustomer,itsagent,orapartyinvolvedinadisputeoveratransactioninvolvingthePKI,DigiCertmayelecttoretrievetheinformationfromarchival.DigiCertmayelecttotransmittherelevantinformationviaasecureelectronicmethodorcourier,oritmayalsorefusetoprovidetheinformationinitsdiscretionandmayrequirepriorpaymentofallcostsassociatedwiththedata.

5.6. KEYCHANGEOVERKeychangeoverproceduresenablethesmoothtransitionfromexpiringCAcertificatestonewCAcertificates.TowardstheendofaCAPrivateKey’slifetime,DigiCertceasesusingtheexpiringCAPrivateKeytosigncertificatesandusestheoldPrivateKeyonlytosignCRLs,OCSPresponses,andOCSPrespondercertificates.AnewCAsigningkeypairiscommissionedandallsubsequentlyissuedcertificatesandCRLsaresignedwiththenewprivatesigningkey.Boththeoldandthenewkeypairsmaybeconcurrentlyactive.ThiskeychangeoverprocesshelpsminimizeanyadverseeffectsfromCAcertificateexpiration.

5.7. COMPROMISEANDDISASTERRECOVERY5.7.1. IncidentandCompromiseHandlingProcedures

DigiCertmaintainsincidentresponseprocedurestoguidepersonnelinresponsetosecurityincidents,naturaldisasters,andsimilareventsthatmaygiverisetosystemcompromise.DigiCertreviews,tests,andupdatesitsincidentresponseplansandproceduresonatleastanannualbasis.

5.7.2. ComputingResources,Software,and/orDataAreCorruptedDigiCertmakesregularsystembackupsonatleastaweeklybasisandmaintainsbackupcopiesofitsPrivateKeys,whicharestoredinasecure,off‐sitelocation.IfDigiCertdiscoversthatanyofitscomputingresources,software,ordataoperationshavebeencompromised,DigiCertassessesthethreatsandrisksthatthecompromisepresentstotheintegrityorsecurityofitsoperationsorthoseofaffectedparties.IfDigiCertdeterminesthatacontinuedoperationcouldposeasignificantrisktoRelyingPartiesorSubscribers,DigiCertsuspendssuchoperationuntilitdeterminesthattheriskismitigated.

5.7.3. EntityPrivateKeyCompromiseProceduresIfDigiCertsuspectsthatoneofitsPrivateKeyshasbeencomprisedorlost,thenanemergencyresponseteamwillconveneandassessthesituationtodeterminethedegreeandscopeoftheincidentandtakeappropriateaction.DigiCertmaygenerateanewkeypairandsignanewcertificate.IfadisasterphysicallydamagesDigiCert’sequipmentanddestroysallcopiesofDigiCert’ssignaturekeys,thenDigiCertwillprovidenoticetoaffectedpartiesattheearliestfeasibletime.

5.7.4. BusinessContinuityCapabilitiesafteraDisasterTomaintaintheintegrityofitsservices,DigiCertimplementsdatabackupandrecoveryproceduresaspartofitsBusinessContinuityManagementPlan(BCMP).StatedgoalsoftheBCMParetoensurethatcertificate

21

statusservicesbeonlyminimallyaffectedbyanydisasterinvolvingDigiCert’sprimaryfacilityandthatDigiCertbecapableofmaintainingotherservicesorresumingthemasquicklyaspossiblefollowingadisaster.DigiCertreviews,tests,andupdatestheBCMPandsupportingproceduresatleastannually.

DigiCert'ssystemsareredundantlyconfiguredatitsprimaryfacilityandaremirroredataseparate,geographicallydiverselocationforfailoverintheeventofadisaster.IfadisastercausesDigiCert’sprimaryCAoperationstobecomeinoperative,DigiCertwillre‐initiateitsoperationsatitssecondarylocationgivingprioritytotheprovisionofcertificatestatusinformationandtimestampingcapabilities,ifaffected.

5.8. CAORRATERMINATIONBeforeterminatingitsCAactivities,DigiCertwill:

1. Providenoticeandinformationabouttheterminationbysendingnoticebyemailtoitscustomers;and

2. Transferallresponsibilitiestoaqualifiedsuccessorentity.

Ifaqualifiedsuccessorentitydoesnotexist,DigiCertwill:

1. transferthosefunctionscapableofbeingtransferredtoareliablethirdpartyandarrangetopreserveallrelevantrecordswithareliablethirdpartyoragovernment,regulatory,orlegalbodywithappropriateauthority;

2. revokeallcertificatesthatarestillun‐revokedorun‐expiredonadateasspecifiedinthenoticeandpublishfinalCRLs;

3. destroyallPrivateKeys;and

4. makeothernecessaryarrangementsthatareinaccordancewiththisCPS.

DigiCerthasmadearrangementstocoverthecostsassociatedwithfulfillingtheserequirementsincaseDigiCertbecomesbankruptorisunabletocoverthecosts.Anyrequirementsofthissectionthatarevariedbycontractapplyonlythecontractingparties.

6. TECHNICALSECURITYCONTROLS

6.1. KEYPAIRGENERATIONANDINSTALLATION6.1.1. KeyPairGeneration

CAkeypairsaregeneratedbytrustedrolesandusingacryptographichardwaredevice.Typically,thecryptographichardwareisevaluatedtoFIPS140‐1Level3andEAL4+.DigiCertcreatesauditableevidenceduringthekeygenerationprocesstoprovethattheCPSwasfollowedandroleseparationwasenforcedduringthekeygenerationprocess.

