CPS Section 3: Foundation For Certification Operations

This section establishes the foundation and controls for trustworthy PCS operations. It includes the operating requirements for VeriSign's PCS, including record keeping, auditing, and personnel requirements. It also presents the obligations of an IA upon the termination or cessation of its operations.

3.1 Prerequisites for Approval as a Non-VeriSign CA Within the PCS

3.1.1 Non-VeriSign CA Application

3.1.2 Submission of Non-VeriSign CA Application to VeriSign

3.1.3 Approval to Initiate CA Activities

3.2 VeriSign's Right to Investigate Compromises

3.3 Conformance to this CPS

3.4 Trustworthiness

3.5 Financial Responsibility

3.6 Records Documenting Compliance

3.7 Time Stamping

3.8 Records Retention Schedule

3.9 Audit

3.10 Contingency Planning and Disaster Recovery

3.11 Availability of IA Certificates

3.12 Publication by Issuing Authorities

3.13 Confidential Information

3.14 Personnel Management and Practices

3.14.1 Trusted Positions

3.14.2 Investigation and Compliance

3.14.3 Removal of Persons in Trusted Positions

3.15 Accreditations

3.15.1 Approval of Software and Hardware Devices

3.15.2 Personnel in Trusted Positions

3.15.3 Organizational Good Standing

3.16 IA Key Generation

3.17 Secret Sharing

3.17.1 Hardware Protection

3.17.2 Representations by IA

3.17.3 Acceptance of Secret Shares by Secret Share Holders

3.17.4 Safeguarding the Secret Share

3.17.5 Availability and Release of Secret Shares

3.17.6 Record Keeping by Secret Share Issuers And Holders

3.17.7 Secret Share Holder Liability

3.17.8 Indemnity by Secret Share Issuer

3.18 Conformance to Operational Period Constraints

3.19 Security Requirements

3.19.1 Communication Security Requirements

3.19.2 Facilities Security Requirements

3.20 Local Registration Authority Administrator (LRAA) Requirements

3.21 Termination or Cessation of IA Operations

3.21.1 Requirements Prior to Cessation

3.21.2 Reissuance of Certificates by a Successor IA

NOTE: CERTIFICATE APPLICATION PROCEDURES ARE PRESENTED IN CPS SECTION 4.

3.1 Prerequisites for Approval as a Non-VeriSign CA within the PCS

VeriSign's PCS are founded upon IAs operated by VeriSign. In VeriSign's discretion, other trustworthy entities may participate in VeriSign's PCS as CAs or subordinate CAs. To achieve uniform levels of trustworthiness throughout the PCS, non-VeriSign CAs and subordinate CAs agree to follow the various control requirements of this CPS.

3.1.1 Non-VeriSign CA Application

Each non-VeriSign entity desiring to serve as a CA or subordinate CA shall complete the non-VeriSign CA application applicable to the class of certificate it intends to issue (inquire of VeriSign for the non-VeriSign CA application form). The non-VeriSign CA application will include among other things:

(a) the name, street address, voice and facsimile telephone numbers, and electronic mail address(es) of the CA applicant, its administrative contacts, and its authorized representatives,

(b) the CA applicant's proposed distinguished name,

(c) the CA applicant's public key(s) and the procedures for the generation, storage, use, and destruction of its corresponding private key(s),

(d) a description of any event (for example, current or past insolvency) that could materially affect the CA applicant's ability to act as a CA or subordinate CA pursuant to the CPS,

(e) a reference to, and confirmation of the adoption of, this CPS by the CA applicant and the CA applicant's procedures for distributing copies of this CPS,

(f) a statement of the purpose and scope of anticipated certificate technology, management, or operations to be outsourced,

(g) certified or acknowledged copies of the CA applicant's appropriate business registration documents,

(h) a representation by the CA applicant that to its best knowledge and belief it can and will comply with the requirements of this CPS, and

(i) any other information required by VeriSign.

CA applications must be acknowledged before a notary. For domestic (U.S.) CA applications, an authentication of the notary's authority to take the acknowledgment (via a certificate of authenticity -- see the Notary FAQ in the VeriSign repository at https://www.verisign.com), issued by the applicable secretary of state or other government officer, is also required. (See CPS Section 2.6 - Notaries)

Failure by a CA applicant to provide the required information will delay or preclude CA application processing.

3.1.2 Submission of Non-VeriSign CA Application to VeriSign

Completed, notarially acknowledged CA applications (including required supplemental information) shall be submitted to the applicable VeriSign PCA at: 1390 Shorebird Way, Mountain View, CA 94043 USA, Attn. Certification Services.

