extended validation certificate certification practice ... · 2.2 may 1, 2013 changed "4.6...

Extended Validation Certificate Certification Practice Statement Version 3.6

© 2008 Cybertrust Japan Co., Ltd.

Extended Validation Certificate

Certification Practice Statement

Version 3.6

Cybertrust Japan Co., Ltd.


© 2008 Cybertrust Japan Co., Ltd. 1

Revision History

Version Date Reason for Revision

1.0 March 5, 2008 Formulation of initial version

1.1 April 15, 2009

▪ Reviewed "3.2.2 Verification of Subscribers" ▪ Changed acceptance date of renewals and issuance date of

certificates associated with key renewal

▪ Added reason of revocation by the Certification Authority ▪ Changed FIPS 140-2 to 140-1

1.2 July 15, 2009 ▪ Made revision pursuant to start of operation of OCSP server

1.3 September 29, 2009

▪ Added description regarding remote storage locations to "5. Management, Operational, and Physical Controls"

▪ Specified personal information in "9.4.7 Other Cases of Information Disclosure"

1.4 February 18, 2011

▪ Changed "5.1 Physical Security Controls" and "6.2.6 Private Key Transfer" in relation to remote storage locations

▪ Changed "5.1.9 Backup Site" pursuant to change of name of remote storage location to backup site

▪ Changed "1.1 Overview", "2.2 Information to be Published", "6.1.5 Key Length" and "APPENDIX B" due to deletion of descriptions

regarding Cybertrust Japan EV CA G1 associated with termination

of SureServerEV1024 bit service


▪ Included description of Serial Number of Certification Authority Certificate in "1.1 Overview"

▪ Changed "5.4.3 Audit Log Archival Period"

1.6 January 14, 2012 ▪ Changes made pursuant to addition of SubjectAltName extension

1.7 February 27, 2012

▪ Changed URL of "2.2 Information to be Published" ▪ Changed Policies extension of SureServer EV Certificates in

"Appendix B"

1.8 June 29, 2012

▪ Added "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" as requirements in "1.1 Overview"

▪ Changed items to be screened in "1.4.1.1 SureServer EV Certificate"

▪ Changed meaning of Organization Unit (OU) of SureServer EV Certificates in "3.1.2 Need for Names to be Meaningful"

▪ Changed "4.9.1.1 Reason of Revocation by Subscriber" ▪ Changed "4.9.1.2 Reason of Revocation by Certification Authority" ▪ Changed "5.5.2 Record Archival Period" ▪ Changed "9.6.3 Representations and Warranties of Subscribers" ▪ Added Baseline Requirements for the Issuance and Management of

Publicly-Trusted Certificates" and "Fully-Qualified Domain Name

(FQDN)" to "Appendix A"

1.9 November 14, 2012 ▪ Changed "6.1.1 Generation of Key Pair"

2.0 December 19, 2012

▪ Added information of certificates of Cybertrust Japan EV CA G2 to "1.1 Overview"

▪ Added profile of Cybertrust Japan EV CA G2 with extended valid term to "Appendix B"

2.1 February 20, 2013 ▪ Changed SHA1" in "Appendix A" to "SHA1/SHA2" ▪ Added SureServer EV[SHA-2] certificate profile to "Appendix B"

2.2 May 1, 2013 ▪ Changed "4.6 Certificate Renewal Not Involving Rekey"

2.3 June 24, 2013 ▪ Changed certificate profile associated with issuance of Japanese

(UTF8String) of the certificate DN information in "Appendix B"

2.4 August 21, 2013

▪ Revised registration contents of Business Category of SureServer EV Certificates according revisions of the EVC Guidelines in

"3.1.2 Need for Names to be Meaningful"

▪ Similarly revised the value of the Business Category of SureServer EV Certificates and SureServer EV[SHA-2] Certificates in



"Appendix B"

2.5 February 10, 2014

▪ Made changes pursuant to the renewal of certificate of Cybertrust Japan EV CA G2

▪ Made other corrections of descriptions and errors

2.6 April 13, 2014



2.7 July 1, 2014 ▪ Change name of building of contact address ▪ Corrected typographical errors

2.8 February 2, 2015

▪ Added profile to "Appendix B" pursuant to dealing with Certificate Transparency


2.9 February 9, 2015 ▪ Changed "3.3.2 Identification and Authentication for Renewal of

Key (Certificate) after Revocation"

3.0 March 30, 2015 ▪ Added "4.2.4 CAA Record (Certification Authority Authorization

Record) Procedures"

3.1 August 29, 2015 ▪ Made changes pursuant to the period for accepting of renewal

request

3.2 June 29, 2016

▪ Changed Business Days in "1.5.2 Contact Point" ▪ Changed keyUsage of SureServer [SHA-2] Certificates (Cybertrust

Japan Public CA G3) in "Appendix B" to TRUE

▪ Made other corrections of descriptions

3.3 March 4, 2017 ▪ Remove annotations on CT certificate of "Appendix B" ▪ Made other corrections of descriptions

3.4 April 28、2017

▪ Made changes pursuant to the values that cannot be specified for the review of the Organization Unit (OU)

▪ "1.4.1.1 SureServer Certificate (iv)" ▪ Meaning of Organization Unit (OU) in DN section of “3.1.2.1

SureServer Certificate”

▪ “4.9.1.1 Reason for Revocation by Subscriber (vi)” ▪ “4.9.1.2 Reason for Revocation by the Certification Authority (vii)” ▪ “9.6.3 Representations and Warranties of Subscribers (iv)”

3.5 May 21, 2017 ▪ Removed "User Notice" of "certificatePolicies" in "Appendix B"


▪ Changed “4.2.4 CAA Record (Certification Authority Authorization Record) Procedures”




Contents

1. INTRODUCTION ................................................................................................................................... 8

1.1 OVERVIEW ............................................................................................................................................... 8 1.2 DOCUMENT NAME AND IDENTIFICATION .................................................................................................. 9 1.3 PKI PARTICIPANTS .................................................................................................................................. 9

1.3.1 Certification Authority ..................................................................................................................... 9 1.3.2 Registration Authority ................................................................................................................... 10 1.3.3 Issuing Authority ............................................................................................................................ 10 1.3.4 Subscriber ....................................................................................................................................... 10 1.3.5 Relying Party .................................................................................................................................. 10 1.3.6 Other Participants .......................................................................................................................... 10

1.4 CERTIFICATE USAGE ............................................................................................................................. 10 1.4.1 Types of Certificates ....................................................................................................................... 10 1.4.2 Appropriate Certificate Uses ......................................................................................................... 11 1.4.3 Prohibited Certificate Uses ............................................................................................................ 11

1.5 POLICY ADMINISTRATION ...................................................................................................................... 11 1.5.1 Organization Administering Documents ....................................................................................... 11 1.5.2 Contact Point .................................................................................................................................. 12 1.5.3 Party to Determine Suitability of CPS .......................................................................................... 12 1.5.4 Suitability Approval Procedures .................................................................................................... 12

1.6 DEFINITIONS AND ACRONYMS ................................................................................................................ 12

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ................................................................. 13

