HYDRANTID SSL ISSUING CA CERTIFICATE POLICY/CERTIFICATION PRACTICE STATEMENT

Transcription

1 HYDRANTID SSL ISSUING CA CERTIFICATE POLICY/CERTIFICATION PRACTICE STATEMENT September 15, 2017 Version: 1.1 Copyright HydrantID All rights reserved. This document shall not be duplicated, used, or disclosed in whole or in part for any purposes other than those approved by HydrantID.

2 Important Note About this Document This document is the Certificate Policy/Certification Practice Statement herein after referred to as the Certificate Policy & Certification Practice Statement (CP/CPS), adopted by Avalanche Cloud Corporation, doing business as (DBA) HydrantID and which is a Delaware Corporation ( HydrantID ). The HydrantID CP/CPS contains an overview of the practices and procedures that HydrantID employs for its operation. This document is not intended to create contractual relationships between HydrantID and any other person. Any person seeking to rely on Certificates or participate within the HydrantID PKI must do so pursuant to definitive contractual documentation. This document is intended for use only in connection with HydrantID and its business. This version of the CP/CPS has been approved for use by the HydrantID Policy Management Authority (PMA) and is subject to amendment and change in accordance with the policies and guidelines adopted, from time to time, by the PMA and as otherwise set out herein. The date on which this version of the CP/CPS becomes effective is indicated on this CP/CPS. The most recent effective copy of this CP/CPS supersedes all previous versions. No provision is made for different versions of this CP/ CPS to remain in effect at the same time. Contact Information: Corporate Offices: 2091 East 1300 South #201 Salt Lake City, Utah US Mailing Address: HydrantID 2091 East 1300 South #201 Salt Lake City, Utah US Website: Electronic mail: support@hydrantid.com Copyright HydrantID HydrantID: Public Document p. 2

3 Table of Contents Contact Information: INTRODUCTION Document Name And Identification Revisions: PKI Participants Certification Authority Registration Authorities Subscribers Relying Parties Other Participants Certificate Usage Prohibited Certificate Usage Policy Administration Corporate Offices: Definitions and Acronyms Definitions Acronyms PUBLICATION AND REPOSITORY RESPONSIBILITIES Publication of Information Time or Frequency of Publication Access Controls on Repositories IDENTIFICATION AND AUTHENTICATION Naming Need For Names To Be Meaningful Pseudonymous Subscribers Rules For Interpreting Various Name Forms Uniqueness Of Names Recognition, Authentication, And Role Of Trademarks Verification of Information High Risk Domains Initial Identity Validation Authentication Of Organization Identity Identity DBA/Tradename Verification of Country Authorization by Domain Name Registrant Authentication for an IP Address Wildcard Domain Validation Data Source Accuracy Authentication Of Individual Identity Non-Verified Subscriber Information Validation Of Authority Identification And Authentication For Re-Key Requests Identification and Authentication For Re-Key After Revocation Identification and Authentication For Revocation Requests CERTIFICATE LIFE-CYCLE OPERATION REQUIREMENTS Approval Or Rejection Of Certificate Applications Time To Process Certificate Applications Certificate Authority Authorization (CAA) Certificate Issuance Notification To Subscriber By The CA Of Issuance Of Certificate Certificate Acceptance Publication Of The Certificate By The CA Key Pair And Certificate Usage Relying Party Public Key And Certificate Usage Certificate Renewal Copyright HydrantID HydrantID: Public Document p. 3

4 4.7. Certificate Re-Key Certificate Modification Certificate Revocation And Suspension Who Can Request Revocation Procedure For Revocation Request Revocation Request Grace Period Time Within Which The CA Must Process The Revocation Request Revocation Checking Requirement For Relying Parties CRL Issuance Frequency Maximum Latency For CRL On-Line Revocation/Status Checking Availability On-Line Revocation Checking Requirement Other Forms Of Revocation Advertisements Available Special Requirements For Key Compromise Circumstances For Suspension Who Can Request Suspension Procedure For Suspension Request Limits On Suspension Period Certificate Status Services End Of Subscription Key Escrow And Recovery FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS Physical Controls Physical Access Power And Air-Conditioning Water Exposures Fire Prevention And Protection Media Storage Waste Disposal Off-Site Backup Procedural Controls Trusted Roles Number Of Persons Required Per Task Identification And Authentication For Each Role Roles Requiring Separation Of Duties Personnel Controls Background Check Procedures Training Requirements Retraining Frequency And Requirements Job Rotation Frequency And Sequence Sanctions For Unauthorized Actions Independent Contractor Requirements Documentation Supplied To Personnel Audit Logging Procedures Frequency Of Processing Log Retention Period For Audit Log Protection Of Audit Log Audit Log Backup Procedures Audit Collection System Notification To Event-Causing Subject Vulnerability Assessment Records Archival Retention Period For Archive Protection Of Archive Archive Backup Procedures Requirements For Time-Stamping Of Records Archive Collection System Procedures To Obtain And Verify Archive Information Copyright HydrantID HydrantID: Public Document p. 4

