SUMMARY OF UPDATES - CPS v 4.0 (Amendment from CPS v.3.2)
Main Clause
Sub Clause
CPS v3.2
CPS v4.0
Reason
Important Notice
N/A
This CPS shall not be reproduced, whether in full or in
part, in any form whatsoever or be stored in any
reproducible form whether electronic or otherwise without
the prior consent of DIGICERT. This consent must be
obtained by contacting:
Digicert grants permission to reproduce the DIGICERT
CPS provided that (i) the copyright notice on the first
page of this CPS is retained on any copies of the
DIGICERT CPS, and (ii) the DIGICERT CPS is
reproduced fully and accurately. DIGICERT retains all
rights, title, and interest (including all intellectual
property rights), in, to and under the DIGICERT CPS.
CPS is a public
document which is
accessible via
Digicert’s website.
This CPS can be obtained:
in electronic form via DIGICERT’s website
http://www.digicert.com.my under the Repository
Section.
Change of URL
location in Digicert’s
website.
DIGICERT Sdn Bhd (457608-K)
No. 3-20 & 3-22, Jalan Jalil Perkasa 14, Aked Esplanad,
Bukit Jalil 57000 Kuala Lumpur, Malaysia
Tel: +603 8992 8800
Fax: +603 8992 8810
Email:
[email protected]
Clause 1.0 Preface
Clause 1.4
Publication and
Notification
This CPS can be obtained:
in electronic form via DIGICERT’s Internet servers at
http://www.digicert.com.my
To maintain integrity of this document, the web-based
version of the CPS must be viewed using SSL-enabled
browsers, e.g. Netscape Navigator 4.05 and above, or
Microsoft Internet Explorer 4.73 and above.
in electronic form via email from [email protected]
To maintain integrity of this document, the web-based
version of the CPS must be viewed using SSL-enabled
browsers, e.g. Mozilla Firefox version 3.0 and above, or
Microsoft Internet Explorer 7 and above.
in electronic form via email from [email protected]
Clause 1.0 Preface
Clause 1.5
Amendment of CPS
DIGICERT reserves the right to amend this CPS at any
time (prospectively and not retroactively). Amendments to
the CPS will be made available either as an amended
version of the CPS or retrospectively can be posted in the
Notices section of DIGICERT’s web site at the following
URL http://www.digicert.com.my/CPS/updates.
DIGICERT reserves the right to amend this CPS at any
time (prospectively and not retroactively). Amendments
to the CPS will be made available either as an amended
version of the CPS or retrospectively can be posted in
the Notices section of DIGICERT’s web site at the
following URL http://www.digicert.com.my under the
Repository Section.
Change of URL
location in Digicert’s
website.
Clause 1.6 CPS
Approval Procedures
This CPS and any subsequent changes are approved by
the Director of DIGICERT.
This CPS and any subsequent changes are approved by
the top management of DIGICERT.
CPS has been
reclassified as a
procedure/guideline
instead of policy, so
the approval is at
Digicert level only.
Clause 2.0
DIGICERT
Certification
Infrastructure
Clause 2.1 Trust
Infrastructure
Clause 2.0
DIGICERT
Certification
Infrastructure
Clause 2.1 Trust
Infrastructure
Clause 2.0
DIGICERT
Certification
Infrastructure
Clause 2.1 Trust
Infrastructure
To reflect the actual
scenario / category.
Figure 1
Updated info.
Figure 2
DIGICERT acts as the main naming authority in the PKI
structure. The naming convention for all subjects of
certificates registered through RAs will be determined by
DIGICERT. The naming convention for Enterprise CA will
be determined by DIGICERT on request from the
respective Enterprise CA.
DIGICERT acts as the main naming authority in the PKI
structure. The naming convention for all subjects of
certificates registered through RAs will be determined by
DIGICERT. The naming convention for Sub CA will be
determined by DIGICERT on request from the
respective Sub CA.
