CPS Section 4: Certificate Application Procedures
This section describes the certificate application process. It includes
the requirements for key pair generation and protection and lists the information
required for each class of certificate.
4.1 Key Generation and Protection
4.1.1 Holder Exclusivity; Controlling Access to Private Keys
4.1.2 Delegation of Responsibilities for Private Keys
4.2 Certificate Application Information and Communication
4.3 Software Publisher's Pledge
All persons (other than an IA) desiring a certificate shall contemporaneously
complete the following general procedures for each certificate application:
- generate a key pair and demonstrate to the applicable IA that it is a functioning key pair,
- protect the private key (of this key pair) from compromise,
- determine a proposed distinguished name, and
- submit a certificate application (and subscriber agreement), including
the public key of this key pair, to the applicable IA.
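The four steps above are exactly what a PKCS#10 certificate signing request packages: the applicant generates the key pair locally, the proposed distinguished name and the public key go into the request, and the request is signed with the private key so the IA can confirm a functioning key pair without ever seeing that key. The Go program below is an added example, not VeriSign's or any IA's software; it assumes an ECDSA P-256 key (the CPS prescribes no algorithm), a constructed applicant ("Alice Example", "Example Org", "alice@example.invalid"), and that the IA's functioning-key-pair check is verification of the request's self-signature (proof of possession). It also shows the IA-side check rejecting an application whose signed contents were altered after signing.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
)

// Applicant side (added example, not the CPS's own software): generate the
// key pair locally and build a PKCS#10 request carrying the proposed
// distinguished name and the public key, signed with the private key.
// The private key is returned to the caller and is never sent to the IA.
func GenerateKeyAndRequest(commonName, org, email string) (*ecdsa.PrivateKey, []byte, error) {
	// Assumption: ECDSA P-256; the CPS does not prescribe an algorithm.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   commonName, // the "common name" / "legal name" item
			Organization: []string{org},
		},
		EmailAddresses: []string{email}, // the "E-mail address" item, carried as a SAN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// IA side: parse the submitted request and verify its self-signature under
// the enclosed public key. A valid signature is the "functioning key pair"
// demonstration (proof of possession); the private key is never disclosed.
func VerifyRequest(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// TamperedCopy returns a copy of der with the first occurrence of `from`
// replaced by the same-length `to`. It models application data (here the
// common name) being altered after the applicant signed the request.
func TamperedCopy(der []byte, from, to string) []byte {
	if len(from) != len(to) {
		return nil
	}
	i := bytes.Index(der, []byte(from))
	if i < 0 {
		return nil
	}
	out := append([]byte(nil), der...)
	copy(out[i:], to)
	return out
}

func main() {
	// Constructed sample applicant; not a real subscriber.
	_, der, err := GenerateKeyAndRequest("Alice Example", "Example Org", "alice@example.invalid")
	if err != nil {
		log.Fatal(err)
	}
	csr, err := VerifyRequest(der)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("accepted request for CN=%s O=%v email=%v\n",
		csr.Subject.CommonName, csr.Subject.Organization, csr.EmailAddresses)
	fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})))

	// An application altered after signing must be rejected by the IA.
	if _, err := VerifyRequest(TamperedCopy(der, "Alice", "Alicf")); err != nil {
		fmt.Println("tampered request rejected:", err)
	}
}
```

The split into two functions mirrors the trust boundary the CPS draws: everything that touches the private key runs on the applicant's trustworthy system, and the IA works only from the signed request.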
4.1 Key Generation and Protection
The following procedures are applicable to all entities generating keys
as provided in this CPS.
4.1.1 Holder Exclusivity; Controlling Access to Private Keys
Unless otherwise permitted by this CPS, each certificate applicant shall
securely generate his, her, or its own private key, using a trustworthy
system, and take necessary precautions to prevent its compromise, loss,
disclosure, modification, or unauthorized use. It is understood that subscribers
(and certificate applicants) will generally use non-VeriSign products that
provide appropriate protection to keys. See the Subscriber Private
Key Protection FAQ at https://www.verisign.com/repository/PrivateKey_FAQ.
EACH CERTIFICATE APPLICANT (AND, UPON APPROVAL, EACH SUBSCRIBER)
ACKNOWLEDGES THAT SUCH PERSON, AND NOT VERISIGN (OR THE APPLICABLE IA),
IS EXCLUSIVELY RESPONSIBLE FOR PROTECTING HIS, HER, OR ITS PRIVATE KEY(S)
FROM COMPROMISE, LOSS, DISCLOSURE, MODIFICATION, OR UNAUTHORIZED USE.
Users and IAs agree not to monitor, interfere with, or reverse engineer
the technical implementation of the PCS except as explicitly permitted
by this CPS or upon prior written approval of VeriSign.
4.1.2 Delegation of Responsibilities for Private Keys
Delegation, if it occurs, does not relieve the delegator of his, her,
or its responsibilities and liabilities concerning the generation, use,
retention, or proper destruction of his, her, or its private key.
4.2 Certificate Application Information and Communication
Certificate application information includes the items listed in the
following Table 6. Not all of the following information will appear in
a certificate (see Figure 3 - Certificates and Information Incorporated
by Reference). Note: The items of such information not included in the
certificate will be kept confidential by the IA (see CPS
Section 3.13). Certain Class 2 information for affiliated individuals
of non-VeriSign organizational LRAs may not be required in an application
but instead made generally available through such LRAs.
Class of Certificate: Required Certificate Application Information

Class 1
Individuals:
Required Information
(a) Common name (or alias)
(b) Subject public key
(c) E-mail address
(d) Executed subscriber agreement
(e) Credit card information (if applicable)
(f) Challenge phrase (to later authenticate subscriber to the IA)
(g) Other information as prescribed by the IA or VeriSign
Optional
(h) Demographic data (Registration Field Information)
Method of Communicating Application: The IA communicates a certificate prototype (unsigned) and a subscriber agreement to the certificate applicant. By completing this on-line dialog via a secure Web channel, the certificate applicant then affirms that (i) the certificate applicant information is accurate and (ii) he or she has read, understands, and agrees to the terms of the subscriber agreement. Upon completion of specified validation procedures, the IA sends E-mail to the E-mail address that was provided by the certificate applicant in the certificate application. This E-mail message contains a PIN (and optionally, a draft of information content to be included in the certificate) that authorizes the certificate applicant to obtain a certificate from the IA.
Business Entities: Class 1 certificates are issued to individuals only.

Class 2
Individuals:
Required Information
(a) Legal name (in the form of a common name)
(b) Proposed distinguished name
(c) Street, city, state, postal/zip code, country (of residence)
(d) Voice telephone numbers (of residence)
(e) E-mail address
(f) Subject public key
(g) Credit card information
(h) Spouse's first name (if applicable)
(i) Social security number
(j) Date of birth
(k) Employer (if applicable)
(l) Challenge phrase (to later authenticate subscriber to the IA)
(m) Executed subscriber agreement
(n) Previous address (if changed within last two years)
(o) Driver's license information (if applicable)
(p) The "software publisher's pledge" (for individual software publisher certificate applicants only - see CPS Section 4.3)
(q) Other information as prescribed by the IA or VeriSign
Optional
(r) Demographic data (Registration Field Information)
Method of Communicating Application: Same as Class 1.
Agents/Authorized Representatives: n/a
Business Entities: Class 2 certificates are issued to individuals only.

Class 3
Individuals:
Required Information: Same as Class 2, plus:
(a) Subscriber agreement acknowledged by a notary or LRA (to fulfill the "personal presence" requirement) upon presentation of three (3) forms of identification by the certificate applicant.
Optional
(b) Previous employer
Agents/Authorized Representative: Class 3 permits businesses (but not individuals) to have an agent apply for a certificate, naming the principal (business) as a subscriber.
Method of Communicating Application: TBD
Business Entities:
Required Information
(a) Domain name
(b) Organization
(c) Organizational unit (if applicable)
(d) Technical and billing contact persons
(e) City, state, country, postal/zip code
(f) Proof of right to use name (via third-party database checks and out-of-band verification)
(g) Proof of organizational status (such as proof of articles of incorporation, where applicable, or comparable proof)
(h) Proof of agent's authority
(i) The "software publisher's pledge" (for commercial software publisher certificate applicants only - see CPS Section 4.3)
(j) Server serial number (for non-U.S. based Export Control Certificate applicants only - see CPS Section 5.1.6)
Optional
(k) DUNS number
Agents/Authorized Representative: See above
Method of Communicating Application: The completed application (and subscriber agreement) shall be submitted in electronic form.

TABLE 6 -- REQUIRED CERTIFICATE APPLICATION INFORMATION
4.3 Software Publisher's Pledge (For Microsoft Authenticode™ Only)
Each individual and commercial software publisher who applies for an
individual or commercial software publisher certificate hereby makes the
following software publisher's pledge to all users and the applicable IA
concerning software that the software publisher digitally signs with a
private key corresponding to the public key contained in a certificate:
In addition to the other representations, obligations, and warranties
contained or referenced in the certificate application, the [individual]
[commercial] software publisher certificate applicant represents and warrants
that he, she, or it shall exercise reasonable care consistent with prevailing
industry standards to exclude programs, extraneous code, viruses, or data
that may be reasonably expected to damage, misappropriate, or interfere
with the use of data, software, systems, or operations of the other party.
This software publisher's pledge is made exclusively by the [individual]
[commercial] software publisher certificate applicant. Issuing authorities
and VeriSign shall not be held responsible for the breach of such representations
and warranties by the [individual] [commercial] software publisher under
any circumstance. The decision of the applicable IA and VeriSign shall
be final as to whether or not (i) a software publisher materially breached
this software pledge, and (ii) any responsive actions taken (or not taken)
by the IA and VeriSign were necessary and appropriate.
COPYRIGHT © 1997 VERISIGN, INC. ALL RIGHTS RESERVED