2.1 ORGANIZATION TO CONTROL REPOSITORIES .......................................................................................... 13 2.2 INFORMATION TO BE PUBLISHED ........................................................................................................... 13 2.3 TIMING AND FREQUENCY OF PUBLICATION ............................................................................................ 13 2.4 ACCESS CONTROL ON REPOSITORIES ..................................................................................................... 13

3. IDENTIFICATION AND AUTHENTICATION .................................................................................... 14

3.1 NAMING ................................................................................................................................................ 14 3.1.1 Types of Names ............................................................................................................................... 14 3.1.2 Need for Names to be Meaningful ................................................................................................. 14 3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers .................................................... 15 3.1.4 Rules for Interpreting Various Name Forms ................................................................................ 15 3.1.5 Uniqueness of Names ..................................................................................................................... 15 3.1.6 Recognition, Authentication, and Role of Trademarks ................................................................. 15

3.2 INITIAL IDENTITY VALIDATION .............................................................................................................. 15 3.2.1 Method to Prove Possession of Private Key................................................................................... 15 3.2.2 Verification of Subscribers ............................................................................................................. 15 3.2.3 Non-verified Subscriber Information ............................................................................................. 15 3.2.4 Verification of Application Supervisor ........................................................................................... 16 3.2.5 Interoperability Standards ............................................................................................................. 16

3.3 IDENTIFICATION AND AUTHENTICATION FOR KEY (CERTIFICATE) RENEWAL REQUEST ........................... 16 3.3.1 Identification and Authentication upon Renewal for Routine Key (Certificate) Renewal .......... 16 3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation ................ 16

3.4 IDENTITY VALIDATION AND AUTHENTICATION UPON REVOCATION REQUEST ......................................... 16

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS ..................................................... 17

4.1 CERTIFICATE APPLICATION ................................................................................................................... 17 4.1.1 Persons Who May Apply for Certificates ....................................................................................... 17 4.1.2 Enrollment Process and Responsibilities ...................................................................................... 17

4.2 CERTIFICATE APPLICATION PROCESSING ............................................................................................... 17 4.2.1 Identity Validation and Execution of Certification Operations ................................................... 17 4.2.2 Approval or Rejection of Certificate Application ........................................................................... 17 4.2.3 Time Required for Certificate Application Procedures ................................................................. 17 4.2.4 CAA Record (Certification Authority Authorization Record) Procedures .................................... 18

4.3 CERTIFICATE ISSUANCE ......................................................................................................................... 18 4.3.1 Certificate Issuance Procedures by Certification Authority ......................................................... 18 4.3.2 Notification of Issuance of Certificate to Subscribers ................................................................... 18

4.4 CERTIFICATE ACCEPTANCE ................................................................................................................... 18 4.4.1 Certificate Acceptance Verification Procedures ............................................................................ 18 4.4.2 Publication of Certificate by Certification Authority .................................................................... 18



4.4.3 Notification of Issuance of Certificate by Certification Authority to Other Participants ........... 18 4.5 KEY PAIR AND CERTIFICATE USAGE ...................................................................................................... 18

4.5.1 Use of Private Key and Certificate by Subscriber ......................................................................... 18 4.5.2 Use of Subscriber's Public Key and Certificate by Relying Party ................................................ 19

4.6 CERTIFICATE RENEWAL NOT INVOLVING REKEY ................................................................................... 19 4.6.1 Requirements for Certificate Renewal Not Involving Kew Renewal ........................................... 19 4.6.2 Persons Who May Request Renewal .............................................................................................. 19 4.6.3 Renewal Request Procedures ......................................................................................................... 19 4.6.4 Notification of Issuance of Renewed Certificate............................................................................ 19 4.6.5 Procedures for Accepting Renewed Certificate ............................................................................. 19 4.6.6 Publication of Renewed Certificate ................................................................................................ 19 4.6.7 Notification of Issuance of Certificate by Certification Authority to Other Participants ........... 19

4.7 CERTIFICATE RENEWAL INVOLVING REKEY ........................................................................................... 19 4.7.1 Requirements for Certificate Renewal Involving Rekey ............................................................... 19 4.7.2 Persons Who May Request Renewal .............................................................................................. 19 4.7.3 Rekey Application Procedures ....................................................................................................... 19 4.7.4 Notification of Issuance of Rekeyed Certificate ............................................................................ 19 4.7.5 Procedures for Accepting Rekeyed Certificate .............................................................................. 20 4.7.6 Publication of Rekeyed Certificate ................................................................................................. 20 4.7.7 Notification of Issuance of Rekeyed Certificate to Other Participants ........................................ 20

4.8 MODIFICATION OF CERTIFICATE ............................................................................................................ 20 4.8.1 Requirements for Modification of Certificate ................................................................................ 20 4.8.2 Persons Who May Request Modification of Certificate ................................................................. 20 4.8.3 Certificate Modification Procedures .............................................................................................. 20 4.8.4 Notification of Issuance of Modified Certificate ............................................................................ 20 4.8.5 Procedures for Accepting Modified Certificate .............................................................................. 20 4.8.6 Publication of Modified Certificate ................................................................................................ 20 4.8.7 Notification of Issuance of Modified Certificate to Other Participants ........................................ 20

4.9 CERTIFICATE REVOCATION AND SUSPENSION ........................................................................................ 20 4.9.1 Revocation Requirements ............................................................................................................... 20 4.9.2 Persons Who May Request Revocation .......................................................................................... 21 4.9.3 Revocation Request Procedures ..................................................................................................... 21 4.9.4 Grace Period up to Revocation Request ......................................................................................... 22 4.9.5 Time Required for Certification Authority to Process Revocation ............................................... 22 4.9.6 Verification of Revocation by Relying Parties ............................................................................... 22 4.9.7 CRL Issue Cycle .............................................................................................................................. 22 4.9.8 Maximum Delay Time up to CRL Issue ........................................................................................ 22 4.9.9 Online Verification of Revocation Information ............................................................................. 22 4.9.10 Online Verification of Certificate Status ....................................................................................... 22 4.9.11 Means for Providing Other Available Revocation Information .................................................... 22 4.9.12 Special Requirements for Compromise of Key .............................................................................. 22 4.9.13 Certificate Suspension Requirements ........................................................................................... 22 4.9.14 Persons Who May Request Suspension ......................................................................................... 22 4.9.15 Suspension Application Procedures ............................................................................................... 22 4.9.16 Term of Suspension ........................................................................................................................ 23

4.10 CERTIFICATE STATUS SERVICES ............................................................................................................ 23 4.10.1 Operational Features ..................................................................................................................... 23 4.10.2 Service Level ................................................................................................................................... 23 4.10.3 Other Requirements ....................................................................................................................... 23

4.11 END OF SUBSCRIPTION (REGISTRATION) ................................................................................................ 23 4.12 THIRD PARTY DEPOSIT OF KEY AND KEY RECOVERY.............................................................................. 23

4.12.1 Policy and Procedures for Key Deposit and Key Recovery ........................................................... 23 4.12.2 Policy and Procedures for Capsulization and Recovery of Session Key ....................................... 23

5. MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS ..................................................... 24

5.1 PHYSICAL SECURITY CONTROLS ............................................................................................................ 24 5.1.1 Site Location and Structure ........................................................................................................... 24 5.1.2 Physical Access ............................................................................................................................... 24 5.1.3 Power and Air-conditioning Equipment ........................................................................................ 24 5.1.4 Flood Control Measures ................................................................................................................. 24 5.1.5 Fire Control Measures .................................................................................................................... 24 5.1.6 Anti-earthquake Measures............................................................................................................. 24 5.1.7 Medium Storage Site ...................................................................................................................... 24 5.1.8 Waste Disposal ............................................................................................................................... 24



5.1.9 Backup Site ..................................................................................................................................... 25 5.2 PROCEDURAL CONTROLS ....................................................................................................................... 25

5.2.1 Relied Roles and Personnel ............................................................................................................ 25 5.2.2 Number of Personnel Required for Each Role ............................................................................... 25 5.2.3 Personal Identification and Validation of Each Role .................................................................... 25 5.2.4 Roles Requiring Segregation of Duties .......................................................................................... 26

5.3 PERSONNEL SECURITY CONTROLS ......................................................................................................... 26 5.3.1 Qualifications, Experience, Clearances ......................................................................................... 26 5.3.2 Background Checks and Clearance Procedures ............................................................................ 26 5.3.3 Training Requirements and Procedures ........................................................................................ 26 5.3.4 Retraining Period and Retraining Procedures .............................................................................. 26 5.3.5 Cycle and Order of Job Rotation .................................................................................................... 26 5.3.6 Sanction against Unauthorized Actions ........................................................................................ 26 5.3.7 Contract Requirements of Contract Employees ............................................................................ 26 5.3.8 Documents Available to Certification Authority Staff .................................................................. 27

5.4 AUDIT LOGGING PROCEDURES ............................................................................................................... 27 5.4.1 Types of Events to be Recorded...................................................................................................... 27 5.4.2 Audit Logging Frequency ............................................................................................................... 27 5.4.3 Audit Log Archival Period .............................................................................................................. 27 5.4.4 Audit Log Protection ....................................................................................................................... 27 5.4.5 Audit Log Backup Procedures ........................................................................................................ 27 5.4.6 Audit Log Collection System .......................................................................................................... 27 5.4.7 Notification to Parties .................................................................................................................... 27 5.4.8 Vulnerability Assessment .............................................................................................................. 27

5.5 RECORDS ARCHIVAL .............................................................................................................................. 28 5.5.1 Records to be Archived ................................................................................................................... 28 5.5.2 Record Archival Period ................................................................................................................... 28 5.5.3 Record Protection ............................................................................................................................ 28 5.5.4 Record Backup Procedures ............................................................................................................. 28 5.5.5 Time-stamping ................................................................................................................................ 28 5.5.6 Record Collecting System ............................................................................................................... 28 5.5.7 Record Acquisition and Validation Procedures ............................................................................. 28

5.6 KEY RENEWAL OF CERTIFICATION AUTHORITY ...................................................................................... 28 5.7 COMPROMISE AND DISASTER RECOVERY ................................................................................................ 29

5.7.1 Compromise and Disaster Recovery Procedures ........................................................................... 29 5.7.2 Procedures upon System Resource Failure ................................................................................... 29 5.7.3 Procedures upon Compromise of Subscriber's Private Key .......................................................... 29 5.7.4 Business Continuity upon Disasters ............................................................................................. 29

5.8 TERMINATION OF CERTIFICATION AUTHORITY OPERATIONS .................................................................. 29

6. TECHNICAL SECURITY CONTROLS................................................................................................. 30

6.1 KEY PAIR GENERATION AND INSTALLATION ........................................................................................... 30 6.1.1 Key Pair Generation ....................................................................................................................... 30 6.1.2 Delivery of Subscriber's Private Key ............................................................................................. 30 6.1.3 Delivery of Subscriber's Private Key to Certification Authority .................................................. 30 6.1.4 Delivery of Certification Authority Private Key to Relying Parties ............................................. 30 6.1.5 Key Length ...................................................................................................................................... 31 6.1.6 Public Key Parameter Generation and Inspection ....................................................................... 31 6.1.7 Key Usage ....................................................................................................................................... 31

6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS ........................... 31 6.2.1 Cryptographic Module Standards and Controls ........................................................................... 31 6.2.2 Private Key Controls by Multiple Persons .................................................................................... 31 6.2.3 Private Key Deposit ........................................................................................................................ 31 6.2.4 Private Key Backup ........................................................................................................................ 32 6.2.5 Private Key Archive ........................................................................................................................ 32 6.2.6 Private Key Transfer ...................................................................................................................... 32 6.2.7 Private Key Storage in Cryptographic Module ............................................................................. 32 6.2.8 Private Key Activation ................................................................................................................... 32 6.2.9 Private Key Non-activation ............................................................................................................ 32 6.2.10 Private Key Destruction ................................................................................................................. 32 6.2.11 Cryptographic Module Assessment ............................................................................................... 32

6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT ........................................................................................ 32 6.3.1 Storage of Public Key ..................................................................................................................... 32 6.3.2 Valid Term of Key Pair ................................................................................................................... 33



6.4 ACTIVATION DATA ................................................................................................................................. 33 6.4.1 Generation and Setting of Activation Data ................................................................................... 33 6.4.2 Activation Data Protection and Controls ...................................................................................... 33

6.5 COMPUTER SECURITY CONTROLS .......................................................................................................... 33 6.5.1 Technical Requirements of Computer Security............................................................................. 33 6.5.2 Computer Security Assessment ..................................................................................................... 33

6.6 LIFE CYCLE SECURITY CONTROLS ......................................................................................................... 33 6.6.1 System Development Controls ....................................................................................................... 33 6.6.2 Security Operation Controls .......................................................................................................... 33 6.6.3 Life Cycle Security Controls ........................................................................................................... 34

6.7 NETWORK SECURITY CONTROLS ............................................................................................................ 34 6.8 TIME-STAMPING .................................................................................................................................... 34

7. CERTIFICATE, CRL AND OCSP PROFILES ...................................................................................... 35

7.1 CERTIFICATE PROFILE ........................................................................................................................... 35 7.1.1 Version No. ...................................................................................................................................... 35 7.1.2 Certificate Extensions .................................................................................................................... 35 7.1.3 Algorithm Object Identifier ............................................................................................................ 35 7.1.4 Name Format .................................................................................................................................. 35 7.1.5 Name Restrictions .......................................................................................................................... 35 7.1.6 Certificate Policy Object Identifier ................................................................................................ 35 7.1.7 Use of Policy Constraint Extensions .............................................................................................. 35 7.1.8 Construction and Meaning of Policy Modifier ............................................................................... 35 7.1.9 Processing Method of Certificate Policy Extensions ..................................................................... 35

7.2 CRL PROFILE ........................................................................................................................................ 35 7.2.1 Version No. ...................................................................................................................................... 35 7.2.2 CRL, CRL Entry Extension ............................................................................................................ 35

7.3 OCSP PROFILE ..................................................................................................................................... 36 7.3.1 Version No. ...................................................................................................................................... 36 7.3.2 OCSP Extension ............................................................................................................................. 36

