CPS (Certification Practice Statement) Version 7.9 © 2009 Cybertrust Japan Co., Ltd. Certification Practice Statement Version 7.9 Cybertrust Japan Co., Ltd.




    Revision History

    Version / Date / Reason for Revision

    5.4 / April 15, 2009
      ▪ Completely revised to comply with RFC 3647
      ▪ Reviewed legal matters, and followed the “Extended Validation Certificate Certification Practice Statement” (excluding provisions that are applied only to the SureServer EV Certificate)

    5.5 / April 5, 2010
      ▪ Added Cybertrust Japan Public CA G1 and Cybertrust Japan Public CA G2 as certification authorities

    5.6 / July 1, 2010
      ▪ Added description regarding sole proprietors

    5.7 / February 18, 2011
      ▪ Changed “5.1 Physical Security Controls” and “6.2.6 Private Key Transfer” in relation to remote storage locations
      ▪ Changed “5.1.9 Backup Site” pursuant to change of name of remote storage location to backup site

    5.8 / September 30, 2011
      ▪ Changes made pursuant to addition of certificate of Cybertrust Japan Public CA G2
      ▪ Included description of Serial Number of Certification Authority Certificate in “1.1 Overview”
      ▪ Changed “5.4.3 Audit Log Archival Period”

    5.9 / January 14, 2012
      ▪ Changes made pursuant to addition of SubjectAltName extension

    6.0 / February 27, 2012
      ▪ Changed URL of “2.2 Information to be Published”
      ▪ Changed “6.3.2 Valid Term of Key Pair”
      ▪ Changed Policies extension of SureServer Certificates in “Appendix B”

    6.1 / June 29, 2012
      ▪ Added “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as requirements in “1.1 Overview”
      ▪ Changed items to be screened in “1.4.1.1 SureServer Certificate” and “1.4.1.2 SureMail Certificate”
      ▪ Changed meaning of Organization Unit (OU) in “3.1.2.1 SureServer Certificate”
      ▪ Changed license of domain name to license of FQDN in “3.2.2.1 SureServer Certificate”
      ▪ Changed “4.1.1 Persons Who May Apply for Certificates”
      ▪ Changed “4.9.1.1 Reason of Revocation by Subscriber”
      ▪ Changed “4.9.1.2 Reason of Revocation by Certification Authority”
      ▪ Changed “5.4.3 Audit Log Archival Period”
      ▪ Changed “5.5.2 Record Archival Period”
      ▪ Changed “6.3.2 Valid Term of Key Pair”
      ▪ Changed “9.6.3 Representations and Warranties of Subscribers”
      ▪ Added “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” and “Fully-Qualified Domain Name (FQDN)” to “Appendix A”

    6.2 / November 14, 2012
      ▪ Changed “6.1.1 Generation of Key Pair”

    6.3 / December 19, 2012
      ▪ Made revision pursuant to start of operation of OCSP server

    6.4 / February 20, 2013
      ▪ Changed “SHA1” in “Appendix A” to “SHA1/SHA2”
      ▪ Added SureServer[SHA-2] certificate profile to “Appendix B”

    6.5 / May 1, 2013
      ▪ Changed “4.6 Certificate Renewal Not Involving Rekey”

    6.6 / June 24, 2013
      ▪ Changed certificate profile associated with issuance of Japanese (UTF8String) of the certificate DN information in “Appendix B”

    6.7 / August 2, 2013
      ▪ Added Cybertrust Japan Public CA G3 as a certification authority

    6.8 / November 15, 2013
      ▪ Made changes pursuant to termination of Cybertrust Japan Public CA, which is a certification authority of an older generation

    6.9 / January 6, 2014
      ▪ Made changes pursuant to the end of operation of Cybertrust Japan Public CA G1
      ▪ Made other corrections of descriptions and errors

    7.0 / April 14, 2014
      ▪ Made changes pursuant to the renewal of certificate of Cybertrust Japan Public CA G3


      ▪ Made other corrections of descriptions and errors

    7.1 / July 1, 2014
      ▪ Changed name of building of contact address
      ▪ Corrected typographical errors

    7.2 / February 2, 2015
      ▪ Added profile to “Appendix B” pursuant to dealing with Certificate Transparency
      ▪ Made other corrections of descriptions and errors

    7.3 / February 9, 2015
      ▪ Changed “3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation”
      ▪ Corrected error in reference numbers

    7.4 / March 30, 2015
      ▪ Added “4.2.4 CAA Record (Certification Authority Authorization Record) Procedures”

    7.5 / August 29, 2015
      ▪ Made changes pursuant to the period for accepting renewal requests

    7.6 / June 29, 2016
      ▪ Changed Business Days in "1.5.2 Contact Point"
      ▪ Changed keyUsage of SureServer [SHA-2] Certificates (Cybertrust Japan Public CA G3) in "Appendix B" to TRUE
      ▪ Made other corrections of descriptions

    7.7 / November 2, 2016
      ▪ SureMail Certificate Term in "6.3.2 Valid Term of Key Pair" has been changed to "less than 39 months"
      ▪ Made other corrections of descriptions

    7.8 / March 4, 2017
      ▪ Made changes pursuant to the renewal of certificate of Cybertrust Japan Public CA G3
      ▪ Removed the annotations on CT certificate in "Appendix B"
      ▪ Made other corrections of descriptions

    7.9 / April 28, 2017
      ▪ Made changes pursuant to the values that cannot be specified for the review of the Organization Unit (OU)
      ▪ "1.4.1.1 SureServer Certificate (iii)"
      ▪ Meaning of Organization Unit (OU) in DN section of “3.1.2.1 SureServer Certificate” and “3.1.2.2 SureMail Certificate”
      ▪ “4.9.1.1 Reason for Revocation by Subscriber (vi)”
      ▪ “4.9.1.2 Reason for Revocation by the Certification Authority (viii)”
      ▪ “9.6.3 Representations and Warranties of Subscribers (iv)”


    Contents

    1. INTRODUCTION
      1.1 OVERVIEW
      1.2 DOCUMENT NAME AND IDENTIFICATION
      1.3 PKI PARTICIPANTS
        1.3.1 Certification Authority
        1.3.2 Registration Authority
        1.3.3 Issuing Authority
        1.3.4 Subscriber
        1.3.5 Relying Party
        1.3.6 Other Participants
      1.4 CERTIFICATE USAGE
        1.4.1 Types of Certificates
        1.4.2 Appropriate Certificate Uses
        1.4.3 Prohibited Certificate Uses
      1.5 POLICY ADMINISTRATION
        1.5.1 Organization Administering Documents
        1.5.2 Contact Point
        1.5.3 Party to Determine Suitability of CPS
        1.5.4 Suitability Approval Procedures
      1.6 DEFINITIONS AND ACRONYMS

    2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
      2.1 ORGANIZATION TO CONTROL REPOSITORIES
      2.2 INFORMATION TO BE PUBLISHED
      2.3 TIMING AND FREQUENCY OF PUBLICATION
      2.4 ACCESS CONTROL ON REPOSITORIES

    3. IDENTIFICATION AND AUTHENTICATION
      3.1 NAMING
        3.1.1 Types of Names
        3.1.2 Need for Names to be Meaningful
        3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers
        3.1.4 Rules for Interpreting Various Name Forms
        3.1.5 Uniqueness of Names
        3.1.6 Recognition, Authentication, and Role of Trademarks
      3.2 INITIAL IDENTITY VALIDATION
        3.2.1 Method to Prove Possession of Private Key
        3.2.2 Verification of Subscribers
        3.2.3 Non-verified Subscriber Information
        3.2.4 Verification of Application Supervisor
        3.2.5 Interoperability Standards
      3.3 IDENTIFICATION AND AUTHENTICATION FOR KEY (CERTIFICATE) RENEWAL REQUEST
        3.3.1 Identification and Authentication upon Renewal for Routine Key (Certificate) Renewal
        3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation
      3.4 IDENTITY VALIDATION AND AUTHENTICATION UPON REVOCATION REQUEST

    4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
      4.1 CERTIFICATE APPLICATION
        4.1.1 Persons Who May Apply for Certificates
        4.1.2 Enrollment Process and Responsibilities
      4.2 CERTIFICATE APPLICATION PROCESSING
        4.2.1 Identity Validation and Execution of Certification Operations
        4.2.2 Approval or Rejection of Certificate Application
        4.2.3 Time Required for Certificate Application Procedures
        4.2.4 CAA Record (Certification Authority Authorization Record) Procedures
      4.3 CERTIFICATE ISSUANCE
        4.3.1 Certificate Issuance Procedures by Certification Authority
        4.3.2 Notification of Issuance of Certificate to Subscribers
      4.4 CERTIFICATE ACCEPTANCE
        4.4.1 Certificate Acceptance Verification Procedures
        4.4.2 Publication of Certificate by Certification Authority


        4.4.3 Notification of Issuance of Certificate by Certification Authority to Other Participants
      4.5 KEY PAIR AND CERTIFICATE USAGE
        4.5.1 Use of Private Key and Certificate by Subscriber
        4.5.2 Use of Subscriber's Public Key and Certificate by Relying Party
      4.6 CERTIFICATE RENEWAL NOT INVOLVING REKEY
        4.6.1 Requirements for Certificate Renewal Not Involving Key Renewal
        4.6.2 Persons Who May Request Renewal
        4.6.3 Renewal Request Procedures
        4.6.4 Notification of Issuance of Renewed Certificate
        4.6.5 Procedures for Accepting Renewed Certificate
        4.6.6 Publication of Renewed Certificate
        4.6.7 Notification of Issuance of Certificate by Certification Authority to Other Participants
      4.7 CERTIFICATE RENEWAL INVOLVING REKEY
        4.7.1 Requirements for Certificate Renewal Involving Rekey
        4.7.2 Persons Who May Request Renewal
        4.7.3 Rekey Application Procedures
        4.7.4 Notification of Issuance of Rekeyed Certificate
        4.7.5 Procedures for Accepting Rekeyed Certificate
        4.7.6 Publication of Rekeyed Certificate
        4.7.7 Notification of Issuance of Rekeyed Certificate to Other Participants
      4.8 MODIFICATION OF CERTIFICATE
        4.8.1 Requirements for Modification of Certificate
        4.8.2 Persons Who May Request Modification of Certificate
        4.8.3 Certificate Modification Procedures
        4.8.4 Notification of Issuance of Modified Certificate
        4.8.5 Procedures for Accepting Modified Certificate
        4.8.6 Publication of Modified Certificate
        4.8.7 Notification of Issuance of Modified Certificate to Other Participants
      4.9 CERTIFICATE REVOCATION AND SUSPENSION
        4.9.1 Revocation Requirements
        4.9.2 Persons Who May Request Revocation
        4.9.3 Revocation Request Procedures
        4.9.4 Grace Period up to Revocation Request
        4.9.5 Time Required for Certification Authority to Process Revocation
        4.9.6 Verification of Revocation by Relying Parties
        4.9.7 CRL Issue Cycle
        4.9.8 Maximum Delay Time up to CRL Issue
        4.9.9 Online Verification of Revocation Information
        4.9.10 Online Verification of Certificate Status
        4.9.11 Means for Providing Other Available Revocation Information
        4.9.12 Special Requirements for Compromise of Key
        4.9.13 Certificate Suspension Requirements
        4.9.14 Persons Who May Request Suspension
        4.9.15 Suspension Application Procedures
        4.9.16 Term of Suspension
      4.10 CERTIFICATE STATUS SERVICES
        4.10.1 Operational Features
        4.10.2 Service Level
        4.10.3 Other Requirements
      4.11 END OF SUBSCRIPTION (REGISTRATION)
      4.12 THIRD PARTY DEPOSIT OF KEY AND KEY RECOVERY
        4.12.1 Policy and Procedures for Key Deposit and Key Recovery
        4.12.2 Policy and Procedures for Capsulization and Recovery of Session Key

    5. MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS
      5.1 PHYSICAL SECURITY CONTROLS
        5.1.1 Site Location and Structure
        5.1.2 Physical Access
        5.1.3 Power and Air-conditioning Equipment
        5.1.4 Flood Control Measures
        5.1.5 Fire Control Measures
        5.1.6 Anti-earthquake Measures
        5.1.7 Medium Storage Site
        5.1.8 Waste Disposal


        5.1.9 Backup Site
      5.2 PROCEDURAL CONTROLS
        5.2.1 Relied Roles and Personnel
        5.2.2 Number of Personnel Required for Each Role
        5.2.3 Personal Identification and Validation of Each Role
        5.2.4 Roles Requiring Segregation of Duties
      5.3 PERSONNEL SECURITY CONTROLS
        5.3.1 Qualifications, Experience, Clearances
        5.3.2 Background Checks and Clearance Procedures
        5.3.3 Training Requirements and Procedures
        5.3.4 Retraining Period and Retraining Procedures
        5.3.5 Cycle and Order of Job Rotation
        5.3.6 Sanction against Unauthorized Actions
        5.3.7 Contract Requirements of Contract Employees
        5.3.8 Documents Available to Certification Authority Staff
      5.4 AUDIT LOGGING PROCEDURES
        5.4.1 Types of Events to be Recorded
        5.4.2 Audit Logging Frequency
        5.4.3 Audit Log Archival Period
        5.4.4 Audit Log Protection
        5.4.5 Audit Log Backup Procedures
        5.4.6 Audit Log Collection System
        5.4.7 Notification to Parties
        5.4.8 Vulnerability Assessment
      5.5 RECORDS ARCHIVAL
        5.5.1 Records to be Archived
        5.5.2 Record Archival Period
        5.5.3 Record Protection
        5.5.4 Record Backup Procedures
        5.5.5 Time-stamping
        5.5.6 Record Collecting System
        5.5.7 Record Acquisition and Validation Procedures
      5.6 KEY RENEWAL OF CERTIFICATION AUTHORITY
      5.7 COMPROMISE AND DISASTER RECOVERY
        5.7.1 Compromise and Disaster Recovery Procedures
        5.7.2 Procedures upon System Resource Failure
        5.7.3 Procedures upon Compromise of Subscriber's Private Key
        5.7.4 Business Continuity upon Disasters
      5.8 TERMINATION OF CERTIFICATION AUTHORITY OPERATIONS

    6. TECHNICAL SECURITY CONTROLS
      6.1 KEY PAIR GENERATION AND INSTALLATION
        6.1.1 Key Pair Generation
        6.1.2 Delivery of Subscriber's Private Key
        6.1.3 Delivery of Subscriber's Private Key to Certification Authority
        6.1.4 Delivery of Certification Authority Private Key to Relying Parties
        6.1.5 Key Length
        6.1.6 Public Key Parameter Generation and Inspection
        6.1.7 Key Usage
      6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
        6.2.1 Cryptographic Module Standards and Controls
        6.2.2 Private Key Controls by Multiple Persons
        6.2.3 Private Key Deposit
        6.2.4 Private Key Backup
        6.2.5 Private Key Archive
        6.2.6 Private Key Transfer
        6.2.7 Private Key Storage in Cryptographic Module
        6.2.8 Private Key Activation
        6.2.9 Private Key Non-activation
        6.2.10 Private Key Destruction
        6.2.11 Cryptographic Module Assessment
      6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT
        6.3.1 Storage of Public Key
        6.3.2 Valid Term of Key Pair


    6.4 ACTIVATION DATA
      6.4.1 Generation and Setting of Activation Data
      6.4.2 Activation Data Protection and Controls

    6.5 COMPUTER SECURITY CONTROLS
      6.5.1 Technical Requirements of Computer Security
      6.5.2 Computer Security Assessment

    6.6 LIFE CYCLE SECURITY CONTROLS
      6.6.1 System Development Controls
      6.6.2 Security Operation Controls
      6.6.3 Life Cycle Security Controls

    6.7 NETWORK SECURITY CONTROLS
    6.8 TIME-STAMPING

    7. CERTIFICATE, CRL AND OCSP PROFILES

    7.1 CERTIFICATE PROFILE
      7.1.1 Version No.
      7.1.2 Certificate Extensions
      7.1.3 Algorithm Object Identifier
      7.1.4 Name Format
      7.1.5 Name Restrictions
      7.1.6 Certificate Policy Object Identifier
      7.1.7 Use of Policy Constraint Extensions
      7.1.8 Construction and Meaning of Policy Modifier
      7.1.9 Processing Method of Certificate Policy Extensions

    7.2 CRL PROFILE
      7.2.1 Version No.
      7.2.2 CRL, CRL Entry Extension

    7.3 OCSP PROFILE
      7.3.1 Version No.
      7.3.2 OCSP Extension

    8. COMPLIANCE AUDIT AND OTHER ASSESSMENT

    8.1 AUDIT FREQUENCY AND REQUIREMENTS
    8.2 AUDITOR REQUIREMENTS
    8.3 RELATION OF AUDITOR AND AUDITEE
    8.4 SCOPE OF AUDIT
    8.5 MEASURES AGAINST IDENTIFIED MATTERS
    8.6 DISCLOSURE OF AUDIT RESULTS

    9. OTHER BUSINESS AND LEGAL MATTERS

    9.1 FEES
    9.2 FINANCIAL RESPONSIBILITY
    9.3 CONFIDENTIALITY OF BUSINESS INFORMATION
      9.3.1 Scope of Confidential Information
      9.3.2 Information Outside Scope of Confidential Information
      9.3.3 Responsibility of Protecting Confidential Information

    9.4 PROTECTION OF PERSONAL INFORMATION
      9.4.1 Privacy Policy
      9.4.2 Information Handled as Personal Information
      9.4.3 Information not Deemed Personal Information
      9.4.4 Responsibility of Protecting Personal Information
      9.4.5 Notification to and Consent from Individuals on Use of Personal Information
      9.4.6 Disclosure based on Judicial or Administrative Procedures
      9.4.7 Other Cases of Information Disclosure

    9.5 INTELLECTUAL PROPERTY RIGHTS
    9.6 REPRESENTATIONS AND WARRANTIES
      9.6.1 Representations and Warranties of Issuing Authority
      9.6.2 Representations and Warranties of Registration Authority
      9.6.3 Representations and Warranties of Subscribers
      9.6.4 Representations and Warranties of Relying Parties
      9.6.5 Representations and Warranties of Other Participants

    9.7 DISCLAIMERS OF WARRANTIES
    9.8 LIMITATIONS OF LIABILITY
    9.9 INDEMNITIES


    9.10 TERM OF DOCUMENT AND TERMINATION
      9.10.1 Term of Document
      9.10.2 Termination
      9.10.3 Influence of Termination and Surviving Provisions

    9.11 INDIVIDUAL NOTIFICATIONS AND COMMUNICATIONS WITH PARTICIPANTS
    9.12 AMENDMENTS
      9.12.1 Amendment Procedures
      9.12.2 Notification Method and Period
      9.12.3 Modification of Object Identifier

    9.13 DISPUTE RESOLUTION PROCEDURES
    9.14 GOVERNING LAW
    9.15 COMPLIANCE WITH APPLICABLE LAW
    9.16 MISCELLANEOUS PROVISIONS
      9.16.1 Entire Agreement
      9.16.2 Assignment of Rights
      9.16.3 Severability
      9.16.4 Enforceability
      9.16.5 Force Majeure

    APPENDIX A: LIST OF DEFINITIONS

    APPENDIX B: PROFILE OF CERTIFICATE


    1. Introduction

    1.1 Overview

    Cybertrust Japan Co., Ltd. ("Cybertrust") will issue SureServer Certificates and SureMail Certificates (unless separately provided for herein, "certificate(s)").

    The SureServer Certificate is an SSL server certificate used to certify servers and network devices when performing SSL/TLS communication.

    The SureMail Certificate is a certificate for S/MIME signatures used to certify organizations sending emails.

    A subscriber's certificate is issued by the certification authority operated by Cybertrust. Unless separately provided for herein, the term "Certification Authority" as used herein shall include Cybertrust Japan Public CA G3 and Cybertrust Japan Public CA G2.

    The Certification Authority has been certified by the Root CA operated by DigiCert.

    Name of Certification Authority: Cybertrust Japan Public CA G3
    Serial Number of Certification Authority Certificate: 054340d0a2c4cc8111faa8377d46e06f
    Valid Term of Certification Authority Certificate: November 15, 2016 to May 10, 2025
    Signature System: SHA2 with RSA
    Key Length of Certification Authority: 2048 bit
    Certificates to be Issued to Subscriber: SureServer Certificate
    Root CA: Baltimore CyberTrust Root

    Name of Certification Authority: Cybertrust Japan Public CA G3
    Serial Number of Certification Authority Certificate: 0727a276
    Valid Term of Certification Authority Certificate: February 28, 2014 to June 10, 2020
    Signature System: SHA2 with RSA
    Key Length of Certification Authority: 2048 bit
    Certificates to be Issued to Subscriber: SureServer Certificate, SureMail Certificate
    Root CA: Baltimore CyberTrust Root

    Name of Certification Authority: Cybertrust Japan Public CA G3
    Serial Number of Certification Authority Certificate: 07279ca5
    Valid Term of Certification Authority Certificate: January 23, 2014 to June 10, 2020
    Signature System: SHA1 with RSA
    Key Length of Certification Authority: 2048 bit
    Certificates to be Issued to Subscriber: SureServer Certificate, SureMail Certificate
    Root CA: Baltimore CyberTrust Root


    Name of Certification Authority: Cybertrust Japan Public CA G3
    Serial Number of Certification Authority Certificate: 07278728
    Valid Term of Certification Authority Certificate: May 9, 2013 to June 9, 2020
    Signature System: SHA1 with RSA
    Key Length of Certification Authority: 2048 bit
    Certificates to be Issued to Subscriber: SureServer Certificate, SureMail Certificate
    Root CA: Baltimore CyberTrust Root

    Name of Certification Authority: Cybertrust Japan Public CA G2
    Serial Number of Certification Authority Certificate: 07275c26
    Valid Term of Certification Authority Certificate: August 19, 2011 to August 10, 2018
    Signature System: SHA1 with RSA
    Key Length of Certification Authority: 2048 bit
    Certificates to be Issued to Subscriber: SureServer Certificate, SureMail Certificate
    Root CA: Baltimore CyberTrust Root

    Name of Certification Authority: Cybertrust Japan Public CA G2
    Serial Number of Certification Authority Certificate: 0727238d
    Valid Term of Certification Authority Certificate: March 4, 2010 to March 25, 2017
    Signature System: SHA1 with RSA
    Key Length of Certification Authority: 2048 bit
    Certificates to be Issued to Subscriber: SureServer Certificate, SureMail Certificate
    Root CA: Baltimore CyberTrust Root

    The Certification Authority complies with the following rules, laws and ordinances in order to issue certificates:

    (i) Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates;

    (ii) Certification Practice Statement;

    (iii) agreement concerning signature based on DigiCert's Root CA; and

    (iv) laws of Japan that are applicable to the operations to be performed by the Certification Authority established in Japan.

    The Certification Authority complies with the latest version of the Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates (the "Baseline Requirements") published at http://www.cabforum.org. If there is any discrepancy between this "Certification Practice Statement" (this "CPS") and the Baseline Requirements, the Baseline Requirements shall prevail.

    This CPS prescribes the requirements for the Certification Authority to issue certificates. The requirements include obligations of the Certification Authority, obligations of subscribers, and obligations of relying parties.


    In specifying the various requirements in this CPS, the Certification Authority shall adopt RFC 3647 "Certificate Policy and Certification Practices Framework" set forth by the IETF PKIX Working Group. RFC 3647 is an international guideline that sets forth the framework of a CPS or CP.

    Matters in the respective provisions of this CPS, which follow the framework of RFC 3647, that do not apply to the Certification Authority will be indicated as "Not applicable".

    The Certification Authority will not individually prescribe a policy for each subscriber certificate ("CP"), and this CPS shall include the respective CPs.

    1.2 Document Name and Identification

    The official name of this CPS shall be the "Certification Practice Statement".

    1.3 PKI Participants

    The PKI Participants described in this CPS are set forth below. Each of the relevant parties must observe the obligations set forth in this CPS.

    1.3.1 Certification Authority

    The Certification Authority is as set forth in "1.1 Overview" of this CPS. The Certification Authority is composed of an Issuing Authority and a Registration Authority. The Certification Authority shall be governed by the Certification Authority Supervisor set forth in "5.2.1 Relied Roles and Personnel" of this CPS, and shall approve this CPS.

    1.3.2 Registration Authority

    The Registration Authority is operated by Cybertrust. It accepts applications for certificates from subscribers and screens the applications based on this CPS. Based on the screening results, the Registration Authority instructs the Issuing Authority to issue or revoke the certificates of subscribers, or dismisses the applications.

    1.3.3 Issuing Authority

    The Issuing Authority is operated by Cybertrust, and issues or revokes certificates of subscribers based on instructions from the Registration Authority. The Issuing Authority also controls the private key of the Certification Authority based on this CPS.

    1.3.4 Subscriber

    A subscriber is an organization or a sole proprietor that applies for a certificate with the Certification Authority, and uses the certificate based on this CPS and the subscriber agreement.

    A person who is responsible for applying for a subscriber's certificate is referred to as an application supervisor. A subscriber must appoint an application supervisor from among persons affiliated with the subscriber's organization.

    Persons affiliated with the subscriber who may apply for a certificate with the Certification Authority shall be limited to the application supervisor, or a procedural manager who is authorized by the application supervisor to submit an application. The procedural manager may be appointed from among persons inside or outside the subscriber's organization. When the procedural manager is appointed from outside, the procedural manager may be an individual or an organization. A procedural manager appointed from among persons outside the subscriber's organization may be defined as the "Applicant's Agent" in the subscriber agreement and other rules.

    1.3.5 Relying Party

    A relying party is an organization or an individual that verifies the validity of the certificates of the Certification Authority and subscribers, and relies on the certificates of the Certification Authority and subscribers based on its own judgment.

    1.3.6 Other Participants

    Not applicable.


    1.4 Certificate Usage

    1.4.1 Types of Certificates

    The Certification Authority will issue the following certificates to subscribers.

    1.4.1.1 SureServer Certificate

    The SureServer Certificate certifies a subscriber's server or network device, and enables SSL/TLS encrypted communication between such server or network device and a relying party's client device. Upon issuing a SureServer Certificate, the Registration Authority shall screen the following matters based on this CPS:

    (i) legal or physical existence of subscribers;

    (ii) a subscriber has the right to use the Fully-Qualified Domain Name ("FQDN") included in the SureServer Certificate;

    (iii) none of the following information is included in the organizational unit (OU):

        (a) FQDN;

        (b) a value containing a character string that indicates the corporate status such as "CO., Ltd." or "Co. Ltd.";

        (c) address (i.e., the value indicating a location);

        (d) a name, company name, or trademark that belongs to another party and not to the Applicant;

        (e) symbols including a dot, hyphen, space, and the equivalent, as well as a character string consisting solely of spaces or a combination of symbols and/or spaces; or,

        (f) a character string that indicates "not applicable," "incomplete," "blank," and the equivalent, such as "NULL," "unknown," or "N/A";

    (iv) employment of an application supervisor;

    (v) acceptance of the subscriber agreement;

    (vi) approval of the application supervisor for the procedural manager to submit an application; and

    (vii) high risk status, etc.*

    *The following will be surveyed as the high risk status, etc.:

    ▪ past phishing cases; and

    ▪ records of applications that were dismissed or records of certificates that were revoked by the Certification Authority in the past due to suspicion of phishing and other fraudulent acts.

    If, based on the foregoing survey, there is suspicion of fraudulent use of a certificate for which an application was submitted with the Certification Authority, the Certification Authority shall perform additional screening that it deems appropriate as needed.
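The OU screening in item (iii) above can be partly automated as a pre-check before manual review. The following is an added example, not part of this CPS and not Cybertrust's own tooling: the `Subject` type, the `ScreenOU` function, the regular expressions and the extra corporate-status forms are assumptions, and rule (d) (third-party names and trademarks) is left to manual screening because it needs external data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Subject holds the DN fields the OU check needs (hypothetical type).
type Subject struct {
	OU, Locality, State string
}

var (
	// (a) Heuristic FQDN: dot-joined labels ending in an alphabetic TLD.
	fqdnRe = regexp.MustCompile(`(?i)\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b`)
	// (b) Corporate-status strings. "Co., Ltd." and "Co. Ltd." come from the CPS;
	// the other forms are assumed additions.
	corpRe = regexp.MustCompile(`(?i)\b(?:co\.?\s*,?\s*ltd|inc|corp(?:oration)?)\b|株式会社`)
	// (e) Nothing but punctuation, symbols and spaces (Unicode-aware).
	symbolsOnlyRe = regexp.MustCompile(`^[\p{P}\p{S}\p{Z}\s]+$`)
)

// (f) Placeholder words named in the CPS, compared case-insensitively.
var placeholders = map[string]bool{
	"null": true, "unknown": true, "n/a": true,
	"not applicable": true, "incomplete": true, "blank": true,
}

// ScreenOU returns the letters of the rules in 1.4.1.1 (iii) that the OU
// value appears to violate. An empty result means "no automated finding",
// not "approved": rule (d) and borderline cases still need a human.
func ScreenOU(s Subject) []string {
	if s.OU == "" {
		return nil // OU is a voluntary item; an absent OU is fine
	}
	if symbolsOnlyRe.MatchString(s.OU) {
		return []string{"e"}
	}
	ou := strings.ToLower(strings.TrimSpace(s.OU))
	var hits []string
	if fqdnRe.MatchString(ou) {
		hits = append(hits, "a")
	}
	if corpRe.MatchString(ou) {
		hits = append(hits, "b")
	}
	// (c) Treat an OU that repeats the DN's own locality or state as an address.
	for _, loc := range []string{s.Locality, s.State} {
		loc = strings.ToLower(strings.TrimSpace(loc))
		if loc != "" && strings.Contains(ou, loc) {
			hits = append(hits, "c")
			break
		}
	}
	if placeholders[ou] {
		hits = append(hits, "f")
	}
	return hits
}

func main() {
	// Constructed sample values, not taken from real applications.
	samples := []Subject{
		{OU: "Sales Division", Locality: "Sapporo", State: "Hokkaido"},
		{OU: "www.example.co.jp", Locality: "Sapporo", State: "Hokkaido"},
		{OU: "Example Co., Ltd.", Locality: "Sapporo", State: "Hokkaido"},
		{OU: "Sapporo Office", Locality: "Sapporo", State: "Hokkaido"},
		{OU: " - . ", Locality: "Sapporo", State: "Hokkaido"},
		{OU: "N/A", Locality: "Sapporo", State: "Hokkaido"},
	}
	for _, s := range samples {
		fmt.Printf("%-22q -> %v\n", s.OU, ScreenOU(s))
	}
}
```

The FQDN pattern is deliberately broad, so values such as product names containing a dot are flagged for a human to look at rather than silently accepted.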

    1.4.1.2 SureMail Certificate

    The SureMail Certificate certifies organizations sending emails, and enables S/MIME signatures. Upon issuing a SureMail Certificate, the Registration Authority shall survey the following matters based on this CPS:

    (i) legal or physical existence of subscribers;

    (ii) a subscriber has the right to use the domain name included in the SureMail Certificate;

    (iii) value described in "1.4.1.1 SureServer Certificate (iii)" in this CPS is not included in the organization unit (OU) of the certificate;

    (iv) employment of application supervisor;

    (v) acceptance of the subscriber agreement; and


    (vi) approval of the application supervisor for the procedural manager to submit an application.

    1.4.2 Appropriate Certificate Uses

    Uses of a subscriber's certificate shall be as set forth below.

    1.4.2.1 SureServer Certificate

    (i) Certification of devices (server, network device, etc.) in which the SureServer Certificate is to be used; and

    (ii) SSL or TLS encrypted communication.

    1.4.2.2 SureMail Certificate

    (i) Certification of organizations using the SureMail Certificate; and

    (ii) S/MIME signature.

    1.4.3 Prohibited Certificate Uses

    The Certification Authority prohibits the use of certificates for any purpose other than as set forth in "1.4.2 Appropriate Certificate Uses" of this CPS.

    1.5 Policy Administration

    1.5.1 Organization Administering Documents

    This CPS and the subscriber agreement will be administered by the Certification Authority.

    1.5.2 Contact Point

    The Certification Authority will accept inquiries related to the services provided by Cybertrust and this CPS at the following contact information.

    Contact Information

    Cybertrust Japan Co., Ltd. SureServer Section or SureMail Section
    Address: 13F SE Sapporo Bldg., 1-1-2 Kita 7-jo Nishi, Kita-ku, Sapporo-shi 060-0807
    Tel: 011-708-5283
    Business Days: Monday to Friday (excluding national holidays and December 29 to January 4)
    Business Hours: 9:00 to 18:00
    Inquiries and complaints: As indicated below

    Description:

    ▪ Inquiries regarding the application process for issuance and technical inquiries

    ▪ Inquiries regarding revocation requests and application process

    ▪ Inquiries regarding problems with certificates or upon discovery of fraudulent certificates

    ▪ Communication of other complaints

    ▪ Other inquiries regarding this CPS, etc.

    Address:

    SureServer: [email protected]

    SureMail: [email protected]

    1.5.3 Party to Determine Suitability of CPS

    Certificates of the Certification Authority will be issued by the Root CA operated by DigiCert. In order to receive the issuance of a certificate from the Root CA, this CPS must comply with the matters requested by DigiCert. DigiCert will assess and determine the suitability of this CPS.


    1.5.4 Suitability Approval Procedures

    The suitability described in "1.5.3 Party to Determine Suitability of CPS" of this CPS shall go through an external audit, and then be approved by DigiCert.

    1.6 Definitions and Acronyms

    As prescribed in Appendix A of this CPS.


    2. Publication and Repository Responsibilities

    2.1 Organization to Control Repositories

    Repositories of the Certification Authority will be controlled by Cybertrust.

    2.2 Information to be Published

    The Certification Authority will publish the repositories as follows.

    Publish the following information on https://www.cybertrust.ne.jp/ssl/repository/index.html:

    ▪ this CPS;

    ▪ subscriber agreement; and

    ▪ other terms and conditions regarding the services of the Certification Authority (the "Related Rules")

    Publish the following information on http://sureseries-crl.cybertrust.ne.jp/SureServer/ctjpubcag2/cdp.crl and http://sureseries-crl.cybertrust.ne.jp/SureServer/ctjpubcag3/cdp.crl:

    ▪ Certificate revocation list ("CRL") of the SureServer Certificates issued by the Certification Authority

    Publish the following information on http://sureseries-crl.cybertrust.ne.jp/SureMail/ctjpubcag2/cdp.crl and http://sureseries-crl.cybertrust.ne.jp/SureMail/ctjpubcag3/cdp.crl:

    ▪ CRL of the SureMail Certificates issued by the Certification Authority

    Publish the following information on https://www.cybertrust.ne.jp/sureserver/support/download_ca.html:

    ▪ Certificates of the Certification Authority

    2.3 Timing and Frequency of Publication

    The timing and frequency of publication of the information to be published by the Certification Authority shall be as follows, save for cases where repository maintenance or the like is required; the CRL, however, shall be published 24 hours a day:

    (i) this CPS, the subscriber agreement, and the Related Rules shall be published each time they are amended;

    (ii) the CRL shall be renewed according to the cycle prescribed in "4.9.7 CRL Issue Cycle" of this CPS and then published; and

    (iii) the certificates of the Certification Authority shall be published at least during the effective period.

    2.4 Access Control on Repositories

    The Certification Authority shall not perform special access control on the repositories.


    3. Identification and Authentication

    3.1 Naming

    3.1.1 Types of Names

    Subscribers will be identified based on the X.500 Distinguished Name ("DN") in the certificate.

    3.1.2 Need for Names to be Meaningful

    The names included in the DN of the certificate shall have the meanings set forth in the following paragraphs.

    3.1.2.1 SureServer Certificate

    DN Item: Meaning

    Common Name: Complete host name of the server or network device that uses the certificate
    Organization: Name of organization of subscriber or name of sole proprietor
    Organization Unit (voluntary item): Business division, service, trade name (for sole proprietors), etc. None of the values described in "1.4.1.1 SureServer Certificate (iii)" in this CPS may be included.
    Locality: Address of business location or address of sole proprietor (locality)
    State or Province: Address of business location or address of sole proprietor (state or province)
    Country: Address of business location or address of sole proprietor (country)

    3.1.2.2 SureMail Certificate

    DN Item: Meaning

    Common Name: Name in which the values (text, numbers, symbols, etc.) on the left of @ of the email address that uses the certificate are added to the subscriber's name
    Organization: Name of organization of subscriber or name of sole proprietor
    Organization Unit (voluntary item): Business division, service, trade name, etc. Same restriction as for the SureServer Certificate.
    Locality: Address of business location or address of sole proprietor (locality)
    State or Province: Address of business location or address of sole proprietor (state or province)
    Country: Address of business location or address of sole proprietor (country)


    3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers

    Not applicable.

    3.1.4 Rules for Interpreting Various Name Forms

    Rules for interpreting the DN form of certificates issued by the Certification Authority shall be pursuant to X.500.

    3.1.5 Uniqueness of Names

    The certificates issued by the Certification Authority can uniquely identify a subscriber based on the DN.

    3.1.6 Recognition, Authentication, and Role of Trademarks

    The Certification Authority does not verify, via screening, the copyrights, trade secrets, trademark rights, utility model rights, patent rights and other intellectual property rights (including, but not limited to, rights for obtaining patents and other intellectual properties; simply "Intellectual Property Rights") upon issuing a subscriber's certificate.

    3.2 Initial Identity Validation

    3.2.1 Method to Prove Possession of Private Key

    3.2.1.1 SureServer Certificate

    A certificate issuance request ("CSR"), which constitutes a part of the application information from a subscriber, includes a public key and a digital signature generated with the private key corresponding to that public key.

    The Certification Authority will verify the digital signature by using the public key included in the CSR and thereby validate that the digital signature was signed using the subscriber's private key, and determine that the subscriber is in possession of the private key.
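The check described in 3.2.1.1, shown with Go's standard `crypto/x509` package. This is an added example, not part of this CPS and not the Certification Authority's own implementation: the function names, the RSA 2048 key choice and the subject values are assumptions, and the CSR is constructed in-process so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// NewCSR plays the subscriber: it generates a key pair and returns a PEM CSR
// that carries the public key and is signed with the matching private key.
func NewCSR(fqdn string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{ // constructed sample subject
			CommonName:   fqdn,
			Organization: []string{"Example Org"},
			Country:      []string{"JP"},
		},
		DNSNames:           []string{fqdn},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// VerifyPossession plays the CA: it parses the CSR and verifies its signature
// with the public key embedded in the same CSR. Success shows that whoever
// built the request held the private key for that public key, and that the
// signed fields (subject, SANs, key) were not changed afterwards.
func VerifyPossession(pemCSR []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	// Parsing alone does not check the signature; this call does.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// AlteredCopy is a test fixture: it swaps one name for another of equal
// length inside the signed bytes without re-signing, so the DER structure
// stays valid but the signature no longer covers the content.
func AlteredCopy(pemCSR []byte, from, to string) ([]byte, error) {
	if len(from) != len(to) {
		return nil, errors.New("names must have equal length to keep DER lengths valid")
	}
	block, _ := pem.Decode(pemCSR)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	der := bytes.ReplaceAll(block.Bytes, []byte(from), []byte(to))
	return pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der}), nil
}

func main() {
	csrPEM, err := NewCSR("www.example.com")
	if err != nil {
		panic(err)
	}
	csr, err := VerifyPossession(csrPEM)
	fmt.Println("original CSR:", csr.Subject.CommonName, "error:", err)

	altered, err := AlteredCopy(csrPEM, "www.example.com", "www.examp1e.com")
	if err != nil {
		panic(err)
	}
	_, err = VerifyPossession(altered)
	fmt.Println("altered CSR rejected:", err)
}
```

The signature check proves possession of the key only; whether the subscriber may use the FQDN in the request is a separate verification under 3.2.2.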

    3.2.1.2 SureMail Certificate

    The Certification Authority shall generate a subscriber's private key on behalf of the subscriber. As set forth in "6.1.2.2 SureMail Certificate" of this CPS, ownership of the private key will be transferred from the Certification Authority to the subscriber at the time that the Certification Authority delivers the private key to the subscriber and the subscriber accepts the private key.

    3.2.2 Verification of Subscribers

    3.2.2.1 SureServer Certificate

    The Certification Authority shall screen and verify the matters set forth in "1.4.1.1 SureServer Certificate" of this CPS.

    In verifying the subscriber, the Certification Authority shall use public documents and data, documents and data provided by a third party that is deemed reliable by the Certification Authority, or documents and data provided by the subscriber, as well as make inquiries to an appropriate individual affiliated with the subscriber or the organization configuring the subscriber. Moreover, the Certification Authority shall visit the subscriber and conduct an on-site survey as needed.

    However, when there are documents or data that were received from the subscriber or documents or data that were independently obtained by the Certification Authority during the period that was posted on the website by Cybertrust or the period notified to the subscriber, and such documents or data have been screened by the Certification Authority, the Certification Authority shall not request the resubmission of such documents or data.

    Moreover, when a subscriber is to apply for a SureServer Certificate with a domain name owned by a third party, the Certification Authority shall verify with the organization or individual that owns the domain name whether the FQDN has been licensed to the subscriber.

    Details regarding the verification procedures to be requested to subscribers shall be posted on

    Cybertrust's website or notified individually to the subscribers.

    3.2.2.2 SureMail Certificate

    The Certification Authority shall screen and verify the matters set forth in "1.4.1.2 SureMail Certificate"

    of this CPS. The provisions of "3.2.2.1 SureServer Certificate" of this CPS shall apply correspondingly

    to the verification method.

    3.2.3 Non-verified Subscriber Information

    3.2.3.1 SureServer Certificate

    The Certification Authority will not verify the truthfulness and accuracy of the information described in

    the subscriber's organization unit (OU).

    3.2.3.2 SureMail Certificate

    The same as "3.2.3.1 SureServer Certificate" of this CPS.

    3.2.4 Verification of Application Supervisor

    3.2.4.1 SureServer Certificate

    The Certification Authority shall verify the employment of the application supervisor and the authority

    to submit an application on behalf of the subscriber. The Certification Authority shall additionally

    verify that the application supervisor has accepted the subscriber agreement and approved the filing of

    an application by the procedural manager by way of callback or means equivalent to callback. The

    phone number to be used for the callback shall be a number provided by a third party or a number

    included in the documents or data which were provided by the subscriber and have been deemed to be

    reliable by the Certification Authority.

    3.2.4.2 SureMail Certificate

    The same as "3.2.4.1 SureServer Certificate" of this CPS.

    3.2.5 Interoperability Standards

    Not applicable.

    3.3 Identification and Authentication for Key (Certificate) Renewal Request

    3.3.1 Identification and Authentication upon Renewal for Routine Key (Certificate) Renewal

    3.3.1.1 SureServer Certificate

    The provisions of "3.2 Initial Identity Validation" of this CPS shall apply correspondingly.

    3.3.1.2 SureMail Certificate

    The provisions of "3.2 Initial Identity Validation" of this CPS shall apply correspondingly.

    3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation

    3.3.2.1 SureServer Certificate

    To be performed based on the same procedures as "3.2 Initial Identity Validation" of this CPS.

    However, when it is verified that the public key, certification information and expiration date included

    in the CSR of the re-issuance application coincide with the certificate of the re-issuer, verification based

    on "3.2 Initial Identity Validation" of this CPS will not be performed, and a certificate shall be issued

    based on the verification of the foregoing coincidence.

    3.3.2.2 SureMail Certificate

    The same as "3.3.2.1 SureServer Certificate" of this CPS.

    3.4 Identity Validation and Authentication upon Revocation Request

    3.4.1.1 SureServer Certificate

    When the Certification Authority receives a revocation request from a subscriber via email, the

    Certification Authority shall verify the identity of the person who submitted the application, that such

    person is authorized to submit an application, and the reason of revocation. As the verification method,

    the Certification Authority shall compare the information notified to the Certification Authority upon

    application for issuance of a SureServer Certificate and the information only known to the Certification

    Authority and the subscriber.

    Upon receiving a revocation request for a SureServer Certificate of a specific subscriber other than the

    subscriber of that SureServer Certificate, the Certification Authority shall survey the reason of

    revocation and verify with the subscriber.

    When the reason for revocation in the revocation request from a subscriber or a party other than that

    subscriber corresponds to a revocation event set forth in the subscriber agreement of the SureServer

    Certificate, the Certification Authority shall revoke the SureServer Certificate upon notifying the

    subscriber.

    The email address to be used for the revocation request is indicated in "1.5.2 Contact Point" and

    Cybertrust's website.

    3.4.1.2 SureMail Certificate

    The provisions of "3.4.1.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4. Certificate Life-Cycle Operational Requirements

    4.1 Certificate Application

    4.1.1 Persons Who May Apply for Certificates

    4.1.1.1 SureServer Certificate

    Persons who may apply for a SureServer Certificate with the Certification Authority shall only be the

    application supervisor, or a procedural manager who was authorized by the application supervisor to

    submit an application.

    Appointment of the application supervisor or the procedural manager shall be pursuant to the provisions

    of "1.3.4 Subscriber" of this CPS.

    The Certification Authority's verification of a subscriber's intent to submit an application shall be

    answered by the application supervisor or a person affiliated with the subscriber who was authorized

    by the application supervisor.

    4.1.1.2 SureMail Certificate

    The provisions of "4.1.1.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.1.2 Enrollment Process and Responsibilities

    4.1.2.1 SureServer Certificate

    A subscriber shall apply for a SureServer Certificate upon accepting this CPS and the subscriber

    agreement. Upon filing an application, a subscriber is responsible for providing true and accurate

    information to the Certification Authority.

    The method of applying for a certificate will be posted on Cybertrust's website. Moreover, the method

    of applying for a SureServer Certificate based on SureHandsOn provided by Cybertrust will be posted

    on its website or explained individually to subscribers.

    4.1.2.2 SureMail Certificate

    A subscriber shall apply for a SureMail Certificate upon accepting this CPS and the subscriber

    agreement. Upon filing an application, a subscriber is responsible for providing true and accurate

    information to the Certification Authority.

    The method of applying for a SureMail Certificate will be explained individually to subscribers.

    4.2 Certificate Application Processing

    4.2.1 Identity Validation and Execution of Certification Operations

    4.2.1.1 SureServer Certificate

    To be performed by the Registration Authority of the Certification Authority based on the same

    procedures as "3.2 Initial Identity Validation" of this CPS.

    4.2.1.2 SureMail Certificate

    The same as "4.2.1.1 SureServer Certificate" of this CPS.

    4.2.2 Approval or Rejection of Certificate Application

    4.2.2.1 SureServer Certificate

    When all requirements prescribed in "3.2 Initial Identity Validation" of this CPS are confirmed, the

    Registration Authority of the Certification Authority shall approve the application, and instruct the

    Issuing Authority to issue a SureServer Certificate. The Certification Authority will never notify the

    subscriber of such issuance in advance.

    Meanwhile, when the requirements prescribed in "3.2 Initial Identity Validation" of this CPS are not

    satisfied, the Certification Authority shall dismiss the application for issuing a SureServer Certificate,

    and reject issuance. In the foregoing case, the Certification Authority shall notify the reason of such

    rejection to the application supervisor or the procedural manager who submitted the application. The

    Certification Authority will not return the information and data obtained from the application supervisor

    or the procedural manager during the application process.

    When the application supervisor or the procedural manager withdraws the submitted application, the

    Certification Authority shall dismiss such application. The Certification Authority will not return the

    information and data obtained from the application supervisor or the procedural manager during the

    application process.

    4.2.2.2 SureMail Certificate

    The provisions of "4.2.2.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.2.3 Time Required for Certificate Application Procedures

    4.2.3.1 SureServer Certificate

    After the Registration Authority of the Certification Authority processes the application based on the

    provisions of "4.2 Certificate Application Procedures" of this CPS, the Issuing Authority shall promptly

    issue a SureServer Certificate.

    4.2.3.2 SureMail Certificate

    The provisions of "4.2.3.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.2.4 CAA Record (Certification Authority Authorization Record) Procedures

    The Certification Authority will not verify the CAA Record defined in RFC6844, and reserves the right

    to verify the CAA Record in the future.

    4.3 Certificate Issuance

    4.3.1 Certificate Issuance Procedures by Certification Authority

    4.3.1.1 SureServer Certificate

    After completing the application procedures based on "3.2 Initial Identity Validation" of this CPS, the

    Registration Authority of the Certification Authority shall instruct the Issuing Authority to issue the

    subscriber's SureServer Certificate. Simultaneously with issuing the certificate, the Issuing Authority

    shall send to the subscriber the notice set forth in "4.3.2 Notification of Issuance of SureServer

    Certificate to Subscriber" of this CPS.

    Note that the subscriber agreement of the SureServer Certificate between Cybertrust and the subscriber

    shall come into force from the time that the subscriber applies for the issuance of a SureServer

    Certificate.

    4.3.1.2 SureMail Certificate

    The provisions of "4.3.1.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.3.2 Notification of Issuance of Certificate to Subscribers

    4.3.2.1 SureServer Certificate

    Promptly after the SureServer Certificate is issued, the Certification Authority shall send an email to

    the email address designated by the subscriber at the time of application to the effect that the SureServer

    Certificate has been issued, and the procedures required for the subscriber to accept the certificate.

    4.3.2.2 SureMail Certificate

    Promptly after the SureMail Certificate is issued, the Certification Authority shall send an email to the

    email address designated by the subscriber at the time of application to the effect that the SureMail

    Certificate has been issued, and the procedures required for the subscriber to accept the certificate and

    private key.

    4.4 Certificate Acceptance

    4.4.1 Certificate Acceptance Verification Procedures

    4.4.1.1 SureServer Certificate

    A subscriber shall accept a SureServer Certificate according to the notified contents recorded in the

    email sent from the Certification Authority based on the provisions of "4.3.2 Notification of Issuance

    of SureServer Certificate to Subscriber" of this CPS. The Certification Authority shall deem that a

    subscriber has accepted the certificate when the subscriber downloads the certificate from Cybertrust's

    prescribed website.

    4.4.1.2 SureMail Certificate

    A subscriber shall accept a SureMail Certificate and a private key according to the notified contents

    recorded in the email sent from the Certification Authority based on the provisions of "4.3.2

    Notification of Issuance of SureServer Certificate to Subscriber" of this CPS. The Certification

    Authority shall deem that a subscriber has accepted the certificate and private key when the foregoing

    email is sent to the subscriber.

    4.4.2 Publication of Certificate by Certification Authority

    4.4.2.1 SureServer Certificate

    The Certification Authority shall not publish a subscriber's certificate.

    4.4.2.2 SureMail Certificate

    The same as "4.4.2.1 SureServer Certificate" of this CPS.

    4.4.3 Notification of Issuance of Certificate by Certification Authority to Other Participants

    4.4.3.1 SureServer Certificate

    The Certification Authority shall not notify the issuance of the SureServer Certificate based on "4.3.2

    Notification of Issuance of Certificate to Subscribers" of this CPS other than to the email address

    designated by the subscriber.

    4.4.3.2 SureMail Certificate

    The provisions of "4.4.3.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.5 Key Pair and Certificate Usage

    4.5.1 Use of Private Key and Certificate by Subscriber

    4.5.1.1 SureServer Certificate

    A subscriber shall use its private key and SureServer Certificate only for the usage set forth in "1.4.2

    Appropriate Certificate Uses" of this CPS, and use for any other usage is not allowed. Moreover, a

    subscriber's private key and SureServer Certificate may only be used by the subscriber, and the

    subscriber must not license the use thereof to a third party. Other obligations of a subscriber regarding

    the use of its private key and SureServer Certificate are set forth in "9.6.3 Representations and

    Warranties of Subscribers" of this CPS.

    4.5.1.2 SureMail Certificate

    The provisions of "4.5.1.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.5.2 Use of Subscriber's Public Key and Certificate by Relying Party

    4.5.2.1 SureServer Certificate

    A relying party shall confirm, under its own responsibility, the validity of the SureServer Certificate

    that is used by a subscriber for the usage set forth in "1.4.2 Appropriate Certificate Uses" of this CPS.

    Other obligations of a relying party regarding the use of a subscriber's public key and SureServer

    Certificate are set forth in "9.6.4 Representations and Warranties of Relying Parties".

    4.5.2.2 SureMail Certificate

    The provisions of "4.5.2.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.6 Certificate Renewal Not Involving Rekey

    4.6.1 Requirements for Certificate Renewal Not Involving Key Renewal

    4.6.1.1 SureServer Certificate

    The Certification Authority shall accept a renewal request pursuant to the expiration of the valid term

    of the SureServer Certificate used by a subscriber.

    4.6.1.2 SureMail Certificate

    The Certification Authority shall accept a renewal request pursuant to the expiration of the valid term

    of the SureMail Certificate used by a subscriber.

    4.6.2 Persons Who May Request Renewal

    4.6.2.1 SureServer Certificate

    The provisions of "4.1.1 Persons Who May Apply for Certificates" of this CPS shall apply

    correspondingly.

    4.6.2.2 SureMail Certificate

    The same as "4.6.2.1 SureServer Certificate" of this CPS.

    4.6.3 Renewal Request Procedures

    4.6.3.1 SureServer Certificate

    The provisions of "4.2 Certificate Application Procedures" of this CPS shall apply correspondingly.

    4.6.3.2 SureMail Certificate

    The same as "4.6.3.1 SureServer Certificate" of this CPS.

    4.6.4 Notification of Issuance of Renewed Certificate

    4.6.4.1 SureServer Certificate

    The provisions of "4.3.2 Notification of Issuance of Certificate to Subscribers" of this CPS shall apply

    correspondingly.

    4.6.4.2 SureMail Certificate

    The same as "4.6.4.1 SureServer Certificate" of this CPS.

    4.6.5 Procedures for Accepting Renewed Certificate

    4.6.5.1 SureServer Certificate

    The provisions of "4.4.1 Certificate Acceptance Verification Procedures" of this CPS shall apply

    correspondingly.

    4.6.5.2 SureMail Certificate

    The same as "4.6.5.1 SureServer Certificate" of this CPS.

    4.6.6 Publication of Renewed Certificate

    4.6.6.1 SureServer Certificate

    The provisions of "4.4.2 Publication of Certificate by Certification Authority" of this CPS shall apply

    correspondingly.

    4.6.6.2 SureMail Certificate

    The same as "4.6.6.1 SureServer Certificate" of this CPS.

    4.6.7 Notification of Issuance of Certificate by Certification Authority to Other Participants

    4.6.7.1 SureServer Certificate

    The provisions of "4.4.3 Notification of Issuance of Certificate by Certification Authority to Other

    Participants" of this CPS shall apply correspondingly.

    4.6.7.2 SureMail Certificate

    The same as "4.6.7.1 SureServer Certificate" of this CPS.

    4.7 Certificate Renewal Involving Rekey

    4.7.1 Requirements for Certificate Renewal Involving Rekey

    4.7.1.1 SureServer Certificate

    The Certification Authority shall accept a renewal request pursuant to the expiration of the valid term

    of the SureServer Certificate used by a subscriber.

    4.7.1.2 SureMail Certificate

    The certificate renewal request shall be accepted from ninety (90) days before the expiration of the

    valid term of the certificate, and the issuance of a renewed certificate shall be made from ninety (90) days in

    advance.

    4.7.2 Persons Who May Request Renewal

    4.7.2.1 SureServer Certificate

    The provisions of "4.1.1 Persons Who May Apply for Certificates" of this CPS shall apply

    correspondingly.

    4.7.2.2 SureMail Certificate

    The same as "4.7.2.1 SureServer Certificate" of this CPS.

    4.7.3 Rekey Application Procedures

    4.7.3.1 SureServer Certificate

    The provisions of "4.2 Certificate Application Procedures" of this CPS shall apply correspondingly.

    4.7.3.2 SureMail Certificate

    The same as "4.7.3.1 SureServer Certificate" of this CPS.

    4.7.4 Notification of Issuance of Rekeyed Certificate

    4.7.4.1 SureServer Certificate

    The provisions of "4.3.2 Notification of Issuance of Certificate to Subscribers" of this CPS shall apply

    correspondingly.

    4.7.4.2 SureMail Certificate

    The same as "4.7.4.1 SureServer Certificate" of this CPS.

    4.7.5 Procedures for Accepting Rekeyed Certificate

    4.7.5.1 SureServer Certificate

    The provisions of "4.4.1 Certificate Acceptance Verification Procedures" of this CPS shall apply

    correspondingly.

    4.7.5.2 SureMail Certificate

    The same as "4.7.5.1 SureServer Certificate" of this CPS.

    4.7.6 Publication of Rekeyed Certificate

    4.7.6.1 SureServer Certificate

    The provisions of "4.4.2 Publication of Certificate by Certification Authority" of this CPS shall apply

    correspondingly.

    4.7.6.2 SureMail Certificate

    The same as "4.7.6.1 SureServer Certificate" of this CPS.

    4.7.7 Notification of Issuance of Rekeyed Certificate to Other Participants

    4.7.7.1 SureServer Certificate

    The provisions of "4.4.3 Notification of Issuance of Certificate by Certification Authority to Other

    Participants" of this CPS shall apply correspondingly.

    4.7.7.2 SureMail Certificate

    The same as "4.7.7.1 SureServer Certificate" of this CPS.

    4.8 Modification of Certificate

    4.8.1 Requirements for Modification of Certificate

    4.8.1.1 SureServer Certificate

    The Certification Authority shall not accept a request for modifying a previously issued SureServer

    Certificate.

    If there is any modification to the certificate information, a subscriber must promptly submit an

    application to the Certification Authority for revoking the corresponding certificate.

    4.8.1.2 SureMail Certificate

    The provisions of "4.8.1.1 SureServer Certificate" of this CPS shall apply correspondingly.

    4.8.2 Persons Who May Request Modification of Certificate

    Not applicable.

    4.8.3 Certificate Modification Procedures

    Not applicable.

    4.8.4 Notification of Issuance of Modified Certificate

    Not applicable.

    4.8.5 Procedures for Accepting Modified Certificate

    Not applicable.

    4.8.6 Publication of Modified Certificate

    Not applicable.

    4.8.7 Notification of Issuance of Modified Certificate to Other Participants

    Not applicable.

    4.9 Certificate Revocation and Suspension

    4.9.1 Revocation Requirements

    4.9.1.1 Reason of Revocation by Subscriber

    (1) SureServer Certificate

    In the occurrence of any one of the following events, a subscriber must submit a request to the

    Certification Authority for revoking the corresponding SureServer Certificate:

    (i) a subscriber discovers a SureServer Certificate that was issued based on an application for issuance that was not approved by the subscriber;

    (ii) a subscriber learns that its private key has been compromised or there is a possibility thereof;

    (iii) a subscriber learns of the unauthorized use of its private key or SureServer Certificate or the possibility thereof;

    (iv) there is modification to the contents of a subscriber's SureServer Certificate;

    (v) a subscriber loses its right to exclusively use the FQDN included in the SureServer Certificate;

    (vi) a subscriber discovers that any of the items described in "1.4.1.1 SureServer Certificate (iii)" in this CPS are included in the organization unit (OU) of the Certificate;

    (vii) a subscriber wishes to cancel the subscriber agreement; or

    (viii) a subscriber wishes to request the free reissuance of a SureServer Certificate set forth in "9.1 Fees" of this CPS.

    (2) Su