6.1.2. PrivateKeyDeliverytoSubscriberNostipulation.

6.1.3. PublicKeyDeliverytoCertificateIssuerSubscribersgeneratekeypairsandsubmitthePublicKeytoDigiCertinaCSRaspartofthecertificaterequestprocess.TheSubscriber’ssignatureontherequestisauthenticatedpriortoissuingthecertificate.

6.1.4. CAPublicKeyDeliverytoRelyingPartiesNostipulation.

22

6.1.5. KeySizesNostipulation.

6.1.6. PublicKeyParametersGenerationandQualityCheckingDigiCertusesacryptomodulethatconformstoFIPS186‐2andprovidesrandomnumbergenerationandon‐boardgenerationofupto4096‐bitRSAPublicKeysandawiderangeofECCcurves.

6.1.7. KeyUsagePurposes(asperX.509v3keyusagefield)DigiCert'scertificatesmayincludekeyusageextensionfieldsthatspecifytheintendeduseofthecertificateandtechnicallylimitthecertificate’sfunctionalityinX.509v3compliantsoftware.TheuseofaspecifickeyisdeterminedbythekeyusageextensionintheX.509certificate.Subscribercertificatesassertkeyusagesbasedontheintendedapplicationofthekeypair.Inparticular,certificatestobeusedfordigitalsignatures(includingauthentication)setthedigitalSignatureand/ornonRepudiationbits.CertificatestobeusedforkeyordataencryptionshallsetthekeyEnciphermentand/ordataEnciphermentbits.CertificatestobeusedforkeyagreementshallsetthekeyAgreementbit.

Keyusagebitsandextendedkeyusagesarespecifiedinthecertificateprofileforeachtypeofcertificateassetforthinrelevantprofileddocument.

6.2. PRIVATEKEYPROTECTIONANDCRYPTOGRAPHICMODULEENGINEERINGCONTROLS6.2.1. CryptographicModuleStandardsandControls

Nostipulation.

6.2.2. PrivateKey(noutofm)Multi‐personControlDigiCert'sauthenticationmechanismsareprotectedsecurelywhennotinuseandmayonlybeaccessedbyactionsofmultipletrustedpersons.BackupsofCAPrivateKeysaresecurelystoredoff‐siteandrequiretwo‐personaccess.Re‐activationofabacked‐upCAPrivateKey(unwrapping)requiresthesamesecurityandmulti‐personcontrolaswhenperformingothersensitiveCAPrivateKeyoperations.

6.2.3. PrivateKeyEscrowNostipulation.

6.2.4. PrivateKeyBackupNostipulation.

6.2.5. PrivateKeyArchivalNostipulation.

6.2.6. PrivateKeyTransferintoorfromaCryptographicModuleNostipulation.

6.2.7. PrivateKeyStorageonCryptographicModuleNostipulation.

6.2.8. MethodofActivatingPrivateKeysDigiCert'sPrivateKeysareactivatedaccordingtothespecificationsofthecryptographicmodulemanufacturer.Activationdataentryisprotectedfromdisclosure.SubscribersaresolelyresponsibleforprotectingtheirPrivateKeys.SubscribersshoulduseastrongpasswordorequivalentauthenticationmethodtopreventunauthorizedaccessoruseoftheSubscriber’sPrivateKey.Ataminimum,Subscribersarerequiredtoauthenticatethemselvestothecryptographicmodulebeforeactivatingtheirprivatekeys.

23

6.2.9. MethodofDeactivatingPrivateKeysDigiCert’sPrivateKeysaredeactivatedvialogoutproceduresontheapplicableHSMdevicewhennotinuse.DigiCertneverleavesitsHSMdevicesinanactiveunlockedorunattendedstate.SubscribersshoulddeactivatetheirPrivateKeysvialogoutandremovalprocedureswhennotinuse.

6.2.10. MethodofDestroyingPrivateKeysDigiCert/RApersonnel,actingintrustedroles,destroyCA,RA,andstatusserverPrivateKeyswhennolongerneeded.SubscribersshalldestroytheirPrivateKeyswhenthecorrespondingcertificateisrevokedorexpiredorifthePrivateKeyisnolongerneeded.DigiCertmaydestroyaPrivateKeybydeletingitfromallknownstoragepartitions.DigiCertalsozeroizestheHSMdeviceandassociatedbackuptokensaccordingtothespecificationsofthehardwaremanufacturer.Thisreinitializesthedeviceandoverwritesthedatawithbinaryzeros.

6.2.11. CryptographicModuleRatingSeeSection6.2.1.

6.3. OTHERASPECTSOFKEYPAIRMANAGEMENT

6.3.1. PublicKeyArchivalDigiCertarchivescopiesofPublicKeysinaccordancewithSection5.5.

6.3.2. CertificateOperationalPeriodsandKeyPairUsagePeriodsNostipulation.

6.4. ACTIVATIONDATA

6.4.1. ActivationDataGenerationandInstallationDigiCertactivatesthecryptographicmodulecontainingitsCAPrivateKeysaccordingtothespecificationsofthehardwaremanufacturer.AllDigiCertpersonnelandSubscribersareinstructedtousestrongpasswordsandtoprotectPINsandpasswords.DigiCertemployeesarerequiredtocreatenon‐dictionary,alphanumericpasswordswithaminimumlengthandtochangetheirpasswordsonaregularbasis.IfDigiCertusespasswordsasactivationdataforasigningkey,DigiCertwillchangetheactivationdatachangeuponrekeyoftheCAcertificate.

