

Exostar Digital Certificate Service (DCS) Service Policy Disclosure Statement

Version 2.0.1

April 30, 2018

X Matthew Williams

Exostar PMA Chair


TABLE OF CONTENTS

1 TSP CONTACT INFORMATION
1.1 QUERIES, COMPLAINTS, TECHNICAL SUPPORT
2 RELYING PARTY VALIDATION PROCEDURES AND USAGE
3 RELIANCE LIMITS
4 OBLIGATIONS OF SUBSCRIBERS
5 CHECKING OBLIGATIONS OF RELYING PARTIES
6 LIMITED WARRANTY & DISCLAIMER/LIMITATION OF LIABILITY
6.1 DISCLAIMERS OF WARRANTIES
6.2 LIMITATIONS OF LIABILITIES
6.3 INDEMNITIES
6.3.1 Indemnification by Entity CAs
6.3.2 Indemnification by Relying Parties
7 APPLICABLE AGREEMENTS, SERVICE PRACTICE STATEMENT, SERVICE POLICY
7.1 SUBSCRIBER AGREEMENT
7.2 CERTIFICATE POLICY
7.2.1 Certificate Dissemination
7.2.2 Certificate Revocation
7.2.3 Secure Signature Creation Devices
7.2.4 Digital Signature Generation
8 PRIVACY POLICY
9 REFUND POLICY
10 APPLICABLE LAW AND DISPUTE RESOLUTION
10.1 GOVERNING LAW
10.2 DISPUTE RESOLUTION PROVISIONS
10.2.1 Disputes among Exostar and Customers
10.2.2 Alternate Dispute Resolution Provisions
11 TSP AND REPOSITORY LICENSE, TRUST MARKS, AND AUDIT
12 DCS CA CERTIFICATE THUMBPRINTS


1 TSP CONTACT INFORMATION

Exostar Digital Certificate Service (DCS)

Exostar UK LTD

The Broadgate Tower

Third Floor

20 Primrose Street

London, EC2A 2RS

United Kingdom

+44 0203 3007093

Exostar LLC

2325 Dulles Corner Boulevard

Suite 600

Herndon, VA 20171

United States of America

+1 703 793 7800

[email protected]

http://www.exostar.com

1.1 Queries, Complaints, Technical Support

http://www.myexostar.com/Contact-Us/

2 RELYING PARTY VALIDATION PROCEDURES AND USAGE

DCS issues RSA 2048 SHA-256 X.509 digital certificates to its subscribers.

Certificates issued to subscribers contain one or more registered certificate policy object identifiers (OIDs), which a Relying Party may use to decide whether a certificate should be trusted for a particular purpose. The parties that register the OIDs also publish policies for examination by Relying Parties. The DCS OIDs are enumerated in Table 1 below.

The OIDs represent the medium-software-biopharma and medium-hardware-biopharma assurance levels for public key certificates as defined by the Exostar CP, which map to the respective OIDs of the SAFE-BioPharma Bridge CA via a cross-certificate.

The word “assurance” means how well a Relying Party can be certain of the identity binding between the public key and the individual whose subject name is cited in the certificate. In addition, it also reflects how well the Relying Party can be certain that the individual whose subject name is cited in the certificate is controlling the use of the private key that corresponds to the public key in the certificate, and how securely the system which was used to produce the certificate and (if appropriate) deliver the private key to the Subscriber performs its task.

Table 1 - DCS Issuing CA Certificate Policy OIDs

OID | Description
id-mediumSoftware-BioPharma-sha2 {1.3.6.1.4.1.13948.1.1.1.23} | Exostar id-mediumSoftware-sha2 for SAFE-BioPharma issuance
id-mediumHardware-BioPharma-sha2 {1.3.6.1.4.1.13948.1.1.1.24} | Exostar id-mediumHardware-sha2 for SAFE-BioPharma issuance

DCS issues digital certificates to the general public. Prior to issuance of digital certificates at the medium-software-biopharma or medium-hardware-biopharma levels of assurance, subscribers are required to verify their identity to the Registration Authority (RA) using a process aligned with the Level 3 requirements of US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 and its derivative specifications.

3 RELIANCE LIMITS

None specified.

4 OBLIGATIONS OF SUBSCRIBERS

A Subscriber shall be required to sign or electronically agree to a document (e.g., a subscriber agreement) containing the requirements the Subscriber shall meet respecting protection of the private key and use of the certificate before being issued the certificate.

In signing or electronically agreeing to the document described above, each Subscriber shall agree to the following:

• Subscriber shall accurately represent itself in all communications with the PKI authorities;

• Subscriber shall protect their private keys at all times, in accordance with the CP, as stipulated in their certificate acceptance agreements, and local procedures;

• Subscriber shall promptly notify the appropriate CA upon suspicion of loss or compromise of their private keys. Such notification shall be made directly or indirectly through mechanisms consistent with the CA’s CPS; and

• Subscriber shall abide by all the terms, conditions, and restrictions levied on the use of their private keys and certificates.

This subscriber agreement is reproduced in Section 7.1 below.

For more information, see the CP at http://www.myexostar.com/Exostar_FIS_Certificate_Policy.pdf


5 CHECKING OBLIGATIONS OF RELYING PARTIES

Parties who rely upon the certificates issued under a policy defined in this document shall:

• use the certificate for the purpose for which it was issued, as indicated in the certificate information (e.g., the key usage extension);

• check each certificate for validity, using procedures described in the X.509 standard [ISO 9594-8], prior to reliance;

• establish trust in the CA who issued a certificate by verifying the certificate path in accordance with the guidelines set by the X.509 Version 3 Amendment;

• preserve original signed data, the applications necessary to read and process that data, and the cryptographic applications needed to verify the digital signatures on that data for as long as it may be necessary to verify the signature on that data. Note: data format changes associated with application upgrades will often invalidate digital signatures and shall be avoided.

Please also see Section 7.2.2 below regarding the DCS Certificate Revocation List repository and its availability.

For more information, see the CP at http://www.myexostar.com/Exostar_FIS_Certificate_Policy.pdf
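The obligations listed above, carried out in code as an added example that is not part of the SPDS or of any Exostar software, using only Go's standard crypto/x509 package: the relying party anchors trust by pinning the root's SHA-1 thumbprint (in the form Section 12 prints), validates the certificate path at the time of reliance, checks that the key usage extension allows digital signatures, and requires one of the Table 1 policy OIDs. The root, subscriber certificate, names and serial number are constructed for the example; in real use the pinned value would be a Section 12 thumbprint, and these checks would be combined with the CRL check of Section 7.2.2.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Table 1 policy OIDs; 2.5.29.32 is the certificatePolicies extension OID.
var (
	oidMediumSoftwareBioPharma = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 13948, 1, 1, 1, 23}
	oidMediumHardwareBioPharma = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 13948, 1, 1, 1, 24}
	oidCertificatePolicies     = asn1.ObjectIdentifier{2, 5, 29, 32}
)

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// sha1Thumbprint renders a certificate's SHA-1 hash in the spaced lowercase form Section 12 uses;
// sameThumbprint also accepts colon-separated or upper-case copies of the same value.
func sha1Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	h := hex.EncodeToString(sum[:])
	var parts []string
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, " ")
}

func sameThumbprint(a, b string) bool {
	norm := func(s string) string { return strings.ToLower(strings.NewReplacer(" ", "", ":", "").Replace(s)) }
	return norm(a) == norm(b)
}

// checkCertificate applies the Section 5 obligations to a signature certificate: trust in the issuer
// is anchored by a pinned root thumbprint, the path validates and is within its validity period at the
// time of reliance, key usage permits digital signatures, and the certificate asserts the policy OID
// the relying party has decided to accept.
func checkCertificate(leaf, root *x509.Certificate, pinnedRoot string, policy asn1.ObjectIdentifier, at time.Time) error {
	if !sameThumbprint(sha1Thumbprint(root), pinnedRoot) {
		return errors.New("root certificate does not match the pinned thumbprint")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("key usage extension does not permit digital signatures")
	}
	for _, p := range leaf.PolicyIdentifiers {
		if p.Equal(policy) {
			return nil
		}
	}
	return fmt.Errorf("certificate does not assert policy %v", policy)
}

// demoChain mints an example root and a subscriber signature certificate asserting the Table 1 software
// policy, valid from an hour before now until a day after (example material, not Exostar certificates).
func demoChain(now time.Time) (root, leaf *x509.Certificate) {
	rootKey, leafKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root (not Exostar)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	// certificatePolicies is written as a raw extension so the example does not depend on how a given
	// Go release treats the PolicyIdentifiers/Policies template fields.
	policyDER := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidMediumSoftwareBioPharma}}))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Subscriber"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policyDER}}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

func main() {
	now := time.Now()
	root, leaf := demoChain(now)
	fmt.Println("root thumbprint:", sha1Thumbprint(root))
	fmt.Println("software policy:", checkCertificate(leaf, root, sha1Thumbprint(root), oidMediumSoftwareBioPharma, now))
	fmt.Println("hardware policy:", checkCertificate(leaf, root, sha1Thumbprint(root), oidMediumHardwareBioPharma, now))
}
```

Running it prints the example root's thumbprint, a nil error for the software policy the certificate asserts, and an error for the hardware policy it does not. A certificate that passes these checks is still only relied upon after the CRL check of Section 7.2.2, which this block deliberately leaves out.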

6 LIMITED WARRANTY & DISCLAIMER/LIMITATION OF LIABILITY

6.1 Disclaimers of Warranties

To the extent permitted by applicable law, Policy Mapping Agreements, Memorandums of Agreement, and any other related agreements may contain disclaimers of all warranties (other than any express warranties contained in such agreements or set forth in this CP).

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CAS MAY DISCLAIM ANY EXPRESS OR IMPLIED WARRANTIES, OTHER THAN THOSE EXPRESS WARRANTIES CONTAINED IN THIS CP.

EXCEPT FOR THE EXPLICIT REPRESENTATIONS, WARRANTIES, AND CONDITIONS PROVIDED IN THIS CP OR THOSE BETWEEN EXOSTAR AND ITS CUSTOMERS UNDER SEPARATE AGREEMENTS, (A) CERTIFICATES ISSUED BY EXOSTAR AND THE EXOSTAR PKI ARE PROVIDED "AS IS", AND EXOSTAR, ITS EMPLOYEES, OFFICERS, AGENTS, REPRESENTATIVES, AND DIRECTORS DISCLAIM ALL OTHER WARRANTIES, CONDITIONS AND OBLIGATIONS OF EVERY TYPE (INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, TITLE, SECURITY, SATISFACTORY QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE, OR ACCURACY OF INFORMATION PROVIDED), AND FURTHER DISCLAIM ANY AND ALL LIABILITY FOR NEGLIGENCE, FAILURE TO WARN, OR LACK OF REASONABLE CARE AND (B) THE ENTIRE RISK OF THE USE OF ANY EXOSTAR CERTIFICATES, ANY SERVICES PROVIDED BY EXOSTAR, OR THE VALIDATION OF ANY DIGITAL SIGNATURES LIES WITH THE APPLICABLE PARTICIPANT.


6.2 Limitations of Liabilities

The liability (and/or limitation thereof) of Exostar to CAs to which Exostar issues certificates shall be set forth in the applicable agreements.

OTHER THAN THE ABOVE DESCRIBED LIMITATIONS OF LIABILITY, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EXOSTAR BE LIABLE FOR ANY INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO THIS CP, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE TOTAL, AGGREGATE LIABILITY OF EACH EXOSTAR CA ARISING OUT OF OR RELATED TO IMPROPER ACTIONS BY THE EXOSTAR CA SHALL BE LIMITED TO ONE THOUSAND DOLLARS ($1,000 USD) PER TRANSACTION AND ONE MILLION DOLLARS ($1 MILLION USD) PER INCIDENT.

6.3 Indemnities

The indemnity requirements of Sections 9.9.1 and 9.9.2 shall not apply when the entity or relying party is an instrumentality of the US Government. Recourse against the United States shall proceed under the Contract Disputes Act or the Federal Tort Claims Act, as applicable.

6.3.1 Indemnification by Entity CAs

To the extent permitted by applicable law, each Entity CA shall indemnify Exostar and its contractors, agents, assigns, employees, officers, and directors from and against any third party claims, liabilities, damages, costs and expenses (including reasonable attorney’s fees), relating to or arising out of any certificates issued by Exostar, including, without limitation, for:

• Falsehood or misrepresentation of fact by the Entity CA in the applicable contractual agreements;

• Failure by the Entity CA to disclose a material fact in any applicable contractual agreement, if the misrepresentation or omission was made negligently or with intent to deceive any party;

• The Entity CA’s failure to protect the Entity CA private key, to use a Trustworthy System, or to otherwise take the precautions necessary to prevent the compromise, loss, disclosure, modification, or unauthorized use of the Entity CA private key; or

• The Entity CA’s use of a name (including without limitation within a common name, domain name, or e-mail address) that infringes upon the Intellectual Property Rights of a third party.

Any applicable contractual agreement between Exostar and an Entity CA that is a customer of Exostar within the Exostar PKI may include additional indemnity obligations, but these would not apply to cross-certified CAs that are not customers of Exostar.

6.3.2 Indemnification by Relying Parties

To the extent permitted by applicable law, each Relying Party shall indemnify Exostar and its contractors, agents, assigns, employees, officers, and directors from and against any third party claims, liabilities, damages, costs and expenses (including reasonable attorney’s fees), relating to or arising out of use of or reliance by Relying Party on any certificates issued by Exostar, including, without limitation, for:

• The Relying Party’s improper, illegal, or unauthorized use of a certificate (including use of any expired, revoked, or unvalidated certificate);

• The Relying Party’s unreasonable reliance on a certificate, under the circumstances; or

• The Relying Party’s failure to check the status of a certificate on which it relies to determine if the certificate is expired or revoked.

Any applicable contractual agreement between Exostar and a Relying Party within the Exostar PKI may include additional indemnity obligations, but these would not apply to relying parties that are not customers of Exostar.

For more information, see the CP at http://www.myexostar.com/Exostar_FIS_Certificate_Policy.pdf

7 APPLICABLE AGREEMENTS, SERVICE PRACTICE STATEMENT, SERVICE POLICY

7.1 Subscriber Agreement

I attest that I am the person I claim to be through presentation of information. As a condition of receiving a digital certificate from the Digital Certificate Service, I agree to the following obligations:

• I have accurately represented myself and will continue to accurately represent myself in all communications with the Digital Certificate Service or individuals supporting the Digital Certificate Service.

• I will use the Digital Certificate Service in a manner compliant with the Exostar FIS and DCS Certificate Policy (http://www.myexostar.com/Exostar_FIS_Certificate_Policy.pdf).

• I will protect my private keys at all times, in accordance with Digital Certificate Service requirements and internal corporate policy:

o I will not share my private keys with any other person under any circumstances.

o I will limit the number of backups of my private keys and will protect any such backup(s) to the same level as the original.

• I will notify the Digital Certificate Service (or the person authorized by internal corporate policy to receive such notification) in a timely manner if I suspect that my private keys have been compromised or lost, and that I or an Administrator must immediately revoke my certificates.

• If I am no longer affiliated with the organization of which I am a member in the Digital Certificate Service, I agree to immediately cease use of my certificates, return all hardware tokens in my possession, and acknowledge that my certificates will be revoked.

As evidenced by my indication that I have read, understand, and agree to these terms

7.2 Certificate Policy

The latest version of the Exostar CP is available at:

http://www.myexostar.com/Exostar_FIS_Certificate_Policy.pdf

This is further refined with regard to the Digital Certificate Service by the subsections below:


7.2.1 Certificate Dissemination

Figure 1 - Certificate Issuance Workflow (diagram; the steps it shows are recovered below)

DCS RA - Standard/Premium Models at Medium: prompts the user for the required credentials and verifies that they meet LOA 3; the RA workflow is approved on the basis of possession of a non-PKI LOA 3 credential.

DCS RA: upon successful verification of the request, the DCS RA countersigns the certificate request using its own certificate.

DCS Signing CA: prior to certificate issuance, the DCS CA verifies that the certificate request was countersigned by the DCS RA.

In order to establish a binding between the applicant and the certificate request for new certificates, the registration component requires that the applicant complete the certificate issuance process within the same SSL session within which the applicant authenticates to the Digital Certificate Service using a Level 3 credential issued by a FICAM-approved Credential Service Provider.

Using DCS client-side software developed by the TSP, the subscriber’s RSA 2048-bit private and public keys are generated locally by the subscriber, either using operating system libraries or a hardware PKI token depending on the OID selected (see Table 1). The client-side software also generates an X.509 Certificate Signing Request, signs it using the newly generated private key with RSA 2048 and SHA-256, and transmits it to DCS over a secure, authenticated channel.

Prior to certificate issuance, the Digital Certificate Service ensures that the CSR submitted by the applicant is properly formatted and that the application has been approved.

The CA responds to the applicant immediately upon successful certificate issuance as part of the synchronous CSR / certificate issuance process: the issued certificate is delivered to the applicant over the same SSL channel and is installed using the DCS client-side software.

Certificates issued to Subscribers by the Digital Certificate Service are not published in a publicly accessible repository, and cannot be pulled by the relying community.
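The sequence in Figure 1 and the paragraphs above (local key and CSR generation by the subscriber, countersignature by the RA, and the CA's refusal to issue without a valid countersignature), as an added example written in Go against the standard library. It is not DCS client, RA or CA code: the CA and RA certificates and all names are placeholders, identity proofing is left out, and the countersignature format, an RSA PKCS#1 v1.5 signature over the SHA-256 digest of the DER-encoded CSR, is an assumption, since the SPDS does not specify how the RA countersigns. The issued certificate carries the Table 1 medium-software-biopharma OID in its certificatePolicies extension and is signed with RSA/SHA-256 as the document states.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Table 1 software-assurance policy OID; 2.5.29.32 below is the certificatePolicies extension OID.
var oidMediumSoftwareBioPharma = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 13948, 1, 1, 1, 23}

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// pki is the example Signing CA plus the RA whose countersignature it requires (placeholder names, not the DCS CA or RA).
type pki struct {
	caCert, raCert *x509.Certificate
	caKey, raKey   *rsa.PrivateKey
}

func newPKI() *pki {
	now, p := time.Now(), &pki{}
	p.caKey, p.raKey = must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	p.caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &p.caKey.PublicKey, p.caKey))))
	raTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example RA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	p.raCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, raTmpl, p.caCert, &p.raKey.PublicKey, p.caKey))))
	return p
}

// subscriberRequest is the client-side step: an RSA 2048 key pair generated locally and a CSR signed with it using SHA-256.
func subscriberRequest(commonName string) ([]byte, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, SignatureAlgorithm: x509.SHA256WithRSA}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key)), key
}

// raCountersign is the RA step: after verifying the request (identity proofing is outside this example),
// the RA checks the CSR's proof of possession and signs the CSR bytes with its own key.
func raCountersign(csrDER []byte, raKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession: %w", err)
	}
	digest := sha256.Sum256(csrDER)
	return rsa.SignPKCS1v15(rand.Reader, raKey, crypto.SHA256, digest[:])
}

// caIssue is the CA step: refuse unless the countersignature verifies under the RA certificate, then issue
// an RSA/SHA-256 signature certificate whose certificatePolicies extension carries the Table 1 policy OID.
func caIssue(p *pki, csrDER, countersig []byte) (*x509.Certificate, error) {
	raPub, ok := p.raCert.PublicKey.(*rsa.PublicKey)
	if !ok || p.raCert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, errors.New("RA certificate cannot countersign")
	}
	digest := sha256.Sum256(csrDER)
	if err := rsa.VerifyPKCS1v15(raPub, crypto.SHA256, digest[:], countersig); err != nil {
		return nil, errors.New("request was not countersigned by the RA; refusing to issue")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// The policy is written as a raw extension so the result does not depend on how a Go release treats PolicyIdentifiers/Policies.
	policyDER := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidMediumSoftwareBioPharma}}))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))), Subject: csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policyDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.caCert, csr.PublicKey, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	p := newPKI()
	csrDER, _ := subscriberRequest("Example Subscriber")
	cert := must(caIssue(p, csrDER, must(raCountersign(csrDER, p.raKey))))
	fmt.Println("issued to", cert.Subject.CommonName, "with policies", cert.PolicyIdentifiers)
}
```

The CA never sees the subscriber's private key: it only receives the self-signed CSR and the RA's countersignature, and a countersignature made with any key other than the RA's (the subscriber's own, for instance) is refused before anything is issued.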

7.2.2 Certificate Revocation

Certificate Revocation takes place as described in Section 4.9 of the Certificate Policy. When revoking a certificate, the user or administrator performing the revocation must authenticate to DCS using an LOA3 credential from a supported CSP, select the certificate to revoke, and select one of the four statuses listed below in the RA system.


Alternatively, the subscriber or his/her administrator may request revocation using additional methods as described in Section 4.0 of the Certificate Policy. Whereas a subscriber’s administrator, or Exostar administrators, may revoke a subset of the certificates issued to a subscriber, the subscriber him/herself must revoke all of his/her issued certificates.

The corresponding X.509 v2 CRL reason code is also shown.

RA Menu Entry | X.509 v2 CRL Reason Code
Certificate Compromised | keyCompromise
User no longer affiliated with Organization | affiliationChanged
Certificates Replaced by New Certificates | superseded
Other | unspecified

A user may view the status of any of their own previously issued certificates in the DCS web application.

The Digital Certificate Service issues CRLs every 12 hours. The nextUpdate time in the CRL is 18 hours after the thisUpdate time. The CRL is posted automatically to the repository immediately upon issuance. The maximum delay between the CA receiving a revocation request and relying parties being notified is 12 hours. The CRL repository is available 24 hours a day, 365 days a year (see Note 1) via unauthenticated HTTP request worldwide. DCS does not support the Online Certificate Status Protocol (OCSP).

Upon revocation by any party, all DCS Administrators within the user’s organization are notified via email. Once revoked, DCS does not allow certificates to be removed from the CRL. DCS does not support certificate suspension.
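The revocation table and CRL timing of this section, as an added example in Go that is not DCS code: on the CA side each RA menu entry is mapped to its CRLReason value and written into the CRL entry, and nextUpdate is set 18 hours after thisUpdate; on the relying party side the CRL is verified under the issuing CA, a CRL whose nextUpdate has passed is refused rather than treated as evidence of non-revocation (there is no OCSP to fall back on, which is what makes the scenario in Note 1 matter), and the result reports whether a serial is revoked and why. The CA certificate, serial numbers and reasons are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CRL entry reasonCode extension OID (2.5.29.21) and the RFC 5280 CRLReason values
// behind the four RA menu entries of Section 7.2.2.
var (
	oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21}
	raMenuReason  = map[string]int{
		"Certificate Compromised":                     1, // keyCompromise
		"User no longer affiliated with Organization": 3, // affiliationChanged
		"Certificates Replaced by New Certificates":   4, // superseded
		"Other":                                       0, // unspecified
	}
)

// Section 7.2.2: CRLs are issued every 12 hours, each with nextUpdate 18 hours after thisUpdate.
const crlNextUpdateLag = 18 * time.Hour

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// issueCRL signs a CRL listing each serial with the reason code of its RA menu entry
// (the extension is omitted for unspecified(0), as RFC 5280 5.3.1 advises).
func issueCRL(issuer *x509.Certificate, key *rsa.PrivateKey, number int64, issuedAt time.Time, revoked map[int64]string) []byte {
	var entries []pkix.RevokedCertificate
	for serial, menu := range revoked {
		var exts []pkix.Extension
		if code := raMenuReason[menu]; code != 0 {
			exts = append(exts, pkix.Extension{Id: oidReasonCode, Value: must(asn1.Marshal(asn1.Enumerated(code)))})
		}
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(serial), RevocationTime: issuedAt, Extensions: exts})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: issuedAt,
		NextUpdate: issuedAt.Add(crlNextUpdateLag), RevokedCertificates: entries}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))
}

// checkCRL is the relying party side: verify the CRL signature under the issuing CA, then fail closed
// on freshness. DCS offers no OCSP, so once nextUpdate has passed (Note 1 describes when that can
// happen) there is no current status information and the certificate must not be treated as unrevoked.
// Returns whether serial is listed and its CRLReason code.
func checkCRL(crlDER []byte, issuer *x509.Certificate, serial int64, at time.Time) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, fmt.Errorf("CRL signature: %w", err)
	}
	if at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) {
		return false, 0, fmt.Errorf("no current CRL at %s (nextUpdate %s)", at.UTC().Format(time.RFC3339), crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Int64() != serial {
			continue
		}
		var code asn1.Enumerated // stays 0 (unspecified) when no reasonCode extension is present
		for _, ext := range e.Extensions {
			if ext.Id.Equal(oidReasonCode) {
				must(asn1.Unmarshal(ext.Value, &code))
			}
		}
		return true, int(code), nil
	}
	return false, 0, nil
}

// demoIssuer mints a self-signed example CA with cRLSign key usage (example material, not the DCS CA).
func demoIssuer(now time.Time) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (not Exostar)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

func main() {
	now := time.Now()
	ca, key := demoIssuer(now)
	crl := issueCRL(ca, key, 1, now, map[int64]string{4242: "Certificate Compromised"})
	fmt.Println(checkCRL(crl, ca, 4242, now.Add(time.Hour)))
	fmt.Println(checkCRL(crl, ca, 4242, now.Add(crlNextUpdateLag+time.Hour))) // past nextUpdate: no current CRL
}
```

The freshness rule is the part worth copying: a relying party that keeps using a cached CRL past its nextUpdate turns the disaster-recovery window Note 1 describes into a window in which revoked certificates are silently accepted.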

7.2.3 Secure Signature Creation Devices

Exostar supports the Gemalto (formerly SafeNet) eToken series of PKI hardware tokens, and others upon request and explicit approval by Exostar. Provisioning of hardware tokens requires Subscribers to install the SafeNet Authentication Client and the proprietary DCS client-side software from Exostar on a Windows workstation prior to activation.

For more detailed system requirements, see the Exostar Federated Identity Service system requirements on Page 2 of the document linked below.

http://www.myexostar.com/FISDownloadReqs.pdf

Hardware tokens are acquired directly from the manufacturer and stored in a secured facility at Exostar. Hardware tokens are shipped by Exostar directly to subscribers, or when commercial arrangements allow, in bulk to subscribers’ organizations, using trusted carriers (e.g. FedEx). Tracking information is supplied.

Note 1: Continuity of the Digital Certificate Service is maintained in accordance with the Exostar Master Service Level Agreement and applicable addenda. While the CRL repository is hosted by redundant, high availability servers within a facility exhibiting redundant power, cooling, and data services, as of the date of this SPDS the Recovery Point Objective for DCS is 24 hours, and the Recovery Time Objective is 72 hours / best effort. In the event of a catastrophic failure within the production facility requiring Exostar to implement its Disaster Recovery Plan, it is possible that DCS will not be able to publish a CRL before the nextUpdate time of the previous CRL has passed, or that the published CRL will not be accessible via the internet.


Hardware tokens are shipped to subscribers with no key material and a default PIN, which accompanies the token in the package. Subscribers are required to change the PIN when the token is initialized, and are required to enter the PIN when attempting to activate the private key.

Hardware tokens contain secure cryptographic modules which do not permit private keys to be exported from the module at any time.

7.2.4 Digital Signature Generation

Subscribers may obtain multiple X.509 signature certificates from DCS in accordance with commercial arrangements. All certificates issued to a Subscriber are available using Operating System specific key stores. When undertaking operations requiring use of a DCS certificate or private key, Subscribers are responsible for selecting the appropriate certificate, which can be differentiated by Certificate Serial Number. As all signature generation takes place solely within the Subscriber’s workstation, DCS is not aware when signatures are generated and no logging of signature-level events is supported.

8 PRIVACY POLICY

An Exostar CA collects, stores, processes and discloses personally identifiable information in accordance with the Exostar Privacy Policy.

http://www.exostar.com/Privacy-Policy/

9 REFUND POLICY

None specified.

10 APPLICABLE LAW AND DISPUTE RESOLUTION

10.1 Governing Law

Subject to any limits appearing in applicable law, the federal laws of the United States and/or the laws of the State of New York shall govern the enforceability, construction, interpretation, and validity of the CP and SPDS, irrespective of contract or other choice of law provisions and without the requirement to establish a commercial nexus in the State of New York. This choice of law is made to ensure uniform procedures and interpretation for all Exostar Customers and Entity CAs, no matter where they are located.

This governing law provision applies only to the CP and SPDS. Agreements incorporating the CP or SPDS by reference may have their own governing law provisions, provided that Section 9.14 of the CP governs the enforceability, construction, interpretation, and validity of the terms of the CP separate and apart from the terms of such other agreements, subject to any limitations appearing in applicable law.

10.2 Dispute Resolution Provisions

10.2.1 Disputes among Exostar and Customers

Provisions for resolving disputes between Exostar and its Customers shall be set forth in the applicable agreements between the parties.


10.2.2 Alternate Dispute Resolution Provisions

Except as otherwise agreed (e.g., under an agreement under Section 10.2.1 above), any dispute under this CP shall be resolved by binding arbitration in accordance with the commercial rules (or international rules, if the other party to the dispute is a non-US entity) of the American Arbitration Association then in effect. The arbitration panel shall consist of one (1) neutral arbitrator if the amount in controversy is less than $10,000; otherwise the panel shall consist of three (3) neutral arbitrators, each an attorney with five (5) or more years of experience in computer and technology law and/or the primary area of law as to which the dispute relates. The arbitrator(s) shall have never been employed (either as an employee or as an independent consultant) by either of the Parties, or any parent, subsidiary or affiliate thereof. The Parties shall have the right to take discovery of the other Party by any or all methods provided in the Federal Rules of Civil Procedure. The arbitrator(s) may upon request exclude from being used in the arbitration proceeding any evidence not made available to the other Party pursuant to a proper discovery request. The arbitrator(s) shall apply the federal law of the United States and/or the law of the State of New York, and the arbitration proceeding shall be held in New York City, New York, USA or in such other location as is mutually agreed upon. The cost of the arbitration shall be borne equally by the Parties, unless the arbitrator(s) awards costs and attorneys' fees to the prevailing Party. Notwithstanding the choice of law provision in this Agreement, the Federal Arbitration Act, except as modified herein, shall govern the interpretation and enforcement of this provision. All arbitration proceedings shall be conducted in English. Any claim, dispute and controversy shall be arbitrated on an individual basis and not aggregated with the claims of any third party; class action arbitration is prohibited. The arbitrator(s) shall have no discretion to award punitive damages. Notwithstanding the foregoing dispute resolution procedures, either Party may apply to any court having jurisdiction to (i) enforce the agreement to arbitrate, (ii) seek provisional injunctive relief so as to maintain the status quo until the arbitration award is rendered or the dispute is otherwise resolved, or to otherwise prevent irreparable harm, (iii) avoid the expiration of any applicable limitation period, (iv) preserve a superior position with respect to creditors, or (v) challenge or vacate any final decision or award of the arbitration panel that does not comport with the express provisions of the CP.

For more information, see the CP at http://www.myexostar.com/Exostar_FIS_Certificate_Policy.pdf

11 TSP AND REPOSITORY LICENSE, TRUST MARKS, AND AUDIT

The Digital Certificate Service PKI consists of one or more Issuing CAs which are subordinate to the Exostar Federated Identity Service Root CA (FISRCA). The FISRCA is cross-certified by:

• US Federal Bridge CA (https://www.idmanagement.gov/IDM/s/article_content_old?tag=a0Gt0000000SfwR)

• SAFE-BioPharma Association Bridge CA (http://www.safe-biopharma.org/crosscertification.html)


12 DCS CA CERTIFICATE THUMBPRINTS

Exostar FIS Root CA 2:

Thumbprint Algorithm – SHA1

c6 b4 f6 d0 b8 6e ee 2c 02 96 0c ea 8a f4 29 37 e8 66 87 ec

Exostar DCS Signing CA 1:

Thumbprint Algorithm – SHA1

83 b5 23 77 58 12 24 2d 5e 3b ff 87 11 28 95 65 b3 dc a7 d7