8. COMPLIANCE AUDIT AND OTHER ASSESSMENT ......................................................................... 37

8.1 AUDIT FREQUENCY AND REQUIREMENTS ............................................................................................... 37 8.2 AUDITOR REQUIREMENTS ...................................................................................................................... 37 8.3 RELATION OF AUDITOR AND AUDITEE .................................................................................................... 37 8.4 SCOPE OF AUDIT ................................................................................................................................... 37 8.5 MEASURES AGAINST IDENTIFIED MATTERS ............................................................................................ 37 8.6 DISCLOSURE OF AUDIT RESULTS ........................................................................................................... 37

9. OTHER BUSINESS AND LEGAL MATTERS ...................................................................................... 38

9.1 FEES ..................................................................................................................................................... 38 9.2 FINANCIAL RESPONSIBILITY .................................................................................................................. 38 9.3 CONFIDENTIALITY OF BUSINESS INFORMATION ..................................................................................... 38

9.3.1 Scope of Confidential Information ................................................................................................. 38 9.3.2 Information Outside Scope of Confidential Information .............................................................. 38 9.3.3 Responsibility of Protecting Confidential Information ................................................................. 39

9.4 PROTECTION OF PERSONAL INFORMATION ............................................................................................. 39 9.4.1 Privacy Policy.................................................................................................................................. 39 9.4.2 Information Handled as Personal Information ............................................................................. 39 9.4.3 Information not Deemed Personal Information ............................................................................ 39 9.4.4 Responsibility of Protecting Personal Information ....................................................................... 39 9.4.5 Notification to and Approval from Individuals on Use of Personal Information ......................... 39 9.4.6 Disclosure based on Judicial or Administrative Procedures ........................................................ 39 9.4.7 Other Cases of Information Disclosure .......................................................................................... 40

9.5 INTELLECTUAL PROPERTY RIGHTS ........................................................................................................ 40 9.6 REPRESENTATIONS AND WARRANTIES ................................................................................................... 40

9.6.1 Representations and Warranties of Issuing Authority ................................................................. 40 9.6.2 Representations and Warranties of Registration Authority ........................................................ 40 9.6.3 Representations and Warranties of Subscribers ........................................................................... 40 9.6.4 Representations and Warranties of Relying Parties ..................................................................... 41 9.6.5 Representations and Warranties of Other Participants ............................................................... 41

9.7 DISCLAIMERS OF WARRANTIES .............................................................................................................. 41 9.8 LIMITATIONS OF LIABILITY .................................................................................................................... 41 9.9 INDEMNITIES ......................................................................................................................................... 42



9.10 TERM OF DOCUMENT AND TERMINATION ............................................................................................... 42 9.10.1 Term of Document .......................................................................................................................... 42 9.10.2 Termination .................................................................................................................................... 42 9.10.3 Influence of Termination and Surviving Provisions ..................................................................... 42

9.11 INDIVIDUAL NOTIFICATIONS AND COMMUNICATIONS WITH PARTICIPANTS ............................................. 43 9.12 AMENDMENTS ....................................................................................................................................... 43

9.12.1 Amendment Procedures ................................................................................................................. 43 9.12.2 Notification Method and Period ..................................................................................................... 43 9.12.3 Modification of Object Identifier .................................................................................................... 43

9.13 DISPUTE RESOLUTION PROCEDURES ..................................................................................................... 43 9.14 GOVERNING LAW ................................................................................................................................... 43 9.15 COMPLIANCE WITH APPLICABLE LAW .................................................................................................... 43 9.16 MISCELLANEOUS PROVISIONS ............................................................................................................... 43

9.16.1 Entire Agreement ........................................................................................................................... 43 9.16.2 Assignment of Rights...................................................................................................................... 43 9.16.3 Severability ..................................................................................................................................... 44 9.16.4 Enforceability .................................................................................................................................. 44 9.16.5 Force Majeure ................................................................................................................................. 44

APPENDIX A: LIST OF DEFINITIONS .................................................................................................... 45

APPENDIX B: PROFILE OF CERTIFICATE ............................................................................................ 48



1. Introduction

1.1 Overview Cybertrust Japan Co., Ltd. ("Cybertrust") will issue SureServer EV Certificates (unless separately

provided for herein, "certificate(s)") in Japan.

The SureServer EV Certificate is an Extended Validation Certificate ("EVC") for use in certifying

servers and network devices upon performing SSL/TLS communication based on the "Guidelines For

The Issuance And Management Of Extended Validation Certificates" ("EVC Guidelines") set forth by

the CA/Browser Forum.

A subscriber's certificate is issued by the certificate authority operated by Cybertrust ("Certification

Authority").

The Certification Authority has been certified by the Root CA operated by DigiCert.

Name of Certification Authority Cybertrust Japan EV CA G2

Serial Number of Certification Authority

Certificate 0aa15896a4d1af800da1690ef4a3afb4

Valid Term of Certification Authority Certificate July 13, 2017 to December 14, 2021

Signature System SHA2 with RSA

Key Length of Certification Authority 2048 bit

Certificates to be Issued SureServer EV Certificate

Root CA Cybertrust Global Root



Certificate 040000000001446e1952e6

Valid Term of Certification Authority Certificate February 26, 2014 to December 10, 2019







Certificate 040000000001437203349a

Valid Term of Certification Authority Certificate January 8, 2014 to December 10, 2019









Certificate 0400000000013ae537ed9e

Valid Term of Certification Authority Certificate November 9, 2012 to December 19, 2019





The Certification Authority is compliant with the following guidelines and laws and ordinances in

order to issue certificates:

(i) EVC Guidelines;

(ii) Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates;

(iii) Extended Validation Certificate Certification Practice Statement;

(iv) agreement concerning signature based on DigiCert's Root CA; and

(v) laws of Japan that are applicable to the operations to be performed by the Certification Authority established in Japan.

The Certification Authority is compliant with the latest version of the EVC Guidelines and the

Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted

Certificates (collectively, "Guidelines, etc.") published in http://www.cabforum.org. If there is any

discrepancy between this "Extended Validation Certificate Certification Practice Statement" (this

"CPS") and the Guidelines, etc., the Guidelines, etc. shall prevail.

This CPS prescribes the requirements for the Certification Authority to issue certificates. The

requirements include obligations of the Certification Authority, obligations of subscribers, and

obligations of relying parties.

Upon specifying the various requirements in this CPS, the Certification Authority shall adopt the

RFC3647 "Certificate Policy and Certification Practices Framework" set forth by the IETF PKIX

Working Group. RFC3647 is an international guideline that sets forth the framework of CPS or CP.

Matters that do not apply to the Certification Authority in the respective provisions of this CPS

provided based on the framework of RFC3647 will be indicated as "Not applicable".

The Certification Authority will not individually prescribe a policy for each subscriber certificate

("CP"), and this CPS shall include the respective CPs.

1.2 Document Name and Identification The official name of this CPS shall be the "Extended Validation Certificate Certification Practice

Statement".

1.3 PKI Participants The PKI Participants described in this CPS are set forth below. Each of the relevant parties must

observe the obligations set forth in this CPS.

1.3.1 Certification Authority

The Certification Authority set forth in "1.1 Overview" of this CPS. The Certification Authority is

composed from an Issuing Authority and a Registration Authority. The Certification Authority shall

be governed by the Certification Authority Supervisor set forth in "5.2.1 Relied Roles and Personnel"

of this CPS, and approve this CPS.