6.4.2. ActivationDataProtectionDigiCertprotectsdatausedtounlockprivatekeysfromdisclosureusingacombinationofcryptographicandphysicalaccesscontrolmechanisms.Protectionmechanismsincludekeepingactivationmechanismssecureusingrole‐basedphysicalcontrol.AllDigiCertpersonnelareinstructedtomemorizeandnottowritedowntheirpasswordorshareitwithanotherindividual.DigiCertlocksaccountsusedtoaccesssecureCAprocessesifacertainnumberoffailedpasswordattemptsoccur.

6.4.3. OtherAspectsofActivationDataNostipulation.

6.5. COMPUTERSECURITYCONTROLS6.5.1. SpecificComputerSecurityTechnicalRequirements

DigiCertsecuresitsCAsystemsandauthenticatesandprotectscommunicationsbetweenitssystemsandtrustedroles.DigiCert'sCAserversandsupport‐and‐vettingworkstationsrunontrustworthysystemsthatareconfiguredandhardenedusingindustrybestpractices.

6.5.2. ComputerSecurityRatingNostipulation.

24

6.6. LIFECYCLETECHNICALCONTROLS6.6.1. SystemDevelopmentControls

DigiCerthasmechanismsinplacetocontrolandmonitortheacquisitionanddevelopmentofitsCAsystems.Changerequestsrequiretheapprovalofatleastoneadministratorwhoisdifferentfromthepersonsubmittingtherequest.DigiCertonlyinstallssoftwareonCAsystemsifthesoftwareispartoftheCA’soperation.CAhardwareandsoftwarearededicatedtoperformingoperationsoftheCA.

Vendorsareselectedbasedontheirreputationinthemarket,abilitytodeliverqualityproduct,andlikelihoodofremainingviableinthefuture.Managementisinvolvedinthevendorselectionandpurchasedecisionprocess.Non‐PKIhardwareandsoftwareispurchasedwithoutidentifyingthepurposeforwhichthecomponentwillbeused.Allhardwareandsoftwareareshippedunderstandardconditionstoensuredeliveryofthecomponentdirectlytoatrustedemployeewhoensuresthattheequipmentisinstalledwithoutopportunityfortampering.

SomeofthePKIsoftwarecomponentsusedbyDigiCertaredevelopedin‐houseorbyconsultantsusingstandardsoftwaredevelopmentmethodologies.Allsuchsoftwareisdesignedanddevelopedinacontrolledenvironmentandsubjectedtoqualityassurancereview.Othersoftwareispurchasedcommercialoff‐the‐shelf(COTS).Qualityassuranceismaintainedthroughouttheprocessthroughtestinganddocumentationorbypurchasingfromtrustedvendorsasdiscussedabove.

Updatesofequipmentandsoftwarearepurchasedordevelopedinthesamemannerastheoriginalequipmentorsoftwareandareinstalledandtestedbytrustedandtrainedpersonnel.AllhardwareandsoftwareessentialtoDigiCert’soperationsisscannedformaliciouscodeonfirstuseandperiodicallythereafter.

6.6.2. SecurityManagementControlsDigiCerthasmechanismsinplacetocontrolandmonitorthesecurity‐relatedconfigurationsofitsCAsystems.WhenloadingsoftwareontoaCAsystem,DigiCertverifiesthatthesoftwareisthecorrectversionandissuppliedbythevendorfreeofanymodifications.DigiCertverifiestheintegrityofsoftwareusedwithitsCAprocessesatleastonceaweek.

6.6.3. LifeCycleSecurityControlsNostipulation.

6.7. NETWORKSECURITYCONTROLSDigiCertdocumentsandcontrolstheconfigurationofitssystems,includinganyupgradesormodificationsmade.DigiCert'sCAsystemisconnectedtooneinternalnetworkandisprotectedbyfirewallsandNetworkAddressTranslationforallinternalIPaddresses(e.g.,192.168.x.x).DigiCert'scustomersupportandvettingworkstationsarealsoprotectedbyfirewall(s)andonlyuseinternalIPaddresses.RootKeysarekeptofflineandbroughtonlineonlywhennecessarytosigncertificate‐issuingsubordinateCAs,OCSPresponses,OCSPResponderCertificates,orperiodicCRLs.Firewallsandboundarycontroldevicesareconfiguredtoallowaccessonlybytheaddresses,ports,protocolsandcommandsrequiredforthetrustworthyprovisionofPKIservicesbysuchsystems.DigiCert'ssecuritypolicyistoblockallportsandprotocolsandopenonlyportsnecessarytoenableCAfunctions.AllCAequipmentisconfiguredwithaminimumnumberofservicesandallunusednetworkportsandservicesaredisabled.DigiCert'snetworkconfigurationisavailableforreviewon‐sitebyitsauditorsandconsultantsunderanappropriatenon‐disclosureagreement.