3.1.3 Approval to Initiate CA Activities

Upon completion of its review of a CA application and the performance of such further investigation as it shall deem appropriate, the applicable VeriSign PCA shall approve or deny the CA applicant's participation as a CA or subordinate CA. The applicable VeriSign PCA shall make a reasonable effort to approve or deny such applications within three to six business weeks.

A PCA will indicate its approval of a CA application by (i) executing a VeriSign PCA-CA agreement and (ii) issuing a certificate to the applicant. The decision to approve or deny a CA application shall be solely at the discretion of the applicable VeriSign PCA, which further reserves the right to rescind CA or subordinate CA approval at any time. Breach of or failure to observe CPS requirements is a reasonable basis for rescission.

3.2 VeriSign's Right to Investigate Compromises

IAs and VeriSign may, but are not obligated to, investigate all compromises to the furthest extent of the law. By submitting a CA application (see CPS Section 3.1) or certificate application (see CPS Section 4), all applicants authorize the undertaking and scope of such investigations and agree to assist in determining all facts, circumstances, and other pertinent information that the IA and VeriSign deem appropriate and consistent with the CPS, provided that such investigations comply with all applicable privacy and data protection laws. Investigations of IAs may include but are not necessarily limited to interviews, the review of applicable books, records, and procedures, and the examination and inspection of relevant facilities. Investigations of certificate applicants and subscribers may include but are not necessarily limited to interviews and requests for and evaluation of documents.

3.3 Conformance to this CPS

IAs, LRAs, and the VeriSign repository shall conform to this CPS in performing their respective services.

3.4 Trustworthiness

IAs, LRAs, and the VeriSign repository shall utilize only trustworthy systems in performing their respective services.

3.5 Financial Responsibility

IAs shall have sufficient financial resources to maintain their operations and perform their duties, and they must be reasonably able to bear the risk of liability to subscribers and recipients of certificates and other persons who may rely on the certificates and time stamps they issue. IAs shall also maintain insurance coverage for errors and omissions.

3.6 Records Documenting Compliance

IAs shall maintain, and make available to VeriSign upon request, records in a trustworthy fashion, including

(i) documentation of their own compliance with the CPS, and

(ii) documentation of actions and information that is material to each certificate application and to the creation, issuance, use, suspension, revocation, expiration, and renewal or re-enrollment of each certificate it issues. These records shall include all relevant evidence in the IA's possession regarding

Records may be kept in the form of either computer-based messages or paper-based documents, provided their indexing, storage, preservation, and reproduction are accurate and complete. An IA may require a subscriber or its agent to submit documents to enable the IA to comply with this section.

3.7 Time Stamping

Time stamping is intended to enhance the integrity of VeriSign's PCS and the trustworthiness of certificates and to contribute to the nonrepudiation of digitally signed messages. Time stamping creates a notation that indicates (at least) the correct date and time of an action (expressly or implicitly) and the identity of the person or device that created the notation. All time stamps reflect Greenwich mean time (GMT) and adopt the Universal Time Conventions (UTC). For purposes of this CPS, any two-digit year in the range 00-69 means 2000-2069, and in the range 70-99 means 1970-1999.

The following data shall be time stamped, either directly on the data or on a correspondingly trustworthy audit trail, by the applicable IAs:

Note: Cryptographic-based time stamping will be incrementally implemented by VeriSign IAs for all relevant messages.

3.8 Records Retention Schedule

IAs shall retain in a trustworthy fashion records associated with Class 1 and 2 certificates for at least five (5) years and records associated with Class 3 certificates for at least thirty (30) years after the date a certificate is revoked or expires. Such records may be retained as either retrievable computer-based messages or paper-based documents.

3.9 Audit

IAs shall implement and maintain trustworthy systems to preserve an audit trail for all material events, such as key generation and certificate application, validation, suspension, and revocation. A certified public accountant with demonstrated expertise in computer security or an accredited computer security professional shall audit the operations of each IA and corresponding LRAs at least annually, at the sole expense of the audited entity, to evaluate its compliance with this CPS and other applicable agreements, guidelines, procedures, and standards. Non-VeriSign IAs shall promptly submit audit reports concerning such audits to VeriSign.

VeriSign's receipt of such third-party audit reports constitutes neither endorsement nor approval on the part of VeriSign of the content, findings, and recommendations of such reports. VeriSign may review such reports to protect VeriSign's PCS. Since VeriSign is not the author of such audit reports and is therefore not responsible for their content, VeriSign does not express any opinion on such audit reports and shall not be held responsible for any damages to anyone resulting from VeriSign's reliance on such audit reports.