1.3.2 Registration Authority

The Registration Authority is operated by Cybertrust, and accepts applications for certificates from

subscribers, and screens the applications based on this CPS. Based on the screening results, the

Registration Authority instructs the Issuing Authority to issue or revoke the certificates of subscribers,

or dismisses the applications.

1.3.3 Issuing Authority

The Issuing Authority is operated by Cybertrust, and issues or revokes certificates of subscribers

based on instructions from the Registration Authority. The Issuing Authority also controls the private

key of the Certification Authority based on this CPS.

1.3.4 Subscriber

A subscriber is an organization that applies for a certificate with the Certification Authority and uses

the certificate based on this CPS and the subscriber agreement, and is a corporation registered in

Japan or a Japanese administrative agency.

A person who is responsible for applying for a subscriber's certificate is referred to as an application

supervisor. A subscriber must appoint an application supervisor among persons affiliated with the

subscriber's organization.

Persons affiliated with the subscriber who may apply for a certificate with the Certification Authority

shall be limited to the application supervisor, or a procedural manager who is authorized by the

application supervisor to submit an application. The procedural manager may be appointed among

persons inside or outside the subscriber's organization. When the procedural manager is to be

appointed from the outside, the procedural manager may be an individual or an organization. The

procedural manager appointed among persons outside the subscriber's organization may be defined as

the "Applicant's Agent" in the subscriber agreement, etc.

1.3.5 Relying Party

A relying party is an organization or an individual that verifies the validity of the certificates of the

Certification Authority and subscribers, and relies on the certificates the Certification Authority and

subscribers based on one's own judgment.

1.3.6 Other Participants

Not applicable.

1.4 Certificate Usage

1.4.1 Types of Certificates

The Certification Authority will issue the following certificates to subscribers.

1.4.1.1 SureServer EV Certificate

A certificate certifies a subscriber's server or network device, and realizes the SSL/TLS encrypted

communication between such server or network device and a relying party's client device. Upon

issuing a certificate, the Registration Authority shall screen the following matters based on this CPS:

(i) legal and physical existence of subscribers;

(ii) existence of the subscriber's business (provided, however, that this shall be implemented when 3 years have not elapsed from the establishment of the subscriber's organization, and

its physical existence cannot be verified in the screening);

(iii) a subscriber has the right to use the Fully-Qualified Domain Name ("FQDN") included in the SureServer EV Certificate;

(iv) any of the following information is not included in the organizational unit (OU) :

(a) FQDN;

(b) a value containing a character string that indicates the corporate status such as "CO.,

Ltd." or "Co. Ltd.";



(c) address (i.e., the value indicating a location);

(d) a name, company name, or trademark that belongs to other party but not to the

Applicant;

(e) symbols including a dot, hyphen, space, and the equivalent as well as a character string

consisting solely of spaces or combination of symbols and/or spaces; or,

(f) a character string to indicate "not applicable," "incomplete," "blank,” and the equivalent

indicated by "NULL," "unknown," or "N/A";

(v) name, title and authority of an application supervisor;

(vi) acceptance of the subscriber agreement;

(vii) approval of the application supervisor for the procedural manager to submit an application.; and

(viii) high risk status, etc.*

*The following will be surveyed as the high risk status, etc.:

▪ past fishing cases;

▪ records of applications that were dismissed or records of certificates that were revoked by the Certification Authority in the past due to suspicion of fishing and

other fraudulent acts; and

▪ punishment by an administrative agency against a subscriber (trade embargo).

If there is suspicion of fraudulent use of a certificate for which an application was submitted

with the Certification Authority based on the foregoing survey, the Certification Authority

shall perform additional screening that it deems appropriate as needed.

1.4.2 Appropriate Certificate Uses

Uses of a subscriber's certificate shall be as set forth below.

(i) Certification of devices (server, network device, etc.) in which the SureServer EV Certificate is to be used; and

(ii) SSL or TLS encrypted communication.

1.4.3 Prohibited Certificate Uses

The Certification Authority prohibits the use of certificates for any purpose other than as set forth in

"1.4.2 Appropriate Certificate Uses" of this CPS.

1.5 Policy Administration

1.5.1 Organization Administering Documents

This CPS and the subscriber agreement will be administered by the Certification Authority.



1.5.2 Contact Point

The Certification Authority will accept inquiries related to the services provided by Cybertrust and

this CPS at the following contact information.

1.5.3 Party to Determine Suitability of CPS

Certificates of the Certification Authority will be issued by the Root CA operated by DigiCert. In

order to receive the issuance of a certificate from the Root CA, this CPS must comply with the

matters requested by DigiCert. DigiCert will assess and determine the suitability of this CPS.

1.5.4 Suitability Approval Procedures

The suitability described in "1.5.3 Party to Determine Suitability of CPS" of this CPS shall go

through an external audit, and then be approved by DigiCert.

1.6 Definitions and Acronyms As prescribed in Appendix A of this CPS.

Contact Information

Cybertrust Japan Co., Ltd. SureServer EV Section

Address: 13F SE Sapporo Bldg., 1-1-2 Kita 7-jo Nishi, Kita-ku, Sapporo-shi 060-0807

Tel: 011-708-5283

Business Days: Monday to Friday (excluding national holidays and December 29 to January 4)

Business Hours: 9:00 to 18:00

Inquiries and complaints: As indicated below

Description Address

▪ Inquiries regarding the application process for issuance and technical inquiries

▪ Other inquiries regarding this CPS, etc.

[email protected]

▪ Inquiries regarding revocation requests and application process

▪ Inquiries regarding problems with certificates or

upon discovery of fraudulent certificates

▪ Communication of other complaints

[email protected]



2. Publication and Repository Responsibilities

2.1 Organization to Control Repositories Repositories of the Certification Authority will be controlled by Cybertrust.

2.2 Information to be Published

The Certification Authority will publish the repositories as follows.

Publish the following information on https://www.cybertrust.ne.jp/ssl/repository/index.html:

▪ this CPS;

▪ subscriber agreement; and

▪ other terms and conditions regarding the services of the Certification Authority (the

"Related Rules")

Publish the following information on:

http://sureseries-crl.cybertrust.ne.jp/SureServer/2021_ev/cdp.crl.

▪ CRL issued by Cybertrust Japan EV CA G2

Publish the following information on:

https://www.cybertrust.ne.jp/sureserver/support/download_ca.html.

▪ Certificates of the Certification Authority

2.3 Timing and Frequency of Publication The timing and frequency of publication regarding the information to be published by the

Certification Authority shall be as follows; save for cases where repository maintenance or the like is

required, but CRL shall be published 24 hours:

(i) this CPS, the subscriber agreement, and other terms and conditions regarding the services of the Certification Authority shall be published each time they are amended;

(ii) this CRL shall be renewed according to the cycle prescribed in "4.9.7 CRL Issue Cycle" of this CPS and the published; and

(iii) the certificates of the Certification Authority shall be published at least during the effective period.

2.4 Access Control on Repositories The Certification Authority shall not perform special access control on the repositories.



3. Identification and Authentication

3.1 Naming

3.1.1 Types of Names

Subscribers will be identified based on the X.500 Distinguished Name ("DN") in the certificate.