6.8. TIME‐STAMPINGNostipulation.

7. CERTIFICATE,CRL,ANDOCSPPROFILES

DigiCertusestheITUX.509,version3standardtoconstructdigitalcertificatesforusewithintheDigiCertPKI.

25

7.1. CERTIFICATEPROFILE7.1.1. VersionNumber(s)

AllcertificatesareX.509version3certificates.

7.1.2. CertificateExtensionsAsagreedtowiththecustomer.

7.1.3. AlgorithmObjectIdentifiersAsagreedtowiththecustomer.DigiCertstronglyrecommendsthefollowing:

sha256WithRSAEncryption [iso(1)member‐body(2)us(840)rsadsi(113549)pkcs(1)pkcs‐1(1)11]

ecdsa‐with‐sha384 [iso(1)member‐body(2)us(840)ansi‐X9‐62(10045)signatures(4)ecdsa‐with‐SHA2(3)3]

7.1.4. NameFormsNostipulation.

7.1.5. NameConstraintsNostipulation.

7.1.6. CertificatePolicyObjectIdentifierNostipulation.

7.1.7. UsageofPolicyConstraintsExtensionNotapplicable.

7.1.8. PolicyQualifiersSyntaxandSemanticsDigiCertmayincludebriefstatementsincertificatesaboutthelimitationsofliabilityandothertermsassociatedwiththeuseofacertificateinthePolicyQualifierfieldoftheCertificatesPolicyextension.

7.1.9. ProcessingSemanticsfortheCriticalCertificatePoliciesExtensionNostipulation.

7.2. CRLPROFILE

7.2.1. Versionnumber(s)DigiCertissuesversion2CRLsthatcontainthefollowingfields:

Field ValueIssuerSignatureAlgorithm sha‐1WithRSAEncryption[12840113549115]OR

sha‐256WithRSAEncryption[128401135491111]ORecdsa‐with‐sha384[1284010045433]

IssuerDistinguishedName [Asappropriate]thisUpdate CRLissuedateinUTCformatnextUpdate DatewhenthenextCRLwillissueinUTCformat.RevokedCertificatesList Listofrevokedcertificates,includingtheserialnumberand

revocationdateIssuer’sSignature [Signature]

7.2.2. CRLandCRLEntryExtensionsCRLshavethefollowingextensions:

26

Extension ValueCRLNumber NeverrepeatedmonotonicallyincreasingintegerAuthorityKeyIdentifier SameastheAuthorityKeyIdentifierlistedinthecertificateInvalidityDate OptionaldateinUTCformatReasonCode Optionalreasonforrevocation

7.3. OCSPPROFILE7.3.1. VersionNumber(s)

DigiCert’sOCSPrespondersconformtoversion1ofRFC2560.

7.3.2. OCSPExtensionsNostipulation.

8. COMPLIANCEAUDITANDOTHERASSESSMENTS

8.1. FREQUENCYORCIRCUMSTANCESOFASSESSMENTAuditsreferencingthisCPSshallcoverDigiCert’sCAsystems,SubCAs,andOCSPResponders.

8.2. IDENTITY/QUALIFICATIONSOFASSESSORNostipulation.

8.3. ASSESSOR'SRELATIONSHIPTOASSESSEDENTITYNostipulation.

8.4. TOPICSCOVEREDBYASSESSMENTAnyauditcoversDigiCert'sbusinesspracticesdisclosure,theintegrityofDigiCert'sPKIoperations,andDigiCert’scompliancewithrelevantstandards.

8.5. ACTIONSTAKENASARESULTOFDEFICIENCYIfanauditreportsamaterialnoncompliancewithapplicablelaw,thisCPS,oranyothercontractualobligationsrelatedtoDigiCert’sservices,then(1)theauditorwilldocumentthediscrepancy,(2)theauditorwillpromptlynotifyDigiCert,and(3)DigiCertwilldevelopaplantocurethenoncompliance.DigiCertwillsubmittheplantotheDCPAforapprovalandtoanythirdpartythatDigiCertislegallyobligatedtosatisfy.TheDCPAmayrequireadditionalactionifnecessarytorectifyanysignificantissuescreatedbythenon‐compliance,includingrequiringrevocationofaffectedcertificates.

8.6. COMMUNICATIONOFRESULTSTheresultsofeachauditarereportedtotheDCPAandtoanythirdpartyentitieswhichareentitledbylaw,regulation,oragreementtoreceiveacopyoftheauditresults.

8.7. SELF‐AUDITSNostipulation.

9. OTHERBUSINESSANDLEGALMATTERS

9.1. FEES9.1.1. CertificateIssuanceorRenewalFees

DigiCertchargesfeesforcertificateissuanceandrenewal.DigiCertmaychangeitsfeesinaccordancewiththeapplicablecustomeragreement.

27

9.1.2. CertificateAccessFeesDigiCertmaychargeareasonablefeeforaccesstoitscertificatedatabases.

9.1.3. RevocationorStatusInformationAccessFeesDigiCertdoesnotchargeacertificaterevocationfeeorafeeforcheckingthevaliditystatusofanissuedcertificateusingaCRL.DigiCertmaychargeafeeforprovidingcertificatestatusinformationviaOCSP.