5 5.6. Key Changeover Compromise And Disaster Recovery HydrantID Business Continuity Plan CA and/or RA Termination TECHNICAL SECURITY CONTROLS Key Pair Generation And Installation Private Key Delivery To Subscriber Public Key Delivery To Certificate Issuer Certification Authority Public Key To Relying Parties Key Sizes Public Key Parameters Generation And Quality Checking Key Usage Purposes Private Key Protection And Cryptographic Module Engineering Controls Private Key (N Out Of M) Multi-Person Control Private Key Escrow Private Key Backup Private Key Archive Private Key Transfer Into Or From A Cryptographic Module Private Key Storage On Cryptographic Module Activating Private Keys Deactivating Private Keys Destroying Private Keys Cryptographic Module Capabilities Other Aspects Of Key Pair Management Certificate Operational Periods And Key Pair Usage Periods Activation Data Activation Data Protection Other Aspects Of Activation Data Computer Security Controls Specific Computer Secuirty Technical Requirements Computer Security Rating Life Cycle Technical Controls System Development Controls Security Management Controls Life Cycle Security Controls Network Security Controls Time-Stamping CERTIFICATE, CRL, AND OCSP PROFILES Certificate Profile Certificate Extensions Algorithm Object Identifiers Name Forms Name Constraints Certificate Policy Object Identifier Usage Of Policy Constraints Extension Policy Qualifiers Syntax And Semantics Processing Semantics For The Critical Certificate Policies Extension CRL Profile CRL And CRL Entry Extensions Online Certificate Status Protocol Profile Online Certificate Status Protocol Version Numbers Online Certificate Status Protocol Extensions COMPLIANCE AUDIT AND OTHER ASSESSMENTS Frequency, Circumstance and Standards Of Assessment Identity And Qualifications Of Assessor Assessor s Relationship To Assessed Entity Topics Covered By Assessment Actions Taken As A Result Of Deficiency Copyright HydrantID HydrantID: Public Document p. 5

6 8.6. Communication of Results Self Audits OTHER BUSINESS AND LEGAL MATTERS Certificate Access Fees Revocation Or Status Information Access Fees Fees for Other Services Refund Policy Financial Responsibilities No Partnership or Agency Insurance Cover Other Assets Insurance Or Warranty Coverage For End-Entities Confidentiality of Business Information Information Not Within The Scope Of Confidential Information Responsibility To Protect Private Information Privacy Plan Information Treated As Private Information Not Deemed Private Responsibility To Protect Private Information Notice And Consent To Use Private Information Disclosure Pursuant To Judicial Or Administrative Process Intellectual Property Rights Representations And Warranties CA Representations and Warranties RA Representations And Warranties Subscriber Representations And Warranties Relying Parties Representations And Warranties Representations And Warranties Of Other Participants Disclaimers Of Warranties HydrantID Liability Limitations of Liability Exclusions of Liability Certificate Loss Limits Indemnities Term And Termination Termination Effect Of Termination And Survival Individual Notices And Communications With Participants Amendments Notification Mechanism And Period Circumstances Under Which OID Must Be Changed Dispute Resolution Provisions Governing Law Compliance With Applicable Law Miscellaneous Provisions Assignment Severability Enforcement (Waiver Of Rights) Force Majeure Other Provisions APPENDIX A Root and Issuing CA Profiles QuoVadis Root CA HydrantID SSL Issuing CA HydrantID SSL Issuing CA G HydrantID EV SSL Issuing CA G HydrantID SSL Issuing CA G HydrantID EV SSL Issuing CA G Eligible Applicants Verification Requirements Copyright HydrantID HydrantID: Public Document p. 6

7 Application Process Renewal 58 Extended Validation SSL Eligible Applicants Additional Warranties and Representations for EV Certificates Verification Requirements Applicant Contacts Subscriber Agreement Application Process Renewal Copyright HydrantID HydrantID: Public Document p. 7