3.1.2 Need for Names to be Meaningful

The name included in the DN of the certificate shall have the meaning of the subsequent paragraph.

3.1.2.1 SureServer EV Certificate

DN Item Meaning

Common Name Complete host name of server or network device to use the certificate

Organization Name of organization of subscriber

Organization Unit

*(voluntary item)

Business division, service, etc.

*Any of the values described in "1.4.1.1 SureServer Certificate (iii)" in

this CPS must not be included.

Locality Address of business location (locality)

State or Province Address of business location (state or province)

Country Address of business location (country)

Business Category

Information for identifying form of organization set forth in the EVC

Guidelines

Private Organization

Government Entity

Business Entity

Non-Commercial Entity

Serial Number For private organizations, indicate the corporate registration number

For government entities, indicate "The Subject is a Government Entity"

Jurisdiction of

Incorporation State

or Province

Jurisdiction of Incorporation State or Province

Jurisdiction of

Incorporation

Country

Jurisdiction of Incorporation Country



3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers

Not applicable.

3.1.4 Rules for Interpreting Various Name Forms

Rules for interpreting the DN form of certificates issued by the Certification Authority shall be

pursuant to X.500.

3.1.5 Uniqueness of Names

The certificates issued by the Certification Authority can uniquely identify a subscriber based on the

DN.

3.1.6 Recognition, Authentication, and Role of Trademarks

The Certification Authority does not verify, via screening, the copyrights, trade secrets, trademark

rights, utility model rights, patent rights and other intellectual property rights (including, but not

limited to, rights for obtaining patents and other intellectual properties; simply "Intellectual Property

Rights") upon issuing a subscriber's certificate.

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

A certificate issuance request ("CSR") which constitutes a part of the application information from a

subscriber includes a digital signature encrypted with a public key and a private key corresponding to

the public key.

The Certification Authority will verify the digital signature by using the public key included in the

CSR and thereby validate that the digital signature was signed using the subscriber's private key, and

determine that the subscriber is in possession of the private key.

3.2.2 Verification of Subscribers

The Certification Authority shall screen and verify the matters set forth in "1.4.1.1 SureServer EV

Certificate" of this CPS.

Upon verifying the subscriber, the Certification Authority shall use public documents and data,

documents and data provided by a third party that is deemed reliable by the Certification Authority,

and documents provided by the subscriber based on the EVC Guidelines, as well as make inquiries to

an appropriate individual affiliated with the subscriber.

However, when there are documents or data that were received from the subscriber or documents or

data that were independently obtained by the Certification Authority during the period that was

posted on the website by Cybertrust or the period notified to the subscriber, and such documents or

data have been screened by the Certification Authority, the Certification Authority shall not request

the resubmission of such documents or data.

Moreover, when a subscriber is to apply for a certificate with a domain name owned by a third party,

the Certification Authority shall verify with the organization or individual that owns the domain name

regarding whether the FQDN has been exclusively licensed to the subscriber.

Details regarding the verification procedures to be requested to subscribers shall be posted on

Cybertrust's website or notified individually to the subscribers.

3.2.3 Non-verified Subscriber Information

The Certificate Authority will not verify the truthfulness and accuracy of the information described in

the subscriber's organization unit (OU).



3.2.4 Verification of Application Supervisor

The Certification Authority shall verify the name and title of the application supervisor and the

authority to submit an application on behalf of the subscriber. The Certification Authority shall

additionally verify that the application supervisor has accepted the subscriber agreement and

approved the filing of an application by the procedural manager by way of callback. The phone

number to be used for the callback shall be a number provided by a third party.

3.2.5 Interoperability Standards

Not applicable.

3.3 Identification and Authentication for Key (Certificate) Renewal Request

3.3.1 Identification and Authentication upon Renewal for Routine Key (Certificate) Renewal

The provisions of "3.2 Initial Identity Validation" of this CPS shall apply correspondingly.

3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation

To be performed based on the same procedures as "3.2 Initial Identity Validation" of this CPS.

However, when it is verified that the public key, certification information and expiration date

included in the CSR of the re-issuance application coincide with the certificate of the re-issuer,

verification based on "3.2 Initial Identity Validation" of this CPS will not be performed, and a

certificate shall be issued based on the verification of the foregoing coincidence.

3.4 Identity Validation and Authentication upon Revocation Request

When the Certification Authority receives a revocation request from a subscriber via email, the

Certification Authority shall verify the identity of the person who submitted the application, that such

person is authorized to submit an application, and the reason of revocation. As the verification

method, the Certification Authority shall compare the information notified to the Certification

Authority upon application for issuance of a certificate and the information only known to the

Certification Authority and the subscriber.

Upon receiving a revocation request for a certificate of a specific subscriber other than the subscriber

of that certificate, the Certification Authority shall survey the reason of revocation and verify with the

subscriber.

When the reason for revocation in the revocation request from a subscriber or a party other than that

subscriber corresponds to a revocation event set forth in the subscriber agreement of the certificate,

the Certification Authority shall revoke the certificate upon notifying the subscriber.

The email address to be used for the revocation request is indicated in "1.5.2 Contact Point" and

Cybertrust's website.



4. Certificate Life-Cycle Operational Requirements

4.1 Certificate Application

4.1.1 Persons Who May Apply for Certificates

Persons who may apply for a certificate with the Certification Authority shall only be the application

supervisor, or a procedural manager who was authorized by the application supervisor submit an

application.

Appointment of the application supervisor or the procedural manager shall be pursuant to the

provisions of "1.3.4 Subscriber" of this CPS.

The Certification Authority's verification of a subscriber's intent to submit an application shall be

answered by the application supervisor.

4.1.2 Enrollment Process and Responsibilities

A subscriber shall apply for a certificate upon accepting this CPS and the subscriber agreement. Upon

filing an application, a subscriber is responsible for providing true and accurate information to the

Certification Authority.

The method of applying for a certificate will be posted on Cybertrust's website. Moreover, the method

of applying for a certificate based on SureHandsOn provided by Cybertrust will be explained

individually to subscribers.

4.2 Certificate Application Processing

4.2.1 Identity Validation and Execution of Certification Operations

To be performed by the Registration Authority of the Certification Authority based on the same

procedures as "3.2 Initial Identity Validation" of this CPS.

4.2.2 Approval or Rejection of Certificate Application

When all requirements prescribed in "3.2 Initial Identity Validation" of this CPS are confirmed, the

Registration Authority of the Certification Authority shall approve the application, and instruct the

Issuing Authority to issue a certificate. The Certification Authority will never notify the subscriber of

such issuance in advance.

Meanwhile, when the requirements prescribed in "3.2 Initial Identity Validation" of this CPS are not

satisfied, the Certification Authority shall dismiss the application for issuing a certificate, and reject

issuance. In the foregoing case, the Certification Authority shall notify the reason of such rejection to

the application supervisor or the procedural manager who submitted the application. The Certification

Authority will not return the information and data obtained from the application supervisor or the

procedural manager during the application process.

When the application supervisor or the procedural manager withdraws the submitted application, the

Certification Authority shall dismiss such application. The Certification Authority will not return the

information and data obtained from the application supervisor or the procedural manager during the

application process.