9.1.4. FeesforOtherServicesNostipulation.

9.1.5. RefundPolicyAssetforthintherelevantcustomeragreement.

9.2. FINANCIALRESPONSIBILITY

9.2.1. InsuranceCoverageDigiCertmaintainsCommercialGeneralLiabilityinsurancewithapolicylimitofatleast$2millionincoverageandProfessionalLiability/Errors&Omissionsinsurancewithapolicylimitofatleast$5millionincoverage.InsuranceiscarriedthroughcompaniesratednolessthanA‐astoPolicyHolder’sRatinginthecurrenteditionofBest’sInsuranceGuide(orwithanassociationofcompanies,eachofthemembersofwhicharesorated).

9.2.2. OtherAssetsNostipulation.

9.2.3. InsuranceorWarrantyCoverageforEnd‐EntitiesNostipulation.

9.3. CONFIDENTIALITYOFBUSINESSINFORMATION

9.3.1. ScopeofConfidentialInformationThefollowinginformationisconsideredconfidentialandprotectedagainstdisclosureusingareasonabledegreeofcare:

PrivateKeys;

ActivationdatausedtoaccessPrivateKeysortogainaccesstotheCAsystem;

Businesscontinuity,incidentresponse,contingency,anddisasterrecoveryplans;

Othersecuritypracticesusedtoprotecttheconfidentiality,integrity,oravailabilityofinformation;

InformationheldbyDigiCertasprivateinformationinaccordancewithSection9.4;

Auditlogsandarchiverecords;and

Transactionrecords,financialauditrecords,andaudittrailrecordsandanyauditreports(withtheexceptionofanauditor’sletterconfirmingtheeffectivenessofthecontrolssetforthinthisCPS).

9.3.2. InformationNotWithintheScopeofConfidentialInformationAnyinformationnotlistedasconfidentialisconsideredpublicinformation.Publishedcertificateandrevocationdataisconsideredpublicinformation.

28

9.3.3. ResponsibilitytoProtectConfidentialInformationDigiCert’semployees,agents,andcontractorsareresponsibleforprotectingconfidentialinformationandarecontractuallyobligatedtodoso.Employeesreceivetrainingonhowtohandleconfidentialinformation.

9.4. PRIVACYOFPERSONALINFORMATION

9.4.1. PrivacyPlanDigiCertfollowstheprivacypolicypostedonitswebsitewhenhandlingpersonalinformation.Personalinformationisonlydisclosedwhenthedisclosureisrequiredbylaworwhenrequestedbythesubjectofthepersonalinformation.

9.4.2. InformationTreatedasPrivateDigiCerttreatsallpersonalinformationaboutanindividualthatisnotpubliclyavailableinthecontentsofacertificateorCRLasprivateinformation.DigiCertprotectsprivateinformationusingappropriatesafeguardsandareasonabledegreeofcare.

9.4.3. InformationNotDeemedPrivatePrivateinformationdoesnotincludecertificates,CRLs,ortheircontents.

9.4.4. ResponsibilitytoProtectPrivateInformationDigiCertemployeesandcontractorsareexpectedtohandlepersonalinformationinstrictconfidenceandmeettherequirementsofUSandEuropeanlawconcerningtheprotectionofpersonaldata.Allsensitiveinformationissecurelystoredandprotectedagainstaccidentaldisclosure.

9.4.5. NoticeandConsenttoUsePrivateInformationPersonalinformationobtainedfromanapplicantduringtheapplicationoridentityverificationprocessisconsideredprivateinformationiftheinformationisnotincludedinacertificate.DigiCertwillonlyuseprivateinformationafterobtainingthesubject'sconsentorasrequiredbyapplicablelaworregulation.AllSubscribersmustconsenttotheglobaltransferandpublicationofanypersonaldatacontainedinacertificate.

9.4.6. DisclosurePursuanttoJudicialorAdministrativeProcessDigiCertmaydiscloseprivateinformation,withoutnotice,ifDigiCertbelievesthedisclosureisrequiredbylaworregulation.

9.4.7. OtherInformationDisclosureCircumstancesNostipulation.

9.5. INTELLECTUALPROPERTYRIGHTSDigiCertand/oritsbusinesspartnersowntheintellectualpropertyrightsinDigiCert’sservices,includingthecertificates,trademarksusedinprovidingtheservices,andthisCPS.“DigiCert”isaregisteredtrademarkofDigiCert,Inc.

CertificateandrevocationinformationarethepropertyofDigiCert.DigiCertgrantspermissiontoreproduceanddistributecertificatesonanon‐exclusiveandroyalty‐freebasis,providedthattheyarereproducedanddistributedinfull.DigiCertdoesnotallowderivativeworksofitscertificatesorproductswithoutpriorwrittenpermission.PrivateandPublicKeysremainthepropertyoftheSubscriberswhorightfullyholdthem.Allsecretshares(distributedelements)oftheDigiCertPrivateKeysarethepropertyofDigiCert.

9.6. REPRESENTATIONSANDWARRANTIES

9.6.1. CARepresentationsandWarrantiesExceptasexpresslystatedinthisCPSorinaseparateagreementwithaSubscriber,DigiCertdoesnotmake

29

anyrepresentationsregardingitsproductsorservices.DigiCertrepresents,totheextentspecifiedinthisCPS,that:

DigiCertcomplies,inallmaterialaspects,withthisCPSandallapplicablelawsandregulations,and

DigiCertpublishesandupdatesCRLsandOCSPresponsesonaregularbasis,

DigiCert:

Doesnotwarranttheaccuracy,authenticity,completeness,orfitnessofanyunverifiedinformation,

IsnotresponsibleforinformationcontainedinacertificateexceptasstatedinthisCPS,

Doesnotwarrantthequality,function,orperformanceofanysoftwareorhardwaredevice,and

IsnotresponsibleforfailingtocomplywiththisCPSbecauseofcircumstancesoutsideofDigiCert’scontrol.