Updated Info
Clause 2.0
DIGICERT
Certification
Infrastructure
Clause 2.1 Trust
Infrastructure
Enterprise CA
Sub CA
In a distributed PKI model, organisations may wish to
become the issuer of end-entity certificates. An
Enterprise CA shall be the party who accepts
applications, verifies, issues and revoke end-entity client
certificates, subject to the agreement between Digicert
and the party being the Enterprise CA.
A Sub CA shall be the party who accepts applications,
verifies, and revoke end-entity client certificates, subject
to the agreement between Digicert and the party being
the Sub CA.
Updated Info
Sub CA has the authority to act as its own RA.
Enterprise CA has the authority to act as its own RA.
Clause 2.0
DIGICERT
Certification
Infrastructure
Clause 2.0
DIGICERT
Certification
Infrastructure
2.2.2 Class 2
Certificates
(Individuals)
2.3 Certificate Profile
Assurance: The subscriber is not a falsely created person
insofar as the records of the subscriber’s identity are
maintained by reliable and independent third parties. RAs
and enterprise CA provide that the subscriber is as
portrayed by the information provided by government
agencies (i.e. National Registration Department,
Immigration Department etc).
Assurance: The subscriber is not a falsely created
person insofar as the records of the subscriber’s identity
are maintained by reliable and independent third parties.
RAs and Sub CA provide that the subscriber is as
portrayed by the information provided by government
agencies (i.e. National Registration Department,
Immigration Department etc).
Validation: The reliability of the information is determined
at the sole discretion of the CA, RAs or Enterprise CA or
database owner.
Validation: The reliability of the information is
determined at the sole discretion of the CA, RAs or Sub
CA or database owner.
Certificate serial number : 12345678
Certificate serial number : Unique Value per Issued
Certificate
Updated Info
Updated Info
Clause 2.0
DIGICERT
Certification
Infrastructure
2.3.2 Certificate
Extensions
The ‘Value’ field holds any necessary data that is
appended to the certificate.
As described previously, the IETF RFC 5280 X.509
defines a number of extensions. These extensions can be
categorised into the following four groups:
Key Information Extensions
These extensions define the usage of a public key pair
and certificate.
Policy Information Extensions
These extensions define a means for the CA to specify
the method of interpretation and the use of the certificate.
There are 2 extensions in this group:
•Certificate policy extension (see CPS Part 2.3.6).
•Policy mapping extension serves a similar purpose to the
certificate policies extension. However, it applies only to
cross certificates. This field allows an application to
search and establish a set of consistent policies across
multiple CAs.
User and CA Attribute Extensions
These extensions provide a means of specifying
additional information regarding the subscriber and the
CA that issued the certificate.
Certification Path Extensions
These extensions are used in cross-certified
environments e.g. where two CAs cross-certify each
other. They allow CAs to limit third-party trust in such an
environment. This group can be subdivided into:
•Basic constraint extension specifies whether the subject
of the certificate shall act as a subscriber only or as both
a subscriber and a CA.
•Name constraints extension
•Policy constraints extension
A number of X.509 version 3 certificate extensions are
included in certificates issued by DIGICERT. These are
outlined in CPS Part 2.3.2.1. The X.509 version 3
certificate extensions, which are never present in
certificates issued by DIGICERT, are outlined in CPS Part
2.3.2.2.
Deleted
This part is not
required to be
inserted in the CPS
as per the Webtrust
Trust Principle.
Clause 2.0
DIGICERT
Certification
Infrastructure
2.3.2.1 Supported
Extensions
The following certificate extensions are used in
DIGICERT PKI:
Extension
Criticality Optional Notes
AuthorityKeyIdentifier
No
No
•
contains a 20 byte hash of the
subjectPublicKeyinfo in the CA certificate
•
only element [0] AuthorityKeyIdentifier is filled.
SubjectKeyIdentifier Yes
No
•contains a 20
byte hash of the subjectPublicKeyInfo in the CA certificate
KeyUsage
Yes
No
•elements [5]
keyCertSign and [6] cRLSign are set for CA certificate
PrivateKeyUsagePeriod
No
No
•notafter is always used
•notbefore is always used
SubjectAltName
No
Yes
•GeneralName
– choices [0], [3] and [5] are not implemented.