3.10 Contingency Planning and Disaster Recovery

IAs shall implement, document, and periodically test appropriate contingency planning and disaster recovery capabilities and procedures, consistent with this CPS and the VSP.

3.11 Availability of IA Certificates

IAs shall make copies of their own certificates (i.e., those in which the IA is the subject) and any revocation data (where applicable) available to any person who has and desires to duly verify a digital signature that is verifiable by reference to such a certificate.

3.12 Publication by Issuing Authorities

IAs must publish their certificate, revocation data, and this CPS.

3.13 Confidential Information

The following information shall be considered received and generated in confidence by VeriSign and the applicable IA and may not be disclosed except as provided below:

Neither IAs nor VeriSign shall disclose or sell applicant names or other identifying information, and neither shall share such information, except in accordance with this CPS. Note, however, that the VeriSign repository shall contain certificates, as well as revocation and other certificate status information (see CPS Sections 2.5.6, 2.5.7 regarding the VeriSign repository).

Voluntary Release / Disclosure of Confidential Information.

Neither IAs nor VeriSign shall release or be required to release any confidential information without an authenticated, reasonably specific request prior to such release from (i) the person to whom the IA or VeriSign owes a duty to keep such information confidential and (ii) the person requesting confidential information (if not the same person); or a court order. The IA or VeriSign may require that the requesting person pay a reasonable fee before disclosing such information.

3.14 Personnel Management and Practices

IAs shall formulate and follow personnel and management practices that provide reasonable assurance of the trustworthiness and competence of their employees and of the satisfactory performance of their duties. Such practices shall be consistent with this CPS.

3.14.1 Trusted Positions

All employees, contractors, and consultants of an IA (collectively, "personnel") that have access to or control over cryptographic operations that may materially affect the IA's issuance, use, suspension, or revocation of certificates, including access to restricted operations of the VeriSign repository, shall, for purposes of this CPS, be considered as serving in a trusted position. Such personnel include, but are not limited to, customer service personnel, system administration personnel, designated engineering personnel, and executives who are designated to oversee the IA's trustworthy system infrastructures.

3.14.2 Investigation and Compliance

IAs shall conduct an initial investigation of all personnel who are candidates to serve in trusted positions to make a reasonable attempt to determine their trustworthiness and competence. IAs shall conduct periodic investigations of all personnel who serve in trusted positions to verify their continued trustworthiness and competence in accordance with VeriSign's personnel practices or equivalent.

3.14.3 Removal of Persons in Trusted Positions

All personnel who fail an initial or periodic investigation shall not serve in a trusted position. The removal of any person serving in a trusted position shall be at the sole discretion of the applicable IA (or VeriSign, in the case of VeriSign personnel).

3.15 Accreditations

3.15.1 Approval of Software and Hardware Devices

All PCS-related hardware and software shall be approved by VeriSign, an authorized VeriSign consultant, or other recognized authority (as designated from time to time by VeriSign), as appropriate.

3.15.2 Personnel in Trusted Positions

All personnel serving in trusted positions shall be accredited by a recognized external accreditation organization, as appropriate. This provision does not include members of the board of directors of VeriSign or of any IA, except for such persons serving in an operational capacity in the PCS.

3.15.3 Organizational Good Standing

An IA shall be in good standing with (and, where applicable, accredited, certified, or licensed by) applicable agencies and authorities whose rules and regulations materially affect IA trustworthiness and as required by law or contract.

3.16 IA Key Generation

An IA shall securely generate and protect its own private key(s), using a trustworthy system, and take necessary precautions to prevent its loss, disclosure, modification, or unauthorized use.

3.17 Secret Sharing

An IA shall use secret sharing, using authorized secret share holders, to enhance the trustworthiness of its private key(s) and provide for their recovery, as described below.

Entity | Required Secret Shares to Enable IA's Private Key to Sign End-User Subscriber Certificates | Required Secret Shares to Sign IA's Certificate | Total Secret Shares Distributed | Disaster Recovery Shares* Needed | Disaster Recovery Shares* Total
VR | TBD | TBD | TBD | TBD | TBD
Class 1 PCA | n/a | 5 | 9 | 3 | 4
Class 2 PCA | n/a | 5 | 9 | 3 | 4
Class 3 PCA | n/a | 5 | 9 | 3 | 4
Class 1 CA | 2 (+1 CK)* | 3 (+1 CK) | 6 | 2 (+1 CK) | 3 (+1 CK)
Class 2 CA and subordinate CAs | 2 (+1 CK) | 3 (+1 CK) | 6 | 2 (+1 CK) | 3 (+1 CK)
Class 3 CA and subordinate CAs | 2 (+1 CK) | 3 (+1 CK) | 6 | 2 (+1 CK) | 3 (+1 CK)

*In addition to the above-listed number of assigned secret shares required for CAs and subordinate CAs, a common key ("CK") is required (thus effectively increasing by one the total number of keys required for all CAs and subordinate CAs for secret sharing purposes). However, an assigned secret share can be used as a substitute for a common key. Common keys are used to keep certain hardware cryptomodules in operational mode without the security risk that results from leaving assigned secret shares in such cryptomodules (other than to enable them).