4.2.3 Time Required for Certificate Application Procedures

After the Registration Authority of the Certification Authority processes the application based on the

provisions of "4.2 Certificate Application Procedures" of this CPS, the Issuing Authority shall

promptly issue a SureServer EV Certificate.



4.2.4 CAA Record (Certification Authority Authorization Record) Procedures

The Certification Authority will verify the CAA Record defined in RFC6844（DNS Certification

Authority Authorization (CAA) Resource Record）

If the CAA record (issue / issuewild) contains any of the following values, the Certification Authority

recognizeｓ that it is designated as a certificate authority that permits issuance of the certificates.

・cybertrust.ne.jp

・digicert.ne.jp

・digicert.com

4.3 Certificate Issuance

4.3.1 Certificate Issuance Procedures by Certification Authority

After completing the application procedures based on "3.2 Initial Identity Validation" of this CPS, the

Registration Authority of the Certification Authority shall instruct the Issuing Authority to issue the

subscriber's certificate. Simultaneously with issuing the certificate, the Issuing Authority shall send to

the subscriber the notice set forth in "4.3.2 Notification of Issuance of certificate to Subscriber" of this

CPS.

Note that the subscriber agreement of the certificate between Cybertrust and the subscriber shall come

into force from the time that the subscriber applies for the issuance of a certificate.

4.3.2 Notification of Issuance of Certificate to Subscribers

Promptly after the certificate is issued, the Certification Authority shall send an email to the email

address designated by the subscriber at the time of application to the effect that the certificate has

been issued, and the procedures required for the subscriber to accept the certificate.

4.4 Certificate Acceptance

4.4.1 Certificate Acceptance Verification Procedures

A subscriber shall accept a certificate according to the notified contents recorded in the email sent

from the Certification Authority based on the provisions of "4.3.2 Notification of Issuance of

certificate to Subscriber" of this CPS. The Certification Authority shall deem that a subscriber has

accepted the certificate when the subscriber downloads the certificate from Cybertrust's prescribed

website.

4.4.2 Publication of Certificate by Certification Authority

The Certification Authority shall not publish a subscriber's certificate.

4.4.3 Notification of Issuance of Certificate by Certification Authority to Other Participants

The Certification Authority shall not notify the issuance of the certificate based on "4.3.2 Notification

of Issuance of Certificate to Subscribers" of this CPS other than to the email address designated by

the subscriber.

4.5 Key Pair and Certificate Usage

4.5.1 Use of Private Key and Certificate by Subscriber

A subscriber shall use its private key and certificate only for the usage set forth in "1.4.2 Appropriate

Certificate Uses" of this CPS, and use for any other usage is not allowed. Moreover, a subscriber's

private key and certificate may only be used by the subscriber, and the subscriber must not license the

use thereof to a third party. Other obligations of a subscriber regarding the use of its private key and

certificate are set forth in "9.6.3 Representations and Warranties of Subscribers" of this CPS.



4.5.2 Use of Subscriber's Public Key and Certificate by Relying Party

A relying party shall confirm, under its own responsibility, the validity of the certificate that is used

by a subscriber for the usage set forth in "1.4.2 Appropriate Certificate Uses" of this CPS.

Other obligations of a relying party regarding the use of a subscriber's public key and certificate are

set forth in "9.6.4 Representations and Warranties of Relying Parties".

4.6 Certificate Renewal Not Involving Rekey

4.6.1 Requirements for Certificate Renewal Not Involving Kew Renewal

The Certification Authority shall accept a renewal request pursuant to the expiration of the valid term

of the certificate used by a subscriber.

4.6.2 Persons Who May Request Renewal

The provisions of "4.1.1 Persons Who May Apply for Certificates" of this CPS shall apply

correspondingly.

4.6.3 Renewal Request Procedures

The provisions of "4.2 Certificate Application Procedures" of this CPS shall apply correspondingly.

4.6.4 Notification of Issuance of Renewed Certificate

The provisions of "4.3.2 Notification of Issuance of Certificate to Subscribers" of this CPS shall apply

correspondingly.

4.6.5 Procedures for Accepting Renewed Certificate

The provisions of "4.4.1 Certificate Acceptance Verification Procedures" of this CPS shall apply

correspondingly.

4.6.6 Publication of Renewed Certificate

The provisions of "4.4.2 Publication of Certificate by Certification Authority" of this CPS shall apply

correspondingly.

4.6.7 Notification of Issuance of Certificate by Certification Authority to Other Participants

The provisions of "4.4.3 Notification of Issuance of Certificate by Certification Authority to Other

Participants" of this CPS shall apply correspondingly.

4.7 Certificate Renewal Involving Rekey

4.7.1 Requirements for Certificate Renewal Involving Rekey

The Certification Authority shall accept a renewal request pursuant to the expiration of the valid term

of the certificate used by a subscriber.

4.7.2 Persons Who May Request Renewal

The provisions of "4.1.1 Persons Who May Apply for Certificates" of this CPS shall apply

correspondingly.

4.7.3 Rekey Application Procedures

The provisions of "4.2 Certificate Application Procedures" of this CPS shall apply correspondingly.

4.7.4 Notification of Issuance of Rekeyed Certificate

The provisions of "4.3.2 Notification of Issuance of Certificate to Subscribers" of this CPS shall apply

correspondingly.



4.7.5 Procedures for Accepting Rekeyed Certificate

The provisions of "4.4.1 Certificate Acceptance Verification Procedures" of this CPS shall apply

correspondingly.

4.7.6 Publication of Rekeyed Certificate

The provisions of "4.4.2 Publication of Certificate by Certification Authority" of this CPS shall apply

correspondingly.

4.7.7 Notification of Issuance of Rekeyed Certificate to Other Participants

The provisions of "4.7.7 Notification of Issuance of Certificate by Certification Authority to Other

Participants" of this CPS shall apply correspondingly.

4.8 Modification of Certificate

4.8.1 Requirements for Modification of Certificate

The Certification Authority shall not accept a request for modifying a previously issued certificate.

If there is any modification to the certificate information, a subscriber must promptly submit an

application to the Certification Authority for revoking the corresponding certificate.

4.8.2 Persons Who May Request Modification of Certificate

Not applicable.

4.8.3 Certificate Modification Procedures

Not applicable.

4.8.4 Notification of Issuance of Modified Certificate

Not applicable.

4.8.5 Procedures for Accepting Modified Certificate

Not applicable.

4.8.6 Publication of Modified Certificate

Not applicable.

4.8.7 Notification of Issuance of Modified Certificate to Other Participants

Not applicable.

4.9 Certificate Revocation and Suspension

4.9.1 Revocation Requirements

4.9.1.1 Reason of Revocation by Subscriber

In the occurrence of any one of the following events, a subscriber must submit a request to the

Certification Authority for revoking the corresponding certificate:

(i) a subscriber discovers a certificate that was issued based on an application for issuance that was not approved by the subscriber;

(ii) a subscriber learns that it's private key has been compromised or there is a possibility thereof;

(iii) a subscriber learns of the unauthorized use of its private key or certificate or the possibility thereof;



(iv) there is modification to the contents of a subscriber's certificate;

(v) a subscriber loses its right to exclusively use the FQDN included in the certificate;

(vi) a subscriber discovers that any of the following items described in “1.4.1.1 SureServer Certificate (iv)” in this CPS are included in the organization unit (OU) of the certificate;

(vii) a subscriber wishes to cancel the subscriber agreement; or

(viii) a subscriber wishes to request the free reissuance of a certificate set forth in "9.1 Fees" of this CPS.