BasicConstraints
Yes
No
•only the CA
Boolean is used
CertificatePolicies Yes
No
•only
policyIdentifier element is supported with up to 10 OlDs
•policyQualifiers contains URL indicating the location of
DIGICERT CPS
CRLDistributionPoints
No
No
•only
1 distribution point name is included in each certificate
•only element [0] (distribution point) is used and
includes the full DN
Deleted
This part is not
required to be
inserted in the CPS
as per the Webtrust
Trust Principle.
Clause 2.0
DIGICERT
Certification
Infrastructure
2.3.2.2 Unsupported
Extensions
The following X.509 version 3 certificate extensions are
optionally used whenever applicable in this PKI:
Deleted
This part is not
required to be
inserted in the CPS
as per the Webtrust
Trust Principle.






extended key usage;
policy mappings;
name constraints;
policy constraints;
issuer alternative name; and
subject directory attributes.
Clause 2.0
DIGICERT
Certification
Infrastructure
2.3.3 Algorithm Object
Identifiers
RSA-with-MD5
Clause 2.3
Certificate Profile
2.3.5 Processing
Semantics for the
Critical Certificate
Object Identifier
Extension
3.0 DIGICERT
Operational
Requirements
1 2 840 113549 1 1 4
Deleted
Updated Info
Processing Semantics for the Critical Certificate Policy
Extension
Processing Semantics for the Critical Certificate Object
Identifier Extension
CPS has been
reclassified as a
procedure/guideline
instead of policy, so
the approval is at
Digicert level only.
3.1.1 Key Generation
and Protection
Class 2 (Enterprise CA)
generates key pair
Class 2 (Sub CA)
Updated Info
3.0 DIGICERT
Operational
Requirements
3.1.2 Certificate
Application
Class 2 (Digisign ID Basic/Enhanced)
Class 2 (Digisign ID Basic/Enhanced)
For Enterprise CA, requests shall have to come from the
organisation assuming the role of Enterprise CA itself,
subject to prior arrangement between DIGICERT and the
Enterprise CA.
For Sub CA, requests shall have to come from the
organisation assuming the role of Sub CA itself, subject
to prior arrangement between DIGICERT and the Sub
CA.
3.0 DIGICERT
Operational
Requirements
3.1.2 Certificate
Application
The RP of DIGICERT or its RA or the appointed
Authorised Personnel of an Enterprise CA is principally
responsible for ensuring that the required information is
obtained from the subscriber prior to approving the
application for a certificate.
The RP of DIGICERT or its RA or the appointed
Authorised Personnel of aSub CA is principally
responsible for ensuring that the required information is
obtained from the subscriber prior to approving the
application for a certificate.
Updated Info
3.0 DIGICERT
Operational
Requirements
3.1.2 Certificate
Application
Class 2 (Enterprise CA)
Class 2 (Sub CA)
Updated Info
Similar to Individual Class 2 certificates mentioned above.
Any changes in the requirements shall be reflected in the
agreement between Digicert and Enterprise CA.
Similar to Individual Class 2 certificates mentioned
above. Any changes in the requirements shall be
reflected in the agreement between Digicert and Sub
CA.
CA or Enterprise CA
CA or Sub CA generates key pair
Updated Info
3.0 DIGICERT
Operational
Requirements
3.1.3 Validation of
Certificate
Applications
The word “Floppy Disk”
Replaced with “USB token and other applicable media”
Change in technology
3.0 DIGICERT
Operational
Requirements
3.2.1 Certificate
Acceptance
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
3.2.3 Time of
Certificate Issuance
3.0 DIGICERT
Operational
Requirements
3.4 Certificate
Revocation and
Suspension
Suspension or Revocation of certificates can occur due to
the reasons specified in CPS Part 3.4.1 and CPS Part
3.4.2.