9.6.2. RARepresentationsandWarrantiesRAsrepresentthat:

1. TheRA’scertificateissuanceandmanagementservicesconformtothisCPS,

2. InformationprovidedbytheRAdoesnotcontainanyfalseormisleadinginformation,

3. TranslationsperformedbytheRAareanaccuratetranslationoftheoriginalinformation,and

4. AllcertificatesrequestedbytheRAmeettherequirementsofthisCPS.

DigiCert’sagreementwiththeRAmaycontainadditionalrepresentations.

9.6.3. SubscriberRepresentationsandWarrantiesSubscribersaresolelyresponsibleforanymisrepresentationstheymaketothirdpartiesandforalltransactionsthatusetheSubscriber’sPrivateKey,regardlessofwhethersuchusewasauthorized.SubscribersarerequiredtonotifyDigiCertandanyapplicableRAifachangeoccursthatcouldaffectthestatusofthecertificate.SubscribersrepresenttoDigiCert,ApplicationSoftwareVendors,andRelyingPartiesthat,foreachcertificate,theSubscriberwill:

1. SecurelygenerateitsPrivateKeysandprotectitsPrivateKeysfromcompromise,

2. ProvideaccurateandcompleteinformationwhencommunicatingwithDigiCert,

3. Confirmtheaccuracyofthecertificatedatapriortousingthecertificate,

4. PromptlyceaseusingacertificateandnotifyDigiCertif(i)anyinformationthatwassubmittedtoDigiCertorisincludedinacertificatechangesorbecomesmisleadingor(ii)thereisanyactualorsuspectedmisuseorcompromiseofthePrivateKeyassociatedwiththecertificate,

5. Ensurethatindividualsusingcertificatesonbehalfofanorganizationhavereceivedsecuritytrainingappropriatetothecertificate,

6. Usethecertificateonlyforauthorizedandlegalpurposes,consistentwiththecertificatepurpose,thisCPS,anyapplicableCP,andtherelevantSubscriberAgreement,includingonlyinstallingSSLcertificatesonserversaccessibleatthedomainlistedinthecertificateandnotusingcodesigningcertificatestosignmaliciouscodeoranycodethatisdownloadedwithoutauser’sconsent,and

30

7. PromptlyceaseusingthecertificateandrelatedPrivateKeyafterthecertificate’sexpiration.

9.6.4. RelyingPartyRepresentationsandWarrantiesEachRelyingPartyrepresentsthat,priortorelyingonaDigiCertcertificate,it:

1. ObtainedsufficientknowledgeontheuseofdigitalcertificatesandPKI,

2. StudiedtheapplicablelimitationsontheusageofcertificatesandagreestoDigiCert’slimitationsonliabilityrelatedtotheuseofcertificates,

3. Hasread,understands,andagreestotheDigiCertRelyingPartyAgreementandthisCPS,

4. VerifiedboththeDigiCertcertificateandthecertificatesinthecertificatechainusingtherelevantCRLorOCSP,

5. WillnotuseaDigiCertcertificateifthecertificatehasexpiredorbeenrevoked,and

6. Willtakeallreasonablestepstominimizetheriskassociatedwithrelyingonadigitalsignature,includingonlyrelyingonaDigiCertcertificateafterconsidering:

a) applicablelawandthelegalrequirementsforidentificationofaparty,protectionoftheconfidentialityorprivacyofinformation,andenforceabilityofthetransaction;

b) theintendeduseofthecertificateaslistedinthecertificateorthisCPS,

c) thedatalistedinthecertificate,

d) theeconomicvalueofthetransactionorcommunication,

e) thepotentiallossordamagethatwouldbecausedbyanerroneousidentificationoralossofconfidentialityorprivacyofinformationintheapplication,transaction,orcommunication,

f) theRelyingParty’spreviouscourseofdealingwiththeSubscriber,

g) theRelyingParty’sunderstandingoftrade,includingexperiencewithcomputer‐basedmethodsoftrade,and

h) anyotherindiciaofreliabilityorunreliabilitypertainingtotheSubscriberand/ortheapplication,communication,ortransaction.

Anyunauthorizedrelianceonacertificateisataparty’sownrisk.

9.6.5. RepresentationsandWarrantiesofOtherParticipantsNostipulation.

9.7. DISCLAIMERSOFWARRANTIESEXCEPTASEXPRESSLYSTATEDINSECTION9.6.1,ALLCERTIFICATESANDANYRELATEDSOFTWAREANDSERVICESAREPROVIDED"ASIS"AND"ASAVAILABLE”.TOTHEMAXIMUMEXTENTPERMITTEDBYLAW,DIGICERTDISCLAIMSALLEXPRESSANDIMPLIEDWARRANTIES,INCLUDINGALLWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ANDNON‐INFRINGEMENT.DIGICERTDOESNOTWARRANTTHATANYSERVICEORPRODUCTWILLMEETANYEXPECTATIONSORTHATACCESSTOCERTIFICIATESWILLBETIMELYORERROR‐FREE.DigiCertdoesnotguaranteetheavailabilityofanyproductsorservicesandmaymodifyordiscontinueanyproductorserviceofferingatanytime.AfiduciarydutyisnotcreatedsimplybecauseanentityusesDigiCert’sservices.