8 1. INTRODUCTION 1.1. Overview HydrantID SSL Certificates are issued for use with the SSL 3.0/TLS 1.0 protocol to enable secure transactions of data through privacy, authentication, and data integrity. This Certificate Policy/Certification Practice Statement (CP/CPS) sets out the certification processes that HydrantID uses in the generation, issue, use, and management of Certificates and serves to notify Subscribers and Relying Parties of their roles and responsibilities concerning Certificates. HydrantID ensures the integrity of its Public Key Infrastructure (PKI) operational hierarchy by binding Participants to contractual agreements. This CP/CPS is not intended to create a contractual relationship between HydrantID and any Participant in the HydrantID PKI. Any person seeking to rely on Certificates or participate within the HydrantID PKI must do so pursuant to definitive contractual documentation. HydrantID issues two forms of Certificates according to the terms of this CP/CPS: i. Business SSL Certificates are Certificates for which limited authentication and authorization checks are performed on the Subscriber and the individuals acting for the Subscriber. ii. Extended Validation SSL Certificates are Certificates issued in compliance with the Guidelines for the Issuance and Management of Extended Validation Certificates (EV Guidelines) published by the CA/Browser Forum. The EV Guidelines are intended to provide enhanced assurance of identity of the Subscriber by enforcing uniform and detailed validation procedures across all EV-issuing CAs. HydrantID Certificates comply with Internet standards (x509 v.3) as set out in RFC This CP/CPS follows the IETF PKIX RFC 3647 framework with 9 sections that cover practices and procedures for identifying Certificate applicants; issuing and revoking Certificates; and the security controls related to managing the physical, personnel, technical, and operational components of the CA infrastructure. To preserve the outline specified by RFC 3647, some sections will have the statement "Not applicable" or "No Stipulation." For Business SSL Certificates HydrantID conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates ( Baseline Requirements ) published at In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. For EV SSL Certificates HydrantID conforms to the current version of the CA/Browser Forum Guidelines for the Issuance and Management of Extended Validation Certificates (EV Guidelines) published at In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document Document Name And Identification This document is the HydrantID SSL Issuing CA CP/CPS which was adopted by the HydrantID Policy Management Authority (PMA). The Object Identifier (OID) assigned to HydrantID is The provisions of this CP/CPS, as amended from time to time, are incorporated by reference into all HydrantID Certificates that are issued on or after the effective date of publication of this CP/CPS. HydrantID shall make amendments to this CP/CPS in accordance with Section Revisions: Author Date Version Comment HydrantID Policy Management Authority (PMA) July 1st Initial Version HydrantID Policy Management Authority (PMA) Sept 15 th, Updated to current Baseline Requirements Copyright HydrantID HydrantID: Public Document p. 8

9 1.3. PKI Participants Participants (Participants) within the HydrantID PKI include: - Certification Authorities (Root and Issuing); - Registration Authorities ( RA ); - Subscribers including Applicants for Certificates prior to Certificate issuance; and - Relying Parties. HydrantID PKI Hierarchy SSL ICA Root CA CN = HydrantID SSL ICA O = HydrantID (Avalanche Cloud Corporation) CAB Forum Domain Validated OID CAB Forum Subject Identity Validated OID (for Business SSL certs) Issuing CA QuoVadis EV SSL OID HydrantID OID End Entity Certificate Profiles Copyright HydrantID HydrantID: Public Document p. 9

10 HydrantID PKI Hierarchy SSL ICA G2 Root CA CN = HydrantID SSL ICA G2 O = HydrantID (Avalanche Cloud Corporation) CAB Forum Domain Validated OID CAB Forum Subject Identity Validated OID (for Business SSL certs) Issuing CA QuoVadis EV SSL OID HydrantID OID End Entity Certificate Profiles Copyright HydrantID HydrantID: Public Document p. 10

11 HydrantID PKI Hierarchy EV SSL ICA G1 Root CA CN = HydrantID EV SSL ICA G1 O = HydrantID (Avalanche Cloud Corporation) CAB Forum Domain Validated OID CAB Forum Subject Identity Validated OID (for Business SSL certs) Issuing CA QuoVadis EV SSL OID HydrantID OID End Entity Certificate Profiles The HydrantID SSL Issuing CA s are signed by QuoVadis. QuoVadis hosts and provides support for the HydrantID PKI. Copyright HydrantID HydrantID: Public Document p. 11