Suspension or Revocation of certificates can occur due
to the reasons specified in CPS Part 3.4.1 and CPS Part
3.4.2.
In the event that DIGICERT believes or has reason to
believe, due to reliable evidence or while acting in good
faith, that a certificate should be suspended or revoked,
DIGICERT will take all necessary to do so even if this is
without the consent of the subscriber. In most instances,
the suspension or revocation occurs when there is a
security breach of the private key or the certificate will
materially affect the truth of the information reflected in
the certificate and thus possibly mislead a person relying
on that information.
In the event that DIGICERT believes or has reason to
believe, due to reliable evidence or while acting in good
faith, that a certificate should be revoked, DIGICERT will
take all necessary to do so even if this is without the
consent of the subscriber. In most instances, the
revocation occurs when there is a security breach of the
private key or the certificate will materially affect the
truth of the information reflected in the certificate and
thus possibly mislead a person relying on that
information.
In the event that the subscriber requested for a revocation
or suspension, DIGICERT will take all necessary
precautions to verify the identity of the subscriber.
Suspension and Revocation will not proceed without the
verification that the purported party is indeed the
subscriber.
In the event that the subscriber requested for a
revocation, DIGICERT will take all necessary
precautions to verify the identity of the subscriber.
Revocation will not proceed without the verification that
the purported party is indeed the subscriber.
Upon revocation of the certificate, DIGICERT shall within
24 hours indicate that it is revoked by updating the CRL.
The CRL will be published in at least one recognised
Repository at an interval specified in CPS Part 3.4.3.
Subscribers with revoked certificates are allowed to
reapply for a new certificate at the discretion of
DIGICERT. Under no circumstances can the revoked
certificate be reinstated to its original state after
revocation.
Updated Info
Upon revocation of the certificate, DIGICERT shall
within 24 hours indicate that it is revoked by updating
the CRL. The CRL will be published in at least one
recognised Repository at an interval specified in CPS
Part 3.4.3. Subscribers with revoked certificates are
allowed to reapply for a new certificate at the discretion
of DIGICERT. Under no circumstances can the revoked
certificate be reinstated to its original state after
revocation.
DIGICERT does not offer suspension services of
certificates.
3.0 DIGICERT
Operational
Requirements
3.4.2 Revocation by
Subscriber
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
3.0 DIGICERT
Operational
Requirements
(new addition)
(new addition)
3.4.5 Circumstances for Suspension
DIGICERT does not suspend certificates.
3.4.6 Who Can Request Suspension
DIGICERT does not suspend certificates.
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle.
3.4.7 Procedure for Suspension Request
DIGICERT does not suspend certificates.
3.4.8 Limits on Suspension Period
DIGICERT does not suspend certificates.
3.0 DIGICERT
Operational
Requirements
3.5.1 Notice of
Expiration
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
3.0 DIGICERT
Operational
Requirements
3.5.3 Renewal /
Rekey of Certificate
Header: Renewal of Certificate
Header: Renewal / Rekey of Certificate
3.5.3 Renewal of Certificate
3.5.3 Renewal / Rekey of Certificate
The certificate renewal process is similar to an application
for a new certificate unless agreed upon the relying
parties between the Certification Authority and the
Enterprise CA subscriber. However, for all classes of
certificates with the exception of Class 1, the subscriber
only needs to provide information that has changed since
the expiration date of the certificate. Class 1 certificates
can only be renewed by re-applying for a new certificate
using the same procedure as described in CPS Part 3.1.
The certificate renewal process is similar to an
application for a new certificate unless agreed upon the
relying parties between the Certification Authority and
the Sub CA subscriber. The certificate renewal is also
technically defined as “rekey” and often used
interchangeably. However, for all classes of certificates
with the exception of Class 1, the subscriber only needs
to provide information that has changed since the
expiration date of the certificate. Class 1 certificates can
only be renewed by re-applying for a new certificate
using the same procedure as described in CPS Part 3.1.
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle.