31

9.8. LIMITATIONSOFLIABILITYNOTHINGHEREINLIMITSLIABILTYRELATEDTO(I)DEATHORPERSONALINJURYRESULTINGFROMDIGICERT’SNEGLIGENCEOR(II)FRAUDCOMMITTEDBYDIGICERT.EXCEPTASSTATEDABOVE,ANYENTITYUSINGADIGICERTCERTIFICATEORSERVICEWAIVESALLLIABILITYOFDIGICERTRELATEDTOSUCHUSE,PROVIDEDTHATDIGICERTHASMATERIALLYCOMPLIEDWITHTHISCPSINPROVIDINGTHECERTIFICATEORSERVICE.DIGICERT’SLIABILITYFORCERTIFICATESANDSERVICESTHATDONOTMATERIALLYCOMPLYWITHTHISCPSISLIMITEDASFOLLOWS:

1. NOLIABILITYIFTHEDAMAGEORLOSSRELATESTOACERTIFICATEOTHERTHANASSLCERTIFICATEORCODESIGNINGCERTIFICATE,

2. AMAXIMUMLIABILITYOF$1,000PERTRANSACTIONFORSSLCERTIFICATES,

3. ANAGGREGATEMAXIMUMLIABILITYOF$10,000FORALLCLAIMSRELATEDTOASINGLECERTIFICATEORSERVICE,

4. ANDANAGGREGATEMAXIMUMLIABILITYOF$1MILLIONFORALLCLAIMS,REGARDLESSOFTHENUMBERORSOURCEOFTHECLAIMS.

DIGICERTAPPORTIONSPAYMENTSRELATEDTOANAGGREGATEMAXIMUMLIMITATIONONLIABILITYUNDERTHISSECTIONTOTHEFIRSTCLAIMSTHATACHIEVEFINALRESOLUTION.

Allliabilityislimitedtoactualandlegallyprovabledamages.DigiCertisnotliablefor:

1. Anyindirect,consequential,special,orpunitivedamagesoranylossofprofit,revenue,data,oropportunity,evenifDigiCertisawareofthepossibilityofsuchdamages;

2. LiabilityrelatedtofraudorwillfulmisconductoftheApplicant;

3. Liabilityrelatedtouseofacertificatethatexceedsthelimitationsonuse,value,ortransactionsasstatedeitherinthecertificateorthisCPS;

4. Liabilityrelatedtothesecurity,usability,orintegrityofproductsnotsuppliedbyDigiCert,includingtheSubscriber’sandRelyingParty’shardware;or

5. LiabilityrelatedtothecompromiseofaSubscriber’sPrivateKey.

Thelimitationsinthissectionapplytothemaximumextentpermittedbylawandapplyregardlessof(i)thereasonforornatureoftheliability,includingtortclaims,(ii)thenumberofclaimsofliability,(iii)theextentornatureofthedamages,(iv)whetherDigiCertfailedtofollowanyprovisionofthisCPS,or(v)whetheranyprovisionofthisCPSwasprovenineffective.

ThedisclaimersandlimitationsonliabilitiesinthisCPSarefundamentaltermstotheuseofDigiCert’scertificatesandservices.

9.9. INDEMNITIES9.9.1. IndemnificationbyDigiCert

Assetforthintherelevantcustomeragreement.

9.9.2. IndemnificationbySubscribersTotheextentpermittedbylaw,eachSubscribershallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedto(i)anymisrepresentationoromissionofmaterialfactbySubscriber,regardlessofwhetherthemisrepresentationoromissionwasintentionalorunintentional;

(ii)Subscriber’sbreachoftheSubscriberAgreement,thisCPS,orapplicablelaw;(iii)thecompromiseor

32

unauthorizeduseofacertificateorPrivateKeycausedbytheSubscriber’snegligenceorintentionalacts;or

(iv)Subscriber’smisuseofthecertificateorPrivateKey.

9.9.3. IndemnificationbyRelyingPartiesTotheextentpermittedbylaw,eachRelyingPartyshallindemnifyDigiCert,itspartners,andanycross‐signedentities,andtheirrespectivedirectors,officers,employees,agents,andcontractorsagainstanyloss,damage,orexpense,includingreasonableattorney’sfees,relatedtotheRelyingParty’s(i)breachoftheRelyingPartyAgreement,anEnd‐UserLicenseAgreement,thisCPS,orapplicablelaw;(ii)unreasonablerelianceonacertificate;or(iii)failuretocheckthecertificate’sstatuspriortouse.

9.10. TERMANDTERMINATION9.10.1. Term

ThisCPSandanyamendmentstotheCPSareeffectivewhenadoptedbytheDCPAandremainineffectuntilreplacedwithanewerversion.