12 Certification Authority The following OIDs are pertinent to this CP/CPS: HydrantID QuoVadis Extended Validation SSL CAB Forum Domain Validated OID CAB Forum Subject Identity Validated OID The HydrantID SSL ICA issues Certificates to Subscribers in accordance with this CP/CPS. In its role as a CA, HydrantID performs functions associated with public key operations that include receiving requests; issuing, revoking and renewing a Certificate; and the maintenance, issuance, and publication of CRLs for users within the PKI. In its capacity as a CA, HydrantID will: - Conform its operations to this CP/CPS (or other relevant business practices); - Issue and publish Certificates in a timely manner; - Perform verification of Subscriber information in accordance with this CP/CPS; - Revoke Certificates upon receipt of a valid request from an authorized person or on its own initiative when circumstances warrant; and - Notify Subscribers of the imminent expiry of their Certificates Registration Authorities HydrantID acts as Registration Authority (RA) for Certificates it issues. An RA is an entity that performs verification of Subscriber information in accordance with this CP/CPS, and revokes Certificates upon receipt of a valid request from an authorized person. HydrantID s Enterprise Management Console is a secure web application that facilitates RAs activities as well as the ongoing management of the SSL Certificates for which they are responsible Subscribers In the context of this CP/CPS, the Subscriber is either the Individual to whom an end user Certificate is issued (referred to as a Registrant in the HydrantID Enterprise Management Console) or the Individual responsible for requesting, installing and maintaining the trusted system for which an SSL Certificate has been issued (referred to as a Subscriber in the HydrantID Enterprise Management Console). Prior to verification of identity and issuance of a Certificate, a Subscriber is an Applicant for HydrantID services. Before accepting and using a Certificate, a Subscriber must: (i) generate its own key pair; (ii) submit an application for a HydrantID Certificate; and (iii) accept and agree to the terms and conditions of the applicable HydrantID Subscriber Agreement. The Subscriber is solely responsible for the generation of the key pair to which its HydrantID Certificate relates and for the protection of the Private Key underlying the HydrantID Certificate. A Subscriber shall immediately notify HydrantID if any information contained in a HydrantID Certificate changes or becomes false or misleading, or in the event that its private key has been compromised or the Subscriber suspects that it has been compromised. A Subscriber must immediately stop using a Certificate and delete it from the Subscriber's server upon revocation or expiration Relying Parties Relying Parties are Individuals or Organizations who reasonably rely on HydrantID Certificates in accordance with the terms and conditions of this CP/CPS and all applicable laws and regulations. Before relying on or using a HydrantID Certificate, Relying Parties are advised to: (i) read this CP/CPS in its entirety; (ii) visit the HydrantID Repository to determine whether the Certificate has expired or been revoked and to find out more information concerning the Certificate; and (iii) make their own judgment as to whether and to what degree to rely upon a Certificate Other Participants No Stipulation 1.4 Certificate Usage Appropriate Certificate Uses Copyright HydrantID HydrantID: Public Document p. 12

13 Certificates issued pursuant to this CP/CPS may be used for all legal authentication, encryption, access control, and digital signature purposes, as designated by the key usage and extended key usage fields found within the Certificate Prohibited Certificate Usage HydrantID Certificates may not be used and no participation is permitted in the HydrantID PKI (i) in circumstances that breach, contravene, or infringe the rights of others; or (ii) in circumstances that offend, breach, or contravene any applicable law, statute, regulation, order, decree, or judgment of a court of competent jurisdiction or governmental order; or (iii) in connection with fraud, pornography, obscenity, hate, defamation, harassment, or other activity that is contrary to public policy. No reliance may be placed on Certificates and Certificates may not be used in circumstances (i) where applicable law or regulation prohibits their use; (ii) in breach of this CP/CPS or the relevant Subscriber Agreement; (iii) in any circumstances where the use of Certificates could lead to death, injury, or damage to property; or (iv) as otherwise may be prohibited by the terms of issue Policy Administration Organization Administering the CP/CPS This CP/CPS and related agreements and security policy documents referenced within this document are administered by the HydrantID Policy Management Authority (PMA). Corporate Offices: HydrantID 2091 East 1300 South #201 Salt Lake City, Utah US Mailing Address: HydrantID 2091 East 1300 South #201 Salt Lake City, Utah US Contact Person The Contact Person for the HydrantID CP/CPS is HydrantID s Chief Authentication Officer (CAO): Mailing Address: HydrantID Attn: Chief Authentication Officer 2091 East 1300 South #201 Salt Lake City, Utah US Person determining CPS suitability for the policy The person that determines the suitability of the HydrantID CP/CPS is, HydrantID s Chief Executive Officer (CEO): Mailing Address: HydrantID Attn: Chief Executive Officer 2091 East 1300 South #201 Salt Lake City, Utah US CP/CPS Approval Procedures Approval of this CP/CPS and any amendments hereto is by the HydrantID PMA. Amendments may be made by updating this entire document or by addendum. The HydrantID PMA, at its sole discretion, determines whether changes to this CP/CPS require notice or any change in the OID of a Certificate issued pursuant to this CP/CPS. Copyright HydrantID HydrantID: Public Document p. 13