3.0 DIGICERT
Operational
Requirements
3.8 Compromise and
Disaster Recovery
DIGICERT has a comprehensive disaster recovery plan
to enable complete recovery of all CA systems in the
event of a disaster.
3.8.1 Compromise CA Key
If a CA s private key is compromised or suspected to be
compromised, the CA shall perform the following
procedures:
•
•
•
•
Inform regulator
inform subscribers, cross-certifying CAs and
relying parties
terminate the certificates and CRLs
distribution service for certificates/CRLs
issued using the compromised private key
request the revocation of the CA's certificate
If a RA s private key is compromised or suspected to be
compromised, the RA SHALL inform the CA and request
the revocation of the RA's certificate
If subscriber’s private key is compromised or suspected
to be compromised, the entity SHALL inform the relying
parties and request the revocation of the entity's
certificate. Subscriber may request to have new key.
3.8.2 Disaster Recovery
DIGICERT has a comprehensive disaster recovery plan
to enable complete recovery of all CA systems in the
event of a disaster.
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle.
3.0 DIGICERT
Operational
Requirements
(new addition)
(new addition)
3.9 CA / RA Termination
In the event that DIGICERT ceases operation, the
Controller shall appoint another licensed certification
authority to take over the certificates issued by the
certification authority whose licence has been revoked
or surrendered or has expired and such certificates
shall, to the extent that they comply with the
requirements of the appointed licensed certification
authority, be deemed to have been issued by that
licensed certification authority.
DIGICERT shall develop a termination plan accordingly
to minimize disruption to Customers, Subscribers, and
Relying Parties.
Further information on RA termination is detailed out in
the RA Appointment Guideline which is available under
the Repository Section on DIGICERT’s website
www.digicert.com.my.
3.10 Key Changeover
DIGICERT’s key pairs will be retired from service at the
end of their respective lifetimes as defined in Section
4.4.1.10. New Certification Authority key pairs will be
created as required to support the continuation of
Digicert Certification Authority Services. Digicert will
continue to publish CRLs signed with the original key
pair until all certificates issued using that original key
pair have expired. The Certification Authority key
changeover process will be performed such that it
causes minimal disruption to Subscribers and Relying
Parties.
3.11 Certificate Modification
Certificate modification refers to the application for the
issuance of a new certificate due to changes in the
information in an existing certificate (other than the
subscriber’s public key). Certificate modification is
considered a Certificate Application in terms of Section
3.1.
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle.
4.0 Security Controls
4.4.1.1 Key Pair
Generation
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
4.0 Security Controls
4.4.1.8 Key Usage
Purposes (as per
X.509 v3 key usage
field)
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
4.0 Security Controls
4.4.1.10 Usage
Periods for the Public
and Private Keys
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
4.0 Security Controls
(new addition)
(new addition)
4.8 Life Cycle Security Controls
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle.
4.8.1 System Development Controls
Applications are developed and implemented in line with
DIGICERT systems development and change
management standards. DIGICERT provides client
software to its Managed PKI for performing RA and
certain CA functions. Such software is developed in
accordance with DIGICERT system development
standards.
4.8.2 Security Management Controls
DIGICERT has mechanisms and/or policies in place to
control and monitor the configuration of its CA systems.
Upon installation and periodically thereafter, DIGICERT
validates the integrity of its CA systems.
4.8.3 Life Cycle Security Ratings
No stipulation.
4.0 Security Controls
(new addition)
(new addition)
4.9 Network Security Controls
DIGICERT performs all its CA and RA functions using
secured networks in compliance with Audit
Requirements Guide to prevent unauthorized access
and malicious activity. DIGICERT protects its
communications of sensitive information through the use
of encryption and digital signatures
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle.
4.10 Security Considerations
DIGICERT applies high level security standards to
ensure the trustworthiness of the CA system.
5.0 General
Provisions
5.1.1 CA Obligations
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
5.0 General
Provisions
5.1.3 Relying Party
Obligations
restrict reliance on the certificates issued by DIGICERT to
the appropriate usage for those certificates in accordance
with this CPS and with the certificate policy under which
the certificate was issued;
restrict reliance on the certificates issued by DIGICERT
to the appropriate usage for those certificates in
accordance with this CPS and with the certificate
procedure under which the certificate was issued;
CPS has been
reclassified as a
procedure/guideline
instead of policy, so
the approval is at
Digicert level only.