4.9.1.2 Reason of Revocation by Certification Authority

In the occurrence of any one of the following events, the Certification Authority may revoke a

subscriber's certificate, without having to go through "4.9.3 Revocation Request Procedures" of this

CPS, at the time that such event is discovered; provided, however, that, with regard to (xi) below, the

Certification Authority may revoke the certificate on a day that is separately notified by the

Certification Authority before termination of operations:

(i) a subscriber breaches this CPS or the subscriber agreement and, even after the Certification Authority sends a notice to the subscriber demanding the correction of said breach, the

subscriber fails to correct the breach after the lapse of seven (7) days after the dispatch of

the foregoing notice;

(ii) a subscriber fails to pay the fee of the certificate in breach of Cybertrust's prescribed billing conditions;

(iii) the Certification Authority learns, based on reasonable evidence, that a subscriber's private key has been compromised or there is a possibility thereof;

(iv) the Certification Authority learns, based on reasonable evidence, that the contents of a subscriber's certificate are contrary to facts;

(v) Cybertrust cancels the subscriber agreement with a subscriber based on the subscriber agreement;

(vi) the Certification Authority learns, based on reasonable evidence, that a subscriber lost its right to exclusively use the FQDN included in the SureServer EV Certificate;

(vii) the Certification Authority learns that, based on reasonable evidence, any of the following items described in “1.4.1.1 SureServer Certificate (iv)” in this CPS are included in the

organization unit (OU) of the certificate;

(viii) the Certification Authority learns, based on reasonable evidence, that a subscriber's certificate is being used without authorization;

(ix) Cybertrust learns, based on reasonable evidence, that Subscriber was subject to a trade embargo by an administrative organ;

(x) the Certification Authority learns that the private key of the Certification Authority and the Root CA has been compromised or there is a possibility thereof;

(xi) the Certification Authority issues a certificate without conforming to this CPS or the EVC Guidelines (provided, however, that in the foregoing case, the Certification Authority shall

reissue an official certificate free of charge); or

(xii) the Certification Authority terminates its certification operations.

4.9.2 Persons Who May Request Revocation

Persons who may request revocation shall be the application supervisor, the procedural manager, or

an agent who is duly authorized by the subscriber and who knows information that was notified by

the Certification Authority when the issuance application of the certificate was submitted and which

is shared only between the Certification Authority and the subscriber.

4.9.3 Revocation Request Procedures

A subscriber shall submit a revocation request via email. The email must include information that is

known only to the Certification Authority and the subscriber, reason of revocation, contact

information and so on in accordance with instructions of the Certification Authority. The Certification

Authority shall verify the reason of revocation as prescribed in "3.4 Identity Validation and

Authentication upon Revocation Request" of this CPS.



After revoking the certificate, the Certification Authority shall promptly notify the subscriber to such

effect. For revocations that involve the free reissuance of a certificate set forth in "9.1 Fees" of this

CPS, there may be cases where the notice of revocation is given together with the notice of free

reissuance of a certificate.

4.9.4 Grace Period up to Revocation Request

In the occurrence of an event corresponding to "4.9.1.1 Reason of Revocation by Subscriber" of this

CPS, a subscriber shall promptly submit a revocation request.

4.9.5 Time Required for Certification Authority to Process Revocation

The Certification Authority will accept the revocation request 24/7.

The Registration Authority of the Certification Authority shall receive the revocation request, take the

procedures based on the provisions of "4.9.3 Revocation Request Procedures" of this CPS, and

thereafter promptly instruct the Issuing Authority to revoke the target certificate. After receiving the

revocation instruction, the Issuing Authority shall promptly revoke the relevant certificate.

4.9.6 Verification of Revocation by Relying Parties

The relying parties shall verify the certificate revocation with the CRL issued by the Certification

Authority or the OCSP (Online Certificate Status Protocol).

4.9.7 CRL Issue Cycle

The Certification Authority will issue the CRL in a cycle of less than 24 hours.

4.9.8 Maximum Delay Time up to CRL Issue

The valid term of the Certification Authority's CRL is 120 hours.

The Certification Authority shall publish the certificate in the repository no later than one (1) hour

after the issuance thereof.

4.9.9 Online Verification of Revocation Information

The Certification Authority shall provide revocation information based on OCSP, in addition to CRL.

The Certification Authority shall renew the OCSP response, which has a valid term of 124 hours, in a

cycle of less than 24 hours.

4.9.10 Online Verification of Certificate Status

Not applicable.

4.9.11 Means for Providing Other Available Revocation Information

Not applicable.

4.9.12 Special Requirements for Compromise of Key

When the Certification Authority learns that a subscriber's private key has been compromised, or

there is a possibility thereof, the Certification Authority will take revocation procedures based on

"4.9.3 Revocation Request Procedures" of this CPS.

4.9.13 Certificate Suspension Requirements

The Certification Authority will not accept applications for suspending the certificates.

4.9.14 Persons Who May Request Suspension

Not applicable.

4.9.15 Suspension Application Procedures

Not applicable.



4.9.16 Term of Suspension

Not applicable.

4.10 Certificate Status Services The Certification Authority shall not provide services that will enable the verification of the

certificate status other than by way of CRL and OCSP

4.10.1 Operational Features

Not applicable.

4.10.2 Service Level

Not applicable.

4.10.3 Other Requirements

Not applicable.

4.11 End of Subscription (Registration) The reasons for ending the use of a subscriber's certificate shall be set forth in the subscriber

agreement. Moreover, if a subscriber wishes to terminate the subscriber agreement midway during the

valid term of the certificate, the subscriber must submit a certificate revocation request with the

Certification Authority based on "4.9.3 Revocation Request Procedures" of this CPS.

4.12 Third Party Deposit of Key and Key Recovery

4.12.1 Policy and Procedures for Key Deposit and Key Recovery

Not applicable.

4.12.2 Policy and Procedures for Capsulization and Recovery of Session Key

Not applicable.



5. Management, Operational, And Physical Controls

5.1 Physical Security Controls

5.1.1 Site Location and Structure

The Certification Authority system shall be installed in a facility that is not easily affected by

earthquakes, fires, floods and other disasters (the "Facility"; unless separately prescribed herein, the

term "Facility" as used herein shall include the main site and the backup site set forth in "5.1.9

Backup Site" of this CPS). The Facility shall undergo architectural measures for preventing

earthquakes, fires, floods and other disasters as well as preventing unauthorized invasion. Information

regarding the location of the Certification Authority shall not be indicated outside or inside the

building where the Facility is located.

5.1.2 Physical Access

The Facility and the respective rooms where certification operations are performed in the Facility

shall be set with a security level according to the importance of the operation, and suitable

entrance/exit control shall be performed. For authentication upon entering/existing the room, an

entrance/exit card or biometric identification or other implementable technological means shall be

used in accordance with the security level. For entry into particularly important rooms and one or

both doors of the safe used for storing the Certification Authority's system and other important assets

i