14 1.6. Definitions and Acronyms Definitions Applicant: The Applicant is an entity applying for a Certificate. Application Software Vendors: Mean those developers of Internet browser software or other software that displays or uses Certificates and distribute Root Certification Authority Certificates embedded in their software, including but not limited to KDE, Microsoft Corporation, Mozilla Corporation, Opera Software ASA, Red Hat, Inc., Adobe, etc. Attestation Letter: A letter attesting that Subject Information is correct written by an accountant, lawyer, government official, or other reliable third party customarily relied upon for such information. Authority Letter: The Authority Letter is a signed by a Confirming Person acting for the Applicant for EV Certificates to establish the authority of individuals to act as the Subscriber's agents. Certificate Approver: A Certificate Approver is a natural person who is employed by the Applicant, or an authorized agent who has express authority to represent the Applicant to: (i) act as a Certificate Requester and to authorize other employees or third parties to act as a Certificate Requesters, and (ii) to approve Certificate Requests submitted by other Certificate Requesters. Certificate Application: Any of several forms completed by Applicant or HydrantID and used to process the request for an EV Certificate, including but not limited to agreements signed by Contract Signers and online forms submitted by Certificate Requesters. Certificate Problem Report: Complaint of suspected Key Compromise, Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to Certificates. Certificate Requester: A Certificate Requester is a natural person who is employed by the Applicant, or an authorized agent who has express authority to represent the Applicant or a third party (such as an ISP or hosting company), and who completes and submits a Certificate Request on behalf of the Applicant. Certification Authority Authorization (CAA): The DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis issue. (From RFC 6844) Confirming Person: A confirming Person is a natural person who must be a senior officer of the Applicant (e.g., Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc.) who has express authority to sign the HydrantID Authority Letter on behalf of the Applicant. Contract Signer: A Contract Signer is a natural person who is employed by the Applicant and who has express authority to sign Subscriber Agreements on behalf of the Applicant. Domain Authorization Document: Documentation provided by, or a CA s documentation of a communication with, a Domain Name Registrar, the Domain Name Registrant, or the person or entity listed in WHOIS as the Domain Name Registrant (including any private, anonymous, or proxy registration service) attesting to the authority of an Applicant to request a Certificate for a specific Domain Namespace. Domain Name: The label assigned to a node in the Domain Name System. Domain Namespace: The set of all possible Domain Names that are subordinate to a single node in the Domain Name System. Domain Name Registrant: Sometimes referred to as the owner of a Domain Name, but more properly the person(s) or entity(ies) registered with a Domain Name Registrar as having the right to control how a Domain Name is used, such as the natural person or Legal Entity that is listed as the Registrant by WHOIS or the Domain Name Registrar. Copyright HydrantID HydrantID: Public Document p. 14

15 Domain Name Registrar: A person or entity that registers Domain Names under the auspices of or by agreement with: (i) the Internet Corporation for Assigned Names and Numbers (ICANN), (ii) a national Domain Name authority/registry, or (iii) a Network Information Center (including their affiliates, contractors, delegates, successors, or assigns). Internal Server Name: A Server Name (which may or may not include an Unregistered Domain Name) that is not resolvable using the public DNS. Participants: A Participant is an individual or entity within the HydrantID PKI and may include: CAs and their Subsidiaries and Holding Companies; Subscribers including Applicants; and Relying Parties. Reliable Data Source: An identification document or source of data used to verify Subject Identity Information that is generally recognized among commercial enterprises and governments as reliable, and which was created by a third party for a purpose other than the Applicant obtaining a Certificate. Reliable Method of Communication: A method of communication, such as a postal/courier delivery address, telephone number, or address, that was verified using a third-party source other than the Applicant Representative. Relying Party: The Relying Party is an individual or entity that relies upon the information contained within the Certificate. Relying Party Agreement: The Relying Party Agreement is an agreement which must be read and accepted by a Relying Party prior to validating, relying on or using a Certificate or accessing or using the HydrantID Repository. Repository: The Repository refers to the CRL, OCSP, and other directory services provided by HydrantID containing issued and revoked Certificates. Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved: address-space/ipv6-address-space.xml Subject: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the Subject. The Subject is either the Subscriber or a device under the control and operation of the Subscriber. Subject Identity Information: Information that identifies the Certificate Subject. Subject Identity Information does not include a domain name listed in the subjectaltname extension or the Subject commonname field. Subscriber: Means either the Individual to whom an end user Certificate is issued, referred to as a Registrant in the HydrantID Enterprise Management Console or the Individual responsible for requesting, installing and maintaining the trusted system for which an SSL Certificate has been issued, referred to as a Subscriber in the HydrantID Enterprise Management Console. Subscriber Agreement: Is the agreement executed between a Subscriber and HydrantID relating to the provision of designated Certificate-related services that governs the Subscriber s rights and obligations related to the Certificate Acronyms CA Certificate Authority or Certification Authority CAA Certification Authority Authorization CP/CPS Certificate Policy & Certification Practice Statement CRL Certificate Revocation List CSR Certificate Signing Request CT Certificate Transparency PMA HydrantID Policy Management Authority EV Extended Validation FIPS Federal Information Processing Standard Copyright HydrantID HydrantID: Public Document p. 15