TABLE 4 - SECRET SHARE DISTRIBUTION

3.17.1 Hardware Protection

IAs must use approved trustworthy hardware cryptomodules for all operations requiring the use of their private key, except for Class 1 CAs, which may use trustworthy software with secret sharing. The procedure for creating such private keys may be published in the VeriSign repository.

3.17.2 Representations by IA

An IA intending to distribute secret shares of its private key(s) represents and warrants to all applicable entities that it lawfully possesses private key(s) intended to be secret shared and has the authority to transfer them to authorized secret share holders, in accordance with this CPS.

3.17.3 Acceptance of Secret Shares by Secret Share Holders

For a secret share holder to accept a secret share, a majority of the designated secret share holders must have personally observed the creation, re-creation, and distribution of the share and its subsequent chain of custody.

Each secret share holder must receive the secret share within a physical medium, such as a VeriSign-approved hardware token. Once the secret share holder is satisfied that his or her inspection of the delivered secret share is complete, he or she shall acknowledge acceptance of the secret share by signing and returning to the applicable IA a secret share acceptance form provided by that IA.

3.17.4 Safeguarding the Secret Share

The secret share holder shall use trustworthy systems to protect the secret share against compromise. Except as provided in this CPS, the secret share holder agrees that he or she shall not

3.17.5 Availability and Release of Secret Shares

The secret share holder shall make the secret share available to authorized entities (listed in the secret share holder acceptance form) only when provided with proper authorization by an authenticated record (see next paragraph). In the event of a disaster situation (when declared by the secret share issuer), the secret share holder shall report to a disaster recovery site in accordance with instructions from the secret share issuer. Prior to traveling to any contingency/disaster recovery site and releasing the secret share, the secret share holder shall authenticate the declaration of the secret share issuer as specified on the secret share acceptance form (except where prohibited by law or legal process, such as concerning certain criminal investigations). This procedure will include the use of a challenge phrase (communicated from the secret share issuer to the secret share holder) to ensure that the secret share holder is not tricked into traveling to the wrong location thereby incapacitating the secret share issuer's ability to recover. At the disaster recovery site, the secret share holder shall physically deliver (in person) the secret share in order to participate in the disaster recovery procedure.

The secret share holder may rely upon any instruction, document, message, record, instrument, or signature he or she reasonably believes to be genuine, provided he or she authenticates such declaration of the secret share issuer in the manner provided by the preceding paragraph. The secret share issuer will provide the secret share holder with a sample set of all signatures to be used to authenticate the instructions of the secret share issuer.

3.17.6 Record Keeping by Secret Share Issuers and Holders

Secret share issuers and holders shall keep records of activities pertaining to all secret share materials. The secret share holder shall provide information regarding the status of the secret share to the secret share issuer or its designee upon authenticated request.

3.17.7 Secret Share Holder Liability

The secret share holder shall perform his or her obligations under this CPS and must act in a reasonable and prudent manner in all respects. The secret share holder shall notify the secret share issuer of any loss, theft, improper disclosure, or compromise of the secret share immediately upon learning of it. The secret share holder is not responsible for failure to fulfill his or her obligations due to causes beyond his or her reasonable control but shall be liable for improper disclosure of secret shares or failure to notify the secret share issuer of improper disclosure or compromise through his or her fault, including negligence or recklessness.

3.17.8 Indemnity by Secret Share Issuer

The secret share issuer agrees to indemnify and hold harmless the secret share holder from all claims, actions, damages, judgments, arbitration fees, expenses, costs, attorney's fees, and other liabilities incurred by the secret share holder related to the secret share that are not caused or contributed to by the secret share holder's fault, including negligence, or recklessness.

3.18 Conformance to Operational Period Constraints

The CA applicant shall ensure that the operational period assigned to an IA certificate conforms to the restrictions imposed on that IA by the superior IA that establishes operational periods.

3.19 Security Requirements

3.19.1 Communication Security Requirements

All communications pursuant to this CPS among VeriSign and the other parties in the PCS must use an application that provides appropriate security mechanisms commensurate with the attendant risks. Without limiting the generality of the foregoing, computer-based notices, corresponding notice acknowledgments, and any other communications affecting the security of the PCS shall also be appropriately secured.

