TrustID® Certificate Policy

TABLE OF CONTENTS

1 INTRODUCTION

1.1 GENERAL INFORMATION
1.2 IDENTIFICATION
1.3 COMMUNITY AND APPLICABILITY
1.4 CONTACT DETAILS

2 GENERAL PROVISIONS

2.1 APPORTIONING LEGAL RESPONSIBILITIES AMONG PARTIES
2.2 LIMITATION ON LIABILITY
2.3 FINANCIAL RESPONSIBILITY
2.4 INTERPRETATION AND ENFORCEMENT
2.5 FEES
2.6 NOTICE AND PUBLICATION
2.7 COMPLIANCE INSPECTION
2.8 PRIVACY AND DATA PROTECTION POLICY
2.9 INTELLECTUAL PROPERTY RIGHTS
2.10 LEGAL VALIDITY OF CERTIFICATES

3 IDENTIFICATION AND AUTHENTICATION

3.1 INITIAL REGISTRATION
3.2 CERTIFICATE RE-KEY, RENEWAL AND UPDATE
3.3 RE-KEY AFTER REVOCATION OR EXPIRATION
3.4 REVOCATION REQUEST

4 CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS

4.1 CERTIFICATE REQUEST
4.2 CERTIFICATE APPLICATION VALIDATION
4.3 CERTIFICATE ISSUANCE
4.4 CERTIFICATE ACCEPTANCE
4.5 NOTIFICATION OF CERTIFICATE ISSUANCE TO OTHERS
4.6 CERTIFICATE USAGE
4.7 PROCESSING A REQUEST FOR A NEW KEY
4.8 CERTIFICATE MODIFICATIONS
4.9 CERTIFICATE REVOCATION
4.10 CERTIFICATE STATUS SERVICES
4.11 END OF SUBSCRIPTION
4.12 PRIVATE KEY RECOVERY

5 CA FACILITY AND MANAGEMENT CONTROLS

5.1 PHYSICAL CONTROLS
5.2 PROCEDURAL CONTROLS
5.3 PERSONNEL CONTROLS
5.4 SECURITY AUDIT PROCEDURES
5.5 RECORDS ARCHIVAL
5.6 KEY CHANGEOVER
5.7 COMPROMISE AND DISASTER RECOVERY
5.8 CA TERMINATION
5.9 CUSTOMER SERVICE

6 TECHNICAL SECURITY CONTROLS

6.1 KEY PAIR GENERATION AND INSTALLATION
6.2 CA PRIVATE KEY PROTECTION
6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT
6.4 ACTIVATION DATA
6.5 COMPUTER SECURITY CONTROLS
6.6 LIFE CYCLE TECHNICAL CONTROLS
6.7 NETWORK SECURITY CONTROLS
6.8 CRYPTOMODULE ENGINEERING CONTROLS

7 CERTIFICATE AND CRL PROFILES

7.1 CERTIFICATE PROFILE
7.2 CRL PROFILE

8 POLICY ADMINISTRATION

8.1 POLICY CHANGE PROCEDURES
8.2 PUBLICATION AND NOTIFICATION POLICIES
8.3 CPS APPROVAL PROCEDURES
8.4 WAIVERS

1 INTRODUCTION  
1.1 GENERAL INFORMATION  
     
1.1.1 Overview This TrustID® Certificate Policy contains the rules governing the use of TrustID Certificates among those parties authorized to participate in the Public Key Infrastructure described by this Policy, namely: (i) PKI Service Providers, consisting of (a) the Policy Management Authority; (b) Issuing Certification Authorities; (c) Registration Authorities; (d) Certificate Manufacturing Authorities, and (e) Repositories; and (ii) End Entities, consisting of (a) Certificate Holders and (b) Authorized Relying Parties. This Policy describes the roles, responsibilities, and relationships of the PKI Service Providers and End Entities (collectively "Participants"), and the rules and requirements for the issuance, acquisition, management, and use of TrustID Certificates to verify Digital Signatures and to encrypt and authenticate electronic communications.
     
1.1.2 General Definitions  
     
1.1.2.1 Terms Capitalized terms used in this Policy have the following meanings:
     
  Accept or Acceptance An End Entity’s act that triggers the End Entity’s rights and obligations with respect to its TrustID Certificate under the applicable Certificate Agreement or Authorized Relying Party Agreement. Indications of Acceptance may include without limitation: (i) using the TrustID Certificate (after issuance); (ii) failing to notify the Issuing CA of any problems with the TrustID Certificate within a reasonable time after receiving it, or (iii) other manifestations of assent.
     
  Activation Data Private data used or required to access or activate Cryptomodules (e.g., a personal identification number (PIN), pass phrase, or a manually-held key share used to unlock a Private Key prior to creating a Digital Signature).
     
  Affiliated Individual An Individual having an affiliation with an Organization who has been authorized by the Organization to obtain a TrustID Certificate that identifies the Organization and the fact of the Individual’s affiliation with the Organization. See "Sponsoring Organization."
     
  Applicant An Individual or Organization that submits application information to an RA or an Issuing CA for the purpose of obtaining or renewing a TrustID Certificate.
     
  Authority Revocation List (ARL) A list of revoked CA Certificates. An ARL is a CRL for CA Certificates.
     
  Authorized Relying Party An Individual or Organization that has entered into an Authorized Relying Party Agreement.
     
  Authorized Relying Party Agreement A contract between an Individual or an Organization and an Issuing CA allowing the party to rely on TrustID Certificates in accordance with this Policy.
     
  CA Certificate A Certificate at the beginning of a certification chain within the TrustID PKI hierarchy. A CA Certificate is established as part of the set-up and activation of the Issuing CA. The CA Certificate contains the Public Key that corresponds to the CA Private Signing Key used either to create or manage TrustID Certificates. CA Certificates and their corresponding Public Keys may be embedded in software or obtained or downloaded by the affirmative act of an Authorized Relying Party in order to establish a certification chain.
     
  CA Private Signing Key The Private Key that corresponds to the Issuing CA's Public Key listed in its CA Certificate and used to sign TrustID Certificates.
     
  CA Private Root Key The Private Key used to sign CA Certificates.
     
  Certificate A computer-based record or electronic message that: (i) identifies the Certification Authority issuing it; (ii) names or identifies a Certificate Holder or Authorized Relying Party; (iii) contains the Public Key of the Certificate Holder or Authorized Relying Party; (iv) identifies the Certificate's Validity Period; (v) is digitally signed by a Certification Authority; and (vi) has the meaning ascribed to it in accordance with applicable standards. A Certificate includes not only its actual content but also all documents expressly referenced or incorporated in it.
     
  Certificate Agreement The contract between a Certificate Holder and the CA and/or RA that details the procedures, rights and obligations of each party with respect to a TrustID Certificate issued to the Certificate Holder.
     
  Certificate Holder An Individual or Organization that: (i) is named or identified in a TrustID Certificate, or is responsible for the Electronic Device named, as the subject of the TrustID Certificate; and (ii) holds a Private Key that corresponds to the Public Key listed in that TrustID Certificate; however, for purposes of interpreting this Policy, persons holding Certificates for administrative purposes (e.g., the subject of an Authorized Relying Party certificate used to access a Repository to verify Certificate status) will not be considered "Certificate Holders" with respect to Certificates issued under this Policy.
     
  Certificate Policy (CP) A named set of rules that indicates the applicability of Certificates to particular communities and classes of applications and specifies the Identification and Authentication processes performed prior to Certificate issuance, the Certificate Profile and other allowed uses of Certificates.
     
  Certificate Manufacturing Authority (CMA) An Organization that manufactures or creates TrustID Certificates for a particular Issuing CA.
     
  Certificate Profile The protocol used in Section 7 of this Policy to establish the allowed format and contents of data fields within TrustID Certificates, which identify the Issuing CA, the End Entity, the Certificate’s Validity Period, and other information that identifies the End Entity.
     
  Certificate Revocation List (CRL) A database or other list of Certificates that have been revoked prior to the expiration of their Validity Period.
     
  Certification Authority (CA) An entity that creates, issues, manages and revokes Certificates. See also Issuing CA.
     
  Certification Practice Statement (CPS) A statement of the practices that a CA employs in creating, issuing, managing and revoking Certificates.
     
  Cross-Certificate A Certificate used to establish a trust relationship between two Certification Authorities.
     
  Cryptomodule Secure software, device or utility that: (i) generates Key Pairs, (ii) stores cryptographic information, and/or (iii) performs cryptographic functions.
     
  Digital Signature/ Digitally Sign The transformation of an electronic record by one person using a Private Key and Public Key Cryptography so that another person having the transformed record and the corresponding Public Key can accurately determine: (i) whether the transformation was created using the Private Key that corresponds to the Public Key; and (ii) whether the record has been altered since the transformation was made.
     
  Distinguished Name (DN) The unique identifier for a Certificate Holder so that he, she or it can be located in a directory (e.g., the DN for a Certificate Holder might contain the following attributes: common name (cn), e-mail address (mail), Organization name (o), Organizational unit (ou), locality (l), state (st) and country (c)).
     
  Electronic Device Computer software, hardware or other electronic or automated means configured and enabled by a person to act as its agent and to initiate or respond to electronic records or performances, in whole or in part, without review or intervention by such person.
     
  End Entity(ies) Certificate Holders and Authorized Relying Parties.
     
  High-Security Zone An area to which access is controlled through an entry point and limited to authorized, appropriately screened personnel and properly escorted visitors, accessible only from Security Zones, separated from Security Zones and Operations Zones by a perimeter. High-Security Zones are monitored 24 hours a day and 7 days a week by security staff, other personnel and electronic means.
     
  Identification and Authentication (I&A) To ascertain and confirm through appropriate inquiry and investigation the identity of an End Entity or Sponsoring Organization.
     
  Individual A natural person and not a juridical person or legal entity.
     
  Issue Certificates/ Issuance The act performed by a CA in creating a Certificate, listing itself as "Issuer," and notifying the Applicant of its contents and that the Certificate is ready and available for Acceptance.
     
  Issuing Certification Authority (Issuing CA) An entity authorized by the PMA to issue and sign Certificates in accordance with this Policy and licensed by DST to brand such Certificates with the TrustID mark.
     
  Key A general term used throughout this Policy to encompass any one of the defined keys mentioned in this General Definitions section.
     
  Key Generation The process of creating a Key Pair.
     
  Key Pair Two mathematically related Keys (a Private Key and its corresponding Public Key), having the properties that: (i) one Key can be used to encrypt a communication that can only be decrypted using the other Key; and (ii) even knowing one Key it is computationally infeasible to discover the other Key.
     
  Lightweight Directory Access Protocol (LDAP) A client-server protocol used for accessing an X.500 directory service over the Internet.
     
  Object Identifier (OID) A globally unique identifier, written as a dotted sequence of integers (e.g., 2.16.840.1.113839), registered under the ISO/ITU-T registration hierarchy to reference a specific object or object class. In the PKI established by this Policy, OIDs are used to uniquely identify the Certificate types issued under this Policy and the cryptographic algorithms supported.
     
  Online Status Check An online, real-time status check of the validity of a TrustID Certificate. An Online Status Check involving a CRL consists of checking the most recently issued CRL (i.e., not a cached CRL).
     
  Operational Period A Certificate’s actual term of validity, beginning with the start of the Validity Period and ending on the earlier of (i) the end of the Validity Period disclosed in the Certificate, or (ii) the revocation of the Certificate.
     
  Operations Zone An area where access is limited to personnel who work there and to properly escorted visitors. Operations Zones should be monitored at least periodically and should preferably be accessible only from a Reception Zone.
     
  Organization An entity that is legally recognized in its jurisdiction of origin (e.g., a corporation, partnership, sole proprietorship, government department, non-government organization, university, trust, special interest group or non-profit corporation).
     
  Participants All PKI Service Providers and End Entities authorized to participate in the PKI defined by this Policy.
     
  PKI Service Providers The PMA, Issuing CAs, RAs, CMAs, and Repositories participating in the PKI defined by this Policy.
     
  PMA Charter The document adopted by the PMA that identifies the policies and procedures for administering this Policy.
     
  Policy This TrustID Certificate Policy.
     
  Policy Management Authority (PMA) The Organization responsible for setting, implementing and administering policy decisions regarding this Policy.
     
  Private Key The Key of a Key Pair kept secret by its holder, used to create Digital Signatures and to decrypt messages or files that were encrypted with the corresponding Public Key.
     
  Public Key The Key of a Key Pair publicly disclosed by the holder of the corresponding Private Key and used by the recipient to validate Digital Signatures created with the corresponding Private Key and to encrypt messages or files to be decrypted with the corresponding Private Key.
     
  Public Key Cryptography A type of cryptography also known as asymmetric cryptography that uses a Key Pair to securely encrypt and decrypt messages.
     
  Public Key Infrastructure (PKI) The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a Certificate-based Public Key Cryptography system.
     
  Reasonable Reliance For purposes of this Policy, an Authorized Relying Party's decision to rely on a TrustID Certificate will be considered Reasonable Reliance if he, she or it:
  • Has entered into an Authorized Relying Party Agreement and agreed to be bound by the terms and conditions of this Policy;
  • Verified that the Digital Signature in question (if any) was created by the Private Key corresponding to the Public Key in the TrustID Certificate during the time that the TrustID Certificate was valid, and that the communication signed with the Digital Signature had not been altered;
  • Verified that the TrustID Certificate in question was valid at the time of the Authorized Relying Party’s reliance, by conducting a status check of the Certificate's then-current validity as required by the Issuing CA; and
  • Used the TrustID Certificate for purposes appropriate under this Policy and under circumstances where reliance would be reasonable and in good faith in light of all the circumstances that were known or should have been known to the Authorized Relying Party prior to reliance. (An Authorized Relying Party bears all risk of relying on a TrustID Certificate while knowing or having reason to know of any facts that would cause a person of ordinary business prudence to refrain from relying on the Certificate).
     
  Reception Zone The entry to a facility where the initial contact between the public and the Issuing CA or RA occurs, where services are provided, information is exchanged and access to Restricted Zones is controlled.
     
  Registration Authority (RA) An entity contractually delegated by an Issuing CA to accept and process Certificate applications, and to verify the identity of potential End Entities and authenticate information contained in Certificate applications, in conformity with the provisions of this Policy and related agreements.
     
  Registration Authority Agreement An agreement entered into between an entity and a CA authorizing the entity to act as an RA, and detailing the specific duties and obligations of the RA, including but not limited to, the procedures for conducting appropriate I&A on potential End Entities.
     
  RA Security and Operations Manual A manual, handbook or other publications in either hard-copy or electronic form that outlines the security and general operations standards and rules for a particular PKI.
     
  Repository An online system maintained by an Issuing CA for storing and retrieving Certificates and other information relevant to Certificates, including information relating to Certificate validity or revocation.
     
  Restricted Zones Any one of: (i) an Operations Zone; (ii) a Security Zone; and (iii) a High-Security Zone.
     
  Revocation The act of making a Certificate permanently ineffective from a specified time forward. Revocation is effected by notation or inclusion in a set of revoked Certificates or other directory or database of revoked Certificates (e.g., inclusion in a CRL).
     
  Security Zone An area to which access is limited to authorized personnel and to authorized and properly escorted visitors. Security Zones should preferably be accessible from an Operations Zone, and through a specific entry point. A Security Zone need not be separated from an Operations Zone by a secure perimeter. A Security Zone should be monitored 24 hours a day and 7 days a week by security staff, other personnel or electronic means.

  Shared Secret Activation Data used to assist parties in authenticating identity and establishing a reliable channel of communication. For purposes of establishing identity between an RA and a Certificate Holder, a Shared Secret may consist of an account PIN or online banking password shared solely between the RA and the Certificate Holder, but not the Issuing CA. For purposes of establishing identity between the Certificate Holder and the Issuing CA necessary for Certificate issuance, a Shared Secret consists of different Activation Data, which is shared among the RA, Certificate Holder and Issuing CA.
     
  Split-Knowledge Technique A security procedure where no single individual possesses the equipment, knowledge or expertise to view, alter or otherwise have access to sensitive or confidential information in a particular PKI.
     
  Sponsoring Organization An Organization that has an affiliation with an Individual and has authorized the Individual to hold a TrustID Certificate that identifies the Organization and the fact of the Individual’s affiliation with the Organization. See "Affiliated Individual."
     
  Subject Name The specific field in a Certificate containing the unique name-identifier for the Certificate Holder.
     
  Token A Cryptomodule consisting of a hardware object (e.g., a "smart card"), often with memory and a microchip.
     
  Trusted Role A role involving functions that may introduce security problems if not carried out properly, whether accidentally or maliciously. The functions of Trusted Roles form the basis of trust for the entire PKI.
     
  TrustID Certificate A Certificate issued pursuant to this Policy by an Issuing CA authorized to do so by the PMA and DST.
     
  Trustworthy System Computer hardware and software that: (i) are reasonably secure from intrusion and misuse; (ii) provide a reasonable level of availability; and (iii) are reasonably suited to perform their intended functions.
     
  Validity Period The intended term of validity of a Certificate, beginning with the date of Issuance ("Valid From" or "Activation" date), and ending on the expiration date indicated in the Certificate ("Valid To" or "Expiry" date).
     
1.1.2.2 Acronyms  
     
  ABA American Bankers Association
     
  ARL Authority Revocation List
     
  CA Certification Authority
     
  CMA Certificate Manufacturing Authority
     
  CPS Certification Practice Statement
     
  CRL Certificate Revocation List
     
  DN Distinguished Name
     
  DSA Digital Signature Algorithm
     
  DST Digital Signature Trust Co.
     
  I&A Identification and Authentication
     
  LDAP Lightweight Directory Access Protocol
     
  ISO International Organization for Standardization
     
  OID Object Identifier
     
  PKI Public Key Infrastructure
     
  PMA Policy Management Authority
     
  RA Registration Authority
     
  X.500 The ITU-T (International Telecommunication Union-T) standard that establishes a distributed, hierarchical directory protocol organized by country, region, Organization, etc.
     
  X.501 The ITU-T (International Telecommunication Union-T) standard for use of Distinguished Names in an X.500 directory.
     
  X.509 The ITU-T (International Telecommunication Union-T) standard for Certificates. X.509, version 3, refers to Certificates containing or capable of containing extensions.
     
1.1.3 Monetary Amounts All monetary values used in this Policy are in United States Dollars.
     
1.2 IDENTIFICATION The American National Standards Institute ("ANSI") has assigned DST a unique numeric Object Identifier ("OID") of 2.16.840.1.113839. DST has registered an OID for this Policy, which may not be used except as specifically authorized by this Policy. The Policy OID to be asserted in TrustID Certificates issued in accordance with this Policy will have a base arc of: {joint-iso-ccitt (2) country (16) USA (840) US-company (1) DST (113839) CP (0) TrustID-v2 (6)}.
     
1.2.1 Certificate Types The following certificate types and OIDs will be recognized for use within the PKI established by this Policy. Every TrustID Certificate issued under this Policy will contain the applicable OID listed below in the certificatePolicies extension of the Certificate:
  • TrustID Personal Certificate (2.16.840.1.113839.0.6.1) – issued to Individuals in accordance with Section 3.1;
  • TrustID Business Certificate (2.16.840.1.113839.0.6.2) – issued to Affiliated Individuals in accordance with Section 3.1;
  • TrustID Server Certificate (2.16.840.1.113839.0.6.3) – issued to SSL-enabled Electronic Devices in accordance with Section 3.1.10;
  • TrustID Demo Certificate (2.16.840.1.113839.0.6.4) – issued solely for testing and demonstration purposes;
  • Administrative CA Certificates (arc 2.16.840.1.113839.0.7) – used solely for the management and operation of the PKI, including Administrators (2.16.840.1.113839.0.7.1), Registration Authorities (2.16.840.1.113839.0.7.2), Authorized Relying Parties (2.16.840.1.113839.0.7.3), and others as needed; and
  • Other Types – as allowed by this Policy and upon approval of the PMA.
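As an added example (this is not DST's or IdenTrust's code, and no real TrustID Certificate is embedded; the extension bytes are constructed inline), the following stdlib-only Python shows how the OIDs above are DER-encoded inside a certificatePolicies extension value and how a relying application can parse that value and map it back to the certificate type this section defines. The arcs and type names are taken from this section; the PolicyInformation layout follows RFC 5280 section 4.2.1.4.

```python
# Constructed example (not DST/IdenTrust code): a DER OBJECT IDENTIFIER codec
# and a parser for the certificatePolicies extension value, which RFC 5280
# 4.2.1.4 defines as SEQUENCE OF SEQUENCE { policyIdentifier OID, qualifiers }.

# Arcs and OIDs as listed in section 1.2.1 of the Policy.
TRUSTID_ARC = "2.16.840.1.113839.0.6"
TRUSTID_ADMIN_ARC = "2.16.840.1.113839.0.7"
TRUSTID_TYPES = {
    "2.16.840.1.113839.0.6.1": "TrustID Personal Certificate",
    "2.16.840.1.113839.0.6.2": "TrustID Business Certificate",
    "2.16.840.1.113839.0.6.3": "TrustID Server Certificate",
    "2.16.840.1.113839.0.6.4": "TrustID Demo Certificate",
    "2.16.840.1.113839.0.7.1": "Administrative: Administrator",
    "2.16.840.1.113839.0.7.2": "Administrative: Registration Authority",
    "2.16.840.1.113839.0.7.3": "Administrative: Authorized Relying Party",
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER. The first two arcs fold into one subidentifier
    (40*a + b); each subidentifier is base-128 with the high bit set on every
    octet but the last, so 2.16.840.1.113839.0.6.1 becomes 60 86 48 01 86 f9 2f 00 06 01."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    content = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        content.extend(reversed(chunk))
    return b"\x06" + _der_len(len(content)) + bytes(content)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid, given the content octets (no tag or length)."""
    subids, cur, pending = [], 0, False
    for b in content:
        cur, pending = (cur << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            subids.append(cur)
            cur = 0
    if pending or not subids:
        raise ValueError("malformed OID content")
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + subids[1:])


def encode_certificate_policies(oids) -> bytes:
    """Build an extension value asserting the given OIDs, without qualifiers."""
    infos = b"".join(b"\x30" + _der_len(len(o)) + o for o in map(encode_oid, oids))
    return b"\x30" + _der_len(len(infos)) + infos


def parse_certificate_policies(der: bytes) -> list:
    """Return every policyIdentifier in a certificatePolicies extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_content, _ = _read_tlv(info, 0)  # qualifiers, if any, follow
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def trustid_type(der: bytes):
    """Name of the TrustID type asserted; a warning string for an OID under a
    TrustID arc that section 1.2.1 does not list; None if no TrustID OID."""
    for oid in parse_certificate_policies(der):
        if oid in TRUSTID_TYPES:
            return TRUSTID_TYPES[oid]
        if oid.startswith((TRUSTID_ARC + ".", TRUSTID_ADMIN_ARC + ".")):
            return "unlisted OID under a TrustID arc: " + oid
    return None
```

In a real certificate the bytes this parser consumes are the contents of the extnValue OCTET STRING of the extension whose extnID is 2.5.29.32 (id-ce-certificatePolicies); a relying application still has to verify the chain and, per the Reasonable Reliance definition above, check revocation status before treating the asserted type as meaningful. The "unlisted" branch exists because an OID under the DST arc that this section does not enumerate should be treated as a policy the relying party has not agreed to, not as a TrustID Certificate of some assumed type.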
     
1.3 COMMUNITY AND APPLICABILITY This Policy describes an open-but-bounded Public Key Infrastructure. It describes the rights and obligations of all Participants – i.e., all persons and entities authorized under this Policy to fulfill any of the following roles: Policy Management Authority, Certification Authority, Registration Authority, Certificate Manufacturing Authority, Repository, Certificate Holder and Authorized Relying Party.
1.3.1 PKI Service Providers  
     
1.3.1.1 The PMA The PMA for this Policy is the ABA, which will administer the policy decisions regarding this Policy.
     
1.3.1.2 Issuing CAs

Issuing CAs are Organizations authorized by the PMA to create, sign, issue, and manage Certificates. An Issuing CA may issue TrustID Certificates only if it is licensed by DST to use the TrustID mark and approved by the PMA, following satisfaction of the requirements established under the PMA Charter and satisfaction of the requirements for Certificate interoperability specified by the PMA. Each Issuing CA is bound to act according to the terms of this Policy. An Issuing CA's specific practices, in addition to the more general requirements set out in this Policy, must be set out in a Certification Practice Statement adopted by the Issuing CA and approved by the PMA. The Issuing CA’s CPS will set forth, among other things, the types of TrustID Certificates to be issued by the Issuing CA (e.g., personal Certificates, business Certificates, server Certificates). An Issuing CA must enter into an agreement with the PMA, for the benefit of all End Entities, to be bound by and comply with the undertakings and representations of this Policy, with respect to all TrustID Certificates it issues.
     
1.3.1.3 Registration Authorities (RAs) Each Issuing CA will remain ultimately responsible for all TrustID Certificates it issues. However, under this Policy, the Issuing CA may subcontract registration and I&A functions to an Organization that agrees to fulfill the functions of an RA in accordance with the terms of this Policy, and who will accept TrustID Certificate applications and locally collect and verify Applicant identity information to be entered into a TrustID Certificate. An RA operating under this Policy is only responsible for those duties assigned to it by the Issuing CA pursuant to an agreement with the Issuing CA or as specified in this Policy.
     
1.3.1.4 Certificate Manufacturing Authorities (CMAs) The Issuing CA will remain ultimately responsible for the manufacture of TrustID Certificates. However, the Issuing CA may subcontract manufacturing functions to third party CMAs who agree to be bound by this Policy.
     
1.3.1.5 Repositories The Issuing CA will perform the role and functions of the Repository. The Issuing CA may subcontract performance of the Repository functions to a third party Organization that agrees to fulfill the functions of a Repository, and who agrees to be bound by this Policy, but the Issuing CA remains responsible for the performance of those services in accordance with this Policy.
     
1.3.2 End Entities  
     
1.3.2.1 Certificate Holders The Issuing CA may issue TrustID Certificates to the following classes of Certificate Holders: Individuals and Organizations.

     
1.3.2.2 Authorized Relying Parties This Policy is intended for the benefit of Individuals and Organizations who have entered into an Authorized Relying Party Agreement to be bound by this Policy.
     
1.3.3 PKI Applicability and Applications  
     
1.3.3.1 Purpose TrustID Certificates are intended to support verification of Digital Signatures in applications where: (i) the identity of communicating parties needs to be authenticated; (ii) a message or file needs to be bound to the identity of its originator by a signature; and/or (iii) the integrity of the file or message has to be assured.
     
1.3.3.2 Approved Applications Applications for which TrustID Certificates are suitable include, but are not limited to, applications that:
  • provide authentication-based access and secure communication with online sources of information, including those that distribute information based on a fee or subscription and those which handle the Certificate Holder’s personal or restricted information, such as financial institutions, governmental agencies, health/medical and insurance providers and others;
  • provide support for form signing and other application processes and filings with governmental and non-governmental Organizations; and
  • sign, encrypt, decrypt and/or verify electronic messages and Digital Signatures on contracts, letters of credit, wire transfers, foreign exchange transactions, stock transactions, cash management transactions, security interests, bank statements and other electronic documentation.
     
1.3.3.3 Prohibited Applications TrustID Certificates may not be used for: (i) any application requiring fail-safe performance such as: (a) the operation of nuclear power facilities, (b) air traffic control