16 ICANN Internet Corporation for Assigned Names and Numbers IETF Internet Engineering Task Force ITU International Telecommunication Union OID Object Identifier PKI Public Key Infrastructure PKIX IETF Working Group on Public Key Infrastructure PKCS Public Key Cryptography Standard RA Registration Authority SSL Secure Sockets Layer TLS Transaction Layer Security X.509 The ITU-T standard for Certificates and their corresponding authentication framework 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES 2.1. Repositories The HydrantID Repository serves as the primary repository for revocation data on issued Certificates. However, copies of HydrantID directories may be published at such other locations as required for efficient operation of the HydrantID PKI Publication of Information HydrantID operates and maintains its Repository with resources sufficient to provide a commercially reasonable response time for the number of queries generated by all of the Certificates issued by its CAs. HydrantID publishes Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) resources to allow Relying Parties to determine the validity of a HydrantID Certificate. Each CRL contains entries for all revoked un-expired Certificates issued. HydrantID maintains revocation entries on its CRLs, or makes Certificate status information available via OCSP, until after the expiration date of the revoked Certificate. To ensure SSL Certificates function properly throughout their lifecycle, HydrantID may log SSL Certificates with a Certificate Transparency database ( CT Log ). CT Log information is publicly accessible. Once submitted, Certificate information cannot be removed from a CT Log Time or Frequency of Publication HydrantID issues a new CRL at least every twelve (12) hours and prior to the expiration of the current CRL. HydrantID also provides an OCSP resource that is updated at least every twelve (12) hours. Certificate information is published promptly following generation and issue, and within 20 minutes of revocation Access Controls on Repositories Participants (including Subscribers and Relying Parties) accessing the HydrantID Repository and other HydrantID directory resources are deemed to have agreed with the provisions of this CP/CPS and any other conditions of usage that HydrantID may make available. Participants demonstrate acceptance of the conditions of usage of this CP/CPS by using a HydrantID Certificate. Failure to comply with the conditions of usage of the HydrantID Repository and web site may result in termination of the relationship between HydrantID and the party, at HydrantID s sole discretion, and any unauthorized reliance on a Certificate shall be at that party's risk. HydrantID is the only entity that has write access to Repositories. 3. IDENTIFICATION AND AUTHENTICATION The identification and authentication procedures used by HydrantID depend on the class of Certificate being issued. See Appendix B for Certificate Profiles and the relevant verification requirements Naming Types Of Names All Subscribers require a distinguished name that complies with the ITU X.500 standard for Distinguished Names (DN). SSL Certificates are issued using the Fully Qualified Domain Name (FQDN) name of the server, service, or application that has been confirmed with the Subscriber. HydrantID does not issue publicly-trusted certificates containing Internal Server Names or Reserved IP Addresses. Copyright HydrantID HydrantID: Public Document p. 16

17 Wildcard SSL Certificates have a wildcard asterisk character for the server name in the Subject field. Wildcard EV Certificates may not be issued under the EV Guidelines. The FQDN or authenticated domain name is placed in the Common Name (CN) attribute of the Subject field and, when applicable, the Subject Alternative Name extension Need For Names To Be Meaningful Distinguished names must be meaningful, unambiguous, and unique. HydrantID ensures that the Organization (O) and Organizational Unit (OU) attributes in the Subject field accurately identify the legal entity that is the subject of the Certificate. Similarly, HydrantID uses non-ambiguous designations in the Issuer field to identify itself as the Issuer of a Certificate Pseudonymous Subscribers HydrantID does not issue anonymous or pseudonymous Certificates Rules For Interpreting Various Name Forms Distinguished Names in Certificates shall be interpreted using X.500 standards and ASN.1 syntax. See RFC 2253 and RFC 2616 for further information on how X.500 distinguished names in Certificates are interpreted as Uniform Resource Identifiers and HTTP references. In addition, see the Certificate Profiles detailed in Appendix B Uniqueness Of Names Name uniqueness is ensured through the use of the Common Name attribute of the Subject Field, which contains the authenticated domain name, which is controlled under the auspices of the Internet Corporation for Assigned Names and Numbers (ICANN) Recognition, Authentication, And Role Of Trademarks Subscribers shall solely be responsible for the legality of the information they present for use in Certificates issued under this CP/CPS in any jurisdiction in which such content may be used or viewed. Subscribers represent and warrant that when submitting Certificate Requests to HydrantID and using a domain and distinguished name (and all other Certificate Application information) they do not interfere with or infringe upon the rights of any third parties in any jurisdiction with respect to their trademarks, service marks, trade names, company names, or any other intellectual property right, and that they are not seeking to use the domain and distinguished names for any unlawful purpose, including, without limitation, tortious interference with contract or prospective business advantage, unfair competition, injuring the reputation of another, or to confuse or mislead any person, whether natural or corporate. Subscribers shall defend, indemnify, and hold HydrantID harmless for any loss or damage resulting from any such interference or infringement and shall be responsible for defending all actions against HydrantID Verification of Information For each FQDN listed in a Certificate, HydrantID confirms that, as of the date the Certificate was issued, the Applicant either is the Domain Name Registrant or has control over the FQDN by one of the following methods: 1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar; 2. Communicating directly with the Domain Name Registrant using an address, , or telephone number provided by the Domain Name Registrar; 3. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record s registrant, technical, or administrative field or DNS SOA Record; 4. Communicating with the Domain s administrator using an address created by pre-pending admin, administrator, webmaster, hostmaster, or postmaster to the FQDN; 5. Relying upon a Domain Authorization Document; 6. Confirming the Applicant's control over the requested FQDN by confirming the presence of Required Website Content under the "/.well known/pki validation" directory, or another path registered with IANA for the purpose of Domain Validation. The entire Required Website Content, Request Token, or Random Value MUST NOT appear in the request used to retrieve the file or web page. 7. Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value within a Digital Certificate accessible by the CA via HTTPS on an authorized port. Note: For purposes of determining the appropriate domain name level or Domain Namespace, the registerable Domain Name is the second-level domain for generic top-level domains (gtld) such as.com,.net, or.org, or, if the Fully Qualified Domain Name contains a 2 letter Country Code Top-Level Domain (cctld), then the domain level is whatever is allowed for registration according to the rules of that cctld. Within 30 days after ICANN has approved a new gtld for operation, HydrantID (1) compares the new gtld against Copyright HydrantID HydrantID: Public Document p. 17