5.0 General
Provisions
5.2.1 CA Liability
The word “Enterprise CA“
Replaced with the word “Sub CA”
Updated Info
5.0 General
Provisions
5.14 Exceptions
With regards to certification issued to Jabatan Imigresen
Malaysia (JIM) under the Root CA of Malaysia Country
Signer and prescribed to ICAO 9303 document (Part 1
Vol 2), some exceptions are given as below:
Deleted
This part is not
required to be
inserted in the CPS
as per the Webtrust
Trust Principle.
5.14.1 Key length is at 3072 bits.
5.14.2 The Malaysia Country Signer key pairs are
generated as and when necessary through proper
documented procedures on Hardware Security Module
(HSM).
5.14.3 The requirement for the Document Signer
Certificates issuance is bound by the agreed procedure
between DIGICERT and Jabatan Imigresen Malaysia
(please see Appendices 6.3).
5.14.4 Algorithm used for subscriber (Document Signer
Certificate) is SHA256 with the corresponding identifier.
5.0 General
Provisions
5.8.1 Types of
Information to be Kept
Confidential
DIGICERT, other than that which is explicitly published as
part of a certificate, CRL, ARL, certificate policy or this
CPS is considered confidential and shall not be released
unless required by law (see CPS Part 5.8.4).
DIGICERT, other than that which is explicitly published
as part of a certificate, CRL, ARL, certificate Object
Identifier or this CPS is considered confidential and shall
not be released unless required by law (see CPS Part
5.8.4).
CPS has been
reclassified as a
procedure/guideline
instead of policy, so
the approval is at
Digicert level only.
5.0 General
Provisions
5.8.2 Types of
Information Not
Considered
Confidential
Information included in certificates, CRLs and issued by
DIGICERT and DIGICERT’s certificate policies are not
considered confidential.
Information included in certificates, CRLs and issued by
DIGICERT and DIGICERT’s certificate structure are not
considered confidential.
Information in this CPS itself is not considered
confidential. However DIGICERT policy requires that it
only be made available to subscribers of its certification
services, including those in cross certified CA domains.
Information in this CPS itself is not considered
confidential. However DIGICERT requires that it only be
made available to subscribers of its certification
services, including those in cross certified CA domains.
CPS has been
reclassified as a
procedure/guideline
instead of policy, so
the approval is at
Digicert level only.
6.0 Appendices
6.1 Glossary of Terms
(new addition)
Sub-CA: Sub-CAs are allowed to be created for
different organizations and agencies, for ease of
operations and management. However, Sub-CAs shall
be created purely in a technical context, to be part of the
DIGICERT’s technical infrastructure. The keys created
for Sub-CA shall be located only on DIGICERT’s
technical infrastructure. The certificate issuing authority
for the Sub-CA shall remain only with DIGICERT.
This part is required
to be inserted in the
CPS as per the
Webtrust Trust
Principle
6.0 Appendices
6.2 List of Certificates
for Enterprise CA
List of certificates for Enterprise CA
1.
Digisign iVest CA
2.
Digisign iVest CA Enhanced
3.
MyKad Online
4.
CIMB Investment Bank Bhd Enterprise CA
5.
Bumiputra Commerce Bank Bhd Enterprise CA
6.
Bank Negara Malaysia Sub CA
7.
Alliance Bank Sub CA
List of Certificates for Sub CA
1.
Digisign iVest CA
2.
Digisign iVest CA Enhanced
3.
CIMB Investment Bank Bhd Enterprise CA
4.
Bank Negara Malaysia Sub CA
Updated info
6.0 Appendices
6.3 Document Signer
Certificates Issuance Process Flow
Deleted
This part is not
required to be
inserted in the CPS
as per the Webtrust
Trust Principle