3.19.2 Facilities Security Requirements

An IA shall operate trustworthy facilities that are in substantial conformance with the VSP, or equivalent.

3.20 Local Registration Authority Administrator (LRAA) Requirements

LRAAs serve in trusted positions (see CPS Section 3.14 -- Personnel Management and Practices). The minimum requirements for an LRAA depend upon the class and affiliation of the certificates issued, based on the applications that an LRAA is authorized to approve. Note that certain non-VeriSign organizational LRA requirements are less rigorous than requirements for a normal LRAA because the former does not issue certificates to the general public and therefore requires less experience in the general validation of identification documents. Rather, the non-VeriSign organizational LRA bases its certificate approval decisions upon a simplified, internal list of authorized employees and other "affiliates" or other business records. LRAA requirements are presented in Table 5.

Requirement | LRAA Class 1 and 2 | Non-VeriSign Organizational LRAA Class 2 | LRAA Class 3
Education | n/a - LRAA functions are automated | No less than requirements for the company's human resources personnel handling company confidential employee records | At least 2 years of college, completion of paralegal or notary course of instruction, or equivalent experience
Training | n/a - LRAA functions are automated | Successful completion of on-line LRAA demonstration program and must be employed by the LRA for at least 3 months | Two weeks of LRAA apprenticeship and must be employed by the LRA for at least 3 months. Completion of notary training within six (6) months of commencing LRAA employment
Accreditations | n/a - LRAA functions are automated | n/a - Must be in good standing with his / her LRA | Paralegal certificate or notary commission, or comparable accreditation within stated parameters. Must be in good standing with his / her LRA
Initial Investigation | n/a - LRAA functions are automated | Per applicable trusted position requirements (see CPS Section 3.14.1) | Per trusted position requirements (see CPS Section 3.14.1)
Ongoing Investigations | n/a - LRAA functions are automated | Annually (recommended) | Annually
Bonding | n/a - LRAA functions are automated | No | Yes
Record Keeping | Per CPS Section 3.6 | Yes, per CPS Section 3.6 | Yes, per CPS Section 3.6. LRAAs not associated with a VeriSign-owned or operated IA shall independently retain applicable records per CPS Section 3.6

TABLE 5 -- LRAA REQUIREMENTS

3.21 Termination or Cessation of IA Operations

The following obligations are intended to reduce the impact of a termination of service by providing for timely notice, transfer of responsibilities to succeeding entities, maintenance of records, and certain remedies.

3.21.1 Requirements Prior to Cessation

Before ceasing to act as an IA, an IA must:

(i) Notify its superior IA (and also VeriSign, if the superior IA is not owned and operated by VeriSign) of its intention to cease acting as an IA. Such notice shall be made at least ninety (90) days before ceasing to act as an IA. The superior IA may require additional statements in order to verify compliance with this provision.

(ii) Provide to the subscriber of each unrevoked or unexpired certificate it issued ninety (90) days notice of its intention to cease acting as an IA.

(iii) Revoke all certificates that remain unrevoked or unexpired at the end of the ninety (90) day notice period, whether or not the subscribers have requested revocation.

(iv) Give notice of revocation to each affected subscriber, as detailed in CPS Section 9.

(v) Make a reasonable effort to ensure that discontinuing its certification services will cause minimal disruption to its subscribers and to persons duly needing to verify digital signatures by reference to the public keys contained in outstanding certificates.

(vi) Make reasonable arrangements for preserving its records.

(vii) Pay reasonable restitution (not to exceed the certificate purchase price) to subscribers for revoking their certificates before their expiration date.

3.21.2 Reissuance of Certificates by a Successor IA

To provide uninterrupted IA services to its certificate applicants and subscribers, a discontinuing IA must arrange with another such authority, subject to the other IA's prior written approval, for reissuance of its outstanding subscriber certificates. In reissuing a certificate, the succeeding IA (not to be confused with a subordinate IA) is subrogated to the rights and defenses of the discontinuing IA and, to the extent agreed in writing between the discontinuing and succeeding IA, assumes all of its obligations and liabilities regarding outstanding certificates. Unless a contract between the discontinuing IA and a subscriber provides otherwise, and subject to the succeeding IA's written approval, the CPS will remain in effect under the succeeding IA as under the original IA.

The requirements of this subsection may be varied by contract, provided such modifications affect only the contracting parties.

COPYRIGHT © 1997 VERISIGN, INC.
ALL RIGHTS RESERVED