18 the its records of valid certificates, (2) ceases issuing Certificates containing a Domain Name that includes the new gtld until HydrantID has first verified the Applicant s control over or exclusive right to use the Domain Name, and (3) revoke the Certificate within 120 days if the Applicant cannot demonstrate control over or exclusive right to use the Domain Name. Where HydrantID relies upon a Domain Authorization Document to confirm the Applicant s control over a FQDN, HydrantID verifies that the communication came from either the Domain Name Registrant (including any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS. HydrantID verifies that the Domain Authorization Document was either (i) dated on or after the certificate request date or (ii) used by HydrantID to verify a previously issued certificate and that the Domain Name s WHOIS record has not been modified since the previous certificate s issuance High Risk Domains HydrantID maintains a list of High Risk Domains and has implemented technical controls to prevent the issuance of Certificates to certain domains. HydrantID follows documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate s approval Initial Identity Validation Method To Prove Possession Of Private Key The Applicant must submit a digitally signed PKCS#10 Certificate Signing Request (CSR) to establish that it holds the private key corresponding to the public key to be included in a Certificate. HydrantID parses the PKCS#10 CSR submitted by the Applicant in a secure manner and verifies that the Applicant s digital signature on the PKCS#10 was created by the private key corresponding to the public key in the PKCS#10 CSR. If any doubt exists, HydrantID will not perform certification of the key Authentication Of Organization Identity Authentication of Organization identity is conducted in compliance with this CP/CPS and the Certificate Profiles detailed in Appendix B Identity For Subject Identity Information that includes the name or location of an organization, HydrantID verifies the identity and address of the organization and that the address is the Applicant s address of existence or operation. HydrantID verifies the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 1. A government agency in the jurisdiction of the Applicant s legal creation, existence, or recognition; 2. A third party database that is periodically updated and considered by HydrantID to be a Reliable Data Source; 3. A site visit by HydrantID personnel or a third party who is acting as an agent for HydrantID; or 4. An Attestation Letter attesting that Subject Information is correct, signed by an accountant, lawyer, government official, or other reliable third party customarily relied upon for such information DBA/Tradename If the Subject Identity Information is to include a DBA or tradename, HydrantID verifies the Applicant s right to use the DBA/tradename using at least one of the following: 1. Documentation provided by, or communication with, a government agency in the jurisdiction of the Applicant s legal creation, existence, or recognition; 2. A Reliable Data Source; 3. Communication with a government agency responsible for the management of such DBAs or tradenames; 4. An Attestation Letter accompanied by documentary support; or 5. A utility bill, bank statement, credit card statement, government issued tax document, or other form of identification that HydrantID determines to be reliable Verification of Country If the subject:countryname field is present, then HydrantID verifies the country associated with the Subject using one of the following: 1. the IP Address range assignment by country for either the web site s IP address (as indicated by the DNS record for the web site) or the Applicant s IP address; 2. the cctld of the requested Domain Name; Copyright HydrantID HydrantID: Public Document p. 18

