DigiCert Certification Practices Statement
DigiCert, Inc.
Version 4.07
October 7, 2014

2600 West Executive Parkway, Suite 500
Lehi, UT 84043 USA
Tel: 1-801-877-2100
Fax: 1-801-705-0481
www.digicert.com

TABLE OF CONTENTS

1. INTRODUCTION
  1.1. Overview
  1.2. Document name and Identification
  1.3. PKI Participants
    1.3.1. Certification Authorities
    1.3.2. Registration Authorities and Other Delegated Third Parties
    1.3.3. Subscribers
    1.3.4. Relying Parties
    1.3.5. Other Participants
  1.4. Certificate Usage
    1.4.1. Appropriate Certificate Uses
    1.4.2. Prohibited Certificate Uses
  1.5. Policy administration
    1.5.1. Organization Administering the Document
    1.5.2. Contact Person
    1.5.3. Person Determining CPS Suitability for the Policy
    1.5.4. CPS Approval Procedures
  1.6. Definitions and acronyms
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
  2.1. Repositories
  2.2. Publication of certification information
  2.3. Time or frequency of publication
  2.4. Access controls on repositories
3. IDENTIFICATION AND AUTHENTICATION
  3.1. Naming
    3.1.1. Types of Names
    3.1.2. Need for Names to be Meaningful
    3.1.3. Anonymity or Pseudonymity of Subscribers
    3.1.4. Rules for Interpreting Various Name Forms
    3.1.5. Uniqueness of Names
    3.1.6. Recognition, Authentication, and Role of Trademarks
  3.2. Initial identity validation
    3.2.1. Method to Prove Possession of Private Key
    3.2.2. Authentication of Organization Identity
    3.2.3. Authentication of Individual Identity
    3.2.4. Non-verified Subscriber Information
    3.2.5. Validation of Authority
  3.3. Identification and authentication for re-key requests
    3.3.1. Identification and Authentication for Routine Re-key
    3.3.2. Identification and Authentication for Re-key After Revocation
  3.4. Identification and authentication for revocation request
4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
  4.1. Certificate Application
    4.1.1. Who Can Submit a Certificate Application
    4.1.2. Enrollment Process and Responsibilities
  4.2. Certificate application processing
    4.2.1. Performing Identification and Authentication Functions
    4.2.2. Approval or Rejection of Certificate Applications
    4.2.3. Time to Process Certificate Applications
  4.3. Certificate issuance
    4.3.1. CA Actions during Certificate Issuance
    4.3.2. Notification to Subscriber by the CA of Issuance of Certificate
  4.4. Certificate acceptance
    4.4.1. Conduct Constituting Certificate Acceptance
    4.4.2. Publication of the Certificate by the CA
    4.4.3. Notification of Certificate Issuance by the CA to Other Entities
  4.5. Key pair and certificate usage
    4.5.1. Subscriber Private Key and Certificate Usage
    4.5.2. Relying Party Public Key and Certificate Usage
  4.6. Certificate renewal
    4.6.1. Circumstance for Certificate Renewal
    4.6.2. Who May Request Renewal
    4.6.3. Processing Certificate Renewal Requests
    4.6.4. Notification of New Certificate Issuance to Subscriber
    4.6.5. Conduct Constituting Acceptance of a Renewal Certificate
    4.6.6. Publication of the Renewal Certificate by the CA
    4.6.7. Notification of Certificate Issuance by the CA to Other Entities
  4.7. Certificate re-key
    4.7.1. Circumstance for Certificate Rekey
    4.7.2. Who May Request Certificate Rekey
    4.7.3. Processing Certificate Rekey Requests
    4.7.4. Notification of Certificate Rekey to Subscriber
    4.7.5. Conduct Constituting Acceptance of a Rekeyed Certificate
    4.7.6. Publication of the Issued Certificate by the CA
    4.7.7. Notification of Certificate Issuance by the CA to Other Entities
  4.8. Certificate modification
    4.8.1. Circumstances for Certificate Modification
    4.8.2. Who May Request Certificate Modification
    4.8.3. Processing Certificate Modification Requests
    4.8.4. Notification of Certificate Modification to Subscriber
    4.8.5. Conduct Constituting Acceptance of a Modified Certificate
    4.8.6. Publication of the Modified Certificate by the CA
    4.8.7. Notification of Certificate Modification by the CA to Other Entities
  4.9. Certificate revocation and suspension
    4.9.1. Circumstances for Revocation
    4.9.2. Who Can Request Revocation
    4.9.3. Procedure for Revocation Request
    4.9.4. Revocation Request Grace Period
    4.9.5. Time within which CA Must Process the Revocation Request
    4.9.6. Revocation Checking Requirement for Relying Parties
    4.9.7. CRL Issuance Frequency
    4.9.8. Maximum Latency for CRLs
    4.9.9. On-line Revocation/Status Checking Availability
    4.9.10. On-line Revocation Checking Requirements
    4.9.11. Other Forms of Revocation Advertisements Available
    4.9.12. Special Requirements Related to Key Compromise
    4.9.13. Circumstances for Suspension
    4.9.14. Who Can Request Suspension
    4.9.15. Procedure for Suspension Request
    4.9.16. Limits on Suspension Period
  4.10. Certificate status services
    4.10.1. Operational Characteristics
    4.10.2. Service Availability
    4.10.3. Optional Features
  4.11. End of subscription
  4.12. Key escrow and recovery
    4.12.1. Key Escrow and Recovery Policy Practices
    4.12.2. Session Key Encapsulation and Recovery Policy and Practices
5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
  5.1. Physical Controls
    5.1.1. Site Location and Construction
    5.1.2. Physical Access
    5.1.3. Power and Air Conditioning
    5.1.4. Water Exposures
    5.1.5. Fire Prevention and Protection
    5.1.6. Media Storage
    5.1.7. Waste Disposal
    5.1.8. Off-site Backup
    5.1.9. Certificate Status Hosting, CMS and External RA Systems
  5.2. Procedural controls
    5.2.1. Trusted Roles
    5.2.2. Number of Persons Required per Task
    5.2.3. Identification and Authentication for each Role
    5.2.4. Roles Requiring Separation of Duties
  5.3. Personnel controls
    5.3.1. Qualifications, Experience, and Clearance Requirements
    5.3.2. Background Check Procedures
    5.3.3. Training Requirements
    5.3.4. Retraining Frequency and Requirements
    5.3.5. Job Rotation Frequency and Sequence
    5.3.6. Sanctions for Unauthorized Actions
    5.3.7. Independent Contractor Requirements
    5.3.8. Documentation Supplied to Personnel
  5.4. Audit logging procedures
    5.4.1. Types of Events Recorded
    5.4.2. Frequency of Processing Log
    5.4.3. Retention Period for Audit Log
    5.4.4. Protection of Audit Log
    5.4.5. Audit Log Backup Procedures
    5.4.6. Audit Collection System (internal vs. external)
    5.4.7. Notification to Event-causing Subject
    5.4.8. Vulnerability Assessments
  5.5. Records archival
    5.5.1. Types of Records Archived
    5.5.2. Retention Period for Archive
    5.5.3. Protection of Archive
    5.5.4. Archive Backup Procedures
    5.5.5. Requirements for Time-stamping of Records
    5.5.6. Archive Collection System (internal or external)
    5.5.7. Procedures to Obtain and Verify Archive Information
  5.6. Key changeover
  5.7. Compromise and disaster recovery
    5.7.1. Incident and Compromise Handling Procedures
    5.7.2. Computing Resources, Software, and/or Data Are Corrupted
    5.7.3. Entity Private Key Compromise Procedures
    5.7.4. Business Continuity Capabilities after a Disaster
  5.8. CA or RA termination
6. TECHNICAL SECURITY CONTROLS
  6.1. Key pair generation and installation
    6.1.1. Key Pair Generation
    6.1.2. Private Key Delivery to Subscriber
    6.1.3. Public Key Delivery to Certificate Issuer
    6.1.4. CA Public Key Delivery to Relying Parties
    6.1.5. Key Sizes
    6.1.6. Public Key Parameters Generation and Quality Checking
    6.1.7. Key Usage Purposes (as per X.509 v3 key usage field)
  6.2. Private Key Protection and Cryptographic Module Engineering Controls
    6.2.1. Cryptographic Module Standards and Controls
    6.2.2. Private Key (n out of m) Multi-person Control
    6.2.3. Private Key Escrow
    6.2.4. Private Key Backup
    6.2.5. Private Key Archival
    6.2.6. Private Key Transfer into or from a Cryptographic Module
    6.2.7. Private Key Storage on Cryptographic Module
    6.2.8. Method of Activating Private Keys
    6.2.9. Method of Deactivating Private Keys
    6.2.10. Method of Destroying Private Keys
    6.2.11. Cryptographic Module Rating
  6.3. Other aspects of key pair management
    6.3.1. Public Key Archival
    6.3.2. Certificate Operational Periods and Key Pair Usage Periods
  6.4. Activation data
    6.4.1. Activation Data Generation and Installation
    6.4.2. Activation Data Protection
    6.4.3. Other Aspects of Activation Data
  6.5. Computer security controls
    6.5.1. Specific Computer Security Technical Requirements
    6.5.2. Computer Security Rating
  6.6. Life cycle technical controls
    6.6.1. System Development Controls
    6.6.2. Security Management Controls
    6.6.3. Life Cycle Security Controls
  6.7. Network security controls
  6.8. Time-stamping
  6.9. PIV-I Cards
7. CERTIFICATE, CRL, AND OCSP PROFILES
  7.1. Certificate profile
    7.1.1. Version Number(s)
    7.1.2. Certificate Extensions
    7.1.3. Algorithm Object Identifiers
    7.1.4. Name Forms
    7.1.5. Name Constraints
    7.1.6. Certificate Policy Object Identifier
    7.1.7. Usage of Policy Constraints Extension
    7.1.8. Policy Qualifiers Syntax and Semantics
    7.1.9. Processing Semantics for the Critical Certificate Policies Extension
  7.2. CRL profile
    7.2.1. Version number(s)
    7.2.2. CRL and CRL Entry Extensions
  7.3. OCSP profile
    7.3.1. Version Number(s)
    7.3.2. OCSP Extensions
8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
  8.1. Frequency or circumstances of assessment
  8.2. Identity/qualifications of assessor
  8.3. Assessor's relationship to assessed entity
  8.4. Topics covered by assessment
  8.5. Actions taken as a result of deficiency
  8.6. Communication of results
  8.7. Self-Audits
9. OTHER BUSINESS AND LEGAL MATTERS
  9.1. Fees
    9.1.1. Certificate Issuance or Renewal Fees
    9.1.2. Certificate Access Fees
    9.1.3. Revocation or Status Information Access Fees
    9.1.4. Fees for Other Services
    9.1.5. Refund Policy
  9.2. Financial responsibility
    9.2.1. Insurance Coverage
    9.2.2. Other Assets
    9.2.3. Insurance or Warranty Coverage for End-Entities
  9.3. Confidentiality of business information
    9.3.1. Scope of Confidential Information
    9.3.2. Information Not Within the Scope of Confidential Information
    9.3.3. Responsibility to Protect Confidential Information
  9.4. Privacy of personal information
    9.4.1. Privacy Plan
    9.4.2. Information Treated as Private
    9.4.3. Information Not Deemed Private
    9.4.4. Responsibility to Protect Private Information
    9.4.5. Notice and Consent to Use Private Information
    9.4.6. Disclosure Pursuant to Judicial or Administrative Process
    9.4.7. Other Information Disclosure Circumstances
  9.5. Intellectual property rights
  9.6. Representations and warranties
    9.6.1. CA Representations and Warranties
    9.6.2. RA Representations and Warranties
    9.6.3. Subscriber Representations and Warranties
    9.6.4. Relying Party Representations and Warranties
    9.6.5. Representations and Warranties of Other Participants
  9.7. Disclaimers of warranties
  9.8. Limitations of liability
  9.9. Indemnities
    9.9.1. Indemnification by DigiCert
    9.9.2. Indemnification by Subscribers
    9.9.3. Indemnification by Relying Parties
  9.10. Term and termination
    9.10.1. Term
    9.10.2. Termination
    9.10.3. Effect of Termination and Survival
  9.11. Individual notices and communications with participants
  9.12. Amendments
    9.12.1. Procedure for Amendment
    9.12.2. Notification Mechanism and Period
    9.12.3. Circumstances under which OID Must Be Changed
  9.13. Dispute resolution provisions
  9.14. Governing law
  9.15. Compliance with applicable law
  9.16. Miscellaneous provisions
    9.16.1. Entire Agreement
    9.16.2. Assignment
    9.16.3. Severability
    9.16.4. Enforcement (attorneys' fees and waiver of rights)
    9.16.5.
Force Majeure .................................................................................................................. 58 9.17. Other provisions ......................................................................................................................... 58 Appendix A: Sample Opinion LETTER ......................................................................................................... 59 vi 1. INTRODUCTION 1.1. OVERVIEW ThisdocumentistheDigiCert,Inc.(“DigiCert”)CertificationPracticesStatement(CPS)thatoutlinesthe principlesandpracticesrelatedtoDigiCert’scertificationandtime‐stampingservices.ThisCPSappliestoall entitiesparticipatinginorusingDigiCert’scertificateandtime‐stampingservices,excludingparticipantsin DigiCert’sPrivatePKIservices,whicharenotcross‐certifiedorpubliclytrusted.Specificrequirements regardingthosecertificatesaresetforthintheindividualagreementswiththeappropriateDigiCert customer. ThisCPSdescribesthepracticesusedtocomplywiththeDigiCertCertificatePolicy(the“CP”),theAdobe SystemsInc.(“Adobe”)AATLCertificatePolicy,theFederalBridgeCertificationAuthority(“FBCA”)Certificate Policy,andotherapplicablepolicies.DigiCertconformstothecurrentversionoftheguidelinesadoptedby theCertificationAuthority/BrowserForum(“CABForum”)whenissuingpubliclytrustedcertificates, includingtheBaselineRequirementsfortheIssuanceandManagementofPublicly‐TrustedCertificates (“BaselineRequirements”)andtheGuidelinesforExtendedValidationCertificates(“EVGuidelines”)bothof whicharepublishedathttps://www.cabforum.org.IfanyinconsistencyexistsbetweenthisCPSandthe BaselineRequirementsortheEVGuidelines,thentheEVGuidelinestakeprecedenceforEVCertificatesand theBaselineRequirementstakeprecedenceforpubliclytrustedSSLcertificates.Time‐stampingservicesare providedaccordingtoIETFRFC3161andothertechnicalstandards. 
This CPS is only one of several documents that control DigiCert's certification services. Other important documents include both private and public documents, such as the CP, DigiCert's agreements with its customers, Relying Party agreements, and DigiCert's privacy policy. DigiCert may provide additional certificate policies or certification practice statements. These supplemental policies and statements are available to applicable users or relying parties.

Pursuant to the IETF PKIX RFC 3647 CP/CPS framework, this CPS is divided into nine parts that cover the security controls and practices and procedures for certificate and time-stamping services within the DigiCert PKI. To preserve the outline specified by RFC 3647, section headings that do not apply have the statement "Not applicable" or "No stipulation."

1.2. DOCUMENT NAME AND IDENTIFICATION

This document is the DigiCert Certification Practices Statement and was approved for publication on 9 August 2010 by the DigiCert Policy Authority (DCPA). The following revisions were made to the original document:

Date | Changes | Version
7-October-2014 | Updated for consistency with DigiCert CP v. 2.27 | 4.07
14-May-2014 | Updated practices to comply with new policy requirements and changes to the DirectTrust CP, Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines. | 4.06
2-May-2013 | Updated mailing address. Also updated practices to comply with new policy requirements, the DirectTrust CP, changes to the Adobe program, and CAB Forum guidelines. | 4.05
10-May-2012 | Updated to include practices set forth in the Baseline Requirements, the current Mozilla CA Policy, EV Code Signing, the IGTF, and other policy bodies. | 4.04
3-May-2011 | IGTF Certificates added and minor updates made to several sections. | 4.03
29-October-2010 | Changes made in response to comments from the FPKI CPWG regarding certificate status services, trusted roles, and off-site backup of archive. | 4.02
26-August-2010 | Updated the process used to authenticate the certificate requester's authority under section 3.2.5 for code signing certificates issued to organizations. | 4.01
9-August-2010 | This version 4.0 replaces the DigiCert Certificate Policy and Certification Practices Statement, Version 3.08, dated May 29, 2009, and the DigiCert Certification Practice Statement for Extended Validation Certificates, Version 1.0.4, May 29, 2009. | 4.0

The OID for DigiCert is joint-iso-ccitt (2) country (16) USA (840) US-company (1) DigiCert (114412). The OID arc for this version 4 of the CPS is 2.16.840.1.114412.0.2.4. Subsequent revisions to this CPS might have new OID assignments. DigiCert issues certificates and time-stamp tokens containing the following OIDs/OID arcs:

Digitally Signed Object | Object Identifier (OID)
Domain Vetted SSL Certificates and per the Baseline Requirements | 2.16.840.1.114412.1.2 and/or 2.23.140.1.2.1 (CAB Forum Baseline Reqs.)
Organization Vetted SSL Certificates and per the Baseline Requirements | 2.16.840.1.114412.1.1 and/or 2.23.140.1.2.2 (CAB Forum Baseline Reqs.)
Federated Device Certificate | 2.16.840.1.114412.1.11
Federated Device Hardware Certificate | 2.16.840.1.114412.1.12
Issuer CA (where allowed by policy) | 2.5.29.32.0 (anyPolicy)
Extended Validation SSL Certificates | 2.16.840.1.114412.2 and/or 2.23.140.1.1.X (CAB Forum EV Guidelines)
Object Signing Certificates | 2.16.840.1.114412.3
Code Signing Certificates | 2.16.840.1.114412.3.1
Extended Validation Code Signing | 2.16.840.1.114412.3.2
Windows Kernel Driver Signing | 2.16.840.1.114412.3.11
Adobe Signing Certificate | 2.16.840.1.114412.3.21
Client Certificate OID Arc | 2.16.840.1.114412.4
Level 1 Certificates - Personal | 2.16.840.1.114412.4.1.1
Level 1 Certificates - Enterprise | 2.16.840.1.114412.4.1.2
Level 2 Certificates | 2.16.840.1.114412.4.2
Level 3 Certificates - US | 2.16.840.1.114412.4.3.1
Level 3 Certificates - CBP | 2.16.840.1.114412.4.3.2
Level 4 Certificates - US | 2.16.840.1.114412.4.4.1
Level 4 Certificates - CBP | 2.16.840.1.114412.4.4.2
PIV-I OID Arc | 2.16.840.1.114412.4.5
PIV-I Hardware - keys require activation by the PIV-I Cardholder (PIV Auth, Dig Sig and Key Management) | 2.16.840.1.114412.4.5.1
PIV-I Card Authentication - keys do not require PIV-I Cardholder activation | 2.16.840.1.114412.4.5.2
PIV-I Content Signing - use by PIV-I-compliant CMS | 2.16.840.1.114412.4.5.3
Grid Certificate OID Arcs | 2.16.840.1.114412.4.31 or 2.16.840.1.114412.31 (Grid-only arc)
IGTF Classic X.509 Authorities with secured infrastructure | 2.16.840.1.114412.4.31.1 (Client w/ Public), 2.16.840.1.114412.31.4.1.1 (Client Grid Only), and/or 1.2.840.113612.5.2.2.1.x (IGTF)
IGTF Member Integrated X.509 Credential Services with Secured Infrastructure Certificates | 2.16.840.1.114412.4.31.5 and/or 1.2.840.113612.5.2.2.5.x (IGTF)
IGTF Grid Host - Public Trust | 2.16.840.1.114412.1.31.1
IGTF Grid-Only Host Certificate | 2.16.840.1.114412.31.1.1.1, 1.2.840.113612.5.2.2.1.x (IGTF), and/or 1.2.840.113612.5.2.2.5.x (IGTF)
Authentication-Only Certificates | 2.16.840.1.114412.6
Trusted Time-stamping | 2.16.840.1.114412.7.1
Legacy arc | 2.16.840.1.114412.81
Test arc | 2.16.840.1.114412.99

EU OIDs:

EU Qualified Certificates (ETSI TS 101 456) | 0.4.0.1456.1.2
EU QC on Secure Signature Creation Device (ETSI TS 101 456) | 0.4.0.1456.1.1
ETSI TS 101 862 - Qualified Certificate Statements | 0.4.0.1862.1.x
EU Qualified Time-stamping (ETSI TS 102 023) | 0.4.0.2023.1.x

All OIDs mentioned above belong to their respective owners. The specific OIDs used when objects are signed pursuant to this CPS are indicated in the applicable Certificate Profiles document. When DigiCert issues an SSL certificate containing one of the above-specified policy identifiers for "Baseline Requirements", it asserts that the certificate is managed in accordance with the Baseline Requirements. Commercial Best Practices ("CBP") differs from "US" in that there are no trusted role citizenship requirements for an Issuer CA issuing under a CBP policy, whereas policies designated "US" must follow the citizenship practices set forth in Section 5.3.1.

The Legacy arc exists to identify certificates issued for the purpose of achieving compatibility with legacy systems that are incapable of processing newer algorithms that might be required by comparable industry best practices, e.g., to identify certificates signed using the SHA-1 algorithm when SHA-256 would be required under a CP that DigiCert has cross-certified.

1.3. PKI PARTICIPANTS

1.3.1. Certification Authorities

DigiCert is a certification authority (CA) that issues digital certificates. As a CA, DigiCert performs functions associated with Public Key operations, including receiving certificate requests, issuing, revoking and renewing a digital certificate, and maintaining, issuing, and publishing CRLs and OCSP responses. General information about DigiCert's products and services is available at www.digicert.com.

DigiCert's offline self-signed Root CAs issue CA certificates to subordinate CAs and cross certificates to other Root CAs in accordance with this CPS, applicable cross-certification/federation policies, and DigiCert's memoranda of agreement with those externally operated CAs. An "external subordinate CA" is an unaffiliated third party that is issued a CA Certificate by DigiCert where the Private Key associated with that CA Certificate is not maintained under the physical control of DigiCert. In accordance with EU Directive 99/93, DigiCert does not allow external subordinate CAs to issue EU Qualified Certificates. In accordance with requirements of the U.S. Federal PKI Policy Authority (FPKIPA), DigiCert notifies the FPKIPA prior to issuing a CA certificate chaining to the Federal Bridge CA to an external subordinate CA. All external subordinate CAs are prohibited, either technically or contractually, from issuing certificates to domain names or IP addresses that a Subscriber does not legitimately own or control (i.e. issuance for purposes of "traffic management" is prohibited), and external subordinate CAs are required to implement procedures that are at least as restrictive as those found herein.

DigiCert is also a time stamping authority (TSA) and provides proof-of-existence for data at an instant in time as described herein.

1.3.2. Registration Authorities and Other Delegated Third Parties

DigiCert may delegate the performance of certain functions to Registration Authorities (RA) and other third parties to request certificates and/or perform identification and authentication for end-user certificates. The specific role of an RA or Delegated Third Party varies greatly between entities, ranging from simple translation services to actual assistance in gathering and verifying Applicant information. Some RAs operate identity management systems (IdMs) and may manage the certificate lifecycle for end-users. For IGTF certificates, designated RAs are responsible for vetting the identity of each certificate applicant. DigiCert contractually obligates each Delegated Third Party to abide by the policies and industry standards that are applicable to that Delegated Third Party's role in certificate issuance, management, revocation or any other related task that the Delegated Third Party performs.

RA personnel involved in the issuance of publicly-trusted SSL Certificates must undergo the skills and training required under Section 5.3. An RA or identity management (IdM) system supporting a particular community of interest with custom identity-vetting practices that differ from those found herein may submit documentation to the DCPA for review and approval. The documentation must contain sufficient detail to ensure that all tasks required by the CP will be performed.

1.3.3. Subscribers

Subscribers use DigiCert's services and PKI to support transactions and communications. Subscribers are not always the party identified in a certificate, such as when certificates are issued to an organization's employees. The Subject of a certificate is the party named in the certificate. A Subscriber, as used herein, refers to both the Subject of the certificate and the entity that contracted with DigiCert for the certificate's issuance. Prior to verification of identity and issuance of a certificate, a Subscriber is an Applicant.

1.3.4. Relying Parties

Relying Parties are entities that act in reliance on a certificate and/or digital signature issued by DigiCert. Relying parties must check the appropriate CRL or OCSP response prior to relying on information featured in a certificate. The location of the CRL distribution point is detailed within the certificate.

1.3.5. Other Participants

Other participants include Accreditation Authorities (such as Policy Management Authorities, Federation Operators, Application Software Vendors, and applicable Community-of-Interest sponsors); Bridge CAs and CAs that cross-certify DigiCert CAs as trust anchors in other PKI communities; Card Management Systems and integrators (CMSs) that ensure proper operation and provisioning of PIV-I cards; and Time Source Entities, Time Stamp Token Requesters, and Time Stamp Verifiers involved in trusted time stamping. Accreditation Authorities are granted an unlimited right to re-distribute DigiCert's root certificates and related information in connection with the accreditation.

When issuing PIV-I cards, DigiCert uses a Card Management System (CMS) that meets the requirements herein and that is responsible for managing smart card token content. DigiCert does not issue certificates to a CMS that include a PIV-I Hardware or PIV-I Card Authentication policy OID.

DigiCert has cross-certified with the Federal Bridge Certification Authority (FBCA) and has been issued cross certificates by Entrust and Cybertrust.

1.4. CERTIFICATE USAGE

A digital certificate (or certificate) is formatted data that cryptographically binds an identified subscriber with a Public Key. A digital certificate allows an entity taking part in an electronic transaction to prove its identity to other participants in such a transaction. Digital certificates are used in commercial environments as a digital equivalent of an identification card. A time-stamp token (TST) cryptographically binds a representation of data to a particular time stamp, thus establishing evidence that the data existed at a certain point in time.

1.4.1. Appropriate Certificate Uses

Certificates issued pursuant to this CPS may be used for all legal authentication, encryption, access control, and digital signature purposes, as designated by the key usage and extended key usage fields found within the certificate. However, the sensitivity of the information processed or protected by a certificate varies greatly, and each Relying Party must evaluate the application environment and associated risks before deciding whether to use a certificate issued under this CPS.

This CPS covers several different types of end entity certificates/tokens with varying levels of assurance. The following table provides a brief description of the appropriate uses of each. The descriptions are for guidance only and are not binding.

DV SSL Certificates: Used to secure online communication where the risks and consequences of data compromise are low, including non-monetary transactions or transactions with little risk of fraud or malicious access.

OV SSL Certificates: Used to secure online communication where the risks and consequences of data compromise are moderate, including transactions having substantial monetary value or risk of fraud or involving access to private information where the likelihood of malicious access is substantial.

EV SSL Certificates: Used to secure online communication where risks and consequences of data compromise are high, including transactions having high monetary value, risk of fraud, or involving access to private information where the likelihood of malicious access is high.

Federated Device Certificates: Similar to SSL Certificates above but for use as necessary in connection with cross-certified PKIs.

Code Signing Certificates, including EV Code Signing: Establishes the identity of the Subscriber named in the certificate and that the signed code has not been modified since signing.

Rudimentary Level 1 Client Certificates - Personal: Provides the lowest degree of assurance concerning identity of the individual and is generally used only to provide data integrity to the information being signed. These certificates should only be used where the risk of malicious activity is low and if an authenticated transaction is not required.

Level 1 Client Certificates - Enterprise: Used in environments where there are risks and consequences of data compromise, but such risks are not of major significance. Users are assumed not likely to be malicious.

Level 2 Client Certificates (FBCA basic assurance certificates): Issued to identity-vetted individuals. Certificates specify if the name is a pseudonym. Used in environments where there are risks and consequences of data compromise, but such risks are not of major significance. Users are assumed not likely to be malicious.

Level 3 Client Certificates (FBCA medium certificates): Used in environments where risks and consequences of data compromise are moderate, including transactions having substantial monetary value or risk of fraud or involving access to private information where the likelihood of malicious access is substantial.

Level 4 Client Certificates (FBCA medium hardware certificates): Used in environments where risks and consequences of data compromise are high, including transactions having high monetary value or risk of fraud or involving access to private information where the likelihood of malicious access is high.

Direct Certificates: Used to transfer healthcare information in accordance with the Direct Protocol adopted by the ONC. Direct Certificates are issued as Level 2 or Level 3 Certificates.

Authentication Only: Used where the identity of the certificate holder is irrelevant and where the risk of unauthorized access to a secure site is low.

IGTF and Grid-only Certificates: Support identity assertions and system authentication amongst participants in the International Grid Trust Federation. IGTF Certificates include those issued as publicly-trusted client certificates and those issued under the Grid-only arc.

PIV-I Hardware, PIV-I Content Signing, PIV-I Digital Signature, PIV-I Key Management: Personal Identity Verification - Interoperable (PIV-I) cards are intended to technically interoperate with Federal PIV Card readers and applications. The requirements associated with PIV-I Hardware and PIV-I Content Signing are identical to Level 4 Certificates except where specifically noted herein. PIV-I Content Signing policy is reserved for certificates used by the Card Management System (CMS) to sign the PIV-I card security objects.

PIV-I Card Authentication: This level is relevant to environments where risks and consequences of data compromise are moderate. This may include contactless smart card readers where use of an activation PIN is not practical.

EU Qualified Certificate and EU QC on Secure Signature Creation Device: EU Qualified Certificates may only be used for signing (ETSI TS 101 456).

Adobe Signing Certificates: Used to sign Adobe documents and show that the portion of the document signed by the author has not been modified since signing.

Time Stamp Token: Used to identify the existence of data at a set period of time.

1.4.2. Prohibited Certificate Uses

Certificates do not guarantee that the Subject is trustworthy, honest, reputable in its business dealings, compliant with any laws, or safe to do business with. A certificate only establishes that the information in the certificate was verified as reasonably correct when the certificate was issued. Code signing certificates do not indicate that the signed code is safe to install or free from malware, bugs, or vulnerabilities.

Certificates issued under this CPS may not be used (i) for any application requiring fail-safe performance such as (a) the operation of nuclear power facilities, (b) air traffic control systems, (c) aircraft navigation systems, (d) weapons control systems, or (e) any other system whose failure could lead to injury, death or environmental damage; or (ii) where prohibited by law. Certificates issued under the Grid-only arc cannot be used to establish trust outside of the relevant grid network.

1.5. POLICY ADMINISTRATION

1.5.1. Organization Administering the Document

This CPS and the documents referenced herein are maintained by the DCPA, which can be contacted at:

DigiCert Policy Authority
Suite 500
2600 West Executive Parkway
Lehi, UT 84043 USA
Tel: 1-801-877-2100
Fax: 1-801-705-0481

1.5.2. Contact Person

Attn: Legal Counsel
DigiCert Policy Authority
Suite 500
2600 West Executive Parkway
Lehi, UT 84043 USA

1.5.3. Person Determining CPS Suitability for the Policy

The DCPA determines the suitability and applicability of this CPS based on the results and recommendations received from an independent auditor (see Section 8). The DCPA is also responsible for evaluating and acting upon the results of compliance audits.

1.5.4. CPS Approval Procedures

The DCPA approves the CPS and any amendments. Amendments are made after the DCPA has reviewed the amendments' consistency with the CP, by either updating the entire CPS or by publishing an addendum. The DCPA determines whether an amendment to this CPS is consistent with the CP, requires notice, or requires an OID change. See also Section 9.10 and Section 9.12 below.

1.6. DEFINITIONS AND ACRONYMS

"Affiliated Organization" means an organization that has an organizational affiliation with a Subscriber and that approves or otherwise allows such affiliation to be represented in a certificate.

"Applicant" means an entity applying for a certificate.

"Application Software Vendor" means a software developer whose software displays or uses DigiCert certificates and distributes DigiCert's root certificates.

"CAB Forum" is defined in section 1.1.

"Certificate Approver" is defined in the EV Guidelines.

"Certificate Requester" is defined in the EV Guidelines.

"Contract Signer" is defined in the EV Guidelines.

"Direct Address" means an email address conforming to the Applicability Statement for Secure Health Transport.

"Direct Address Certificate" means a certificate containing an entire Direct Address.

"Direct Device Certificate" means a certificate containing the FQDN or IP address of a host machine.

"Direct Organizational Certificate" means a certificate containing only the domain name portion of a Direct Address.

"EU Directive 99/93" means the EU Council Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for Electronic Signatures, OJ L 13, 19.01.2000, pp. 12-20.

"EV Guidelines" is defined in section 1.1.

"Key Pair" means a Private Key and associated Public Key.

"OCSP Responder" means an online software application operated under the authority of DigiCert and connected to its repository for processing certificate status requests.

"PIV-I Profile" means the X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards, Ver. 1.0, Date: April 23, 2010.

"Private Key" means the key of a key pair that is kept secret by the holder of the key pair, and that is used to create digital signatures and/or to decrypt electronic records or files that were encrypted with the corresponding Public Key.

"Public Key" means the key of a key pair that may be publicly disclosed by the holder of the corresponding Private Key and that is used by a Relying Party to verify digital signatures created with the holder's corresponding Private Key and/or to encrypt messages so that they can be decrypted only with the holder's corresponding Private Key.

"Qualified Certificate" means a certificate that meets the requirements in Annex I of EU Directive 99/93 and is provided by an Issuer CA meeting the requirements of Annex II of the Directive.

"Relying Party" means an entity that relies upon either the information contained within a certificate or a time-stamp token.

"Relying Party Agreement" means an agreement which must be read and accepted by the Relying Party prior to validating, relying on or using a Certificate or accessing or using DigiCert's Repository. The Relying Party Agreement is available for reference through a DigiCert online repository.

"Secure Signature Creation Device" means a signature-creation device that meets the requirements laid down in Annex III of EU Directive 99/93.

"Subscriber" means either the entity identified as the subject in the certificate or the entity that is receiving DigiCert's time-stamping services.

"Subscriber Agreement" means an agreement that governs the issuance and use of a certificate that the Applicant must read and accept before receiving a certificate.

"WebTrust" means the current version of the AICPA/CICA WebTrust Program for Certification Authorities.

"WebTrust EV Program" means the additional audit procedures specified for CAs that issue EV Certificates by the AICPA/CICA to be used in conjunction with its WebTrust Program for Certification Authorities.

Acronyms:

AATL - Adobe Approved Trust List
CA - Certificate Authority or Certification Authority
CAB - "CA/Browser" as in "CAB Forum"
CMS - Card Management System
CP - Certificate Policy
CPS - Certification Practice Statement
CRL - Certificate Revocation List
CSR - Certificate Signing Request
DBA - Doing Business As (also known as "Trading As")
DCPA - DigiCert Policy Authority
ETSI - European Telecommunications Standards Institute
EU - European Union
EV - Extended Validation
FIPS - (US Government) Federal Information Processing Standard
FQDN - Fully Qualified Domain Name
FTP - File Transfer Protocol
HISP - Health Information Service Provider
HSM - Hardware Security Module
HTTP - Hypertext Transfer Protocol
IANA - Internet Assigned Numbers Authority
ICANN - Internet Corporation for Assigned Names and Numbers
IdM - Identity Management System
IDN - Internationalized Domain Name
ISSO - Information System Security Officer
IETF - Internet Engineering Task Force
IGTF - International Grid Trust Federation
ITU - International Telecommunication Union
ITU-T - ITU Telecommunication Standardization Sector
MICS - Member-Integrated Credential Service (IGTF)
OCSP - Online Certificate Status Protocol
OID - Object Identifier
ONC - Office of the National Coordinator for Healthcare (U.S.)
PIN - Personal Identification Number (e.g. a secret access code)
PIV-I - Personal Identity Verification-Interoperable
PKI - Public Key Infrastructure
PKIX - IETF Working Group on Public Key Infrastructure
PKCS - Public Key Cryptography Standard
RA - Registration Authority
RFC - Request for Comments (at IETF.org)
SHA - Secure Hashing Algorithm
SSCD - Secure Signature Creation Device
SSL - Secure Sockets Layer
TLD - Top-Level Domain
TLS - Transport Layer Security
TSA - Time Stamping Authority
TST - Time-Stamp Token
URL - Uniform Resource Locator
UTC - Coordinated Universal Time
X.509 - The ITU-T standard for Certificates and their corresponding authentication framework

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1. REPOSITORIES

DigiCert makes its root certificates, revocation data for issued digital certificates, CPs, CPSs, Relying Party Agreements, and standard Subscriber Agreements available in public repositories. DigiCert's legal repository for most services is located at http://www.digicert.com/ssl-cps-repository.htm. DigiCert's repository for International Grid Trust is located at http://www.digicert-grid.com/.

DigiCert's publicly trusted root certificates and its CRLs and OCSP responses are available through online resources 24 hours a day, 7 days a week, with systems described in Section 5 to minimize downtime.

2.2. PUBLICATION OF CERTIFICATION INFORMATION

The DigiCert certificate services and the repository are accessible through several means of communication:

1. On the web: www.digicert.com (and via URIs included in the certificates themselves)
2. [email protected]
3. By mail addressed to: DigiCert, Inc., Suite 500, 2600 West Executive Parkway, Lehi, Utah 84043
4. By telephone: 1-801-877-2100
5. By fax: 1-801-705-0481

2.3. TIME OR FREQUENCY OF PUBLICATION

CA certificates are published in a repository as soon as possible after issuance. CRLs for end-user certificates are issued at least once per day. CRLs for CA certificates are issued at least every 6 months (every 31 days for offline CAs chaining to the Federal Bridge CA), and also within 18 hours if a CA certificate is revoked. Under special circumstances, DigiCert may publish new CRLs prior to the scheduled issuance of the next CRL. (See Section 4.9 for additional details.)

New or modified versions of the CP, this CPS, Subscriber Agreements, or Relying Party Warranties are typically published within seven days after their approval.

2.4. ACCESS CONTROLS ON REPOSITORIES

Read-only access to the repository is unrestricted. Logical and physical controls prevent unauthorized write access to repositories.

3. IDENTIFICATION AND AUTHENTICATION

3.1. NAMING

3.1.1. Types of Names
Certificates are issued with a non-null subject Distinguished Name (DN) that complies with ITU X.500 standards, except that DigiCert may issue a Level 1 Certificate with a null subject DN if it includes at least one alternative name form that is marked critical. When DNs are used, common names must respect namespace uniqueness requirements and must not be misleading. This does not preclude the use of pseudonymous certificates, except where stated otherwise under Section 3.1.3. Some SSL/TLS certificates, including certificates for intranet use and Unified Communications Certificates, may contain entries in the subject alternative name extension that are not intended to be relied upon by the general public (e.g., they contain non-standard top level domains like .local or they are addressed to an IP number space that has been allocated as private by RFC 1918). The issuance of publicly-trusted SSL certificates to these local IP addresses or with non-FQDN (DNS-addressable) server names has been deprecated. Unless otherwise modified by the CA/Browser Forum in its Baseline Requirements, as of July 1, 2012, DigiCert will not issue a publicly trusted SSL certificate with an Expiry Date later than November 1, 2015 if it has a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, and on October 1, 2016, DigiCert will revoke any unexpired certificate containing an internal name or reserved IP address.

Certificates for PIV-I cards include both a non-null subject name and subject alternative name.

Each PIV-I Hardware certificate indicates whether or not the Subscriber is associated with an Affiliated Organization by taking one of the following forms:

For certificates with an Affiliated Organization:
cn=Subscriber's full name, ou=Affiliated Organization Name, {Base DN}

For certificates with no Affiliated Organization:
cn=Subscriber's full name, ou=Unaffiliated, ou=Entity CA's Name, {Base DN}

Each PIV-I Content Signing certificate also clearly indicates the organization administering the CMS. PIV-I Card Authentication subscriber certificates do not include a Subscriber common name.
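The PIV-I Hardware name forms above, and the PIV-I Card Authentication forms that this section gives next (serialNumber holding an RFC 4122 UUID string, no common name, then the same ou chain), are regular enough that a CMS or RA can check a requested subject against them before approving the request. The Python below is an added example written for this page, not DigiCert's code or a DigiCert tool; the organization names, the Entity CA name "Example Entity CA" and the base DN "o=Example PIV-I,c=US" are constructed placeholders, and the DN string syntax assumed is the RFC 2253 form the CPS cites in Section 3.1.4.

```python
"""Added example: check a PIV-I subject DN against the forms in Section 3.1.1."""
import re
import uuid

# RFC 4122 section 3 string form: 8-4-4-4-12 hex digits separated by hyphens.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def parse_dn(dn):
    """Split an RFC 2253 string into (type, value) pairs; '\\,' keeps a comma in a value."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify_piv_i_dn(dn, entity_ca_name, base_dn):
    """Return (kind, affiliation, organization or Entity CA name) for a conforming DN.

    kind is 'hardware' (leading cn) or 'card-auth' (leading serialNumber=UUID, no cn);
    affiliation is 'affiliated' or 'unaffiliated'. Any other shape raises ValueError.
    """
    pairs = parse_dn(dn)
    base = parse_dn(base_dn)
    if len(pairs) <= len(base) or pairs[-len(base):] != base:
        raise ValueError("subject does not end in the expected base DN")
    head = pairs[:-len(base)]
    first_attr, first_value = head[0]
    if first_attr == "cn":
        kind = "hardware"
    elif first_attr == "serialnumber":
        kind = "card-auth"
        if not UUID_RE.match(first_value):
            raise ValueError("serialNumber is not an RFC 4122 UUID string")
        uuid.UUID(first_value)  # defensive second parse of the hex content
    else:
        raise ValueError(f"unexpected leading attribute {first_attr!r}")
    rest = head[1:]
    if any(attr != "ou" for attr, _ in rest):
        # Only ou may follow the leading RDN; for Card Authentication this is also
        # what enforces "no Subscriber common name".
        raise ValueError("only ou attributes may follow the leading RDN")
    ous = [value for _, value in rest]
    if len(ous) == 1 and ous[0] != "Unaffiliated":
        return kind, "affiliated", ous[0]
    if len(ous) == 2 and ous[0] == "Unaffiliated" and ous[1] == entity_ca_name:
        return kind, "unaffiliated", entity_ca_name
    raise ValueError("ou chain matches neither the affiliated nor the unaffiliated form")


def is_valid_piv_i_dn(dn, entity_ca_name, base_dn):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        classify_piv_i_dn(dn, entity_ca_name, base_dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample subjects; none of these names come from the CPS.
    base = "o=Example PIV-I,c=US"
    ca = "Example Entity CA"
    samples = [
        "cn=Jane Q. Example,ou=Example Org,o=Example PIV-I,c=US",
        "cn=Jane Q. Example,ou=Unaffiliated,ou=Example Entity CA,o=Example PIV-I,c=US",
        "serialNumber=f81d4fae-7dec-11d0-a765-00a0c91e6bf6,ou=Example Org,o=Example PIV-I,c=US",
        "serialNumber={f81d4fae-7dec-11d0-a765-00a0c91e6bf6},ou=Example Org,o=Example PIV-I,c=US",
        "cn=Jane Q. Example,serialNumber=f81d4fae-7dec-11d0-a765-00a0c91e6bf6,o=Example PIV-I,c=US",
    ]
    for s in samples:
        try:
            print(classify_piv_i_dn(s, ca, base), "<-", s)
        except ValueError as err:
            print("REJECT:", err, "<-", s)
```

The fourth and fifth samples are rejected on purpose: a braced or unhyphenated UUID is not the RFC 4122 string form, and a Card Authentication subject that also carries a cn contradicts the rule that those certificates have no Subscriber common name.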
Each PIV-I Card Authentication certificate indicates whether or not the Subscriber is associated with an Affiliated Organization by taking one of the following forms:

For certificates with an Affiliated Organization:
serialNumber=UUID, ou=Affiliated Organization Name, {Base DN}

For certificates with no Affiliated Organization:
serialNumber=UUID, ou=Unaffiliated, ou=Entity CA's Name, {Base DN}

The UUID is encoded within the serialNumber attribute using the UUID string representation defined in Section 3 of RFC 4122 (e.g., "f81d4fae-7dec-11d0-a765-00a0c91e6bf6").

The subject name in each EU Qualified Certificate complies with section 3.1.2 of RFC 3739.

3.1.2. Need for Names to be Meaningful

DigiCert uses distinguished names that identify both the entity (i.e. person, organization, device, or object) that is the subject of the certificate and the entity that is the issuer of the certificate. DigiCert only allows directory information trees that accurately reflect organization structures.

3.1.3. Anonymity or Pseudonymity of Subscribers

Generally, DigiCert does not issue anonymous or pseudonymous certificates; however, for IDNs, DigiCert may include the Punycode version of the IDN as a subject name. DigiCert may also issue other pseudonymous end-entity certificates provided that they are not prohibited by policy and any applicable namespace uniqueness requirements are met.

3.1.4. Rules for Interpreting Various Name Forms

Distinguished Names in certificates are interpreted using X.500 standards and ASN.1 syntax. See RFC 2253 and RFC 2616 for further information on how X.500 distinguished names in certificates are interpreted as Uniform Resource Identifiers and HTTP references.

3.1.5. Uniqueness of Names

The uniqueness of each subject name in a certificate is enforced as follows:

SSL Server Certificates: Inclusion of the domain name in the Certificate. Domain name uniqueness is controlled by the Internet Corporation for Assigned Names and Numbers (ICANN).

Client Certificates: Requiring a unique email address or a unique organization name combined/associated with a unique serial integer.
IGTF and Grid-only Device Certificates: For device certificates, an FQDN is included in the appropriate fields. For other certificates, DigiCert may append a unique ID to a name listed in the certificate.

Code Signing Certificates (including CDS Certificates): Requiring a unique organization name and address or a unique organization name combined/associated with a unique serial integer.

Time Stamping: Requiring a unique hash and time or unique serial integer assigned to the time stamp.

3.1.6. Recognition, Authentication, and Role of Trademarks

Subscribers may not request certificates with content that infringes on the intellectual property rights of another entity. Unless otherwise specifically stated in this CPS, DigiCert does not verify an Applicant's right to use a trademark and does not resolve trademark disputes. DigiCert may reject any application or require revocation of any certificate that is part of a trademark dispute.

3.2. INITIAL IDENTITY VALIDATION

DigiCert may use any legal means of communication or investigation to ascertain the identity of an organizational or individual Applicant. DigiCert may refuse to issue a Certificate in its sole discretion.

3.2.1. Method to Prove Possession of Private Key

DigiCert establishes that the Applicant holds or controls the Private Key corresponding to the Public Key by performing signature verification or decryption on data purported to have been digitally signed or encrypted with the Private Key, using the Public Key associated with the certificate request.

3.2.2. Authentication of Organization Identity

DV SSL Server Certificates: DigiCert validates the Applicant's right to use or control the domain names that will be listed in the certificate using one or more of the following procedures:
1. Relying on publicly available records from the Domain Name Registrar, such as WHOIS or other DNS record information;
2. Communicating with one of the following email addresses: [email protected], [email protected], [email protected], hostmaster@domain, postmaster@domain, or any address listed in the technical, registrant, or administrative contact field of the domain's Registrar record;
3. Requiring a practical demonstration of domain control (e.g., requiring the Applicant to make a specified change to a DNS zone file or a live page on the given domain); and/or
4. A domain authorization letter, provided the letter contains the signature of an authorized representative of the domain holder, a date that is on or after the certificate request, a list of the approved fully-qualified domain name(s), and a statement granting the Applicant the right to use the domain names in the certificate. DigiCert also contacts the domain name holder using a reliable third-party data source to confirm the authenticity of the domain authorization letter; and/or
5. A similar procedure that offers an equivalent level of assurance in the Applicant's ownership, control, or right to use the Domain Name.
DigiCert verifies an included country code using (a) the IP Address range assignment by country for either (i) the web site's IP address, as indicated by the DNS record for the web site, or (ii) the Applicant's IP address; (b) the ccTLD of the requested Domain Name; or (c) information provided by the Domain Name Registrar.

OV SSL Server, Object Signing, and Device Certificates (excluding device certificates issued under the Grid-only arc): DigiCert validates the Applicant's right to use or control the Domain Name(s) that will be listed in the Certificate using the DV SSL Server Certificate validation procedures above. DigiCert also verifies the identity and address of the Applicant using:
1. a reliable third party/government database or communication with the entity or jurisdiction governing the organization's legal creation, existence, or recognition;
2. a site visit;
3. an attestation letter that is signed by an accountant, lawyer, government official, or other reliable third party; or
4. for address only, a utility bill, bank statement, credit card statement, tax document, or other reliable form of identification.
DigiCert verifies any DBA included in a certificate using a third party or government source, attestation letter, or reliable form of identification.

Device certificates issued under the Grid-only arc: An RA or Trusted Agent validates the applicant's information in accordance with an RPS (or similar document) applicable to the community of interest.
EV SSL and EV Code Signing Certificates: Information concerning organization identity related to the issuance of EV Certificates is validated in accordance with the EV Guidelines.

Level 1 Client Certificates - Enterprise: DigiCert verifies organizational control over the email domain using authentication procedures similar to those used by DigiCert when establishing domain ownership by an organization before issuance of a DV or OV SSL Server Certificate.

Level 2, 3, and 4 Client Certificates: If the certificate contains organization information, DigiCert obtains documentation from the organization sufficient to confirm that the individual has an affiliation with the organization named in the certificate.

PIV-I: For certificate requests that assert an organizational affiliation between a human subscriber and an organization, DigiCert verifies the organization's identity and legal existence, and the organization is required to enter into an agreement authorizing or recognizing that affiliation and requiring that the organization request revocation of the certificate when that affiliation ends.

DigiCert maintains and utilizes a scoring system to flag certificate requests that potentially present a higher risk of fraud. Those certificate requests that are flagged "high risk" receive additional scrutiny or verification prior to issuance, which may include obtaining additional documentation from or additional communication with the Applicant.

Before issuing an SSL certificate with a domain name that has not been previously verified as within the scope of an RA's or other Delegated Third Party's allowed domain names, DigiCert establishes that the RA or Delegated Third Party has the right to use the Domain Name by independently verifying the authorization with the domain owner, as described above, or by using other reliable means, such as performing a DNS lookup to determine whether there is a matching DNS record that points to the Delegated Third Party's IP address or domain name space.

DigiCert verifies the organization name, address, legal existence, and authorization for CA certificates that cross-certify with the FBCA.

3.2.3. Authentication of Individual Identity

If a certificate will contain the identity of an individual, then DigiCert or an RA validates the identity of the individual using the following procedures:

OV SSL Server Certificates and Object Signing Certificates (issued to an individual):
1. DigiCert or the RA obtains a legible copy, which discernibly shows the Applicant's face, of at least one currently valid government-issued photo ID (passport, driver's license, military ID, national ID, or equivalent document type). DigiCert or the RA inspects the copy for any indication of alteration or falsification.
2. DigiCert may additionally cross-check the Applicant's name and address for consistency with available third party data sources.
3. If further assurance is required, then the Applicant must provide an additional form of identification, such as recent utility bills, financial account statements, credit card, an additional ID credential, or equivalent document type.
4. DigiCert or the RA confirms that the Applicant is able to receive communication by telephone, postal mail/courier, or fax.
If DigiCert cannot verify the Applicant's identity using the procedures described above, then the Applicant must submit a Declaration of Identity that is witnessed and signed by a Registration Authority, Trusted Agent, notary, lawyer, accountant, postal carrier, or any entity certified by a State or National Government as authorized to confirm identities.

Device Certificate Sponsors: See section 3.2.3.3.

EV Certificates issued to a business entity: As specified in the EV Guidelines.

Grid-only Certificates: Either the RA responsible for the grid community or a Trusted Agent obtains an identity document during a face-to-face meeting with the Applicant, or a Trusted Agent attests that the Applicant is personally known to the Trusted Agent. The RA must retain sufficient information about the applicant's identity to prove upon DigiCert's request that the applicant was properly identified.

Authentication Certificates: The entity controlling the secure location must represent that the certificate holder is authorized to access the location.
Level 1 Client Certificates - Personal (email certificates): DigiCert or an RA verifies the Applicant's control of the email address or website listed in the certificate.

Level 1 Client Certificates - Enterprise: Any one of the following:
1. In-person appearance before a person performing identity proofing for a Registration Authority or a Trusted Agent with presentment of an identity credential (e.g., driver's license or birth certificate).
2. Using procedures similar to those used when applying for consumer credit and authenticated through information in consumer credit databases or government records, such as:
   a. the ability to place or receive calls from a given number; or
   b. the ability to obtain mail sent to a known physical address.
3. Through information derived from an ongoing business relationship with the credential provider or a partner company (e.g., a financial institution, airline, employer, or retail company). Acceptable information includes:
   a. the ability to obtain mail at the billing address used in the business relationship;
   b. verification of information established in previous transactions (e.g., previous order number); or
   c. the ability to place calls from or receive phone calls at a phone number used in previous business transactions.
4. Any method used to verify the identity of an Applicant for a Level 2, 3, or 4 Client Certificate.

Level 2 Client Certificates and IGTF Classic/MICS Certificates: The CA or an RA confirms that the following are consistent with the application and sufficient to identify a unique individual: (a) the name on the government-issued photo-ID referenced below; (b) date of birth; and (c) current address or personal telephone number.
1. In-person appearance before a person performing identity proofing for a Registration Authority or a Trusted Agent (or entity certified by a state, federal, or national entity as authorized to confirm identities) with presentment of a reliable form of current government-issued photo ID.
2. The Applicant must possess a valid, current, government-issued photo ID. The Registration Authority or Trusted Agent performing identity proofing must obtain and review, which may be through remote verification, the following information about the Applicant: (i) name, date of birth, and current address or telephone number; (ii) serial number assigned to the primary, government-issued photo ID; and (iii) one additional form of ID such as another government-issued ID, an employee or student ID card number, telephone number, a financial account number (e.g., checking account, savings account, loan or credit card), or a utility service account number (e.g., electricity, gas, or water) for an address matching the applicant's residence. Identity proofing through remote verification may rely on database record checks with an agent/institution or through credit bureaus or similar databases. DigiCert or an RA may confirm an address by issuing credentials in a manner that confirms the address of record or by verifying knowledge of recent account activity associated with the Applicant's address, and may confirm a telephone number by sending a challenge-response SMS text message or by recording the applicant's voice during a communication after associating the telephone number with the applicant in records available to DigiCert or the RA.
3. Where DigiCert or an RA has a current and ongoing relationship with the Applicant, identity may be verified through the exchange of a previously exchanged shared secret (e.g., a PIN or password) that meets or exceeds NIST SP 800-63 Level 2 entropy requirements, provided that: (a) identity was originally established with the degree of rigor equivalent to that required in 1 or 2 above using a government-issued photo-ID, and (b) an ongoing relationship exists sufficient to ensure the Applicant's continued personal possession of the shared secret.
4. Any of the methods used to verify the identity of an applicant for a DigiCert Level 3 or 4 Client Certificate.

Level 3 Client Certificates: In-person proofing before an RA, Trusted Agent, or an entity certified by a state, federal, or national entity that is authorized to confirm identities. The information must be collected and stored in a secure manner. Required identification consists of one unexpired Federal/National Government-issued Picture I.D. (e.g. a passport), a REAL ID, or two unexpired Non-Federal Government I.D.s, one of which must be a photo I.D. (e.g., driver's license). The person performing identity proofing examines the credentials and determines whether they are authentic and unexpired and checks the provided information (name, date of birth, and current address) to ensure legitimacy. The Applicant signs a Declaration of Identity, defined below, to which the person performing identity proofing attests. DigiCert or the RA reviews and keeps a record of the Declaration of Identity. A trust relationship between an RA or Trusted Agent and the applicant that is based on an in-person antecedent (as defined in FBCA Supplementary Antecedent, In-Person Definition) suffices as meeting the in-person identity proofing requirement provided that (1) it meets the thoroughness and rigor of in-person proofing described above, (2) supporting ID proofing artifacts exist to substantiate the antecedent relationship, and (3) mechanisms are in place that bind the individual to the asserted identity. The identity of the Applicant must be established by in-person proofing no earlier than 30 days prior to initial certificate issuance.

Level 4 Client Certificates (Biometric ID certificates): In-person proofing before an RA, Trusted Agent, or an entity certified by a state, federal, or national entity that is authorized to confirm identities. A certified entity must forward the collected information directly to an RA in a secure manner. The Applicant must supply one unexpired Federal/National Government-issued Picture I.D. (e.g. a passport), a REAL ID, or two unexpired Non-Federal Government I.D.s, one of which must be a photo I.D. (e.g., driver's license). The entity collecting the credentials must also obtain at least one form of biometric data (e.g. photograph or fingerprints) to ensure that the Applicant cannot repudiate the application. The person performing identity verification for DigiCert or the RA examines the credentials for authenticity and validity. The Applicant signs a Declaration of Identity, defined below, to which the person performing identity proofing attests. DigiCert or the RA reviews and keeps a record of the Declaration of Identity. Use of an in-person antecedent is not allowed. The identity of the Applicant must be established by in-person proofing no earlier than 30 days prior to initial certificate issuance. Level 4 Client Certificates are issued in a manner that confirms the Applicant's address.

PIV-I Certificates: PIV-I Hardware certificates are only issued to human subscribers. The following biometric data is collected by DigiCert, an RA, or a Trusted Agent during the identity proofing and registration process:
1. An electronic facial image used for printing the facial image on the card and for visual authentication during card usage. A new facial image is collected each time a card is issued; and
2. Two electronic fingerprints, stored on the card for automated authentication during card usage.
The Subscriber must also present two identity source documents in original form that come from the list of acceptable documents included in Form I-9, OMB No. 1115-0136, Employment Eligibility Verification. At least one document must be a valid, unexpired State or Federal Government-issued picture identification (ID). For PIV-I, the use of an in-person antecedent is not applicable. Identity is established no more than 30 days prior to initial certificate issuance.

EU Qualified Certificates: Using identity and attribute validation procedures in accordance with national law. Evidence of identity is checked directly against a physical person or indirectly using means which provide equivalent assurance to physical presence.

Acceptable forms of government ID include a driver's license, state-issued photo ID card, passport, national identity card, permanent resident card, trusted traveler card, tribal ID, military ID, or similar photo identification document. Acceptable forms of non-government ID include a voided check from a current checking account, recent utility bill showing the Applicant's name, address, and utility account number, social security card, or similar document.

A Declaration of Identity consists of:
1. the identity of the person performing the verification;
2. a signed declaration by the verifying person stating that they verified the identity of the Subscriber as required using the format set forth at 28 U.S.C. 1746 (declaration under penalty of perjury) or comparable procedure under local law; the signature on the declaration may be either a handwritten or digital signature using a certificate that is of equal or higher level of assurance as the credential being issued;
3. unique identifying number(s) from the Applicant's identification document(s), or a facsimile of the ID(s);
4. the date of the verification; and
5. a declaration of identity by the Applicant that is signed (in handwriting or using a digital signature that is of equivalent or higher assurance than the credential being issued) in the presence of the person performing the verification using the format set forth at 28 U.S.C. 1746 (declaration under penalty of perjury) or comparable procedure under local law.

If in-person identity verification is required and the Applicant cannot participate in face-to-face registration alone (e.g. because the Applicant is a network device, minor, or person not legally competent), then the Applicant may be accompanied by a person already certified by the PKI or who has the required identity credentials for a certificate of the same type applied for by the Applicant. The person accompanying the Applicant (i.e. the "Sponsor") will present information sufficient for registration at the level of the certificate being requested, for himself or herself, and for the Applicant.

For in-person identity proofing at Levels 3 and 4 and for PIV-I, DigiCert may rely on an entity certified by a state, federal, or national entity as authorized to confirm identities to perform the authentication on behalf of the RA. The certified entity should forward the information collected from the applicant directly to the RA in a secure manner.

3.2.3.1. Authentication for Role-based Client Certificates

DigiCert may issue certificates that identify a specific role that the Subscriber holds, provided that the role identifies a specific individual within an organization (e.g., Chief Information Officer is a unique individual whereas Program Analyst is not). These role-based certificates are used when non-repudiation is desired. DigiCert only issues role-based certificates to Subscribers who first obtain an individual Subscriber certificate that is at the same or higher assurance level as the requested role-based certificate. DigiCert may issue certificates with the same role to multiple Subscribers. However, DigiCert requires that each certificate have a unique key pair. Individuals may not share their issued role-based certificates and are required to protect the role-based certificate in the same manner as individual certificates.

DigiCert verifies the identity of the individual requesting a role-based certificate (the sponsor) in accordance with Section 3.2.3 before issuing a role-based certificate. The sponsor must hold a DigiCert-issued client individual certificate at the same or higher assurance level as the role-based certificate. If the certificate is a pseudonymous certificate cross-certified with the FBCA that identifies subjects by their organizational roles, then DigiCert or an RA validates that the individual either holds that role or has the authority to sign on behalf of the role.

IGTF and EU Qualified Certificates are not issued as role-based certificates.

3.2.3.2. Authentication for Group Client Certificates

DigiCert issues group certificates (a certificate that corresponds to a Private Key that is shared by multiple Subscribers) if several entities are acting in one capacity and if non-repudiation is not required. Direct Address Certificates and Direct Organizational Certificates are used as group certificates consistent with applicable requirements of the Direct Program. DigiCert or the RA records the information identified in Section 3.2.3 for a sponsor before issuing a group certificate. The sponsor must be at least an Information Systems Security Officer (ISSO) or of the equivalent rank or greater within the organization.
The sponsor is responsible for ensuring control of the private key. The sponsor must maintain and continuously update a list of Subscribers with access to the private key and account for the time period during which each Subscriber had control of the key. Group certificates may list the identity of an individual in the subjectName DN provided that the subjectName DN field also includes a text string, such as "Direct Group Cert," so that the certificate specifies the subject is a group and not a single individual. Client certificates issued in this way to an organization are always considered group client certificates.

3.2.3.3. Authentication of Devices with Human Sponsors

DigiCert issues Level 1, 2, 3 or 4 Client and Federated Device Certificates for use on computing or network devices, provided that the entity owning the device is listed as the subject. In all cases, the device has a human sponsor who provides:
1. Equipment identification (e.g., serial number) or service name (e.g., DNS name),
2. Equipment public keys,
3. Equipment authorizations and attributes (if any are to be included in the certificate), and
4. Contact information.

If the certificate's sponsor changes, the new sponsor is required to review the status of each device to ensure it is still authorized to receive certificates. Each sponsor is required to provide proof that the device is still under the sponsor's control or responsibility on request. Sponsors are contractually obligated to notify DigiCert if the equipment is no longer in use, no longer under their control or responsibility, or no longer requires a certificate. All registration is verified commensurate with the requested certificate type.

3.2.4. Non-verified Subscriber Information

Level 1 - Personal Client Certificates are verified by email, and the common name is not verified as the legal name of the Subscriber. DV SSL Server Certificates do not include a verified organizational identity. Subject to the deprecation date listed in Section 3.1.1, OV SSL Certificates may contain a pseudo-domain for use within the Subscriber's internal, non-public-DNS networks. DigiCert does not issue SSL certificates to domain names or IP addresses that a Subscriber does not legitimately own or control. DigiCert may rely on the Subscriber's indication of the host or server name that forms the fully qualified domain name. Any other non-verified information included in a certificate is designated as such in the certificate. Unverified information is never included in a Level 2, Level 3, Level 4, PIV-I, Object Signing, EV SSL, Federated Device, or EU Qualified Certificate.

3.2.5. Validation of Authority

The authorization of a certificate request is verified as follows:

DV SSL Server Certificate: The request is verified with an authorized contact listed with the Domain Name Registrar, through a person with control over the domain, or through an out-of-band confirmation with the applicant. A person with access to one or more of the following email addresses is considered to have control over the domain: [email protected], [email protected], [email protected], hostmaster@domain, postmaster@domain, or any address listed as a contact field of the domain's Domain Name Registrar record.

OV SSL Server and Federated Device Certificates: The request is verified in accordance with Section 11.2.3 of the Baseline Requirements using a reliable method of communication.

EV Certificates: The request is verified in accordance with the EV Guidelines.

Object Signing Certificates and Adobe Signing Certificates: If the certificate names an organization, the requester's contact information is verified with an authoritative source within the applicant's organization using a reliable method of communication. The contact information is then used to confirm the authenticity of the certificate request.

Level 1 Client Certificates - Personal (email certificates): The request is verified through the email address listed in the certificate.

Level 1 Client Certificates - Enterprise (email certificates): The request is verified with a person who has technical or administrative control over the domain and the email address to be listed in the certificate.

Client Certificates Levels 2, 3 and 4 and PIV-I Certificates: The organization named in the certificate confirms to DigiCert or an RA that the individual is authorized to obtain the certificate. The organization is required to request revocation of the certificate when that affiliation ends.

Direct Address and Direct Organization Certificates: The entity named in the certificate authorizes a HISP to order the certificate and use the related private key on the entity's behalf. The HISP ISSO is responsible for tracking access to and ensuring proper use of the private key.

IGTF Certificates: An authorized individual approves the certificate request. For device certificates, the RA retains contact information for each device's registered owner. The device owner is required to notify the RA and request revocation if the device sponsor is no longer authorized to use the device or the FQDN in the certificate.

EU Qualified Certificates: DigiCert verifies that the individual is associated with the organization listed in the certificate (if any) and that the organization consented to the issuance of the certificate.

An organization may limit who is authorized to request certificates by sending a request to DigiCert. A request to limit authorized individuals is not effective until approved by DigiCert. DigiCert will respond to an organization's verified request for DigiCert's list of its authorized requesters.

3.3. IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS

3.3.1. Identification and Authentication for Routine Re-key

Subscribers may request re-key of a certificate prior to a certificate's expiration. After receiving a request for re-key, DigiCert creates a new certificate with the same certificate contents except for a new Public Key and, optionally, an extended validity period. If the certificate has an extended validity period, DigiCert may perform some revalidation of the Applicant but may also rely on information previously provided or obtained.
Subscribers re-establish their identity as follows (Certificate: Routine Re-Key Authentication; Re-Verification Required):

DV and OV SSL Server and Device Certificates: Username and password; at least every 39 months.

EV SSL Certificates: Username and password; according to the EV Guidelines.

Subscriber EV Code Signing Certificates: Username and password; at least every 39 months.

Signing Authority EV Code Signing Certificates: Username and password; at least every 123 months.

Timestamp EV Code Signing Certificates: Username and password; at least every 123 months.

Object Signing Certificates (including Adobe Signing Certificates): Username and password; at least every six years.

Level 1 Client Certificates: Username and password; at least every nine years.

Level 2 Client Certificates: Current signature key or multi-factor authentication meeting NIST SP 800-63 Level 3; at least every nine years.

Level 3 and 4 Client Certificates and PIV-I Certificates: Current signature key or multi-factor authentication meeting NIST SP 800-63 Level 3; at least every nine years.

Federated Device and Federated Device-hardware: Current signature key or multi-factor authentication meeting NIST 800-63 Level 3; at least every nine years.

IGTF Certificates: Username and password, RA attestation after comparison of identity documents, re-authentication through an approved IdM, or through the associated private key; at least every 13 months. However, certificates associated with a private key restricted solely to a hardware token may be rekeyed or renewed for a period of up to 5 years.

Authentication Certificates: Username and password or with the associated private key; none.

DigiCert does not re-key a certificate without additional authentication if doing so would allow the Subscriber to use the certificate beyond the limits described above.

3.3.2. Identification and Authentication for Re-key After Revocation

If a certificate was revoked for any reason other than a renewal, update, or modification action, then the Subscriber must undergo the initial registration process prior to rekeying the certificate.

3.4. IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST

DigiCert or an RA authenticates all revocation requests. DigiCert may authenticate revocation requests by referencing the Certificate's Public Key, regardless of whether the associated Private Key is compromised.

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

4.1. CERTIFICATE APPLICATION

4.1.1. Who Can Submit a Certificate Application

Either the Applicant or an individual authorized to request certificates on behalf of the Applicant may submit certificate requests. Applicants are responsible for any data that the Applicant or an agent of the Applicant supplies to DigiCert.

EV Certificate requests must be submitted by an authorized Certificate Requester and approved by a Certificate Approver. The certificate request must be accompanied by a signed (in writing or electronically) Subscriber Agreement from a Contract Signer.

DigiCert does not issue certificates to entities on a government denied list maintained by the United States or that are located in a country with which the laws of the United States prohibit doing business.

4.1.2. Enrollment Process and Responsibilities

In no particular order, the enrollment process includes:
1. Submitting a certificate application,
2. Generating a key pair,
3. Delivering the public key of the key pair to DigiCert,
4. Agreeing to the applicable Subscriber Agreement, and
5. Paying any applicable fees.

4.2. CERTIFICATE APPLICATION PROCESSING

4.2.1. Performing Identification and Authentication Functions

After receiving a certificate application, DigiCert or an RA verifies the application information and other information in accordance with Section 3.2. If an RA assists in the verification, the RA must create and maintain records sufficient to establish that it has performed its required verification tasks and communicate the completion of such performance to DigiCert. After verification is complete, DigiCert evaluates the corpus of information and decides whether or not to issue the certificate. As part of this evaluation, DigiCert checks the certificate against an internal database of previously revoked certificates and rejected certificate requests to identify suspicious certificate requests. If some or all of the documentation used to support an application is in a language other than English, a DigiCert employee, RA, or agent skilled in the language performs the final cross-correlation and due diligence.

DigiCert considers a source's availability, purpose, and reputation when determining whether a third party source is reasonably reliable. DigiCert does not consider a database, source, or form of identification reasonably reliable if DigiCert or the RA is the sole source of the information.

4.2.2. Approval or Rejection of Certificate Applications

DigiCert rejects any certificate application that DigiCert or an RA cannot verify. DigiCert may also reject a certificate application if DigiCert believes that issuing the certificate could damage or diminish DigiCert's reputation or business.
Except for Enterprise EV Certificates, EV Certificate issuance approval requires two separate DigiCert validation specialists. The second validation specialist cannot be the same individual who collected the documentation and originally approved the EV Certificate. The second validation specialist reviews the collected information and documents any discrepancies or details that require further explanation. The second validation specialist may require additional explanations and documents prior to authorizing the certificate's issuance. Enterprise RAs may perform the final cross-correlation and due diligence described herein using a single person representing the Enterprise RA. If satisfactory explanations and/or additional documents are not received within a reasonable time, DigiCert will reject the EV Certificate request and notify the Applicant accordingly.

If the certificate application is not rejected and is successfully validated in accordance with this CPS, DigiCert will approve the certificate application and issue the certificate. DigiCert is not liable for any rejected certificate and is not obligated to disclose the reasons for a rejection. Rejected Applicants may re-apply. Subscribers are required to check the certificate's contents for accuracy prior to using the certificate.

4.2.3. Time to Process Certificate Applications

Under normal circumstances, DigiCert verifies an Applicant's information and issues a digital certificate within a reasonable time frame. Issuance time frames are greatly dependent on when the Applicant provides the details and documentation necessary to complete validation. For non-EV SSL certificates, DigiCert will usually complete the validation process and issue or reject a certificate application within two working days after receiving all of the necessary details and documentation from the Applicant, although events outside of the control of DigiCert can delay the issuance process.

4.3. CERTIFICATE ISSUANCE

4.3.1. CA Actions during Certificate Issuance

DigiCert confirms the source of a certificate request before issuance. DigiCert does not issue end entity certificates directly from its root certificates. Databases and CA processes occurring during certificate issuance are protected from unauthorized modification. After issuance is complete, the certificate is stored in a database and sent to the Subscriber.

4.3.2. Notification to Subscriber by the CA of Issuance of Certificate

DigiCert may deliver certificates in any secure manner within a reasonable time after issuance. Generally, DigiCert delivers certificates via email to the email address designated by the Subscriber during the application process.

4.4. CERTIFICATE ACCEPTANCE

4.4.1. Conduct Constituting Certificate Acceptance

Subscribers are solely responsible for installing the issued certificate on the Subscriber's computer or hardware security module. Certificates are considered accepted on the earlier of (i) the Subscriber's use of the certificate or (ii) 30 days after the certificate's issuance.

4.4.2. Publication of the Certificate by the CA

DigiCert publishes all CA certificates in its repository. DigiCert publishes end-entity certificates by delivering them to the Subscriber.

4.4.3. Notification of Certificate Issuance by the CA to Other Entities

RAs may receive notification of a certificate's issuance if the RA was involved in the issuance process.

4.5. KEY PAIR AND CERTIFICATE USAGE

4.5.1. Subscriber Private Key and Certificate Usage

Subscribers are contractually obligated to protect their Private Keys from unauthorized use or disclosure, discontinue using a Private Key after expiration or revocation of the associated certificate, and use Certificates in accordance with their intended purpose.

4.5.2. Relying Party Public Key and Certificate Usage

Relying Parties may only use software that is compliant with X.509, IETF RFCs, and other applicable standards. DigiCert does not warrant that any third party software will support or enforce the controls and requirements found herein.
ARelyingPartyshouldusediscretionwhenrelyingonacertificateandshouldconsiderthetotalityofthe circumstancesandriskoflosspriortorelyingonacertificate.Ifthecircumstancesindicatethatadditional assurancesarerequired,theRelyingPartymustobtainsuchassurancesbeforeusingthecertificate.Any warrantiesprovidedbyDigiCertareonlyvalidifaRelyingParty’sreliancewasreasonableandiftheRelying PartyadheredtotheRelyingPartyAgreementsetforthintheDigiCertrepository. ARelyingPartyshouldrelyonadigitalsignatureorSSL/TLShandshakeonlyif: 1. thedigitalsignatureorSSL/TLSsessionwascreatedduringtheoperationalperiodofavalid certificateandcanbeverifiedbyreferencingavalidcertificate, 2. thecertificateisnotrevokedandtheRelyingPartycheckedtherevocationstatusofthecertificate priortothecertificate’susebyreferringtotherelevantCRLsorOCSPresponses,and 3. thecertificateisbeingusedforitsintendedpurposeandinaccordancewiththisCPS. 22 Beforerelyingonatime‐stamptoken,aRelyingPartymust: 1. verifythatthetime‐stamptokenhasbeencorrectlysignedandthatthePrivateKeyusedtosignthe time‐stamptokenhasnotbeencompromisedpriortothetimeoftheverification, 2. takeintoaccountanylimitationsontheusageofthetime‐stamptokenindicatedbythetime‐stamp policy,and 3. takeintoaccountanyotherprecautionsprescribedinthisCPSorelsewhere. 4.6. CERTIFICATERENEWAL 4.6.1. CircumstanceforCertificateRenewal DigiCertmayrenewacertificateif: 1. theassociatedpublickeyhasnotreachedtheendofitsvalidityperiod, 2. theSubscriberandattributesareconsistent,and 3. theassociatedprivatekeyremainsuncompromised. DigiCertmayalsorenewacertificateifaCAcertificateisre‐keyedorasotherwisenecessarytoprovide servicestoacustomer.DigiCertmaynotifySubscriberspriortoacertificate’sexpirationdate.Certificate renewalrequirespaymentofadditionalfees. 4.6.2. 
WhoMayRequestRenewal Onlythecertificatesubjectoranauthorizedrepresentativeofthecertificatesubjectmayrequestrenewal oftheSubscriber’scertificates.Forcertificatescross‐certifiedwiththeFBCA,renewalrequestsareonly acceptedfromcertificatesubjects,PKIsponsors,orRAs.DigiCertmayrenewacertificatewithouta correspondingrequestifthesigningcertificateisre‐keyed. 4.6.3. ProcessingCertificateRenewalRequests Renewalapplicationrequirementsandproceduresaregenerallythesameasthoseusedduringthe certificate’soriginalissuance.DigiCertmayelecttoreusepreviouslyverifiedinformationinitssole discretionbutwillrefreshanyinformationthatisolderthantheperiodsspecifiedinSection3.3.1.DigiCert mayrefusetorenewacertificateifitcannotverifyanyrecheckedinformation.Ifanindividualisrenewinga clientcertificateandtherelevantinformationhasnotchanged,thenDigiCertdoesnotrequireanyadditional identityvetting. Somedeviceplatforms,e.g.Apache,allowreneweduseofthePrivateKey.IfthePrivateKey anddomaininformationhasnotchanged,theSubscribermayrenewtheSSLcertificateusingapreviously issuedcertificateorprovidedCSR. 4.6.4. NotificationofNewCertificateIssuancetoSubscriber DigiCertmaydeliverthecertificateinanysecurefashion,typicallybyemailorbyprovidingtheSubscribera hypertextlinktoauserid/password‐protectedlocationwherethesubscribermayloginanddownloadthe certificate. 4.6.5. ConductConstitutingAcceptanceofaRenewalCertificate Renewedcertificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii) 30daysafterthecertificate’srenewal. 4.6.6. PublicationoftheRenewalCertificatebytheCA DigiCertpublishesarenewedcertificatebydeliveringittotheSubscriber.RenewedCAcertificatesare publishedinDigiCert’srepository. 4.6.7. NotificationofCertificateIssuancebytheCAtoOtherEntities RAsmayreceivenotificationofacertificate’srenewaliftheRAwasinvolvedintheissuanceprocess. 23 4.7. CERTIFICATERE‐KEY 4.7.1. 
CircumstanceforCertificateRekey Re‐keyingacertificateconsistsofcreatinganewcertificatewithanewpublickeyandserialnumberwhile keepingthesubjectinformationthesame.Thenewcertificatemayhaveadifferentvaliditydate,key identifiers,CRLandOCSPdistributionpoints,andsigningkey.Afterre‐keyingacertificate,aPIV‐I certificate,orafederateddevicecertificate,DigiCertmayrevoketheoldcertificatebutmaynotfurther re‐key,renew,ormodifythepreviouscertificate.Subscribersrequestingre‐keyshouldidentifyand authenticatethemselvesaspermittedbysection3.3.1. 4.7.2. WhoMayRequestCertificateRekey DigiCertwillonlyacceptre‐keyrequestsfromthesubjectofthecertificateorthePKIsponsor.DigiCertmay initiateacertificatere‐keyattherequestofthecertificatesubjectorinDigiCert’sowndiscretion. 4.7.3. ProcessingCertificateRekeyRequests DigiCertwillonlyacceptre‐keyrequestsfromthesubjectofthecertificateorthePKIsponsor.Ifthe PrivateKeyandanyidentityanddomaininformationinacertificatehavenotchanged,thenDigiCertcan issueareplacementcertificateusingapreviouslyissuedcertificateorpreviouslyprovidedCSR.DigiCert re‐usesexistingverificationinformationunlessre‐verificationandauthenticationisrequiredunder section3.3.1orifDigiCertbelievesthattheinformationhasbecomeinaccurate. 4.7.4. NotificationofCertificateRekeytoSubscriber DigiCertnotifiestheSubscriberwithinareasonabletimeafterthecertificateissues. 4.7.5. ConductConstitutingAcceptanceofaRekeyedCertificate Issuedcertificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii)30 daysafterthecertificateisrekeyed. 4.7.6. PublicationoftheIssuedCertificatebytheCA DigiCertpublishesrekeyedcertificatesbydeliveringthemtoSubscribers. 4.7.7. NotificationofCertificateIssuancebytheCAtoOtherEntities RAsmayreceivenotificationofacertificate’srekeyiftheRAwasinvolvedintheissuanceprocess. 4.8. CERTIFICATEMODIFICATION 4.8.1. 
CircumstancesforCertificateModification Modifyingacertificatemeanscreatinganewcertificateforthesamesubjectwithauthenticatedinformation thatdiffersslightlyfromtheoldcertificate(e.g.,changestoemailaddressornon‐essentialpartsofnamesor attributes)providedthatthemodificationotherwisecomplieswiththisCPS.Thenewcertificatemayhave thesameoradifferentsubjectpublickey.Aftermodifyingacertificatethatiscross‐certifiedwiththeFBCA, DigiCertmayrevoketheoldcertificatebutwillnotfurtherre‐key,renew,ormodifytheoldcertificate. 4.8.2. WhoMayRequestCertificateModification DigiCertmodifiescertificatesattherequestofcertaincertificatesubjectsorinitsowndiscretion.DigiCert doesnotmakecertificatemodificationservicesavailabletoallSubscribers. 4.8.3. ProcessingCertificateModificationRequests Afterreceivingarequestformodification,DigiCertverifiesanyinformationthatwillchangeinthemodified certificate.DigiCertwillonlyissuethemodifiedcertificateaftercompletingtheverificationprocessonall modifiedinformation.DigiCertwillnotissueamodifiedcertificatethathasavalidityperiodthatexceedsthe applicabletimelimitsfoundinsection3.3.1or6.3.2. 24 4.8.4. NotificationofCertificateModificationtoSubscriber DigiCertnotifiestheSubscriberwithinareasonabletimeafterthecertificateissues. 4.8.5. ConductConstitutingAcceptanceofaModifiedCertificate Issuedcertificatesareconsideredacceptedontheearlierof(i)theSubscriber’suseofthecertificateor(ii)30 daysafterthecertificateisrekeyed. 4.8.6. PublicationoftheModifiedCertificatebytheCA DigiCertpublishesmodifiedcertificatesbydeliveringthemtoSubscribers. 4.8.7. NotificationofCertificateModificationbytheCAtoOtherEntities RAsmayreceivenotificationofacertificate’smodificationiftheRAwasinvolvedintheissuanceprocess. 4.9. CERTIFICATEREVOCATIONANDSUSPENSION 4.9.1. 
CircumstancesforRevocation Revocationofacertificatepermanentlyendstheoperationalperiodofthecertificatepriortothecertificate reachingtheendofitsstatedvalidityperiod.Priortorevokingacertificate,DigiCertverifiestheidentityand authorityoftheentityrequestingrevocation.DigiCertmayrevokeanycertificateinitssolediscretion, includingifDigiCertbelievesthat: 1. TheSubscriberrequestedrevocationofitscertificate; 2. TheSubscriberdidnotauthorizetheoriginalcertificaterequestanddidnotretroactivelygrant authorization; 3. EitherthePrivateKeyassociatedwiththecertificateorthePrivateKeyusedtosignthecertificate wascompromisedormisused; 4. TheSubscriberbreachedamaterialobligationundertheCP,theCPS,ortherelevantSubscriber Agreement; 5. EithertheSubscriber’sorDigiCert’sobligationsundertheCPorCPSaredelayedorpreventedby circumstancesbeyondtheparty’sreasonablecontrol,includingcomputerorcommunication failure,and,asaresult,anotherentity’sinformationismateriallythreatenedorcompromised; 6. TheSubscriber,sponsor,orotherentitythatwasissuedthecertificatehaslostitsrightstoaname, trademark,device,IPaddress,domainname,orotherattributethatwasassociatedwiththe certificate; 7. Awildcardcertificatewasusedtoauthenticateafraudulentlymisleadingsubordinatedomainname; 8. ThecertificatewasnotissuedinaccordancewiththeCP,CPS,orapplicableindustrystandards; 9. DigiCertreceivedalawfulandbindingorderfromagovernmentorregulatorybodytorevokethe certificate; 10. DigiCertceasedoperationsanddidnotarrangeforanothercertificateauthoritytoprovide revocationsupportforthecertificates; 11. DigiCert'srighttomanagecertificatesunderapplicableindustrystandardswasterminated(unless arrangementshavebeenmadetocontinuerevocationservicesandmaintaintheCRL/OCSP Repository); 12. AnyinformationappearingintheCertificatewasorbecameinaccurateormisleading; 13. ThetechnicalcontentorformatoftheCertificatepresentsanunacceptablerisktoapplication softwarevendors,RelyingParties,orothers; 14. 
TheSubscriberwasaddedasadeniedpartyorprohibitedpersontoablacklistorisoperatingfroma destinationprohibitedunderthelawsoftheUnitedStates; 15. ForAdobeSigningCertificates,Adobehasrequestedrevocation;or 16. Forcode‐signingcertificates,thecertificatewasusedtosign,publish,ordistributemalware,code thatisdownloadedwithoutuserconsent,orotherharmfulcontent. DigiCertalwaysrevokesacertificateifthebindingbetweenthesubjectandthesubject’spublickeyinthe certificateisnolongervalidorifanassociatedPrivateKeyiscompromised. 25 DigiCertwillrevokeacross‐certificateifthecross‐certifiedentity(includingDigiCert)nolongermeetsthe stipulationsofthecorrespondingpolicies,asindicatedbypolicyOIDslistedinthepolicymappingextension ofthecross‐certificate. 4.9.2. WhoCanRequestRevocation Anyappropriatelyauthorizedparty,suchasarecognizedrepresentativeofasubscriberorcross‐signed partner,mayrequestrevocationofacertificate.DigiCertmayrevokeacertificatewithoutreceivingarequest andwithoutreason.Thirdpartiesmayrequestcertificaterevocationforproblemsrelatedtofraud,misuse,or compromise.Certificaterevocationrequestsmustidentifytheentityrequestingrevocationandspecifythe reasonforrevocation. 4.9.3. ProcedureforRevocationRequest DigiCertprocessesarevocationrequestasfollows: 1. DigiCertlogstheidentityofentitymakingtherequestorproblemreportandthereasonfor requestingrevocation.DigiCertmayalsoincludeitsownreasonsforrevocationinthelog. 2. DigiCertmayrequestconfirmationoftherevocationfromaknownadministrator,whereapplicable, viaout‐of‐bandcommunication(e.g.,telephone,fax,etc.). 3. IftherequestisauthenticatedasoriginatingfromtheSubscriber,DigiCertrevokesthecertificate. 4. Forrequestsfromthirdparties,DigiCertpersonnelbegininvestigatingtherequestwithin24hours afterreceiptanddecidewhetherrevocationisappropriatebasedonthefollowingcriteria: a. thenatureoftheallegedproblem, b. thenumberofreportsreceivedaboutaparticularcertificateorwebsite, c. 
theidentityofthecomplainants(forexample,complaintsfromalawenforcementofficial thatawebsiteisengagedinillegalactivitieshavemoreweightthanacomplaintfroma consumerallegingtheyneverreceivedthegoodstheyordered),and d. relevantlegislation. 5. IfDigiCertdeterminesthatrevocationisappropriate,DigiCertpersonnelrevokethecertificateand updatetheCRL. DigiCertmaintainsacontinuous24/7abilitytointernallyrespondtoanyhighpriorityrevocationrequests.If appropriate,DigiCertforwardscomplaintstolawenforcement. WheneveraPIV‐ICardisnolongervalid,theRAresponsibleforitsissuanceormaintenanceisrequiredto collectthePIV‐ICardfromtheSubscriberassoonaspossibleanddestroythePIV‐ICard.TheRAmustlogthe collectionandphysicaldestructionofeachPIV‐ICard. 4.9.4. RevocationRequestGracePeriod Subscribersarerequiredtorequestrevocationwithinonedayafterdetectingthelossorcompromiseofthe PrivateKey.DigiCertmaygrantandextendrevocationgraceperiodsonacase‐by‐casebasis.DigiCert reportsthesuspectedcompromiseofitsCAprivatekeyandrequestsrevocationtoboththepolicyauthority andoperatingauthorityofthesuperiorissuingCAwithinonehourofdiscovery. 4.9.5. TimewithinwhichCAMustProcesstheRevocationRequest DigiCertwillrevokeaCAcertificatewithinonehourafterreceivingclearinstructionsfromtheDCPA.Other certificatesarerevokedasquicklyaspracticalaftervalidatingtherevocationrequest,generallywithinthe followingtimeframes: 1. Certificaterevocationrequestsforpublicly‐trustedcertificatesareprocessedwithin18hoursafter theirreceipt, 2. RevocationrequestsreceivedtwoormorehoursbeforeCRLissuanceareprocessedbeforethenext CRLispublished,and 3. RevocationrequestsreceivedwithintwohoursofCRLissuanceareprocessedbeforethefollowing CRLispublished. 26 4.9.6. 
RevocationCheckingRequirementforRelyingParties Priortorelyingoninformationlistedinacertificate,aRelyingPartymustconfirmthevalidityofeach certificateinthecertificatepathinaccordancewithIETFPKIXstandards,includingcheckingforcertificate validity,issuer‐to‐subjectnamechaining,policyandkeyuseconstraints,andrevocationstatusthroughCRLs orOCSPrespondersidentifiedineachcertificateinthechain. 4.9.7. CRLIssuanceFrequency DigiCertusesitsofflinerootCAstopublishCRLsforitsintermediateCAsatleastevery6months.Foran offlineCAthathasbeencross‐signedbytheFederalBridgeCAandonlyissuesCAcertificates,certificate‐ status‐checkingcertificates,orinternaladministrativecertificates,DigiCertissuesaCRLatleastevery31 days.AllotherCRLsarepublishedatleastevery24hours.IfaCertificateisrevokedforreasonofkey compromise,aninterimCRLispublishedassoonasfeasible,butnolaterthan18hoursafterreceiptofthe noticeofkeycompromise. 4.9.8. MaximumLatencyforCRLs CRLsforcertificatesissuedtoendentitysubscribersarepostedautomaticallytotheonlinerepositorywithin acommerciallyreasonabletimeaftergeneration,usuallywithinminutesofgeneration.Irregular,interim,or emergencyCRLsarepostedwithinfourhoursaftergenerationandwithin18hoursofdeterminingofthe occurrenceofakeycompromise.RegularlyscheduledCRLsarepostedpriortothenextUpdatefieldinthe previouslyissuedCRLofthesamescope. 4.9.9. On‐lineRevocation/StatusCheckingAvailability DigiCertmakescertificatestatusinformationavailableviaOCSPforSSLandPIV‐Icertificates.OCSPmaynot beavailableforotherkindsofcertificates.WhereOCSPsupportisrequiredbytheapplicableCP,OCSP responsesareprovidedwithinacommerciallyreasonabletimeandnolaterthansixsecondsaftertherequest isreceived,subjecttotransmissionlatenciesovertheInternet. 4.9.10. On‐lineRevocationCheckingRequirements Arelyingpartymustconfirmthevalidityofacertificateinaccordancewithsection4.9.6priortorelyingon thecertificate. 4.9.11. OtherFormsofRevocationAdvertisementsAvailable Nostipulation. 4.9.12. 
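The relying-party conditions of 4.5.2 (operational period, revocation status checked against a CRL, intended purpose) and the path checks of 4.9.6 (name chaining, key use constraints, revocation status) can be exercised against a small CA built in-process. The following is an added example, not DigiCert's or this CPS's own code; it uses the third-party `cryptography` library, and the CA name, host names, serial numbers and the fixed "current time" are constructed for illustration.

```python
"""Relying-party checks from CPS 4.5.2 and 4.9.6 against a throwaway CA built
in-process with `cryptography` (added example, not DigiCert's code)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime(2014, 10, 7, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def _when(obj, attr):
    """Timestamp as tz-aware UTC across library releases (_utc props are newer)."""
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def _key_usage(**flags):
    names = ["digital_signature", "content_commitment", "key_encipherment",
             "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
             "encipher_only", "decipher_only"]
    return x509.KeyUsage(**{n: flags.get(n, False) for n in names})


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_cert(cn, key, signing_key, issuer_name=None, serial=None, is_ca=False):
    """Sign a certificate for `key`; issuer_name=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    usage = (_key_usage(key_cert_sign=True, crl_sign=True) if is_ca
             else _key_usage(digital_signature=True, key_encipherment=True))
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name or subject)
            .public_key(key.public_key())
            .serial_number(serial or x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=3650 if is_ca else 365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(signing_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials, this_update, hours_valid=24):
    """CRL over `revoked_serials`; nextUpdate follows the 24-hour cadence of 4.9.7."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(this_update)
               .next_update(this_update + timedelta(hours=hours_valid)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(this_update).build())
    return builder.sign(ca_key, hashes.SHA256())


def relying_party_check(cert, issuer, crl, now=NOW):
    """Return (accepted, reason) following the conditions in 4.5.2 and 4.9.6."""
    # Issuer-to-subject name chaining, then the signature behind that name.
    if cert.issuer != issuer.subject:
        return False, "issuer name does not chain to the CA subject"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "certificate signature does not verify"
    # Operational period.
    if not _when(cert, "not_valid_before") <= now <= _when(cert, "not_valid_after"):
        return False, "outside operational period"
    # Key use constraints: the issuer must be a CA entitled to sign certs and CRLs.
    ku = issuer.extensions.get_extension_for_class(x509.KeyUsage).value
    bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not (bc.ca and ku.key_cert_sign and ku.crl_sign):
        return False, "issuer lacks CA basic constraints or key usage"
    # Revocation status from a CRL that is both authentic and still current.
    if crl.issuer != issuer.subject or not crl.is_signature_valid(issuer.public_key()):
        return False, "CRL not signed by the issuer"
    if _when(crl, "next_update") < now:
        return False, "CRL is stale (past nextUpdate)"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate is revoked"
    return True, "ok"


def demo():
    """Constructed scenarios: good cert, revoked cert, stale CRL, and a cert
    whose issuer name matches the CA but which a different key signed."""
    ca_key, other_key = new_key(), new_key()
    ca_cert = make_cert("Constructed Example CA", ca_key, ca_key, is_ca=True)
    good = make_cert("www.example.test", new_key(), ca_key, ca_cert.subject, 1001)
    compromised = make_cert("lost-key.example.test", new_key(), ca_key, ca_cert.subject, 1002)
    lookalike = make_cert("www.example.test", new_key(), other_key, ca_cert.subject, 1003)
    fresh = build_crl(ca_key, ca_cert, [1002], NOW - timedelta(hours=1))
    stale = build_crl(ca_key, ca_cert, [1002], NOW - timedelta(days=3))
    return {"good": relying_party_check(good, ca_cert, fresh),
            "revoked": relying_party_check(compromised, ca_cert, fresh),
            "stale_crl": relying_party_check(good, ca_cert, stale),
            "lookalike": relying_party_check(lookalike, ca_cert, fresh)}
```

The stale-CRL case is the one that matters for 4.9.8: a CRL past its nextUpdate gives no assurance about revocation, so a relying party should fetch a current one rather than accept the old answer.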
SpecialRequirementsRelatedtoKeyCompromise DigiCertusescommerciallyreasonableeffortstonotifypotentialRelyingPartiesifitdiscoversorsuspectsthe compromiseofaPrivateKey.DigiCertwilltransitionanyrevocationreasoncodeinaCRLto“key compromise”upondiscoveryofsuchreasonorasrequiredbyanapplicableCP.Ifacertificateisrevoked becauseofcompromise,DigiCertwillissueanewCRLwithin18hoursafterreceivingnoticeofthe compromise. 4.9.13. CircumstancesforSuspension Notapplicable. 4.9.14. WhoCanRequestSuspension Notapplicable. 4.9.15. ProcedureforSuspensionRequest Notapplicable. 4.9.16. LimitsonSuspensionPeriod Notapplicable. 27 4.10. CERTIFICATESTATUSSERVICES 4.10.1. OperationalCharacteristics CertificatestatusinformationisavailableviaCRLandOCSPresponder.Theserialnumberofarevoked certificateremainsontheCRLuntiloneadditionalCRLispublishedaftertheendofthecertificate’svalidity period,exceptforrevokedEVCodeSigningCertificates,whichremainontheCRLforatleast365days followingthecertificate’svalidityperiod.OCSPinformationforsubscribercertificatesisupdatedatleast everyfourdays.OCSPinformationforsubordinateCAcertificatesisupdatedatleastevery12monthsand within24hoursafterrevokingthecertificate. 4.10.2. ServiceAvailability Certificatestatusservicesareavailable24x7withoutinterruption. 4.10.3. OptionalFeatures OCSPRespondersmaynotbeavailableforallcertificatetypes. 4.11. ENDOFSUBSCRIPTION ASubscriber’ssubscriptionserviceendsifitscertificateexpiresorisrevokedoriftheapplicableSubscriber Agreementexpireswithoutrenewal. 4.12. KEYESCROWANDRECOVERY 4.12.1. KeyEscrowandRecoveryPolicyPractices DigiCertneverescrowsCAPrivateKeys. DigiCertmayescrowSubscriberkeymanagementkeystoprovidekeyrecoveryservices.DigiCertencrypts andprotectsescrowedPrivateKeysusingthesameorahigherlevelofsecurityasusedtogenerateand deliverthePrivateKey.ASubscriber’sprivatesignaturekeysarenotescrowedexceptasallowedbyother supersedingpoliciesoragreementsamongSubscribers,RelyingParties,andescrowagents. 
DigiCertallowsSubscribersandotherauthorizedentitiestorecoverescrowed(decryption)PrivateKeys. DigiCertusesmulti‐personcontrolsduringkeyrecoverytopreventunauthorizedaccesstoaSubscriber’s escrowedPrivateKeys.DigiCertacceptskeyrecoveryrequests: 1. FromtheSubscriberorSubscriber’sorganization,iftheSubscriberhaslostordamagedtheprivate keytoken; 2. FromtheSubscriber’sorganization,iftheSubscriberisnotavailableorisnolongerpartofthe organizationthatcontractedwithDigiCertforPrivateKeyescrow; 3. Fromanauthorizedinvestigatororauditor,ifthePrivateKeyispartofarequiredinvestigationor audit; 4. Fromarequesterauthorizedbyacompetentlegalauthoritytoaccessthecommunicationthatis encryptedusingthekey; 5. Fromarequesterauthorizedbylaworgovernmentalregulation;or 6. FromanentitycontractingwithDigiCertforescrowofthePrivateKeywhenkeyrecoveryismission criticalormissionessential. EntitiesusingDigiCert’skeyescrowservicesarerequiredto: 1. NotifySubscribersthattheirPrivateKeysareescrowed; 2. Protectescrowedkeysfromunauthorizeddisclosure; 3. ProtectanyauthenticationmechanismsthatcouldbeusedtorecoverescrowedPrivateKeys; 4. Releaseanescrowedkeyonlyaftermakingorreceiving(asapplicable)aproperlyauthorizedrequest forrecovery;and 5. Complywithanylegalobligationstodiscloseorkeepconfidentialescrowedkeys,escrowedkey‐ relatedinformation,orthefactsconcerninganykeyrecoveryrequestorprocess. 28 4.12.2. SessionKeyEncapsulationandRecoveryPolicyandPractices Nostipulation. 5. FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS 5.1. PHYSICALCONTROLS 5.1.1. SiteLocationandConstruction DigiCertperformsitsCAandTSAoperationsfromsecureandgeographicallydiversecommercialdata centers.ThedatacentersareequippedwithlogicalandphysicalcontrolsthatmakeDigiCert’sCAandTSA operationsinaccessibletonon‐trustedpersonnel.DigiCertoperatesunderasecuritypolicydesignedto detect,deter,andpreventunauthorizedaccesstoDigiCert'soperations. 5.1.2. 
PhysicalAccess DigiCertprotectsitsequipment(includingcertificatestatusserversandCMSequipmentcontainingPIV‐I ContentSigningkeys)fromunauthorizedaccessandimplementsphysicalcontrolstoreducetheriskof equipmenttampering.ThesecurepartsofDigiCertCAhostingfacilitiesareprotectedusingphysicalaccess controlsmakingthemaccessibleonlytoappropriatelyauthorizedindividuals. Accesstosecureareasofthebuildingsrequirestheuseofan"access"or"pass"card.Thebuildingsare equippedwithmotiondetectingsensors,andtheexteriorandinternalpassagewaysofthebuildingsare underconstantvideosurveillance.DigiCertsecurelystoresallremovablemediaandpapercontaining sensitiveplain‐textinformationrelatedtoitsCAoperationsinsecurecontainersinaccordancewithitsData ClassificationPolicy. 5.1.2.1. Data Center ThedatacenterswhereDigiCert’sCAandTSAsystemsoperatehavesecuritypersonnelondutyfulltime(24 hoursperday,365daysperyear).AccesstothedatacentershousingtheCAandTSAplatformsrequires two‐factorauthentication—theindividualmusthaveanauthorizedaccesscardandpassbiometricaccess controlauthenticators.Thesebiometricauthenticationaccesssystemslogeachuseoftheaccesscard. DigiCertdeactivatesandsecurelystoresitsCAequipmentwhennotinuse.Activation data must either be memorized or recorded and stored in a manner commensurate with the security afforded the cryptographic module. Activation data is never stored with the cryptographic module or removable hardware associated with equipment used to administer DigiCert’s private keys.Cryptographichardwareincludesamechanismtolockthe hardwareafteracertainnumberoffailedloginattempts. The DigiCert data centers are continuously attended. However,ifDigiCerteverbecomesawarethatadata centeristobeleftunattendedorhasbeenleftunattendedforanextendedperiodoftime,DigiCertpersonnel willperformasecuritycheckofthedatacentertoverifythat: 1. DigiCert’sequipmentisinastateappropriatetothecurrentmodeofoperation, 2. Anysecuritycontainersareproperlysecured, 3. 
Physicalsecuritysystems(e.g.,doorlocks)arefunctioningproperly,and 4. Theareaissecuredagainstunauthorizedaccess. DigiCert’sadministratorsareresponsibleformakingthesechecksandmustsignoffthatallnecessary physicalprotectionmechanismsareinplaceandactivated.Theidentityoftheindividualmakingthecheckis logged. 5.1.2.2. Support and Vetting Room Controlledaccessandkeyed‐lockdoorssecurethesupportandvettingroomswhereDigiCertpersonnel performidentityvettingandotherRAfunctions.Accesscarduseisloggedbythebuildingsecuritysystem. Theroomisequippedwithmotion‐activatedvideosurveillancecameras. 29 5.1.3. PowerandAirConditioning Datacentershaveprimaryandsecondarypowersuppliesthatensurecontinuousanduninterruptedaccess toelectricpower.Uninterruptedpowersupplies(UPS)anddieselgeneratorsprovideredundantbackup power.DigiCertmonitorscapacitydemandsandmakesprojectionsaboutfuturecapacityrequirementsto ensurethatadequateprocessingpowerandstorageareavailable. DigiCert’sdatacenterfacilitiesusemultipleload‐balancedHVACsystemsforheating,cooling,andair ventilationthroughperforated‐tileraisedflooringtopreventoverheatingandtomaintainasuitablehumidity levelforsensitivecomputersystems. 5.1.4. WaterExposures ThecabinetshousingDigiCert'sCAandTSAsystemsarelocatedonraisedflooring,andthedatacentersare equippedwithmonitoringsystemstodetectexcessmoisture. 5.1.5. FirePreventionandProtection Thedatacentersareequippedwithfiresuppressionmechanisms. 5.1.6. MediaStorage DigiCertprotectsitsmediafromaccidentaldamageandunauthorizedphysicalaccess.Backupfilesare createdonadailybasis.Onaweeklybasis,backupmediaareremovedandstoredinabackuplocationthat isseparatefromDigiCert’sprimaryfacility. 5.1.7. WasteDisposal Allunnecessarycopiesofprintedsensitiveinformationareshreddedon‐sitebeforedisposal.Allelectronic mediaarezeroized(alldataisoverwrittenwithbinaryzerossoastopreventtherecoveryofthedata)using programsmeetingU.S.DepartmentofDefenserequirements. 5.1.8. 
Off‐siteBackup DigiCertmaintainsatleastonefullbackupandmakesregularbackupcopiesofanyinformationnecessaryto recoverfromasystemfailure.Onatleastaweeklybasis,DigiCertmovesmediadesignatedforstorageoff‐ sitetoasafedepositboxlocatedinsideafederallyinsuredfinancialinstitution.BackupcopiesofCAPrivate Keysandactivationdataarestoredoff‐siteinlocationsthatareaccessibleonlybytrustedpersonnel. 5.1.9. CertificateStatusHosting,CMSandExternalRASystems AllphysicalcontrolrequirementsunderSection5.1applyequallytoanyCertificateStatusHosting,CMS,or externalRAsystem. 5.2. PROCEDURALCONTROLS 5.2.1. TrustedRoles PersonnelactingintrustedrolesincludeCA,TSA,andRAsystemadministrationpersonnel,andpersonnel involvedwithidentityvettingandtheissuanceandrevocationofcertificates.Thefunctionsandduties performedbypersonsintrustedrolesaredistributedsothatonepersonalonecannotcircumventsecurity measuresorsubvertthesecurityandtrustworthinessofthePKIorTSAoperations.Allpersonnelintrusted rolesmustbefreefromconflictsofinterestthatmightprejudicetheimpartialityoftheDigiCertPKI’s operations.Trustedrolesareappointedbyseniormanagement.Alistofpersonnelappointedtotrusted rolesismaintainedandreviewedannually. PersonsactingintrustedrolesareonlyallowedtoaccessaCMSaftertheyareauthenticatedusingamethod commensuratewithissuanceandcontrolofPIV‐IHardware. 30 5.2.1.1. CA Administrators TheCAAdministratorinstallsandconfigurestheCAsoftware,includingkeygeneration,keybackup,andkey management.TheCAAdministratorperformsandsecurelystoresregularsystembackupsoftheCAsystem. AdministratorsdonotissuecertificatestoSubscribers. 5.2.1.2. CA Officers – CMS, RA, Validation and Vetting Personnel TheCAOfficerroleisresponsibleforissuingandrevokingcertificates,includingenrollment,identity verification,andcompliancewithrequiredissuanceandrevocationstepssuchasmanagingthecertificate requestqueueandcompletingcertificateapprovalchecklistsasidentityvettingtasksaresuccessfully completed. 5.2.1.3. 
System Administrators/ System Engineers (Operator) TheSystemAdministrator/SystemEngineerinstallsandconfiguressystemhardware,includingservers, routers,firewalls,andnetworkconfigurations.TheSystemAdministrator/SystemEngineeralsokeepsCA, CMSandRAsystemsupdatedwithsoftwarepatchesandothermaintenanceneededforsystemstabilityand recoverability. 5.2.1.4. Internal Auditors InternalAuditorsareresponsibleforreviewing,maintaining,andarchivingauditlogsandperformingor overseeinginternalcomplianceauditstodetermineifDigiCert,anIssuerCA,orRAisoperatinginaccordance withthisCPSoranRA’sRegistrationPracticesStatement. 5.2.2. NumberofPersonsRequiredperTask DigiCertrequiresthatatleasttwopeopleactinginatrustedrole(onetheCAAdministratorandtheothernot anInternalAuditor)takeactionrequiringatrustedrole,suchasactivatingDigiCert’sPrivateKeys, generatingaCAkeypair,orbackingupaDigiCertprivatekey.TheInternalAuditormayservetofulfillthe requirementofmultipartycontrolforphysicalaccesstotheCAsystembutnotlogicalaccess. NosingleindividualhasthecapabilitytoissueaPIV‐Icredential. 5.2.3. IdentificationandAuthenticationforeachRole AllpersonnelarerequiredtoauthenticatethemselvestoCA,TSA,andRAsystemsbeforetheyareallowed accesstosystemsnecessarytoperformtheirtrustedroles. 5.2.4. RolesRequiringSeparationofDuties Rolesrequiringaseparationofdutiesinclude: 1. Thoseperformingauthorizationfunctionssuchastheverificationofinformationincertificate applicationsandapprovalsofcertificateapplicationsandrevocationrequests, 2. Thoseperformingbackups,recording,andrecordkeepingfunctions; 3. Thoseperformingaudit,review,oversight,orreconciliationfunctions;and 4. ThoseperformingdutiesrelatedtoCA/TSAkeymanagementorCA/TSAadministration. 
Toaccomplishthisseparationofduties,DigiCertspecificallydesignatesindividualstothetrustedroles definedinSection5.2.1above.DigiCertappointsindividualstoonlyoneoftheOfficer,Administrator, Operator,orAuditorroles.DigiCert’ssystemsidentifyandauthenticateindividualsactingintrustedroles, restrictanindividualfromassumingmultipleroles,andpreventanyindividualfromhavingmorethanone identity. 5.3. PERSONNELCONTROLS 5.3.1. Qualifications,Experience,andClearanceRequirements TheDCPAisresponsibleandaccountableforDigiCert’sPKIoperationsandensurescompliancewiththisCPS andtheCP.DigiCert’spersonnelandmanagementpracticesprovidereasonableassuranceofthe trustworthinessandcompetenceofitsemployeesandofthesatisfactoryperformanceoftheirduties.All 31 trustedrolesforCAsissuingFederatedDeviceCertificates,ClientCertificatesatLevels3‐USand4‐US(which areintendedforinteroperabilitythroughtheFederalBridgeCAatid‐fpki‐certpcy‐mediumAssuranceandid‐ fpki‐certpcy‐mediumHardware),andPIV‐ICertificatesareheldbycitizensoftheUnitedStates.Anindividual performingatrustedroleforanRAmaybeacitizenofthecountrywheretheRAislocated.Thereisno citizenshiprequirementforpersonnelperformingtrustedrolesassociatedwiththeissuanceofotherkindsof certificates. Managementandoperationalsupportpersonnelinvolvedintime‐stampoperationspossessexperiencewith informationsecurityandriskassessmentandknowledgeoftime‐stampingtechnology,digitalsignature technology,mechanismsforcalibrationoftimestampingclockswithUTC,andsecurityprocedures.The DCPAensuresthatallindividualsassignedtotrustedroleshavetheexperience,qualifications,and trustworthinessrequiredtoperformtheirdutiesunderthisCPS. 5.3.2. 
BackgroundCheckProcedures DigiCertverifiestheidentityofeachemployeeappointedtoatrustedroleandperformsabackgroundcheck priortoallowingsuchpersontoactinatrustedrole.DigiCertrequireseachindividualtoappearin‐person beforeahumanresourcesemployeewhoseresponsibilityitistoverifyidentity.Thehumanresources employeeverifiestheindividual’sidentityusinggovernment‐issuedphotoidentification(e.g.,passports and/ordriver’slicensesreviewedpursuanttoU.S.CitizenshipandImmigrationServicesFormI‐9, EmploymentEligibilityVerification,orcomparableprocedureforthejurisdictioninwhichtheindividual’s identityisbeingverified).Backgroundchecksincludeemploymenthistory,education,characterreferences, socialsecuritynumber,previousresidences,drivingrecordsandcriminalbackground.Checksofprevious residencesareoverthepastthreeyears.Allotherchecksareforthepreviousfiveyears.Thehighest educationdegreeobtainedisverifiedregardlessofthedateawarded.Backgroundchecksarerefreshed atleasteverytenyears. 5.3.3. TrainingRequirements DigiCertprovidesskillstrainingtoallemployeesinvolvedinDigiCert’sPKIandTSAoperations.Thetraining relatestotheperson’sjobfunctionsandcovers: 1. basicPublicKeyInfrastructure(PKI)knowledge, 2. softwareversionsusedbyDigiCert, 3. authenticationandverificationpoliciesandprocedures, 4. DigiCertsecurityprincipalsandmechanisms, 5. disasterrecoveryandbusinesscontinuityprocedures, 6. commonthreatstothevalidationprocess,includingphishingandothersocialengineeringtactics, and 7. applicableindustryandgovernmentguidelines. Trainingisprovidedviaamentoringprocessinvolvingseniormembersoftheteamtowhichtheemployee belongs. DigiCertmaintainsrecordsofwhoreceivedtrainingandwhatleveloftrainingwascompleted.Validation Specialistsmusthavetheminimumskillsnecessarytosatisfactorilyperformvalidationdutiesbeforebeing grantedvalidationprivileges.AllValidationSpecialistsarerequiredtopassaninternalexaminationonthe EVGuidelinesandtheBaselineRequirementspriortovalidatingandapprovingtheissuanceofcertificates. 
Wherecompetenceisdemonstratedinlieuoftraining,DigiCertmaintainssupportingdocumentation. 5.3.4. RetrainingFrequencyandRequirements Employeesmustmaintainskilllevelsthatareconsistentwithindustry‐relevanttrainingandperformance programsinordertocontinueactingintrustedroles.DigiCertmakesallemployeesactingintrustedroles awareofanychangestoDigiCert’soperations.IfDigiCert’soperationschange,DigiCertwillprovide documentedtraining,inaccordancewithanexecutedtrainingplan,toallemployeesactingintrustedroles. 5.3.5. JobRotationFrequencyandSequence Nostipulation. 32 5.3.6. SanctionsforUnauthorizedActions DigiCertemployeesandagentsfailingtocomplywiththisCPS,whetherthroughnegligenceormalicious intent,aresubjecttoadministrativeordisciplinaryactions,includingterminationofemploymentoragency andcriminalsanctions.Ifapersoninatrustedroleiscitedbymanagementforunauthorizedor inappropriateactions,thepersonwillbeimmediatelyremovedfromthetrustedrolependingmanagement review.Aftermanagementhasreviewedanddiscussedtheincidentwiththeemployeeinvolved, managementmayreassignthatemployeetoanon‐trustedroleordismisstheindividualfromemploymentas appropriate. 5.3.7. IndependentContractorRequirements Independentcontractorswhoareassignedtoperformtrustedrolesaresubjecttothedutiesand requirementsspecifiedforsuchrolesinthisSection5.3andaresubjecttosanctionsstatedaboveinSection 5.3.6. 5.3.8. DocumentationSuppliedtoPersonnel Personnelintrustedrolesareprovidedwiththedocumentationnecessarytoperformtheirduties,including acopyoftheCP,thisCPS,EVGuidelines,andothertechnicalandoperationaldocumentationneededto maintaintheintegrityofDigiCert'sCAoperations.Personnelarealsogivenaccesstoinformationoninternal systemsandsecuritydocumentation,identityvettingpoliciesandprocedures,discipline‐specificbooks, treatisesandperiodicals,andotherinformation. 5.4. AUDITLOGGINGPROCEDURES 5.4.1. 
TypesofEventsRecorded DigiCert’ssystemsrequireidentificationandauthenticationatsystemlogonwithauniqueusernameand password.Importantsystemactionsareloggedtoestablishtheaccountabilityoftheoperatorswhoinitiate suchactions. DigiCertenablesallessentialeventauditingcapabilitiesofitsCAandTSAapplicationsinordertorecordthe eventslistedbelow.IfDigiCert’sapplicationscannotautomaticallyrecordanevent,DigiCertimplements manualprocedurestosatisfytherequirements.Foreachevent,DigiCertrecordstherelevant(i)dateand time,(ii)typeofevent,(iii)successorfailure,and(iv)userorsystemthatcausedtheeventorinitiatedthe action.DigiCertrecordstheprecisetimeofanysignificantTSAevents.Alleventrecordsareavailableto auditorsasproofofDigiCert’spractices. AuditableEvent SECURITYAUDIT Anychangestotheauditparameters,e.g.,auditfrequency,typeofeventaudited Anyattempttodeleteormodifytheauditlogs AUTHENTICATIONTOSYSTEMS Successfulandunsuccessfulattemptstoassumearole Thevalueofmaximumnumberofauthenticationattemptsischanged Maximumnumberofauthenticationattemptsoccurduringuserlogin Anadministratorunlocksanaccountthathasbeenlockedasaresultofunsuccessful authenticationattempts Anadministratorchangesthetypeofauthenticator,e.g.,fromapasswordtoabiometric LOCALDATAENTRY Allsecurity‐relevantdatathatisenteredinthesystem REMOTEDATAENTRY Allsecurity‐relevantmessagesthatarereceivedbythesystem DATAEXPORTANDOUTPUT Allsuccessfulandunsuccessfulrequestsforconfidentialandsecurity‐relevantinformation KEYGENERATION WheneveraCAgeneratesakey(notmandatoryforsinglesessionorone‐timeusesymmetric 33 AuditableEvent keys) PRIVATEKEYLOADANDSTORAGE TheloadingofComponentPrivateKeys AllaccesstocertificatesubjectPrivateKeysretainedwithintheCAforkeyrecoverypurposes TRUSTEDPUBLICKEYENTRY,DELETIONANDSTORAGE SECRETKEYSTORAGE Themanualentryofsecretkeysusedforauthentication PRIVATEANDSECRETKEYEXPORT Theexportofprivateandsecretkeys(keysusedforasinglesessionormessageareexcluded) CERTIFICATEREGISTRATION 
- All certificate requests, including issuance, re-key, renewal, and revocation
- Certificate issuance
- Verification activities

CERTIFICATE REVOCATION
- All certificate revocation requests

CERTIFICATE STATUS CHANGE APPROVAL AND REJECTION

CA CONFIGURATION
- Any security-relevant changes to the configuration of a CA system component

ACCOUNT ADMINISTRATION
- Roles and users are added or deleted
- The access control privileges of a user account or a role are modified

CERTIFICATE PROFILE MANAGEMENT
- All changes to the certificate profile

REVOCATION PROFILE MANAGEMENT
- All changes to the revocation profile

CERTIFICATE REVOCATION LIST PROFILE MANAGEMENT
- All changes to the certificate revocation list profile
- Generation of CRLs and OCSP entries

TIMESTAMPING
- Clock synchronization

MISCELLANEOUS
- Appointment of an individual to a Trusted Role
- Designation of personnel for multiparty control
- Installation of an Operating System, PKI Application, or Hardware Security Module
- Removal or Destruction of HSMs
- System Startup
- Logon attempts to PKI Application
- Receipt of hardware/software
- Attempts to set or modify passwords
- Backup or restoration of the internal CA database
- File manipulation (e.g., creation, renaming, moving)
- Posting of any material to a repository
- Access to the internal CA database
- All certificate compromise notification requests
- Loading HSMs with Certificates
- Shipment of HSMs
- Zeroizing HSMs
- Re-key of the Component

CONFIGURATION CHANGES
- Hardware
- Software
- Operating System
- Patches
- Security Profiles

PHYSICAL ACCESS / SITE SECURITY
- Personnel access to secure area housing CA or TSA component
- Access to a CA or TSA component
- Known or suspected violations of physical security
- Firewall and router activities

ANOMALIES
- System crashes and hardware failures
- Software error conditions
- Software check integrity failures
- Receipt of improper messages and misrouted messages
- Network attacks (suspected or confirmed)
- Equipment failure
- Electrical power outages
- Uninterruptible Power Supply (UPS) failure
- Obvious and significant network service or access failures
- Violations of a CPS
- Resetting Operating System clock
5.4.2. Frequency of Processing Log
At least once every two months, a DigiCert administrator reviews the logs generated by DigiCert's systems, makes system and file integrity checks, and conducts a vulnerability assessment. The administrator may perform the checks using automated tools. During these checks, the administrator (1) checks whether anyone has tampered with the log, (2) scans for anomalies or specific conditions, including any evidence of malicious activity, and (3) prepares a written summary of the review. Any anomalies or irregularities found in the logs are investigated. The summaries include recommendations to DigiCert's operations management committee and are made available to DigiCert's auditors upon request. DigiCert documents any actions taken as a result of a review.

5.4.3. Retention Period for Audit Log
DigiCert retains audit logs on-site until after they are reviewed. The individuals who remove audit logs from DigiCert's CA systems are different than the individuals who control DigiCert's signature keys.

5.4.4. Protection of Audit Log
CA audit log information is retained on equipment until after it is copied by a system administrator. DigiCert's CA and TSA systems are configured to ensure that (i) only authorized people have read access to logs, (ii) only authorized people may archive audit logs, and (iii) audit logs are not modified. Audit logs are protected from destruction prior to the end of the audit log retention period and are retained securely on-site until transferred to a backup site. DigiCert's off-site storage location is a safe and secure location that is separate from the location where the data was generated.

DigiCert makes time-stamping records available when required to prove in a legal proceeding that DigiCert's time-stamping services are operating correctly. Audit logs are made available to auditors upon request.

5.4.5. Audit Log Backup Procedures
DigiCert makes regular backup copies of audit logs and audit log summaries and sends a copy of the audit log off-site on a monthly basis.
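The two checks a reviewer performs under 5.4.2 (whether anyone has tampered with the log, and a scan for anomalies such as the repeated failed actions that 5.4.8 says must raise an alert) and the "audit logs are not modified" requirement of 5.4.4 can be enforced mechanically. The Python below is an added illustrative example, not DigiCert's code or a description of its systems: each audit record carries the four fields this CPS records per event and is chained to its predecessor by a SHA-256 digest, so a later edit or truncation is detected on review; the review step then flags repeated failed role assumptions. The field names, the sample events and the failure threshold are assumptions.

```python
"""Hash-chained audit records with the tamper check and anomaly scan of a log review.

Illustrative example written for this commentary; not DigiCert code.
Field names, sample events and the failure threshold are assumptions.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # chain anchor for the first record


def record_digest(prev_digest, event):
    """Digest of one entry: previous digest || canonical JSON of the event,
    so every entry commits to the whole history before it."""
    payload = prev_digest + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(log, event):
    """Append an event carrying (i) time, (ii) type, (iii) success/failure and
    (iv) actor, chained to the previous entry. Returns the stored entry."""
    missing = {"time", "type", "success", "actor"} - set(event)
    if missing:
        raise ValueError("event lacks required fields: %s" % sorted(missing))
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"event": dict(event), "prev": prev}
    entry["digest"] = record_digest(prev, entry["event"])
    log.append(entry)
    return entry


def verify_chain(log):
    """Recompute every digest. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or record_digest(prev, entry["event"]) != entry["digest"]:
            return False, i
        prev = entry["digest"]
    return True, -1


def review(log, max_failures=3):
    """Review step: (1) tamper check, (2) scan for repeated failed role assumptions."""
    findings = []
    ok, idx = verify_chain(log)
    if not ok:
        findings.append("chain broken at entry %d: log tampered or truncated" % idx)
    failures = Counter(e["event"]["actor"] for e in log
                       if e["event"]["type"] == "role-assume" and not e["event"]["success"])
    for actor, n in sorted(failures.items()):
        if n >= max_failures:
            findings.append("%d failed role assumptions by %s" % (n, actor))
    return findings


# Constructed sample events (assumptions, not real records).
SAMPLE_EVENTS = [
    {"time": "2014-10-07T09:00:00Z", "type": "role-assume", "success": True, "actor": "ca-admin-1"},
    {"time": "2014-10-07T09:05:10Z", "type": "role-assume", "success": False, "actor": "op-7"},
    {"time": "2014-10-07T09:05:25Z", "type": "role-assume", "success": False, "actor": "op-7"},
    {"time": "2014-10-07T09:05:41Z", "type": "role-assume", "success": False, "actor": "op-7"},
    {"time": "2014-10-07T09:30:00Z", "type": "audit-param-change", "success": True, "actor": "ca-admin-1"},
]


def build_sample_log():
    log = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev)
    return log


def tampered_sample_log():
    """Same log, but entry 1's failure is flipped to a success after the fact."""
    log = build_sample_log()
    log[1]["event"]["success"] = True
    return log


if __name__ == "__main__":
    print(review(build_sample_log()))
    print(review(tampered_sample_log()))
```

The chain only detects modification; it does not prevent it, which is why the CPS also separates the people who remove logs from those who control the signing keys (5.4.3) and ships copies off-site (5.4.5). Anchoring the latest digest in a record the CA operators cannot rewrite (for example in the off-site copy) is what makes truncation of the tail detectable as well.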
5.4.6. Audit Collection System (internal vs. external)
Automatic audit processes begin on system startup and end at system shutdown. If an automated audit system fails and the integrity of the system or confidentiality of the information protected by the system is at risk, DigiCert's Administrators will consider suspending its operation until the problem is remedied.

5.4.7. Notification to Event-causing Subject
No stipulation.

5.4.8. Vulnerability Assessments
DigiCert performs annual risk assessments that identify and assess reasonably foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any certificate data or certificate issuance process. DigiCert also routinely assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that DigiCert has in place to control such risks. DigiCert's Internal Auditors review the security audit data checks for continuity and will alert the appropriate personnel of any events, such as repeated failed actions, requests for privileged information, attempted access of system files, and unauthenticated responses.

5.5. RECORDS ARCHIVAL
DigiCert complies with all record retention policies that apply by law. DigiCert includes sufficient detail in all archived records to show that a certificate or time-stamp token was issued in accordance with this CPS.

5.5.1. Types of Records Archived
DigiCert retains the following information in its archives (as such information pertains to DigiCert's CA/TSA operations):
1. Accreditations of DigiCert,
2. CP and CPS versions,
3. Contractual obligations and other agreements concerning the operation of the CA/TSA,
4. System and equipment configurations, modifications, and updates,
5. Rejection or acceptance of a certificate request,
6. Certificate issuance, rekey, renewal, and revocation requests,
7. Sufficient identity authentication data to satisfy the identification requirements of Section 3.2, including information about telephone calls made for verification purposes,
8. Any documentation related to the receipt or acceptance of a certificate or token,
9. Subscriber Agreements,
10. Issued certificates,
11. A record of certificate re-keys,
12. CRL and OCSP entries,
13. Data or applications necessary to verify an archive's contents,
14. Compliance auditor reports,
15. Changes to DigiCert's audit parameters,
16. Any attempt to delete or modify audit logs,
17. Key generation, destruction, storage, backup, and recovery,
18. Access to Private Keys for key recovery purposes,
19. Changes to trusted Public Keys,
20. Export of Private Keys,
21. Approval or rejection of a certificate status change request,
22. Appointment of an individual to a trusted role,
23. Destruction of a cryptographic module,
24. Certificate compromise notifications,
25. Remedial action taken as a result of violations of physical security, and
26. Violations of the CP or CPS.

5.5.2. Retention Period for Archive
DigiCert retains archived data associated with Level 3 or Level 4, federated device, and PIV-I certificates for at least 10.5 years. DigiCert, or the RA supporting issuance, archives data for other certificate types for at least 7.5 years.

5.5.3. Protection of Archive
Archive records are stored at a secure off-site location and are maintained in a manner that prevents unauthorized modification, substitution, or destruction. Archives are not released except as allowed by the DCPA or as required by law. DigiCert maintains any software application required to process the archive data until the data is either destroyed or transferred to a newer medium.

If DigiCert needs to transfer any media to a different archive site or equipment, DigiCert will maintain both archived locations and/or pieces of equipment until the transfer is complete. All transfers to new archives will occur in a secure manner.

5.5.4. Archive Backup Procedures
On a semi-annual basis, DigiCert creates an archive disk of the data listed in section 5.5.1 by grouping the data types together by source into separate, compressed archive files. Each archive file is hashed to produce checksums that are stored separately for integrity verification at a later date. DigiCert stores the archive disk in a secure off-site location for the duration of the set retention period. RAs create and store archived records in accordance with the applicable documentation retention policy.
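The archive procedure of 5.5.4 (group records by source into separate compressed archive files, hash each file, keep the checksums apart from the archive) and the verification step of 5.5.7 (recompute the hash of the compressed file and compare it with the stored checksum) are shown below in Python as an added illustrative example; this is not DigiCert's code. The directory layout, the file names, the JSON record format and the sample records are assumptions; SHA-256 is used as the checksum because the CPS names no specific hash for this step.

```python
"""Build per-source compressed archives with detached checksums, then verify them.

Illustrative example written for this commentary; not DigiCert code.
Layout, file names and sample records are assumptions.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample records keyed by source system (assumptions, not real data).
SAMPLE_RECORDS = {
    "ca": [{"serial": "01", "event": "issuance"}, {"serial": "01", "event": "revocation"}],
    "ra": [{"request": "r-1", "result": "accepted"}],
}


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_archive(records, archive_dir, checksum_dir):
    """Write <source>.tar.gz per source into archive_dir and the checksum map into
    checksum_dir, which is a separate location. Returns the checksum map."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    checksum_dir.mkdir(parents=True, exist_ok=True)
    checksums = {}
    for source, items in records.items():
        path = archive_dir / ("%s.tar.gz" % source)
        with tarfile.open(str(path), "w:gz") as tar:
            for i, item in enumerate(items):
                data = json.dumps(item, sort_keys=True).encode("utf-8")
                info = tarfile.TarInfo(name="%s/%06d.json" % (source, i))
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        checksums[path.name] = sha256_file(path)
    (checksum_dir / "checksums.json").write_text(json.dumps(checksums, indent=2))
    return checksums


def verify_archive(archive_dir, checksum_dir):
    """Compare each archive file's current hash with its stored checksum.
    Returns {file name: True/False}; a missing file counts as a failure."""
    stored = json.loads((checksum_dir / "checksums.json").read_text())
    results = {}
    for name, expected in stored.items():
        path = archive_dir / name
        results[name] = path.exists() and sha256_file(path) == expected
    return results


def demo():
    """Build, verify clean, corrupt one archive file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        archive_dir, checksum_dir = base / "archive", base / "checksums"
        build_archive(SAMPLE_RECORDS, archive_dir, checksum_dir)
        clean = verify_archive(archive_dir, checksum_dir)
        # Simulate a single-bit change in the stored RA archive.
        ra = archive_dir / "ra.tar.gz"
        raw = bytearray(ra.read_bytes())
        raw[-1] ^= 0x01
        ra.write_bytes(bytes(raw))
        after = verify_archive(archive_dir, checksum_dir)
    return clean, after


if __name__ == "__main__":
    print(demo())
```

Keeping the checksum file on different media from the archive disk is the point of "stored separately": an attacker or a media fault that alters the archive cannot also update the checksum, so the comparison in 5.5.7 remains meaningful.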
5.5.5. Requirements for Time-stamping of Records
DigiCert automatically time-stamps archived records with system time (non-cryptographic method) as they are created. DigiCert synchronizes its system time at least every eight hours using a real time value distributed by a recognized UTC(k) laboratory or National Measurement Institute.

Certificate issuance is time-stamped as a function of the "Valid From" field in accordance with the X.509 Certificate Profile. Certificate revocation is time-stamped as a function of the "Revocation Date" field in accordance with the X.509 Certificate Revocation List Profile.

5.5.6. Archive Collection System (internal or external)
Archive information is collected internally by DigiCert.

5.5.7. Procedures to Obtain and Verify Archive Information
Details concerning the creation and storage of archive information are found in section 5.5.4. After receiving a request made for a proper purpose by a Customer, its agent, or a party involved in a dispute over a transaction involving the DigiCert PKI, DigiCert may elect to retrieve the information from archival. The integrity of archive information is verified by comparing a hash of the compressed archive file with the file checksum originally stored for that file, as described in Section 5.5.4. DigiCert may elect to transmit the relevant information via a secure electronic method or courier, or it may also refuse to provide the information in its discretion and may require prior payment of all costs associated with the data.

5.6. KEY CHANGEOVER
Key changeover procedures enable the smooth transition from expiring CA certificates to new CA certificates.
Towards the end of a CA Private Key's lifetime, DigiCert ceases using the expiring CA Private Key to sign certificates and uses the old Private Key only to sign CRLs and OCSP responder certificates. A new CA signing key pair is commissioned and all subsequently issued certificates and CRLs are signed with the new private signing key. Both the old and the new key pairs may be concurrently active. This key changeover process helps minimize any adverse effects from CA certificate expiration. The corresponding new CA Public Key certificate is provided to subscribers and relying parties through the delivery methods detailed in Section 6.1.4. Where DigiCert has cross-certified another CA that is in the process of a key rollover, DigiCert obtains a new CA public key (PKCS#10) or new CA certificate from the other CA and distributes a new CA cross certificate following the procedures described above.

5.7. COMPROMISE AND DISASTER RECOVERY
5.7.1. Incident and Compromise Handling Procedures
DigiCert maintains incident response procedures to guide personnel in response to security incidents, natural disasters, and similar events that may give rise to system compromise. DigiCert reviews, tests, and updates its incident response plans and procedures on at least an annual basis.

5.7.2. Computing Resources, Software, and/or Data Are Corrupted
DigiCert makes regular system backups on at least a weekly basis and maintains backup copies of its Private Keys, which are stored in a secure, off-site location. If DigiCert discovers that any of its computing resources, software, or data operations have been compromised, DigiCert assesses the threats and risks that the compromise presents to the integrity or security of its operations or those of affected parties. If DigiCert determines that a continued operation could pose a significant risk to Relying Parties or Subscribers, DigiCert suspends such operation until it determines that the risk is mitigated.

5.7.3. Entity Private Key Compromise Procedures
If DigiCert suspects that one of its Private Keys has been compromised or lost then an emergency response team will convene and assess the situation to determine the degree and scope of the incident and take appropriate action. Specifically, DigiCert will:
1. Collect information related to the incident;
2. Begin investigating the incident and determine the degree and scope of the compromise;
3. Have its incident response team determine and report on the course of action or strategy that should be taken to correct the problem and prevent reoccurrence;
4. If appropriate, contact government agencies, law enforcement, and other interested parties and activate any other appropriate additional security measures;
5. If the compromise involves a Private Key used to sign time-stamp tokens, provide a description of the compromise to Subscribers and Relying Parties;
6. Notify any cross-certified entities of the compromise so that they can revoke their cross-certificates;
7. Make information available that can be used to identify which certificates and time-stamp tokens are affected, unless doing so would breach the privacy of a DigiCert user or the security of DigiCert's services;
8. Monitor its system, continue its investigation, ensure that data is still being recorded as evidence, and make a forensic copy of data collected;
9. Isolate, contain, and stabilize its systems, applying any short-term fixes needed to return the system to a normal operating state;
10. Prepare and circulate an incident report that analyzes the cause of the incident and documents the lessons learned; and
11. Incorporate lessons learned into the implementation of long term solutions and the Incident Response Plan.

DigiCert may generate a new key pair and sign a new certificate. If a disaster physically damages DigiCert's equipment and destroys all copies of DigiCert's signature keys then DigiCert will provide notice to affected parties at the earliest feasible time.

5.7.4. Business Continuity Capabilities after a Disaster
To maintain the integrity of its services, DigiCert implements data backup and recovery procedures as part of its Business Continuity Management Plan (BCMP). Stated goals of the BCMP are to ensure that certificate status services be only minimally affected by any disaster involving DigiCert's primary facility and that DigiCert be capable of maintaining other services or resuming them as quickly as possible following a disaster. DigiCert reviews, tests, and updates the BCMP and supporting procedures at least annually.
DigiCert's systems are redundantly configured at its primary facility and are mirrored at a separate, geographically diverse location for failover in the event of a disaster. If a disaster causes DigiCert's primary CA or TSA operations to become inoperative, DigiCert will re-initiate its operations at its secondary location giving priority to the provision of certificate status information and timestamping capabilities, if affected.

5.8. CA OR RA TERMINATION
Before terminating its CA or TSA activities, DigiCert will:
1. Provide notice and information about the termination by sending notice by email to its customers, Application Software Vendors, and cross-certifying entities and by posting such information on DigiCert's website; and
2. Transfer all responsibilities to a qualified successor entity.

If a qualified successor entity does not exist, DigiCert will:
1. transfer those functions capable of being transferred to a reliable third party and arrange to preserve all relevant records with a reliable third party or a government, regulatory, or legal body with appropriate authority;
2. revoke all certificates that are still un-revoked or un-expired on a date as specified in the notice and publish final CRLs;
3. destroy all Private Keys; and
4. make other necessary arrangements that are in accordance with this CPS.

DigiCert has made arrangements to cover the costs associated with fulfilling these requirements in case DigiCert becomes bankrupt or is unable to cover the costs. Any requirements of this section that are varied by contract apply only to the contracting parties.

6. TECHNICAL SECURITY CONTROLS
6.1. KEY PAIR GENERATION AND INSTALLATION
6.1.1. Key Pair Generation
All keys must be generated using a FIPS-approved method or equivalent international standard.
DigiCert's CA key pairs are generated by multiple trusted individuals acting in trusted roles and using a cryptographic hardware device as part of a scripted key generation ceremony. The cryptographic hardware is evaluated to FIPS 140-1 Level 3 and EAL 4+. Activation of the hardware requires the use of two-factor authentication tokens. DigiCert creates auditable evidence during the key generation process to prove that the CPS was followed and role separation was enforced during the key generation process. DigiCert requires that an auditor witness the generation of any CA keys to be used as publicly trusted root certificates or to sign EV Certificates. For other CA key pair generation ceremonies, DigiCert establishes its compliance with this requirement by having an auditor or independent third party attend the ceremony or by having an auditor examine the signed and documented record of the key generation ceremony, as allowed by applicable policy.

Subscribers must generate their keys in a manner that is appropriate for the certificate type. Certificates issued at Level 3 Hardware or at Level 4 Biometric must be generated on validated hardware cryptographic modules using a FIPS-approved method. Subscribers who generate their own keys for a Qualified Certificate on an SSCD shall ensure that the SSCD meets the requirements of CWA 14169 and that the Public Key to be certified is from the key pair generated by the SSCD. For Adobe Signing Certificates, Subscribers must generate their key pairs in a medium that prevents exportation or duplication and that meets or exceeds FIPS 140-1 Level 2 certification standards.

6.1.2. Private Key Delivery to Subscriber
If DigiCert, a CMS, or an RA generates a key for a Subscriber, then it must deliver the Private Key securely to the Subscriber. Keys may be delivered electronically (such as through secure email or stored in a cloud-based system) or on a hardware cryptographic module/SSCD. In all cases:
1. Except where escrow/backup services are authorized and permitted, the key generator must not retain access to the Subscriber's Private Key after delivery,
2. The key generator must protect the private key from activation, compromise, or modification during the delivery process,
3. The Subscriber must acknowledge receipt of the private key(s), typically by having the Subscriber use the related certificate, and
4. The key generator must deliver the Private Key in a way that ensures that the correct tokens and activation data are provided to the correct Subscribers, including:
   a. For hardware modules, the key generator maintaining accountability for the location and state of the module until the Subscriber accepts possession of it and
   b. For electronic delivery of private keys, the key generator encrypting key material using a cryptographic algorithm and key size at least as strong as the private key. The key generator shall deliver activation data using a separate secure channel.

The entity assisting the Subscriber with key generation shall maintain a record of the Subscriber's acknowledgement of receipt of the device containing the Subscriber's Key Pair. A CMS or RA providing key delivery services is required to provide a copy of this record to DigiCert.

6.1.3. Public Key Delivery to Certificate Issuer
Subscribers generate key pairs and submit the Public Key to DigiCert in a CSR as part of the certificate request process. The Subscriber's signature on the request is authenticated prior to issuing the certificate.

6.1.4. CA Public Key Delivery to Relying Parties
DigiCert's Public Keys are provided to Relying Parties as specified in a certificate validation or path discovery policy file, as trust anchors in commercial browsers and operating system root stores, and/or as roots signed by other CAs. All accreditation authorities supporting DigiCert certificates and all application software providers are permitted to redistribute DigiCert's root anchors.

DigiCert may also distribute Public Keys that are part of an updated signature key pair as a self-signed certificate, as a new CA certificate, or in a key roll-over certificate. Relying Parties may obtain DigiCert's self-signed CA certificates from DigiCert's website or by email.

6.1.5. Key Sizes
DigiCert generally follows the NIST timelines in using and retiring signature algorithms and key sizes.
Currently, DigiCert generates and uses at least the following minimum key sizes, signature algorithms, and hash algorithms for signing certificates, CRLs, and certificate status server responses:

For non-FBCA certificates:
- 2048-bit RSA Key with Secure Hash Algorithm version 1 (SHA-1) (SHA-1 is being phased out)

For all certificates:
- 2048-bit RSA Key with Secure Hash Algorithm version 2 (SHA-256)
- 384-bit ECDSA Key with Secure Hash Algorithm version 2 (SHA-256)

DigiCert requires end-entity certificates to contain a key size that is at least 2048 bits for RSA, DSA, or Diffie-Hellman and 224 bits for elliptic curve algorithms.

DigiCert may require higher bit keys in its sole discretion. PIV-I Certificates contain public keys and algorithms that conform to [NIST SP 800-78].

Any certificates (whether CA or end-entity) expiring after 12/31/2030 must be at least 3072-bit for RSA and 256-bit for ECDSA.

Signatures on CRLs, OCSP responses, and OCSP responder certificates that provide status information for certificates that were generated using SHA-1 are also generated using the SHA-1 algorithm. All other signatures on CRLs, OCSP responses, and OCSP responder certificates use the SHA-256 hash algorithm or one that is equally or more resistant to collision attack.

DigiCert and Subscribers may fulfill their requirements under the CP and this CPS using TLS or another protocol that provides similar security, provided the protocol requires at least AES 128 bits or equivalent for the symmetric key and at least 2048 bit RSA or equivalent for the asymmetric keys (and at least 3072 bit RSA or equivalent for asymmetric keys after 12/31/2030).

6.1.6. Public Key Parameters Generation and Quality Checking
DigiCert uses a crypto module that conforms to FIPS 186-2 and provides random number generation and on-board generation of up to 4096-bit RSA Public Keys and a wide range of ECC curves.

6.1.7. Key Usage Purposes (as per X.509 v3 key usage field)
DigiCert's certificates include key usage extension fields that specify the intended use of the certificate and technically limit the certificate's functionality in X.509 v3 compliant software.

The use of a specific key is determined by the key usage extension in the X.509 certificate.
Subscriber certificates assert key usages based on the intended application of the key pair. In particular, certificates to be used for digital signatures (including authentication) set the digitalSignature and/or nonRepudiation bits. Certificates to be used for key or data encryption shall set the keyEncipherment and/or dataEncipherment bits. Certificates to be used for key agreement shall set the keyAgreement bit.

Key usage bits and extended key usages are specified in the certificate profile for each type of certificate as set forth in DigiCert's Certificate Profiles document. DigiCert's CA certificates have at least two key usage bits set: keyCertSign and cRLSign, and for signing OCSP responses, the digitalSignature bit is also set.

Except for legacy applications requiring a single key for dual use with both encryption and signature, DigiCert does not issue certificates with key usage for both signing and encryption. Instead, DigiCert issues Subscribers two key pairs: one for key management and one for digital signature and authentication. For Certificates at Levels 1, 2 and 3 that are used for signing and encryption in support of legacy applications, they must:
1. be generated and managed in accordance with their respective signature certificate requirements, except where otherwise noted in this CPS,
2. never assert the non-repudiation key usage bit, and
3. not be used for authenticating data that will be verified on the basis of the dual-use certificate at a future time.

No Level 4 certificates may have such dual-use key pairs.

PIV-I Content Signing certificates also include an extended key usage of id-fpki-pivi-content-signing.

6.2. PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
6.2.1. Cryptographic Module Standards and Controls
DigiCert's cryptographic modules for all of its CA and OCSP responder key pairs are validated to the FIPS 140 Level 3 and International Common Criteria (CC) Information Technology Security Evaluation Assurance Level (EAL) 14169 EAL 4+ Type 3 (EAL 4 Augmented by AVA_VLA.4 and AVA_MSU.3) in the European Union (EU).

IGTF Certificate Subscribers must protect their Private Keys in accordance with the applicable Guidelines on Private Key Protection, including the use of strong passphrases to protect private keys.
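The key size floors of 6.1.5 (2048 bits for RSA/DSA/DH and 224 bits for elliptic curves, rising to 3072 and 256 bits for anything expiring after 12/31/2030) and the key usage rules of 6.1.7 (signature certificates set digitalSignature and/or nonRepudiation, encryption certificates set keyEncipherment and/or dataEncipherment, key agreement sets keyAgreement, CA certificates set keyCertSign and cRLSign plus digitalSignature when they sign OCSP responses, dual-use only for legacy applications at Levels 1 to 3 and never with nonRepudiation) are the kind of rules an issuance pipeline should check before a certificate is signed. The Python below is an added illustrative example of such a pre-issuance lint, not DigiCert's code or its Certificate Profiles document. The profile dictionary shape, the purpose labels and the sample profiles are assumptions; the thresholds and bit names come from the CPS text.

```python
"""Pre-issuance lint for the key size and key usage rules in 6.1.5 and 6.1.7.

Illustrative example written for this commentary; not DigiCert code.
Profile dictionary shape, purpose labels and sample profiles are assumptions.
"""
from datetime import date

POST_2030 = date(2030, 12, 31)
MIN_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 224}
MIN_BITS_POST_2030 = {"RSA": 3072, "EC": 256}

SIGNATURE_BITS = {"digitalSignature", "nonRepudiation"}
ENCRYPTION_BITS = {"keyEncipherment", "dataEncipherment"}


def check_key_size(algorithm, bits, not_after):
    """Minimum key size, including the stricter floor for post-2030 expiry."""
    problems = []
    floor = MIN_BITS.get(algorithm)
    if floor is None:
        return ["unsupported algorithm %s" % algorithm]
    if bits < floor:
        problems.append("%s %d bits below minimum %d" % (algorithm, bits, floor))
    if not_after > POST_2030:
        late_floor = MIN_BITS_POST_2030.get(algorithm)
        if late_floor and bits < late_floor:
            problems.append("expires after 2030-12-31 but %s is only %d bits (need %d)"
                            % (algorithm, bits, late_floor))
    return problems


def check_key_usage(profile):
    """Key usage bits must match the intended application; dual use is restricted."""
    ku = set(profile["key_usage"])
    problems = []
    if profile.get("is_ca"):
        if not {"keyCertSign", "cRLSign"} <= ku:
            problems.append("CA certificate must set keyCertSign and cRLSign")
        if profile.get("signs_ocsp") and "digitalSignature" not in ku:
            problems.append("CA that signs OCSP responses must also set digitalSignature")
        return problems
    purpose = profile["purpose"]
    if purpose == "signature" and not ku & SIGNATURE_BITS:
        problems.append("signature certificate needs digitalSignature and/or nonRepudiation")
    if purpose == "encryption" and not ku & ENCRYPTION_BITS:
        problems.append("encryption certificate needs keyEncipherment and/or dataEncipherment")
    if purpose == "key-agreement" and "keyAgreement" not in ku:
        problems.append("key agreement certificate needs keyAgreement")
    dual_use = bool(ku & SIGNATURE_BITS) and bool(ku & ENCRYPTION_BITS)
    if dual_use:
        if not profile.get("legacy_application"):
            problems.append("dual-use key usage is only issued for legacy applications")
        if profile.get("level") == 4:
            problems.append("Level 4 certificates may not be dual-use")
        if "nonRepudiation" in ku:
            problems.append("dual-use certificate must never assert nonRepudiation")
    return problems


def lint_profile(profile):
    """All findings for one issuance profile; an empty list means it passes."""
    return (check_key_size(profile["algorithm"], profile["bits"], profile["not_after"])
            + check_key_usage(profile))


# Constructed sample profiles (assumptions, not DigiCert's profiles).
SAMPLES = {
    "ok-signing": {"algorithm": "RSA", "bits": 2048, "not_after": date(2017, 10, 7),
                   "purpose": "signature", "key_usage": ["digitalSignature"], "level": 3},
    "weak-ec-2031": {"algorithm": "EC", "bits": 224, "not_after": date(2031, 1, 1),
                     "purpose": "key-agreement", "key_usage": ["keyAgreement"], "level": 2},
    "dual-use-l4": {"algorithm": "RSA", "bits": 2048, "not_after": date(2017, 1, 1),
                    "purpose": "signature", "legacy_application": True, "level": 4,
                    "key_usage": ["digitalSignature", "nonRepudiation", "keyEncipherment"]},
    "ca-ocsp": {"algorithm": "RSA", "bits": 4096, "not_after": date(2035, 1, 1),
                "is_ca": True, "signs_ocsp": True, "key_usage": ["keyCertSign", "cRLSign"]},
}

if __name__ == "__main__":
    for name, profile in SAMPLES.items():
        print(name, lint_profile(profile) or "ok")
```

The lint runs on the requested profile, not on the finished certificate, which is the cheaper place to catch a violation; the same functions can be run over parsed certificates after the fact as part of the periodic review.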
Cryptographic module requirements for subscribers and registration authorities are shown in the table below.

Assurance Level                                                  | Subscriber                                                | Registration Authority
EV Code Signing                                                  | FIPS 140 Level 2 (Hardware)                               | FIPS 140 Level 2 (Hardware)
Adobe Signing                                                    | FIPS 140 Level 2 (Hardware)                               | FIPS 140 Level 3 (Hardware)
Rudimentary                                                      | N/A                                                       | FIPS 140 Level 1 (Hardware or Software)
Basic, LOA 2, and LOA 3                                          | FIPS 140 Level 1 (Hardware or Software)                   | FIPS 140 Level 1 (Hardware or Software)
Medium                                                           | FIPS 140 Level 1 (Software); FIPS 140 Level 2 (Hardware)  | FIPS 140 Level 2 (Hardware)
Medium Hardware, Biometric & PIV-I Card/Hardware Authentication  | FIPS 140 Level 2 (Hardware)                               | FIPS 140 Level 2 (Hardware)
EU QC on SSCD                                                    | EAL 4 Augmented (Hardware)                                | EAL 4 Augmented (Hardware)

DigiCert ensures that the Private Key of an EV Code Signing Certificate is properly generated, used, and stored in a crypto module that meets or exceeds the requirements of FIPS 140 level 2 by (i) shipping conforming crypto modules with preinstalled key pairs, (ii) communicating via PKCS#11 crypto APIs of crypto modules that DigiCert has verified meet or exceed requirements, or (iii) obtaining an IT audit from the Subscriber that indicates compliance with FIPS 140-2 level 2 or the equivalent.

6.2.2. Private Key (n out of m) Multi-person Control
DigiCert's authentication mechanisms are protected securely when not in use and may only be accessed by actions of multiple trusted persons.

Backups of CA Private Keys are securely stored off-site and require two-person access. Re-activation of a backed-up CA Private Key (unwrapping) requires the same security and multi-person control as when performing other sensitive CA Private Key operations.

6.2.3. Private Key Escrow
DigiCert does not escrow its signature keys. Subscribers may not escrow their private signature keys or dual use keys except as allowed by other superseding policies or agreements among Subscribers, Relying Parties, and escrow agents. DigiCert may provide escrow services for other types of certificates in order to provide key recovery as described in section 4.12.1.
6.2.4. Private Key Backup
DigiCert's Private Keys are generated and stored inside DigiCert's cryptographic module, which has been evaluated to at least FIPS 140 Level 3 and EAL 4+. When keys are transferred to other media for backup and disaster recovery purposes, the keys are transferred and stored in an encrypted form. DigiCert's CA key pairs are backed up by multiple trusted individuals using a cryptographic hardware device as part of a scripted and videotaped key backup process.

DigiCert may provide backup services for Private Keys that are not required to be kept on a hardware device. Access to backup certificates is protected in a manner that only the Subscriber can control the private key. DigiCert may require backup of PIV-I Content Signing private signature keys to facilitate disaster recovery, provided that all backup is performed under multi-person control. Backed up keys are never stored in a plain text form outside of the cryptographic module.

6.2.5. Private Key Archival
DigiCert does not archive Private Keys.

6.2.6. Private Key Transfer into or from a Cryptographic Module
All keys must be generated by and in a cryptographic module. Private Keys are exported from the cryptographic module only for backup purposes. The Private Keys are encrypted when transferred out of the module and never exist in plaintext form. When transported between cryptographic modules, DigiCert encrypts the private key and protects the keys used for encryption from disclosure. Private Keys used to encrypt backups are securely stored and require two-person access.

6.2.7. Private Key Storage on Cryptographic Module
DigiCert's Private Keys are generated and stored inside DigiCert's cryptographic module, which has been evaluated to at least FIPS 140 Level 3 and EAL 4+.

6.2.8. Method of Activating Private Keys
DigiCert's Private Keys are activated according to the specifications of the cryptographic module manufacturer. Activation data entry is protected from disclosure.
Subscribers are solely responsible for protecting their Private Keys. Subscribers should use a strong password or equivalent authentication method to prevent unauthorized access or use of the Subscriber's Private Key. At a minimum, Subscribers are required to authenticate themselves to the cryptographic module before activating their private keys. See also Section 6.4.

6.2.9. Method of Deactivating Private Keys
DigiCert's Private Keys are deactivated via logout procedures on the applicable HSM device when not in use. Root Private Keys are further deactivated by removing them entirely from the storage partition on the HSM device. DigiCert never leaves its HSM devices in an active unlocked or unattended state.

Subscribers should deactivate their Private Keys via logout and removal procedures when not in use.

6.2.10. Method of Destroying Private Keys
DigiCert personnel, acting in trusted roles, destroy CA, RA, and status server Private Keys when no longer needed. Subscribers shall destroy their Private Keys when the corresponding certificate is revoked or expired or if the Private Key is no longer needed.

DigiCert may destroy a Private Key by deleting it from all known storage partitions. DigiCert also zeroizes the HSM device and associated backup tokens according to the specifications of the hardware manufacturer. This reinitializes the device and overwrites the data with binary zeros. If the zeroization or re-initialization procedure fails, DigiCert will crush, shred, and/or incinerate the device in a manner that destroys the ability to extract any Private Key.

6.2.11. Cryptographic Module Rating
See Section 6.2.1.

6.3. OTHER ASPECTS OF KEY PAIR MANAGEMENT
6.3.1. Public Key Archival
DigiCert archives copies of Public Keys in accordance with Section 5.5.
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
DigiCert certificates have maximum validity periods of:

Type                                                                                         | Private Key Use | Certificate Term
Root CA                                                                                      | 20 years        | 25 years
Sub CA*                                                                                      | 12 years        | 15 years
FBCA or IGTF Cross-certified Sub CA*                                                         | 6 years         | 15 years
CRL and OCSP responder signing                                                               | 3 years         | 31 days†
OV SSL                                                                                       | No stipulation  | 42 months
EV SSL                                                                                       | No stipulation  | 27 months
Time Stamping Authority                                                                      | No stipulation  | 123 months
Code Signing Certificate                                                                     | No stipulation  | 123 months
EV Code Signing Certificate issued to Subscriber                                             | No stipulation  | 39 months
EV Code Signing Certificate issued to Signing Authority                                      | 123 months      | 123 months
Adobe Signing Certificate                                                                    | 39 months       | 5 years
End Entity Client used for signatures, including EU Qualified Certificates, code and content signatures | 36 months | 36 months
End Entity Client used for key management                                                    | 36 months       | 36 months
Client cross-certified with FBCA                                                             | 36 months       | 36 months
End Entity Client for all other purposes (non FBCA and IGTF certs)                           | 42 months       | 42 months
PIV-I Cards                                                                                  | 36 months       | 36 months
IGTF (2048-bit RSA keys) on hardware                                                         | 60 months       | 13 months
IGTF (1024-bit RSA keys) on hardware                                                         | 36 months       | 13 months
IGTF not on hardware                                                                         | 13 months       | 13 months

* IGTF signing certificates have a lifetime that is at least twice the maximum lifetime of an end entity certificate.
† OCSP responder and CRL signing certificates associated with a PIV-I certificate only have a maximum certificate validity period of 31 days.

Relying parties may still validate signatures generated with these keys after expiration of the certificate. Private keys associated with self-signed root certificates that are distributed as trust anchors are used for a maximum of 20 years. DigiCert does not issue PIV-I subscriber certificates that expire later than the expiration date of the PIV-I hardware token on which the certificates reside.

DigiCert may voluntarily retire its CA Private Keys before the periods listed above to accommodate key changeover processes. DigiCert does not issue Subscriber certificates with an expiration date that is past the signing root's public key expiration date or that exceeds the routine re-key identification requirements specified in Section 3.1.1.

6.4. ACTIVATION DATA
6.4.1. Activation Data Generation and Installation
DigiCert activates the cryptographic module containing its CA Private Keys according to the specifications of the hardware manufacturer. This method has been evaluated as meeting the requirements of FIPS 140-2 Level 3. The cryptographic hardware is held under two-person control as explained in Section 5.2.2 and elsewhere in this CPS. DigiCert will only transmit activation data via an appropriately protected channel and at a time and place that is distinct from the delivery of the associated cryptographic module.

All DigiCert personnel and Subscribers are instructed to use strong passwords and to protect PINs and passwords. DigiCert employees are required to create non-dictionary, alphanumeric passwords with a minimum length and to change their passwords on a regular basis. If DigiCert uses passwords as activation data for a signing key, DigiCert will change the activation data upon rekey of the CA certificate.

6.4.2. Activation Data Protection
DigiCert protects data used to unlock private keys from disclosure using a combination of cryptographic and physical access control mechanisms. Protection mechanisms include keeping activation mechanisms secure using role-based physical control. All DigiCert personnel are instructed to memorize and not to write down their password or share it with another individual. DigiCert locks accounts used to access secure CA processes if a certain number of failed password attempts occur.

6.4.3. Other Aspects of Activation Data
If DigiCert must reset activation data associated with a PIV-I certificate then DigiCert or an RA performs a successful biometric 1:1 match of the applicant against the biometrics collected in Section 3.2.3.

6.5. COMPUTER SECURITY CONTROLS
6.5.1. Specific Computer Security Technical Requirements
DigiCert secures its CA systems and authenticates and protects communications between its systems and trusted roles. DigiCert's CA servers and support-and-vetting workstations run on trustworthy systems that are configured and hardened using industry best practices. All CA systems are scanned for malicious code and protected against spyware and viruses.

DigiCert's CA systems, including any remote workstations, are configured to:
1. authenticate the identity of users before permitting access to the system or applications,
2. manage the privileges of users and limit users to their assigned roles,
3. generate and archive audit records for all transactions,
4. enforce domain integrity boundaries for security critical processes, and
5. support recovery from key or system failure.

All Certificate Status Servers:
1. authenticate the identity of users before permitting access to the system or applications,
2. manage privileges to limit users to their assigned roles,
3. enforce domain integrity boundaries for security critical processes, and
4. support recovery from key or system failure.

6.5.2. Computer Security Rating
No stipulation.

6.6. LIFE CYCLE TECHNICAL CONTROLS
6.6.1. System Development Controls
DigiCert has mechanisms in place to control and monitor the acquisition and development of its CA systems. Change requests require the approval of at least one administrator who is different from the person submitting the request. DigiCert only installs software on CA systems if the software is part of the CA's operation. CA hardware and software are dedicated to performing operations of the CA.

Vendors are selected based on their reputation in the market, ability to deliver quality product, and likelihood of remaining viable in the future. Management is involved in the vendor selection and purchase decision process. Non-PKI hardware and software is purchased without identifying the purpose for which the component will be used. All hardware and software are shipped under standard conditions to ensure delivery of the component directly to a trusted employee who ensures that the equipment is installed without opportunity for tampering.

Some of the PKI software components used by DigiCert are developed in-house or by consultants using standard software development methodologies. All such software is designed and developed in a controlled environment and subjected to quality assurance review. Other software is purchased commercial off-the-shelf (COTS). Quality assurance is maintained throughout the process through testing and documentation or by purchasing from trusted vendors as discussed above.
Updates of equipment and software are purchased or developed in the same manner as the original equipment or software and are installed and tested by trusted and trained personnel. All hardware and software essential to DigiCert's operations is scanned for malicious code on first use and periodically thereafter.

6.6.2. Security Management Controls
DigiCert has mechanisms in place to control and monitor the security-related configurations of its CA systems. When loading software onto a CA system, DigiCert verifies that the software is the correct version and is supplied by the vendor free of any modifications. DigiCert verifies the integrity of software used with its CA processes at least once a week.

6.6.3. Life Cycle Security Controls
No stipulation.

6.7. NETWORK SECURITY CONTROLS
DigiCert documents and controls the configuration of its systems, including any upgrades or modifications made. DigiCert's CA system is connected to one internal network and is protected by firewalls and Network Address Translation for all internal IP addresses (e.g., 192.168.x.x). DigiCert's customer support and vetting workstations are also protected by firewall(s) and only use internal IP addresses. Root Keys are kept offline and brought online only when necessary to sign certificate-issuing subordinate CAs, OCSP Responder Certificates, or periodic CRLs. Firewalls and boundary control devices are configured to allow access only by the addresses, ports, protocols and commands required for the trustworthy provision of PKI services by such systems.

DigiCert's security policy is to block all ports and protocols and open only ports necessary to enable CA functions. All CA equipment is configured with a minimum number of services and all unused network ports and services are disabled. DigiCert's network configuration is available for review on-site by its auditors and consultants under an appropriate non-disclosure agreement.

6.8. TIME-STAMPING
The system time on DigiCert's computers is updated using the Network Time Protocol (NTP) to synchronize system clocks at least once every eight hours (Windows default). All times are traceable to a real time value distributed by a UTC(k) laboratory or National Measurement Institute and are updated when a leap second occurs as notified by the appropriate body. DigiCert maintains an internal NTP server that synchronizes with cellular telephone networks and maintains the accuracy of its clock within one second or less. For each timestamp request the internal NTP server is queried for the current time. However, Relying Parties should be aware that all times included in a time-stamp token are synchronized with UTC within the accuracy defined in the time-stamp token itself, if present.

DigiCert will not issue a time-stamp token using any clock that is detected as inaccurate. All clocks used for time-stamping are housed in DigiCert's secure facilities and are protected against threats that could result in an unexpected change to the clock's time. DigiCert's facilities automatically detect and report any clock that drifts or jumps out of synchronization with UTC. Clock adjustments are auditable events.

Some aspects of RFC 3161 timestamps differ from Microsoft Authenticode timestamps. For RFC 3161-compliant timestamps, DigiCert includes a unique integer for each newly generated time-stamp token. DigiCert only time-stamps hash representations of data, not the data itself. Information can be hashed for time-stamping using SHA-1 or SHA-256 with RSA encryption and either 1024 or 2048 bit key size for signature creation. (SHA-1, SHA-256, SHA-384, SHA-512, MD5, MD4, and MD2 are supported for RFC 3161-based requests.) DigiCert does not examine the imprint being time-stamped other than to check the imprint's length. DigiCert also does not include any identification of the Time Stamp Token Requester (TST Requester) in the time-stamp token. All time-stamp tokens are signed using a key generated exclusively for that purpose and have the property of the key indicated in the certificate.
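The following is an added example and is not DigiCert's code. It models, in Python, the two sides of the RFC 3161 exchange described in this section: the requester hashes its data and sends only the imprint plus a nonce, the TSA checks nothing about the imprint but its length, and the requester then verifies the returned token (status, hash algorithm OID, imprint, nonce, and timeliness against a local trusted clock). The TimeStampReq and TSTInfo structures are represented as plain dataclasses rather than DER, and the CMS signature check over TSTInfo that a real client performs first is out of scope here; the sample responses and times are constructed for illustration.

```python
# Added example: requester-side checks on an RFC 3161 time-stamp response.
# Not DigiCert's code. TimeStampReq/TSTInfo are modelled as dataclasses; a real
# client DER-decodes them and verifies the CMS signature over TSTInfo first.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Digest algorithm OIDs (RFC 3370 / RFC 5754) -> hashlib name, digest length.
HASH_OIDS = {
    "1.3.14.3.2.26": ("sha1", 20),
    "2.16.840.1.101.3.4.2.1": ("sha256", 32),
    "2.16.840.1.101.3.4.2.2": ("sha384", 48),
    "2.16.840.1.101.3.4.2.3": ("sha512", 64),
}
# PKIStatus values (RFC 3161 section 2.4.2); only these two carry a token.
STATUS_GRANTED, STATUS_GRANTED_WITH_MODS = 0, 1

@dataclass
class TimeStampReq:
    hash_oid: str
    imprint: bytes
    nonce: int

@dataclass
class TSTInfo:
    hash_oid: str
    imprint: bytes
    serial_number: int          # the unique integer per token
    gen_time: datetime
    accuracy: timedelta         # accuracy field carried in the token
    nonce: Optional[int]

@dataclass
class TimeStampResp:
    status: int
    tst_info: Optional[TSTInfo]  # None unless status is 0 or 1

def make_request(data: bytes, hash_oid: str) -> TimeStampReq:
    """Requester side: only the hash of the data is sent, never the data."""
    name, _ = HASH_OIDS[hash_oid]
    return TimeStampReq(hash_oid, hashlib.new(name, data).digest(),
                        secrets.randbits(64))

def imprint_length_ok(hash_oid: str, imprint: bytes) -> bool:
    """TSA side: the only examination of the imprint is a length check."""
    entry = HASH_OIDS.get(hash_oid)
    return entry is not None and len(imprint) == entry[1]

def verify_response(req: TimeStampReq, resp: TimeStampResp,
                    local_now: datetime, max_skew: timedelta) -> List[str]:
    """Return the failed checks (empty list = token acceptable).
    local_now must come from the requester's trusted local time reference."""
    if resp.status not in (STATUS_GRANTED, STATUS_GRANTED_WITH_MODS):
        return [f"status {resp.status}: no token issued"]
    tst = resp.tst_info
    if tst is None:
        return ["granted status but token missing"]
    problems = []
    if tst.hash_oid != req.hash_oid:
        problems.append("hash algorithm OID differs from request")
    if tst.imprint != req.imprint:
        problems.append("message imprint differs from request")
    if tst.nonce != req.nonce:
        problems.append("nonce missing or differs from request")
    # Timeliness: genTime must lie within the token's accuracy plus our own
    # permitted clock skew of the local trusted time.
    if abs(tst.gen_time - local_now) > tst.accuracy + max_skew:
        problems.append("genTime outside tolerance of local trusted time")
    return problems

# --- constructed sample exchange (not a real DigiCert token) ---
SHA256 = "2.16.840.1.101.3.4.2.1"
NOW = datetime(2014, 10, 7, 12, 0, 0, tzinfo=timezone.utc)
REQ = make_request(b"firmware-image-v1.bin contents", SHA256)

GOOD = TimeStampResp(STATUS_GRANTED, TSTInfo(
    SHA256, REQ.imprint, serial_number=1001,
    gen_time=NOW + timedelta(seconds=2),
    accuracy=timedelta(seconds=1), nonce=REQ.nonce))

# Token for some other file, reused against our request: imprint differs,
# nonce absent, and genTime hours old.
REPLAYED = TimeStampResp(STATUS_GRANTED, TSTInfo(
    SHA256, hashlib.sha256(b"other data").digest(), serial_number=1002,
    gen_time=NOW - timedelta(hours=3),
    accuracy=timedelta(seconds=1), nonce=None))

REJECTED = TimeStampResp(status=2, tst_info=None)  # rejection: no token

def run_checks(max_skew_s: int = 5, local_offset_s: int = 0) -> Dict[str, List[str]]:
    """Verify the three sample responses with the local clock shifted by
    local_offset_s seconds from NOW."""
    local_now = NOW + timedelta(seconds=local_offset_s)
    skew = timedelta(seconds=max_skew_s)
    return {name: verify_response(REQ, resp, local_now, skew)
            for name, resp in (("good", GOOD), ("replayed", REPLAYED),
                               ("rejected", REJECTED))}

if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
```

The replayed case shows why the nonce and imprint checks matter: a genuinely signed token is useless to the requester unless it binds exactly the imprint and nonce that were sent.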
TST Requesters request time-stamp tokens by sending a request to DigiCert. After the TST Requester receives a response from DigiCert, it must verify the status error returned in the response. If an error was not returned, the TST Requester must then verify the fields contained in the time-stamp token and the validity of the time-stamp token's digital signature. In particular, the TST Requester must verify that the time-stamped data corresponds to what was requested and that the time-stamp token contains the correct certificate identifier, the correct data imprint, and the correct hash algorithm OID. The TST Requester must also verify the timeliness of the response by verifying the response against a local trusted time reference. The TST Requester is required to notify DigiCert immediately if any information cannot be verified.

Time Stamp Verifiers shall verify the digital signature on the time-stamp token and confirm that the data corresponds to the hash value in the time-stamp token.

6.9. PIV-I CARDS
The following requirements apply to PIV-I Cards:
1. To ensure interoperability with Federal systems, PIV-I Cards use a smart card platform that is on GSA's FIPS 201 Evaluation Program Approved Product List (APL) and use the PIV application identifier (AID).
2. All PIV-I Cards conform to [NIST SP 800-73-1].
3. The mandatory X.509 Certificate for Authentication is only issued under a policy that is cross certified with the FBCA PIV-I Hardware policy OID.
4. PIV-I certificates conform to the PIV-I Profile.
5. An asymmetric X.509 Certificate for Card Authentication is included in each PIV-I card. The Certificate:
   a. conforms to PIV-I Profile,
   b. conforms to [NIST SP 800-73], and
   c. is issued under the PIV-I Card Authentication policy.
6. The CMS includes an electronic representation (as specified in SP 800-73 and SP 800-76) of the cardholder's facial image in each PIV-I card.
7. The X.509 Certificates for Digital Signature and Key Management described in [NIST SP 800-73] are optional for PIV-I Cards.
8. The CMS makes its PIV-I Cards visually distinct from a Federal PIV Card to prevent creation of a fraudulent Federal PIV Card. At a minimum, the CMS does not allow images or logos on a PIV-I Card to be placed within Zone 11, Agency Seal, as defined by [FIPS 201].
9. The CMS requires the following items on the front of a card:
   a. Cardholder facial image,
   b. Cardholder full name,
   c. Organizational Affiliation, if exists; otherwise the issuer of the card, and
   d. Card expiration date.
10. PIV-I cards are issued with an expiration date that is five years or less.
11. All PIV-I Cards expire later than the PIV-I Content Signing certificate on the card.
12. A policy OID that has been mapped to the FBCA PIV-I Content Signing policy OID is included in the digital signature certificate used to sign objects on the PIV-I Card. The PIV-I Content Signing certificate conforms to the PIV-I Profile.
13. The PIV-I Content Signing certificate and corresponding private key are managed within a trusted Card Management System.
14. At issuance, the PIV-I Card is activated and released to the subscriber only after a successful 1:1 biometric match of the applicant against the biometrics collected in Section 3.2.3.
15. PIV-I Cards may support card activation by the card management system to support card personalization and post-issuance card update. To activate the card for personalization or update, the card management system performs a challenge response protocol using cryptographic keys stored on the card in accordance with [SP 800-73]. When cards are personalized, card management keys are set to be specific to each PIV-I Card. That is, each PIV-I Card contains a unique card management key. Card management keys meet the algorithm and key size requirements stated in Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification [SP 800-78].

7. CERTIFICATE, CRL, AND OCSP PROFILES
DigiCert uses the ITU X.509, version 3 standard to construct digital certificates for use within the DigiCert PKI. DigiCert adds certain certificate extensions to the basic certificate structure for the purposes intended by X.509v3 as per Amendment 1 to ISO/IEC 9594-8, 1995. For PIV-I Certificates, DigiCert follows the FPKIPA's X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards. For Qualified Certificates, DigiCert follows ETSI TS 101 862.

7.1. CERTIFICATE PROFILE
7.1.1. Version Number(s)
All certificates are X.509 version 3 certificates.

7.1.2. Certificate Extensions
See DigiCert's Certificate Profiles document. IGTF certificates comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125.

PIV-I Certificates comply with the X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards, Date: April 23, 2010, as set forth at: http://www.idmanagement.gov/fpkipa/documents/pivi_certificate_crl_profile.pdf.

7.1.3. Algorithm Object Identifiers
DigiCert certificates are signed using one of the following algorithms:

sha-1WithRSAEncryption     [iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5]
sha256WithRSAEncryption    [iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11]
ecdsa-with-sha384          [iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3]

DigiCert does not currently sign certificates using RSA with PSS padding.

DigiCert and Subscribers may generate Key Pairs using the following:

id-dsa                     [iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1]
RsaEncryption              [iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1]
Dhpublicnumber             [iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1]
id-keyExchangeAlgorithm    [joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) algorithms(1) 22]
id-ecPublicKey             [iso(1) member-body(2) us(840) ansi-X9-62(10045) id-publicKeyType(2) 1]

Elliptic curve public keys submitted to DigiCert for inclusion in end entity certificates should all be based on NIST "Suite B" curves.

Signature algorithms for PIV-I certificates are limited to those identified by NIST SP 800-78.

7.1.4. Name Forms
Each certificate includes a unique serial number that is never reused. Optional subfields in the subject of an SSL Certificate must either contain information verified by DigiCert or be left empty. SSL Certificates cannot contain metadata such as '.', '-' and ' ' characters or any other indication that the field is not applicable. DigiCert logically restricts OU fields from containing Subscriber information that has not been verified in accordance with Section 3.
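As an added example (not DigiCert's code), the Python below converts the arc notation used in Section 7.1.3 into dotted form and into the DER OBJECT IDENTIFIER encoding that actually appears in a certificate's or CRL's signatureAlgorithm field, then decodes DER back and maps it to the algorithm name used in this CPS. It parses both the named arcs of 7.1.3 and the bare numeric arcs printed in the CRL profile table of Section 7.2.1 (for example "[1 2 840 113549 1 1 5]"). The OID values are those listed in the CPS; the encoder is plain X.690 8.19 and nothing else is assumed.

```python
# Added example: OID arc notation -> dotted form -> DER and back, for the
# algorithm identifiers listed in this CPS. Not DigiCert's code.
import re
from typing import List

def arcs_to_dotted(arc_notation: str) -> str:
    """'[iso(1) member-body(2) us(840) ... pkcs-1(1) 5]' -> '1.2.840....5'.
    Also accepts bare numeric arcs such as '[1 2 840 113549 1 1 5]'."""
    arcs = []
    for tok in arc_notation.strip("[] ").split():
        m = re.fullmatch(r"(?:[\w-]+\()?(\d+)\)?", tok)
        if not m:
            raise ValueError(f"bad arc token: {tok!r}")
        arcs.append(int(m.group(1)))
    return ".".join(map(str, arcs))

def encode_base128(value: int) -> bytes:
    """Big-endian base-128, continuation bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))

def oid_to_der(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) per X.690 section 8.19:
    the first two arcs are packed as 40*arc1 + arc2."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    body = encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += encode_base128(arc)
    if len(body) > 127:
        raise ValueError("long-form length not needed for these OIDs")
    return bytes([0x06, len(body)]) + body

def der_to_oid(der: bytes) -> str:
    """Decode a short-form DER OBJECT IDENTIFIER back to dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a subidentifier
            if not arcs:                    # unpack the first two arcs
                arcs += [2, value - 80] if value >= 80 else [value // 40, value % 40]
            else:
                arcs.append(value)
            value = 0
    if value:                               # ended mid-subidentifier
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))

# Arc notation copied from Section 7.1.3 of this CPS.
CPS_ALGORITHMS = {
    "sha-1WithRSAEncryption": "[iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5]",
    "sha256WithRSAEncryption": "[iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11]",
    "ecdsa-with-sha384": "[iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3]",
    "id-ecPublicKey": "[iso(1) member-body(2) us(840) ansi-X9-62(10045) id-publicKeyType(2) 1]",
    "id-keyExchangeAlgorithm": "[joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) algorithms(1) 22]",
}
DOTTED_TO_NAME = {arcs_to_dotted(v): k for k, v in CPS_ALGORITHMS.items()}

def identify_algorithm(der: bytes) -> str:
    """Map a DER AlgorithmIdentifier OID (as read from a certificate or CRL)
    to the name used in this CPS, or 'unknown' if the CPS does not list it."""
    return DOTTED_TO_NAME.get(der_to_oid(der), "unknown")

def table() -> List[str]:
    """One line per listed algorithm: name, dotted OID, DER hex."""
    rows = []
    for name, arcs in CPS_ALGORITHMS.items():
        dotted = arcs_to_dotted(arcs)
        rows.append(f"{name:26} {dotted:28} {oid_to_der(dotted).hex()}")
    return rows

if __name__ == "__main__":
    print("\n".join(table()))
```

The round trip matters when writing a certificate or CRL linter: the signatureAlgorithm OID must be compared in decoded form, since a byte-for-byte comparison against a hand-typed encoding misses anything that is not one of the exact strings listed here.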
The Distinguished Name for each Certificate type is set forth in DigiCert's certificate profiles document. The contents of the fields in EV Certificates must meet the requirements in Section 8.1 of the EV Guidelines.

7.1.5. Name Constraints
No stipulation.

7.1.6. Certificate Policy Object Identifier
An object identifier (OID) is a unique number that identifies an object or policy. The OIDs used by DigiCert are listed in Section 1.2 and in DigiCert's Certificate Profiles document.

7.1.7. Usage of Policy Constraints Extension
Not applicable.

7.1.8. Policy Qualifiers Syntax and Semantics
DigiCert includes brief statements in certificates about the limitations of liability and other terms associated with the use of a certificate in the Policy Qualifier field of the Certificates Policy extension.

7.1.9. Processing Semantics for the Critical Certificate Policies Extension
No stipulation.

7.2. CRL PROFILE
For PIV-I Certificates, DigiCert follows the FPKIPA's X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards.

7.2.1. Version number(s)
DigiCert issues version 2 CRLs that contain the following fields:

Field                        Value
Issuer Signature Algorithm   sha-1WithRSAEncryption [1 2 840 113549 1 1 5] OR sha-256WithRSAEncryption [1 2 840 113549 1 1 11] OR ecdsa-with-sha384 [1 2 840 10045 4 3 3]
Issuer Distinguished Name    DigiCert
thisUpdate                   CRL issue date in UTC format
nextUpdate                   Date when the next CRL will issue in UTC format
Revoked Certificates List    List of revoked certificates, including the serial number and revocation date
Issuer's Signature           [Signature]

7.2.2. CRL and CRL Entry Extensions
CRLs have the following extensions:

Extension                    Value
CRL Number                   Never repeated monotonically increasing integer
Authority Key Identifier     Same as the Authority Key Identifier listed in the certificate
Invalidity Date              Optional date in UTC format
Reason Code                  Optional reason for revocation

7.3. OCSP PROFILE
For PIV-I Certificates, DigiCert follows the FPKIPA's X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards.

7.3.1. Version Number(s)
DigiCert's OCSP responders conform to version 1 of RFC 2560.

7.3.2. OCSP Extensions
No stipulation.

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
The practices in this CPS are designed to meet or exceed the requirements of generally accepted industry standards, including the latest version of the EV Guidelines and the AICPA/CICA WebTrust Program for Certification Authorities, ANS X9.79/ISO 21188 PKI Practices and Policy Framework ("CA WebTrust/ISO 21188"). For purposes of interoperation with the U.S. Government, compliance can be determined by reference to any current auditor letter of compliance meeting the FPKIPA's Auditor Letter of Compliance Requirements, dated October 28, 2009 (FPKIPA Audit Requirements).

8.1. FREQUENCY OR CIRCUMSTANCES OF ASSESSMENT
DigiCert receives an annual audit by an independent external auditor to assess DigiCert's compliance with this CPS, any applicable CPs, and the CA WebTrust/ISO 21188 and WebTrust EV Program criteria. The audit covers DigiCert's RA systems, Sub CAs, and OCSP Responders.

8.2. IDENTITY/QUALIFICATIONS OF ASSESSOR
WebTrust auditors must meet the requirements of Section 14.1.14 of the EV Guidelines. Specifically:
(1) Qualifications and experience: Auditing must be the auditor's primary business function. The individual or at least one member of the audit group must be qualified as a Certified Information Systems Auditor (CISA), an AICPA Certified Information Technology Professional (CPA.CITP), a Certified Internal Auditor (CIA), or have another recognized information security auditing credential. Auditors must be subject to disciplinary action by their licensing body.
(2) Expertise: The individual or group must be trained and skilled in the auditing of secure information systems and be familiar with Public Key infrastructures, certification systems, and Internet security issues.
(3) Rules and standards: The auditor must conform to applicable standards, rules, and best practices promulgated by the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), the Institute of Chartered Accountants of England & Wales (ICAEW), the International Accounting Standards adopted by the European Commission (IAS), Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), or another qualified auditing standards body.
(4) Reputation: The firm must have a reputation for conducting its auditing business competently and correctly.
(5) Insurance: EV auditors must maintain Professional Liability/Errors and Omissions Insurance, with policy limits of at least $1 million in coverage.

8.3. ASSESSOR'S RELATIONSHIP TO ASSESSED ENTITY
DigiCert's WebTrust auditor does not have a financial interest, business relationship, or course of dealing that could foreseeably create a significant bias for or against DigiCert.

8.4. TOPICS COVERED BY ASSESSMENT
The audit covers DigiCert's business practices disclosure, the integrity of DigiCert's PKI operations, and DigiCert's compliance with the EV Guidelines. The audit verifies that DigiCert is compliant with the CP, this CPS, and any MOA between it and any other PKI.

8.5. ACTIONS TAKEN AS A RESULT OF DEFICIENCY
If an audit reports a material noncompliance with applicable law, this CPS, the CP, or any other contractual obligations related to DigiCert's services, then (1) the auditor will document the discrepancy, (2) the auditor will promptly notify DigiCert, and (3) DigiCert will develop a plan to cure the noncompliance. DigiCert will submit the plan to the DCPA for approval and to any third party that DigiCert is legally obligated to satisfy. The DCPA may require additional action if necessary to rectify any significant issues created by the non-compliance, including requiring revocation of affected certificates.

8.6. COMMUNICATION OF RESULTS
The results of each audit are reported to the DCPA and to any third party entities which are entitled by law, regulation, or agreement to receive a copy of the audit results. On an annual basis, DigiCert submits a report of its audit compliance to various parties, such as Mozilla, the Federal PKI Policy Authority, CA licensing bodies, etc.

8.7. SELF-AUDITS
On at least a quarterly basis, DigiCert performs regular internal audits against a randomly selected sample of at least three percent of the certificates issued since the last internal audit. Internal audits on EV Certificates are performed in accordance with section 14.1.2 of the EV Guidelines.

9. OTHER BUSINESS AND LEGAL MATTERS
9.1. FEES
9.1.1. Certificate Issuance or Renewal Fees
DigiCert charges fees for certificate issuance and renewal. DigiCert may change its fees at any time in accordance with the applicable customer agreement.

9.1.2. Certificate Access Fees
DigiCert may charge a reasonable fee for access to its certificate databases.

9.1.3. Revocation or Status Information Access Fees
DigiCert does not charge a certificate revocation fee or a fee for checking the validity status of an issued certificate using a CRL. DigiCert may charge a fee for providing certificate status information via OCSP.

9.1.4. Fees for Other Services
No stipulation.

9.1.5. Refund Policy
Subscribers must request refunds, in writing, within 30 days after a certificate issues. After receiving the refund request, DigiCert may revoke the certificate and refund the amount paid by the Applicant, minus any applicable application processing fees.

9.2. FINANCIAL RESPONSIBILITY
9.2.1. Insurance Coverage
DigiCert maintains Commercial General Liability insurance with a policy limit of at least $2 million in coverage and Professional Liability/Errors & Omissions insurance with a policy limit of at least $5 million in coverage. Insurance is carried through companies rated no less than A- as to Policy Holder's Rating in the current edition of Best's Insurance Guide (or with an association of companies, each of the members of which are so rated).

9.2.2. Other Assets
No stipulation.

9.2.3. Insurance or Warranty Coverage for End-Entities
Insurance coverage for end-entities is specified in DigiCert's Relying Party Agreement.

9.3. CONFIDENTIALITY OF BUSINESS INFORMATION
9.3.1. Scope of Confidential Information
The following information is considered confidential and protected against disclosure using a reasonable degree of care:
1. Private Keys;
2. Activation data used to access Private Keys or to gain access to the CA system;
3. Business continuity, incident response, contingency, and disaster recovery plans;
4. Other security practices used to protect the confidentiality, integrity, or availability of information;
5. Information held by DigiCert as private information in accordance with Section 9.4;
6. Audit logs and archive records; and
7. Transaction records, financial audit records, and external or internal audit trail records and any audit reports (with the exception of an auditor's letter confirming the effectiveness of the controls set forth in this CPS).

9.3.2. Information Not Within the Scope of Confidential Information
Any information not listed as confidential is considered public information. Published certificate and revocation data is considered public information.

9.3.3. Responsibility to Protect Confidential Information
DigiCert's employees, agents, and contractors are responsible for protecting confidential information and are contractually obligated to do so. Employees receive training on how to handle confidential information.

9.4. PRIVACY OF PERSONAL INFORMATION
9.4.1. Privacy Plan
DigiCert follows the privacy policy posted on its website when handling personal information. Personal information is only disclosed when the disclosure is required by law or when requested by the subject of the personal information.

9.4.2. Information Treated as Private
DigiCert treats all personal information about an individual that is not publicly available in the contents of a certificate or CRL as private information. DigiCert protects private information using appropriate safeguards and a reasonable degree of care.

9.4.3. Information Not Deemed Private
Private information does not include certificates, CRLs, or their contents.

9.4.4.
Responsibility to Protect Private Information
DigiCert employees and contractors are expected to handle personal information in strict confidence and meet the requirements of US and European law concerning the protection of personal data. All sensitive information is securely stored and protected against accidental disclosure.

9.4.5. Notice and Consent to Use Private Information
Personal information obtained from an applicant during the application or identity verification process is considered private information if the information is not included in a certificate. DigiCert will only use private information after obtaining the subject's consent or as required by applicable law or regulation. All Subscribers must consent to the global transfer and publication of any personal data contained in a certificate.

9.4.6. Disclosure Pursuant to Judicial or Administrative Process
DigiCert may disclose private information, without notice, if DigiCert believes the disclosure is required by law or regulation.

9.4.7. Other Information Disclosure Circumstances
No stipulation.

9.5. INTELLECTUAL PROPERTY RIGHTS
DigiCert and/or its business partners own the intellectual property rights in DigiCert's services, including the certificates, trademarks used in providing the services, and this CPS. "DigiCert" is a registered trademark of DigiCert, Inc.

Certificate and revocation information are the property of DigiCert. DigiCert grants permission to reproduce and distribute certificates on a non-exclusive and royalty-free basis, provided that they are reproduced and distributed in full. DigiCert does not allow derivative works of its certificates or products without prior written permission. Private and Public Keys remain the property of the Subscribers who rightfully hold them. All secret shares (distributed elements) of the DigiCert Private Keys are the property of DigiCert.

9.6. REPRESENTATIONS AND WARRANTIES
9.6.1. CA Representations and Warranties
Except as expressly stated in this CPS or in a separate agreement with a Subscriber, DigiCert does not make any representations regarding its products or services. DigiCert represents, to the extent specified in this CPS, that:
1. DigiCert complies, in all material aspects, with the CP, this CPS, and all applicable laws and regulations,
2. DigiCert publishes and updates CRLs and OCSP responses on a regular basis,
3. All certificates issued under this CPS will be verified in accordance with this CPS and meet the minimum requirements found herein and in the Baseline Requirements,
4. DigiCert will maintain a repository of public information on its website, and
5. Information published on a qualified certificate meets the requirements specified in EU Directive 99/93.

To the extent allowed under EU Directive 99/93, DigiCert:
1. Does not warrant the accuracy, authenticity, completeness, or fitness of any unverified information, including name verification for (1) certificates intended for email and intranet use, (2) Unified Communications Certificates, and (3) other certificates issued to individuals and intranets,
2. Is not responsible for information contained in a certificate except as stated in this CPS,
3. Does not warrant the quality, function, or performance of any software or hardware device, and
4. Is not responsible for failing to comply with this CPS because of circumstances outside of DigiCert's control.

For EV Certificates, DigiCert represents to Subscribers, Subjects, Application Software Vendors that distribute DigiCert's root certificates, and Relying Parties that use a DigiCert certificate while the certificate is valid that DigiCert followed the EV Guidelines when verifying information and issuing EV Certificates. This representation is limited solely to DigiCert's compliance with the EV Guidelines (e.g., DigiCert may rely on erroneous information provided in an attorney's opinion or accountant's letter that is checked in accordance with the Guidelines).

For PIV Certificates, DigiCert maintains an agreement with Affiliated Organizations that includes obligations related to authorizing affiliation with Subscribers of PIV-I certificates.

9.6.2. RA Representations and Warranties
RAs represent that:
1. The RA's certificate issuance and management services conform to the DigiCert CP and this CPS,
2. Information provided by the RA does not contain any false or misleading information,
3. Translations performed by the RA are an accurate translation of the original information, and
4. All certificates requested by the RA meet the requirements of this CPS.

DigiCert's agreement with the RA may contain additional representations.

9.6.3. Subscriber Representations and Warranties
Prior to being issued and receiving a Certificate, subscribers are solely responsible for any misrepresentations they make to third parties and for all transactions that use Subscriber's Private Key, regardless of whether such use was authorized. Subscribers are required to notify DigiCert and any applicable RA if a change occurs that could affect the status of the certificate. Subscribers represent to DigiCert, Application Software Vendors, and Relying Parties that, for each certificate, the Subscriber will:
1. Securely generate its Private Keys and protect its Private Keys from compromise,
2. Provide accurate and complete information when communicating with DigiCert,
3. Confirm the accuracy of the certificate data prior to using the certificate,
4. Promptly cease using a certificate and notify DigiCert if (i) any information that was submitted to DigiCert or is included in a certificate changes or becomes misleading or (ii) there is any actual or suspected misuse or compromise of the Private Key associated with the certificate,
5. Ensure that individuals using certificates on behalf of an organization have received security training appropriate to the certificate,
6. Use the certificate only for authorized and legal purposes, consistent with the certificate purpose, this CPS, any applicable CP, and the relevant Subscriber Agreement, including only installing SSL certificates on servers accessible at the domain listed in the certificate and not using code signing certificates to sign malicious code or any code that is downloaded without a user's consent, and
7. Promptly cease using the certificate and related Private Key after the certificate's expiration.

9.6.4. Relying Party Representations and Warranties
Each Relying Party represents that, prior to relying on a DigiCert certificate, it:
1. Obtained sufficient knowledge on the use of digital certificates and PKI,
2. Studied the applicable limitations on the usage of certificates and agrees to DigiCert's limitations on liability related to the use of certificates,
3. Has read, understands, and agrees to the DigiCert Relying Party Agreement and this CPS,
4. Verified both the DigiCert certificate and the certificates in the certificate chain using the relevant CRL or OCSP,
5. Will not use a DigiCert certificate if the certificate has expired or been revoked, and
6. Will take all reasonable steps to minimize the risk associated with relying on a digital signature, including only relying on a DigiCert certificate after considering:
   a) applicable law and the legal requirements for identification of a party, protection of the confidentiality or privacy of information, and enforceability of the transaction;
   b) the intended use of the certificate as listed in the certificate or this CPS,
   c) the data listed in the certificate,
   d) the economic value of the transaction or communication,
   e) the potential loss or damage that would be caused by an erroneous identification or a loss of confidentiality or privacy of information in the application, transaction, or communication,
   f) the Relying Party's previous course of dealing with the Subscriber,
   g) the Relying Party's understanding of trade, including experience with computer-based methods of trade, and
   h) any other indicia of reliability or unreliability pertaining to the Subscriber and/or the application, communication, or transaction.

Any unauthorized reliance on a certificate is at a party's own risk.

9.6.5. Representations and Warranties of Other Participants
No stipulation.

9.7. DISCLAIMERS OF WARRANTIES
EXCEPT AS EXPRESSLY STATED IN SECTION 9.6.1, ALL CERTIFICATES AND ANY RELATED SOFTWARE AND SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY LAW, DIGICERT DISCLAIMS ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. DIGICERT DOES NOT WARRANT THAT ANY SERVICE OR PRODUCT WILL MEET ANY EXPECTATIONS OR THAT ACCESS TO CERTIFICATES WILL BE TIMELY OR ERROR-FREE. DigiCert does not guarantee the availability of any products or services and may modify or discontinue any product or service offering at any time. A fiduciary duty is not created simply because an entity uses DigiCert's services.

9.8. LIMITATIONS OF LIABILITY
NOTHING HEREIN LIMITS LIABILITY RELATED TO (I) DEATH OR PERSONAL INJURY RESULTING FROM DIGICERT'S NEGLIGENCE OR (II) FRAUD COMMITTED BY DIGICERT. EXCEPT AS STATED ABOVE, ANY ENTITY USING A DIGICERT CERTIFICATE OR SERVICE WAIVES ALL LIABILITY OF DIGICERT RELATED TO SUCH USE, PROVIDED THAT DIGICERT HAS MATERIALLY COMPLIED WITH THIS CPS IN PROVIDING THE CERTIFICATE OR SERVICE. DIGICERT'S LIABILITY FOR CERTIFICATES AND SERVICES THAT DO NOT MATERIALLY COMPLY WITH THIS CPS IS LIMITED AS FOLLOWS:
1. NO LIABILITY IF THE DAMAGE OR LOSS RELATES TO A CERTIFICATE OTHER THAN AN SSL CERTIFICATE OR CODE SIGNING CERTIFICATE,
2. A MAXIMUM LIABILITY OF $1,000 PER TRANSACTION FOR SSL CERTIFICATES,
3. AN AGGREGATE MAXIMUM LIABILITY OF $10,000 FOR ALL CLAIMS RELATED TO A SINGLE CERTIFICATE OR SERVICE,
4. AND AN AGGREGATE MAXIMUM LIABILITY OF $1 MILLION FOR ALL CLAIMS, REGARDLESS OF THE NUMBER OR SOURCE OF THE CLAIMS.

DIGICERT APPORTIONS PAYMENTS RELATED TO AN AGGREGATE MAXIMUM LIMITATION ON LIABILITY UNDER THIS SECTION TO THE FIRST CLAIMS THAT ACHIEVE FINAL RESOLUTION.

All liability is limited to actual and legally provable damages. DigiCert is not liable for:
1. Any indirect, consequential, special, or punitive damages or any loss of profit, revenue, data, or opportunity, even if DigiCert is aware of the possibility of such damages;
2. Liability related to fraud or willful misconduct of the Applicant;
3.
Liability related to use of a certificate that exceeds the limitations on use, value, or transactions as stated either in the certificate or this CPS;
4. Liability related to the security, usability, or integrity of products not supplied by DigiCert, including the Subscriber's and Relying Party's hardware; or
5. Liability related to the compromise of a Subscriber's Private Key.

The limitations in this section apply to the maximum extent permitted by law and apply regardless of (i) the reason for or nature of the liability, including tort claims, (ii) the number of claims of liability, (iii) the extent or nature of the damages, (iv) whether DigiCert failed to follow any provision of this CPS, or (v) whether any provision of this CPS was proven ineffective.

The disclaimers and limitations on liabilities in this CPS are fundamental terms to the use of DigiCert's certificates and services.

9.9. INDEMNITIES
9.9.1. Indemnification by DigiCert
DigiCert shall indemnify each Application Software Vendor against any claim, damage, or loss suffered by an Application Software Vendor related to an EV Certificate issued by DigiCert, regardless of the cause of action or legal theory involved, except where the claim, damage, or loss suffered by the Application Software Vendor was directly caused by the Application Software Vendor's software displaying either (1) a valid and trustworthy EV Certificate as not valid or trustworthy or (2) displaying as trustworthy (i) an EV Certificate that has expired or (ii) a revoked EV Certificate where the revocation status is available online but the Application Software Vendor's software failed to check or ignored the status.

9.9.2. Indemnification by Subscribers
To the extent permitted by law, each Subscriber shall indemnify DigiCert, its partners, and any cross-signed entities, and their respective directors, officers, employees, agents, and contractors against any loss, damage, or expense, including reasonable attorney's fees, related to (i) any misrepresentation or omission of material fact by Subscriber, regardless of whether the misrepresentation or omission was intentional or unintentional; (ii) Subscriber's breach of the Subscriber Agreement, this CPS, or applicable law; (iii) the compromise or unauthorized use of a certificate or Private Key caused by the Subscriber's negligence or intentional acts; or (iv) Subscriber's misuse of the certificate or Private Key.

9.9.3. Indemnification by Relying Parties
To the extent permitted by law, each Relying Party shall indemnify DigiCert, its partners, and any cross-signed entities, and their respective directors, officers, employees, agents, and contractors against any loss, damage, or expense, including reasonable attorney's fees, related to the Relying Party's (i) breach of the Relying Party Agreement, an End-User License Agreement, this CPS, or applicable law; (ii) unreasonable reliance on a certificate; or (iii) failure to check the certificate's status prior to use.

9.10. TERM AND TERMINATION
9.10.1. Term
This CPS and any amendments to the CPS are effective when published to DigiCert's online repository and remain in effect until replaced with a newer version.

9.10.2. Termination
This CPS and any amendments remain in effect until replaced by a newer version.

9.10.3. Effect of Termination and Survival
DigiCert will communicate the conditions and effect of this CPS's termination via the DigiCert Repository. The communication will specify which provisions survive termination. At a minimum, all responsibilities related to protecting confidential information will survive termination. All Subscriber Agreements remain effective until the certificate is revoked or expired, even if this CPS terminates.

9.11. INDIVIDUAL NOTICES AND COMMUNICATIONS WITH PARTICIPANTS
DigiCert accepts notices related to this CPS at the locations specified in Section 2.2. Notices are deemed effective after the sender receives a valid and digitally signed acknowledgment of receipt from DigiCert. If an acknowledgement of receipt is not received within five days, the sender must resend the notice in paper form to the street address specified in Section 2.2 using either a courier service that confirms delivery or via certified or registered mail with postage prepaid and return receipt requested. DigiCert may allow other forms of notice in its Subscriber Agreements.

9.12. AMENDMENTS
9.12.1. Procedure for Amendment
This CPS is reviewed annually. Amendments are made by posting an updated version of the CPS to the online repository. Controls are in place to reasonably ensure that this CPS is not amended and published without the prior authorization of the DCPA.

9.12.2. Notification Mechanism and Period
DigiCert posts CPS revisions to its website. DigiCert does not guarantee or set a notice-and-comment period and may make changes to this CPS without notice and without changing the version number. Major changes affecting accredited certificates are announced and approved by the accrediting agency prior to becoming effective. The DCPA is responsible for determining what constitutes a material change of the CPS.

9.12.3. Circumstances under which OID Must Be Changed
The DCPA is solely responsible for determining whether an amendment to the CPS requires an OID change.

9.13. DISPUTE RESOLUTION PROVISIONS
Parties are required to notify DigiCert and attempt to resolve disputes directly with DigiCert before resorting to any dispute resolution mechanism, including adjudication or any type of alternative dispute resolution.

9.14. GOVERNING LAW
The national law of the relevant member state governs any dispute involving Qualified Certificates. Except for disputes involving Qualified Certificates, the laws of the state of Utah govern the interpretation, construction, and enforcement of this CPS and all proceedings related to DigiCert's products and services, including tort claims, without regard to any conflicts of law principles. The state of Utah has non-exclusive venue and jurisdiction over any proceedings related to the CPS or any DigiCert product or service.

9.15. COMPLIANCE WITH APPLICABLE LAW
This CPS is subject to all applicable laws and regulations, including United States restrictions on the export of software and cryptography products. Subject to section 9.4.5's Notice and Consent to Use Private Information contained in Certificates, DigiCert meets the requirements of the European data protection directive 95/46/EC and has established appropriate technical and organization measures against unauthorized or unlawful processing of personal data and against the loss, damage, or destruction of personal data.

9.16. MISCELLANEOUS PROVISIONS
9.16.1. Entire Agreement
DigiCert contractually obligates each RA to comply with this CPS and applicable industry guidelines. DigiCert also requires each party using its products and services to enter into an agreement that delineates the terms associated with the product or service. If an agreement has provisions that differ from this CPS, then the agreement with that party controls, but solely with respect to that party. Third parties may not rely on or bring action to enforce such agreement.

9.16.2. Assignment
Any entities operating under this CPS may not assign their rights or obligations without the prior written consent of DigiCert. Unless specified otherwise in a contract with a party, DigiCert does not provide notice of assignment.

9.16.3. Severability
If any provision of this CPS is held invalid or unenforceable by a competent court or tribunal, the remainder of the CPS will remain valid and enforceable. Each provision of this CPS that provides for a limitation of liability, disclaimer of a warranty, or an exclusion of damages is severable and independent of any other provision.

9.16.4. Enforcement (attorneys' fees and waiver of rights)
DigiCert may seek indemnification and attorneys' fees from a party for damages, losses, and expenses related to that party's conduct. DigiCert's failure to enforce a provision of this CPS does not waive DigiCert's right to enforce the same provision later or right to enforce any other provision of this CPS. To be effective, waivers must be in writing and signed by DigiCert.

9.16.5. Force Majeure
DigiCert is not liable for any delay or failure to perform an obligation under this CPS to the extent that the delay or failure is caused by an occurrence beyond DigiCert's reasonable control. The operation of the Internet is beyond DigiCert's reasonable control.

9.17. OTHER PROVISIONS
No stipulation.

APPENDIX A: SAMPLE OPINION LETTER

[Date]

To: DigiCert, Inc.
2600 West Executive Parkway
Suite 500
Lehi, UT 84043
Email: [email protected]
Fax: 801-705-0481

Re: Digital Certificate for [Exact company name of client – see footnote 1] ("Client")

This firm represents Client, who asked that I, as its [accountant, lawyer, solicitors, barrister, advocate, etc.], attest to the following information solely as related to the Client's application for a digital certificate. After reviewing the Client's records and based on my investigation, my professional opinion is that:
1. Client is a duly formed [corporation, LLC, etc.] under the laws of the [state/province] of [name of governing jurisdiction where Client is incorporated or registered]; is "active," "valid," "current," or the equivalent; and is not under any known legal disability.
2. [If applicable] The Romanized transliteration of Client's formal legal name is: [Romanized name].
3. [If applicable] Client conducts business under the [assumed/DBA/trade] name of [assumed name of Client]. Client has a currently valid registration of the name with the government agency that has jurisdiction over the place of business listed below.
4. The address where [Client, Client's parent, or Client's subsidiary – select one] conducts business operations is: [Insert place of business – this should match the address on the certificate application]
5. A main telephone number at Client's place of business is: [Insert primary telephone number of business]
6.
[NameofClient’sRepresentative–seefootnote2]isanindividual(orareindividuals)withthe authoritytoactonbehalfofClientto: a) ProvideinformationabouttheClientcontainedinthereferencedapplication, b) Requestoneormoredigitalcertificatesanddesignateotherpersonstorequestdigital certificates,and c) AgreetothecontractualobligationscontainedinDigiCert’sagreements. 7. [NameandtitleofClient’sRepresentative],whoisClient’s[TitleofClientRepresentative],canbe contactedat: Email:[EmailaddressofClientRepresentative] Phone:[PhonenumberofClientRepresentative] 8. Clienthaseitheroperatedasabusinessforthreeormoreyearsorhasanactivedepositaccountheld atabankorotherfinancialinstitutionwherefundsdepositedarepayableondemand. 9. Clienthastheexclusiverighttousethefollowingdomainname(s)inidentifyingitselfontheInternet andisawarethatithassuchcontrol: [Insertdomainnames] 59 Althoughwedidnotfindanyexceptionstotheaboveidentificationprocedures,theseproceduresdonot constituteanauditoropinionofClient'sapplicationforadigitalcertificate.Wearenotexpressinganopinion onClient'sdigitalcertificateapplicationandhaveprovidedthislettersolelyforthebenefitofDigiCertin connectionwithClient'sapplicationforadigitalcertificate.Nootherpersonorentitymayrelyonthisletter withoutmyexpresswrittenconsent.Thislettershallnotbequotedinwholeorinpart,used,publishedor otherwisereferredtoorrelieduponinanymanner,including,withoutlimitation,inanyfinancialstatement orotherdocument. 
Signature:__________________________________________________ PrintAccountant/AttorneyName:______________________________________________________ PhoneNumber:_____________________________________________ Email:_____________________________________________ FirmName:_____________________________________________ Licensedin:___________________________________ Licensenumber,ifany:__________________________________ Contactinformationforlicensingagencywherethisaccountant's/attorney'slicenseinformationmaybe verified:___________________________________________________________________ Note1:ThismustbetheClient’sexactcorporatenameasregisteredwiththerelevantIncorporatingAgency intheClient’sJurisdictionofIncorporation. Note2:APowerofAttorneyfromanofficeroftheClientwhohasthepowertodelegateauthorityissufficient toestablishtheClientRepresentative’sactualauthority.Multiplerepresentativesmaybelisted. Note3:In‐housecounseloftheClientmaysubmitthisletterifpermittedbytherulesofyourjurisdiction. Note4: Thislettermaybesubmittedbymail,fax,oremail. 60