8e7d1e719c4d042b297a3bb1c7785f0ff6011fdd
[cacert-devel.git] / www / policy / CertificationPracticeStatement.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" lang="en">
5 <title>Certification Practice Statement (CPS)</title>
6 <style type="text/css">
7 <!--
8 body {
9 font-family : verdana, helvetica, arial, sans-serif;
10 }
11 .comment {
12 color : steelblue;
13 }
14 .figure {
15 text-align : center;
16 color : gray;
17 margin-top : 0.5em;
18 }
19
20 a:hover {
21 color : gray;
22 }
23 -->
24 </style>
25 </head>
26 <body>
27
28 <h1>CAcert CPS and CP</h1>
29 <div class="comment">
30 <table width="100%">
31 <tbody>
32 <tr>
33 <td rowspan="2">
34 Name: CPS <a style="color: steelblue" href="https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html">COD6</a>
35 <br>
36 Creation Date : 20060726, drafted at 20091108
37 <br>
38 Editor: NN
39 <br>
40 Status: POLICY <a href="https://wiki.cacert.org/PolicyDecisions#p20140731">p20140731</a>
41 <br>
42 Licence: <a style="color: steelblue" href="https://wiki.cacert.org/Policy#Licence" title="this document is Copyright © CAcert Inc., licensed openly under CC-by-sa with all disputes resolved under DRP. More at wiki.cacert.org/Policy">CC-by-sa+DRP</a>
43
44 </td>
45 <td align="right" valign="top">
46 <a href="https://www.cacert.org/policy/PolicyOnPolicy.php">
47 <img src="images/cacert-policy.png" alt="CPS Status - POLICY" style="border-style: none;" height="31" width="88">
48 </a>
49 </td>
50 </tr>
51 </tbody>
52 </table>
53 </div>
54
55
56 <font size="-1">
57
58 <ol>
59
60 <li> <a href="#p1">INTRODUCTION</a>
61
62 <ul>
63
64 <li><a href="#p1.1">1.1. Overview</a></li>
65
66 <li><a href="#p1.2">1.2. Document name and identification</a></li>
67
68 <li><a href="#p1.3">1.3. PKI participants</a> </li>
69
70 <li><a href="#p1.4">1.4. Certificate usage</a> </li>
71
72 <li><a href="#p1.5">1.5. Policy administration</a> </li>
73
74 <li><a href="#p1.6">1.6. Definitions and acronyms</a></li>
75 </ul>
76 </li>
77
78 <li> <a href="#p2">PUBLICATION AND REPOSITORY RESPONSIBILITIES</a>
79
80 <ul>
81
82 <li><a href="#p2.1">2.1. Repositories</a></li>
83
84 <li><a href="#p2.2">2.2. Publication of certification information</a></li>
85
86 <li><a href="#p2.3">2.3. Time or frequency of publication</a></li>
87
88 <li><a href="#p2.4">2.4. Access controls on repositories</a></li>
89 </ul>
90 </li>
91
92 <li> <a href="#p3">IDENTIFICATION AND AUTHENTICATION (I&amp;A)</a>
93
94 <ul>
95
96 <li><a href="#p3.1">3.1. Naming</a> </li>
97
98 <li><a href="#p3.2">3.2. Initial Identity Verification</a> </li>
99
100 <li><a href="#p3.3">3.3. I&amp;A for Re-key Requests</a> </li>
101
102 <li><a href="#p3.4">3.4. I&amp;A for Revocation Request</a></li>
103 </ul>
104 </li>
105
106 <li><a href="#p4">CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS</a>
107
108 <ul>
109
110 <li><a href="#p4.1">4.1. Certificate Application</a> </li>
111
112 <li><a href="#p4.2">4.2. Certificate application processing</a> </li>
113
114 <li><a href="#p4.3">4.3. Certificate issuance</a> </li>
115
116 <li><a href="#p4.4">4.4. Certificate acceptance</a> </li>
117
118 <li><a href="#p4.5">4.5. Key pair and certificate usage</a> </li>
119
120 <li><a href="#p4.6">4.6. Certificate renewal</a> </li>
121
122 <li><a href="#p4.7">4.7. Certificate re-key</a> </li>
123
124 <li><a href="#p4.8">4.8. Certificate modification</a> </li>
125
126 <li><a href="#p4.9">4.9. Certificate revocation and suspension</a> </li>
127
128 <li><a href="#p4.10">4.10. Certificate status services</a> </li>
129
130 <li><a href="#p4.11">4.11. End of subscription</a></li>
131
132 <li><a href="#p4.12">4.12. Key escrow and recovery</a> </li>
133 </ul>
134 </li>
135
136 <li><a href="#p5">FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS</a>
137
138 <ul>
139
140 <li><a href="#p5.1">5.1. Physical controls</a> </li>
141
142 <li><a href="#p5.2">5.2. Procedural controls</a> </li>
143
144 <li><a href="#p5.3">5.3. Personnel controls</a> </li>
145
146 <li><a href="#p5.4">5.4. Audit logging procedures</a> </li>
147
148 <li><a href="#p5.5">5.5. Records archival</a> </li>
149
150 <li><a href="#p5.6">5.6. Key changeover</a></li>
151
152 <li><a href="#p5.7">5.7. Compromise and disaster recovery</a> </li>
153
154 <li><a href="#p5.8">5.8. CA or RA termination</a></li>
155 </ul>
156 </li>
157
158 <li><a href="#p6">TECHNICAL SECURITY CONTROLS</a>
159
160 <ul>
161
162 <li><a href="#p6.1">6.1. Key pair generation and installation</a> </li>
163
164 <li><a href="#p6.2">6.2. Private Key Protection and Cryptographic Module Engineering Controls</a> </li>
165
166 <li><a href="#p6.3">6.3. Other aspects of key pair management</a> </li>
167
168 <li><a href="#p6.4">6.4. Activation data</a> </li>
169
170 <li><a href="#p6.5">6.5. Computer security controls</a> </li>
171
172 <li><a href="#p6.6">6.6. Life cycle technical controls</a> </li>
173
174 <li><a href="#p6.7">6.7. Network security controls</a></li>
175
176 <li><a href="#p6.8">6.8. Time-stamping</a></li>
177 </ul>
178 </li>
179
180 <li><a href="#p7">CERTIFICATE, CRL, AND OCSP PROFILES</a>
181
182 <ul>
183
184 <li><a href="#p7.1">7.1. Certificate profile</a> </li>
185
186 <li><a href="#p7.2">7.2. CRL profile</a> </li>
187
188 <li><a href="#p7.3">7.3. OCSP profile</a> </li>
189 </ul>
190 </li>
191
192 <li><a href="#p8">COMPLIANCE AUDIT AND OTHER ASSESSMENTS</a>
193
194 <ul>
195
196 <li><a href="#p8.1">8.1. Frequency or circumstances of assessment</a></li>
197
198 <li><a href="#p8.2">8.2. Identity/qualifications of assessor</a></li>
199
200 <li><a href="#p8.3">8.3. Assessor's relationship to assessed entity</a></li>
201
202 <li><a href="#p8.4">8.4. Topics covered by assessment</a></li>
203
204 <li><a href="#p8.5">8.5. Actions taken as a result of deficiency</a></li>
205
206 <li><a href="#p8.6">8.6. Communication of results</a></li>
207 </ul>
208 </li>
209
210 <li><a href="#p9">OTHER BUSINESS AND LEGAL MATTERS</a>
211
212 <ul>
213
214 <li><a href="#p9.1">9.1. Fees</a> </li>
215
216 <li><a href="#p9.2">9.2. Financial responsibility</a> </li>
217
218 <li><a href="#p9.3">9.3. Confidentiality of business information</a> </li>
219
220 <li><a href="#p9.4">9.4. Privacy of personal information</a> </li>
221
222 <li><a href="#p9.5">9.5. Intellectual property rights</a></li>
223
224 <li><a href="#p9.6">9.6. Representations and warranties</a> </li>
225
226 <li><a href="#p9.7">9.7. Disclaimers of warranties</a></li>
227
228 <li><a href="#p9.8">9.8. Limitations of liability</a></li>
229
230 <li><a href="#p9.9">9.9. Indemnities</a></li>
231
232 <li><a href="#p9.10">9.10. Term and termination</a> </li>
233
234 <li><a href="#p9.11">9.11. Individual notices and communications with participants</a></li>
235
236 <li><a href="#p9.12">9.12. Amendments</a> </li>
237
238 <li><a href="#p9.13">9.13. Dispute resolution provisions</a></li>
239
240 <li><a href="#p9.14">9.14. Governing law</a></li>
241
242 <li><a href="#p9.15">9.15. Compliance with applicable law</a></li>
243
244 <li><a href="#p9.16">9.16. Miscellaneous provisions</a> </li>
245 </ul>
246 </li>
247 </ol>
248
249 </font>
250
251
252
253 <!-- *************************************************************** -->
254 <h2 id="p1">1. INTRODUCTION</h2>
255
256 <h3 id="p1.1">1.1. Overview</h3>
257
258 <p>
259 This document is the Certification Practice Statement (CPS) of
260 CAcert, the Community Certification Authority (CA).
261 It describes rules and procedures used by CAcert for
262 operating its CA,
263 and applies to all CAcert PKI Participants,
264 including Assurers, Members, and CAcert itself.
265 </p>
266
267 <p>
268 </p>
269
270 <h3 id="p1.2">1.2. Document name and identification</h3>
271
272 <p>
273 This document is the Certification Practice Statement (CPS) of CAcert.
274 The CPS also fulfills the role of the Certificate Policy (CP)
275 for each class of certificate.
276 </p>
277
278 <ul>
279
280 <li>
281 This document is COD6 under CAcert Official Documents numbering scheme.
282 </li>
283
284 <li>
285 The document is structured according to
286 Chokhani, et al,
287 <a href="http://www.ietf.org/rfc/rfc3647.txt">RFC3647</a>,
288 <a href="http://tools.ietf.org/html/rfc3647#section-4">chapter 4</a>.
289 All headings derive from that Chapter.
290 </li>
291
292 <li>
293 It has been improved and reviewed (or will be reviewed)
294 to meet or exceed the criteria of the
295 <cite>Certificate Authority Review Checklist</cite>
296 from <i>David E. Ross</i> ("DRC")
297 and Mozilla Foundation's CA policy.
298 </li>
299
300 <li>
301 OID assigned to this document: 1.3.6.1.4.1.18506.4.4.x (x=approved Version)
302 (<a href="http://www.iana.org/assignments/enterprise-numbers">iana.org</a>)
303
304 </li>
305
306 <li>
307 © CAcert Inc. 2006-2009.
308 <!-- note that CCS policies must be controlled by CAcert Inc. -->
309 </li>
310
311
312 <li>
313 Earlier notes were written by Christian Barmala
314 in a document placed under GNU Free Document License
315 and under FSF copyright.
316 However this clashed with the control provisions of
317 Configuration-Control Specification
318 (COD2) within Audit criteria.
319 </li>
320 </ul>
321
322 <p>
323 The CPS is an authoritative document,
324 and rules other documents
325 except where explicitly deferred to.
326 See also <a href="#p1.5.1">1.5.1 Organisation Administering the Document</a>.
327 </p>
328
329 <h3 id="p1.3">1.3. PKI participants</h3>
330 <p>
331 The CA is legally operated by CAcert Incorporated,
332 an Association registered in 2002 in
333 New South Wales, Australia,
334 on behalf of the wider Community of Members of CAcert.
335 The Association details are at the
336 <a href="http://wiki.cacert.org/wiki/CAcertIncorporated">CAcert wiki</a>.
337 </p>
338
339 <p>
340 CAcert is a Community formed of Members who agree to the
341 <a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">
342 CAcert Community Agreement</a>.
343 The CA is technically operated by the Community,
344 under the direction of the Board of CAcert Incorporated.
345 (The Members of the Community are not to be confused
346 with the <i>Association Members</i>, which latter are
347 not referred to anywhere in this CPS.)
348 </p>
349
350 <h4 id="p1.3.1">1.3.1. Certification authorities</h4>
351 <p>
352 CAcert does not issue certificates to external
353 intermediate CAs under the present CPS.
354 </p>
355
356 <h4 id="p1.3.2">1.3.2. Registration authorities</h4>
357 <p>
358 Registration Authorities (RAs) are controlled under Assurance Policy
359 (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>).
360 </p>
361
362 <h4 id="p1.3.3">1.3.3. Subscribers</h4>
363
364 <p>
365 CAcert issues certificates to Members only.
366 Such Members then become Subscribers.
367 </p>
368
369
370 <h4 id="p1.3.4">1.3.4. Relying parties</h4>
371
372 <p>
373 A relying party is a Member,
374 having agreed to the
375 CAcert Community Agreement
376 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>),
377 who, in the act of using a CAcert certificate,
378 makes a decision on the basis of that certificate.
379 </p>
380
381 <h4 id="p1.3.5">1.3.5. Other participants</h4>
382
383 <p>
384 <b>Member.</b>
385 Membership of the Community is as defined in the
386 <a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>.
387 Only Members may RELY or may become Subscribers.
388 Membership is free.
389 </p>
390
391 <p>
392 <b>Arbitrator.</b>
393 A senior and experienced Member of the CAcert Community
394 who resolves disputes between Members, including ones
395 of certificate reliance, under
396 Dispute Resolution Policy
397 (<a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">COD7</a>).
398 </p>
399
400 <p>
401 <b>Vendor.</b>
402 Software suppliers who integrate the root certificates of CAcert
403 into their software also assume a proxy role of Relying Parties,
404 and are subject to another licence.
405 </p>
406
407 <p>
408 <b>Non-Related Persons</b> (NRPs).
409 These are users of browsers and similar software who are
410 unaware of the CAcert certificates they may use, and
411 are unaware of the ramifications of usage.
412 Their relationship with CAcert
413 is described by the
414 Non-related Persons - Disclaimer and Licence
415 (<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">COD4</a>).
416 No other rights or relationship are implied or offered.
417 </p>
418
419
420 <h3 id="p1.4">1.4. Certificate usage</h3>
421
422 <p>CAcert serves as issuer of certificates for
423 individuals, businesses, governments, charities,
424 associations, churches, schools,
425 non-governmental organisations or other groups.
426 CAcert certificates are intended for low-cost
427 community applications especially where volunteers can
428 become Assurers and help CAcert to help the Community.
429 </p>
430
431 <p>
432 Types of certificates and their appropriate and
433 corresponding applications are defined in
434 <a href="#p1.4.1">§1.4.1</a>.
435 Prohibited applications are defined in <a href="#p1.4.2">§1.4.2</a>.
436 Specialist uses may be agreed by contract or within
437 a specific environment, as described in
438 <a href="#p1.4.4">§1.4.4</a>.
439 Note also the
440 unreliable applications in
441 <a href="#p1.4.3">§1.4.3</a>
442 and risks, liabilities and obligations in
443 <a href="#p9">§9</a>.
444 </p>
445
446
447 <center>
448 <table border="1" cellpadding="5">
449 <tbody>
450 <tr>
451
452 <td colspan="2">
453 <center><i>Type</i></center>
454 </td>
455
456 <td colspan="2">
457 <center><i>Appropriate Certificate uses</i></center>
458 </td>
459 </tr>
460 <tr>
461
462 <th>General</th>
463
464 <th>Protocol</th>
465
466 <th>
467 <center>Description</center>
468 </th>
469
470 <th>
471 <center>Comments</center>
472 </th>
473 </tr>
474 <tr>
475
476 <td rowspan="2">
477 <center>Server</center>
478 </td>
479
480 <td> TLS </td>
481
482 <td> web server encryption </td>
483
484 <td> enables encryption </td>
485 </tr>
486 <tr>
487
488 <td> embedded </td>
489
490 <td> embedded server authentication </td>
491
492 <td> mail servers, IM-servers </td>
493 </tr>
494 <tr>
495
496 <td rowspan="4">
497 <center>Client</center>
498 </td>
499
500 <td> S/MIME </td>
501
502 <td> email encryption </td>
503
504 <td> "digital signatures" employed in S/MIME
505 are not legal / human signatures,
506 but instead enable the encryption mode of S/MIME </td>
507 </tr>
508 <tr>
509
510 <td> TLS </td>
511
512 <td> client authentication </td>
513
514 <td> the client and server nodes holding the keys must be secure </td>
515 </tr>
516 <tr>
517
518 <td> TLS </td>
519
520 <td> web based signature applications </td>
521
522 <td> the certificate authenticates only. See <a href="#p1.4.3">§1.4.3</a>. </td>
523 </tr>
524 <tr>
525
526 <td> "Digital Signing" </td>
527
528 <td> for human signing over documents </td>
529
530 <td> Only within a wider application and rules
531 such as by separate policy,
532 as agreed by contract, etc.
533 See <a href="#p1.4.4">§1.4.4</a>.
534 </td>
535 </tr>
536 <tr>
537
538 <td>
539 <center>Code</center>
540 </td>
541
542 <td> Authenticode, ElfSign, Java </td>
543
544 <td> Code Signing </td>
545
546 <td> Signatures on packages are evidence of their Membership and indicative of Identity </td>
547 </tr>
548 <tr>
549
550 <td>
551 <center>PGP</center>
552 </td>
553
554 <td> OpenPGP </td>
555
556 <td> Key Signing </td>
557
558 <td> Signatures on Member Keys are evidence of their Membership and indicative of Identity </td>
559 </tr>
560 <tr>
561
562 <td>
563 <center>Special</center>
564 </td>
565
566 <td> X.509 </td>
567
568 <td> OCSP, Timestamping </td>
569
570 <td> Only available to CAcert Systems Administrators, as controlled by Security Policy </td>
571 </tr>
572 </tbody>
573 </table>
574
575 <span class="figure">Table 1.4. Types of Certificate</span>
576 </center>
577
578 <h4 id="p1.4.1">1.4.1. Appropriate certificate uses</h4>
579
580 <p>
581 General uses.
582 </p>
583
584 <ul>
585 <li>
586 CAcert server certificates can be used to enable encryption
587 protection in web servers.
588 Suitable applications include webmail and chat forums.
589 </li>
590 <li>
591 CAcert server certificates can be used to enable encryption
592 in SSL/TLS links in embedded protocols such as mail servers
593 and IM-servers.
594 </li>
595 <li>
596 CAcert client certificates can be used to enable encryption
597 protection in email clients.
598 (See <a href="#p1.4.3">§1.4.3</a> for caveat on signatures.)
599 </li>
600 <li>
601 CAcert client certificates can be used to replace password-based
602 authentication to web servers.
603 </li>
604 <li>
605 OpenPGP keys with CAcert signatures can be used
606 to encrypt and sign files and emails,
607 using software compatible with OpenPGP.
608 </li>
609 <li>
610 CAcert client certificates can be used in web-based
611 authentication applications.
612 </li>
613 <li>
614 CAcert code signing certificates can be used to sign code
615 for distribution to other people.
616 </li>
617 <li>
618 Time stamping can be used to attach a time record
619 to a digital document.
620 </li>
621 </ul>
622
623
624 <h4 id="p1.4.2">1.4.2. Prohibited certificate uses</h4>
625 <p>
626 CAcert certificates are not designed, intended, or authorised for
627 the following applications:
628 </p>
629 <ul>
630 <li>
631 Use or resale as control equipment in hazardous circumstances
632 or for uses requiring fail-safe performance such as the operation
633 of nuclear facilities, aircraft navigation or communication systems,
634 air traffic control systems, or weapons control systems,
635 where failure could lead directly to death, personal injury,
636 or severe environmental damage.
637 </li>
638 </ul>
639
640 <h4 id="p1.4.3">1.4.3. Unreliable Applications</h4>
641
642 <p>
643 CAcert certificates are not designed nor intended for use in
644 the following applications, and may not be reliable enough
645 for these applications:
646 </p>
647
648 <ul>
649 <li>
650 <b>Signing within Protocols.</b>
651 Digital signatures made by CAcert certificates carry
652 <u>NO default legal or human meaning</u>.
653 See <a href="#p9.15.1">§9.15.1</a>.
654 Especially, protocols such as S/MIME commonly will automatically
655 apply digital signatures as part of their protocol needs.
656 The purpose of the cryptographic signature in S/MIME
657 and similar protocols is limited by default to strictly
658 protocol security purposes:
659 to provide some confirmation that a familiar certificate
660 is in use, to enable encryption, and to ensure the integrity
661 of the email in transit.
662 </li>
663 <li>
664 <b>Non-repudiation applications.</b>
665 Non-repudiation is not to be implied from use of
666 CAcert certificates. Rather, certificates may
667 provide support or evidence of actions, but that
668 evidence is testable in any dispute.
669 </li>
670 <li>
671 <b>Ecommerce applications.</b>
672 Financial transactions or payments or valuable e-commerce.
673 </li>
674 <li>
675 Use of anonymous (Class 1 or Member SubRoot) certificates
676 in any application that requires or expects identity.
677 </li>
678 </ul>
679
680
681 <h4 id="p1.4.4">1.4.4. Limited certificate uses</h4>
682
683 <p>
684 By contract or within a specific environment
685 (e.g. internal to a company),
686 CAcert Members are permitted to use Certificates
687 for higher security, customised or experimental applications.
688 Any such usage, however, is limited to such entities
689 and these entities take on the whole responsibility for
690 any harm or liability caused by such usage.
691 </p>
692
693 <p>
694 <b>Digital signing applications.</b>
695 CAcert client certificates
696 may be used by Assured Members in
697 applications that provide or support the human signing of documents
698 (known here as "digital signing").
699 This must be part of a wider framework and set of rules.
700 Usage and reliance
701 must be documented either under a separate CAcert digital signing
702 policy or other external regime agreed by the parties.
703 </p>
704
705 <h4 id="p1.4.5">1.4.5. Roots and Names</h4>
706
707 <p>
708 <b>Named Certificates.</b>
709 Assured Members may be issued certificates
710 with their verified names in the certificate. In this role, CAcert
711 operates and supports a network of Assurers who verify the
712 identity of the Members.
713 All Names are verified, either by Assurance or another defined
714 method under policy (c.f. Organisations).
715 </p>
716
717 <p>
718 <b>Anonymous Certificates.</b>
719 Members can be issued certificates that are anonymous,
720 which is defined as the certificate with no Name included,
721 or a shared name such as "Community Member".
722 These may be considered to be somewhere between Named certificates
723 and self-signed certificates. They carry serial numbers
724 which are ultimately traceable via dispute to a Member, but
725 reliance is undefined.
726 In this role, CAcert provides the
727 infrastructure, saving the Members from managing a difficult
728 and messy process in order to get manufactured certificates.
729 </p>
730
731 <p>
732 <b>Pseudonymous Certificates.</b>
733 Note that CAcert does not currently issue pseudonymous certificates,
734 being those with a name chosen by the Member and not verifiable
735 according to documents.
736 </p>
737
738 <p>
739 <b>Advanced Certificates.</b>
740 Members who are as yet unassured are not permitted to create
741 advanced forms such as wildcard or subjectAltName
742 certificates.
743 </p>
744
745
746 <p>
747 <b> Roots.</b>
748 The CAcert root layout is as below.
749 These roots are pending Audit,
750 and will be submitted to vendors via the (Top-level) Root.
751 </p>
752 <ul>
753 <li>
754 <b>(Top-level) Root.</b>
755 Used to sign on-line CAcert SubRoots only.
756 This Root is kept offline.
757 </li>
758 <li>
759 <b>Member SubRoot.</b>
760 For Community Members who are new and unassured (some restrictions exist).
761 Reliance is undefined.
762 (Replacement for the Class 1 root, matches "Domain Validation" type.)
763 </li>
764 <li>
765 <b>Assured SubRoot.</b>
766 Only available for Assured individual Members,
767 intended to sign certificates with Names.
768 Suitable for Reliance under this and other policies.
769 Approximates the type known as Individual Validation.
770 </li>
771 <li>
772 <b>Organisation SubRoot.</b>
773 Only available for Assured Organisation Members.
774 Suitable for Reliance under this and other policies.
775 Approximates the type known as Organisational Validation.
776
777 </li>
778 </ul>
779
780
781
782 <center>
783 <table border="1" cellpadding="5">
784 <tbody>
785 <tr>
786
787 <td></td>
788
789 <td colspan="5">
790 <center><i>Level of Assurance</i></center>
791 </td>
792
793 <th> </th>
794 </tr>
795 <tr>
796
797 <th></th>
798
799 <th colspan="2">
800 <center> Members † </center>
801 </th>
802
803 <th colspan="2">
804 <center> Assured Members</center>
805 </th>
806
807 <th colspan="1">
808 <center> Assurers </center>
809 </th>
810
811 <th colspan="1">
812 <center> </center>
813 </th>
814 </tr>
815 <tr>
816
817 <td><i>Class of Root</i></td>
818
819 <th>Anon</th>
820
821 <td>Name</td>
822
823 <td>Anon</td>
824
825 <th>Name</th>
826
827 <td>Name+Anon</td>
828
829 <td colspan="1">
830 <center><i>Remarks</i></center>
831 </td>
832 </tr>
833 <tr>
834
835 <td>
836 <center>Top level
837 <br>
838 <big><b>Root</b></big></center>
839 </td>
840
841 <td>
842 <center> <font title="pass." color="green" size="+3"></font> </center>
843 </td>
844 <td>
845 <center> <font title="pass." color="green" size="+3"></font> </center>
846 </td>
847 <td>
848 <center> <font title="pass." color="green" size="+3"></font> </center>
849 </td>
850
851 <td>
852 <center> <font title="pass." color="green" size="+3"></font> </center>
853 </td>
854
855 <td>
856 <center> <font title="pass." color="green" size="+3"></font> </center>
857 </td>
858
859 <td> Signs other CAcert SubRoots only. </td>
860 </tr>
861 <tr>
862
863 <td>
864 <center><big><b>Member</b></big>
865 <br>
866 SubRoot</center>
867 </td>
868
869 <td>
870 <center> <font title="pass." color="green" size="+3"></font> </center>
871 </td>
872
873 <td>
874 <center> <font title="pass." color="red" size="+3"></font> </center>
875 </td>
876 <td>
877 <center> <font title="pass." color="green" size="+3"></font> </center>
878 </td>
879
880 <td>
881 <center> <font title="pass." color="green" size="+3"></font> </center>
882 </td>
883
884 <td>
885 <center> <font title="pass." color="green" size="+3"></font> </center>
886 </td>
887
888 <td> † For Members meeting basic checks in <a href="#p4.2.2">§4.2.2</a>
889 <br>
890 (Reliance is undefined.) </td>
891 </tr>
892 <tr>
893
894 <td>
895 <center><big><b>Assured</b></big>
896 <br>
897 SubRoot</center>
898 </td>
899
900 <td>
901 <center> <font title="pass." color="red" size="+3"></font> </center>
902 </td>
903 <td>
904 <center> <font title="pass." color="red" size="+3"></font> </center>
905 </td>
906 <td>
907 <center> <font title="pass." color="green" size="+3"></font> </center>
908 </td>
909
910 <td>
911 <center> <font title="pass." color="green" size="+3"></font> </center>
912 </td>
913
914 <td>
915 <center> <font title="pass." color="green" size="+3"></font> </center>
916 </td>
917
918 <td> Assured Members only.
919 <br>
920 Fully intended for reliance. </td>
921 </tr>
922 <tr>
923
924 <td>
925 <center><big><b>Organisation</b></big>
926 <br>
927 SubRoot</center>
928 </td>
929
930 <td>
931 <center> <font title="pass." color="red" size="+3"></font> </center>
932 </td>
933 <td>
934 <center> <font title="pass." color="red" size="+3"></font> </center>
935 </td>
936 <td>
937 <center> <font title="pass." color="green" size="+3"></font> </center>
938 </td>
939
940 <td>
941 <center> <font title="pass." color="green" size="+3"></font> </center>
942 </td>
943
944 <td>
945 <center> <font title="pass." color="green" size="+3"></font> </center>
946 </td>
947
948 <td> Assured Organisation Members only.
949 <br>
950 Fully intended for reliance. </td>
951 </tr>
952 <tr>
953
954 <th>Expiry of Certificates</th>
955
956 <td colspan="2">
957 <center>6 months</center>
958 </td>
959 <td colspan="3">
960 <center>24 months</center>
961 </td>
962 </tr>
963 <tr>
964
965 <th>Types</th>
966
967 <td colspan="2">
968 <center>client, server</center>
969 </td>
970 <td colspan="2">
971 <center>wildcard, subjectAltName</center>
972 </td>
973 <td colspan="1">
974 <center>code-signing</center>
975 </td>
976 <td> (Inclusive to the left.) </td>
977 </tr>
978 </tbody>
979 </table>
980
981 <span class="figure">Table 1.4.5.b Certificate under Audit Roots</span>
982 </center>
983
984 <center>
985 <table border="1" cellpadding="5">
986 <tbody>
987 <tr>
988
989 <td></td>
990
991 <td colspan="4">
992 <center><i>Level of Assurance</i></center>
993 </td>
994
995 <th> </th>
996 </tr>
997 <tr>
998
999 <th></th>
1000
1001 <th colspan="2">
1002 <center>Members</center>
1003 </th>
1004
1005 <th colspan="2">
1006 <center>Assured Members</center>
1007 </th>
1008
1009 <th colspan="1">
1010 <center> </center>
1011 </th>
1012 </tr>
1013 <tr>
1014
1015 <td><i>Class of Root</i></td>
1016
1017 <th>Anonymous</th>
1018
1019 <td>Named</td>
1020
1021 <td>Anonymous</td>
1022
1023 <th>Named</th>
1024
1025 <td colspan="1">
1026 <center><i>Remarks</i></center>
1027 </td>
1028 </tr>
1029 <tr>
1030
1031 <td>
1032 <center>Class
1033 <br>
1034 <big><b>1</b></big></center>
1035 </td>
1036
1037 <td>
1038 <center> <font title="pass." color="green" size="+3"></font> </center>
1039 </td>
1040
1041 <td>
1042 <center> <font title="pass." color="red" size="+3"></font> </center>
1043 </td>
1044
1045 <td>
1046 <center> <font title="pass." color="green" size="+3"></font> </center>
1047 </td>
1048
1049 <td>
1050 <center> <font title="pass." color="green" size="+3"></font> </center>
1051 </td>
1052
1053 <td> Available for all Members,
1054 <br>
1055 reliance is undefined.</td>
1056 </tr>
1057 <tr>
1058
1059 <td>
1060 <center>Class
1061 <br>
1062 <big><b>3</b></big></center>
1063 </td>
1064
1065 <td>
1066 <center> <font title="pass." color="red" size="+3"></font> </center>
1067 </td>
1068 <td>
1069 <center> <font title="pass." color="red" size="+3"></font> </center>
1070 </td>
1071 <td>
1072 <center> <font title="pass." color="green" size="+3"></font> </center>
1073 </td>
1074
1075 <td>
1076 <center> <font title="pass." color="green" size="+3"></font> </center>
1077 </td>
1078
1079 <td> Assured Members only.
1080 <br>
1081 Intended for Reliance. </td>
1082 </tr>
1083 <tr>
1084
1085 <th>Expiry of Certificates</th>
1086
1087 <td colspan="2">
1088 <center>6 months</center>
1089 </td>
1090 <td colspan="2">
1091 <center>24 months</center>
1092 </td>
1093 </tr>
1094 <tr>
1095
1096 <th>Types available</th>
1097
1098 <td colspan="2">
1099 <center>simple only</center>
1100 </td>
1101 <td colspan="2">
1102 <center>wildcard, subjectAltName</center>
1103 </td>
1104 </tr>
1105 </tbody>
1106 </table>
1107
1108 <span class="figure">Table 1.4.5. Certificates under Old Roots - <b>Audit Fail</b> </span>
1109 </center>
1110
1111 <p>
1112 <b> Old Roots.</b>
1113 The old CAcert root layout is as below. These roots are <b>Audit Fail</b>
1114 and will only be used where new roots do not serve:
1115 </p>
1116 <ul>
1117 <li>
1118 (old) <b>Class 1 root.</b>
1119 Used primarily for certificates with no names and by
1120 unassured Members.
1121 For compatibility only,
1122 Assured Members may also use this root.
1123 </li>
1124 <li>
1125 (old) <b>Class 3 root.</b>
1126 Used primarily for certificates including the names
1127 of Assured Members.
1128 Signed by Class 1 root.
1129 Members can decide to rely on these
1130 certificates for Assured Members
1131 by selecting the Class 3 root for
1132 Assured Members as trust anchor.
1133 </li>
1134 </ul>
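<p>
Worked example, added here and not part of CAcert's own tooling: the
following shell script builds a toy copy of the audit root layout above
(offline Top-level Root, on-line SubRoot, short-lived Member certificate)
with the <code>openssl</code> command-line tool and checks two properties
a relying party or vendor can test for itself: that a leaf chains to the
Root only through a SubRoot (a CA certificate issued beneath a SubRoot is
rejected, because the SubRoot carries <code>pathlen:0</code>), and that
the leaf names this CPS by its OID in <code>certificatePolicies</code>.
It serves both <a href="#p1.2">§1.2</a> (the document OID) and the root
layout in this section. The subject names, the 180-day and 10-year
lifetimes, the subjectAltName, the use of <code>pathlen</code> to express
"signs SubRoots only", the placement of the CPS OID in
<code>certificatePolicies</code>, and the choice of <code>x=1</code> as the
approved version are all assumptions of the example; CAcert's actual
certificate profiles are defined in <a href="#p7.1">§7.1</a> and are not
reproduced here.
</p>

```shell
#!/bin/sh
# Added example, not CAcert tooling: build a toy copy of the root layout
# (offline Top-level Root -> on-line SubRoot -> Member certificate) with the
# openssl CLI and check that (a) a leaf chains to the Root only via a SubRoot
# and nothing may be chained below a SubRoot, and (b) the leaf names the CPS
# by OID in certificatePolicies.  Names, lifetimes, the SAN, the pathlen
# values and the "x=1" version arc are all assumptions of this example.

CPS_OID="1.3.6.1.4.1.18506.4.4.1"   # assumed: approved version x=1

# Minimal request config and extension profiles, so nothing depends on the
# system openssl.cnf.  pathlen:1 on the Root allows exactly one CA tier below
# it; pathlen:0 on the SubRoot forbids any further CA beneath it.
write_profiles() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
    cat > "$1/ext.cnf" <<EOF
[root]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[subroot]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = $CPS_OID
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
certificatePolicies = $CPS_OID
EOF
}

# New P-256 key and CSR.  Arguments: dir name subject
csr() {
    openssl req -new -batch -config "$1/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" >/dev/null 2>&1
}

# Sign a CSR with an issuer from the same dir.  Arguments: dir name issuer profile days
issue() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days "$5" -extfile "$1/ext.cnf" -extensions "$4" \
        -out "$1/$2.pem" >/dev/null 2>&1
}

# Build Root -> SubRoot -> leaf (180 days, the 6-month Member lifetime), plus a
# "rogue" CA that the SubRoot signs in violation of its own pathlen:0, with a
# leaf under it.  Prints the working directory.
build_hierarchy() {
    dir=$(mktemp -d) || return 1
    write_profiles "$dir"
    csr "$dir" root "/CN=Example Top-level Root" &&
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ext.cnf" -extensions root -out "$dir/root.pem" >/dev/null 2>&1 &&
    csr "$dir" subroot "/CN=Example Member SubRoot" &&
    issue "$dir" subroot root subroot 3650 &&
    csr "$dir" leaf "/CN=www.example.test" &&
    issue "$dir" leaf subroot leaf 180 &&
    csr "$dir" rogue "/CN=Rogue SubSubRoot" &&
    issue "$dir" rogue subroot subroot 3650 &&
    csr "$dir" rogueleaf "/CN=victim.example.test" &&
    issue "$dir" rogueleaf rogue leaf 180 || return 1
    cat "$dir/subroot.pem" "$dir/rogue.pem" > "$dir/rogue-chain.pem"
    printf '%s\n' "$dir"
}

# Exit 0 when the leaf validates through the SubRoot with the Root as anchor.
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/subroot.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Exit 0 when the rogue chain validates; OpenSSL must reject it
# (path length constraint exceeded at the SubRoot).
verify_rogue() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/rogue-chain.pem" \
        "$1/rogueleaf.pem" >/dev/null 2>&1
}

# Exit 0 when the leaf's certificatePolicies names the CPS OID.  openssl has
# no name for a private-arc OID, so it is printed in dotted form.
leaf_has_policy() {
    openssl x509 -in "$1/leaf.pem" -noout -text | grep -qF "Policy: $CPS_OID"
}

# Stand-alone demo.
WORK=$(build_hierarchy) || { echo "hierarchy build failed (is openssl installed?)" >&2; exit 1; }
verify_leaf "$WORK"     && echo "leaf -> SubRoot -> Root: valid"
verify_rogue "$WORK"    || echo "leaf under a CA issued below the SubRoot: rejected"
leaf_has_policy "$WORK" && echo "leaf certificatePolicies carries $CPS_OID"
rm -rf "$WORK"
```

<p>
The script needs only a POSIX shell and a reasonably current
<code>openssl</code>, works in a temporary directory and removes it when
done. The negative check is the one worth keeping in a test suite: a
hierarchy in which the on-line SubRoot can mint further CAs silently
widens the set of keys that can speak for the Root, which is exactly what
keeping the Root offline is meant to prevent.
</p>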
1135
1136 <h3 id="p1.5">1.5. Policy administration</h3>
1137
1138 <p>See <a href="#p1.2">1.2 Document Name and Identification</a>
1139 for general scope of this document.</p>
1140
1141 <h4 id="p1.5.1">1.5.1. Organization administering the document</h4>
1142
1143 <p>
1144 This document is administered by the policy group of
1145 the CAcert Community under Policy on Policy (<a href="http://www.cacert.org/policy/PolicyOnPolicy.php">COD1</a>).
1146 </p>
1147
1148 <h4 id="p1.5.2">1.5.2. Contact person</h4>
1149 <p>
1150 For questions, including those about this document:
1151 </p>
1152
1153 <ul>
1154
1155 <li>Join the policy group, by means of the discussion forum at
1156 <a href="http://lists.cacert.org/mailman/listinfo">
1157 lists.cacert.org</a> . </li>
1158
1159 <li>Send email to &lt; support AT cacert DOT org &gt; </li>
1160
1161 <li>IRC: irc.cacert.org #CAcert (ssl port 7000, non-ssl port 6667)</li>
1162 </ul>
1163
1164 <h4 id="p1.5.3">1.5.3. Person determining CPS suitability for the policy</h4>
1165 <p>
1166 This CPS and all other policy documents are managed by
1167 the policy group, which is a group of Members of the
1168 Community found at the policy forum. See the discussion forums above.
1169 </p>
1170
1171 <h4 id="p1.5.4">1.5.4. CPS approval procedures</h4>
1172 <p>
1173 CPS is controlled and updated according to the
1174 Policy on Policy
1175 (<a href="http://www.cacert.org/policy/PolicyOnPolicy.php">COD1</a>)
1176 which is part of
1177 Configuration-Control Specification (COD2).
1178 </p>
1179
1180 <p>
1181 In brief, the policy forum prepares and discusses.
1182 After a last call, the document moves to DRAFT status
1183 for a defined period.
1184 If no challenges have been received in the defined period,
1185 it moves to POLICY status.
1186 The process is modelled after some elements of
1187 the RFC process by the IETF.
1188 </p>
1189
1190 <h4 id="p1.5.5">1.5.5. CPS updates</h4>
1191
1192 <p>
1193 As per above.
1194 </p>
1195
1196
1197 <h3 id="p1.6">1.6. Definitions and acronyms</h3>
1198 <p>
1199 <b><a name="d_cert" id="d_cert">Certificate</a></b>.
1200 A certificate is a piece of cryptographic data used
1201 to validate certain statements, especially those of
1202 identity and membership.
1203 </p>
1204 <p>
1205 <b><a name="d_cacert" id="d_cacert">CAcert</a></b>.
1206 CAcert is a Community certificate authority as defined under
1207 <a href="#p1.2">§1.2 Identification</a>.
1208 </p>
1209 <p>
1210 <b><a name="d_member" id="d_member">Member</a></b>.
1211 Everyone who agrees to the
1212 CAcert Community Agreement
1213 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>).
1214 This generally implies having an account registered
1215 at CAcert and making use of CAcert's data, programs or services.
1216 A Member may be an individual ("natural person")
1217 or an organisation (sometimes, "legal person").
1218 </p>
1219 <p>
1220 <b><a name="d_community" id="d_community">Community</a></b>.
1221 The group of Members who agree to the
1222 CAcert Community Agreement
1223 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>)
1224 or equivalent agreements.
1225 </p>
1226 <p>
1227 <b><a name="d_unassured" id="d_unassured">Unassured Member</a></b>.
1228 A Member who has not yet been Assured.
1229 </p>
1230 <p>
1231 <b><a name="d_subscriber" id="d_subscriber">Subscriber</a></b>.
1232 A Member who requests and receives a certificate.
1233 </p>
1234 <p>
1235 <b><a name="d_assured" id="d_assured">Assured Member</a></b>.
1236 A Member whose identity has been sufficiently
1237 verified by Assurers or other
1238 approved methods under Assurance Policy.
1239 </p>
1240 <p>
1241 <b><a name="d_assurer" id="d_assurer">Assurer</a></b>.
1242 An Assured Member who is authorised under Assurance Policy
1243 to verify the identity of other Members.
1244 </p>
1245 <p>
1246 <b><a name="d_name" id="d_name">Name</a></b>.
1247 As defined in the
1248 Assurance Policy
1249 (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>),
1250 to describe a name of a Member
1251 that is verified by the Assurance process.
1252 </p>
1253 <p>
1254 <b><a name="d_oadmin" id="d_oadmin">Organisation Administrator</a></b>.
1255 ("O-Admin")
1256 An Assurer who is authorised to act for an Organisation.
1257 The O-Admin is authorised by an organisation
1258 to vouch for the identity of other users of the organisation.
1259 </p>
1260 <p>
1261 <b><a name="d_org_ass" id="d_org_ass">Organisation Assurer</a></b>.
1262 An Assurer who is authorised to conduct assurances on
1263 organisations.
1264 </p>
1265 <p>
1266 <b><a name="d_user" id="d_user">Non-Related Persons</a></b> ("NRPs").
1267 General users of browsers and similar software.
1269 The NRPs are generally unaware of
1270 CAcert or the certificates that they may use, and
1271 are unaware of the ramifications of usage.
1272 They are not permitted to RELY, but may USE, under the
1273 Non-Related Persons - Disclaimer and Licence (<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">COD4</a>).
1274 </p>
1275 <p>
1276 <b><a name="d_reliance" id="d_reliance">Reliance</a></b>.
1277 An industry term referring to
1278 the act of making a decision, including taking a risk,
1279 which decision is in part or in whole
1280 informed or on the basis of the contents of a certificate.
1281 </p>
1282 <p>
1283 <b><a name="rel" id="rel">Relying Party</a></b>.
1284 An industry term referring to someone who relies
1285 (that is, makes decisions or takes risks)
1286 in part or in whole on a certificate.
1287 </p>
1288 <p>
1289 <b>Subscriber Naming.</b>
1290 The term used in this CPS to
1291 describe all naming data within a certificate.
1292 Approximately similar terms from Industry such as
1293 "Subject naming" and "Distinguished Name"
1294 are not used here.
1295 </p>
1296 <p>
1297 <b><a name="ver" id="d_verification">Verification</a></b>.
1298 An industry term referring to
1299 the act of checking and controlling
1300 the accuracy and utility of a single claim.
1301 </p>
1302 <p>
1303 <b><a name="d_validation" id="d_validation">Validation</a></b>.
1304 An industry term referring to the process of
1305 inspecting and verifying the information and
1306 subsidiary claims behind a claim.
1307 </p>
1308 <p>
1309 <b><a name="d_usage" id="d_usage">Usage</a></b>.
1310 The event of allowing a certificate to participate in
1311 a protocol, as decided and facilitated by a user's software.
1312 Generally, Usage does not require significant input, if any,
1313 on the part of the user.
1314 This defers all decisions to the user software,
1315 thus elevating the software as user's only and complete
1316 Validation Authority or Agent.
1317 </p>
1318 <p>
1319 <b><a name="drel" id="drel">CAcert Relying Party</a></b>.
1320 CAcert Members who make decisions based in part or in whole
1321 on a certificate issued by CAcert.
1322 Only CAcert Members are permitted to Rely on CAcert certificates,
1323 subject to the CAcert Community Agreement.
1324 </p>
1325 <p>
1326 <b><a name="ddst" id="ddst">Vendors</a></b>.
1327 Non-members who distribute CAcert's root or intermediate certificates
1328 in any way, including but not limited to delivering these
1329 certificates with their products, e.g. browsers, mailers or servers.
1330 Vendors are covered under a separate licence.
1331 </p>
1332 <p>
1333 <b><a name="d_ccs" id="d_ccs">Configuration-Control Specification</a></b> "CCS".
1334 The audit criteria that control this CPS.
1335 The CCS is documented in COD2, itself a controlled document under CCS.
1336 </p>
1339 <p>
1340 <b><a name="d_cod" id="d_cod">CAcert Official Document</a></b> (COD).
1341 Controlled Documents that are part of the CCS.
1342 </p>
1343
1344
1345
1346 <!-- *************************************************************** -->
1347 <h2 id="p2">2. PUBLICATION AND REPOSITORY RESPONSIBILITIES</h2>
1348
1349
1350 <h3 id="p2.1">2.1. Repositories</h3>
1351
1352 <p>
1353 CAcert operates no repositories in the sense
1354 of lookup for non-certificate-related information
1355 for the general public.
1356 </p>
1357
1358 <p>
1359 Under the Assurance Policy (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>),
1360 there are means for Members to search, retrieve
1361 and verify certain data about themselves and others.
1362 </p>
1363
1364 <h3 id="p2.2">2.2. Publication of certification information</h3>
1365
1366 <p>
1367 CAcert publishes:
1368 </p>
1369
1370 <ul>
1371
1372 <li>A repository of CRLs. An OCSP responder is in operation.</li>
1373
1374 <li>The root certificate and intermediate certificates.</li>
1375 </ul>
1376
1377 <p>
1378 CAcert does not expressly publish information on issued certificates.
1379 However, due to the purpose of certificates, and the essential
1380 public nature of Names and email addresses, all information within
1381 certificates is presumed to be public and published, once
1382 issued and delivered to the Member.
1383 </p>
1384
1385 <h3 id="p2.3">2.3. Time or frequency of publication</h3>
1386
1387 <p>
1388 Root and Intermediate Certificates and CRLs are
1389 made available on issuance.
1390 </p>
1391
1392 <h3 id="p2.4">2.4. Access controls on repositories</h3>
1393 <p> No stipulation. </p>
1394
1395
1396
1397 <!-- *************************************************************** -->
1398 <h2 id="p3">3. IDENTIFICATION AND AUTHENTICATION</h2>
1399
1400 <h3 id="p3.1">3.1. Naming</h3>
1401
1402 <h4 id="p3.1.1">3.1.1. Types of names</h4>
1403
1404 <p>
1405 <b>Client Certificates.</b>
1406 The Subscriber Naming consists of:
1407 </p>
1408 <ul>
1409
1410 <li><tt>subjectAltName=</tt>
1411 One, or more, of the Subscriber's verified email addresses,
1412 in rfc822Name format.
1413
1414 </li>
1415 <li><tt>EmailAddress=</tt>
1416 One, or more, of the Subscriber's verified email addresses.
1417 This is deprecated under
1418 RFC5280 <a href="http://tools.ietf.org/html/rfc5280#section-4.2.1.6">4.2.1.6</a>
1420 and is to be phased out. Also includes a SHA1 hash of a random number if
1421 the member selects SSO (Single Sign On ID) during submission of CSR.
1422 </li>
1423
1424 <li><tt>CN=</tt> The common name takes its value from one of:
1425
1426 <ul>
1427 <li>
1428 For all Members,
1429 the string "<tt>CAcert WoT Member</tt>" may be used for
1430 anonymous certificates.
1431 </li>
1432 <li>
1433 For individual Members,
1434 a Name of the Subscriber,
1435 as Assured under AP.
1436 </li>
1437 <li>
1438 For Organisation Members,
1439 an organisation-chosen name,
1440 as verified under OAP.
1441 </li>
1442 </ul>
1443 </li>
1444 </ul>
1445
1446 <p>
1447 <b>Individual Server Certificates.</b>
1448 The Subscriber Naming consists of:
1449 </p>
1450 <ul>
1451 <li><tt>CN=</tt>
1452 The common name is the host name out of a domain
1453 for which the Member is a domain master.
1454 </li>
1455 <li>
1456 <tt>subjectAltName=</tt>
1457 Additional host names for which the Member
1458 is a domain master may be added to permit the
1459 certificate to serve multiple domains on one IP number.
1460 </li>
1461 <li>
1462 All other fields are optional and must either match
1463 the CN or be empty.
1464 </li>
1465 </ul>
1466
1467 <p>
1468 <b>Certificates for Organisations.</b>
1469 In addition to the above, the following applies:
1470 </p>
1471
1472 <ul>
1473
1474 <li><tt>OU=</tt>
1475 organizationalUnitName (set by O-Admin, must be verified by O-Admin).</li>
1476
1477 <li><tt>O=</tt>
1478 organizationName is the fixed name of the Organisation.</li>
1479
1480 <li><tt>L=</tt>
1481 localityName</li>
1482
1483 <li><tt>ST=</tt>
1484 stateOrProvinceName</li>
1485
1486 <li><tt>C=</tt>
1487 countryName</li>
1488
1489 <li><tt>contact=</tt>
1490 EMail Address of Contact.
1491 </li>
1492 </ul>
1493
1494 <p>
1495 Except for the OU and CN, fields are taken from the Member's
1496 account and are as verified by the Organisation Assurance process.
1497 Other Subscriber information that is collected and/or retained
1498 does not go into the certificate.
1499 </p>
1500
1501 <h4 id="p3.1.2">3.1.2. Need for names to be meaningful</h4>
1502
1503 <p>
1504 Each Member's Name (<tt>CN=</tt> field)
1505 is assured under the Assurance Policy (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>)
1506 or subsidiary policies (such as Organisation Assurance Policy).
1507 Refer to those documents for meanings and variations.
1508 </p>
1509
1510 <p>
1511 Anonymous certificates have the same <code>subject</code>
1512 field common name.
1513 See <a href="#p1.4.5">§1.4.5.</a>.
1514 </p>
1515
1516 <p>
1517 Email addresses are verified according to
1518 <a href="#p4.2.2">§4.2.2.</a>
1519 </p>
1520
1521 <h4 id="p3.1.3">3.1.3. Anonymity or pseudonymity of subscribers</h4>
1522
1523 <p>
1524 See <a href="#p1.4.5">§1.4.5</a>.
1525 </p>
1526
1527 <h4 id="p3.1.4">3.1.4. Rules for interpreting various name forms</h4>
1528 <p>
1529 Interpretation of Names is controlled by the Assurance Policy,
1530 is administered by means of the Member's account,
1531 and is subject to change by the Arbitrator.
1532 Changes to the interpretation by means of Arbitration
1533 should be expected as fraud (e.g., phishing)
1534 may move too quickly for policies to fully document rules.
1535 </p>
1536
1537 <h4 id="p3.1.5">3.1.5. Uniqueness of names</h4>
1538
1539 <p>
1540 Uniqueness of Names within certificates is not guaranteed.
1541 Each certificate has a unique serial number which maps
1542 to a unique account, and thus maps to a unique Member.
1543 See the Assurance Statement within Assurance Policy
1544 (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>).
1545 </p>
1546
1547 <p>
1548 Each domain name and each email address
1549 can be registered to only one Member.
1550 </p>
1551
1552 <h4 id="p3.1.6">3.1.6. Recognition, authentication, and role of trademarks</h4>
1553
1554 <p>
1555 Organisation Assurance Policy
1556 (<a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">COD11</a>)
1557 controls issues such as trademarks where applicable.
1558 A trademark can be disputed by filing a dispute.
1559 See
1560 <a href="#adr">§9.13</a>.
1561 </p>
1562
1563 <h4 id="p3.1.7">3.1.7. International Domain Names</h4>
1564
1565 <p>
1566 Certificates containing International Domain Names, being those containing an
1567 ACE prefix (<a href="http://www.ietf.org/rfc/rfc3490#section-5">RFC3490
1568 Section 5</a>), will only be issued to domains satisfying one or more
1569 of the following conditions:
1570 </p>
1571 <ul>
1572 <li>The Top Level Domain (TLD) Registrar associated with the domain has a policy
1573 that has taken measures to prevent two homographic domains being registered to
1574 different entities down to an accepted level.
1575 </li>
<li>Domains contain only code points from a single Unicode character script,
1577 excluding the "Common" script, with the additionally allowed numeric
1578 characters [0-9] and the ASCII hyphen '-'.
1579 </li>
1580 </ul>
1582
1583 <p>Email addresses containing International Domain Names in the domain portion of
1584 the email address are also required to satisfy one of the above conditions.
1585 </p>
1586
1587 <p>
1588 The following is a list of accepted TLD Registrars:
1589
1590 </p>
1591
1592 <table>
1593 <tbody>
1594
1595 <tr>
1596 <td>.ac</td>
1597
1598 <td><a href="http://www.nic.ac/">Registry</a></td>
1599
1600 <td><a href="http://www.nic.ac/pdf/AC-IDN-Policy.pdf">Policy</a></td>
1601 </tr>
1602
1603 <tr>
1604 <td>.ar</td>
1605
1606 <td><a href="http://www.nic.ar/">Registry</a></td>
1607
1608 <td><a href="http://www.nic.ar/616.html">Policy</a></td>
1609 </tr>
1610
1611 <tr>
1612 <td>.at</td>
1613
1614 <td><a href="http://www.nic.at/">Registry</a></td>
1615
1616 <td><a href="http://www.nic.at/en/service/legal_information/registration_guidelines/">Policy</a> (<a href="http://www.nic.at/en/service/technical_information/idn/charset_converter/">character list</a>)</td>
1617 </tr>
1618
1619 <tr>
1620 <td>.biz</td>
1621
1622 <td><a href="http://www.neustarregistry.biz/">Registry</a></td>
1623
1624 <td><a href="http://www.neustarregistry.biz/products/idns">Policy</a></td>
1625 </tr>
1626
1627 <tr>
1628 <td>.br</td>
1629
1630 <td><a href="http://registro.br/">Registry</a></td>
1631
1632 <td><a href="http://registro.br/faq/faq6.html">Policy</a></td>
1633 </tr>
1634
1635 <tr>
1636 <td>.cat</td>
1637
1638 <td><a href="http://www.domini.cat/">Registry</a></td>
1639
1640 <td><a href="http://www.domini.cat/normativa/en_normativa_registre.html">Policy</a></td>
1641 </tr>
1642
1643 <tr>
1644 <td>.ch</td>
1645
1646 <td><a href="http://www.switch.ch/id/">Registry</a></td>
1647
1648 <td><a href="http://www.switch.ch/id/terms/agb.html#anhang1">Policy</a></td>
1649 </tr>
1650
1651 <tr>
1652 <td>.cl</td>
1653
1654 <td><a href="http://www.nic.cl/">Registry</a></td>
1655
1656 <td><a href="http://www.nic.cl/CL-IDN-policy.html">Policy</a></td>
1657 </tr>
1658
1659 <tr>
1660 <td>.cn</td>
1661
1662 <td><a href="http://www.cnnic.net.cn/">Registry</a></td>
1663
1664 <td><a href="http://www.faqs.org/rfcs/rfc3743.html">Policy</a> (JET Guidelines)</td>
1665 </tr>
1666
1667 <tr>
1668 <td>.de</td>
1669
1670 <td><a href="http://www.denic.de/">Registry</a></td>
1671
1672 <td><a href="http://www.denic.de/en/richtlinien.html">Policy</a></td>
1673 </tr>
1674
1675 <tr>
1676 <td>.dk</td>
1677
1678 <td><a href="http://www.dk-hostmaster.dk/">Registry</a></td>
1679
1680 <td><a href="http://www.dk-hostmaster.dk/index.php?id=151">Policy</a></td>
1681 </tr>
1682
1683 <tr>
1684 <td>.es</td>
1685
1686 <td><a href="https://www.nic.es/">Registry</a></td>
1687
1688 <td><a href="https://www.nic.es/media/2008-12/1228818323935.pdf">Policy</a></td>
1689 </tr>
1690
1691 <tr>
1692 <td>.fi</td>
1693
1694 <td><a href="http://www.ficora.fi/">Registry</a></td>
1695
1696 <td><a href="http://www.ficora.fi/en/index/palvelut/fiverkkotunnukset/aakkostenkaytto.html">Policy</a></td>
1697 </tr>
1698
1699 <tr>
1700 <td>.gr</td>
1701
1702 <td><a href="https://grweb.ics.forth.gr/english/index.html">Registry</a></td>
1703
1704 <td><a href="https://grweb.ics.forth.gr/english/ENCharacterTable1.jsp">Policy</a></td>
1705 </tr>
1706
1707 <tr>
1708 <td>.hu</td>
1709
1710 <td><a href="http://www.domain.hu/domain/">Registry</a></td>
1711
1712 <td><a href="http://www.domain.hu/domain/English/szabalyzat.html">Policy</a> (section 2.1.2)</td>
1713 </tr>
1714
1715 <tr>
1716 <td>.info</td>
1717
1718 <td><a href="http://www.afilias.info/">Registry</a></td>
1719
1720 <td><a href="http://www.afilias.info/register/idn/">Policy</a></td>
1721 </tr>
1722
1723 <tr>
1724 <td>.io</td>
1725
1726 <td><a href="http://www.nic.io/">Registry</a></td>
1727
1728 <td><a href="http://www.nic.io/IO-IDN-Policy.pdf">Policy</a></td>
1729 </tr>
1730
1731 <tr>
1732 <td>.ir</td>
1733
1734 <td><a href="https://www.nic.ir/">Registry</a></td>
1735
1736 <td><a href="https://www.nic.ir/IDN">Policy</a></td>
1737 </tr>
1738
1739 <tr>
1740 <td>.is</td>
1741
1742 <td><a href="http://www.isnic.is/">Registry</a></td>
1743
1744 <td><a href="http://www.isnic.is/english/domain/rules.php">Policy</a></td>
1745 </tr>
1746
1747 <tr>
1748 <td>.jp</td>
1749
1750 <td><a href="http://jprs.co.jp/">Registry</a></td>
1751
1752 <td><a href="http://www.iana.org/assignments/idn/jp-japanese.html">Policy</a></td>
1753 </tr>
1754
1755 <tr>
1756 <td>.kr</td>
1757
1758 <td><a href="http://domain.nic.or.kr/">Registry</a></td>
1759
1760 <td><a href="http://www.faqs.org/rfcs/rfc3743.html">Policy</a> (JET Guidelines)</td>
1761 </tr>
1762
1763 <tr>
1764 <td>.li</td>
1765
1766 <td><a href="http://www.switch.ch/id/">Registry</a></td>
1767
1768 <td><a href="http://www.switch.ch/id/terms/agb.html#anhang1">Policy</a> (managed by .ch registry)</td>
1769 </tr>
1770
1771 <tr>
1772 <td>.lt</td>
1773
1774 <td><a href="http://www.domreg.lt/public?pg=&amp;sp=&amp;loc=en">Registry</a></td>
1775
1776 <td><a href="http://www.domreg.lt/public?pg=8A7FB6&amp;sp=idn&amp;loc=en">Policy</a> (<a href="http://www.domreg.lt/static/doc/public/idn_symbols-en.pdf">character list</a>)</td>
1777 </tr>
1778
1779 <tr>
1780 <td>.museum</td>
1781
1782 <td><a href="http://about.museum/">Registry</a></td>
1783
1784 <td><a href="http://about.museum/idn/idnpolicy.html">Policy</a></td>
1785 </tr>
1786
1787 <tr>
1788 <td>.no</td>
1789
1790 <td><a href="http://www.norid.no/">Registry</a></td>
1791
1792 <td><a href="http://www.norid.no/domeneregistrering/veiviser.en.html">Policy</a> (section 4)</td>
1793 </tr>
1794
1795 <tr>
1796 <td>.org</td>
1797
1798 <td><a href="http://www.pir.org/">Registry</a></td>
1799
1800 <td><a href="http://pir.org/PDFs/ORG-Extended-Characters-22-Jan-07.pdf">Policy</a></td>
1801 </tr>
1802
1803 <tr>
1804 <td>.pl</td>
1805
1806 <td><a href="http://www.nask.pl/">Registry</a></td>
1807
1808 <td><a href="http://www.dns.pl/IDN/idn-registration-policy.txt">Policy</a></td>
1809 </tr>
1810
1811 <tr>
1812 <td>.pr</td>
1813
1814 <td><a href="https://www.nic.pr/">Registry</a></td>
1815
1816 <td><a href="https://www.nic.pr/idn_rules.asp">Policy</a></td>
1817 </tr>
1818
1819 <tr>
1820 <td>.se</td>
1821
1822 <td><a href="http://www.nic-se.se/">Registry</a></td>
1823
1824 <td><a href="http://www.iis.se/en/domaner/internationaliserad-doman-idn/">Policy</a> (<a href="http://www.iis.se/docs/teckentabell-03.pdf">character list</a>)</td>
1825 </tr>
1826
1827 <tr>
1828 <td>.sh</td>
1829
1830 <td><a href="http://www.nic.sh/">Registry</a></td>
1831
1832 <td><a href="http://www.nic.sh/SH-IDN-Policy.pdf">Policy</a></td>
1833 </tr>
1834
1835 <tr>
1836 <td>.th</td>
1837
1838 <td><a href="http://www.thnic.or.th/">Registry</a></td>
1839
1840 <td><a href="http://www.iana.org/assignments/idn/th-thai.html">Policy</a></td>
1841 </tr>
1842
1843 <tr>
1844 <td>.tm</td>
1845
1846 <td><a href="http://www.nic.tm/">Registry</a></td>
1847
1848 <td><a href="http://www.nic.tm/TM-IDN-Policy.pdf">Policy</a></td>
1849 </tr>
1850
1851 <tr>
1852 <td>.tw</td>
1853
1854 <td><a href="http://www.twnic.net.tw/">Registry</a></td>
1855
1856 <td><a href="http://www.faqs.org/rfcs/rfc3743.html">Policy</a> (JET Guidelines)</td>
1857 </tr>
1858
1859 <tr>
1860 <td>.vn</td>
1861
1862 <td><a href="http://www.vnnic.net.vn/">Registry</a></td>
1863
1864 <td><a href="http://www.vnnic.vn/english/5-6-300-2-2-04-20071115.htm">Policy</a> (<a href="http://vietunicode.sourceforge.net/tcvn6909.pdf">character list</a>)</td>
1865 </tr>
1866
1867 </tbody>
1868 </table>
1870
1871 <p>
1872 These criteria apply to the email address and server host name fields of all certificate types.
1873 </p>
1874
1875 <p>
1876 The CAcert Inc. Board has the authority to decide to add or remove accepted TLD Registrars on this list.
1877 </p>
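<p>
The two §3.1.7 conditions as an added worked example in Go (this is not CAcert's own software, which this page does not show): it recognises the ACE prefix, decodes each <tt>xn--</tt> label per RFC 3492, and then accepts the domain if its TLD registrar is on the accepted list, or otherwise only if the decoded domain is single-script, with [0-9] and the hyphen allowed in addition. The accepted-registrar set, the sample domains, and the reading of "single script" as applying to the whole domain rather than to each label separately are assumptions made here; the script tables come from Go's standard <tt>unicode</tt> package.
</p>

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

const (
	alphabet = "abcdefghijklmnopqrstuvwxyz0123456789" // Punycode digit values 0..35
	limit    = 1 << 30                                // overflow bound for the RFC 3492 arithmetic
)

// punycodeDecode decodes one Punycode label (RFC 3492 section 6.2) given
// without its "xn--" prefix. Non-ASCII, truncated or overflowing input is refused.
func punycodeDecode(in string) (string, error) {
	const base, tmin, tmax, skew, damp = 36, 1, 26, 38, 700
	if strings.IndexFunc(in, func(r rune) bool { return r >= 0x80 }) >= 0 {
		return "", errors.New("punycode: non-ASCII input")
	}
	adapt := func(delta, numPoints int, first bool) int {
		if first { delta /= damp } else { delta /= 2 }
		delta += delta / numPoints
		k := 0
		for ; delta > ((base-tmin)*tmax)/2; k += base { delta /= base - tmin }
		return k + (base-tmin+1)*delta/(delta+skew)
	}
	var out []rune // basic code points, copied from before the last '-'
	pos := 0
	if d := strings.LastIndexByte(in, '-'); d >= 0 {
		out, pos = []rune(in[:d]), d+1
	}
	n, bias, i := 128, 72, 0
	for pos < len(in) {
		oldi, w := i, 1
		for k := base; ; k += base {
			if pos >= len(in) { return "", errors.New("punycode: truncated label") }
			c := in[pos]
			pos++
			digit := strings.IndexByte(alphabet, c)
			if c >= 'A' && c <= 'Z' { digit = int(c - 'A') }
			if digit < 0 { return "", errors.New("punycode: bad digit") }
			if digit > (limit-i)/w { return "", errors.New("punycode: overflow") }
			i += digit * w
			t := k - bias
			if t < tmin { t = tmin } else if t > tmax { t = tmax }
			if digit < t { break }
			if w > limit/(base-t) { return "", errors.New("punycode: overflow") }
			w *= base - t
		}
		bias = adapt(i-oldi, len(out)+1, oldi == 0)
		n += i / (len(out) + 1)
		i %= len(out) + 1
		if n < 0x80 || n > unicode.MaxRune { return "", errors.New("punycode: bad code point") }
		out = append(out, 0) // insert code point n at position i
		copy(out[i+1:], out[i:])
		out[i] = rune(n)
		i++
	}
	return string(out), nil
}

// scriptOf returns the Unicode script name of r ("Latin", "Cyrillic", ...), or "".
func scriptOf(r rune) string {
	for name, table := range unicode.Scripts {
		if unicode.Is(table, r) { return name }
	}
	return ""
}

// singleScript implements the second condition on a decoded domain: every
// letter must come from one script other than "Common"; the digits [0-9],
// the hyphen and the label separator '.' are allowed in addition.
func singleScript(decoded string) bool {
	seen := ""
	for _, r := range decoded {
		if r == '-' || r == '.' || (r >= '0' && r <= '9') { continue }
		s := scriptOf(r)
		if s == "" || s == "Common" || (seen != "" && s != seen) { return false }
		seen = s
	}
	return seen != ""
}

// idnAcceptable applies the rule to a host name: a domain with an ACE ("xn--")
// label is accepted if its TLD registrar is on the accepted list, or else if
// the decoded domain is single-script. Domains without an ACE label are not
// IDNs and fall outside the rule.
func idnAcceptable(domain string, acceptedTLD map[string]bool) (bool, error) {
	labels := strings.Split(strings.ToLower(domain), ".")
	isIDN := false
	for j, l := range labels {
		if strings.HasPrefix(l, "xn--") {
			u, err := punycodeDecode(l[4:])
			if err != nil { return false, fmt.Errorf("label %q: %w", l, err) }
			labels[j], isIDN = u, true
		}
	}
	if !isIDN || acceptedTLD[labels[len(labels)-1]] { return true, nil }
	return singleScript(strings.Join(labels, ".")), nil
}

func main() {
	accepted := map[string]bool{"de": true} // constructed subset of the registrar table above
	for _, d := range []string{"xn--mnchen-3ya.de", "xn--mnchen-3ya.example", "xn--a-zlb.example"} {
		ok, err := idnAcceptable(d, accepted)
		fmt.Println(d, ok, err)
	}
}
```

<p>
Of the three constructed inputs, <tt>xn--a-zlb.example</tt> decodes to a label mixing Latin and Greek letters and is rejected, while the same label under an accepted registrar would pass on the first condition alone; the decoder is strict about truncated and overflowing input because the ACE form arrives from the Member and is parsed before anything has been verified.
</p>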
1878
1879 <h3 id="p3.2">3.2. Initial Identity Verification</h3>
1880
1881 <p>
1882 Identity verification is controlled by the
1883 <a href="http://svn.cacert.org/CAcert/Policies/AssurancePolicy.html">
1884 Assurance Policy</a> (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>).
1885 The reader is referred to the Assurance Policy;
1886 the following is representative and brief only.
1887 </p>
1888
1889
1890 <h4 id="p3.2.1">3.2.1. Method to prove possession of private key</h4>
1891
1892 <p>
1893 CAcert uses industry-standard techniques to
1894 prove the possession of the private key.
1895 </p>
1896
1897 <p>
1898 For X.509 server certificates,
1899 the stale digital signature of the CSR is verified.
1900 For X.509 client certificates for "Netscape" browsers,
1901 SPKAC uses a challenge-response protocol
1902 to check the private key dynamically.
1903 For X.509 client certificates for "explorer" browsers,
1904 ActiveX uses a challenge-response protocol
1905 to check the private key dynamically.
1906 </p>
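<p>
The CSR signature check above, together with the client-certificate Subscriber Naming rules of §3.1.1, as an added worked example in Go using only the standard <tt>crypto/x509</tt> package (this is not CAcert's own signing software, which this page does not show): the CA-side check first verifies the CSR's self-signature as proof of possession of the private key, then requires every <tt>subjectAltName</tt> email to be one the account has verified and the <tt>CN</tt> to be either the anonymous string or an Assured Name. The account data, the sample address and the P-256 key are constructed for the example.
</p>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// anonymousCN is the string the CPS allows as CN for anonymous client certificates.
const anonymousCN = "CAcert WoT Member"

// makeCSR builds a client CSR the way a Member would, with a fresh P-256 key.
// The private key is discarded afterwards: only the CSR travels to the CA.
func makeCSR(cn string, emails []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: emails, // become subjectAltName rfc822Name entries
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// checkClientCSR is the CA-side acceptance check: the CSR's self-signature
// proves possession of the private key, and the Subscriber Naming must match
// what the account has verified (emails) and been Assured for (CN).
func checkClientCSR(der []byte, verifiedEmails map[string]bool, assuredNames []string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	if len(csr.EmailAddresses) == 0 {
		return errors.New("no rfc822Name subjectAltName in CSR")
	}
	for _, e := range csr.EmailAddresses {
		if !verifiedEmails[e] {
			return fmt.Errorf("email %q is not verified for this account", e)
		}
	}
	if len(csr.DNSNames) > 0 || len(csr.IPAddresses) > 0 || len(csr.URIs) > 0 {
		return errors.New("client CSR carries non-email subjectAltNames")
	}
	cn := csr.Subject.CommonName
	if cn == anonymousCN {
		return nil
	}
	for _, n := range assuredNames {
		if n == cn {
			return nil
		}
	}
	return fmt.Errorf("CN %q is neither %q nor an Assured Name", cn, anonymousCN)
}

// tamperEmail returns a copy of the CSR in which the first character of the
// named email address was changed after signing. The DER still parses, but the
// signature no longer covers what the CSR now claims.
func tamperEmail(der []byte, email string) ([]byte, error) {
	idx := bytes.Index(der, []byte(email))
	if idx < 0 {
		return nil, errors.New("email not found in CSR DER")
	}
	out := append([]byte(nil), der...)
	out[idx] ^= 0x02 // stays printable ASCII, so the IA5String still parses
	return out, nil
}

func main() {
	verified := map[string]bool{"alice@example.org": true} // constructed account data
	der, err := makeCSR(anonymousCN, []string{"alice@example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine CSR:", checkClientCSR(der, verified, nil))
	bad, _ := tamperEmail(der, "alice@example.org")
	fmt.Println("tampered CSR:", checkClientCSR(bad, verified, nil))
}
```

<p>
The signature check is deliberately the first thing done after parsing: a CSR that fails it carries no evidence about its sender at all, so none of its naming claims should even be examined against the account.
</p>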
1907
1908 <h4 id="p3.2.2">3.2.2. Authentication of Individual Identity</h4>
1909
1910 <p>
1911 <b>Agreement.</b>
1912 An Internet user becomes a Member by agreeing to the
1913 CAcert Community Agreement
1914 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>)
1915 and registering an account on the online website.
1916 During the registration process Members are asked to
1917 supply information about themselves:
1918 </p>
1919
1920 <ul>
1921
1922 <li>A valid working email.
1923 </li>
1924
1925 <li>Full Name and Date of Birth such as is
1926 found on Identity documents.
1927 </li>
1928
1929 <li>Personal Questions used only for Password Retrieval.</li>
1930 </ul>
1931
1932 <p>
1933 The online account establishes the method of authentication
1934 for all service requests such as certificates.
1935 </p>
1936
1937 <p>
1938 <b>Assurance.</b>
1939 Each Member is assured according to Assurance Policy
1940 (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>).
1941 </p>
1942
1943 <p>
1944 <b>Certificates.</b>
1945 Based on the total number of Assurance Points
1946 that a Member (Name) has, the Member
1947 can get different levels of certificates.
1948 See <a href="#p1.4.5">§1.4.5</a>.
1949 See Table 3.2.b.
1950 When Members have 50 or more points, they
1951 become <i>Assured Members</i> and may then request
1952 certificates that state their Assured Name(s).
1953 </p>
1954
1955
1956 <br>
1957
1958 <br>
1959 <center>
1960
1961 <table border="1" cellpadding="5">
1962 <tbody>
1963 <tr>
1964
1965 <th>Assurance Points</th>
1966
1967 <th>Level</th>
1968
1969 <th>Service</th>
1970
1971 <th>Comments</th>
1972 </tr>
1973 <tr>
1974
1975 <td>0</td>
1976
1977 <td>Unassured Member</td>
1978
1979 <td>Anonymous</td>
1980
1981 <td>Certificates with no Name, under Class 1 Root. Limited to 6 months expiry.</td>
1982 </tr>
1983 <tr>
1984
1985 <td>1-49</td>
1986
1987 <td>Unassured Member</td>
1988
1989 <td>Anonymous</td>
1990
1991 <td>Certificates with no Name under Member SubRoot. Limited to 6 months expiry.</td>
1992 </tr>
1993 <tr>
1994
1995 <td rowspan="1">50-99</td>
1996
1997 <td>Assured Member</td>
1998
1999 <td>Verified</td>
2000
2001 <td>Certificates with Verified Name for S/MIME, web servers, "digital signing."
2002 Expiry after 24 months is available.</td>
2003 </tr>
2004 <tr>
2005
2006 <td rowspan="2">100++</td>
2007
2008 <td rowspan="2">Assurer</td>
2009
2010 <td>Code-signing</td>
2011
2012 <td>Can create Code-signing certificates </td>
2013 </tr>
2014 </tbody>
2015 </table>
2016
2017 <span class="figure">Table 3.2.b - How Assurance Points are used in Certificates</span>
2018
2019 </center>
2020 <br>
2021
2022
2023
2024 <h4 id="p3.2.3">3.2.3. Authentication of organization identity</h4>
2025
2026
2027 <p>
2028 Verification of organisations is delegated by
2029 the Assurance Policy to the
2030 Organisation Assurance Policy
2031 (<a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">COD11</a>).
2032 The reader is referred to the Organisation Assurance Policy;
2033 the following is representative and brief only.
2034 </p>
2035
2036 <p>
2037 Organisations present special challenges.
2038 The Assurance process for Organisations is
2039 intended to permit the organisational Name to
2040 appear in certificates.
2041 The process relies heavily on the Individual
2042 process described above.
2043 </p>
2044
2045 <p>
2046 Organisation Assurance achieves the standard
2047 stated in the OAP, briefly presented here:
2048 </p>
2049
2050 <ol type="a">
2051 <li>
2052 the organisation exists,
2053 </li>
2054 <li>
2055 the organisation name is correct and consistent,
2056 </li>
2057 <li>
2058 signing rights: requestor can sign on behalf of the organisation, and
2059 </li>
2060 <li>
2061 the organisation has agreed to the terms of the
2062 CAcert Community Agreement
2063 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>),
2064 and is therefore subject to Arbitration.
2065 </li>
2066 </ol>
2067
2068 <h4 id="p3.2.4">3.2.4. Non-verified subscriber information</h4>
2069
2070 <p>
2071 All information in the certificate is verified,
2072 see Relying Party Statement, §4.5.2.
2073 </p>
2074
2075
2076 <h4 id="p3.2.5">3.2.5. Validation of authority</h4>
2077
2078 <p>
2079 The authorisation to obtain a certificate is established as follows:
2080 </p>
2081
2082 <p>
2083 <b>Addresses.</b>
2084 The member claims authority over a domain or email address
2085 when adding the address, <a href="#p4.1.2">§4.1.2</a>.
2086 (Control is tested by means described in <a href="#p4.2.2">§4.2.2</a>.)
2087 </p>
2088
2089 <p>
2090 <b>Individuals.</b>
2091 The authority to participate as a Member is established
2092 by the CAcert Community Agreement
2093 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>).
2094 Assurances are requested by means of the signed CAP form.
2095 </p>
2096
2097 <p>
2098 <b>Organisations.</b>
2099 The authority for Organisation Assurance is established
2100 in the COAP form, as signed by an authorised representative
2101 of the organisation.
2102 The authority for the
2103 Organisation Administrator
2104 (O-Admin) is also established on the
2105 COAP form.
2106 See Organisation Assurance Policy.
2107 </p>
2108
2109
2110 <h4 id="p3.2.6">3.2.6. Criteria for interoperation</h4>
2111
2112 <p>
2113 CAcert does not currently issue certificates to subordinate CAs
2114 or other PKIs.
2115 Other CAs may become Members, and are then subject to the
2116 same reliance provisions as all Members.
2117 </p>
2118
2119 <h3 id="p3.3">3.3. Re-key Requests</h3>
2120
2121 <p>
2122 Via the Member's account.
2123 </p>
2124
2125 <h3 id="p3.4">3.4. Revocations Requests</h3>
2126
2127 <p>
2128 Via the Member's account.
2129 In the event that the Member has lost the password,
2130 or similar, the Member emails the support team who
2131 either work through the lost-password questions
2132 process or file a dispute.
2133 </p>
2134
2135
2136
2137 <!-- *************************************************************** -->
2138 <h2 id="p4">4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS</h2>
2139
2140 <p>
2141 The general life-cycle for a new certificate for an Individual Member is:
2142
2143 </p>
2144 <ol>
2145 <li>
2146 Member adds claim to an address (domain/email).
2147 </li>
2148 <li>
2149 System probes address for control.
2150 </li>
2151 <li>
2152 Member creates key pair.
2153 </li>
2154 <li>
2155 Member submits CSR with desired options (Anonymous Certificate, SSO, Root Certificate).
2156 </li>
2157 <li>
2158 System validates and accepts CSR based on
2159 known information: claims, assurance, controls, technicalities.
2160 </li>
2161 <li>
2162 System signs certificate.
2163 </li>
2164 <li>
2165 System makes signed certificate available to Member.
2166 </li>
2167 <li>
2168 Member accepts certificate.
2169 </li>
2170 </ol>
2171
2173
2174 <p>
2175 (Some steps are not applicable, such as anonymous certificates.)
2176 </p>
2177
2178
2179 <h3 id="p4.1">4.1. Certificate Application</h3>
2180
2181 <h4 id="p4.1.1">4.1.1. Who can submit a certificate application</h4>
2182
2183 <p>
2184 Members may submit certificate applications.
2185 On issuance of certificates, Members become Subscribers.
2186 </p>
2187
2188 <h4 id="p4.1.2">4.1.2. Adding Addresses</h4>
2189
2190 <p>
2191 The Member can claim ownership or authorised control of
2192 a domain or email address on the online system.
2193 This is a necessary step towards issuing a certificate.
2194 There are these controls:
2195 </p>
2196 <ul>
2197 <li>
2198 The claim of ownership or control is legally significant
2199 and may be referred to dispute resolution.
2200 </li>
2201 <li>
2202 Each unique address can be handled by one account only.
2203 </li>
2204 <li>
2205 When the Member makes the claim,
2206 the certificate application system automatically initiates the
2207 check of control, as below.
2208 </li>
2209 </ul>
2211
2212 <h4 id="p4.1.3">4.1.3. Preparing CSR </h4>
2213
2214 <p>
2215 Members generate their own key-pairs.
2216 The CAcert Community Agreement
2217 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>)
2218 obliges the Member as responsible for security.
2219 See CCA2.5, §9.6.
2220 </p>
2221
2222 <p>
2223 The Certificate Signing Request (CSR) is prepared by the
2224 Member for presentation to the automated system.
2225 </p>
2226
2227 <h3 id="p4.2">4.2. Certificate application processing</h3>
2228
2229 <!-- states what a CA does on receipt of the request -->
2230
2231 <p>
2232 The CA's certificate application process is completely automated.
2233 Requests, approvals and rejections are handled by the website system.
2234 Each application should be processed in less than a minute.
2235 </p>
2236 <p>
2237 Where certificates are requested for more than one
2238 purpose, the requirements for each purpose must be
2239 fulfilled.
2240 </p>
2241
2242 <!-- all sub headings in 4.2 are local, not from Chokhani. -->
2243
2244 <h4 id="p4.2.1">4.2.1. Authentication </h4>
2245
2246 <p>
2247 The Member logs in to her account on the CAcert website
2248 and thereby authenticates herself with username
2249 and passphrase or with her CAcert client-side digital certificate.
2250 </p>
2251
2252 <h4 id="p4.2.2">4.2.2. Verifying Control</h4>
2253
2254 <p>
2255 In principle, at least two controls are placed on each address.
2256 </p>
2257
2258 <p>
2259 <b><a name="ping">Email-Ping</a>.</b>
2260 Email addresses are verified by means of an
2261 <i>Email-Ping test</i>:
2262 </p>
2263
2264 <ul>
2265 <li>
2266 The system generates a cookie
2267 (a random, hard-to-guess code)
2268 and formats it as a string.
2269 </li>
2270 <li>
2271 The system sends the cookie
2272 to the Member in an email.
2273 </li>
2274 <li>
2275 Once the Member receives the email,
2276 she enters the cookie into the website.
2277 </li>
2278 <li>
2279 The entry of the code verifies
2280 control of that email account.
2281 </li>
2282 </ul>
2283
2284 <p>
2285 <b><a name="email">Email Control</a>.</b>
2286 Email addresses for client certificates are verified by passing the
2287 following checks:
2288 </p>
2289 <ol>
2290
2291 <li>An Email-ping test
2292 is done on the email address.
2293 </li>
2294
2295 <li>The Member must have signed a CAP form or equivalent,
2296 and been awarded at least one Assurance point.
2297 </li>
2298 </ol>
2299
2300 <p>
2301 <b><a name="domain">Domain Control</a>.</b>
2302 Domain addresses for server certificates are verified by passing two of the
2303 following checks:
2304 </p>
2305 <ol>
2306 <li>
2307 An Email-ping test
2308 is done on an email address chosen from <i>whois</i>
2309 or interpolated from the domain name.
2310 </li>
2311 <li>
2312 The system generates a cookie
2313 which is then placed in DNS
2314 by the Member.
2315 </li>
2316 <li>
2317 The system generates a cookie
2318 which is then placed in HTTP headers or a text file on the website
2319 by the Member.
2320 </li>
2321 <li>
2322 Statement by at least 2 Assurers about
2323 ownership/control of the domain name.
2324 </li>
2325 <li>
2326 The system generates a cookie
2327 which is then placed in whois registry information
2328 by the Member.
2329 </li>
2330 </ol>
2331
2332 <p>
2333 Notes.
2334 </p>
2335 <ul>
2336 <li>
2337 Other methods can be added from time to time by CAcert.
2338 </li>
2339 <li>
2340 Static cookies should remain for the duration of a certificate
2341 for occasional re-testing.
2342 </li>
2343 <li>
2344 Dynamic tests can be repeated at a later time of CAcert's choosing.
2345 </li>
2346 <li>
2347 Domain control checks may be extended to apply to email control
2348 in the future.
2349 </li>
2350 </ul>
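<p>
The following Go program is an added illustration of the cookie tests above; it is not CAcert's website code, and the store, the method names and the lifetimes are assumptions made for the example. It shows the verifying side: the cookie is drawn from the operating system's cryptographic random source, is bound to one Member, one address and one method, expires, and is compared in constant time. An Email-Ping cookie is consumed on first use so that it cannot be replayed, while a cookie published in DNS or HTTP stays valid for the re-testing the Notes allow, and the rule that a domain needs two passed controls is applied at the end.
</p>

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)

// Added example, not CAcert's website code: the store, the method names
// ("email", "dns", "http") and the lifetimes are assumptions.
var (
	ErrUnknown  = errors.New("no outstanding challenge for this address and method")
	ErrUsed     = errors.New("cookie already consumed")
	ErrExpired  = errors.New("cookie expired; request a new test")
	ErrMismatch = errors.New("cookie does not match")
)

// Challenge is one control test: a random cookie with an expiry. A static cookie
// (DNS, HTTP) stays valid for re-testing; a dynamic one (email ping) is single-use.
type Challenge struct {
	Cookie  string
	Expires time.Time
	Static  bool
	Used    bool
}

// Store keeps outstanding challenges and passed controls, keyed member|address|method.
type Store struct {
	now        func() time.Time
	challenges map[string]*Challenge
	passed     map[string]bool
}

func NewStore(now func() time.Time) *Store {
	return &Store{now: now, challenges: map[string]*Challenge{}, passed: map[string]bool{}}
}

// Issue draws a 32-byte cookie from the OS CSPRNG (so it cannot be guessed) and records
// it; the caller delivers it out of band, by mail or as the value the Member must publish.
func (s *Store) Issue(member, address, method string, static bool, ttl time.Duration) (*Challenge, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	ch := &Challenge{Cookie: base64.RawURLEncoding.EncodeToString(b), Expires: s.now().Add(ttl), Static: static}
	s.challenges[member+"|"+address+"|"+method] = ch
	return ch, nil
}

// Verify checks a presented cookie: one the Member typed in after the email ping, or the
// DNS TXT value or HTTP body the caller fetched. The compare is constant-time; a dynamic
// cookie is consumed on success so it cannot be replayed.
func (s *Store) Verify(member, address, method, presented string) error {
	ch, ok := s.challenges[member+"|"+address+"|"+method]
	if !ok {
		return ErrUnknown
	}
	if s.now().After(ch.Expires) {
		return ErrExpired
	}
	if ch.Used {
		return ErrUsed
	}
	if subtle.ConstantTimeCompare([]byte(ch.Cookie), []byte(strings.TrimSpace(presented))) != 1 {
		return ErrMismatch
	}
	ch.Used = !ch.Static
	s.passed[member+"|"+address+"|"+method] = true
	return nil
}

// ControlsPassed counts the distinct methods this address has passed for the Member.
func (s *Store) ControlsPassed(member, address string) int {
	n := 0
	for k := range s.passed {
		if strings.HasPrefix(k, member+"|"+address+"|") {
			n++
		}
	}
	return n
}

// DomainControlled applies the rule above: two of the checks must have passed.
func (s *Store) DomainControlled(member, address string) bool {
	return s.ControlsPassed(member, address) >= 2
}
```

<p>
The caller does the delivery and the fetching (sending the email, reading the TXT record or the URL) and passes what it received to Verify; the store itself never touches the network, which keeps the comparison and the single-use bookkeeping in one place.
</p>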
2351 <p></p>
2352
2353
2354
2355 <h4 id="p4.2.3">4.2.3. Options Available</h4>
2356
2357 <p>
2358 The Member has options available:
2359 </p>
2360
2361 <ul>
2362
2363 <li>Each Email address that is verified
2364 is available for Client Certificates.
2365 </li>
2366
2367 <li>Each Domain address that is verified
2368 is available for Server Certificates.
2369 </li>
2370
2371 <li>If the Member is unassured then only the Member SubRoot is available.
2372 </li>
2373
2374 <li>If the Member is Assured then both Assured Member and Member SubRoots
2375 are available.
2376 </li>
2377
2378 <li>If a Name is Assured then it may be
2379 put in a client certificate or an OpenPGP signature.
2380 </li>
2381 </ul>
2382
2383 <h4 id="p4.2.4">4.2.4. Client Certificate Procedures</h4>
2384
2385 <p>
2386 For an individual client certificate, the following is required.
2387 </p>
2388 <ul>
2389
2390 <li>The email address is claimed and added. </li>
2391
2392 <li>The email address is ping-tested. </li>
2393
2394 <li>For the Member Subroot, the Member must have
2395 at least one point of Assurance and have signed a CAP form.</li>
2396
2397 <li>For the Assured Subroot, the Member must have
2398 at least fifty points of Assurance. </li>
2399
2400 <li>To include a Name, the Name must be assured to at least fifty points. </li>
2401
2402 </ul>
2403 <p></p>
2404
2405 <h4 id="p4.2.5">4.2.5. Server Certificate Procedures</h4>
2406
2407 <p>
2408 For a server certificate, the following is required:
2409 </p>
2410 <ul>
2411
2412 <li>The domain is claimed and added. </li>
2413
2414 <li>The domain is checked twice as above. </li>
2415
2416 <li>For the Member SubRoot, the Member must have
2417 at least one point of Assurance and have signed a CAP form.</li>
2418
2419 <li>For the Assured SubRoot, the Member must have
2420 at least fifty points of Assurance. </li>
2421 </ul>
2422
2423 <p></p>
2424
2425 <h4 id="p4.2.6">4.2.6. Code-signing Certificate Procedures</h4>
2426
2427 <p>
2428 Code-signing certificates are made available to Assurers only.
2429 They are processed in a similar manner to client certificates.
2430 </p>
2431
2432 <h4 id="p4.2.7">4.2.7. Organisation Domain Verification</h4>
2433
2434 <p>
2435 Organisation Domains are handled under the Organisation Assurance Policy
2436 and the Organisation Handbook.
2437 </p>
2438
2439 <h3 id="p4.3">4.3. Certificate issuance</h3>
2440
2441
2442 <h4 id="p4.3.1">4.3.1. CA actions during certificate issuance</h4>
2443
2444 <p>
2445 <b>Key Sizes.</b>
2446 Members may request keys of any size permitted by the key algorithm.
2447 Many older hardware devices require small keys.
2448 </p>
2449
2450 <p>
2451 <b>Algorithms.</b>
2452 CAcert currently only supports the RSA algorithm for X.509 keys.
2453 X.509 signing uses the SHA-1 message digest algorithm.
2454 OpenPGP Signing uses RSA signing over RSA and DSA keys.
2455
2456 </p>
2457
2458 <p>
2459 <b>Process for Certificates:</b>
2460 All details in each certificate are verified
2461 by the website issuance system.
2462 Issuance is based on a 'template' system that selects
2463 profiles for certificate lifetime, size, algorithm.
2464 </p>
2465
2466
2467 <ol>
2468 <li>
2469 The CSR is verified.
2470 </li>
2471 <li>
2472 Data is extracted from CSR and verified:
2473
2474 <ul>
2475
2476 <li> Name §3.1, </li>
2477
2478 <li> Email address <a href="#p4.2.2">§4.2.2</a>, </li>
2479
2480 <li> Domain address <a href="#p4.2.2">§4.2.2</a>. </li>
2481 </ul>
2482 </li>
2483 <li>
2484 Certificate is generated from template.
2485 </li>
2486 <li>
2487 Data is copied from CSR.
2488 </li>
2489 <li>
2490 Certificate is signed.
2491 </li>
2492 <li>
2493 Certificate is stored as well as mailed.
2494 </li>
2495 </ol>
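<p>
The following Go program is an added example, not CAcert's issuance code, of steps 1 and 2 above: it decodes a PEM CSR, checks the CSR's own signature (so the requester demonstrably holds the private key), accepts only RSA keys as stated under Algorithms, and admits a Common Name, email addresses and DNS names only if the Member has already verified them under §3.1 and §4.2.2. Only the extracted data is handed to the template step; nothing else in the CSR is copied. The Verified type standing in for the website's records, and the MakeCSR helper that plays the Member's tooling, are assumptions of the example.
</p>

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Added example, not CAcert's issuance code. Verified stands in for what the
// website has recorded under §3.1 and §4.2.2; it is an assumption of the example.

// Verified is the data the website has already established for one Member.
type Verified struct {
	Names   map[string]bool // Names assured to the required points (§3.1)
	Emails  map[string]bool // addresses that passed Email Control (§4.2.2)
	Domains map[string]bool // domains that passed two Domain Control checks (§4.2.2)
}

// Issuance is the data that may be copied into the certificate template.
// Nothing else from the CSR (organisation, locality, other SAN types) is carried over.
type Issuance struct {
	CommonName string
	Emails     []string
	DNSNames   []string
	KeyBits    int
}

var ErrNotRSA = errors.New("only RSA keys are supported for X.509 certificates")

// VerifyCSR parses a PEM CSR, checks its self-signature (proof that the Member holds the
// private key), requires an RSA key, and admits only names the Member has verified.
func VerifyCSR(pemCSR []byte, v Verified) (*Issuance, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, ErrNotRSA
	}
	out := &Issuance{KeyBits: pub.N.BitLen()}
	// The CN must be an assured Name (client certificate) or a controlled domain (server
	// certificate); an empty CN is allowed and yields an anonymous certificate.
	if cn := csr.Subject.CommonName; cn != "" {
		if !v.Names[cn] && !v.Domains[strings.ToLower(cn)] {
			return nil, fmt.Errorf("common name %q is neither an assured Name nor a verified domain", cn)
		}
		out.CommonName = cn
	}
	for _, e := range csr.EmailAddresses {
		e = strings.ToLower(e)
		if !v.Emails[e] {
			return nil, fmt.Errorf("email %q has not passed Email Control", e)
		}
		out.Emails = append(out.Emails, e)
	}
	for _, d := range csr.DNSNames {
		d = strings.ToLower(d)
		if !v.Domains[d] {
			return nil, fmt.Errorf("domain %q has not passed Domain Control", d)
		}
		out.DNSNames = append(out.DNSNames, d)
	}
	// No §4.2.2 check covers IP addresses or URIs, so a CSR carrying them is refused.
	if len(csr.IPAddresses) > 0 || len(csr.URIs) > 0 {
		return nil, errors.New("CSR contains SAN types that cannot be verified")
	}
	if out.CommonName == "" && len(out.Emails) == 0 && len(out.DNSNames) == 0 {
		return nil, errors.New("CSR carries no verifiable subject data")
	}
	return out, nil
}

// MakeCSR builds a PEM CSR the way a Member's tooling would; it exists only for the example.
func MakeCSR(key interface{}, cn string, emails, dns []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, EmailAddresses: emails, DNSNames: dns}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
```

<p>
The returned Issuance is what the template step consumes; because the website fills the certificate from this structure rather than from the CSR, a requester cannot smuggle unverified subject fields or extensions past the check by adding them to the request.
</p>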
2496
2497
2498 <p>
2499 <b>Process for OpenPGP key signatures:</b>
2500 All details in each Sub-ID are verified
2501 by the website issuance system.
2502 Issuance is based on the configuration that selects
2503 the profile for signature lifetime, size,
2504 algorithm following the process:
2505 </p>
2506
2507 <ol>
2508 <li>
2509 The public key is verified.
2510 </li>
2511 <li>
2512 Data is extracted from the key and verified (Name, Emails).
2513 Only the combinations of data in Table 4.3.1 are permitted.
2514 </li>
2515 <li>
2516 OpenPGP Key Signature is generated.
2517 </li>
2518 <li>
2519 Key Signature is applied to the key.
2520 </li>
2521 <li>
2522 The signed key is stored as well as mailed.
2523 </li>
2524 </ol>
2525
2526 <center>
2527 <table valign="top" border="1" cellpadding="5" align="center">
2528 <tbody>
2529
2530 <tr>
2531
2532 <td>
2533 <br>
2534 </td>
2535
2536 <td>Verified Name</td>
2537
2538 <td valign="top">Unverified Name
2539 <br>
2540 </td>
2541
2542 <td>Empty Name
2543 <br>
2544 </td>
2545 </tr>
2546
2547 <tr>
2548 
2549 <td>Verified email
2550 <br>
2551 </td>
2552 
2553 <td>
2554 <center> <font title="pass." color="green" size="+3">&#10004;</font> </center>
2555 </td>
2556 
2557 <td valign="top">
2558 <center> <font title="fail." color="red" size="+3">&#10008;</font> </center>
2559 </td>
2560 
2561 <td>
2562 <center> <font title="pass." color="green" size="+3">&#10004;</font> </center>
2563 </td>
2564 </tr>
2565 
2566 <tr>
2567 
2568 <td>Unverified email</td>
2569 
2570 <td>
2571 <center> <font title="fail." color="red" size="+3">&#10008;</font> </center>
2572 </td>
2573 
2574 <td valign="top">
2575 <center> <font title="fail." color="red" size="+3">&#10008;</font> </center>
2576 </td>
2577 
2578 <td>
2579 <center> <font title="fail." color="red" size="+3">&#10008;</font> </center>
2580 </td>
2581 </tr>
2582 <tr>
2583 <td valign="top">Empty email
2584 <br>
2585 </td>
2586 
2587 <td valign="top">
2588 <center> <font title="pass." color="green" size="+3">&#10004;</font> </center>
2589 </td>
2590 
2591 <td valign="top">
2592 <center> <font title="fail." color="red" size="+3">&#10008;</font> </center>
2593 </td>
2594 
2595 <td valign="top">
2596 <center> <font title="fail." color="red" size="+3">&#10008;</font> </center>
2597 </td>
2598 </tr>
2599 </tbody>
2600 </table>
2601 <br>
2602
2603 <span class="figure">Table 4.3.1. Permitted Data in Signed OpenPgp Keys</span>
2604 </center>
2605
2606 <h4 id="p4.3.2">4.3.2. Notification to subscriber by the CA of issuance of certificate</h4>
2607
2608 <p>
2609 Once signed, the certificate is
2610 made available via the Member's account,
2611 and emailed to the Member.
2612 It is also archived internally.
2613 </p>
2614
2615 <h3 id="p4.4">4.4. Certificate acceptance</h3>
2616
2617 <h4 id="p4.4.1">4.4.1. Conduct constituting certificate acceptance</h4>
2618
2619 <p>
2620 There is no need for the Member to explicitly accept the certificate.
2621 In case the Member does not accept the certificate,
2622 the certificate has to be revoked and made again.
2623 </p>
2624
2625 <h4 id="p4.4.2">4.4.2. Publication of the certificate by the CA</h4>
2626
2627 <p>
2628 CAcert does not currently publish the issued certificates
2629 in any repository.
2630 In the event that CAcert will run a repository,
2631 the publication of certificates and signatures
2632 there will be at the Member's option.
2633 However note that certificates that are issued
2634 and delivered to the Member are presumed to be
2635 published. See §2.2.
2636 </p>
2637
2638 <h4 id="p4.4.3">4.4.3. Notification of certificate issuance by the CA to other entities</h4>
2639
2640 <p>
2641 There are no external entities that are notified about issued certificates.
2642 </p>
2643
2644 <h3 id="p4.5">4.5. Key pair and certificate usage</h3>
2645
2646 <p>
2647 All Members (subscribers and relying parties)
2648 are obliged according to the
2649 CAcert Community Agreement
2650 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>).
2651 See especially 2.3 through 2.5.
2652 </p>
2653 <h4 id="p4.5.1">4.5.1. Subscriber Usage and Responsibilities</h4>
2654
2655 <p>
2656 Subscribers should use keys only for their proper purpose,
2657 as indicated by the certificate, or by wider agreement with
2658 others.
2659 </p>
2660
2661 <h4 id="p4.5.2">4.5.2. Relying Party Usage and Responsibilities</h4>
2662
2663
2664 <p>
2665 Relying parties (Members) may rely on the following.
2666 </p>
2667
2668 <center>
2669
2670 <table border="1" cellpadding="25">
2671 <tbody>
2672 <tr>
2673 <td>
2674
2675 <p align="center">
2676 <big><b>Relying Party Statement</b></big>
2677 </p>
2678 <p>
2679 Certificates are issued to Members only.
2680 <br>
2681
2682 <br>
2683 All information in a certificate is verified.
2684 </p>
2685 </td>
2686 </tr>
2687 </tbody>
2688 </table>
2689 </center>
2690
2691
2692 <p>
2693 The following notes are in addition to the Relying Party Statement,
2694 and can be seen as limitations on it.
2695 </p>
2696
2697 <h5 id="p4.5.2.1">4.5.2.a Methods of Verification </h5>
2698 <p>
2699 The term Verification as used in the Relying Party Statement means one of
2700 </p>
2701 <table border="1" cellpadding="5">
2702 <tbody>
2703 <tr>
2704
2705 <th>Type</th>
2706 <th>How</th>
2707 <th>Authority</th>
2708 <th>remarks</th>
2709 </tr>
2710 <tr>
2711
2712 <th>Assurance</th>
2713 <td>under CAcert Assurance Programme (CAP)</td>
2714
2715 <td>Assurance Policy</td>
2716
2717 <td>only information assured to 50 points under CAP is placed in the certificate </td>
2718 </tr>
2719 <tr>
2720
2721 <th>Evaluation</th>
2722 <td>under automated domain and email checks </td>
2723
2724 <td>this CPS</td>
2725
2726 <td>see §4.2.2</td>
2727 </tr>
2728 <tr>
2729
2730 <th>Controlled</th>
2731 <td>programs or "profiles" that check the information within the CSR </td>
2732
2733 <td>this CPS</td>
2734
2735 <td>see §7.1</td>
2736 </tr>
2737 </tbody>
2738 </table>
2739
2740 <h5 id="p4.5.2.2">4.5.2.b Who may rely</h5>
2741 <p>
2742 <b>Members may rely.</b>
2743 Relying parties are Members,
2744 and as such are bound by this CPS and the
2745 CAcert Community Agreement
2746 (<a href="http://www.cacert.org/policy/CAcertCommunityAgreement.php">COD9</a>).
2747 The licence and permission to rely is not assignable.
2748 </p>
2749
2750 <p>
2751 <b>Suppliers of Software.</b>
2752 CAcert roots may be distributed in software,
2753 and those providers may
2754 enter into agreement with CAcert by means of the
2755 Third Party Vendor - Disclaimer and Licence
2756 (wip).
2757 This licence brings the supplier in to the Community
2758 to the extent that
2759 they agree to dispute resolution
2760 within CAcert's forum.
2761 </p>
2762
2763 <p>
2764 <b>NRPs may not rely.</b>
2765 If not related to CAcert by means of an agreement
2766 that binds the parties to dispute resolution within CAcert's forum,
2767 a person is a Non-Related-Person (NRP).
2768 An NRP is not permitted to rely and is not a Relying Party.
2769 For more details, see the
2770 NRP - Disclaimer and Licence (<a href="http://www.cacert.org/policy/NRPDisclaimerAndLicence.php">COD4</a>).
2771 </p>
2772
2773 <h5 id="p4.5.2.3">4.5.2.c The Act of Reliance </h5>
2774
2775 <p>
2776 <b>Decision making.</b>
2777 Reliance means taking a decision that is in part or in whole
2778 based on the information in the certificate.
2779
2780 A Relying Party may incorporate
2781 the information in the certificate,
2782 and the implied information such as Membership,
2783 into her decision-making.
2784 In making a decision,
2785 a Relying Party should also:
2786 </p>
2787
2788 <ul>
2789 <li>
2790 include her own overall risk equation,
2791 </li>
2792 <li>
2793 include the general limitations of the Assurance process,
2794 certificates, and wider security considerations,
2795 </li>
2796 <li>
2797 make additional checks to provide more information,
2798 </li>
2799 <li>
2800 consider any wider agreement with the other Member, and
2801 </li>
2802 <li>
2803 use an appropriate protocol or custom of reliance (below).
2804 </li>
2805 </ul>
2806
2807 <p>
2808 <b>Examining the Certificate.</b>
2809 A Relying Party must make her own decision in using
2810 each certificate. She must examine the certificate,
2811 a process called <i>validation</i>.
2812 Certificate-related information includes,
2813 but is not limited to:
2814 </p>
2815 <ul>
2816 <li>
2817 Name,
2818 </li>
2819 <li>
2820 expiry time of certificate,
2821 </li>
2822 <li>
2823 current certificate revocation list (CRL),
2824 </li>
2825 <li>
2826 certificate chain and
2827 the validity check of the certificates in the chain,
2828 </li>
2829 <li>
2830 issuer of certificate (CAcert),
2831 </li>
2832 <li>
2833 SubRoot is intended for reliance (Assured, Organisation and Class 3)
2834 </li>
2835 <li>
2836 purpose of certificate.
2837 </li>
2838 </ul>
2839
2840 <p>
2841 <b>Keeping Records.</b>
2842 Records should be kept, appropriate to the import of the decision.
2843 The certificate should be preserved.
2844 This should include sufficient
2845 evidence to establish who the parties are
2846 (especially, the certificate relied upon),
2847 to establish the transaction in question,
2848 and to establish the wider agreement that
2849 defines the act.
2850 </p>
2851
2852 <p>
2853 <b>Wider Protocol.</b>
2854 In principle, reliance will be part of a wider protocol
2855 (customary method in reaching and preserving agreement)
2856 that presents and preserves sufficient of the evidence
2857 for dispute resolution under CAcert's forum of Arbitration.
2858 The protocol should be agreed amongst the parties,
2859 and tuned to the needs.
2860 This CPS does not define any such protocol.
2861 In the absence of such a protocol, reliance will be weakened;
2862 a dispute without sufficient evidence may be dismissed by an Arbitrator.
2863 </p>
2864
2865 <p>
2866 <b>As Compared to Usage.</b>
2867 Reliance goes beyond Usage. The latter is limited to
2868 letting the software act as the total and only Validation
2869 Authority. When relying, the Member also augments
2870 the algorithmic processing of the software with her own
2871 checks of the business, technical and certificate aspect.
2872 </p>
2873
2874 <h5 id="p4.5.2.4">4.5.2.d Risks and Limitations of Reliance </h5>
2875 <p>
2876 <b>Roots and Naming.</b>
2877 Where the Class 1 root is used,
2878 the Subscriber may be a new Member,
2879 including one with zero points.
2880 Where the Name is not provided,
2881 this indicates it is not available.
2882 In these circumstances,
2883 reliance is not defined,
2884 and Relying parties should take more care.
2885 See Table 4.5.2.
2886 </p>
2887
2888 <center>
2889 <table border="1" cellpadding="5">
2890 <tbody>
2891 <tr>
2892
2893 <td></td>
2894
2895 <td colspan="4">
2896 <center><i>Statements of Reliance for Members</i></center>
2897 </td>
2898 </tr>
2899 <tr>
2900
2901 <td><i>Class of Root</i></td>
2902
2903 <td>
2904 <center><b>Anonymous</b>
2905 <br>
2906 (all Members)</center>
2907 </td>
2908
2909 <td>
2910 <center><b>Named</b>
2911 <br>
2912 (Assured Members only)</center>
2913 </td>
2914 </tr>
2915 <tr>
2916
2917 <td>
2918 <center>Class
2919 <br>
2920 <big><b>1</b></big></center>
2921 </td>
2922
2923 <td rowspan="2" bgcolor="red">
2924 <b>Do not rely.</b>
2925 <br>
2926 Relying party must use other methods to check. </td>
2927
2928 <td rowspan="2" bgcolor="orange">
2929 Do not rely.
2930 Although the named Member has been Assured by CAcert,
2931 reliance is not defined with Class 1 root.
2932 <br>
2933 (issued for compatibility only).</td>
2934 </tr>
2935 <tr>
2936
2937 <td>
2938 <center><big><b>Member</b></big>
2939 <br>
2940 SubRoot</center>
2941 </td>
2942 </tr>
2943 <tr>
2944
2945 <td>
2946 <center>Class
2947 <br>
2948 <big><b>3</b></big></center>
2949 </td>
2950
2951 <td rowspan="2" bgcolor="orange">
2952 Do not rely on the Name (being available).
2953 The Member has been Assured by CAcert,
2954 but reliance is undefined.</td>
2955
2956 <td rowspan="2">
2957 The Member named in the certificate has been Assured by CAcert.</td>
2958 </tr>
2959 <tr>
2960
2961 <td>
2962 <center><big><b>Assured</b></big>
2963 <br>
2964 SubRoot</center>
2965 </td>
2966 </tr>
2967 </tbody>
2968 </table>
2969
2970 <span class="figure">Table 4.5.2. Statements of Reliance</span>
2971 </center>
2972
2973 <p>
2974 <b>Software Agent.</b>
2975 When relying on a certificate, relying parties should
2976 note that your software is responsible for the way it
2977 shows you the information in a certificate.
2978 If your software agent hides parts of the information,
2979 your sole remedy may be to choose another software agent.
2980 </p>
2981
2982 <p>
2983 <b>Malware.</b>
2984 When relying on a certificate, relying parties should
2985 note that platforms that are vulnerable to viruses or
2986 trojans or other weaknesses may not process any certificates
2987 properly and may give deceptive or fraudulent results.
2988 It is your responsibility to ensure you are using a platform
2989 that is secured according to the needs of the application.
2990 </p>
2991
2992 <h5 id="p4.5.2.5">4.5.2.e When something goes wrong </h5>
2993 <p>
2994 In the event that an issue arises out of the Member's reliance,
2995 her sole avenue is <b>to file dispute under DRP</b>.
2996 See <a href="#p9.13">§9.13</a>.
2997
2998 For this purpose, the certificate (and other evidence) should be preserved.
2999 </p>
3000
3001 <p>
3002 <b>Which person?</b>
3003 Members may install certificates for other individuals or in servers,
3004 but the Member to whom the certificate is issued
3005 remains the responsible person.
3006 E.g., under Organisation Assurance, an organisation is issued
3007 a certificate for the use by individuals
3008 or servers within that organisation,
3009 but the Organisation is the responsible person.
3010 </p>
3011
3012 <p>
3013 <b>Software Agent.</b>
3014 If a Member is relying on a CAcert root embedded in
3015 the software as supplied by a vendor,
3016 the risks, liabilities and obligations of the Member
3017 do not automatically transfer to the vendor.
3018 </p>
3019
3020 <h3 id="p4.6">4.6. Certificate renewal</h3>
3021
3022 <p>
3023 A certificate can be renewed at any time.
3024 The procedure of certificate renewal is the same
3025 as for the initial certificate issuance.
3026 </p>
3027
3028 <h3 id="p4.7">4.7. Certificate re-key</h3>
3029
3030 <p>
3031 Certificate "re-keyings" are neither offered nor supported.
3032 A new certificate with a new key has to be requested and issued instead,
3033 and the old one revoked.
3034 </p>
3035
3036 <h3 id="p4.8">4.8. Certificate modification</h3>
3037
3038 <p>
3039 Certificate "modifications" are neither offered nor supported.
3040 A new certificate has to be requested and issued instead.
3041 </p>
3042
3043 <h3 id="p4.9">4.9. Certificate revocation and suspension</h3>
3044
3045 <h4 id="p4.9.1">4.9.1. Circumstances for revocation</h4>
3046 <p>
3047 Certificates may be revoked under the following circumstances:
3048 </p>
3049
3050 <ol>
3051 <li>
3052 As initiated by the Subscriber through her online account.
3053 </li>
3054 <li>
3055 As initiated in an emergency action by a
3056 support team member.
3057 Such action will immediately be referred to dispute resolution
3058 for ratification.
3059 </li>
3060 <li>
3061 Under direction from the Arbitrator in a duly ordered ruling
3062 from a filed dispute.
3063 </li>
3064 </ol>
3065
3066 <p>
3067 These are the only three circumstances under which a
3068 revocation occurs.
3069 </p>
3070
3071 <h4 id="p4.9.2">4.9.2. Who can request revocation</h4>
3072
3073 <p>
3074 As above.
3075 </p>
3076
3077 <h4 id="p4.9.3">4.9.3. Procedure for revocation request</h4>
3078 <p>
3079 The Subscriber logs in to her online account through
3080 the website at http://www.cacert.org/ .
3081 </p>
3082
3083 <p>
3084 In any other event such as lost passwords or fraud,
3085 a dispute should be filed
3086 by email at
3087 &lt; support AT cacert DOT org &gt;
3088 </p>
3089
3090 <h4 id="p4.9.4">4.9.4. Revocation request grace period</h4>
3091
3092 <p>No stipulation.</p>
3093
3094 <h4 id="p4.9.5">4.9.5. Time within which CA must process the revocation request</h4>
3095
3096 <p>
3097 Revocation is automated in the web interface for subscribers,
3098 and is generally handled in less than a minute.
3099 </p>
3100
3101 <p>
3102 A filed dispute that requests a revocation should be handled
3103 within five business days; however, the Arbitrator has discretion.
3104 </p>
3105
3106 <h4 id="p4.9.6">4.9.6. Revocation checking requirement for relying parties</h4>
3107
3108 <p>
3109 Each revoked certificate is recorded in the
3110 certificate revocation list (CRL).
3111 Relying Parties must check a certificate against
3112 the most recent CRL issued, in order to validate
3113 the certificate for the intended reliance.
3114 </p>
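<p>
The following Go program is an added example, not CAcert code, of the check required here together with the examination steps listed in §4.5.2.c. It builds a toy hierarchy (a Root, and a SubRoot that issues a Member's client certificate and signs the CRL) and then validates the certificate as a Relying Party would: chain to the trusted Root, validity period, intended purpose, and status against the most recent CRL, refusing a CRL whose signature does not verify or whose next-update time has passed. The names, serial numbers and lifetimes are assumptions.
</p>

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Added example, not CAcert code: a toy Root -> SubRoot -> Member hierarchy with a CRL,
// and the Relying Party's checks. Names, serial numbers and lifetimes are assumptions.
var ErrRevoked = errors.New("certificate is listed in the current CRL")

// Fixture is the toy PKI: Root, the SubRoot (with its key) that issues and revokes, and one Member certificate.
type Fixture struct {
	Root, Sub, Leaf *x509.Certificate
	SubKey          *rsa.PrivateKey
}

// caTemplate is the profile for a CA certificate: it may sign certificates and CRLs.
func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// newCert generates a 2048-bit RSA key and certifies it from tmpl under parent/signer (nil signer: self-signed).
func newCert(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // fixture helper: fails only if the CSPRNG is unavailable
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildFixture creates the Root, the SubRoot, and a client certificate (client auth, email protection) for a Member.
func BuildFixture(now time.Time, cn, email string, lifetime time.Duration) *Fixture {
	root, rootKey := newCert(caTemplate(1, "Example Root", now), nil, nil)
	sub, subKey := newCert(caTemplate(2, "Example Assured SubRoot", now), root, rootKey)
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber:   big.NewInt(100),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      now,
		NotAfter:       now.Add(lifetime),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, sub, subKey)
	return &Fixture{Root: root, Sub: sub, Leaf: leaf, SubKey: subKey}
}

// IssueCRL signs a new CRL from the SubRoot listing the given entries, valid for one hour (fresh number per CRL).
func (f *Fixture) IssueCRL(number int64, now time.Time, revoked []pkix.RevokedCertificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, f.Sub, f.SubKey)
}

// Validate is the Relying Party's examination: chain, validity period, purpose, then status against the most recent CRL.
func Validate(leaf, root, sub *x509.Certificate, crlDER []byte, now time.Time, purpose x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{purpose}}); err != nil {
		return err // expired, wrong purpose, untrusted issuer or broken chain
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(sub); err != nil {
		return err // a CRL not signed by the issuing SubRoot proves nothing
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is out of date; fetch the most recent CRL before relying")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

<p>
Validate takes the time of the decision as a parameter so that the same routine can be used both for reliance now and, with a preserved certificate and CRL, for reconstructing what a Relying Party could have known at the time a dispute concerns.
</p>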
3115
3116 <h4 id="p4.9.7">4.9.7. CRL issuance frequency (if applicable)</h4>
3117
3118 <p>
3119 A new CRL is issued after every certificate revocation.
3120 </p>
3121
3122 <h4 id="p4.9.8">4.9.8. Maximum latency for CRLs (if applicable)</h4>
3123
3124 <p>
3125 The maximum latency between revocation and issuance of the CRL is 1 hour.
3126 </p>
3127
3128 <h4 id="p4.9.9">4.9.9. On-line revocation/status checking availability</h4>
3129
3130 <p>
3131 OCSP is available at
3132 http://ocsp.cacert.org/ .
3133 </p>
3134
3135 <h4 id="p4.9.10">4.9.10. On-line revocation checking requirements</h4>
3136 <p>
3137 Relying parties must check up-to-date status before relying.
3138 </p>
3139
3140 <h4 id="p4.9.11">4.9.11. Other forms of revocation advertisements available</h4>
3141 <p>
3142 None.
3143 </p>
3144
3145 <h4 id="p4.9.12">4.9.12. Special requirements re key compromise</h4>
3146 <p>
3147 Subscribers are obliged to revoke certificates at the earliest opportunity.
3148 </p>
3149
3150 <h4 id="p4.9.13">4.9.13. Circumstances for suspension</h4>
3151
3152 <p>
3153 Suspension of certificates is not available.
3154 </p>
3155
3156 <h4 id="p4.9.14">4.9.14. Who can request suspension</h4>
3157 <p>
3158 Not applicable.
3159 </p>
3160
3161 <h4 id="p4.9.15">4.9.15. Procedure for suspension request</h4>
3162 <p>
3163 Not applicable.
3164 </p>
3165
3166 <h4 id="p4.9.16">4.9.16. Limits on suspension period</h4>
3167 <p>
3168 Not applicable.
3169 </p>
3170
3171
3172
3173 <h3 id="p4.10">4.10. Certificate status services</h3>
3174
3175 <h4 id="p4.10.1">4.10.1. Operational characteristics</h4>
3176 <p>
3177 OCSP is available
3178 at http://ocsp.cacert.org/ .
3179 </p>
3180
3181 <h4 id="p4.10.2">4.10.2. Service availability</h4>
3182
3183 <p>
3184 OCSP is made available on an experimental basis.
3185 </p>
3186
3187 <h4 id="p4.10.3">4.10.3. Optional features</h4>
3188
3189 <p>
3190 No stipulation.
3191 </p>
3192
3193 <h3 id="p4.11">4.11. End of subscription</h3>
3194
3195 <p>
3196 Certificates include expiry dates.
3197 </p>
3198
3199 <h3 id="p4.12">4.12. Key escrow and recovery</h3>
3200
3201 <h4 id="p4.12.1">4.12.1. Key escrow and recovery policy and practices</h4>
3202
3203 <p>
3204 CAcert does not generate nor escrow subscriber keys.
3205 </p>
3206
3207 <h4 id="p4.12.2">4.12.2. Session key encapsulation and recovery policy and practices</h4>
3208
3209 <p>
3210 No stipulation.
3211 </p>
3212
3213
3214
3215 <!-- *************************************************************** -->
3216 <h2 id="p5">5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS</h2>
3217
3218 <!-- <a href="http://xkcd.com/87/">
3219 <img align="right" src="http://imgs.xkcd.com/comics/velociraptors.jpg">
3220 </a> -->
3221
3222 <h3 id="p5.1">5.1. Physical controls</h3>
3223
3224 <p>
3225 Refer to Security Policy (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3226 </p>
3227 <ul>
3228 <li>
3229 Site location and construction - SP2.1
3230 </li>
3231 <li>
3232 Physical access - SP2.3
3233 </li>
3234 </ul>
3235 <p></p>
3236
3237
3238 <h4 id="p5.1.1">5.1.1. Power and air conditioning</h4>
3239 <p>
3240 Refer to Security Policy 2.1.2 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3241 </p>
3242 <h4 id="p5.1.2">5.1.2. Water exposures</h4>
3243 <p>
3244 Refer to Security Policy 2.1.4 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3245 </p>
3246 <h4 id="p5.1.3">5.1.3. Fire prevention and protection</h4>
3247 <p>
3248 Refer to Security Policy 2.1.4 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3249 </p>
3250 <h4 id="p5.1.4">5.1.4. Media storage</h4>
3251 <p>
3252 Refer to Security Policy 4.3 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3253 </p>
3254 <h4 id="p5.1.5">5.1.5. Waste disposal</h4>
3255 <p>
3256 No stipulation.
3257 </p>
3258 <h4 id="p5.1.6">5.1.6. Off-site backup</h4>
3259 <p>
3260 Refer to Security Policy 4.3 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3261 </p>
3262
3263 <h3 id="p5.2">5.2. Procedural controls</h3>
3264
3265 <h4 id="p5.2.1">5.2.1. Trusted roles</h4>
3266
3267 <ul>
3268
3269 <li><b> Technical teams:</b>
3270
3271 <ul>
3272
3273 <li>User support personnel</li>
3274
3275 <li>Systems Administrators -- critical and non-critical</li>
3276
3277 <li>Software Developers</li>
3278
3279 <li>controllers of keys</li>
3280 </ul>
3281 Refer to Security Policy 9.1 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
3282
3283 </li>
3284
3285
3286 <li><b>Assurance:</b>
3287
3288 <ul>
3289
3290 <li>Assurers</li>
3291
3292 <li> Any others authorised under COD13 </li>
3293 </ul>
3294 Refer to Assurance Policy (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>)
3295 </li>
3296
3297
3298 <li><b>Governance:</b>
3299
3300 <ul>
3301
3302 <li>Directors (members of the CAcert Inc. committee, or "Board") </li>
3303
3304 <li>Internal Auditor</li>
3305
3306 <li>Arbitrator</li>
3307 </ul>
3308 </li>
3309 </ul>
3310
3311
3312 <h4 id="p5.2.2">5.2.2. Number of persons required per task</h4>
3313 <p>
3314 CAcert operates to the principles of <i>four eyes</i> and <i>dual control</i>.
3315 All important roles require a minimum of two persons.
3316 The people may be tasked to operate
3317 with an additional person observing (<i>four eyes</i>),
3318 or with two persons controlling (<i>dual control</i>).
3319 </p>
3320
3321 <h4 id="p5.2.3">5.2.3. Identification and authentication for each role</h4>
3322
3323 <p>
3324 All important roles are generally required to be assured
3325 at least to the level of Assurer, as per AP.
3326 Refer to Assurance Policy (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>).
3327 </p>
3328
3329 <p>
3330 <b>Technical.</b>
3331 Refer to Security Policy 9.1 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3332 </p>
3333
3334 <h4 id="p5.2.4">5.2.4. Roles requiring separation of duties</h4>
3335
3336 <p>
3337 Roles strive in general for separation of duties, either along the lines of
3338 <i>four eyes principle</i> or <i>dual control</i>.
3339 </p>
3340
3341 <h3 id="p5.3">5.3. Personnel controls</h3>
3342
3343 <h4 id="p5.3.1">5.3.1. Qualifications, experience, and clearance requirements</h4>
3344
3345 <center>
3346 <table border="1" cellpadding="5">
3347 <tbody>
3348 <tr>
3349
3350 <td><b>Role</b></td>
3351 <td><b>Policy</b></td>
3352 <td><b>Comments</b></td>
3353 </tr>
3354 <tr>
3355
3356 <td>Assurer</td>
3357
3358 <td><a href="http://www.cacert.org/policy/AssurancePolicy.php"> COD13</a></td>
3359
3360 <td>
3361 Passes Challenge, Assured to 100 points.
3362 </td>
3363 </tr>
3364 <tr>
3365
3366 <td>Organisation Assurer</td>
3367
3368 <td><a href="http://www.cacert.org/policy/OrganisationAssurancePolicy.php">COD11</a></td>
3369
3370 <td>
3371 Trained and tested by two supervising OAs.
3372 </td>
3373 </tr>
3374 <tr>
3375
3376 <td>Technical</td>
3377
3378 <td>SM =&gt; COD08</td>
3379
3380 <td>
3381 Teams responsible for testing.
3382 </td>
3383 </tr>
3384 <tr>
3385
3386 <td>Arbitrator</td>
3387
3388 <td><a href="http://www.cacert.org/policy/DisputeResolutionPolicy.php">COD7</a></td>
3389
3390 <td>
3391 Experienced Assurers.
3392 </td>
3393 </tr>
3394 </tbody>
3395 </table>
3396
3397 <span class="figure">Table 5.3.1. Controls on Roles</span>
3398 </center>
3399
3400
3401 <h4 id="p5.3.2">5.3.2. Background check procedures</h4>
3402
3403 <p>
3404 Refer to Security Policy 9.1.3 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3405 </p>
3406
3407 <h4 id="p5.3.3">5.3.3. Training requirements</h4>
3408 <p>No stipulation.</p>
3409 <h4 id="p5.3.4">5.3.4. Retraining frequency and requirements</h4>
3410 <p>No stipulation.</p>
3411
3412 <h4 id="p5.3.5">5.3.5. Job rotation frequency and sequence</h4>
3413 <p>No stipulation.</p>
3414
3415 <h4 id="p5.3.6">5.3.6. Sanctions for unauthorized actions</h4>
3416 <p>
3417 Any actions that are questionable
3418 - whether uncertain or grossly negligent -
3419 may be filed as a dispute.
3420 The Arbitrator has wide discretion in
3421 ruling on loss of points, retraining,
3422 or termination of access or status.
3423 Refer to DRP.
3424 </p>
3425
3426 <h4 id="p5.3.7">5.3.7. Independent contractor requirements</h4>
3427 <p>No stipulation.</p>
3428
3429 <h4 id="p5.3.8">5.3.8. Documentation supplied to personnel</h4>
3430 <p>No stipulation.</p>
3431
3432 <h3 id="p5.4">5.4. Audit logging procedures</h3>
3433
3434 <p>
3435 Refer to Security Policy 4.2, 5 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3436 </p>
3437
3438 <h3 id="p5.5">5.5. Records archival</h3>
3439 <p>
3440 The standard retention period is 7 years.
3441 Once archived, records can only be obtained and verified
3442 by means of a filed dispute.
3443 Following types of records are archived:
3444 </p>
3445
3446 <center>
3447 <table border="1" cellpadding="5">
3448 <tbody>
3449 <tr>
3450
3451 <td><b>Record</b></td>
3452
3453 <td><b>Nature</b></td>
3454
3455 <td><b>Exceptions</b></td>
3456
3457 <td><b>Documentation</b></td>
3458 </tr>
3459 <tr>
3460
3461 <td>Member</td>
3462
3463 <td>username, primary and added addresses, security questions, Date of Birth</td>
3464
3465 <td>resigned non-subscribers: 0 years.</td>
3466
3467 <td>Security Policy and Privacy Policy</td>
3468 </tr>
3469 <tr>
3470
3471 <td>Assurance</td>
3472
3473 <td>CAP forms</td>
3474
3475 <td>"at least 7 years."
3476 <br>
3477 as per subsidiary policies</td>
3478
3479 <td>Assurance Policy 4.5</td>
3480 </tr>
3481 <tr>
3482
3483 <td>Organisation Assurance</td>
3484
3485 <td>COAP forms</td>
3486
3487 <td>as per subsidiary policies</td>
3488
3489 <td>Organisation Assurance Policy</td>
3490 </tr>
3491 <tr>
3492
3493 <td>certificates and revocations</td>
3494
3495 <td> for reliance </td>
3496
3497 <td> 7 years after termination </td>
3498
3499 <td>this CPS</td>
3500 </tr>
3501 <tr>
3502
3503 <td>critical roles</td>
3504
3505 <td>background check worksheets</td>
3506
3507 <td>under direct Arbitrator control</td>
3508
3509 <td>Security Policy 9.1.3</td>
3510 </tr>
3511 </tbody>
3512 </table>
3513
3514 <span class="figure">Table 5.5. Documents and Retention </span>
3515 </center>
3516
3517
3518 <h3 id="p5.6">5.6. Key changeover</h3>
3519
3520 <p>
3521 Refer to Security Policy 9.2 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3522 </p>
3523
3524 <h3 id="p5.7">5.7. Compromise and disaster recovery</h3>
3525
3526 <p>
3527 Refer to Security Policy 5, 6 (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>).
3528 (Refer to <a href="#p1.4">§1.4</a> for limitations to service.)
3529 </p>
3530
3532
3533 <h3 id="p5.8">5.8. CA or RA termination</h3>
3534
3535 <h4 id="p5.8.1">5.8.1. CA termination</h4>
3536
3537 <p>
3538 In the event of operational termination, the
3539 Roots (including SubRoots)
3540 and all private Member information will be secured.
3541 The Roots will be handed over to a responsible
3542 party for the sole purpose of issuing revocations.
3543 Member information will be securely destroyed.
3544 </p>
3545
3546
3547 <h4 id="p5.8.2">5.8.2. RA termination</h4>
3548
3549 <p>
3550 When an Assurer desires to voluntarily terminate
3551 her responsibilities, she does this by filing a dispute
3552 and following the instructions of the Arbitrator.
3553 </p>
3554
3555 <p>
3556 In the case of involuntary termination, the process is
3557 the same, save for some other party filing the dispute.
3558 </p>
3559
3560
3561 <!-- *************************************************************** -->
3562 <h2 id="p6">6. TECHNICAL SECURITY CONTROLS</h2>
3563
3564 <h3 id="p6.1">6.1. Key Pair Generation and Installation</h3>
3565
3566 <h4 id="p6.1.1">6.1.1. Key Pair Generation</h4>
3567
3568 <p>
3569 Subscribers generate their own Key Pairs.
3570 </p>
3571
3572 <h4 id="p6.1.2">6.1.2. Subscriber Private key security</h4>
3573
3574 <p>
3575 There is no technical stipulation on how Subscribers generate
3576 and keep safe their private keys,
3577 however, CCA 2.5 provides for general security obligations.
3578 See <a href="#p9.6">§9.6</a>.
3579 </p>
3580
3581 <h4 id="p6.1.3">6.1.3. Public Key Delivery to Certificate Issuer</h4>
3582
3583 <p>
3584 Members login to their online account.
3585 Public Keys are delivered by cut-and-pasting
3586 them into the appropriate window.
3587 Public Keys are delivered in signed-CSR form
3588 for X.509 and in self-signed form for OpenPGP.
3589 </p>
3590
3591 <h4 id="p6.1.4">6.1.4. CA Public Key delivery to Relying Parties</h4>
3592
3593 <p>
3594 The CA root certificates are distributed by these means:
3595 </p>
3596
3597 <ul>
3598 <li>
3599 Published on the website of CAcert,
3600 in both HTTP and HTTPS.
3601 </li>
3602 <li>
3603 Included in Third-Party Software such as
3604 Browsers, Email-Clients.
3605 Such suppliers are subject to the Third Party Vendor Agreement.
3606 </li>
3607 </ul>
3608
3609 <h4 id="p6.1.5">6.1.5. Key sizes</h4>
3610
3611 <p>
3612 No limitation is placed on Subscriber key sizes.
3613 </p>
3614
3615 <p>
3616 CAcert X.509 root and intermediate keys are currently 4096 bits.
3617 X.509 roots use RSA and sign with the SHA-1 message digest algorithm.
3618 See <a href="#p4.3.1">§4.3.1</a>.
3619 </p>
3620
3621 <p>
3622 OpenPGP Signing uses both RSA and DSA (1024 bits).
3623 </p>
3624
3625 <p>
3626 CAcert adds larger keys and hashes
3627 in line with general cryptographic trends,
3628 and as supported by major software suppliers.
3629 </p>
3630
3631
3632 <h4 id="p6.1.6">6.1.6. Public key parameters generation and quality checking</h4>
3633
3634 <p>
3635 No stipulation.
3636 </p>
3637
3638 <h4 id="p6.1.7">6.1.7. Key Usage Purposes</h4>
3639
3640
3641 <p>
3642 CAcert roots are general purpose.
3643 Each root key may sign for all of the general purposes:
3644 client, server and code.
3645 </p>
3646
3647 <p>
3648 The website controls the usage purposes that may be signed.
3649 This is effected by means of the 'template' system.
3650 </p>
3651
3652
3653 <h3 id="p6.2">6.2. Private Key Protection and Cryptographic Module Engineering Controls</h3>
3654
3655
3656
3657
3658 <h4 id="p6.2.1">6.2.1. Cryptographic module standards and controls</h4>
3659
3660 <p>
3661 SubRoot keys are stored on a single machine which acts
3662 as a Cryptographic Module, or <i>signing server</i>.
3663 It operates a single daemon for signing only.
3664 The signing server has these security features:
3665 </p>
3666
3667 <ul>
3668 <li>
3669 It is connected only by one
3670 dedicated (serial USB) link
3671 to the online account server.
3672 It is not connected to the network,
3673 nor to any internal LAN (ethernet),
3674 nor to a console switch.
3675 </li>
3676 <li>
3677 The protocol over the dedicated link is a custom, simple
3678 request protocol that only handles certificate signing requests.
3679 </li>
3680 <li>
3681 The daemon is designed not to reveal the key.
3682 </li>
3683 <li>
3684 The daemon incorporates a dead-man switch that monitors
3685 the one webserver machine that requests access.
3686 </li>
3687 <li>
3688 The daemon shuts down if a bad request is detected.
3689 </li>
3690 <li>
3691 The daemon resides on an encrypted partition.
3692 </li>
3693 <li>
3694 The signing server can only be (re)started with direct
3695 systems administration access.
3696 </li>
3697 <li>
3698 Physical Access to the signing server is under dual control.
3699 </li>
3700 </ul>
3701
3702 <p>
3703 See <a href="#p5">§5</a> and Security Policy 9.3.1.
3704 </p>
3705
3706 <p>
3707 (Hardware-based, commercial and standards-based cryptographic
3708 modules, and similar devices, have been tried and tested,
3709 but have been found wanting, e.g., for short key lengths and
3710 power restrictions.)
3711 </p>
3712
3713
3714 <h3 id="p6.3">6.3. Other aspects of key pair management</h3>
3715 <h4 id="p6.3.1">6.3.1. Public key archival</h4>
3716
3717 <p>
3718 Subscriber certificates, including public keys,
3719 are stored in the database backing the online system.
3720 They are not made available in a public- or subscriber-accessible
3721 archive, see §2.
3722 They are backed-up by CAcert's normal backup procedure,
3723 but their availability is a subscriber responsibility.
3724 </p>
3725
3726 <h4 id="p6.3.2">6.3.2. Certificate operational periods and key pair usage periods</h4>
3727
3728 <p>
3729 The operational period of a certificate and its key pair
3730 depends on the Assurance status of the Member,
3731 see <a href="#p1.4.5">§1.4.5</a> and Assurance Policy (<a href="http://www.cacert.org/policy/AssurancePolicy.php">COD13</a>).
3732 </p>
3733
3734 <p>
3735 The CAcert (top-level) Root certificate
3736 has a 30 year expiry.
3737 SubRoots have 10 years, and are to be rolled over more quickly.
3738 The key size of the root certificates is chosen
3739 to ensure optimum security for CAcert
3740 Members, based on current recommendations from the
3741 <a href="http://www.keylength.com/">cryptographic community</a>
3742 and the maximum limits in generally available software.
3743 At the time of writing this is 4096 bits.
3744 </p>
3745
3746 <h3 id="p6.4">6.4. Activation data</h3>
3747 <p> No stipulation. </p>
3748
3749 <h3 id="p6.5">6.5. Computer security controls</h3>
3750 <p>
3751 Refer to Security Policy.
3752 </p>
3753
3754 <h3 id="p6.6">6.6. Life cycle technical controls</h3>
3755 <p>
3756 Refer to SM7 "Software Development".
3757 </p>
3758
3759 <h3 id="p6.7">6.7. Network security controls</h3>
3760 <p>
3761 Refer to SM3.1 "Logical Security - Network".
3762 </p>
3763
3764 <h3 id="p6.8">6.8. Time-stamping</h3>
3765 <p>
3766 Each server synchronises with NTP.
3767 No "timestamping" service is currently offered.
3768 </p>
3769
3770 <!-- *************************************************************** -->
3771 <h2 id="p7">7. CERTIFICATE, CRL, AND OCSP PROFILES</h2>
3772
3773 <p>
3774 CAcert defines all the meanings, semantics and profiles
3775 applicable to issuance of certificates and signatures
3776 in its policies, handbooks and other documents.
3777 Meanings that may be written in external standards or documents
3778 or found in wider conventions are not
3779 incorporated, are not used by CAcert, and must not be implied
3780 by the Member or the Non-related Person.
3781 </p>
3782
3783 <h3 id="p7.1">7.1. Certificate profile</h3>
3784 <h4 id="p7.1.1">7.1.1. Version number(s)</h4>
3785
3786 <p>
3787 Issued X.509 certificates are of v3 form.
3788 The form of the PGP signatures depends on several factors, therefore there is no stipulation.
3789 </p>
3790
3791 <h4 id="p7.1.2">7.1.2. Certificate extensions</h4>
3792
3793 <p>
3794 Client certificates include the following extensions:
3795 </p>
3796 <ul>
3797
3798 <li>basicConstraints=CA:FALSE (critical)</li>
3799
3800 <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
3801
3802 <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
3803
3804 <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
3805
3806 <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
3807 with the URI where the certificate revocation list relating to the
3808 certificate is found</li>
3809
3810 <li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
3811 </ul>
3812
3813
3814 <p>
3815 Server certificates include the following extensions:
3816 </p>
3817 <ul>
3818
3819 <li>basicConstraints=CA:FALSE (critical)</li>
3820
3821 <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
3822
3823 <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
3824
3825 <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
3826
3827 <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
3828 with the URI where the certificate revocation list relating to the
3829 certificate is found</li>
3830
3831 <li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
3832 </ul>
3833
3834 <p>
3835 Code-Signing certificates include the following extensions:
3836 </p>
3837 <ul>
3838
3839 <li>basicConstraints=CA:FALSE (critical)</li>
3840
3841 <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
3842
3843 <li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
3844
3845 <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
3846
3847 <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
3848 with the URI where the certificate revocation list relating to the
3849 certificate is found</li>
3850
3851 <li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
3852 </ul>
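<p>
As an added conformance check, not part of this CPS or of CAcert's own code: a Python script that parses the X509v3 extensions block of <code>openssl x509 -text -noout</code> output and reports where an issued certificate deviates from the client, server or code-signing profile above (critical basicConstraints=CA:FALSE, critical keyUsage with exactly the three bits listed, and the exact extendedKeyUsage set for the profile). The long-name mapping follows what OpenSSL prints; the sample extension text is constructed for this example and is not a real CAcert certificate.
</p>

```python
import re
# CPS section 7.1.2 profiles in OpenSSL short names. basicConstraints (CA:FALSE) and
# keyUsage are critical and identical for all three; only extendedKeyUsage differs.
PROFILES = {"client": {"emailProtection", "clientAuth", "msEFS", "msSGC", "nsSGC"},
            "server": {"clientAuth", "serverAuth", "nsSGC", "msSGC"},
            "codesigning": {"emailProtection", "clientAuth", "codeSigning", "msCodeInd",
                            "msCodeCom", "msEFS", "msSGC", "nsSGC"}}
KEY_USAGE = {"digitalSignature", "keyEncipherment", "keyAgreement"}
LONG_TO_SHORT = {  # long names as printed by `openssl x509 -text -noout` -> short names
    "Digital Signature": "digitalSignature", "Key Encipherment": "keyEncipherment",
    "Key Agreement": "keyAgreement", "E-mail Protection": "emailProtection",
    "TLS Web Client Authentication": "clientAuth", "TLS Web Server Authentication": "serverAuth",
    "Code Signing": "codeSigning", "Microsoft Individual Code Signing": "msCodeInd",
    "Microsoft Commercial Code Signing": "msCodeCom", "Microsoft Encrypted File System": "msEFS",
    "Microsoft Server Gated Crypto": "msSGC", "Netscape Server Gated Crypto": "nsSGC",
}
def parse_extensions(text):
    """Map extension name -> (is_critical, set of short-name values) from openssl text."""
    exts, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^ {12}(\S[^:]*): ?(critical)?\s*$", line)
        if header:                                    # 12-space indent: name [+ critical]
            current = header.group(1)
            exts[current] = (header.group(2) == "critical", set())
        elif current and line.startswith(" " * 16):  # deeper indent: comma-separated values
            exts[current][1].update(LONG_TO_SHORT.get(v.strip(), v.strip()) for v in line.split(","))
    return exts
def check_profile(text, profile):
    """Return deviations from the CPS profile `profile`; an empty list means it conforms."""
    exts, problems = parse_extensions(text), []
    crit, vals = exts.get("X509v3 Basic Constraints", (False, set()))
    if not crit or "CA:FALSE" not in vals:
        problems.append("basicConstraints must be CA:FALSE and critical")
    crit, vals = exts.get("X509v3 Key Usage", (False, set()))
    if not crit or vals != KEY_USAGE:
        problems.append("keyUsage must be critical and exactly " + ",".join(sorted(KEY_USAGE)))
    eku = exts.get("X509v3 Extended Key Usage", (False, set()))[1]
    if eku != PROFILES[profile]:
        problems.append("extendedKeyUsage %s is not the %s profile" % (sorted(eku), profile))
    return problems
# Constructed sample (not a real CAcert certificate): a client certificate's extensions
# as `openssl x509 -text -noout` prints them (12-space names, 16-space values).
SAMPLE_CLIENT_TEXT = """\
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
"""
```

Run it against the text output of a certificate to audit issued certificates against the profile they were meant to carry; a client certificate wrongly carrying serverAuth, or a non-critical keyUsage, is reported as a deviation.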
3853
3854 <p>
3855 OpenPGP key signatures currently do not include extensions.
3856 In the future, a serial number might be included as an extension.
3857 </p>
3858
3859
3860 <h4 id="p7.1.3">7.1.3. Algorithm object identifiers</h4>
3861 <p>
3862 No stipulation.
3863 </p>
3864
3865 <h4 id="p7.1.4">7.1.4. Name forms</h4>
3866 <p>
3867 Refer to <a href="#p3.1.1">§3.1.1</a>.
3868 </p>
3869
3870 <h4 id="p7.1.5">7.1.5. Name constraints</h4>
3871 <p>
3872 Refer to <a href="#p3.1.1">§3.1.1</a>.
3873 </p>
3874
3875 <h4 id="p7.1.6">7.1.6. Certificate policy object identifier</h4>
3876 <p>
3877 The following OIDs are defined and should be incorporated
3878 into certificates:
3879 </p>
3880
3881 <table border="1" cellpadding="5">
3882 <tbody>
3883 <tr>
3884
3885 <td>
3886 OID
3887 </td>
3888
3889 <td>
3890 Type/Meaning
3891 </td>
3892
3893 <td>
3894 Comment
3895 </td>
3896