19 3. information provided by the Domain Name Registrar; or 4. a method identified in Section Authorization by Domain Name Registrant For each Fully Qualified Domain Name (FQDN) listed in a Certificate, HydrantID confirms that, as of the date the Certificate was issued, the Applicant (or the Applicant s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as Applicant for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN by: 1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar; 2. Communicating directly with the Domain Name Registrant using an address, , or telephone number provided by the Domain Name Registrar; 3. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record s registrant, technical, or administrative field; 4. Communicating with the Domain s administrator using an address created by pre pending admin, administrator, webmaster, hostmaster, or postmaster in the local part, followed by the at sign ), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN; 5. Relying upon a Domain Authorization Document; 6. Having the Applicant demonstrate practical control over the FQDN by making an agreed upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or 7. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described. Note: For purposes of determining the appropriate domain name level or Domain Namespace, the registerable Domain Name is the second level domain for generic top level domains (gtld) such as.com,.net, or.org, or, if the Fully Qualified Domain Name contains a 2 letter Country Code Top Level Domain (cctld), then the domain level is whatever is allowed for registration according to the rules of that cctld. If HydrantID relies upon a Domain Authorization Document to confirm the Applicant s control over a FQDN, then HydrantID will substantiate that the communication came from either the Domain Name Registrant (including any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS. HydrantID will verify that the Domain Authorization Document was either dated on or after the certificate request date or used by HydrantID to verify a previously issued certificate and that the Domain Name s WHOIS record has not been modified since the previous certificate s issuance Authentication for an IP Address For each IP Address listed in a Certificate, HydrantID will confirm that, as of the date the Certificate was issued, the Applicant has control over the IP Address by: 1. Having the Applicant demonstrate practical control over the IP Address by making an agreed upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address; 2. Obtaining documentation of IP address assignment from the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC); 3. Performing a reverse IP address lookup and then verifying control over the resulting Domain Name under Section ; or 4. Using any other method of confirmation determined by HydrantID that establishes that the Applicant has control over the IP Address to at least the same level of assurance as the methods previously described. Note: IPAddresses may be listed in Subscriber Certificates using IPAddress in the subjectaltname extension or in Subordinate CA Certificates via IPAddress in permittedsubtrees within the Name Constraints extension Wildcard Domain Validation Before issuing a certificate with a wildcard character (*) in a CN or subjectaltname of type DNS ID, HydrantID follow a documented procedure that determines if the wildcard character occurs in the first label position to the left of a registry controlled label or public suffix (e.g. *.com, *.co.uk, see RFC 6454 Section 8.2 for further explanation). If a wildcard would fall within the label immediately to the left of a registry controlled or public suffix, HydrantID will reject the certificate request, unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. HydrantID will not issue *.com or *.local, but would issue *.example.com to Example Co.). Copyright HydrantID HydrantID: Public Document p. 19

20 HydrantID determines what is registry controlled by consulting a public suffix list (e.g., and reviewing the "ICANN DOMAINS" section Data Source Accuracy Prior to using any data source as a Reliable Data Source, HydrantID evaluates the source for its reliability, accuracy, and resistance to alteration or falsification. HydrantID considers the following during its evaluation: 1. The age of the information provided, 2. The frequency of updates to the information source, 3. The data provider and purpose of the data collection, 4. The public accessibility of the data availability, and 5. The relative difficulty in falsifying or altering the data. HydrantID does not rely on databases it, its owner or its affiliated companies maintains for the primary purpose of collecting information for the purpose of fulfilling the validation requirements under this Section Authentication Of Individual Identity Where applicable, authentication of Individual identity is conducted in compliance with this CP/CPS and the Certificate Profiles detailed in Appendix B. If an Applicant subject to this Section is a natural person, then HydrantID verifies the Applicant s name, Applicant s address, and the authenticity of the certificate request. HydrantID verifies the Applicant s name using a legible copy, which discernibly shows the Applicant s face, of at least one currently valid government issued photo ID (passport, drivers license, military ID, national ID, or equivalent document type). HydrantID inspects the copy for any indication of alteration or falsification. HydrantID verifies the Applicant s address using a form of identification that HydrantID determines to be reliable, such as a government ID, utility bill, or bank or credit card statement. HydrantID may rely on the same governmentissued ID that was used to verify the Applicant s name to verify the Applicant s address. HydrantID uses a Reliable Method of Communication to verify the certificate request with the Applicant Non-Verified Subscriber Information HydrantID does not verify information contained in the Organization Unit (OU) field in Certificates. Other information may be designated as non-verified in specific Certificate Profiles Validation Of Authority Validation of authority is conducted in compliance with this CP/CPS and the Certificate Profiles detailed in Appendix B. For Certificates issued at the request of a Subscriber's Agent, both the Agent and the Subscriber shall jointly and severally indemnify and hold harmless HydrantID, and its parent companies, subsidiaries, directors, officers, and employees. The Subscriber shall control and be responsible for the data that an Agent of the Subscriber supplies to HydrantID. The Subscriber must promptly notify HydrantID of any misrepresentations and omissions made by an Agent of the Subscriber. If the Applicant for a Certificate containing Subject Identity Information is an organization, HydrantID uses a Reliable Method of Communication to verify the authenticity of the Applicant Representative s certificate request. HydrantID may use the sources listed in section to verify the Reliable Method of Communication. Using a Reliable Method of Communication, HydrantID establishes the authenticity of the certificate request directly with the Applicant Representative or with an authoritative source within the Applicant s organization, such as the Applicant s main business offices, corporate offices, human resource offices, information technology offices, or other department that the CA deems appropriate. In addition, HydrantID allows an Applicant to specify the individuals who may request Certificates. If an Applicant specifies, in writing, the individuals who may request a Certificate, then the CA SHALL NOT accept any certificate Copyright HydrantID HydrantID: Public Document p. 20