Summary of Updates CPS Revision 7 (Amendment from CPS Revision 6)
15 June 2018

Section | CPS Revision 6 | CPS Revision 7 | Reasoning / Notes

1.4.2 Prohibited certificate uses:
1.4.2 Prohibited certificate uses:
For server certificates, if the domain names are related to either gambling / prostitution / terrorism / pornography, it will be considered as High Risk by POS DIGICERT. If the domain names are within the High Risk definition, the application for the certificate shall be rejected.
To define the high risk usage of the certificates.

3.2.3 Authentication of Individual Identity, Class 1 Certificate:
3.2.3 Authentication of Individual Identity, Class 1 Certificate:
Confirmation is based upon simple email validation to establish the validity of the email address supplied in the application details received from the subscriber.
CA / RA could request the submission of an official identification document issued by government agencies (e.g.: National Registration Identity Card / Passport) for the purpose of online registration via portal.
To detail out the standard validation process for Class 1 Certificate.

3.2.3 Authentication of Individual Identity, Class 2 Certificate (Individual):
3.2.3 Authentication of Individual Identity, Class 2 Certificate (Individual):
Additionally, wherever applicable, a letter of authorisation from the relevant agency that the certificate is to be used for shall be provided by the applicant.
To detail out the standard validation process for Class 2 Certificate (Individuals).

All affected pages
Pos Digicert Digisign ID (Basic) G2
Replaced with Pos Digicert Digisign ID (Basic) G3
Product updates

All affected pages
Pos Digicert Digisign ID (Enhanced) G2
Replaced with Pos Digicert Digisign ID (Enhanced) G3
Product updates

All affected pages
Pos Digicert Server ID G3
Replaced with Pos Digicert Server ID G3
Product updates

3.2.6 Criteria for
In Section 3.2.6 Criteria for, Class 1 [Pos Digicert Digisign ID G2 & Digisign ID 2048]:
This information has been removed.
Available to all Malaysian and foreign individuals. Authorisation letter is required if a representative / agent is appointed to apply for the certificate.

3.2.6 Criteria for
In section 3.2.6 Criteria for, Class 2 [Pos Digicert Digisign ID (Basic) G2; Digisign ID (Basic) 2048; Pos Digicert Digisign ID (Enhanced) G2; & Digisign ID (Enhanced) 2048]:
This information has been removed.
Identification documents required to accompany the applications are either: copy of NRIC or passport. Meanwhile, for offline (walk in via agent / dispatch), photocopy of NRIC / Passport supplied with the applications MUST be certified true copy by the organisation's Head of Department / Director.
Available to all Malaysian and foreign individuals who are 18 years and above. An authorisation letter is required if a representative / agent is appointed to apply for the certificate.

3.2.6 Criteria for
In section 3.2.6 Criteria for, Class 2 [Pos Digicert Server ID G2 & Pos Digicert Server ID G3]
The information has been removed.
Certificate of Incorporation OR Certificate of Registration should accompany the application. For Private Sectors, documents supplied for the applicants MUST be certified by the Company Secretary / Director of the Organisation. For Government agencies, the documents need to be certified true copy by the respective Head of the Departments. In addition, an authorisation letter from the management is required to allow a representative of the organisation to submit this application.
Available to all Malaysian and foreign legal entities (except individuals).

3.2.6 Criteria for
Nil
3.2.6 Criteria for, Class 2 [Pos Digicert Server ID G2 & Pos Digicert Server ID G3]:
- letter of authorisation from the government agency allowing for the applicant to apply for the digital certificate.
- name of the applicant's organisation to match as per the Suruhanjaya Syarikat Malaysia's SSM official record. (POS DIGICERT to perform validation with SSM's registry)

3.2.7 Authentication of Domain Name and Country Name
Nil
This section has been added:
3.2.7 Authentication of Domain Name and Country Name
For all Pos Digicert Server ID G2 Certificates, authentication of the Applicant's Country Name ownership or control of all requested Domain Name(s) is done by POS DIGICERT confirming that the WHOIS data for the Domain Name matches with the application details submitted. If the WHOIS data for the Domain Name and the Country Name does not match, POS DIGICERT will not issue the certificate. POS DIGICERT does not accept IP addresses as a replacement of Domain Name. These requirements shall similarly apply to all Sub CA Certificates issued under Pos Digicert Server ID G2 Certificates. However, the restrictions above do not apply to Pos Digicert Server ID G3 Certificates.

4.2.1 Performing Identification and Authentication Functions:
4.2.1 Performing Identification and Authentication Functions:
CAA checking will be performed by POS DIGICERT (wherever applicable, e.g.: for Pos Digicert Server ID G2 applications). If no CAA record is present, POS DIGICERT is allowed to issue a certificate for the application. If CAA record exists and if it lists other than POS DIGICERT as an authorized CA, POS DIGICERT will not issue the certificate. Further to this, certificate application processing shall be performed as per the stipulation in CPS Part 3.2.6

4.9.9 On-Line Revocation/Status Checking Availability
4.9.9 On-Line Revocation/Status Checking Availability
POS DIGICERT also operates an Online Certificate Status Profile (OCSP) responder in compliance with RFC 2560.

7.1.3 Algorithm Object Identifiers:
In section 7.1.3 Algorithm Object Identifiers:
Algorithm: SHA 1 with RSA encryption; SHA 256 with RSA encryption; SHA 512 with RSA encryption
Object Identifier: 1.2.840.113549.1.1.13; 1.2.840.113549.1.1.11; 1.2.840.113549.1.1.5
The following information has been replaced with:
Pos Digicert CPS OID : 1.3.6.1.4.1.50501.1
Pos Digicert OCSP OID : 1.3.6.1.4.1.50501.2

7.1.4 Name Forms:
The following information has been replaced with in section 7.1.4 Name Forms: based on CAB
If the SubjectAltName (SAN) extension is present in a certificate, POS DIGICERT will proceed to register the SAN (limited to a maximum of three (3) additional alternate names).
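
An added example, not part of the CPS or of POS DIGICERT's own tooling: the CAA decision stated under 4.2.1, extended here with RFC 8659's parent-domain lookup, issuewild handling and issuer-critical flag. The identifier ca.example and the zone data are constructed placeholders, since the page does not state the CAA identifier POS DIGICERT uses.

```python
# Added example: CAA evaluation per RFC 8659 over constructed data.
# CA_ID is a placeholder; the page does not give the CA's CAA identifier.
CA_ID = "ca.example"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "shop.test": [(0, "issue", "ca.example; account=1"),
                  (0, "iodef", "mailto:sec@shop.test")],
    "other.test": [(0, "issue", "another-ca.example")],
    "wild.test": [(0, "issue", "ca.example"), (0, "issuewild", ";")],
    "crit.test": [(128, "futuretag", "x"), (0, "issue", "ca.example")],
    "report.test": [(0, "iodef", "mailto:sec@report.test")],
}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA RRset."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(name, zone=ZONE, ca_id=CA_ID):
    """Return (allowed, reason) for a requested dNSName, wildcard or not."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True, "no CAA record present"
    # Issuer-critical flag (bit value 128) on a tag the CA does not understand.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, "unrecognised critical property"
    by_tag = {}
    for _, tag, value in rrset:
        # Keep only the issuer domain; parameters after ';' are ignored here.
        by_tag.setdefault(tag.lower(), []).append(value.split(";")[0].strip().lower())
    # issuewild, when present, replaces issue for wildcard names only.
    use_wild = wildcard and "issuewild" in by_tag
    issuers = by_tag.get("issuewild" if use_wild else "issue")
    if issuers is None:
        return True, "CAA present but does not restrict issuance"
    if ca_id in issuers:
        return True, "CA listed as authorised issuer"
    return False, "CA not listed as authorised issuer"
```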