9.10.2. TerminationThisCPSandanyamendmentsremainineffectuntilreplacedbyanewerversion.

9.10.3. EffectofTerminationandSurvivalDigiCertwillcommunicatetheconditionsandeffectofthisCPS’sterminationviaemailortheDigiCertrepository.Thecommunicationwillspecifywhichprovisionssurvivetermination.Ataminimum,allresponsibilitiesrelatedtoprotectingconfidentialinformationwillsurvivetermination.Allagreementsremaineffectiveuntilthecertificateisrevokedorexpired,evenifthisCPSterminates.

9.11. INDIVIDUALNOTICESANDCOMMUNICATIONSWITHPARTICIPANTSDigiCertacceptsnoticesrelatedtothisCPSatthelocationsspecifiedinSection2.2.NoticesaredeemedeffectiveafterthesenderreceivesavalidanddigitallysignedacknowledgmentofreceiptfromDigiCert.Ifanacknowledgementofreceiptisnotreceivedwithinfivedays,thesendermustresendthenoticeinpaperformtothestreetaddressspecifiedinSection2.2usingeitheracourierservicethatconfirmsdeliveryorviacertifiedorregisteredmailwithpostageprepaidandreturnreceiptrequested.DigiCertmayallowotherformsofnoticeintherelevantcustomeragreement.

9.12. AMENDMENTS

9.12.1. ProcedureforAmendmentThisCPSisperiodicallyreviewedandupdatedbytheDCPA.ControlsareinplacetoreasonablyensurethatthisCPSisnotamendedandpublishedwithoutthepriorauthorizationoftheDCPA.

9.12.2. NotificationMechanismandPeriodDigiCertdoesnotguaranteeorsetanotice‐and‐commentperiodandmaymakechangestothisCPSwithoutnoticeandwithoutchangingtheversionnumber.Majorchangesaffectingaccreditedcertificatesareannouncedandapprovedbytheaccreditingagencypriortobecomingeffective.TheDCPAisresponsiblefordeterminingwhatconstitutesamaterialchangeoftheCPS.

9.12.3. CircumstancesunderwhichOIDMustBeChangedTheDCPAissolelyresponsiblefordeterminingwhetheranamendmenttotheCPSrequiresanOIDchange.

9.13. DISPUTERESOLUTIONPROVISIONSPartiesarerequiredtonotifyDigiCertandattempttoresolvedisputesdirectlywithDigiCertbeforeresortingtoanydisputeresolutionmechanism,includingadjudicationoranytypeofalternativedisputeresolution.

9.14. GOVERNINGLAWThelawsofthestateofUtahgoverntheinterpretation,construction,andenforcementofthisCPSandall

33

proceedingsrelatedtoDigiCert’sproductsandservices,includingtortclaims,withoutregardtoanyconflictsoflawprinciples.ThestateofUtahhasnon‐exclusivevenueandjurisdictionoveranyproceedingsrelatedtotheCPSoranyDigiCertproductorservice.

9.15. COMPLIANCEWITHAPPLICABLELAWThisCPSissubjecttoallapplicablelawsandregulations,includingUnitedStatesrestrictionsontheexportofsoftwareandcryptographyproducts.

9.16. MISCELLANEOUSPROVISIONS9.16.1. EntireAgreement

DigiCertcontractuallyobligatesanyentityoperatingunderthisCPStocomplywiththisCPSandapplicableindustryguidelines.DigiCertalsorequireseachpartyusingitsproductsandservicestoenterintoanagreementthatdelineatesthetermsassociatedwiththeproductorservice.IfanagreementhasprovisionsthatdifferfromthisCPS,thentheagreementwiththatpartycontrols,butsolelywithrespecttothatparty.Thirdpartiesmaynotrelyonorbringactiontoenforcesuchagreement.

9.16.2. AssignmentAnyentitiesoperatingunderthisCPSmaynotassigntheirrightsorobligationswithoutthepriorwrittenconsentofDigiCert.Unlessspecifiedotherwiseinacontractwithaparty,DigiCertdoesnotprovidenoticeofassignment.

9.16.3. SeverabilityIfanyprovisionofthisCPSisheldinvalidorunenforceablebyacompetentcourtortribunal,theremainderoftheCPSwillremainvalidandenforceable.EachprovisionofthisCPSthatprovidesforalimitationofliability,disclaimerofawarranty,oranexclusionofdamagesisseverableandindependentofanyotherprovision.

9.16.4. Enforcement(attorneys'feesandwaiverofrights)DigiCertmayseekindemnificationandattorneys'feesfromapartyfordamages,losses,andexpensesrelatedtothatparty'sconduct.DigiCert’sfailuretoenforceaprovisionofthisCPSdoesnotwaiveDigiCert’srighttoenforcethesameprovisionlaterorrighttoenforceanyotherprovisionofthisCPS.Tobeeffective,waiversmustbeinwritingandsignedbyDigiCert.

9.16.5. ForceMajeureDigiCertisnotliableforanydelayorfailuretoperformanobligationunderthisCPStotheextentthatthedelayorfailureiscausedbyanoccurrencebeyondDigiCert’sreasonablecontrol.TheoperationoftheInternetisbeyondDigiCert’sreasonablecontrol.

9.17. OTHERPROVISIONSNostipulation.

Date post:	16-Oct-2020
Category:	Documents
Upload:	others
View:	3 times
Download:	0 times

DigiCert Private PKI CPS v1...Jun 13, 2018 · DigiCert Certification Practices Statement for...

Documents