1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8" lang="en">
5 <!--meta name="copyright" content="CAcert Inc http://www.cacert.org/" -->
6 <title>Certification Practice Statement (CPS)</title>
7
8 <!--[if lt IE 9]>
9 <script>
10 var e = ("abbr,article,aside,audio,canvas,datalist,details," +
11 "figure,footer,header,hgroup,mark,menu,meter,nav,output," +
12 "progress,section,time,video").split(',');
13 for (var i = 0; i < e.length; i++) {
14 document.createElement(e[i]);
15 }
16 </script>
17 <![endif]-->
18
19 <style type="text/css">
20
21 /* mark HTML5 block elements as such for HTML5 unaware browsers */
22 article,aside,dialog,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}
23
24 body {
25 font-family : verdana, helvetica, arial, sans-serif;
26 }
27
28 pre, code, kbd, tt, samp, .pre {
29 font-family: Fixedsys,Courier,monospace;
30 list-style-type: none;
31 }
32
33 th {
34 font-weight: normal;
35 }
36
37 td, th{
38 padding: 5px;
39 }
40
41 dt {
42 font-weight: bold;
43 }
44
45 .blockpar {
46 text-indent : 2em;
47 margin-top : 0em;
48 margin-bottom : 0.5em;
49 text-align : justify;
50 }
51
52 figcaption {
53 text-align : center;
54 color : gray;
55 margin-top : 0.5em;
56 }
57
58 .center {
59 text-align : center;
60 }
61
62 .q {
63 color : green;
64 font-weight: bold;
65 text-align: center;
66 font-style:italic;
67 }
68
69 .error {
70 color : red;
71 font-weight: bold;
72 text-align: center;
73 font-style:italic;
74 }
75
76 .change {
77 color : blue;
78 font-weight: bold;
79 }
80
81 .strike {
82 color : blue;
83 text-decoration:line-through;
84 }
85
86 a:hover {
87 /*background-color : #666666;*/
88 color: #333333;
89 }
90
91 .c {
92 text-align : center;
93 }
94
95 .l {
96 text-align: left;
97 }
98
99 .r {
100 text-align : right;
101 }
102
103 .i {
104 font-style : italic;
105 }
106
107 .b {
108 font-weight:bold;
109 }
110
111 .parentC {
112 margin-left:auto;
113 margin-right:auto;
114 }
115
116 .clrGreen {
117 color: green;
118 border-color: inherit;
119 }
120
121 .clrRed {
122 color: red;
123 border-color: inherit;
124 }
125 .bgClrOrange {
126 background-color: #ffa500;
127 }
128
129 .bgClrRed {
130 background-color: red;
131 }
132
133 .size1{
134 font-size: 1.1em;
135 }
136
137 .size3{
138 font-size: 2em;
139 }
140
141 .u{
142 text-decoration:underline;
143 }
144
145 .vTop{
146 vertical-align:top;
147 }
148
149 .importend {
150 border: 6px solid #000;
151 background-color: #fff;
152 color: #000; /*bordercolor*/
153 padding: 5px;
154 margin: 1em 4em 0em 4em;
155 }
156 .importend div {
157 margin-top: 3em;
158 margin-bottom: 3em;
159 }
160 .importend-header {
161 border: 1px solid red;
162 border-width: 1px 2px 2px 1px;
163 margin-top: 1.6em;
164 background-color: #fcc;
165 width: 10%;
166 font-weight: bold;
167 text-align: center;
168 color: #666;
169 }
170 </style>
171
172
173 </head>
174 <body>
175
176
177 <header>
178
179 <table style="width: 100%;">
180 <tr>
181 <td>Name: CAcert CPS and CP <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD6</a><br />
182 Status: DRAFT&nbsp;<a href="https://wiki.cacert.org/PolicyDecisions#p20091108">p20091108</a>, DRAFT&nbsp;<a href="https://wiki.cacert.org/PolicyDecisions#p20111113">p20111113</a><br />
183 Caveat: this document is already <a href="https://www.cacert.org/policy/CertificationPracticeStatement.html">on the main website in DRAFT</a>. p20111113.<br />
184 Creation date: 20060726<br />
185 Changes: <span class="change">p20111113, 20130309</span><br />
186 Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright &copy; CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy" > CC-by-sa+DRP </a>
187 </td>
188 <td class="r">
189 <a href="https://www.cacert.org/policy/PolicyOnPolicy.html"><img src="images/cacert-draft.png" alt="CPS Status - DRAFT" height="31" width="88" style="border-style: none;" /></a>
190 </td>
191 </tr>
192 </table>
193
194 <br />
195
196
197 <h1>CAcert CPS and CP</h1>
198
199 <!-- $Id: CertificationPracticeStatement.html,v 1.3 2012-07-27 16:00:29 wytze Exp $ -->
200
201
202 <nav style="font-size: 12pt;">
203
204 <ol>
205 <li> <a href="#p1">INTRODUCTION</a>
206 <ul>
207 <li><a href="#p1.1">1.1. Overview</a></li>
208 <li><a href="#p1.2">1.2. Document name and identification</a></li>
209 <li><a href="#p1.3">1.3. PKI participants</a> </li>
210 <li><a href="#p1.4">1.4. Certificate usage</a> </li>
211 <li><a href="#p1.5">1.5. Policy administration</a> </li>
212 <li><a href="#p1.6">1.6. Definitions and acronyms</a></li>
213 </ul>
214 </li>
215 <li> <a href="#p2">PUBLICATION AND REPOSITORY RESPONSIBILITIES</a>
216 <ul>
217 <li><a href="#p2.1">2.1. Repositories</a></li>
218 <li><a href="#p2.2">2.2. Publication of certification information</a></li>
219 <li><a href="#p2.3">2.3. Time or frequency of publication</a></li>
220 <li><a href="#p2.4">2.4. Access controls on repositories</a></li>
221 </ul>
222 </li>
223 <li> <a href="#p3">IDENTIFICATION AND AUTHENTICATION (I&amp;A)</a>
224 <ul>
225 <li><a href="#p3.1">3.1. Naming</a> </li>
226 <li><a href="#p3.2">3.2. Initial Identity Verification</a> </li>
227 <li><a href="#p3.3">3.3. I&amp;A for Re-key Requests</a> </li>
228 <li><a href="#p3.4">3.4. I&amp;A for Revocation Request</a></li>
229 </ul>
230 </li>
231 <li><a href="#p4">CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS</a>
232 <ul>
233 <li><a href="#p4.1">4.1. Certificate Application</a> </li>
234 <li><a href="#p4.2">4.2. Certificate application processing</a> </li>
235 <li><a href="#p4.3">4.3. Certificate issuance</a> </li>
236 <li><a href="#p4.4">4.4. Certificate acceptance</a> </li>
237 <li><a href="#p4.5">4.5. Key pair and certificate usage</a> </li>
238 <li><a href="#p4.6">4.6. Certificate renewal</a> </li>
239 <li><a href="#p4.7">4.7. Certificate re-key</a> </li>
240 <li><a href="#p4.8">4.8. Certificate modification</a> </li>
241 <li><a href="#p4.9">4.9. Certificate revocation and suspension</a> </li>
242 <li><a href="#p4.10">4.10. Certificate status services</a> </li>
243 <li><a href="#p4.11">4.11. End of subscription</a></li>
244 <li><a href="#p4.12">4.12. Key escrow and recovery</a> </li>
245 </ul>
246 </li>
247 <li><a href="#p5">FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS</a>
248 <ul>
249 <li><a href="#p5.1">5.1. Physical controls</a> </li>
250 <li><a href="#p5.2">5.2. Procedural controls</a> </li>
251 <li><a href="#p5.3">5.3. Personnel controls</a> </li>
252 <li><a href="#p5.4">5.4. Audit logging procedures</a> </li>
253 <li><a href="#p5.5">5.5. Records archival</a> </li>
254 <li><a href="#p5.6">5.6. Key changeover</a></li>
255 <li><a href="#p5.7">5.7. Compromise and disaster recovery</a> </li>
256 <li><a href="#p5.8">5.8. CA or RA termination</a></li>
257 </ul>
258 </li>
259 <li><a href="#p6">TECHNICAL SECURITY CONTROLS</a>
260 <ul>
261 <li><a href="#p6.1">6.1. Key pair generation and installation</a> </li>
262 <li><a href="#p6.2">6.2. Private Key Protection and Cryptographic Module Engineering Controls</a> </li>
263 <li><a href="#p6.3">6.3. Other aspects of key pair management</a> </li>
264 <li><a href="#p6.4">6.4. Activation data</a> </li>
265 <li><a href="#p6.5">6.5. Computer security controls</a> </li>
266 <li><a href="#p6.6">6.6. Life cycle technical controls</a> </li>
267 <li><a href="#p6.7">6.7. Network security controls</a></li>
268 <li><a href="#p6.8">6.8. Time-stamping</a></li>
269 </ul>
270 </li>
271 <li><a href="#p7">CERTIFICATE, CRL, AND OCSP PROFILES</a>
272 <ul>
273 <li><a href="#p7.1">7.1. Certificate profile</a> </li>
274 <li><a href="#p7.2">7.2. CRL profile</a> </li>
275 <li><a href="#p7.3">7.3. OCSP profile</a> </li>
276 </ul>
277 </li>
278 <li><a href="#p8">COMPLIANCE AUDIT AND OTHER ASSESSMENTS</a>
279 <ul>
280 <li><a href="#p8.1">8.1. Frequency or circumstances of assessment</a></li>
281 <li><a href="#p8.2">8.2. Identity/qualifications of assessor</a></li>
282 <li><a href="#p8.3">8.3. Assessor's relationship to assessed entity</a></li>
283 <li><a href="#p8.4">8.4. Topics covered by assessment</a></li>
284 <li><a href="#p8.5">8.5. Actions taken as a result of deficiency</a></li>
285 <li><a href="#p8.6">8.6. Communication of results</a></li>
286 </ul>
287 </li>
288 <li><a href="#p9">OTHER BUSINESS AND LEGAL MATTERS</a>
289 <ul>
290 <li><a href="#p9.1">9.1. Fees</a> </li>
291 <li><a href="#p9.2">9.2. Financial responsibility</a> </li>
292 <li><a href="#p9.3">9.3. Confidentiality of business information</a> </li>
293 <li><a href="#p9.4">9.4. Privacy of personal information</a> </li>
294 <li><a href="#p9.5">9.5. Intellectual property rights</a></li>
295 <li><a href="#p9.6">9.6. Representations and warranties</a> </li>
296 <li><a href="#p9.7">9.7. Disclaimers of warranties</a></li>
297 <li><a href="#p9.8">9.8. Limitations of liability</a></li>
298 <li><a href="#p9.9">9.9. Indemnities</a></li>
299 <li><a href="#p9.10">9.10. Term and termination</a> </li>
300 <li><a href="#p9.11">9.11. Individual notices and communications with participants</a></li>
301 <li><a href="#p9.12">9.12. Amendments</a> </li>
302 <li><a href="#p9.13">9.13. Dispute resolution provisions</a></li>
303 <li><a href="#p9.14">9.14. Governing law</a></li>
304 <li><a href="#p9.15">9.15. Compliance with applicable law</a></li>
305 <li><a href="#p9.16">9.16. Miscellaneous provisions</a> </li>
306 </ul>
307 </li>
308 </ol>
309
310 </nav>
311
312 </header>
313
314
315 <!-- *************************************************************** -->
316 <section id="p1">
317 <h2>1. INTRODUCTION</h2>
318
319 <section id="p1.1">
320 <h3>1.1. Overview</h3>
321
322 <p>
323 This document is the Certification Practice Statement (CPS) of
324 CAcert, the Community Certification Authority (CA).
325 It describes rules and procedures used by CAcert for
326 operating its CA,
327 and applies to all CAcert PKI Participants,
328 including Assurers, Members, and CAcert itself.
329 </p>
330 </section>
331
332 <section id="p1.2">
333 <h3>1.2. Document name and identification</h3>
334
335 <p>
336 This document is the Certification Practice Statement (CPS) of CAcert.
337 The CPS also fulfills the role of the Certificate Policy (CP)
338 for each class of certificate.
339 </p>
340
341 <ul>
342 <li>
343 This document is COD6 under the CAcert Official Documents numbering scheme.
344 </li>
345 <li>
346 The document is structured according to
347 Chokhani, et al,
348 <a href="http://www.ietf.org/rfc/rfc3647.txt">RFC3647</a>,
349 <a href="http://tools.ietf.org/html/rfc3647#section-4">chapter 4</a>.
350 All headings derive from that Chapter.
351 </li>
352 <li>
353 It has been improved and reviewed (or will be reviewed)
354 to meet or exceed the criteria of the
355 <cite>Certificate Authority Review Checklist</cite>
356 from <em>David E. Ross</em> ("DRC")
357 and Mozilla Foundation's CA policy.
358 </li>
359 <li>
360 OID assigned to this document: 1.3.6.1.4.1.18506.4.4.x (x=approved Version)
361 (<a href="http://www.iana.org/assignments/enterprise-numbers">iana.org</a>)
362
363 </li>
364 <li>
365 &copy; CAcert Inc. 2006-2009.
366 <!-- note that CCS policies must be controlled by CAcert Inc. -->
367 </li>
368 <li>
369 Issued under the CAcert document licence policy,
370 as and when made policy.
371 See <a href="https://wiki.cacert.org/PolicyDrafts/DocumentLicence">
372 PolicyDrafts/DocumentLicence</a>.
373
374 </li>
375 <li>
376 Earlier notes were written by Christian Barmala
377 in a document placed under GNU Free Document License
378 and under FSF copyright.
379 However this clashed with the control provisions of
380 Configuration-Control Specification
381 (COD2) within Audit criteria.
382 </li>
383 </ul>
384
385 <p>
386 The CPS is an authoritative document,
387 and rules other documents
388 except where explicitly deferred to.
389 See also <a href="#p1.5.1">1.5.1 Organisation Administering the Document</a>.
390 </p>
391 </section>
392
393 <section id="p1.3">
394 <h3>1.3. PKI participants</h3>
395
396 <p>
397 The CA is legally operated by CAcert Incorporated,
398 an Association registered in 2002 in
399 New South Wales, Australia,
400 on behalf of the wider Community of Members of CAcert.
401 The Association details are at the
402 <a href="https://wiki.cacert.org/CAcertInc">CAcert wiki</a>.
403 </p>
404
405 <p>
406 CAcert is a Community formed of Members who agree to the
407 CAcert Community Agreement (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>).
408 The CA is technically operated by the Community,
409 under the direction of the Board of CAcert Incorporated.
410 (The Members of the Community are not to be confused
411 with the <em>Association Members</em>, which latter are
412 not referred to anywhere in this CPS.)
413 </p>
414
415 <section id="p1.3.1">
416 <h4>1.3.1. Certification authorities</h4>
417 <p>
418 CAcert does not issue certificates to external
419 intermediate CAs under the present CPS.
420 </p>
421 </section>
422
423 <section id="p1.3.2">
424 <h4>1.3.2. Registration authorities</h4>
425 <p>
426 Registration Authorities (RAs) are controlled under Assurance Policy
427 (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>).
428 </p>
429 </section>
430
431 <section id="p1.3.3">
432 <h4>1.3.3. Subscribers</h4>
433
434 <p>
435 CAcert issues certificates to Members only.
436 Such Members then become Subscribers.
437 </p>
438 </section>
439
440 <section id="p1.3.4">
441 <h4>1.3.4. Relying parties</h4>
442
443 <p>
444 A relying party is a Member,
445 having agreed to the
446 CAcert Community Agreement
447 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>),
448 who, in the act of using a CAcert certificate,
449 makes a decision on the basis of that certificate.
450 </p>
451 </section>
452
453 <section id="p1.3.5">
454 <h4>1.3.5. Other participants</h4>
455
456 <dl>
457
458 <dt>Member</dt>
459 <dd>Membership of the Community is as defined in the
460 <a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>.
461 Only Members may RELY or may become Subscribers.
462 Membership is free.
463 </dd>
464
465 <dt>Arbitrator</dt>
466 <dd>A senior and experienced Member of the CAcert Community
467 who resolves disputes between Members, including ones
468 of certificate reliance, under
469 Dispute Resolution Policy
470 (<a href="https://www.cacert.org/policy/DisputeResolutionPolicy.html">COD7</a>).
471 </dd>
472
473 <dt>Vendor</dt>
474 <dd>Software suppliers who integrate the root certificates of CAcert
475 into their software also assume a proxy role of Relying Parties,
476 and are subject to another licence.
477 </dd>
478
479 <dt>Non-Related Persons (NRPs)</dt>
480 <dd>These are users of browsers and similar software who are
481 unaware of the CAcert certificates they may use, and
482 are unaware of the ramifications of usage.
483 Their relationship with CAcert
484 is described by the
485 Root Distribution License
486 (<a href="https://www.cacert.org/policy/RootDistributionLicense.html">COD14</a>).
487 No other rights nor relationship is implied or offered.
488 </dd>
489
490 </dl>
491 </section>
492
493 </section>
494
495 <section id="p1.4">
496 <h3>1.4. Certificate usage</h3>
497
498 <p>CAcert serves as issuer of certificates for
499 individuals, businesses, governments, charities,
500 associations, churches, schools,
501 non-governmental organisations or other groups.
502 CAcert certificates are intended for low-cost
503 community applications especially where volunteers can
504 become Assurers and help CAcert to help the Community.
505 </p>
506
507 <p>
508 Types of certificates and their appropriate and
509 corresponding applications are defined in
510 <a href="#p1.4.1">&sect;1.4.1</a>.
511 Prohibited applications are defined in <a href="#p1.4.2">&sect;1.4.2</a>.
512 Specialist uses may be agreed by contract or within
513 a specific environment, as described in
514 <a href="#p1.4.4">&sect;1.4.4</a>.
515 Note also the
516 unreliable applications in
517 <a href="#p1.4.3">&sect;1.4.3</a>
518 and risks, liabilities and obligations in
519 <a href="#p9">&sect;9</a>.
520 </p>
521
522 <figure id="t1.4">
523 <table border="1" class="parentC">
524 <thead>
525 <tr>
526 <th colspan="2" class="i">Type</th>
527 <th colspan="2" class="i">Appropriate Certificate uses</th>
528 </tr>
529 <tr>
530 <th class="b">General</th>
531 <th class="b">Protocol</th>
532 <th class="b">Description</th>
533 <th class="b">Comments</th>
534 </tr>
535 </thead>
536 <tbody>
537 <tr>
538 <th scope="rowgroup" rowspan="2">Server</th>
539 <th scope="row" class="l"> TLS </th>
540 <td> web server encryption </td>
541 <td> enables encryption </td>
542 </tr>
543 <tr>
544 <th scope="row" class="l"> embedded </th>
545 <td> embedded server authentication </td>
546 <td> mail servers, IM-servers </td>
547 </tr>
548 </tbody>
549 <tbody>
550 <tr>
551 <th scope="rowgroup" rowspan="4">Client</th>
552 <th scope="row" class="l"> S/MIME </th>
553 <td> email encryption </td>
554 <td> "digital signatures" employed in S/MIME
555 are not legal / human signatures,
556 but instead enable the encryption mode of S/MIME </td>
557 </tr>
558 <tr>
559 <th scope="row" class="l"> TLS </th>
560 <td> client authentication </td>
561 <td> the nodes must be secure </td>
562 </tr>
563 <tr>
564 <th scope="row" class="l"> TLS </th>
565 <td> web based signature applications </td>
566 <td> the certificate authenticates only. See <a href="#p1.4.3">&sect;1.4.3</a>. </td>
567 </tr>
568 <tr>
569 <th scope="row" class="l"> &quot;Digital Signing&quot; </th>
570 <td> for human signing over documents </td>
571 <td> Only within a wider application and rules
572 such as by separate policy,
573 as agreed by contract, etc.
574 See <a href="#p1.4.4">&sect;1.4.4</a>.
575 </td>
576 </tr>
577 </tbody>
578 <tbody>
579 <tr>
580 <th scope="rowgroup">Code</th>
581 <th scope="row" class="l"> Authenticode, ElfSign, Java </th>
582 <td> Code Signing </td>
583 <td> Signatures on packages are evidence of their Membership and indicative of Identity </td>
584 </tr>
585 </tbody>
586 <tbody>
587 <tr>
588 <th scope="rowgroup">PGP</th>
589 <th scope="row" class="l"> OpenPGP </th>
590 <td> Key Signing </td>
591 <td> Signatures on Member Keys are evidence of their Membership and indicative of Identity </td>
592 </tr>
593 </tbody>
594 <tbody>
595 <tr>
596 <th scope="rowgroup">Special</th>
597 <th scope="row" class="l"> X.509 </th>
598 <td> OCSP, Timestamping </td>
599 <td> Only available to CAcert Systems Administrators, as controlled by Security Policy </td>
600 </tr>
601 </tbody>
602 </table>
603
604 <figcaption>Table 1.4. Types of Certificate</figcaption>
605 </figure>
606
607
608 <section id="p1.4.1">
609 <h4>1.4.1. Appropriate certificate uses</h4>
610
611 <p>
612 General uses.
613 </p>
614
615 <ul><li>
616 CAcert server certificates can be used to enable encryption
617 protection in web servers.
618 Suitable applications include webmail and chat forums.
619 </li><li>
620 CAcert server certificates can be used to enable encryption
621 in SSL/TLS links in embedded protocols such as mail servers
622 and IM-servers.
623 </li><li>
624 CAcert client certificates can be used to enable encryption
625 protection in email clients.
626 (See <a href="#p1.4.3">&sect;1.4.3</a> for caveat on signatures.)
627 </li><li>
628 CAcert client certificates can be used to replace password-based
629 authentication to web servers.
630 </li><li>
631 OpenPGP keys with CAcert signatures can be used
632 to encrypt and sign files and emails,
633 using software compatible with OpenPGP.
634 </li><li>
635 CAcert client certificates can be used in web-based
636 authentication applications.
637 </li><li>
638 CAcert code signing certificates can be used to sign code
639 for distribution to other people.
640 </li><li>
641 Time stamping can be used to attach a time record
642 to a digital document.
643 </li></ul>
644 </section>
645
646
647 <section id="p1.4.2">
648 <h4>1.4.2. Prohibited certificate uses</h4>
649 <p>
650 CAcert certificates are not designed, intended, or authorised for
651 the following applications:
652 </p>
653 <ul><li>
654 Use or resale as control equipment in hazardous circumstances
655 or for uses requiring fail-safe performance such as the operation
656 of nuclear facilities, aircraft navigation or communication systems,
657 air traffic control systems, or weapons control systems,
658 where failure could lead directly to death, personal injury,
659 or severe environmental damage.
660 </li></ul>
661 </section>
662
663 <section id="p1.4.3">
664 <h4>1.4.3. Unreliable Applications</h4>
665
666 <p>
667 CAcert certificates are not designed nor intended for use in
668 the following applications, and may not be reliable enough
669 for these applications:
670 </p>
671
672 <dl>
673 <dt>Signing within Protocols</dt>
674 <dd>
675 Digital signatures made by CAcert certificates carry
676 <span class="u">NO default legal or human meaning</span>.
677 See <a href="#p9.15.1">&sect;9.15.1</a>.
678 Especially, protocols such as S/MIME commonly will automatically
679 apply digital signatures as part of their protocol needs.
680 The purpose of the cryptographic signature in S/MIME
681 and similar protocols is limited by default to strictly
682 protocol security purposes:
683 to provide some confirmation that a familiar certificate
684 is in use, to enable encryption, and to ensure the integrity
685 of the email in transit.
686 </dd>
687
688 <dt>Non-repudiation applications</dt>
689 <dd>
690 Non-repudiation is not to be implied from use of
691 CAcert certificates. Rather, certificates may
692 provide support or evidence of actions, but that
693 evidence is testable in any dispute.
694 </dd>
695
696 <dt>Ecommerce applications</dt>
697 <dd>
698 Financial transactions or payments or valuable e-commerce.
699 </dd>
700
701 <dt>Identity verification</dt>
702 <dd>
703 Use of anonymous (Class 1 or Member SubRoot) certificates
704 in any application that requires or expects identity.
705 </dd>
706 </dl>
707 </section>
708
709
710 <section id="p1.4.4">
711 <h4>1.4.4. Limited certificate uses</h4>
712
713 <p>
714 By contract or within a specific environment
715 (e.g. internal to a company),
716 CAcert Members are permitted to use Certificates
717 for higher security, customised or experimental applications.
718 Any such usage, however, is limited to such entities
719 and these entities take on the whole responsibility for
720 any harm or liability caused by such usage.
721 </p>
722
723 <dl>
724 <dt>Digital signing applications</dt>
725 <dd>CAcert client certificates
726 may be used by Assured Members in
727 applications that provide or support the human signing of documents
728 (known here as "digital signing").
729 This must be part of a wider framework and set of rules.
730 Usage and reliance
731 must be documented either under a separate CAcert digital signing
732 policy or other external regime agreed by the parties.</dd>
733 </dl>
734 </section>
735
736 <section id="p1.4.5">
737 <h4>1.4.5. Roots and Names</h4>
738
739 <dl>
740 <dt>Named Certificates</dt>
741 <dd>
742 Assured Members may be issued certificates
743 with their verified names in the certificate. In this role, CAcert
744 operates and supports a network of Assurers who verify the
745 identity of the Members.
746 All Names are verified, either by Assurance or another defined
747 method under policy (c.f. Organisations).
748 </dd>
749
750 <dt>Anonymous Certificates</dt>
751 <dd>
752 Members can be issued certificates that are anonymous,
753 which is defined as the certificate with no Name included,
754 or a shared name such as "Community Member".
755 These may be considered to be somewhere between Named certificates
756 and self-signed certificates. They have serial numbers in them
757 which are ultimately traceable via dispute to a Member, but
758 reliance is undefined.
759 In this role, CAcert provides the
760 infrastructure, saving the Members from managing a difficult
761 and messy process in order to get manufactured certificates.
762 </dd>
763
764 <dt>Pseudonymous Certificates</dt>
765 <dd>
766 Note that CAcert does not currently issue pseudonymous certificates,
767 being those with a name chosen by the Member and not verifiable
768 according to documents.
769 </dd>
770
771 <dt>Advanced Certificates</dt>
772 <dd>
773 Members who are as yet unassured are not permitted to create
774 advanced forms such as wildcard or subjectAltName
775 certificates.
776 </dd>
777
778
779 <dt>Roots</dt>
780 <dd>
781 The CAcert root layout is as below.
782 These roots are pending Audit,
783 and will be submitted to vendors via the (Top-level) Root.
784 <dl>
785 <dt>(Top-level) Root</dt>
786 <dd>
787 Used to sign on-line CAcert SubRoots only.
788 This Root is kept offline.
789 </dd>
790
791 <dt>Member SubRoot</dt>
792 <dd>
793 For Community Members who are new and unassured (some restrictions exist).
794 Reliance is undefined.
795 (Replacement for the Class 1 root, matches "Domain Validation" type.)
796 </dd>
797
798 <dt>Assured SubRoot</dt>
799 <dd>
800 Only available for Assured individual Members,
801 intended to sign certificates with Names.
802 Suitable for Reliance under this and other policies.
803 Approximates the type known as Individual Validation.
804 </dd>
805
806 <dt>Organisation SubRoot</dt>
807 <dd>
808 Only available for Assured Organisation Members.
809 Suitable for Reliance under this and other policies.
810 Approximates the type known as Organisational Validation.
811 </dd>
812 </dl>
813 </dl>
814
815
816 <figure id="t1.4.5.b">
817 <table border="1" class="parentC">
818 <thead>
819 <tr>
820 <th></th>
821 <th colspan="5" class="i">Level of Assurance</th>
822 <th></th>
823 </tr>
824 <tr>
825 <th></th>
826 <th colspan="2" class="b">Members &dagger;</th>
827 <th colspan="2" class="b">Assured Members</th>
828 <th colspan="1" class="b">Assurers</th>
829 <th colspan="1" class="b"></th>
830 </tr>
831 <tr>
832 <th class="i">Class of Root</th>
833 <th class="b">Anon</th>
834 <th>Name</th>
835 <th>Anon</th>
836 <th class="b">Name</th>
837 <th>Name+Anon</th>
838 <th class="i">Remarks</th>
839 </tr>
840 </thead>
841 <tbody>
842 <tr>
843 <th scope="row">Top level<br><strong>Root</strong></th>
844 <td title="pass" class="c clrGreen size3"> &bull;</td>
845 <td title="pass" class="c clrGreen size3"> &bull;</td>
846 <td title="pass" class="c clrGreen size3"> &bull;</td>
847 <td title="pass" class="c clrGreen size3"> &bull;</td>
848 <td title="pass" class="c clrGreen size3"> &bull;</td>
849 <td> Signs other CAcert SubRoots only. </td>
850 </tr>
851 <tr>
852 <th scope="row"><strong>Member</strong><br>SubRoot</th>
853 <td title="pass" class="c clrGreen size3"> &#10004;</td>
854 <td title="fail" class="c clrRed size3"> &#10008;</td>
855 <td title="pass" class="c clrGreen size3"> &#10004;</td>
856 <td title="pass" class="c clrGreen size3"> &#10004;</td>
857 <td title="pass" class="c clrGreen size3"> &#10004;</td>
858 <td> &dagger; For Members meeting basic checks in <a href="#p4.2.2">&sect;4.2.2</a><br>(Reliance is undefined.) </td>
859 </tr>
860 <tr>
861 <th scope="row"><strong>Assured</strong><br>SubRoot</th>
862 <td title="fail" class="c clrRed size3"> &#10008;</td>
863 <td title="fail" class="c clrRed size3"> &#10008;</td>
864 <td title="pass" class="c clrGreen size3"> &#10004;</td>
865 <td title="pass" class="c clrGreen size3"> &#10004;</td>
866 <td title="pass" class="c clrGreen size3"> &#10004;</td>
867 <td> Assured Members only.<br>Fully intended for reliance. </td>
868 </tr>
869 <tr>
870 <th scope="row"><strong>Organisation</strong><br>SubRoot</th>
871 <td title="fail" class="c clrRed size3"> &#10008;</td>
872 <td title="fail" class="c clrRed size3"> &#10008;</td>
873 <td title="pass" class="c clrGreen size3"> &#10004;</td>
874 <td title="pass" class="c clrGreen size3"> &#10004;</td>
875 <td title="pass" class="c clrGreen size3"> &#10004;</td>
876 <td> Assured Organisation Members only.<br>Fully intended for reliance. </td>
877 </tr>
878 <tr>
879 <th scope="row">Expiry of Certificates</th>
880 <td colspan="2" class="c">6 months</td>
881 <td colspan="3" class="c">24 months</td>
882 <td></td>
883 </tr>
884 <tr>
885 <th scope="row">Types</th>
886 <td colspan="2" class="c">client, server</td>
887 <td colspan="2" class="c">wildcard, subjectAltName</td>
888 <td colspan="1" class="c">code-signing</td>
889 <td> (Inclusive to the left.) </td>
890 </tr>
891 </tbody>
892 </table>
893
894 <figcaption>Table 1.4.5.b Certificate under Audit Roots</figcaption>
895 </figure>
896
897 </section>
898
899 </section>
900
901
902 <section id="p1.5">
903 <h3>1.5. Policy administration</h3>
904
905 <p>See <a href="#p1.2">1.2 Document Name and Identification</a>
906 for general scope of this document.</p>
907
908 <section id="p1.5.1">
909 <h4>1.5.1. Organization administering the document</h4>
910
911 <p>
912 This document is administered by the policy group of
913 the CAcert Community under Policy on Policy (<a href="https://www.cacert.org/policy/PolicyOnPolicy.html">COD1</a>).
914 </p>
915 </section>
916
917 <section id="p1.5.2">
918 <h4>1.5.2. Contact person</h4>
919 <p>
920 For questions, including those about this document:
921 </p>
922 <ul>
923 <li>Join the policy group, by means of the discussion forum at
924 <a href="https://lists.cacert.org/wws/lists">
925 lists.cacert.org</a> . </li>
926 <li>Send email to &lt; support AT cacert DOT org &gt; </li>
927 <li>IRC: irc.cacert.org #CAcert (ssl port 7000, non-ssl port 6667)</li>
928 </ul>
929 </section>
930
931 <section id="p1.5.3">
932 <h4>1.5.3. Person determining CPS suitability for the policy</h4>
933 <p>
934 This CPS and all other policy documents are managed by
935 the policy group, which is a group of Members of the
936 Community found at the policy forum. See discussion forums above.
937 </p>
938 </section>
939
940 <section id="p1.5.4">
941 <h4>1.5.4. CPS approval procedures</h4>
942 <p>
943 The CPS is controlled and updated according to the
944 Policy on Policy
945 (<a href="https://www.cacert.org/policy/PolicyOnPolicy.html">COD1</a>)
946 which is part of
947 Configuration-Control Specification (<a href="https://svn.cacert.org/CAcert/Policies/ConfigurationControlSpecification.html">COD2</a>).
948 </p>
949
950 <p>
951 In brief, the policy forum prepares and discusses.
952 After a last call, the document moves to DRAFT status
953 for a defined period.
954 If no challenges have been received in the defined period,
955 it moves to POLICY status.
956 The process is modelled after some elements of
957 the RFC process by the IETF.
958 </p>
959 </section>
960
961 <section id="p1.5.5">
962 <h4>1.5.5. CPS updates</h4>
963
964 <p>
965 As per above.
966 </p>
967 </section>
968
969 </section>
970
971
972 <section id="p1.6">
973 <h3>1.6. Definitions and acronyms</h3>
974
975 <dl>
976
977 <dt id="d_cert">Certificate</dt>
978 <dd>
979 A certificate is a piece of cryptographic data used
980 to validate certain statements, especially those of
981 identity and membership.
982 </dd>
983
984 <dt id="d_cacert">CAcert</dt>
985 <dd>
986 CAcert is a Community certificate authority as defined under
987 <a href="#p1.2">&sect;1.2 Identification</a>.
988 </dd>
989
990 <dt id="d_member">Member</dt>
991 <dd>
992 Everyone who agrees to the
993 CAcert Community Agreement
994 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>).
995 This generally implies having an account registered
996 at CAcert and making use of CAcert's data, programs or services.
997 A Member may be an individual ("natural person")
998 or an organisation (sometimes, "legal person").
999 </dd>
1000
1001 <dt id="d_community">Community</dt>
1002 <dd>
1003 The group of Members who agree to the
1004 CAcert Community Agreement
1005 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>)
1006 or equivalent agreements.
1007 </dd>
1008
1009 <dt id="d_unassured">Unassured Member</dt>
1010 <dd>
1011 A Member who has not yet been Assured.
1012 </dd>
1013
1014 <dt id="d_subscriber">Subscriber</dt>
1015 <dd>
1016 A Member who requests and receives a certificate.
1017 </dd>
1018
1019 <dt id="d_assured">Assured Member</dt>
1020 <dd>
1021 A Member whose identity has been sufficiently
1022 verified by Assurers or other
1023 approved methods under Assurance Policy.
1024 </dd>
1025
1026 <dt id="d_assurer">Assurer</dt>
1027 <dd>
1028 An Assured Member who is authorised under Assurance Policy
1029 to verify the identity of other Members.
1030 </dd>
1031
1032 <dt id="d_name">Name</dt>
1033 <dd>
1034 As defined in the
1035 Assurance Policy
1036 (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>),
1037 to describe a name of a Member
1038 that is verified by the Assurance process.
1039 </dd>
1040
1041 <dt id="d_oadmin">Organisation Administrator</dt>
1042 <dd>
1043 ("O-Admin")
1044 An Assurer who is authorised to act for an Organisation.
1045 The O-Admin is authorised by an organisation
1046 to vouch for the identity of other users of the organisation.
1047 </dd>
1048
1049 <dt id="d_org_ass">Organisation Assurer</dt>
1050 <dd>
1051 An Assurer who is authorised to conduct assurances on
1052 organisations.
1053 </dd>
1054
1055 <dt id="d_user">Non-Related Persons</dt>
1056 <dd>
1057 ("NRPs")
1058 are general users of browsers and similar software.
1059 The NRPs are generally unaware of
1060 CAcert or the certificates that they may use, and
1061 are unaware of the ramifications of usage.
1062 They are not permitted to RELY, but may USE, under the
1063 Root Distribution License (<a href="https://www.cacert.org/policy/RootDistributionLicense.html">COD14</a>).
1064 </dd>
1065
1066 <dt id="d_reliance">Reliance</dt>
1067 <dd>
1068 An industry term referring to
1069 the act of making a decision, including taking a risk,
1070 where that decision is, in part or in whole,
1071 informed by or based on the contents of a certificate.
1072 </dd>
1073
1074 <dt id="d_relparty">Relying Party</dt>
1075 <dd>
1076 An industry term referring to someone who relies
1077 (that is, makes decisions or takes risks)
1078 in part or in whole on a certificate.
1079 </dd>
1080
1081 <dt>Subscriber Naming</dt>
1082 <dd>
1083 The term used in this CPS to
1084 describe all naming data within a certificate.
1085 Approximately similar terms from Industry such as
1086 "Subject naming" and "Distinguished Name"
1087 are not used here.
1088 </dd>
1089
1090 <dt id="d_verification">Verification</dt>
1091 <dd>
1092 An industry term referring to
1093 the act of checking and controlling
1094 the accuracy and utility of a single claim.
1095 </dd>
1096
1097 <dt id="d_validation">Validation</dt>
1098 <dd>
1099 An industry term referring to the process of
1100 inspecting and verifying the information and
1101 subsidiary claims behind a claim.
1102 </dd>
1103
1104 <dt id="usage">Usage</dt>
1105 <dd>
1106 The event of allowing a certificate to participate in
1107 a protocol, as decided and facilitated by a user's software.
1108 Generally, Usage does not require significant input, if any,
1109 on the part of the user.
1110 This defers all decisions to the user software,
1111 thus elevating the software as user's only and complete
1112 Validation Authority or Agent.
1113 </dd>
1114
1115 <dt id="drel">CAcert Relying Party</dt>
1116 <dd>
1117 CAcert Members who make decisions based in part or in whole
1118 on a certificate issued by CAcert.
1119 Only CAcert Members are permitted to Rely on CAcert certificates,
1120 subject to the CAcert Community Agreement.
1121 </dd>
1122
1123 <dt id="ddst">Vendors</dt>
1124 <dd>
1125 Non-members who distribute CAcert's root or intermediate certificates
1126 in any way, including but not limited to delivering these
1127 certificates with their products, e.g. browsers, mailers or servers.
1128 Vendors are covered under a separate licence.
1129 </dd>
1130
1131 <dt id="d_ccs">Configuration-Control Specification "CCS"</dt>
1132 <dd>
1133 The audit criteria that control this CPS.
1134 The CCS is documented in COD2, itself a controlled document under CCS.
1135 </dd>
1136
1137 <dt id="d_cod">CAcert Official Document (COD)</dt>
1138 <dd>
1139 Controlled Documents that are part of the CCS.
1140 </dd>
1141
1142 </dl>
1143 </section>
1144
1145 </section>
1146
1147
1148 <!-- *************************************************************** -->
1149 <section id="p2">
1150 <h2>2. PUBLICATION AND REPOSITORY RESPONSIBILITIES</h2>
1151
1152 <section id="p2.1">
1153 <h3>2.1. Repositories</h3>
1154
1155 <p>
1156 CAcert operates no repositories in the sense
1157 of lookup for non-certificate-related information
1158 for the general public.
1159 </p>
1160
1161 <p>
1162 Under the Assurance Policy (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>),
1163 there are means for Members to search, retrieve
1164 and verify certain data about themselves and others.
1165 </p>
1166 </section>
1167
1168 <section id="p2.2">
1169 <h3>2.2. Publication of certification information</h3>
1170
1171 <p>
1172 CAcert publishes:
1173 </p>
1174 <ul>
1175 <li>A repository of CRLs. An OCSP responder is in operation.</li>
1176 <li>The root certificate and intermediate certificates.</li>
1177 </ul>
1178
1179 <p>
1180 CAcert does not expressly publish information on issued certificates.
1181 However, due to the purpose of certificates, and the essential
1182 public nature of Names and email addresses, all information within
1183 certificates is presumed to be public and published, once
1184 issued and delivered to the Member.
1185 </p>
1186 </section>
1187
1188 <section id="p2.3">
1189 <h3>2.3. Time or frequency of publication</h3>
1190
1191 <p>
1192 Root and Intermediate Certificates and CRLs are
1193 made available on issuance.
1194 </p>
1195 </section>
1196
1197 <section id="p2.4">
1198 <h3>2.4. Access controls on repositories</h3>
1199 <p> No stipulation. </p>
1200 </section>
1201
1202 </section>
1203
1204
1205 <!-- *************************************************************** -->
1206 <section id="p3">
1207 <h2>3. IDENTIFICATION AND AUTHENTICATION</h2>
1208
1209 <section id="p3.1">
1210 <h3>3.1. Naming</h3>
1211
1212 <section id="p3.1.1">
1213 <h4>3.1.1. Types of names</h4>
1214
1215 <section id="p3.1.1.1">
1216 <h5>3.1.1.1. Client Certificates</h5>
1217 <p>
1218 The Subscriber Naming consists of:
1219 </p>
1220 <dl>
1221 <dt><code>subjectAltName=</code></dt>
1222 <dd>
1223 One, or more, of the Subscriber's verified email addresses,
1224 in rfc822Name format.
1225 </dd>
1226
1227 <dt><code>EmailAddress=</code></dt>
1228 <dd>
1229 One, or more, of the Subscriber's verified email addresses.
1230 This is deprecated under
1231 <a href="http://tools.ietf.org/html/rfc5280#section-4.2.1.6">RFC5280 4.1.2.6</a>
1232 and is to be phased out. Also includes a SHA1 hash of a random number if
1233 the member selects SSO (Single Sign On ID) during submission of CSR.
1234 </dd>
1235
1236 <dt><code>CN=</code></dt>
1237 <dd>
1238 The common name takes its value from one of:
1239 <ul><li>
1240 For all Members,
1241 the string "<code>CAcert WoT Member</code>" may be used for
1242 anonymous certificates.
1243 </li><li>
1244 For individual Members,
1245 a Name of the Subscriber,
1246 as Assured under AP.
1247 </li><li>
1248 For Organisation Members,
1249 an organisation-chosen name,
1250 as verified under OAP.
1251 </li></ul>
1252 </dd>
1253 </dl>
1254 </section>
1255
1256 <section id="p3.1.1.2">
1257 <h5>3.1.1.2. Individual Server Certificates</h5>
1258 <p>
1259 The Subscriber Naming consists of:
1260 </p>
1261 <dl>
1262 <dt><code>CN=</code></dt>
1263 <dd>
1264 The common name is the host name out of a domain
1265 for which the Member is a domain master.
1266 </dd>
1267 <dt><code>subjectAltName=</code></dt>
1268 <dd>
1269 Additional host names for which the Member
1270 is a domain master may be added to permit the
1271 certificate to serve multiple domains on one IP number.
1272 </dd>
1273 <dt>Other</dt>
1274 <dd>
1275 All other fields are optional and must either match
1276 the CN or they must be empty.
1277 </dd>
1278 </dl>
1279 </section>
1280
1281 <section id="p3.1.1.3">
1282 <h5>3.1.1.3. Certificates for Organisations</h5>
1283 <p>
1284 In addition to the above, the following applies:
1285 </p>
1286 <dl>
1287 <dt><code>OU=</code></dt><dd>organizationalUnitName (set by O-Admin, must be verified by O-Admin).</dd>
1288 <dt><code>O=</code></dt><dd>organizationName is the fixed name of the Organisation.</dd>
1289 <dt><code>L=</code></dt>
1290 <dd>localityName</dd>
1291 <dt><code>ST=</code></dt>
1292 <dd>stateOrProvinceName</dd>
1293 <dt><code>C=</code></dt>
1294 <dd>countryName</dd>
1295 <dt><code>contact=</code></dt>
1296 <dd>
1297 EMail Address of Contact.
1298 <!-- not included in RFC5280 4.1.2.4 list, but list is not restricted -->
1299 </dd>
1300 </dl>
1301
1302 <p>
1303 Except for the OU and CN, fields are taken from the Member's
1304 account and are as verified by the Organisation Assurance process.
1305 Other Subscriber information that is collected and/or retained
1306 does not go into the certificate.
1307 </p>
1308 </section>
1309
1310 </section>
1311
1312 <section id="p3.1.2">
1313 <h4>3.1.2. Need for names to be meaningful</h4>
1314
1315 <p>
1316 Each Member's Name (<code>CN=</code> field)
1317 is assured under the Assurance Policy (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>)
1318 or subsidiary policies (such as Organisation Assurance Policy).
1319 Refer to those documents for meanings and variations.
1320 </p>
1321
1322 <p>
1323 Anonymous certificates have the same <code>subject</code>
1324 field common name.
1325 See <a href="#p1.4.5">&sect;1.4.5</a>.
1326 </p>
1327
1328 <p>
1329 Email addresses are verified according to
1330 <a href="#p4.2.2">&sect;4.2.2.</a>
1331 </p>
1332 </section>
1333
1334 <section id="p3.1.3">
1335 <h4>3.1.3. Anonymity or pseudonymity of subscribers</h4>
1336
1337 <p>
1338 See <a href="#p1.4.5">&sect;1.4.5</a>.
1339 </p>
1340 </section>
1341
1342 <section id="p3.1.4">
1343 <h4>3.1.4. Rules for interpreting various name forms</h4>
1344 <p>
1345 Interpretation of Names is controlled by the Assurance Policy,
1346 is administered by means of the Member's account,
1347 and is subject to change by the Arbitrator.
1348 Changes to the interpretation by means of Arbitration
1349 should be expected as fraud (e.g., phishing)
1350 may move too quickly for policies to fully document rules.
1351 </p>
1352 </section>
1353
1354 <section id="p3.1.5">
1355 <h4>3.1.5. Uniqueness of names</h4>
1356
1357 <p>
1358 Uniqueness of Names within certificates is not guaranteed.
1359 Each certificate has a unique serial number which maps
1360 to a unique account, and thus maps to a unique Member.
1361 See the Assurance Statement within Assurance Policy
1362 (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>).
1363 </p>
1364
1365 <p>
1366 Domain names and email addresses
1367 can only be registered to one Member.
1368 </p>
1369 </section>
1370
1371 <section id="p3.1.6">
1372 <h4>3.1.6. Recognition, authentication, and role of trademarks</h4>
1373
1374 <p>
1375 Organisation Assurance Policy
1376 (<a href="https://www.cacert.org/policy/OrganisationAssurancePolicy.html">COD11</a>)
1377 controls issues such as trademarks where applicable.
1378 A trademark can be disputed by filing a dispute.
1379 See
1380 <a href="#p9.13">&sect;9.13</a>.
1381 </p>
1382 </section>
1383
1384 <section id="p3.1.7">
1385 <h4>3.1.7. International Domain Names</h4>
1386
1387 <p>
1388 Certificates containing International Domain Names, being those containing an
1389 ACE prefix (<a href="http://www.ietf.org/rfc/rfc3490#section-5">RFC3490
1390 Section 5</a>), will only be issued to domains satisfying one or more
1391 of the following conditions:</p>
1392 <ul>
1393 <li>The Top Level Domain (TLD) Registrar associated with the domain has a policy
1394 that has taken measures to prevent two homographic domains being registered to
1395 different entities down to an accepted level.
1396 </li>
1397 <li>Domains contain only code points from a single Unicode character script,
1398 excluding the "Common" script, with the additionally allowed numeric
1399 characters [0-9], and an ASCII hyphen '-'.
1400 </li>
1401 </ul>
1402
1403
1404 <p>Email addresses containing International Domain Names in the domain portion of
1405 the email address will also be required to satisfy one of the above conditions.
1406 </p>
1407
1408 <p>
1409 The following is a list of accepted TLD Registrars:</p>
1410 <table>
1411
1412 <tr>
1413 <td>.ac</td>
1414 <td><a href="http://www.nic.ac/">Registry</a></td>
1415 <td><a href="http://www.nic.ac/pdf/AC-IDN-Policy.pdf">Policy</a></td>
1416 </tr>
1417 <tr>
1418 <td>.ar</td>
1419
1420 <td><a href="http://www.nic.ar/">Registry</a></td>
1421 <td><a href="http://www.nic.ar/616.html">Policy</a></td>
1422 </tr>
1423 <tr>
1424 <td>.at</td>
1425 <td><a href="http://www.nic.at/">Registry</a></td>
1426 <td><a href="http://www.nic.at/en/service/legal_information/registration_guidelines/">Policy</a> (<a href="http://www.nic.at/en/service/technical_information/idn/charset_converter/">character list</a>)</td>
1427
1428 </tr>
1429 <tr>
1430 <td>.biz</td>
1431 <td><a href="http://www.neustarregistry.biz/">Registry</a></td>
1432 <td><a href="http://www.neustarregistry.biz/products/idns">Policy</a></td>
1433 </tr>
1434 <tr>
1435
1436 <td>.br</td>
1437 <td><a href="http://registro.br/">Registry</a></td>
1438 <td><a href="http://registro.br/faq/faq6.html">Policy</a></td>
1439 </tr>
1440 <tr>
1441 <td>.cat</td>
1442 <td><a href="http://www.domini.cat/">Registry</a></td>
1443
1444 <td><a href="http://www.domini.cat/normativa/en_normativa_registre.html">Policy</a></td>
1445 </tr>
1446 <tr>
1447 <td>.ch</td>
1448 <td><a href="http://www.switch.ch/id/">Registry</a></td>
1449 <td><a href="http://www.switch.ch/id/terms/agb.html#anhang1">Policy</a></td>
1450 </tr>
1451
1452 <tr>
1453 <td>.cl</td>
1454 <td><a href="http://www.nic.cl/">Registry</a></td>
1455 <td><a href="http://www.nic.cl/CL-IDN-policy.html">Policy</a></td>
1456 </tr>
1457 <tr>
1458 <td>.cn</td>
1459
1460 <td><a href="http://www.cnnic.net.cn/">Registry</a></td>
1461 <td><a href="http://www.faqs.org/rfcs/rfc3743.html">Policy</a> (JET Guidelines)</td>
1462 </tr>
1463 <tr>
1464 <td>.de</td>
1465 <td><a href="http://www.denic.de/">Registry</a></td>
1466
1467 <td><a href="http://www.denic.de/en/richtlinien.html">Policy</a></td>
1468 </tr>
1469 <tr>
1470 <td>.dk</td>
1471 <td><a href="http://www.dk-hostmaster.dk/">Registry</a></td>
1472 <td><a href="http://www.dk-hostmaster.dk/index.html?id=151">Policy</a></td>
1473 </tr>
1474
1475 <tr>
1476 <td>.es</td>
1477 <td><a href="https://www.nic.es/">Registry</a></td>
1478 <td><a href="https://www.nic.es/media/2008-12/1228818323935.pdf">Policy</a></td>
1479 </tr>
1480 <tr>
1481 <td>.fi</td>
1482
1483 <td><a href="http://www.ficora.fi/">Registry</a></td>
1484 <td><a href="http://www.ficora.fi/en/index/palvelut/fiverkkotunnukset/aakkostenkaytto.html">Policy</a></td>
1485 </tr>
1486 <tr>
1487 <td>.gr</td>
1488 <td><a href="https://grweb.ics.forth.gr/english/index.html">Registry</a></td>
1489 <td><a href="https://grweb.ics.forth.gr/english/ENCharacterTable1.jsp">Policy</a></td>
1490
1491 </tr>
1492 <tr>
1493 <td>.hu</td>
1494 <td><a href="http://www.domain.hu/domain/">Registry</a></td>
1495 <td><a href="http://www.domain.hu/domain/English/szabalyzat.html">Policy</a> (section 2.1.2)</td>
1496 </tr>
1497
1498 <tr>
1499 <td>.info</td>
1500 <td><a href="http://www.afilias.info/">Registry</a></td>
1501 <td><a href="http://www.afilias.info/register/idn/">Policy</a></td>
1502 </tr>
1503 <tr>
1504 <td>.io</td>
1505
1506 <td><a href="http://www.nic.io">Registry</a></td>
1507 <td><a href="http://www.nic.io/IO-IDN-Policy.pdf">Policy</a></td>
1508 </tr>
1509 <tr>
1510 <td>.ir</td>
1511 <td><a href="https://www.nic.ir/">Registry</a></td>
1512 <td><a href="https://www.nic.ir/IDN">Policy</a></td>
1513
1514 </tr>
1515 <tr>
1516 <td>.is</td>
1517 <td><a href="http://www.isnic.is/">Registry</a></td>
1518 <td><a href="http://www.isnic.is/english/domain/rules.html">Policy</a></td>
1519 </tr>
1520 <tr>
1521
1522 <td>.jp</td>
1523 <td><a href="http://jprs.co.jp/">Registry</a></td>
1524 <td><a href="http://www.iana.org/assignments/idn/jp-japanese.html">Policy</a></td>
1525 </tr>
1526 <tr>
1527 <td>.kr</td>
1528 <td><a href="http://domain.nic.or.kr/">Registry</a></td>
1529
1530 <td><a href="http://www.faqs.org/rfcs/rfc3743.html">Policy</a> (JET Guidelines)</td>
1531 </tr>
1532 <tr>
1533 <td>.li</td>
1534 <td><a href="http://www.switch.ch/id/">Registry</a></td>
1535 <td><a href="http://www.switch.ch/id/terms/agb.html#anhang1">Policy</a> (managed by .ch registry)</td>
1536
1537 </tr>
1538 <tr>
1539 <td>.lt</td>
1540 <td><a href="http://www.domreg.lt/public?pg=&amp;sp=&amp;loc=en">Registry</a></td>
1541 <td><a href="http://www.domreg.lt/public?pg=8A7FB6&amp;sp=idn&amp;loc=en">Policy</a> (<a href="http://www.domreg.lt/static/doc/public/idn_symbols-en.pdf">character list</a>)</td>
1542
1543 </tr>
1544 <tr>
1545 <td>.museum</td>
1546 <td><a href="http://about.museum/">Registry</a></td>
1547 <td><a href="http://about.museum/idn/idnpolicy.html">Policy</a></td>
1548 </tr>
1549 <tr>
1550
1551 <td>.no</td>
1552 <td><a href="http://www.norid.no/">Registry</a></td>
1553 <td><a href="http://www.norid.no/domeneregistrering/veiviser.en.html">Policy</a> (section 4)</td>
1554 </tr>
1555 <tr>
1556 <td>.org</td>
1557
1558 <td><a href="http://www.pir.org/">Registry</a></td>
1559 <td><a href="http://pir.org/PDFs/ORG-Extended-Characters-22-Jan-07.pdf">Policy</a></td>
1560 </tr>
1561 <tr>
1562 <td>.pl</td>
1563 <td><a href="http://www.nask.pl/">Registry</a></td>
1564 <td><a href="http://www.dns.pl/IDN/idn-registration-policy.txt">Policy</a></td>
1565
1566 </tr>
1567 <tr>
1568 <td>.pr</td>
1569 <td><a href="https://www.nic.pr/">Registry</a></td>
1570 <td><a href="https://www.nic.pr/idn_rules.asp">Policy</a></td>
1571 </tr>
1572 <tr>
1573
1574 <td>.se</td>
1575 <td><a href="http://www.nic-se.se/">Registry</a></td>
1576 <td><a href="http://www.iis.se/en/domaner/internationaliserad-doman-idn/">Policy</a> (<a href="http://www.iis.se/docs/teckentabell-03.pdf">character list</a>)</td>
1577 </tr>
1578 <tr>
1579
1580 <td>.sh</td>
1581 <td><a href="http://www.nic.sh">Registry</a></td>
1582 <td><a href="http://www.nic.sh/SH-IDN-Policy.pdf">Policy</a></td>
1583 </tr>
1584 <tr>
1585 <td>.th</td>
1586 <td><a href="http://www.thnic.or.th/">Registry</a></td>
1587
1588 <td><a href="http://www.iana.org/assignments/idn/th-thai.html">Policy</a></td>
1589 </tr>
1590 <tr>
1591 <td>.tm</td>
1592 <td><a href="http://www.nic.tm">Registry</a></td>
1593 <td><a href="http://www.nic.tm/TM-IDN-Policy.pdf">Policy</a></td>
1594 </tr>
1595
1596 <tr>
1597 <td>.tw</td>
1598 <td><a href="http://www.twnic.net.tw/">Registry</a></td>
1599 <td><a href="http://www.faqs.org/rfcs/rfc3743.html">Policy</a> (JET Guidelines)</td>
1600 </tr>
1601 <tr>
1602
1603 <td>.vn</td>
1604 <td><a href="http://www.vnnic.net.vn/">Registry</a></td>
1605 <td><a href="http://www.vnnic.vn/english/5-6-300-2-2-04-20071115.htm">Policy</a> (<a href="http://vietunicode.sourceforge.net/tcvn6909.pdf">character list</a>)</td>
1606 </tr>
1607 </table>
1608
1609
1610 <p>
1611 These criteria will apply to the email address and server host name fields for all certificate types.
1612 </p>
1613
1614 <p>
1615 The CAcert Inc. Board has the authority to decide to add or remove accepted TLD Registrars on this list.
1616 </p>
1617 </section>
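<p>
An added example, not CAcert's own code, of how the two issuance conditions in &sect;3.1.7 could be checked for a host name or for the domain part of an email address. Assumptions: the single-script rule is applied to each ACE label separately, the script of a character is approximated by the first word of its Unicode name, and all function and constant names are hypothetical.
</p>

```python
import unicodedata

ACE_PREFIX = "xn--"  # ACE prefix, RFC 3490 section 5

# TLDs listed in the page's table of accepted TLD Registrars.
ACCEPTED_TLDS = frozenset(
    "ac ar at biz br cat ch cl cn de dk es fi gr hu info io ir is jp kr li "
    "lt museum no org pl pr se sh th tm tw vn".split()
)

# ASCII digits and the hyphen are allowed alongside the single script.
ALLOWED_ASCII = frozenset("0123456789-")

# Assumption: only these name prefixes are recognised as scripts; any other
# character (Common, Inherited, unassigned) makes the check fail closed.
KNOWN_SCRIPTS = frozenset({
    "LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "GEORGIAN", "HEBREW", "ARABIC",
    "DEVANAGARI", "THAI", "HANGUL", "HIRAGANA", "KATAKANA", "CJK",
})


def to_ace(label):
    """Encode one Unicode label to ACE form (used to build constructed samples)."""
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def decode_ace(label):
    """Decode one ACE label to Unicode; raises UnicodeError if malformed."""
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def scripts_in(text):
    """Return the set of scripts used in text, or None if a character is unknown."""
    found = set()
    for ch in text:
        if ch in ALLOWED_ASCII:
            continue
        script = unicodedata.name(ch, "").split(" ")[0]
        if script not in KNOWN_SCRIPTS:
            return None
        found.add(script)
    return found


def check_idn_domain(domain):
    """Return (allowed, reason) for a domain name under the two conditions."""
    labels = domain.lower().rstrip(".").split(".")
    ace_labels = [label for label in labels if label.startswith(ACE_PREFIX)]
    if not ace_labels:
        return True, "not an IDN"
    # Condition 1: the TLD registrar is on the accepted list.
    if labels[-1] in ACCEPTED_TLDS:
        return True, "accepted TLD registrar"
    # Condition 2: every ACE label uses exactly one script (plus 0-9 and '-').
    for label in ace_labels:
        try:
            text = decode_ace(label)
        except UnicodeError:
            return False, "malformed ACE label"
        scripts = scripts_in(text)
        if not text or scripts is None or len(scripts) != 1:
            return False, "label is not single-script"
    return True, "single script"


def check_idn_email(address):
    """Apply the same conditions to the domain portion of an email address."""
    return check_idn_domain(address.rsplit("@", 1)[-1])


if __name__ == "__main__":
    # Constructed samples; the last label mixes Cyrillic U+0430 with Latin.
    for name in ("www.example.com",
                 to_ace("b\u00fccher") + ".de",
                 to_ace("\u043f\u0440\u0438\u043c\u0435\u0440") + ".com",
                 to_ace("\u0430pple") + ".com"):
        print(name, check_idn_domain(name))
```

<p>
A label written entirely in one script that visually resembles a name in another script still passes the single-script condition, so this check reduces homograph risk but does not remove it.
</p>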
1618
1619 </section>
1620
1621
1622 <section id="p3.2">
1623 <h3>3.2. Initial Identity Verification</h3>
1624
1625 <p>
1626 Identity verification is controlled by the
1627 Assurance Policy (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>).
1628 The reader is referred to the Assurance Policy;
1629 the following is representative and brief only.
1630 </p>
1631
1632
1633 <section id="p3.2.1">
1634 <h4>3.2.1. Method to prove possession of private key</h4>
1635
1636 <p>
1637 CAcert uses industry-standard techniques to
1638 prove the possession of the private key.
1639 </p>
1640
1641 <p>
1642 For X.509 server certificates,
1643 the stale digital signature of the CSR is verified.
1644 For X.509 client certificates for "Netscape" browsers,
1645 SPKAC uses a challenge-response protocol
1646 to check the private key dynamically.
1647 For X.509 client certificates for "explorer" browsers,
1648 ActiveX uses a challenge-response protocol
1649 to check the private key dynamically.
1650 </p>
1651 </section>
1652
1653 <section id="p3.2.2">
1654 <h4>3.2.2. Authentication of Individual Identity</h4>
1655
1656 <dl>
1657
1658 <dt>Agreement</dt>
1659 <dd>
1660 An Internet user becomes a Member by agreeing to the
1661 CAcert Community Agreement
1662 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>)
1663 and registering an account on the online website.
1664 During the registration process Members are asked to
1665 supply information about themselves:
1666 <ul>
1667 <li>A valid working email.
1668 </li>
1669 <li>Full Name and Date of Birth such as is
1670 found on Identity documents.
1671 </li>
1672 <li>Personal Questions used only for Password Retrieval.</li>
1673 </ul>
1674
1675 <p>
1676 The online account establishes the method of authentication
1677 for all service requests such as certificates.
1678 </p>
1679 </dd>
1680
1681 <dt>Assurance</dt>
1682 <dd>
1683 Each Member is assured according to Assurance Policy
1684 (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>).
1685 </dd>
1686
1687 <dt>Certificates</dt>
1688 <dd>
1689 Based on the total number of Assurance Points
1690 that a Member (Name) has, the Member
1691 can get different levels of certificates.
1692 See <a href="#p1.4.5">&sect;1.4.5</a>.
1693 See Table 3.2.b.
1694 When Members have 50 or more points, they
1695 become <em>Assured Members</em> and may then request
1696 certificates that state their Assured Name(s).
1697 </dd>
1698
1699 </dl>
1700
1701 <figure id="t3.2.b">
1702 <table border="1" class="parentC">
1703 <thead>
1704 <tr>
1705 <th class="b">Assurance Points</th>
1706 <th class="b">Level</th>
1707 <th class="b">Service</th>
1708 <th class="b">Comments</th>
1709 </tr>
1710 </thead>
1711 <tbody>
1712 <tr>
1713 <th scope="row">0</th>
1714 <td>Unassured Member</td>
1715 <td>Anonymous</td>
1716 <td>Certificates with no Name, under Class 1 Root. Limited to 6 months expiry.</td>
1717 </tr>
1718 <tr>
1719 <th scope="row">1-49</th>
1720 <td>Unassured Member</td>
1721 <td>Anonymous</td>
1722 <td>Certificates with no Name under Member SubRoot. Limited to 6 months expiry.</td>
1723 </tr>
1724 <tr>
1725 <th scope="row">50-99</th>
1726 <td>Assured Member</td>
1727 <td>Verified</td>
1728 <td>Certificates with Verified Name for S/MIME, web servers, "digital signing."
1729 Expiry after 24 months is available.</td>
1730 </tr>
1731 <tr>
1732 <th scope="row">100++</th>
1733 <td>Assurer</td>
1734 <td>Code-signing</td>
1735 <td>Can create Code-signing certificates </td>
1736 </tr>
1737 </tbody>
1738 </table>
1739
1740 <figcaption>Table 3.2.b - How Assurance Points are used in Certificates</figcaption>
1741 </figure>
1742
1743 </section>
1744
1745
1746 <section id="p3.2.3">
1747 <h4>3.2.3. Authentication of organization identity</h4>
1748
1749 <p>
1750 Verification of organisations is delegated by
1751 the Assurance Policy to the
1752 Organisation Assurance Policy
1753 (<a href="https://www.cacert.org/policy/OrganisationAssurancePolicy.html">COD11</a>).
1754 The reader is referred to the Organisation Assurance Policy;
1755 the following is representative and brief only.
1756 </p>
1757
1758 <p>
1759 Organisations present special challenges.
1760 The Assurance process for Organisations is
1761 intended to permit the organisational Name to
1762 appear in certificates.
1763 The process relies heavily on the Individual
1764 process described above.
1765 </p>
1766
1767 <p>
1768 Organisation Assurance achieves the standard
1769 stated in the OAP, briefly presented here:
1770 </p>
1771 <ol style="list-style: lower-alpha;"><li>
1772 the organisation exists,
1773 </li><li>
1774 the organisation name is correct and consistent,
1775 </li><li>
1776 signing rights: requestor can sign on behalf of the organisation, and
1777 </li><li>
1778 the organisation has agreed to the terms of the
1779 CAcert Community Agreement
1780 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>),
1781 and is therefore subject to Arbitration.
1782 </li></ol>
1783 </section>
1784
1785
1786 <section id="p3.2.4">
1787 <h4>3.2.4. Non-verified subscriber information</h4>
1788
1789 <p>
1790 All information in the certificate is verified,
1791 see Relying Party Statement, <a href="#p4.5.2">&sect;4.5.2</a>.
1792 </p>
1793 </section>
1794
1795
1796 <section id="p3.2.5">
1797 <h4>3.2.5. Validation of authority</h4>
1798
1799 <p>
1800 The authorisation to obtain a certificate is established as follows:
1801 </p>
1802 <dl>
1803
1804 <dt>Addresses</dt>
1805 <dd>
1806 The member claims authority over a domain or email address
1807 when adding the address, <a href="#p4.1.2">&sect;4.1.2</a>.
1808 (Control is tested by means described in <a href="#p4.2.2">&sect;4.2.2</a>.)
1809 </dd>
1810
1811 <dt>Individuals</dt>
1812 <dd>
1813 The authority to participate as a Member is established
1814 by the CAcert Community Agreement
1815 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>).
1816 Assurances are requested by means of the signed CAP form.
1817 </dd>
1818
1819 <dt>Organisations</dt>
1820 <dd>
1821 The authority for Organisation Assurance is established
1822 in the COAP form, as signed by an authorised representative
1823 of the organisation.
1824 The authority for the
1825 Organisation Administrator
1826 (O-Admin) is also established on the
1827 COAP form.
1828 See Organisation Assurance Policy.
1829 </dd>
1830
1831 </dl>
1832 </section>
1833
1834
1835 <section id="p3.2.6">
1836 <h4>3.2.6. Criteria for interoperation</h4>
1837
1838 <p>
1839 CAcert does not currently issue certificates to subordinate CAs
1840 or other PKIs.
1841 Other CAs may become Members, and are then subject to the
1842 same reliance provisions as all Members.
1843 </p>
1844 </section>
1845
1846 </section>
1847
1848
1849 <section id="p3.3">
1850 <h3>3.3. Re-key Requests</h3>
1851
1852 <p>
1853 Via the Member's account.
1854 </p>
1855 </section>
1856
1857 <section id="p3.4">
1858 <h3>3.4. Revocation Requests</h3>
1859
1860 <p>
1861 Via the Member's account.
1862 In the event that the Member has lost the password,
1863 or similar, the Member emails the support team who
1864 either work through the lost-password questions
1865 process or file a dispute.
1866 </p>
1867 </section>
1868
1869 </section>
1870
1871
1872 <!-- *************************************************************** -->
1873 <section id="p4">
1874 <h2>4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS</h2>
1875
1876 <p>
1877 The general life-cycle for a new certificate for an Individual Member is:</p>
1878 <ol><li>
1879 Member adds claim to an address (domain/email).
1880 </li><li>
1881 System probes address for control.
1882 </li><li>
1883 Member creates key pair.
1884 </li><li>
1885 Member submits CSR with desired options (Anonymous Certificate, SSO, Root Certificate).
1886 </li><li>
1887 System validates and accepts CSR based on
1888 known information: claims, assurance, controls, technicalities.
1889 </li><li>
1890 System signs certificate.
1891 </li><li>
1892 System makes signed certificate available to Member.
1893 </li><li>
1894 Member accepts certificate.
1895 </li></ol>
1896
1897
1898
1899 <p>
1900 (Some steps are not applicable, such as anonymous certificates.)
1901 </p>
1902
1903
1904 <section id="p4.1">
1905 <h3>4.1. Certificate Application</h3>
1906
1907 <section id="p4.1.1">
1908 <h4>4.1.1. Who can submit a certificate application</h4>
1909
1910 <p>
1911 Members may submit certificate applications.
1912 On issuance of certificates, Members become Subscribers.
1913 </p>
1914 </section>
1915
1916 <section id="p4.1.2">
1917 <h4>4.1.2. Adding Addresses</h4>
1918
1919 <p>
1920 The Member can claim ownership or authorised control of
1921 a domain or email address on the online system.
1922 This is a necessary step towards issuing a certificate.
1923 There are these controls:</p>
1924 <ul><li>
1925 The claim of ownership or control is legally significant
1926 and may be referred to dispute resolution.
1927 </li><li>
1928 Each unique address can be handled by one account only.
1929 </li><li>
1930 When the Member makes the claim,
1931 the certificate application system automatically initiates the
1932 check of control, as below.
1933 </li></ul>
1934 </section>
1935
1936
1937 <section id="p4.1.3">
1938 <h4>4.1.3. Preparing CSR </h4>
1939
1940 <p>
1941 Members generate their own key-pairs.
1942 The CAcert Community Agreement
1943 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>)
1944 obliges the Member as responsible for security.
1945 See <a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html#s2.5">CCA 2.5</a>, <a href="#p9.6">&sect;9.6</a>.
1946 </p>
1947
1948 <p>
1949 The Certificate Signing Request (CSR) is prepared by the
1950 Member for presentation to the automated system.
1951 </p>
1952 </section>
1953
1954 </section>
1955
1956
1957 <section id="p4.2">
1958 <h3>4.2. Certificate application processing</h3>
1959
1960 <p>
1961 The CA's certificate application process is completely automated.
1962 Requests, approvals and rejections are handled by the website system.
1963 Each application should be processed in less than a minute.
1964 </p>
1965 <p>
1966 Where certificates are requested for more than one
1967 purpose, the requirements for each purpose must be
1968 fulfilled.
1969 </p>
1970
1971 <section id="p4.2.1">
1972 <h4>4.2.1. Authentication </h4>
1973
1974 <p>
1975 The Member logs in to her account on the CAcert website
1976 and thereby authenticates herself with username
1977 and passphrase or with her CAcert client-side digital certificate.
1978 </p>
1979 </section>
1980
1981 <section id="p4.2.2">
1982 <h4>4.2.2. Verifying Control</h4>
1983
1984 <p>
1985 In principle, at least two controls are placed on each address.
1986 </p>
1987
1988 <dl>
1989
1990 <dt id="ping">Email-Ping</dt>
1991 <dd>
1992 Email addresses are verified by means of an
1993 <em><a id="pingtest">Email-Ping test</a></em>:
1994 <ul><li>
1995 The system generates a cookie
1996 (a random, hard-to-guess code)
1997 and formats it as a string.
1998 </li><li>
1999 The system sends the cookie
2000 to the Member in an email.
2001 </li><li>
2002 Once the Member receives the email,
2003 she enters the cookie into the website.
2004 </li><li>
2005 The entry of the code verifies
2006 control of that email account.
2007 </li></ul>
2008 </dd>
2009
2010 <dt id="email">Email Control</dt>
2011 <dd>
2012 Email addresses for client certificates are verified by passing the
2013 following checks:
2014 <ol>
2015 <li>An Email-ping test
2016 is done on the email address.
2017 </li>
2018 <li>The Member must have signed a CAP form or equivalent,
2019 and been awarded at least one Assurance point.
2020 </li>
2021 </ol>
2022 </dd>
2023
2024 <dt id="domain">Domain Control</dt>
2025 <dd>
2026 Domain addresses for server certificates are verified by passing two of the
2027 following checks:
2028 <ol> <li>
2029 An Email-ping test
2030 is done on an email address chosen from <em>whois</em>
2031 or interpolated from the domain name.
2032 </li> <li>
2033 The system generates a cookie
2034 which is then placed in DNS
2035 by the Member.
2036 </li> <li>
2037 The system generates a cookie
2038 which is then placed in HTTP headers or a text file on the website
2039 by the Member.
2040 </li> <li>
2041 Statement by at least 2 Assurers about
2042 ownership/control of the domain name.
2043 </li> <li>
2044 The system generates a cookie
2045 which is then placed in whois registry information
2046 by the Member.
2047 </li> </ol>
2048 </dd>
2049
2050 </dl>
2051
2052 <p>
2053 Notes.</p>
2054 <ul><li>
2055 Other methods can be added from time to time by CAcert.
2056 </li><li>
2057 Static cookies should remain for the duration of a certificate
2058 for occasional re-testing.
2059 </li><li>
2060 Dynamic tests can be repeated at a later time of CAcert's choosing.
2061 </li><li>
2062 Domain control checks may be extended to apply to email control
2063 in the future.
2064 </li></ul>
2065 </section>
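<p>
The sketch below models the Email-Ping, Email Control and Domain Control rules of &sect;4.2.2. It is an added example, not CAcert's code and not part of the original CPS. The class and function names, the retry limit, storing only a digest of the cookie, and the list of interpolated local parts are assumptions; DNS, HTTP and whois values are passed in by the caller rather than fetched.
</p>

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum

# Assumed local parts for "interpolated" addresses; the CPS does not list them.
INTERPOLATED = ("root", "hostmaster", "postmaster", "admin", "webmaster")


def new_cookie() -> str:
    """A random, hard-to-guess code formatted as a string (192 bits)."""
    return secrets.token_urlsafe(24)


def _same(observed: str, expected: str) -> bool:
    """Constant-time comparison, so timing does not leak the cookie."""
    return hmac.compare_digest(observed.strip().encode(), expected.encode())


@dataclass
class PingTest:
    """One Email-Ping challenge; only a digest of the cookie is kept (assumption)."""
    address: str
    digest: str
    attempts_left: int = 5  # assumed retry limit; the CPS sets none
    verified: bool = False

    @classmethod
    def start(cls, address: str):
        """Return (test, cookie); the caller mails the cookie to the address."""
        cookie = new_cookie()
        return cls(address.lower(), hashlib.sha256(cookie.encode()).hexdigest()), cookie

    def submit(self, entered: str) -> bool:
        """The Member enters the cookie into the website."""
        if self.verified:
            return True
        if self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        entered_digest = hashlib.sha256(entered.strip().encode()).hexdigest()
        self.verified = hmac.compare_digest(entered_digest, self.digest)
        return self.verified


def email_control(ping: PingTest, cap_signed: bool, assurance_points: int) -> bool:
    """Email Control for client certificates: both listed checks must pass."""
    return ping.verified and cap_signed and assurance_points >= 1


class Method(Enum):
    EMAIL_PING = 1  # address chosen from whois or interpolated from the domain
    DNS = 2         # cookie placed in DNS by the Member
    HTTP = 3        # cookie placed in HTTP headers or a text file
    ASSURERS = 4    # statement by at least 2 Assurers
    WHOIS = 5       # cookie placed in whois registry information


@dataclass
class DomainControl:
    domain: str
    cookies: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def issue(self, method: Method) -> str:
        """One cookie per method, so one published value cannot pass two checks."""
        self.cookies[method] = new_cookie()
        return self.cookies[method]

    def observe(self, method: Method, values) -> bool:
        """Compare values already fetched from DNS, HTTP or whois with the cookie."""
        expected = self.cookies.get(method)
        if expected is None or method in (Method.EMAIL_PING, Method.ASSURERS):
            return False
        hit = False
        for value in values:
            hit |= _same(value, expected)
        if hit:
            self.passed.add(method)
        return hit

    def email_ping(self, ping: PingTest, whois_contacts=()) -> bool:
        allowed = {c.lower() for c in whois_contacts}
        allowed |= {f"{lp}@{self.domain.lower()}" for lp in INTERPOLATED}
        ok = ping.verified and ping.address in allowed
        if ok:
            self.passed.add(Method.EMAIL_PING)
        return ok

    def assurer_statements(self, assurer_ids) -> bool:
        ok = len(set(assurer_ids)) >= 2
        if ok:
            self.passed.add(Method.ASSURERS)
        return ok

    def verified(self) -> bool:
        """Domain Control: two of the five checks must have passed."""
        return len(self.passed) >= 2
```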
2066
2067 <section id="p4.2.3">
2068 <h4>4.2.3. Options Available</h4>
2069
2070 <p>
2071 The Member has options available:
2072 </p>
2073 <ul>
2074 <li>Each Email address that is verified
2075 is available for Client Certificates.
2076 </li>
2077 <li>Each Domain address that is verified
2078 is available for Server Certificates.
2079 </li>
2080 <li>If the Member is unassured then only the Member SubRoot is available.
2081 </li>
2082 <li>If the Member is Assured then both Assured Member and Member SubRoots
2083 are available.
2084 </li>
2085 <li>If a Name is Assured then it may be
2086 put in a client certificate or an OpenPGP signature.
2087 </li>
2088 </ul>
2089 </section>
2090
2091 <section id="p4.2.4">
2092 <h4>4.2.4. Client Certificate Procedures</h4>
2093
2094 <p>
2095 For an individual client certificate, the following is required.</p>
2096 <ul>
2097 <li>The email address is claimed and added. </li>
2098 <li>The email address is ping-tested. </li>
2099 <li>For the Member Subroot, the Member must have
2100 at least one point of Assurance and have signed a CAP form.</li>
2101 <li>For the Assured Subroot, the Member must have
2102 at least fifty points of Assurance. </li>
2103 <li>To include a Name, the Name must be assured to at least fifty points. </li>
2104
2105 </ul>
2106 </section>
2107
2108 <section id="p4.2.5">
2109 <h4>4.2.5. Server Certificate Procedures</h4>
2110
2111 <p>
2112 For a server certificate, the following is required:</p>
2113 <ul>
2114 <li>The domain is claimed and added. </li>
2115 <li>The domain is checked twice as above. </li>
2116 <li>For the Member SubRoot, the Member must have
2117 at least one point of Assurance and have signed a CAP form.</li>
2118 <li>For the Assured SubRoot, the Member must have
2119 at least fifty points of Assurance. </li>
2120 </ul>
2121 </section>
2122
2123 <section id="p4.2.6">
2124 <h4>4.2.6. Code-signing Certificate Procedures</h4>
2125
2126 <p>
2127 Code-signing certificates are made available to Assurers only.
2128 They are processed in a similar manner to client certificates.
2129 </p>
2130 </section>
2131
2132 <section id="p4.2.7">
2133 <h4>4.2.7. Organisation Domain Verification</h4>
2134
2135 <p>
2136 Organisation Domains are handled under the Organisation Assurance Policy
2137 and the Organisation Handbook.
2138 </p>
2139 </section>
2140
2141 </section>
2142
2143
2144 <section id="p4.3">
2145 <h3>4.3. Certificate issuance</h3>
2146
2147 <section id="p4.3.1">
2148 <h4>4.3.1. CA actions during certificate issuance</h4>
2149
2150 <section id="p4.3.1.1">
2151 <h5>4.3.1.1. Key Sizes</h5>
2152 <p>
2153 Members may request keys of any size permitted by the key algorithm.
2154 Many older hardware devices require small keys.
2155 </p>
2156 </section>
2157
2158 <section id="p4.3.1.2">
2159 <h5>4.3.1.2. Algorithms</h5>
2160 <p>
2161 CAcert currently only supports the RSA algorithm for X.509 keys.
2162 X.509 signing uses the SHA-1 message digest algorithm.
2163 OpenPGP Signing uses RSA signing over RSA and DSA keys.
2164 </p>
2165 </section>
2166
2167 <section id="p4.3.1.3">
2168 <h5>4.3.1.3. Process for Certificates</h5>
2169 <p>
2170 All details in each certificate are verified
2171 by the website issuance system.
2172 Issuance is based on a 'template' system that selects
2173 profiles for certificate lifetime, size and algorithm.
2174 </p>
2175 <ol><li>
2176 The CSR is verified.
2177 </li><li>
2178 Data is extracted from CSR and verified:
2179 <ul>
2180 <li> Name <a href="#p3.1">&sect;3.1</a>, </li>
2181 <li> Email address <a href="#p4.2.2">&sect;4.2.2</a>, </li>
2182 <li> Domain address <a href="#p4.2.2">&sect;4.2.2</a>. </li>
2183 </ul>
2184 </li><li>
2185 Certificate is generated from template.
2186 </li><li>
2187 Data is copied from CSR.
2188 </li><li>
2189 Certificate is signed.
2190 </li><li>
2191 Certificate is stored as well as mailed.
2192 </li></ol>
2193 </section>
2194
2195 <section id="p4.3.1.4">
2196 <h5>4.3.1.4. Process for OpenPGP key signatures</h5>
2197 <p>
2198 All details in each Sub-ID are verified
2199 by the website issuance system.
2200 Issuance is based on the configuration that selects
2201 the profile for signature lifetime, size,
2202 algorithm following the process:
2203 </p>
2204 <ol><li>
2205 The public key is verified.
2206 </li><li>
2207 Data is extracted from the key and verified (Name, Emails).
2208 Only the combinations of data in Table 4.3.1 are permitted.
2209 </li><li>
2210 OpenPGP Key Signature is generated.
2211 </li><li>
2212 Key Signature is applied to the key.
2213 </li><li>
2214 The signed key is stored as well as mailed.
2215 </li></ol>
2216
2217 <figure id="t4.3.1">
2218 <table class="parentC">
2219 <thead>
2220 <tr>
2221 <th></th>
2222 <th>Verified Name</th>
2223 <th>Unverified Name</th>
2224 <th>Empty Name</th>
2225 </tr>
2226 </thead>
2227 <tbody>
2228 <tr>
2229 <th scope="row" class="r">Verified email</th>
2230 <td title="pass" class="c clrGreen size3">&#10004;</td>
2231 <td title="fail" class="c clrRed size3">&#10008;</td>
2232 <td title="pass" class="c clrGreen size3">&#10004;</td>
2233 </tr>
2234 <tr>
2235 <th scope="row" class="r">Unverified email</th>
2236 <td title="fail" class="c clrRed size3">&#10008;</td>
2237 <td title="fail" class="c clrRed size3">&#10008;</td>
2238 <td title="fail" class="c clrRed size3">&#10008;</td>
2239 </tr>
2240 <tr>
2241 <th scope="row" class="r">Empty email</th>
2242 <td title="pass" class="c clrGreen size3">&#10004;</td>
2243 <td title="fail" class="c clrRed size3">&#10008;</td>
2244 <td title="fail" class="c clrRed size3">&#10008;</td>
2245 </tr>
2246 </tbody>
2247 </table>
2248
2249 <figcaption>Table 4.3.1. Permitted Data in Signed OpenPGP Keys</figcaption>
2250 </figure>
2251 </section>
2252
2253 </section>
2254
2255
2256 <section id="p4.3.2">
2257 <h4>4.3.2. Notification to subscriber by the CA of issuance of certificate</h4>
2258
2259 <p>
2260 Once signed, the certificate is
2261 made available via the Member's account,
2262 and emailed to the Member.
2263 It is also archived internally.
2264 </p>
2265 </section>
2266
2267 </section>
2268
2269 <section id="p4.4">
2270 <h3>4.4. Certificate acceptance</h3>
2271
2272 <section id="p4.4.1">
2273 <h4>4.4.1. Conduct constituting certificate acceptance</h4>
2274
2275 <p>
2276 There is no need for the Member to explicitly accept the certificate.
2277 In case the Member does not accept the certificate,
2278 the certificate has to be revoked and made again.
2279 </p>
2280 </section>
2281
2282 <section id="p4.4.2">
2283 <h4>4.4.2. Publication of the certificate by the CA</h4>
2284
2285 <p>
2286 CAcert does not currently publish the issued certificates
2287 in any repository.
2288 In the event that CAcert runs a repository,
2289 the publication of certificates and signatures
2290 there will be at the Member's option.
2291 However note that certificates that are issued
2292 and delivered to the Member are presumed to be
2293 published. See <a href="#p2.2">&sect;2.2</a>.
2294 </p>
2295 </section>
2296
2297 <section id="p4.4.3">
2298 <h4>4.4.3. Notification of certificate issuance by the CA to other entities</h4>
2299
2300 <p>
2301 There are no external entities that are notified about issued certificates.
2302 </p>
2303 </section>
2304
2305 </section>
2306
2307 <section id="p4.5">
2308 <h3>4.5. Key pair and certificate usage</h3>
2309
2310 <p>
2311 All Members (subscribers and relying parties)
2312 are obliged according to the
2313 CAcert Community Agreement
2314 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>).
2315 See especially <a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html#s2.3">2.3</a> through <a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html#s2.5">2.5</a>.
2316 </p>
2317
2318 <section id="p4.5.1">
2319 <h4>4.5.1. Subscriber Usage and Responsibilities</h4>
2320
2321 <p>
2322 Subscribers should use keys only for their proper purpose,
2323 as indicated by the certificate, or by wider agreement with
2324 others.
2325 </p>
2326 </section>
2327
2328 <section id="p4.5.2">
2329 <h4>4.5.2. Relying Party Usage and Responsibilities</h4>
2330
2331 <p>
2332 Relying parties (Members) may rely on the following.
2333 </p>
2334
2335 <div class="importend">
2336 <div class="c">
2337 <strong class="size1">Relying Party Statement</strong>
2338 <p class="c">
2339 Certificates are issued to Members only.<br /><br />
2340 All information in a certificate is verified.
2341 </p>
2342 </div>
2343 </div>
2344
2345 <p>
2346 The following notes are in addition to the Relying Party Statement,
2347 and can be seen as limitations on it.
2348 </p>
2349
2350 <section id="p4.5.2.a">
2351 <h5>4.5.2.a Methods of Verification </h5>
2352 <p>
2353 The term Verification as used in the Relying Party Statement means one of
2354 </p>
2355 <table border="1" class="parentC">
2356 <thead>
2357 <tr>
2358 <th>Type</th><th>How</th><th>Authority</th><th>Remarks</th>
2359 </tr>
2360 </thead>
2361 <tbody>
2362 <tr>
2363 <th scope="row">Assurance</th>
2364 <td>under CAcert Assurance Programme (CAP)</td>
2365 <td>Assurance Policy</td>
2366 <td>only information assured to 50 points under CAP is placed in the certificate </td>
2367 </tr>
2368 <tr>
2369 <th scope="row">Evaluation</th>
2370 <td>under automated domain and email checks </td>
2371 <td>this CPS</td>
2372 <td>see <a href="#p4.2.2">&sect;4.2.2</a></td>
2373 </tr>
2374 <tr>
2375 <th scope="row">Controlled</th>
2376 <td>programs or "profiles" that check the information within the CSR </td>
2377 <td>this CPS</td>
2378 <td>see <a href="#p4.2.2">&sect;7.1</a></td>
2379 </tr>
2380 </tbody>
2381 </table>
2382
2383 </section>
2384
2385 <section id="p4.5.2.b">
2386 <h5>4.5.2.b Who may rely</h5>
2387
2388 <dl>
2389
2390 <dt>Members may rely.</dt>
2391 <dd>
2392 Relying parties are Members,
2393 and as such are bound by this CPS and the
2394 CAcert Community Agreement
2395 (<a href="https://www.cacert.org/policy/CAcertCommunityAgreement.html">COD9</a>).
2396 The licence and permission to rely is not assignable.
2397 </dd>
2398
2399 <dt>Suppliers of Software</dt>
2400 <dd>
2401 CAcert roots may be distributed in software,
2402 and those providers may
2403 enter into agreement with CAcert by means of the
2404 Third Party Vendor - Disclaimer and Licence
2405 (wip).
2406 This licence brings the supplier into the Community
2407 to the extent that
2408 they agree to dispute resolution
2409 within CAcert's forum.
2410 </dd>
2411
2412 <dt>NRPs may not rely.</dt>
2413 <dd>
2414 If not related to CAcert by means of an agreement
2415 that binds the parties to dispute resolution within CAcert's forum,
2416 a person is a Non-Related-Person (NRP).
2417 An NRP is not permitted to rely and is not a Relying Party.
2418 For more details, see the
2419 Root Distribution License (<a href="https://www.cacert.org/policy/RootDistributionLicense.html">COD14</a>).
2420 </dd>
2421
2422 </dl>
2423 </section>
2424
2425 <section id="p4.5.2.c">
2426 <h5>4.5.2.c The Act of Reliance </h5>
2427
2428 <dl>
2429
2430 <dt>Decision making</dt>
2431 <dd>
2432 Reliance means taking a decision that is in part or in whole
2433 based on the information in the certificate.
2434
2435 A Relying Party may incorporate
2436 the information in the certificate,
2437 and the implied information such as Membership,
2438 into her decision-making.
2439 In making a decision,
2440 a Relying Party should also:
2441 <ul><li>
2442 include her own overall risk equation,
2443 </li><li>
2444 include the general limitations of the Assurance process,
2445 certificates, and wider security considerations,
2446 </li><li>
2447 make additional checks to provide more information,
2448 </li><li>
2449 consider any wider agreement with the other Member, and
2450 </li><li>
2451 use an appropriate protocol or custom of reliance (below).
2452 </li></ul>
2453 </dd>
2454
2455 <dt>Examining the Certificate</dt>
2456 <dd>
2457 A Relying Party must make her own decision in using
2458 each certificate. She must examine the certificate,
2459 a process called <em>validation</em>.
2460 Certificate-related information includes,
2461 but is not limited to:
2462 <ul><li>
2463 Name,
2464 </li><li>
2465 expiry time of certificate,
2466 </li><li>
2467 current certificate revocation list (CRL),
2468 </li><li>
2469 certificate chain and
2470 the validity check of the certificates in the chain,
2471 </li><li>
2472 issuer of certificate (CAcert),
2473 </li><li>
2474 whether the SubRoot is intended for reliance (Assured, Organisation and Class 3),
2475 </li><li>
2476 purpose of certificate.
2477 </li></ul>
2478 </dd>
2479
2480 <dt>Keeping Records</dt>
2481 <dd>
2482 Records should be kept, appropriate to the import of the decision.
2483 The certificate should be preserved.
2484 This should include sufficient
2485 evidence to establish who the parties are
2486 (especially, the certificate relied upon),
2487 to establish the transaction in question,
2488 and to establish the wider agreement that
2489 defines the act.
2490 </dd>
2491
2492 <dt>Wider Protocol</dt>
2493 <dd>
2494 In principle, reliance will be part of a wider protocol
2495 (customary method in reaching and preserving agreement)
2496 that presents and preserves sufficient evidence
2497 for dispute resolution under CAcert's forum of Arbitration.
2498 The protocol should be agreed amongst the parties,
2499 and tuned to the needs.
2500 This CPS does not define any such protocol.
2501 In the absence of such a protocol, reliance will be weakened;
2502 a dispute without sufficient evidence may be dismissed by an Arbitrator.
2503 </dd>
2504
2505 <dt>As Compared to Usage</dt>
2506 <dd>
2507 Reliance goes beyond Usage. The latter is limited to
2508 letting the software act as the total and only Validation
2509 Authority. When relying, the Member also augments
2510 the algorithmic processing of the software with her own
2511 checks of the business, technical and certificate aspects.
2512 </dd>
2513
2514 </dl>
2515 </section>
2516
2517 <section id="p4.5.2.d">
2518 <h5>4.5.2.d Risks and Limitations of Reliance </h5>
2519
2520 <dl>
2521
2522 <dt>Roots and Naming</dt>
2523 <dd>
2524 <p>Where the Class 1 root is used,
2525 this Subscriber may be a new Member
2526 including one with zero points.
2527 Where the Name is not provided,
2528 this indicates it is not available.
2529 In these circumstances,
2530 reliance is not defined,
2531 and Relying parties should take more care.
2532 See Table 4.5.2.
2533 </p>
2534
2535 <figure id="t4.5.2">
2536 <table border="1" class="parentC">
2537 <caption class="i">Statements of Reliance for Members</caption>
2538 <thead>
2539 <tr>
2540 <th class="i">Class of Root</th>
2541 <th><strong>Anonymous</strong><br>(all Members)</th>
2542 <th><strong>Named</strong><br>(Assured Members only)</th>
2543 </tr>
2544 </thead>
2545 <tbody>
2546 <tr>
2547 <th scope="row">Class<br><strong>1</strong></th>
2548 <td rowspan="2" class="bgClrRed">
2549 <strong>Do not rely.</strong><br>
2550 Relying party must use other methods to check. </td>
2551 <td rowspan="2" class="bgClrOrange">
2552 Do not rely.
2553 Although the named Member has been Assured by CAcert,
2554 reliance is not defined with Class 1 root.<br>
2555 (issued for compatibility only).</td>
2556 </tr>
2557 <tr>
2558 <th scope="row"><strong>Member</strong><br>SubRoot</th>
2559 </tr>
2560 <tr>
2561 <th scope="row">Class<br><strong>3</strong></th>
2562 <td rowspan="2" class="bgClrOrange">
2563 Do not rely on the Name (being available).
2564 The Member has been Assured by CAcert,
2565 but reliance is undefined.</td>
2566 <td rowspan="2">
2567 The Member named in the certificate has been Assured by CAcert.</td>
2568 </tr>
2569 <tr>
2570 <th scope="row"><strong>Assured</strong><br>SubRoot</th>
2571 </tr>
2572 </tbody>
2573 </table>
2574
2575 <figcaption>Table 4.5.2. Statements of Reliance</figcaption>
2576 </figure>
2577 </dd>
2578
2579 <dt>Software Agent</dt>
2580 <dd>
2581 When relying on a certificate, relying parties should
2582 note that your software is responsible for the way it
2583 shows you the information in a certificate.
2584 If your software agent hides parts of the information,
2585 your sole remedy may be to choose another software agent.
2586 </dd>
2587
2588 <dt>Malware</dt>
2589 <dd>
2590 When relying on a certificate, relying parties should
2591 note that platforms that are vulnerable to viruses or
2592 trojans or other weaknesses may not process any certificates
2593 properly and may give deceptive or fraudulent results.
2594 It is your responsibility to ensure you are using a platform
2595 that is secured according to the needs of the application.
2596 </dd>
2597
2598 </dl>
2599 </section>
2600
2601 <section id="p4.5.2.e">
2602 <h5>4.5.2.e When something goes wrong </h5>
2603 <p>
2604 In the event that an issue arises out of the Member's reliance,
2605 her sole avenue is <strong>to file a dispute under DRP</strong>.
2606 See <a href="#p9.13">&sect;9.13</a>.
2607 <!-- DRC_A&sect;A.4.d -->
2608 For this purpose, the certificate (and other evidence) should be preserved.
2609 </p>
2610 <dl>
2611
2612 <dt>Which person?</dt>
2613 <dd>
2614 Members may install certificates for other individuals or in servers,
2615 but the Member to whom the certificate is issued
2616 remains the responsible person.
2617 E.g., under Organisation Assurance, an organisation is issued
2618 a certificate for the use by individuals
2619 or servers within that organisation,
2620 but the Organisation is the responsible person.
2621 </dd>
2622
2623 <dt>Software Agent</dt>
2624 <dd>
2625 If a Member is relying on a CAcert root embedded in
2626 the software as supplied by a vendor,
2627 the risks, liabilities and obligations of the Member
2628 do not automatically transfer to the vendor.
2629 </dd>
2630
2631 </dl>
2632 </section>
2633
2634 </section>
2635 </section>
2636
2637
2638 <section id="p4.6">
2639 <h3>4.6. Certificate renewal</h3>
2640
2641 <p>
2642 A certificate can be renewed at any time.
2643 The procedure of certificate renewal is the same
2644 as for the initial certificate issuance.
2645 </p>
2646 </section>
2647
2648 <section id="p4.7">
2649 <h3>4.7. Certificate re-key</h3>
2650
2651 <p>
2652 Certificate "re-keyings" are neither offered nor supported.
2653 A new certificate with a new key has to be requested and issued instead,
2654 and the old one revoked.
2655 </p>
2656 </section>
2657
2658 <section id="p4.8">
2659 <h3>4.8. Certificate modification</h3>
2660
2661 <p>
2662 Certificate "modifications" are neither offered nor supported.
2663 A new certificate has to be requested and issued instead.
2664 </p>
2665 </section>
2666
2667 <section id="p4.9">
2668 <h3>4.9. Certificate revocation and suspension</h3>
2669
2670 <section id="p4.9.1">
2671 <h4>4.9.1. Circumstances for revocation</h4>
2672 <p>
2673 Certificates may be revoked under the following circumstances:
2674 </p>
2675 <ol><li>
2676 As initiated by the Subscriber through her online account.
2677 </li><li>
2678 As initiated in an emergency action by a
2679 support team member.
2680 Such action will immediately be referred to dispute resolution
2681 for ratification.
2682 </li><li>
2683 Under direction from the Arbitrator in a duly ordered ruling
2684 from a filed dispute.
2685 </li></ol>
2686
2687 <p>
2688 These are the only three circumstances under which a
2689 revocation occurs.
2690 </p>
2691 </section>
2692
2693 <section id="p4.9.2">
2694 <h4>4.9.2. Who can request revocation</h4>
2695
2696 <p>
2697 As above.
2698 </p>
2699 </section>
2700
2701 <section id="p4.9.3">
2702 <h4>4.9.3. Procedure for revocation request</h4>
2703 <p>
2704 The Subscriber logs in to her online account through
2705 the website at http://www.cacert.org/ .
2706 </p>
2707
2708 <p>
2709 In any other event such as lost passwords or fraud,
2710 a dispute should be filed
2711 by email at
2712 &lt; support AT cacert DOT org &gt;
2713 </p>
2714 </section>
2715
2716 <section id="p4.9.4">
2717 <h4>4.9.4. Revocation request grace period</h4>
2718
2719 <p>No stipulation.</p>
2720 </section>
2721
2722 <section id="p4.9.5">
2723 <h4>4.9.5. Time within which CA must process the revocation request</h4>
2724
2725 <p>
2726 Revocation is automated in the Web Interface for subscribers,
2727 and is handled generally in less than a minute.
2728 </p>
2729
2730 <p>
2731 A filed dispute that requests a revocation should be handled
2732 within five business days; however, the Arbitrator has discretion.
2733 </p>
2734 </section>
2735
2736 <section id="p4.9.6">
2737 <h4>4.9.6. Revocation checking requirement for relying parties</h4>
2738
2739 <p>
2740 Each revoked certificate is recorded in the
2741 certificate revocation list (CRL).
2742 Relying Parties must check a certificate against
2743 the most recent CRL issued, in order to validate
2744 the certificate for the intended reliance.
2745 </p>
2746 </section>
2747
2748 <section id="p4.9.7">
2749 <h4>4.9.7. CRL issuance frequency (if applicable)</h4>
2750
2751 <p>
2752 A new CRL is issued after every certificate revocation.
2753 </p>
2754 </section>
2755
2756 <section id="p4.9.8">
2757 <h4>4.9.8. Maximum latency for CRLs (if applicable)</h4>
2758
2759 <p>
2760 The maximum latency between revocation and issuance of the CRL is 1 hour.
2761 </p>
2762 </section>
2763
2764 <section id="p4.9.9">
2765 <h4>4.9.9. On-line revocation/status checking availability</h4>
2766
2767 <p>
2768 OCSP is available at
2769 http://ocsp.cacert.org/ .
2770 </p>
2771 </section>
2772
2773 <section id="p4.9.10">
2774 <h4>4.9.10. On-line revocation checking requirements</h4>
2775 <p>
2776 Relying parties must check up-to-date status before relying.
2777 </p>
2778 </section>
2779
2780 <section id="p4.9.11">
2781 <h4>4.9.11. Other forms of revocation advertisements available</h4>
2782 <p>
2783 None.
2784 </p>
2785 </section>
2786
2787 <section id="p4.9.12">
2788 <h4>4.9.12. Special requirements re key compromise</h4>
2789 <p>
2790 Subscribers are obliged to revoke certificates at the earliest opportunity.
2791 </p>
2792 </section>
2793
2794 <section id="p4.9.13">
2795 <h4>4.9.13. Circumstances for suspension</h4>
2796
2797 <p>
2798 Suspension of certificates is not available.
2799 </p>
2800 </section>
2801
2802 <section id="p4.9.14">
2803 <h4>4.9.14. Who can request suspension</h4>
2804 <p>
2805 Not applicable.
2806 </p>
2807 </section>
2808
2809 <section id="p4.9.15">
2810 <h4>4.9.15. Procedure for suspension request</h4>
2811 <p>
2812 Not applicable.
2813 </p>
2814 </section>
2815
2816 <section id="p4.9.16">
2817 <h4>4.9.16. Limits on suspension period</h4>
2818 <p>
2819 Not applicable.
2820 </p>
2821 </section>
2822
2823 </section>
2824
2825
2826 <section id="p4.10">
2827 <h3>4.10. Certificate status services</h3>
2828
2829 <section id="p4.10.1">
2830 <h4>4.10.1. Operational characteristics</h4>
2831 <p>
2832 OCSP is available
2833 at http://ocsp.cacert.org/ .
2834 </p>
2835 </section>
2836
2837 <section id="p4.10.2">
2838 <h4>4.10.2. Service availability</h4>
2839
2840 <p>
2841 OCSP is made available on an experimental basis.
2842 </p>
2843 </section>
2844
2845 <section id="p4.10.3">
2846 <h4>4.10.3. Optional features</h4>
2847
2848 <p>
2849 No stipulation.
2850 </p>
2851 </section>
2852
2853 </section>
2854
2855
2856 <section id="p4.11">
2857 <h3>4.11. End of subscription</h3>
2858
2859 <p>
2860 Certificates include expiry dates.
2861 </p>
2862 </section>
2863
2864 <section id="p4.12">
2865 <h3>4.12. Key escrow and recovery</h3>
2866
2867 <section id="p4.12.1">
2868 <h4>4.12.1. Key escrow and recovery policy and practices</h4>
2869
2870 <p>
2871 CAcert neither generates nor escrows subscriber keys.
2872 </p>
2873 </section>
2874
2875 <section id="p4.12.2">
2876 <h4>4.12.2. Session key encapsulation and recovery policy and practices</h4>
2877
2878 <p>
2879 No stipulation.
2880 </p>
2881 </section>
2882
2883 </section>
2884 </section>
2885
2886
2887 <!-- *************************************************************** -->
2888 <section id="p5">
2889 <h2>5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS</h2>
2890
2891 <section id="p5.1">
2892 <h3>5.1. Physical controls</h3>
2893
2894 <p>
2895 Refer to Security Policy (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)</p>
2896 <ul><li>
2897 Site location and construction - <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s2.1">SP2.1</a>
2898 </li><li>
2899 Physical access - <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s2.3">SP2.3</a>
2900 </li></ul>
2901
2902
2903 <section id="p5.1.3">
2904 <h4>5.1.3. Power and air conditioning</h4>
2905 <p>
2906 Refer to Security Policy 2.1.2 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
2907 </p>
2908 </section>
2909 <section id="p5.1.4">
2910 <h4>5.1.4. Water exposures</h4>
2911 <p>
2912 Refer to Security Policy 2.1.4 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
2913 </p>
2914 </section>
2915 <section id="p5.1.5">
2916 <h4>5.1.5. Fire prevention and protection</h4>
2917 <p>
2918 Refer to Security Policy 2.1.4 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
2919 </p>
2920 </section>
2921 <section id="p5.1.6">
2922 <h4>5.1.6. Media storage</h4>
2923 <p>
2924 Refer to Security Policy 4.3 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
2925 </p>
2926 </section>
2927 <section id="p5.1.7">
2928 <h4>5.1.7. Waste disposal</h4>
2929 <p>
2930 No stipulation.
2931 </p>
2932 </section>
2933 <section id="p5.1.8">
2934 <h4>5.1.8. Off-site backup</h4>
2935 <p>
2936 Refer to Security Policy 4.3 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s4.3">COD8</a>)
2937 </p>
2938 </section>
2939
2940 </section>
2941
2942
2943 <section id="p5.2">
2944 <h3>5.2. Procedural controls</h3>
2945
2946 <section id="p5.2.1">
2947 <h4>5.2.1. Trusted roles</h4>
2948
2949 <dl>
2950 <dt>Technical teams</dt>
2951 <dd>
2952 <ul>
2953 <li>User support personnel</li>
2954 <li>Systems Administrators -- critical and non-critical</li>
2955 <li>Software Developers</li>
2956 <li>controllers of keys</li>
2957 </ul>
2958 Refer to Security Policy 9.1 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.1">COD8</a>)
2959
2960 </dd>
2961
2962 <dt>Assurance</dt>
2963 <dd>
2964 <ul>
2965 <li>Assurers</li>
2966 <li> Any others authorised under COD13 </li>
2967 </ul>
2968 Refer to Assurance Policy (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>)
2969 </dd>
2970
2971 <dt>Governance</dt>
2972 <dd>
2973 <ul>
2974 <li>Directors (members of the CAcert Inc. committee, or "Board") </li>
2975 <li>Internal Auditor</li>
2976 <li>Arbitrator</li>
2977 </ul>
2978 </dd>
2979 </dl>
2980 </section>
2981
2982 <section id="p5.2.2">
2983 <h4>5.2.2. Number of persons required per task</h4>
2984 <p>
2985 CAcert operates to the principles of <em>four eyes</em> and <em>dual control</em>.
2986 All important roles require a minimum of two persons.
2987 The people may be tasked to operate
2988 with an additional person observing (<em>four eyes</em>),
2989 or with two persons controlling (<em>dual control</em>).
2990 </p>
2991 </section>
2992
2993 <section id="p5.2.3">
2994 <h4>5.2.3. Identification and authentication for each role</h4>
2995
2996 <p>
2997 All important roles are generally required to be assured
2998 at least to the level of Assurer, as per AP.
2999 Refer to Assurance Policy (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>).
3000 </p>
3001
3002 <section>
3003 <h5>Technical</h5>
3004 <p>
3005 Refer to Security Policy 9.1 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.1">COD8</a>).
3006 </p>
3007 </section>
3008
3009 </section>
3010
3011 <section id="p5.2.4">
3012 <h4>5.2.4. Roles requiring separation of duties</h4>
3013
3014 <p>
3015 Roles strive in general for separation of duties, either along the lines of
3016 <em>four eyes principle</em> or <em>dual control</em>.
3017 </p>
3018 </section>
3019
3020 </section>
3021
3022 <section id="p5.3">
3023 <h3>5.3. Personnel controls</h3>
3024
3025 <section id="p5.3.1">
3026 <h4>5.3.1. Qualifications, experience, and clearance requirements</h4>
3027
3028 <figure id="t5.3.1">
3029 <table border="1" class="parentC">
3030 <thead>
3031 <tr>
3032 <th class="b">Role</th><th class="b">Policy</th><th class="b">Comments</th>
3033 </tr>
3034 </thead>
3035 <tbody>
3036 <tr>
3037 <th scope="row" class="l">Assurer</th>
3038 <td><a href="https://www.cacert.org/policy/AssurancePolicy.html"> COD13</a></td>
3039 <td>
3040 Passes Challenge, Assured to 100 points.
3041 </td>
3042 </tr><tr>
3043 <th scope="row" class="l">Organisation Assurer</th>
3044 <td><a href="https://www.cacert.org/policy/OrganisationAssurancePolicy.html">COD11</a></td>
3045 <td>
3046 Trained and tested by two supervising OAs.
3047 </td>
3048 </tr><tr>
3049 <th scope="row" class="l">Technical</th>
3050 <td>SM =&gt; <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a></td>
3051 <td>
3052 Teams responsible for testing.
3053 </td>
3054 </tr><tr>
3055 <th scope="row" class="l">Arbitrator</th>
3056 <td><a href="https://www.cacert.org/policy/DisputeResolutionPolicy.html">COD7</a></td>
3057 <td>
3058 Experienced Assurers.
3059 </td>
3060 </tr>
3061 </tbody>
3062 </table>
3063 <figcaption>Table 5.3.1. Controls on Roles</figcaption>
3064 </figure>
3065
3066 </section>
3067
3068 <section id="p5.3.2">
3069 <h4>5.3.2. Background check procedures</h4>
3070
3071 <p>
3072 Refer to Security Policy 9.1.3 (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.1.3">COD8</a>).
3073 </p>
3074 </section>
3075
3076 <section id="p5.3.3">
3077 <h4>5.3.3. Training requirements</h4>
3078 <p>No stipulation.</p>
3079 </section>
3080
3081 <section id="p5.3.4">
3082 <h4>5.3.4. Retraining frequency and requirements</h4>
3083 <p>No stipulation.</p>
3084 </section>
3085
3086 <section id="p5.3.5">
3087 <h4>5.3.5. Job rotation frequency and sequence</h4>
3088 <p>No stipulation.</p>
3089 </section>
3090
3091 <section id="p5.3.6">
3092 <h4>5.3.6. Sanctions for unauthorized actions</h4>
3093 <p>
3094 Any actions that are questionable
3095 - whether uncertain or grossly negligent -
3096 may be filed as a dispute.
3097 The Arbitrator has wide discretion in
3098 ruling on loss of points, retraining,
3099 or termination of access or status.
3100 Refer to DRP (<a href="https://www.cacert.org/policy/DisputeResolutionPolicy.html">COD7</a>).
3101 </p>
3102 </section>
3103
3104 <section id="p5.3.7">
3105 <h4>5.3.7. Independent contractor requirements</h4>
3106 <p>No stipulation.</p>
3107 </section>
3108
3109 <section id="p5.3.8">
3110 <h4>5.3.8. Documentation supplied to personnel</h4>
3111 <p>No stipulation.</p>
3112 </section>
3113
3114 </section>
3115
3116 <section id="p5.4">
3117 <h3>5.4. Audit logging procedures</h3>
3118
3119 <p>
3120 Refer to Security Policy <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s4.2">4.2</a>, <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s5">5</a> (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3121 </p>
3122 </section>
3123
3124 <section id="p5.5">
3125 <h3>5.5. Records archival</h3>
3126 <p>
3127 The standard retention period is 7 years.
3128 Once archived, records can only be obtained and verified
3129 by means of a filed dispute.
3130 The following types of records are archived:
3131 </p>
3132
3133 <figure>
3134 <table border="1" class="parentC">
3135 <thead>
3136 <tr>
3137 <th class="b">Record</th>
3138 <th class="b">Nature</th>
3139 <th class="b">Exceptions</th>
3140 <th class="b">Documentation</th>
3141 </tr>
3142 </thead>
3143 <tbody>
3144 <tr>
3145 <th scope="row">Member</th>
3146 <td>username, primary and added addresses, security questions, Date of Birth</td>
3147 <td>resigned non-subscribers: 0 years.</td>
3148 <td>Security Policy and Privacy Policy</td>
3149 </tr>
3150 <tr>
3151 <th scope="row">Assurance</th>
3152 <td>CAP forms</td>
3153 <td>"at least 7 years."<br> as per subsidiary policies</td>
3154 <td>Assurance Policy 4.5</td>
3155 </tr>
3156 <tr>
3157 <th scope="row">Organisation Assurance</th>
3158 <td>COAP forms</td>
3159 <td>as per subsidiary policies</td>
3160 <td>Organisation Assurance Policy</td>
3161 </tr>
3162 <tr>
3163 <th scope="row">certificates and revocations</th>
3164 <td> for reliance </td>
3165 <td> 7 years after termination </td>
3166 <td>this CPS</td>
3167 </tr>
3168 <tr>
3169 <th scope="row">critical roles</th>
3170 <td>background check worksheets</td>
3171 <td>under direct Arbitrator control</td>
3172 <td>Security Policy 9.1.3</td>
3173 </tr>
3174 </tbody>
3175 </table>
3176 <figcaption>Table 5.5. Documents and Retention</figcaption>
3177 </figure>
3178 </section>
3179
3180 <section id="p5.6">
3181 <h3>5.6. Key changeover</h3>
3182
3183 <p>
3184 Refer to Security Policy <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.2">9.2</a> (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3185 </p>
3186 </section>
3187
3188 <section id="p5.7">
3189 <h3>5.7. Compromise and disaster recovery</h3>
3190
3191 <p>
3192 Refer to Security Policy <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s5">5</a>, <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s6">6</a> (<a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3193 (Refer to <a href="#p1.4">&sect;1.4</a> for limitations to service.)
3194 </p>
3195 </section>
3196
3197 <section id="p5.8">
3198 <h3>5.8. CA or RA termination</h3>
3199
3200 <section id="p5.8.1">
3201 <h4>5.8.1. CA termination</h4>
3202
3203 <p>
3204 In the event of operational termination, the
3205 Roots (including SubRoots)
3206 and all private Member information will be secured.
3207 The Roots will be handed over to a responsible
3208 party for the sole purpose of issuing revocations.
3209 Member information will be securely destroyed.
3210 </p>
3211
3212 <p>
3213 The CA cannot be transferred to another organisation.
3214 </p>
3215 </section>
3216
3217 <section id="p5.8.2">
3218 <h4>5.8.2. RA termination</h4>
3219
3220 <p>
3221 When an Assurer desires to voluntarily terminate
3222 her responsibilities, she does this by filing a dispute,
3223 and following the instructions of the Arbitrator.
3224 </p>
3225
3226 <p>
3227 In the case of involuntary termination, the process is
3228 the same, save for some other party filing the dispute.
3229 </p>
3230 </section>
3231
3232 </section>
3233 </section>
3234
3235
3236 <!-- *************************************************************** -->
3237 <section id="p6">
3238 <h2>6. TECHNICAL SECURITY CONTROLS</h2>
3239
3240
3241 <section id="p6.1">
3242 <h3>6.1. Key Pair Generation and Installation</h3>
3243
3244 <section id="p6.1.1">
3245 <h4>6.1.1. Key Pair Generation</h4>
3246
3247 <p>
3248 Subscribers generate their own Key Pairs.
3249 </p>
3250 </section>
3251
3252 <section id="p6.1.2">
3253 <h4>6.1.2. Subscriber Private key security</h4>
3254
3255 <p>
3256 There is no technical stipulation on how Subscribers generate
3257 and keep safe their private keys;
3258 however, CCA 2.5 provides for general security obligations.
3259 See <a href="#p9.6">&sect;9.6</a>.
3260 </p>
3261 </section>
3262
3263 <section id="p6.1.3">
3264 <h4>6.1.3. Public Key Delivery to Certificate Issuer</h4>
3265
3266 <p>
3267 Members log in to their online account.
3268 Public Keys are delivered by cutting and pasting
3269 them into the appropriate window.
3270 Public Keys are delivered in signed-CSR form
3271 for X.509 and in self-signed form for OpenPGP.
3272 </p>
3273 </section>
3274
3275 <section id="p6.1.4">
3276 <h4>6.1.4. CA Public Key delivery to Relying Parties</h4>
3277
3278 <p>
3279 The CA root certificates are distributed by these means:
3280 </p>
3281 <ul><li>
3282 Published on the website of CAcert,
3283 in both HTTP and HTTPS.
3284 </li><li>
3285 Included in Third-Party Software such as
3286 Browsers, Email-Clients.
3287 Such suppliers are subject to the Third Party Vendor Agreement.
3288 </li></ul>
3289 </section>
3290
3291 <section id="p6.1.5">
3292 <h4>6.1.5. Key sizes</h4>
3293
3294 <p>
3295 No limitation is placed on Subscriber key sizes.
3296 </p>
3297
3298 <p>
3299 CAcert X.509 root and intermediate keys are currently 4096 bits.
3300 X.509 roots use RSA and sign with the SHA-1 message digest algorithm.
3301 See <a href="#p4.3.1">&sect;4.3.1</a>.
3302 </p>
3303
3304 <p>
3305 OpenPGP Signing uses both RSA and DSA (1024 bits).
3306 </p>
3307
3308 <p>
3309 CAcert adds larger keys and hashes
3310 in line with general cryptographic trends,
3311 and as supported by major software suppliers.
3312 </p>
3313 </section>
3314
3315 <section id="p6.1.6">
3316 <h4>6.1.6. Public key parameters generation and quality checking</h4>
3317
3318 <p>
3319 No stipulation.
3320 </p>
3321 </section>
3322
3323 <section id="p6.1.7">
3324 <h4>6.1.7. Key Usage Purposes</h4>
3325
3326 <p>
3327 CAcert roots are general purpose.
3328 Each root key may sign all of the general purposes
3329 - client, server, code.
3330 </p>
3331
3332 <p>
3333 The website controls the usage purposes that may be signed.
3334 This is effected by means of the 'template' system.
3335 </p>
3336 </section>
3337
3338 </section>
3339
3340
3341 <section id="p6.2">
3342 <h3>6.2. Private Key Protection and Cryptographic Module Engineering Controls</h3>
3343
3344 <section id="p6.2.1">
3345 <h4>6.2.1. Cryptographic module standards and controls</h4>
3346
3347 <p>
3348 SubRoot keys are stored on a single machine which acts
3349 as a Cryptographic Module, or <em>signing server</em>.
3350 It operates a single daemon for signing only.
3351 The signing server has these security features:
3352 </p>
3353 <ul><li>
3354 It is connected only by one
3355 dedicated (serial USB) link
3356 to the online account server.
3357 It is not connected to the network,
3358 nor to any internal LAN (ethernet),
3359 nor to a console switch.
3360 </li><li>
3361 The protocol over the dedicated link is a custom, simple
3362 request protocol that only handles certificate signing requests.
3363 </li><li>
3364 The daemon is designed not to reveal the key.
3365 </li><li>
3366 The daemon incorporates a dead-man switch that monitors
3367 the one webserver machine that requests access.
3368 </li><li>
3369 The daemon shuts down if a bad request is detected.
3370 </li><li>
3371 The daemon resides on an encrypted partition.
3372 </li><li>
3373 The signing server can only be (re)started with direct
3374 systems administration access.
3375 </li><li>
3376 Physical Access to the signing server is under dual control.
3377 </li></ul>
3378
3379 <p>
3380 See <a href="#p5">&sect;5.</a> and the Security Policy 9.3.1.
3381 </p>
3382
3383 <p>
3384 (Hardware-based, commercial and standards-based cryptographic
3385 modules, and similar, have been tried and tested,
3386 but have been found wanting, e.g., for short key lengths and
3387 power restrictions.)
3388 </p>
3389 </section>
3390
3391 </section>
3392
3393
3394 <section id="p6.3">
3395 <h3>6.3. Other aspects of key pair management</h3>
3396
3397 <section id="p6.3.1">
3398 <h4>6.3.1. Public key archival</h4>
3399
3400 <p>
3401 Subscriber certificates, including public keys,
3402 are stored in the database backing the online system.
3403 They are not made available in a public- or subscriber-accessible
3404 archive, see <a href="#p2">&sect;2</a>.
3405 They are backed-up by CAcert's normal backup procedure,
3406 but their availability is a subscriber responsibility.
3407 </p>
3408 </section>
3409
3410 <section id="p6.3.2">
3411 <h4>6.3.2. Certificate operational periods and key pair usage periods</h4>
3412
3413 <p>
3414 The operational period of a certificate and its key pair
3415 depends on the Assurance status of the Member,
3416 see <a href="#p1.4.5">&sect;1.4.5</a> and Assurance Policy (<a href="https://www.cacert.org/policy/AssurancePolicy.html">COD13</a>).
3417 </p>
3418
3419 <p>
3420 The CAcert (top-level) Root certificate
3421 has a 30 year expiry.
3422 SubRoots have 10 years, and are to be rolled over more quickly.
3423 The key size of the root certificates is chosen
3424 in order to ensure optimum security for CAcert
3425 Members based on current recommendations from the
3426 <a href="http://www.keylength.com/">cryptographic community</a>
3427 and maximum limits in generally available software.
3428 At time of writing this is 4096 bits.
3429 </p>
3430 </section>
3431
3432 </section>
3433
3434
3435 <section id="p6.4">
3436 <h3>6.4. Activation data</h3>
3437 <p> No stipulation. </p>
3438 </section>
3439
3440 <section id="p6.5">
3441 <h3>6.5. Computer security controls</h3>
3442 <p>
3443 Refer to Security Policy.
3444 </p>
3445 </section>
3446
3447 <section id="p6.6">
3448 <h3>6.6. Life cycle technical controls</h3>
3449 <p>
3450 Refer to <a href="https://wiki.cacert.org/SecurityManual#SOFTWARE_DEVELOPMENT">SM7 "Software Development"</a>.
3451 </p>
3452 </section>
3453
3454 <section id="p6.7">
3455 <h3>6.7. Network security controls</h3>
3456 <p>
3457 Refer to <a href="https://wiki.cacert.org/SecurityManual#Network">SM3.1 "Logical Security - Network"</a>.
3458 </p>
3459 </section>
3460
3461 <section id="p6.8">
3462 <h3>6.8. Time-stamping</h3>
3463 <p>
3464 Each server synchronises with NTP.
3465 No "timestamping" service is currently offered.
3466 </p>
3467 </section>
3468
3469 </section>
3470
3471
3472 <!-- *************************************************************** -->
3473 <section id="p7">
3474 <h2>7. CERTIFICATE, CRL, AND OCSP PROFILES</h2>
3475
3476 <p>
3477 CAcert defines all the meanings, semantics and profiles
3478 applicable to issuance of certificates and signatures
3479 in its policies, handbooks and other documents.
3480 Meanings that may be written in external standards or documents
3481 or found in wider conventions are not
3482 incorporated, are not used by CAcert, and must not be implied
3483 by the Member or the Non-related Person.
3484 </p>
3485
3486 <section id="p7.1">
3487 <h3>7.1. Certificate profile</h3>
3488
3489 <section id="p7.1.1">
3490 <h4>7.1.1. Version number(s)</h4>
3491
3492 <p>
3493 Issued X.509 certificates are of v3 form.
3494 The form of the PGP signatures depends on several factors, therefore no stipulation.
3495 </p>
3496 </section>
3497
3498 <section id="p7.1.2">
3499 <h4>7.1.2. Certificate extensions</h4>
3500
3501 <p>
3502 Client certificates include the following extensions:
3503 </p>
3504 <ul>
3505 <li>basicConstraints=CA:FALSE (critical)</li>
3506 <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
3507 <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
3508 <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
3509 <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
3510 with the URI where the certificate revocation list relating to the
3511 certificate is found</li>
3512 <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
3513 </ul>
3514
3515 <p>
3516 Server certificates include the following extensions:
3517 </p>
3518 <ul>
3519 <li>basicConstraints=CA:FALSE (critical)</li>
3520 <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
3521 <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
3522 <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
3523 <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
3524 with the URI where the certificate revocation list relating to the
3525 certificate is found</li>
3526 <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
3527 </ul>
3528
3529 <p>
3530 Code-Signing certificates include the following extensions:
3531 </p>
3532 <ul>
3533 <li>basicConstraints=CA:FALSE (critical)</li>
3534 <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
3535 <li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
3536 <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
3537 <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
3538 with the URI where the certificate revocation list relating to the
3539 certificate is found</li>
3540 <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
3541 </ul>
3542
3543 <p>
3544 OpenPGP key signatures currently do not include extensions.
3545 In the future, a serial number might be included as an extension.
3546 </p>
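<p>
Added example (not part of the CPS or of CAcert's code): a Python check of a certificate's extensions against the three X.509 profiles listed above, reading the extensions block in the layout printed by <code>openssl x509 -noout -text</code>.
It assumes each profile list is exhaustive, so any missing or extra value counts as a deviation; the sample block and its <code>example.invalid</code> names are constructed.
</p>

```python
# Profiles from CPS 7.1.2, written with the page's short names.
KEY_USAGE = {"digitalSignature", "keyEncipherment", "keyAgreement"}
EKU = {
    "client": {"emailProtection", "clientAuth", "msEFS", "msSGC", "nsSGC"},
    "server": {"clientAuth", "serverAuth", "nsSGC", "msSGC"},
    "code": {"emailProtection", "clientAuth", "codeSigning", "msCodeInd",
             "msCodeCom", "msEFS", "msSGC", "nsSGC"},
}
OCSP = "OCSP - URI:http://ocsp.cacert.org"
# Long names as printed by `openssl x509 -text`, mapped to those short names.
SHORT = {
    "Digital Signature": "digitalSignature", "Key Encipherment": "keyEncipherment",
    "Key Agreement": "keyAgreement", "E-mail Protection": "emailProtection",
    "TLS Web Client Authentication": "clientAuth", "Code Signing": "codeSigning",
    "TLS Web Server Authentication": "serverAuth",
    "Microsoft Individual Code Signing": "msCodeInd",
    "Microsoft Commercial Code Signing": "msCodeCom",
    "Microsoft Encrypted File System": "msEFS",
    "Microsoft Server Gated Crypto": "msSGC", "Netscape Server Gated Crypto": "nsSGC",
}

def parse_extensions(block):
    """Map extension name to (critical, set of values) from indented text."""
    exts, name, base = {}, None, None
    for line in filter(str.strip, block.splitlines()):   # skip blank lines
        indent = len(line) - len(line.lstrip())
        if base is not None and indent > base:   # value line of the current extension
            exts[name][1].update(SHORT.get(v.strip(), v.strip()) for v in line.split(","))
        else:                                    # header, e.g. "X509v3 Key Usage: critical"
            base = indent
            name, _, flag = line.strip().replace("X509v3 ", "").partition(":")
            exts[name] = (flag.strip() == "critical", set())
    return exts

def check_profile(block, kind):
    """Return the 7.1.2 extensions that deviate for kind client/server/code."""
    exts = parse_extensions(block)
    get = lambda n: exts.get(n, (False, set()))
    checks = {
        "basicConstraints": get("Basic Constraints") == (True, {"CA:FALSE"}),
        "keyUsage": get("Key Usage") == (True, KEY_USAGE),
        "extendedKeyUsage": get("Extended Key Usage")[1] == EKU[kind],
        "authorityInfoAccess": OCSP in get("Authority Information Access")[1],
        "crlDistributionPoints": any(
            v.startswith("URI:") for v in get("CRL Distribution Points")[1]),
        "subjectAltName": bool(get("Subject Alternative Name")[1]),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample (not a real certificate): a server certificate's extensions.
SAMPLE_SERVER = """\
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
Authority Information Access:
    OCSP - URI:http://ocsp.cacert.org
X509v3 CRL Distribution Points:
    URI:http://crl.example.invalid/revoke.crl
X509v3 Subject Alternative Name:
    DNS:www.example.invalid
"""
```

<p>
<code>check_profile(SAMPLE_SERVER, "server")</code> returns an empty list, while checking the same block against <code>"code"</code> reports <code>extendedKeyUsage</code>.
</p>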
3547 </section>
3548
3549 <section id="p7.1.3">
3550 <h4>7.1.3. Algorithm object identifiers</h4>
3551 <p>
3552 No stipulation.
3553 </p>
3554 </section>
3555
3556 <section id="p7.1.4">
3557 <h4>7.1.4. Name forms</h4>
3558 <p>
3559 Refer to <a href="#p3.1.1">&sect;3.1.1</a>.
3560 </p>
3561 </section>
3562
3563 <section id="p7.1.5">
3564 <h4>7.1.5. Name constraints</h4>
3565 <p>
3566 Refer to <a href="#p3.1.1">&sect;3.1.1</a>.
3567 </p>
3568 </section>
3569
3570 <section id="p7.1.6">
3571 <h4>7.1.6. Certificate policy object identifier</h4>
3572 <p>
3573 The following OIDs are defined and should be incorporated
3574 into certificates:
3575 </p>
3576 <table border="1">
3577 <thead>
3578 <tr>
3579 <th>
3580 OID
3581 </th>
3582 <th>
3583 Type/Meaning
3584 </th>
3585 <th>
3586 Comment
3587 </th>
3588 </tr>
3589 </thead>
3590 <tbody>
3591 <tr>
3592 <th scope="row" class="l">
3593 1.3.6.1.4.1.18506.4.4
3594 </th>
3595 <td>
3596 Certification Practice Statement
3597 </td>
3598 <td>
3599 (this present document)
3600 </td>
3601 </tr>
3602 </tbody>
3603 </table>
3604
3605 <p>
3606 Versions are defined by additional numbers appended such as .1.
3607 </p>
3608 </section>
3609
3610 <section id="p7.1.7">
3611 <h4>7.1.7. Usage of Policy Constraints extension</h4>
3612 <p>
3613 No stipulation.
3614 </p>
3615 </section>
3616
3617 <section id="p7.1.8">
3618 <h4>7.1.8. Policy qualifiers syntax and semantics</h4>
3619 <p>
3620 No stipulation.
3621 </p>
3622 </section>
3623
3624 <section id="p7.1.9">
3625 <h4>7.1.9. Processing semantics for the critical Certificate Policies extension</h4>
3626 <p>
3627 No stipulation.
3628 </p>
3629 </section>
3630
3631 </section>
3632
3633
3634 <section id="p7.2">
3635 <h3>7.2. CRL profile</h3>
3636
3637 <section id="p7.2.1">
3638 <h4>7.2.1. Version number(s)</h4>
3639 <p>
3640 CRLs are created in X.509 v2 format.
3641 </p>
3642 </section>
3643
3644 <section id="p7.2.2">
3645 <h4>7.2.2. CRL and CRL entry extensions</h4>
3646
3647 <p>
3648 No extensions.
3649 </p>
3650 </section>
3651
3652 </section>
3653
3654
3655 <section id="p7.3">
3656 <h3>7.3. OCSP profile</h3>
3657
3658 <section id="p7.3.1">
3659 <h4>7.3.1. Version number(s)</h4>
3660 <p>
3661 The OCSP responder operates in Version 1.
3662 </p>
3663 </section>
3664
3665 <section id="p7.3.2">
3666 <h4>7.3.2. OCSP extensions</h4>
3667 <p>
3668 No stipulation.
3669 </p>
3670 </section>
3671
3672 </section>
3673 </section>
3674
3675
3676 <!-- *************************************************************** -->
3677 <section id="p8">
3678 <h2>8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS</h2>
3679
3680 <p>
3681 There are two major threads of assessment:
3682 </p>
3683 <dl>
3684 <dt>Systems Audit</dt>
3685 <dd>
3686 Analyses the CA for business and operations security.
3687 This is conducted in two phases: documents for compliance
3688 with criteria, and operations for compliance with documentation.
3689 </dd>
3690
3691 <dt>Code Audit</dt>
3692 <dd>
3693 Analyses the source code.
3694 This is conducted at two levels:
3695 Security concepts at the web applications level,
3696 and source code security and bugs review.
3697 </dd>
3698 </dl>
3699
3700 <p>
3701 See the Audit page at
3702 <a href="https://wiki.cacert.org/Audit/">
3703 wiki.cacert.org/Audit/</a>
3704 for more information.
3705 </p>
3706
3707 <section id="p8.1">
3708 <h3>8.1. Frequency or circumstances of assessment</h3>
3709 <p>
3710 The first audits started in late 2005,
3711 and since then, assessments have been an
3712 ongoing task.
3713 Even when completed, they are expected to
3714 be permanent features.
3715 </p>
3716
3717 <ul><li>
3718 <strong>Systems Audit</strong>.
3719 </li><li>
3720 <strong>Code Audit</strong>.
3721 </li></ul>
3722 </section>
3723
3724 <section id="p8.2">
3725 <h3>8.2. Identity/qualifications of assessor</h3>
3726
3727 <dl>
3728
3729 <dt>Systems Auditors</dt>
3730 <dd>
3731 CAcert uses business systems auditors with broad experience
3732 across the full range of business, information systems
3733 and security fields.
3734 In selecting a business systems auditor, CAcert looks for
3735 experience that includes but is not limited to
3736 cryptography, PKI, governance, auditing,
3737 compliance and regulatory environments,
3738 business strategy, software engineering,
3739 networks, law (including multijurisdictional issues),
3740 identity systems, fraud, IT management.
3741 </dd>
3742
3743 <dt>Code Auditors</dt>
3744 <dd>
3745 See Security Policy, sections <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s7">7</a>, <a href="https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#s9.1">9.1</a>.
3746 </dd>
3747
3748 </dl>
3749 </section>
3750
3751 <section id="p8.3">
3752 <h3>8.3. Assessor's relationship to assessed entity</h3>
3753
3754 <p>
3755 Specific internal restrictions on audit personnel:
3756 </p>
3757 <ul><li>
3758 Must be Assured by CAcert Assurers
3759 and must be background checked.
3760 </li><li>
3761 Must not have been active in any (other) role in CAcert.
3762 Specifically, must not be an Assurer, a member of the association,
3763 or in any other defined role or office.
3764 </li><li>
3765 Although the Auditor may be expected to undertake various
3766 of the activities (Assurance, Training)
3767 during the process of the audit, any results are frozen
3768 until resignation as auditor is effected.
3769 </li><li>
3770 The Auditor is required to declare to CAcert all
3771 potential conflicts of interest on an ongoing basis.
3772 </li></ul>
3773
3774 <p>
3775 Specific external restrictions on audit personnel:
3776 </p>