Extended Validation Certificate Certification Practice Statement Version 4.2
© 2008 Cybertrust Japan Co., Ltd.
Cybertrust Japan EV CA
Certification Practice Statement
Version 4.2
Cybertrust Japan Co., Ltd.
24th June 2019
■ Copyright and distribution conditions of this CPS
This CPS is available under Attribution-NoDerivs (CC-BY-ND) 4.0 (or later version) of the Creative Commons
license.
© 2008 Cybertrust Japan Co., Ltd.
Version 4.2
Revision date: 24th June 2019
This CPS can be copied and distributed in whole or in part free of charge if the following conditions are satisfied.
▪ Display the copyright notice, Version, and revision date at the top of the pages of the whole or partial copies.
▪ Set forth that full text can be obtained at https://www.cybertrust.ne.jp/repository if only a part of this document is distributed.
▪ Specify the citation source appropriately when using part of this document as excerpts and citations in other documents.
▪ Cybertrust shall not be liable for any dispute or damage related to copying and distribution of this CPS.
▪ In addition, Cybertrust prohibits alteration and modification in any case.
Inquiries about the copyright and distribution conditions of this CPS are accepted at this CPS "1.5.2 Contact Point".
Revision History
Version Date Reason for Revision
1.0 March 5, 2008
▪ Formulation of initial version
1.1 April 15, 2009
▪ Reviewed "3.2.2 Verification of Subscribers"
▪ Changed acceptance date of renewals and issuance date of certificates associated with key renewal
▪ Added reason of revocation by the Certification Authority
▪ Changed FIPS 140-2 to 140-1
1.2 July 15, 2009
▪ Made revision pursuant to start of operation of OCSP server
1.3 September 29, 2009
▪ Added description regarding remote storage locations to "5. Management, Operational, and Physical Controls"
▪ Specified personal information in "9.4.7 Other Cases of Information Disclosure"
1.4 February 18, 2011
▪ Changed "5.1 Physical Security Controls" and "6.2.6 Private Key Transfer" in relation to remote storage locations
▪ Changed "5.1.9 Backup Site" pursuant to change of name of remote storage location to backup site
▪ Changed "1.1 Overview", "2.2 Information to be Published", "6.1.5 Key Length" and "APPENDIX B" due to deletion of descriptions regarding Cybertrust Japan EV CA G1 associated with termination of SureServerEV1024 bit service
1.5 September 30, 2011
▪ Included description of Serial Number of Certification Authority Certificate in "1.1 Overview"
▪ Changed "5.4.3 Audit Log Archival Period"
1.6 January 14, 2012
▪ Changes made pursuant to addition of SubjectAltName extension
1.7 February 27, 2012
▪ Changed URL of "2.2 Information to be Published"
▪ Changed Policies extension of SureServer EV Certificates in "Appendix B"
1.8 June 29, 2012
▪ Added "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" as requirements in "1.1 Overview"
▪ Changed items to be screened in "1.4.1.1 SureServer EV Certificate"
▪ Changed meaning of Organization Unit (OU) of SureServer EV Certificates in "3.1.2 Need for Names to be Meaningful"
▪ Changed "4.9.1.1 Reason of Revocation by Subscriber"
▪ Changed "4.9.1.2 Reason of Revocation by Certification Authority"
▪ Changed "5.5.2 Record Archival Period"
▪ Changed "9.6.3 Representations and Warranties of Subscribers"
▪ Added "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" and "Fully-Qualified Domain Name (FQDN)" to "Appendix A"
1.9 November 14, 2012
▪ Changed "6.1.1 Generation of Key Pair"
2.0 December 19, 2012
▪ Added information of certificates of Cybertrust Japan EV CA G2 to "1.1 Overview"
▪ Added profile of Cybertrust Japan EV CA G2 with extended valid term to "Appendix B"
2.1 February 20, 2013
▪ Changed "SHA1" in "Appendix A" to "SHA1/SHA2"
▪ Added SureServer EV[SHA-2] certificate profile to "Appendix B"
2.2 May 1, 2013
▪ Changed "4.6 Certificate Renewal Not Involving Rekey"
2.3 June 24, 2013
▪ Changed certificate profile associated with issuance of Japanese (UTF8String) of the certificate DN information in "Appendix B"
2.4 August 21, 2013
▪ Revised registration contents of Business Category of SureServer EV Certificates according to revisions of the EVC Guidelines in "3.1.2 Need for Names to be Meaningful"
▪ Similarly revised the value of the Business Category of SureServer EV Certificates and SureServer EV[SHA-2] Certificates in "Appendix B"
2.5 February 10, 2014
▪ Made changes pursuant to the renewal of certificate of Cybertrust Japan EV CA G2
▪ Made other corrections of descriptions and errors
2.6 April 13, 2014
▪ Made changes pursuant to the renewal of certificate of Cybertrust Japan EV CA G2
▪ Made other corrections of descriptions and errors
2.7 July 1, 2014
▪ Changed name of building of contact address
▪ Corrected typographical errors
2.8 February 2, 2015
▪ Added profile to "Appendix B" pursuant to dealing with Certificate Transparency
▪ Made other corrections of descriptions and errors
2.9 February 9, 2015
▪ Changed "3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation"
3.0 March 30, 2015
▪ Added "4.2.4 CAA Record (Certification Authority Authorization Record) Procedures"
3.1 August 29, 2015
▪ Made changes pursuant to the period for accepting of renewal request
3.2 June 29, 2016
▪ Changed Business Days in "1.5.2 Contact Point"
▪ Changed keyUsage of SureServer [SHA-2] Certificates (Cybertrust Japan Public CA G3) in "Appendix B" to TRUE
▪ Made other corrections of descriptions
3.3 March 4, 2017
▪ Removed annotations on CT certificate of "Appendix B"
▪ Made other corrections of descriptions
3.4 April 28, 2017
▪ Made changes pursuant to the values that cannot be specified for the review of the Organization Unit (OU)
▪ "1.4.1.1 SureServer Certificate (iv)"
▪ Meaning of Organization Unit (OU) in DN section of "3.1.2.1 SureServer Certificate"
▪ "4.9.1.1 Reason for Revocation by Subscriber (vi)"
▪ "4.9.1.2 Reason for Revocation by the Certification Authority (vii)"
▪ "9.6.3 Representations and Warranties of Subscribers (iv)"
3.5 May 21, 2017
▪ Removed "User Notice" of "certificatePolicies" in "Appendix B"
3.6 September 3, 2017
▪ Changed "4.2.4 CAA Record (Certification Authority Authorization Record) Procedures"
▪ Made changes pursuant to the renewal of certificate of Cybertrust Japan EV CA G2
3.7 October 19, 2017
To comply with BR V 1.5.2 (Ballot 190 Effective October 19, 2017), changed the following
▪ Segmented "3.2.2 Verification of Subscribers"
▪ Moved "4.2.4 CAA Record (Certification Authority Authorization Record) Procedures" to "3.2.2.8 CAA Record"
3.8 December 21, 2017
▪ Added "Copyright and distribution conditions of this CPS"
▪ Added "CyberTrust Japan Policy Authority"
▪ Added fingerprint in "1.1 Overview"
▪ Changed Business Days in "1.5.2 Contact Point"
▪ Changed "6.3.2 Valid Term of Key Pair"
3.9 March 1st, 2018
▪ "1.3.2 Registration Authority" Added description that Cybertrust does not delegate any operations to any third parties.
▪ "3.2.2.4 Validation of Domain Authorization or Control"
▪ "4.9.9 Online Verification of Revocation Information" Added the description that the procedure should comply with RFC 6960.
▪ "4.9.10 Online Verification of Certificate Status" Added the prescription.
▪ "4.10.1 Operational Features" Added the prescription.
▪ "4.10.2 Service Level" Added the prescription.
▪ "6.2.7 Private Key Storage in Cryptographic Module" Added the prescription concerning Cryptographic Module.
▪ "9.12.1 Amendment Procedures" Added annual review of this CPS.
▪ Few other minor modifications on phraseology and typographical errors.
4.0 August 1, 2018
▪ Changed "1.4.1 Types of Certificates"
▪ Minor modifications on phraseology
4.1 December 17, 2018
▪ "3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers" Added the prescription.
▪ Changed "4.9.1 due to revocation requirement"
▪ "7.1.5 Name Restrictions" Added the prescription.
▪ "9.12.3 Modification of Object Identifier" Added the prescription.
▪ "9.15 Compliance with Applicable Law" Added the prescription.
▪ "9.16.4 Enforceability" Added the prescription.
▪ Minor modifications on phraseology
4.2 June 24, 2019
▪ Changed "1.4.1 Types of Certificates", "4.9.1 Revocation Requirements", "9.6.3 Representations and Warranties of Subscribers".
▪ Changed "3.2.2.4 Validation of Domain Authorization or Control" and to comply with BR v1.6.5
▪ Moved the detail of CAA validation practice from section "3.2.2.8 CAA Record (Certification Authority Authorization Record) Procedures" to section "4.2.1 Identity Validation and Execution of Certification Operations"
▪ Added the definitions of terms in Appendix A
▪ Minor modifications on phraseology
Contents
1. INTRODUCTION
  1.1 OVERVIEW
  1.2 DOCUMENT NAME AND IDENTIFICATION
  1.3 PKI PARTICIPANTS
    1.3.1 Certification Authority
    1.3.2 Registration Authority
    1.3.3 Issuing Authority
    1.3.4 Subscriber
    1.3.5 Relying Party
    1.3.6 Other Participants
  1.4 CERTIFICATE USAGE
    1.4.1 Types of Certificates
    1.4.2 Appropriate Certificate Uses
    1.4.3 Prohibited Certificate Uses
  1.5 POLICY ADMINISTRATION
    1.5.1 Organization Administering Documents
    1.5.2 Contact Point
    1.5.3 Party to Determine Suitability of CPS
    1.5.4 Suitability Approval Procedures
  1.6 DEFINITIONS AND ACRONYMS
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
  2.1 ORGANIZATION TO CONTROL REPOSITORIES
  2.2 INFORMATION TO BE PUBLISHED
  2.3 TIMING AND FREQUENCY OF PUBLICATION
  2.4 ACCESS CONTROL ON REPOSITORIES
3. IDENTIFICATION AND AUTHENTICATION
  3.1 NAMING
    3.1.1 Types of Names
    3.1.2 Need for Names to be Meaningful
    3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers
    3.1.4 Rules for Interpreting Various Name Forms
    3.1.5 Uniqueness of Names
    3.1.6 Recognition, Authentication, and Role of Trademarks
  3.2 INITIAL IDENTITY VALIDATION
    3.2.1 Method to Prove Possession of Private Key
    3.2.2 Verification of Organization and Domain
    3.2.3 Authentication of Individual Identity
    3.2.4 Non-verified Subscriber Information
    3.2.5 Verification of Application Supervisor
    3.2.6 Interoperability Standards
  3.3 IDENTIFICATION AND AUTHENTICATION FOR KEY (CERTIFICATE) RENEWAL REQUEST
    3.3.1 Identification and Authentication upon Renewal for Routine Key (Certificate) Renewal
    3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation
  3.4 IDENTITY VALIDATION AND AUTHENTICATION UPON REVOCATION REQUEST
4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
  4.1 CERTIFICATE APPLICATION
    4.1.1 Persons Who May Apply for Certificates
    4.1.2 Enrollment Process and Responsibilities
  4.2 CERTIFICATE APPLICATION PROCESSING
    4.2.1 Identity Validation and Execution of Certification Operations
    4.2.2 Approval or Rejection of Certificate Application
    4.2.3 Time Required for Certificate Application Procedures
  4.3 CERTIFICATE ISSUANCE
    4.3.1 Certificate Issuance Procedures by Certification Authority
    4.3.2 Notification of Issuance of Certificate to Subscribers
  4.4 CERTIFICATE ACCEPTANCE
    4.4.1 Certificate Acceptance Verification Procedures
    4.4.2 Publication of Certificate by Certification Authority
    4.4.3 Notification of Issuance of Certificate by Certification Authority to Other Participants
  4.5 KEY PAIR AND CERTIFICATE USAGE
    4.5.1 Use of Private Key and Certificate by Subscriber
    4.5.2 Use of Subscriber's Public Key and Certificate by Relying Party
  4.6 CERTIFICATE RENEWAL NOT INVOLVING REKEY
    4.6.1 Requirements for Certificate Renewal Not Involving Key Renewal
    4.6.2 Persons Who May Request Renewal
    4.6.3 Renewal Request Procedures
    4.6.4 Notification of Issuance of Renewed Certificate
    4.6.5 Procedures for Accepting Renewed Certificate
    4.6.6 Publication of Renewed Certificate
    4.6.7 Notification of Issuance of Certificate by Certification Authority to Other Participants
  4.7 CERTIFICATE RENEWAL INVOLVING REKEY
    4.7.1 Requirements for Certificate Renewal Involving Rekey
    4.7.2 Persons Who May Request Renewal
    4.7.3 Rekey Application Procedures
    4.7.4 Notification of Issuance of Rekeyed Certificate
    4.7.5 Procedures for Accepting Rekeyed Certificate
    4.7.6 Publication of Rekeyed Certificate
    4.7.7 Notification of Issuance of Rekeyed Certificate to Other Participants
  4.8 MODIFICATION OF CERTIFICATE
    4.8.1 Requirements for Modification of Certificate
    4.8.2 Persons Who May Request Modification of Certificate
    4.8.3 Certificate Modification Procedures
    4.8.4 Notification of Issuance of Modified Certificate
    4.8.5 Procedures for Accepting Modified Certificate
    4.8.6 Publication of Modified Certificate
    4.8.7 Notification of Issuance of Modified Certificate to Other Participants
  4.9 CERTIFICATE REVOCATION AND SUSPENSION
    4.9.1 Revocation Requirements
    4.9.2 Persons Who May Request Revocation
    4.9.3 Revocation Request Procedures
    4.9.4 Grace Period up to Revocation Request
    4.9.5 Time Required for Certification Authority to Process Revocation
    4.9.6 Verification of Revocation by Relying Parties
    4.9.7 CRL Issue Cycle
    4.9.8 Maximum Delay Time up to CRL Issue
    4.9.9 Online Verification of Revocation Information
    4.9.10 Online Verification of Certificate Status
    4.9.11 Means for Providing Other Available Revocation Information
    4.9.12 Special Requirements for Compromise of Key
    4.9.13 Certificate Suspension Requirements
    4.9.14 Persons Who May Request Suspension
    4.9.15 Suspension Application Procedures
    4.9.16 Term of Suspension
  4.10 CERTIFICATE STATUS SERVICES
    4.10.1 Operational Characteristics
    4.10.2 Service Availability
    4.10.3 Other Requirements
  4.11 END OF SUBSCRIPTION (REGISTRATION)
  4.12 THIRD PARTY DEPOSIT OF KEY AND KEY RECOVERY
    4.12.1 Policy and Procedures for Key Deposit and Key Recovery
    4.12.2 Policy and Procedures for Capsulation and Recovery of Session Key
5. MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS
  5.1 PHYSICAL SECURITY CONTROLS
    5.1.1 Site Location and Structure
    5.1.2 Physical Access
    5.1.3 Power and Air-conditioning Equipment
    5.1.4 Flood Control Measures
    5.1.5 Fire Control Measures
    5.1.6 Anti-earthquake Measures
    5.1.7 Medium Storage Site
    5.1.8 Waste Disposal
    5.1.9 Backup Site
  5.2 PROCEDURAL CONTROLS
    5.2.1 Trusted Roles and Personnel
    5.2.2 Number of Personnel Required for Each Role
    5.2.3 Personal Identification and Validation of Each Role
    5.2.4 Roles Requiring Segregation of Duties
  5.3 PERSONNEL SECURITY CONTROLS
    5.3.1 Qualifications, Experience, Clearances
    5.3.2 Background Checks and Clearance Procedures
    5.3.3 Training Requirements and Procedures
    5.3.4 Retraining Period and Retraining Procedures
    5.3.5 Cycle and Order of Job Rotation
    5.3.6 Sanction against Unauthorized Actions
    5.3.7 Contract Requirements of Contract Employees
    5.3.8 Documents Available to Certification Authority Staff
  5.4 AUDIT LOGGING PROCEDURES
    5.4.1 Types of Events to be Recorded
    5.4.2 Audit Logging Frequency
    5.4.3 Audit Log Archival Period
    5.4.4 Audit Log Protection
    5.4.5 Audit Log Backup Procedures
    5.4.6 Audit Log Collection System
    5.4.7 Notification to Parties
    5.4.8 Vulnerability Assessment
  5.5 RECORDS ARCHIVAL
    5.5.1 Records to be Archived
    5.5.2 Record Archival Period
    5.5.3 Record Protection
    5.5.4 Record Backup Procedures
    5.5.5 Time-stamping
    5.5.6 Record Collecting System
    5.5.7 Record Acquisition and Validation Procedures
  5.6 KEY RENEWAL OF CERTIFICATION AUTHORITY
  5.7 COMPROMISE AND DISASTER RECOVERY
    5.7.1 Compromise and Disaster Recovery Procedures
    5.7.2 Procedures upon System Resource Failure
    5.7.3 Procedures upon Compromise of Subscriber's Private Key
    5.7.4 Business Continuity upon Disasters
  5.8 TERMINATION OF CERTIFICATION AUTHORITY OPERATIONS
6. TECHNICAL SECURITY CONTROLS
  6.1 KEY PAIR GENERATION AND INSTALLATION
    6.1.1 Key Pair Generation
    6.1.2 Delivery of Subscriber's Private Key
    6.1.3 Delivery of Subscriber's Private Key to Certification Authority
    6.1.4 Delivery of Certification Authority Private Key to Relying Parties
    6.1.5 Key Length
    6.1.6 Public Key Parameter Generation and Inspection
    6.1.7 Key Usage
  6.2 PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
    6.2.1 Cryptographic Module Standards and Controls
    6.2.2 Private Key Controls by Multiple Persons
    6.2.3 Private Key Escrow
    6.2.4 Private Key Backup
    6.2.5 Private Key Archive
    6.2.6 Private Key Transfer
    6.2.7 Private Key Storage in Cryptographic Module
    6.2.8 Private Key Activation
    6.2.9 Private Key Non-activation
    6.2.10 Private Key Destruction
    6.2.11 Cryptographic Module Assessment
  6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT
    6.3.1 Storage of Public Key
    6.3.2 Certificate Operational Periods and Key Pair Usage Periods
6.4 ACTIVATION DATA
6.4.1 Generation and Setting of Activation Data
6.4.2 Activation Data Protection and Controls
6.4.3 Other aspects of activation data
6.5 COMPUTER SECURITY CONTROLS
6.5.1 Technical Requirements of Computer Security
6.5.2 Computer Security Assessment
6.6 LIFE CYCLE SECURITY CONTROLS
6.6.1 System Development Controls
6.6.2 Security Operation Controls
6.6.3 Life Cycle Security Controls
6.7 NETWORK SECURITY CONTROLS
6.8 TIME-STAMPING
7. CERTIFICATE, CRL AND OCSP PROFILES
7.1 CERTIFICATE PROFILE
7.1.1 Version No.
7.1.2 Certificate Extensions
7.1.3 Algorithm Object Identifier
7.1.4 Name Format
7.1.5 Name Restrictions
7.1.6 Certificate Policy Object Identifier
7.1.7 Use of Policy Constraint Extensions
7.1.8 Construction and Meaning of Policy Modifier
7.1.9 Processing Method of Certificate Policy Extensions
7.2 CRL PROFILE
7.2.1 Version No.
7.2.2 CRL, CRL Entry Extension
7.3 OCSP PROFILE
7.3.1 Version No.
7.3.2 OCSP Extension
8. COMPLIANCE AUDIT AND OTHER ASSESSMENT
8.1 AUDIT FREQUENCY AND REQUIREMENTS
8.2 AUDITOR REQUIREMENTS
8.3 RELATION OF AUDITOR AND AUDITEE
8.4 SCOPE OF AUDIT
8.5 MEASURES AGAINST IDENTIFIED MATTERS
8.6 DISCLOSURE OF AUDIT RESULTS
8.7 SELF AUDIT
9. OTHER BUSINESS AND LEGAL MATTERS
9.1 FEES
9.2 FINANCIAL RESPONSIBILITY
9.3 CONFIDENTIALITY OF BUSINESS INFORMATION
9.3.1 Scope of Confidential Information
9.3.2 Information Outside Scope of Confidential Information
9.3.3 Responsibility of Protecting Confidential Information
9.4 PROTECTION OF PERSONAL INFORMATION
9.4.1 Privacy Policy
9.4.2 Information Handled as Personal Information
9.4.3 Information not Deemed Personal Information
9.4.4 Responsibility of Protecting Personal Information
9.4.5 Notification to and Approval from Individuals on Use of Personal Information
9.4.6 Disclosure based on Judicial or Administrative Procedures
9.4.7 Other Cases of Information Disclosure
9.5 INTELLECTUAL PROPERTY RIGHTS
9.6 REPRESENTATIONS AND WARRANTIES
9.6.1 Representations and Warranties of Issuing Authority
9.6.2 Representations and Warranties of Registration Authority
9.6.3 Representations and Warranties of Subscribers
9.6.4 Representations and Warranties of Relying Parties
9.6.5 Representations and Warranties of Other Participants
9.7 DISCLAIMERS OF WARRANTIES
9.8 LIMITATIONS OF LIABILITY
9.9 INDEMNITIES
9.10 TERM OF DOCUMENT AND TERMINATION
9.10.1 Term of Document
9.10.2 Termination
9.10.3 Influence of Termination and Surviving Provisions
9.11 INDIVIDUAL NOTIFICATIONS AND COMMUNICATIONS WITH PARTICIPANTS
9.12 AMENDMENTS
9.12.1 Amendment Procedures
9.12.2 Notification Method and Period
9.12.3 Modification of Object Identifier
9.13 DISPUTE RESOLUTION PROCEDURES
9.14 GOVERNING LAW
9.15 COMPLIANCE WITH APPLICABLE LAW
9.16 MISCELLANEOUS PROVISIONS
9.16.1 Entire Agreement
9.16.2 Assignment of Rights
9.16.3 Severability
9.16.4 Enforceability
9.16.5 Force Majeure
9.17 OTHER PROVISIONS
APPENDIX A: LIST OF DEFINITIONS
APPENDIX B: PROFILE OF CERTIFICATE
1. Introduction
1.1 Overview
Cybertrust Japan Co., Ltd. ("Cybertrust") issues SureServer EV Certificates (unless separately provided
for herein, "certificate(s)") in Japan.
The SureServer EV Certificate is an Extended Validation Certificate ("EVC") for use in certifying
servers and network devices upon performing SSL/TLS communication based on the "Guidelines
For The Issuance And Management Of Extended Validation Certificates" ("EV Guidelines") set forth
by the CA/Browser Forum.
A subscriber's certificate is issued by the certification authority operated by Cybertrust ("Certification
Authority").
The Certification Authority has been certified by the Root CA operated by DigiCert.

Name of Certification Authority: Cybertrust Japan EV CA G2
Serial Number of Certification Authority Certificate: 0aa15896a4d1af800da1690ef4a3afb4
Valid Term of Certification Authority Certificate: July 13, 2017 to December 14, 2021
Signature System: SHA2 with RSA
Key Length of Certification Authority: 2048 bit
Fingerprint (SHA1): E3D9D219C4ED513669F5EF3FA15A8DE1278F2927
Fingerprint (SHA256): 400E5E8524F35598798576312E75A545140A4E4B7314C1C8C53FD7EC820E77B5
Certificates to be Issued: SureServer EV Certificate
Root CA: Cybertrust Global Root

Name of Certification Authority: Cybertrust Japan EV CA G2
Serial Number of Certification Authority Certificate: 040000000001446e1952e6
Valid Term of Certification Authority Certificate: February 26, 2014 to December 10, 2019
Signature System: SHA2 with RSA
Key Length of Certification Authority: 2048 bit
Fingerprint (SHA1): 9902D1D15C5A1628812C2E23A384C2BB4E1DA370
Fingerprint (SHA256): 87D9130F0DB2627814E486AF7FE1954C1FE4E3CBFA193D0F66AA1157CC9EE08C
Certificates to be Issued: SureServer EV Certificate
Root CA: Cybertrust Global Root

Name of Certification Authority: Cybertrust Japan EV CA G2
Serial Number of Certification Authority Certificate: 040000000001437203349a
Valid Term of Certification Authority Certificate: January 8, 2014 to December 10, 2019
Signature System: SHA1 with RSA
Key Length of Certification Authority: 2048 bit
Fingerprint (SHA1): 15C936ADCA01CA4CF31F0FC1137FA60C110EBFD7
Fingerprint (SHA256): BD45B252C72F3D6D94A57BD6F73154129762880396E74417ACF51257932969C6
Certificates to be Issued: SureServer EV Certificate
Root CA: Cybertrust Global Root

Name of Certification Authority: Cybertrust Japan EV CA G2
Serial Number of Certification Authority Certificate: 0400000000013ae537ed9e
Valid Term of Certification Authority Certificate: November 9, 2012 to December 19, 2019
Signature System: SHA1 with RSA
Key Length of Certification Authority: 2048 bit
Fingerprint (SHA1): B5D17FE3BDC03F80B7A81FFCB63FCB5832268ABD
Fingerprint (SHA256): 8917FCCC50424C56C985BC0B352F53B0CC9A8E4B7763242EA988C9D1CD0527F0
Certificates to be Issued: SureServer EV Certificate
Root CA: Cybertrust Global Root

The Certification Authority is compliant with the following guidelines and laws and ordinances in order
to issue certificates:
(i). EV Guidelines;
(ii). Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates;
(iii). Extended Validation Certificate Certification Practice Statement;
(iv). agreement concerning signature based on DigiCert's Root CA; and
(v). laws of Japan that are applicable to the operations to be performed by the Certification Authority established in Japan.
The Certification Authority is compliant with the latest version of the EV Guidelines and the Baseline
Requirements for the Issuance and Management of Publicly-Trusted Certificates ("EV Guidelines" and
"BR" collectively, "Guidelines, etc.") published in https://www.cabforum.org. If there is any
discrepancy between this "Extended Validation Certificate Certification Practice Statement" (this
"CPS") and the Guidelines, etc., the Guidelines, etc. shall prevail.
This CPS prescribes the requirements for the Certification Authority to issue certificates. The
requirements include obligations of the Certification Authority, obligations of subscribers, and
obligations of relying parties.
Upon specifying the various requirements in this CPS, the Certification Authority shall adopt the
RFC3647 "Certificate Policy and Certification Practices Framework" set forth by the IETF PKIX
Working Group. RFC3647 is an international guideline that sets forth the framework of CPS or CP.
Matters that do not apply to the Certification Authority in the respective provisions of this CPS provided
based on the framework of RFC3647 are indicated as "Not applicable".
The Certification Authority does not individually prescribe a policy for each subscriber certificate
("CP"), and this CPS shall include the respective CPs.
1.2 Document Name and Identification
The official name of this CPS shall be the "Extended Validation Certificate Certification Practice
Statement".
1.3 PKI Participants
The PKI Participants described in this CPS are set forth below. Each of the relevant parties must observe
the obligations set forth in this CPS.
1.3.1 Certification Authority
The Certification Authority set forth in "1.1 Overview" of this CPS. The Certification Authority is
composed of an Issuing Authority and a Registration Authority. The Certification Authority shall be
governed by the Certification Authority Supervisor set forth in "5.2.1 Trusted Roles and Personnel" of
this CPS, and Cybertrust Japan Policy Authority ("CTJ PA") approves this CPS.
1.3.2 Registration Authority
The Registration Authority is operated by Cybertrust, and accepts applications for certificates from
subscribers, and screens the applications based on this CPS. Based on the screening results, the
Registration Authority instructs the Issuing Authority to issue or revoke the certificates of subscribers,
or dismisses the applications. Cybertrust does not delegate its RA operation to any third party.
1.3.3 Issuing Authority
The Issuing Authority is operated by Cybertrust, and issues or revokes certificates of subscribers based
on instructions from the Registration Authority. The Issuing Authority also controls the private key of
the Certification Authority based on this CPS.
1.3.4 Subscriber
A subscriber is an organization that applies for a certificate with the Certification Authority and uses
the certificate based on this CPS and the subscriber agreement, and is a corporation registered in Japan
or a Japanese administrative agency.
A person who is responsible for applying for a subscriber's certificate is referred to as an application
supervisor. A subscriber must appoint an application supervisor among persons affiliated with the
subscriber's organization.
Persons affiliated with the subscriber who may apply for a certificate with the Certification Authority
shall be limited to the application supervisor, or a procedural manager who is authorized by the
application supervisor to submit an application. The procedural manager may be appointed among
persons inside or outside the subscriber's organization. When the procedural manager is to be appointed
from the outside, the procedural manager may be an individual or an organization. The procedural
manager appointed among persons outside the subscriber's organization may be defined as the
"Applicant's Agent" in the subscriber agreement, etc.
1.3.5 Relying Party
A relying party is an organization or an individual that verifies the validity of the certificates of the
Certification Authority and subscribers, and relies on the certificates of the Certification Authority and
subscribers based on one's own judgment.
1.3.6 Other Participants
Not applicable.
1.4 Certificate Usage
1.4.1 Types of Certificates
The Certification Authority issues the following certificates to subscribers.
1.4.1.1 SureServer EV Certificate
A certificate certifies a subscriber's server or network device and realizes the SSL/TLS encrypted
communication between such server or network device and a relying party's client device. Upon issuing
a certificate, the Registration Authority shall screen the following matters based on this CPS:
(i). legal and physical existence of subscribers;
(ii). existence of the subscriber's business (provided, however, that this shall be implemented when 3 years have not elapsed from the establishment of the subscriber's organization, and its physical existence cannot be verified in the screening);
(iii). a subscriber has the right to use the Fully-Qualified Domain Name ("FQDN") included in the SureServer EV Certificate;
(iv). the OU attribute listed in the certificates does not include the name, DBA, product name, trademark, address, location, or other text that refers to a specific natural person or legal entity unless the Certification Authority verifies that the specified information indicates the Subscriber. This field MUST NOT contain only metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable;
(v). name, title and authority of an application supervisor;
(vi). acceptance of the subscriber agreement;
(vii). approval of the application supervisor for the procedural manager to submit an application; and
(viii). high risk status, etc.*
*The following are surveyed as the high risk status, etc.:
▪ past phishing cases;
▪ records of applications that were dismissed or records of certificates that were revoked by the Certification Authority in the past due to suspicion of phishing and other fraudulent acts; and
▪ punishment by an administrative agency against a subscriber (trade embargo).
If there is suspicion of fraudulent use of a certificate for which an application was submitted
with the Certification Authority based on the foregoing survey, the Certification Authority
shall perform additional screening that it deems appropriate as needed.
1.4.2 Appropriate Certificate Uses
Uses of a subscriber's certificate shall be as set forth below.
(i). Certification of devices (server, network device, etc.) in which the SureServer EV Certificate is to be used; and
(ii). SSL or TLS encrypted communication.
1.4.3 Prohibited Certificate Uses
The Certification Authority prohibits the use of certificates for any purpose other than as set forth in
"1.4.2 Appropriate Certificate Uses" of this CPS.
1.5 Policy Administration
1.5.1 Organization Administering Documents
This CPS and the subscriber agreement are administered by the Certification Authority.
1.5.2 Contact Point
The Certification Authority accepts inquiries related to the services provided by Cybertrust and this
CPS at the following contact information.
Contact Information
Cybertrust Japan Co., Ltd. SureServer EV Section
Address: 13F SE Sapporo Bldg., 1-1-2 Kita 7-jo Nishi, Kita-ku, Sapporo-shi 060-0807
Tel: 011-708-5283
Business Days: Monday to Friday (excluding National Holidays, and the designated days addressed
on Cybertrust's website including Year-End and New Year)
Business Hours: 9:00 to 18:00
Inquiries and complaints: As indicated below
Description Address
▪ Inquiries regarding the application process for issuance and technical inquiries
▪ Other inquiries regarding this CPS, etc.
▪ Inquiries regarding revocation requests and application process
▪ Inquiries regarding problems with certificates or upon discovery of fraudulent certificates
▪ Communication of other complaints
1.5.3 Party to Determine Suitability of CPS
Certificates of the Certification Authority are issued by the Root CA operated by DigiCert. In order to
receive the issuance of a certificate from the Root CA, this CPS must comply with the matters requested
by DigiCert. DigiCert assesses and determines the suitability of this CPS.
1.5.4 Suitability Approval Procedures
The suitability described in "1.5.3 Party to Determine Suitability of CPS" of this CPS shall go through
an external audit, and then be approved by DigiCert.
1.6 Definitions and Acronyms
As prescribed in Appendix A of this CPS.
2. Publication and Repository Responsibilities
2.1 Organization to Control Repositories
Repositories of the Certification Authority are controlled by Cybertrust.
2.2 Information to be Published
The Certification Authority publishes the repositories as follows.
Publish the following information on https://www.cybertrust.ne.jp/ssl/repository/index.html:
▪ this CPS;
▪ subscriber agreement; and
▪ other terms and conditions regarding the services of the Certification Authority (the "Related
Rules")
Publish the following information on:
http://sureseries-crl.cybertrust.ne.jp/SureServer/2021_ev/cdp.crl.
▪ CRL issued by Cybertrust Japan EV CA G2
Publish the following information on:
https://www.cybertrust.ne.jp/sureserver/support/download_ca.html.
▪ Certificates of the Certification Authority
2.3 Timing and Frequency of Publication
The timing and frequency of publication of the information to be published by the Certification
Authority shall be as follows, except where repository maintenance or the like is required; the CRL,
however, shall be published 24 hours a day:
(i). this CPS, the subscriber agreement, and other terms and conditions regarding the services of the Certification Authority shall be published each time they are amended;
(ii). the CRL shall be renewed according to the cycle prescribed in "4.9.7 CRL Issue Cycle" of this CPS and then published; and
(iii). the certificates of the Certification Authority shall be published at least during the effective period.
2.4 Access Control on Repositories
The Certification Authority shall not perform special access control on the repositories.
3. Identification and Authentication
3.1 Naming
3.1.1 Types of Names
Subscribers are identified based on the X.500 Distinguished Name ("DN") in the certificate.
3.1.2 Need for Names to be Meaningful
The names included in the DN of the certificate shall have the meanings set forth in the following subsection.
3.1.2.1 SureServer EV Certificate
DN Item: Meaning
Common Name: Complete host name of server or network device to use the certificate
Organization: Name of organization of subscriber
Organization Unit *(voluntary item): Business division, service, etc. *Any of the values described in "1.4.1.1 SureServer Certificate (ⅳ)" in this CPS must not be included.
Locality: Address of business location (locality)
State or Province: Address of business location (state or province)
Country: Address of business location (country)
Business Category: Information for identifying form of organization set forth in the EV Guidelines (Private Organization, Government Entity, Business Entity, Non-Commercial Entity)
Serial Number: For private organizations, indicate the corporate registration number. For government entities, indicate "The Subject is a Government Entity"
Jurisdiction of Incorporation State or Province: Jurisdiction of Incorporation State or Province
Jurisdiction of Incorporation Country: Jurisdiction of Incorporation Country
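The DN rules above, together with the OU restriction in "1.4.1.1 (iv)" and the Japan-only subscriber scope in "1.3.4", can be checked mechanically before a request reaches manual screening. The following is an added example, not part of this CPS or of Cybertrust's systems; the dictionary input, the list of absence markers, the choice of mandatory items and all sample values are assumptions made for illustration.

```python
import re

# Values taken from the DN table in "3.1.2.1 SureServer EV Certificate".
BUSINESS_CATEGORIES = {
    "Private Organization", "Government Entity",
    "Business Entity", "Non-Commercial Entity",
}
GOVERNMENT_SERIAL = "The Subject is a Government Entity"

# Assumption: which items are mandatory. The table marks Organization Unit as
# voluntary; this sketch also leaves the jurisdiction State or Province
# optional and requires the rest.
REQUIRED = (
    "Common Name", "Organization", "Locality", "State or Province", "Country",
    "Business Category", "Serial Number", "Jurisdiction of Incorporation Country",
)

# Constructed list: 1.4.1.1 (iv) names '.', '-' and ' ' and leaves "any other
# indication that the value is absent" open.
ABSENT_MARKERS = {"n/a", "na", "none", "null", "unknown", "not applicable", "tbd"}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_placeholder(value):
    """True when the value holds only metadata characters or an absence marker."""
    text = (value or "").strip()
    return not any(ch.isalnum() for ch in text) or text.lower() in ABSENT_MARKERS


def is_complete_hostname(name):
    """Syntactic FQDN check; a wildcard label is not a complete host name."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def lint_subject(dn):
    """Return (item, problem) findings for a subject DN given as a dict."""
    findings, present = [], {}
    for item in REQUIRED:
        if is_placeholder(dn.get(item)):
            findings.append((item, "missing or placeholder value"))
        else:
            present[item] = dn[item].strip()

    # OU is voluntary, but when present it must carry real content. Whether the
    # text names some other person or entity still needs human screening.
    if "Organization Unit" in dn and is_placeholder(dn["Organization Unit"]):
        findings.append(("Organization Unit", "placeholder value; omit the item"))

    cn = present.get("Common Name")
    if cn and not is_complete_hostname(cn):
        findings.append(("Common Name", "not a complete host name"))

    category = present.get("Business Category")
    if category and category not in BUSINESS_CATEGORIES:
        findings.append(("Business Category", "not one of the four listed forms"))

    serial = present.get("Serial Number")
    if category == "Government Entity" and serial and serial != GOVERNMENT_SERIAL:
        findings.append(("Serial Number", "government entities use the fixed text"))
    if category == "Private Organization" and serial == GOVERNMENT_SERIAL:
        findings.append(("Serial Number", "expected a corporate registration number"))

    jurisdiction = present.get("Jurisdiction of Incorporation Country")
    if jurisdiction and jurisdiction != "JP":
        findings.append(("Jurisdiction of Incorporation Country",
                         "subscribers are registered in Japan (1.3.4)"))
    return findings


# Constructed sample requests.
GOOD = {
    "Common Name": "www.example.co.jp", "Organization": "Example Trading Co., Ltd.",
    "Organization Unit": "Online Services", "Locality": "Kita-ku",
    "State or Province": "Hokkaido", "Country": "JP",
    "Business Category": "Private Organization", "Serial Number": "1234-56-789012",
    "Jurisdiction of Incorporation Country": "JP",
}
BAD = dict(GOOD, **{
    "Common Name": "*.example.co.jp", "Organization Unit": " - ",
    "Business Category": "Government", "Serial Number": "N/A",
    "Jurisdiction of Incorporation Country": "US",
})

if __name__ == "__main__":
    for name, dn in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_subject(dn))
```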
3.1.3 Requirements for Anonymity or Pseudonymity of Subscribers
This Certification Authority does not accept certificate requests made anonymously or under a
pseudonym.
3.1.4 Rules for Interpreting Various Name Forms
Rules for interpreting the DN form of certificates issued by the Certification Authority shall be pursuant
to X.500.
3.1.5 Uniqueness of Names
The certificates issued by the Certification Authority can uniquely identify a subscriber based on the
DN.
3.1.6 Recognition, Authentication, and Role of Trademarks
The Certification Authority does not authenticate the copyrights, trade secrets, trademark rights, utility
model rights, patent rights and other intellectual property rights (including, but not limited to, rights for
obtaining patents and other intellectual properties; simply "Intellectual Property Rights") upon issuing
a subscriber's certificate.
3.2 Initial Identity Validation
3.2.1 Method to Prove Possession of Private Key
A certificate issuance request ("CSR"), which constitutes a part of the application information from a
subscriber, includes a public key and a digital signature created with the private key corresponding to
that public key.
The Certification Authority verifies the digital signature by using the public key included in the CSR,
thereby validates that the digital signature was signed using the subscriber's private key, and
determines that the subscriber is in possession of the private key.
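The signature check described in 3.2.1 can be reproduced with the Python `cryptography` package. This is an added example, not code from this CPS or from Cybertrust; the RSA 2048 subscriber key and the host names are assumptions. It also shows the two cases the check is meant to reject: a request altered after signing, and a request carrying a public key whose private key the signer does not hold.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def new_key():
    """Subscriber key pair. RSA 2048 is an assumption made for this example."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def spki(key):
    """DER SubjectPublicKeyInfo of the public half, as embedded in a CSR."""
    return key.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def make_csr(key, hostname):
    """Subscriber side: build a CSR and sign it with the private key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.DER)


def proves_possession(csr_der):
    """CA side: verify the CSR signature with the public key inside the CSR.

    Returns False for an unparsable request as well as for a bad signature,
    so a caller never treats a malformed CSR as proof of possession.
    """
    try:
        csr = x509.load_der_x509_csr(csr_der)
    except ValueError:
        return False
    return csr.is_signature_valid


def swap_public_key(csr_der, signer_key, other_key):
    """Build a negative test case: same signature, someone else's public key."""
    old, new = spki(signer_key), spki(other_key)
    if len(old) != len(new) or old not in csr_der:
        raise ValueError("keys must be of the same type and size")
    return csr_der.replace(old, new, 1)


if __name__ == "__main__":
    subscriber = new_key()
    csr = make_csr(subscriber, "www.example.co.jp")  # constructed host name
    print("genuine request:     ", proves_possession(csr))

    # Subject changed after signing (same length keeps the DER well-formed).
    renamed = csr.replace(b"www.example.co.jp", b"www.example.ne.jp")
    print("altered subject:     ", proves_possession(renamed))

    # Public key replaced by one whose private key did not sign the request.
    swapped = swap_public_key(csr, subscriber, new_key())
    print("substituted key:     ", proves_possession(swapped))
```

The check proves only that the requester holds the private key for the submitted public key; identity and domain control are established separately under 3.2.2.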
3.2.2 Verification of Organization and Domain
3.2.2.1 Identity
The Certification Authority shall screen and verify the matters set forth in "1.4.1.1 SureServer EV
Certificate" of this CPS.
Upon verifying the subscriber, the Certification Authority shall use public documents and data,
documents and data provided by a third party that is deemed reliable by the Certification Authority,
and documents provided by the subscriber based on the EV Guidelines, as well as make inquiries to an
appropriate individual affiliated with the subscriber.
However, when there are documents or data that were received from the subscriber or documents or
data that were independently obtained by the Certification Authority during the period that was posted
on the website by Cybertrust or the period notified to the subscriber, and such documents or data have
been screened by the Certification Authority, the Certification Authority shall not request the
resubmission of such documents or data.
Moreover, when a subscriber is to apply for a certificate with a domain name owned by a third party,
the Certification Authority shall verify with the organization or individual that owns the domain name
regarding whether the FQDN has been exclusively licensed to the subscriber.
Details regarding the verification procedures to be requested to subscribers shall be posted on
Cybertrust's website or notified individually to the subscribers.
3.2.2.2 DBA/Tradename
This Certification Authority does not allow DBA / Tradename to be included in subscriber's
certificate.
3.2.2.3 Verification of Country
This Certification Authority confirms the Country included in the subscriber's certificate with this CPS
"3.2.2.1 Identity".
3.2.2.4 Validation of Domain Authorization or Control
This Certification Authority SHALL confirm, prior to issuance, the Applicant’s ownership or
control of the requested Authorization Domain Name(s) in accordance with Section 3.2.2.4 of the BR or
Section 11.7 of the EV Guidelines. The Certification Authority validates each Fully‐Qualified Domain
Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates
over time. In all cases, the validation must have been initiated within the time period specified in the
relevant requirement (such as Section 4.2.1 of BR) prior to Certificate issuance. For purposes of
domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary
Company.
This Certification Authority SHALL maintain a record of which domain validation method, including
relevant BR version number, they used to validate every domain.
Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName
extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name
Constraints extension.
3.2.2.4.1 Validating the Applicant as a Domain Contact
This Certification Authority does not use this method.
3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact
Confirming the Applicant's control over the FQDN by sending a Random Value via email, fax, SMS,
or postal mail and then receiving a confirming response utilizing the Random Value. The Random
Value MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact.
Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization Domain
Names.
This Certification Authority MAY send the email, fax, SMS, or postal mail identified under this
section to more than one recipient provided that every recipient is identified by the Domain Name
Registrar as representing the Domain Name Registrant for every FQDN being verified using the
email, fax, SMS, or postal mail.
The Random Value SHALL be unique in each email, fax, SMS, or postal mail.
This Certification Authority MAY resend the email, fax, SMS, or postal mail in its entirety, including
re‐use of the Random Value, provided that the communication's entire contents and recipient(s) remain unchanged.
The Random Value SHALL remain valid for use in a confirming response for no more than 30 days
from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case this Certification Authority MUST follow its CPS.
Note: Once the FQDN has been validated using this method, the Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.3 Phone Contact with Domain Contact
The Certification Authority SHALL NOT perform validations using this method after May 31, 2019.
Completed validations using this method SHALL continue to be valid for subsequent issuance per the
applicable certificate data reuse periods.
Confirming the Applicant's control over the FQDN by calling the Domain Name Registrant's phone
number and obtaining a response confirming the Applicant's request for validation of the FQDN. This
Certification Authority MUST place the call to a phone number identified by the Domain Name
Registrar as the Domain Contact.
Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs,
provided that the phone number is identified by the Domain Registrar as a valid contact method for
every Base Domain Name being verified using the phone call.
Note: Once the FQDN has been validated using this method, this Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.4 Constructed Email to Domain Contact
Confirm the Applicant's control over the FQDN by (i) sending an email to one or more addresses
created by using 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part,
followed by the at-sign ("@"), followed by an Authorization Domain Name, (ii) including a Random
Value in the email, and (iii) receiving a confirming response utilizing the Random Value.
Each email MAY confirm control of multiple FQDNs, provided the Authorization Domain Name
used in the email is an Authorization Domain Name for each FQDN being confirmed.
The Random Value SHALL be unique in each email.
The email MAY be re‐sent in its entirety, including the re‐use of the Random Value, provided that its entire contents and recipient SHALL remain unchanged.
The Random Value SHALL remain valid for use in a confirming response for no more than 30 days
from its creation. The CPS MAY specify a shorter validity period for Random Values.
Note: Once the FQDN has been validated using this method, this Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.5 Domain Authorization Document
This Certification Authority does not use this method.
3.2.2.4.6 Agreed‐Upon Change to Website
Confirming the Applicant's control over the FQDN by confirming one of the following under the
"/.well-known/pki‐validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by this Certification
Authority via HTTP/HTTPS over an Authorized Port:
(i). The presence of Required Website Content contained in the content of a file. The entire Required Website Content MUST NOT appear in the request used
to retrieve the file or web page, or
(ii). The presence of the Request Token or Request Value contained in the content of a file where the Request Token or Random Value MUST NOT appear in the
request.
If a Random Value is used, this Certification Authority SHALL provide a Random Value unique to
the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if
the Applicant submitted the Certificate request, the timeframe permitted for reuse of validated
information relevant to the Certificate (such as in Section 4.2.1 of BR or Section 11.14.3 of the EV
Guidelines).
This Certification Authority does not adopt the Request Token.
Note: Once the FQDN has been validated using this method, this Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.7 DNS Change
Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or
Request Token in a DNS CNAME, TXT or CAA record for either 1) an Authorization
Domain Name; or 2) an Authorization Domain Name that is prefixed with a label that begins with an
underscore character.
If a Random Value is used, this Certification Authority SHALL provide a Random Value unique to
the Certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant
submitted the Certificate request, the timeframe permitted for reuse of validated information relevant
to the Certificate (such as in Section 3.3.1 of BR or Section 11.14.3 of the EV Guidelines).
This Certification Authority does not adopt the Request Token.
Note: Once the FQDN has been validated using this method, this Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
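The following is an added illustration of the checks described in 3.2.2.4.7, not code from Cybertrust or from this CPS. It assumes the Random Value is published as an exact TXT string, applies only the 30-day limit (not the longer data-reuse timeframe), and uses a hypothetical underscore label and constructed sample data.

```python
import secrets
from datetime import datetime, timedelta, timezone

RANDOM_VALUE_LIFETIME = timedelta(days=30)  # limit stated in 3.2.2.4.7


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def new_random_value(now):
    """Create a Random Value for one certificate request (128 bits from the CSPRNG)."""
    return {"value": secrets.token_hex(16), "created": now}


def owner_name_allowed(owner, adn):
    """The record must sit on the ADN itself or on '_label.' + ADN."""
    owner, adn = normalize(owner), normalize(adn)
    if owner == adn:
        return True
    prefix, sep, rest = owner.partition(".")
    return sep == "." and rest == adn and len(prefix) > 1 and prefix.startswith("_")


def validate_dns_change(rv, adn, txt_answers, now):
    """txt_answers maps owner name -> TXT strings, as a resolver would return them."""
    if now - rv["created"] > RANDOM_VALUE_LIFETIME:
        return False  # expired values are never accepted
    return any(
        owner_name_allowed(owner, adn) and rv["value"] in strings
        for owner, strings in txt_answers.items()
    )


def covered_by_validation(requested_fqdn, validated_fqdn):
    """True if the requested FQDN ends with all the labels of the validated FQDN."""
    req = normalize(requested_fqdn).split(".")
    val = normalize(validated_fqdn).split(".")
    # Compare whole labels so that "notexample.com" does not match "example.com".
    return len(req) >= len(val) and req[-len(val):] == val


if __name__ == "__main__":
    issued = datetime(2019, 6, 24, tzinfo=timezone.utc)  # constructed date
    rv = new_random_value(issued)
    # Constructed resolver answer; "_validation-example" is a hypothetical label.
    answers = {"_validation-example.example.com.": [rv["value"]]}
    print(validate_dns_change(rv, "example.com", answers, issued + timedelta(days=1)))
    print(covered_by_validation("notexample.com", "example.com"))
```

Comparing label by label, rather than with a plain string suffix test, is what keeps the "ends with all the labels" rule from accepting an unrelated domain whose name merely ends in the same characters.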
3.2.2.4.8 IP Address
Confirming the Applicant's control over the FQDN by confirming that the Applicant controls an IP
address returned from a DNS lookup for A or AAAA records for the FQDN in accordance with
section 3.2.2.5.
Note: Once the FQDN has been validated using this method, this Certification Authority MAY NOT
also issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the
CA performs a separate validation for that FQDN using an authorized method.
3.2.2.4.9 Test Certificate
This Certification Authority does not use this method.
3.2.2.4.10 TLS Using a Random Number
This Certification Authority does not use this method.
3.2.2.4.11 Any Other Method
This Certification Authority does not use this method.
3.2.2.4.12 Validating Applicant as a Domain Contact
This Certification Authority does not use this method.
3.2.2.4.13 Email to DNS CAA Contact
Confirming the Applicant's control over the FQDN by sending a Random Value via email and then
receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to a
DNS CAA Email Contact. The relevant CAA Resource Record Set MUST be found using the search
algorithm defined in RFC 6844 Section 4, as amended by Errata 5065.
Each email MAY confirm control of multiple FQDNs, provided that each email address is a DNS
CAA Email Contact for each Authorization Domain Name being validated. The same email MAY be
sent to multiple recipients as long as all recipients are DNS CAA Email Contacts for each
Authorization Domain Name being validated.
The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety,
including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL
remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no
more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random
Values.
Note: Once the FQDN has been validated using this method, the Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.14 Email to DNS TXT Contact
Confirming the Applicant's control over the FQDN by sending a Random Value via email and then
receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to a
DNS TXT Record Email Contact for the Authorization Domain Name selected to validate the FQDN.
Each email MAY confirm control of multiple FQDNs, provided that each email address is DNS TXT
Record Email Contact for each Authorization Domain Name being validated. The same email MAY
be sent to multiple recipients as long as all recipients are DNS TXT Record Email Contacts for each
Authorization Domain Name being validated.
The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety,
including the re-use of the Random Value, provided that its entire contents and recipient(s) SHALL
remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no
more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random
Values.
Note: Once the FQDN has been validated using this method, the Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.15 Phone Contact with Domain Contact
Confirm the Applicant's control over the FQDN by calling the Domain Contact’s phone number and
obtain a confirming response to validate the Authorization Domain Name. Each phone call MAY
confirm control of multiple Authorization Domain Names provided that the same Domain Contact
phone number is listed for each ADN being verified and they provide a confirming response for each
Authorization Domain Name.
In the event that someone other than a Domain Contact is reached, the Certification Authority MAY
request to be transferred to the Domain Contact.
In the event of reaching voicemail, the Certification Authority may leave the Random Value and the
ADN(s) being validated. The Random Value MUST be returned to the CA to approve the request.
The Random Value SHALL remain valid for use in a confirming response for no more than 30 days
from its creation. The CPS MAY specify a shorter validity period for Random Values.
Note: Once the FQDN has been validated using this method, the Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.4.16 Phone Contact with DNS TXT Record Phone Contact
Confirm the Applicant's control over the FQDN by calling the DNS TXT Record Phone Contact’s
phone number and obtain a confirming response to validate the ADN. Each phone call MAY confirm
control of multiple ADNs provided that the same DNS TXT Record Phone Contact phone number is
listed for each ADN being verified and they provide a confirming response for each ADN.
The Certification Authority MAY NOT knowingly be transferred or request to be transferred as this
phone number has been specifically listed for the purposes of Domain Validation.
In the event of reaching voicemail, the Certification Authority may leave the Random Value and the
ADN(s) being validated. The Random Value MUST be returned to the Certification Authority to
approve the request.
The Random Value SHALL remain valid for use in a confirming response for no more than 30 days
from its creation. The CPS MAY specify a shorter validity period for Random Values.
Note: Once the FQDN has been validated using this method, the Certification Authority MAY also
issue Certificates for other FQDNs that end with all the labels of the validated FQDN.
3.2.2.5 Authentication for an IP Address
This Certification Authority does not issue the certificate when an IP address appears in the common
name field.
3.2.2.6 Wildcard Domain Validation
This Certification Authority does not issue wildcard certificates.
3.2.2.7 Data Source Accuracy
Prior to using any data source as a Reliable Data Source, the Certification Authority SHALL evaluate
the source for its reliability, accuracy, and resistance to alteration or falsification based on the EV
Guidelines. The CA considers the following during its evaluation:
▪ The age of the information provided,
▪ The frequency of updates to the information source,
▪ The data provider and purpose of the data collection,
▪ The public accessibility of the data availability, and
▪ The relative difficulty in falsifying or altering the data.
Databases maintained by the Certification Authority, its owner, or its affiliated companies do not
qualify as a Reliable Data Source if the primary purpose of the database is to collect information with
the intention of fulfilling the validation requirements under this Section 3.2.
3.2.2.8 CAA Record (Certification Authority Authorization Record) Procedures
The Certification Authority verifies the CAA Record defined in RFC 6844 (DNS Certification Authority
Authorization (CAA) Resource Record) and section 3.2.2.8 of the BR.
If the CAA record (issue) contains any of the values listed in section 4.2.1 of this CPS, the Certification
Authority recognizes that it is designated as a certification authority permitted to issue the certificates.
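The following added example, not code from Cybertrust or from this CPS, sketches the CAA check of 3.2.2.8 using the RFC 6844 Section 4 search as amended by Errata 5065 (the same search that 3.2.2.4.13 refers to). The zone data is constructed, and `ca.example` is a placeholder for the issuer values listed in section 4.2.1, which are not reproduced in this section.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit of a CAA record

# Placeholder issuer domain; the real values are in section 4.2.1 of the CPS.
CA_ISSUER_DOMAINS = {"ca.example"}

# Constructed zone data: name -> optional CNAME target and CAA (flags, tag, value).
ZONE = {
    "example.com": {"CAA": [(0, "issue", "ca.example")]},
    "shop.example.com": {"CNAME": "shop.cdn.example.net"},
    "cdn.example.net": {"CAA": [(0, "issue", "other-ca.example")]},
    "locked.example.org": {"CAA": [(0, "issue", ";")]},
    "future.example.org": {"CAA": [(128, "newtag", "x"), (0, "issue", "ca.example")]},
}


def relevant_caa(fqdn, zone):
    """Return the relevant CAA RRset for fqdn, climbing towards the root."""
    name = fqdn.lower().rstrip(".")
    while name:
        node = zone.get(name, {})
        if node.get("CAA"):                      # CAA(X) is not empty
            return node["CAA"]
        alias = node.get("CNAME")                # A(X)
        if alias and zone.get(alias, {}).get("CAA"):
            return zone[alias]["CAA"]            # CAA(A(X)); no climb from the alias
        name = name.partition(".")[2]            # P(X); empty once past the TLD
    return []


def issuance_permitted(fqdn, zone, ca_issuer_domains):
    """Decide whether CAA allows this CA to issue a non-wildcard certificate."""
    rrset = relevant_caa(fqdn, zone)
    # An unrecognized property with the critical bit set forbids issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False
    issue_values = [value for _, tag, value in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True  # no issue property: CAA does not restrict issuance
    # The issuer domain precedes any ";parameters"; a bare ";" names no issuer.
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue_values}
    return bool(allowed & {d.lower() for d in ca_issuer_domains})


if __name__ == "__main__":
    for host in ("shop.example.com", "www.locked.example.org", "future.example.org"):
        print(host, issuance_permitted(host, ZONE, CA_ISSUER_DOMAINS))
```

For `shop.example.com` the alias target itself has no CAA record, so the amended search continues with the parent `example.com` instead of climbing the alias target's tree, and the `other-ca.example` record on `cdn.example.net` is never consulted.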
3.2.3 Authentication of Individual Identity
This Certification Authority does not issue certificates to individuals.
3.2.4 Non-verified Subscriber Information
The Certification Authority does not verify the truthfulness and accuracy of the information described
in the subscriber's organization unit (OU).
3.2.5 Verification of Application Supervisor
The Certification Authority shall verify the name and title of the application supervisor and the authority
to submit a certificate request on behalf of the subscriber based on the EV Guidelines. The Certification
Authority shall additionally verify that the application supervisor has accepted the subscriber agreement
and approved the filing of an application by the procedural manager by way of callback. The phone
number to be used for the callback shall be a number provided by a third party.
3.2.6 Interoperability Standards
Not applicable.
3.3 Identification and Authentication for Key (Certificate) Renewal Request
3.3.1 Identification and Authentication upon Renewal for Routine Key (Certificate) Renewal
The provisions of "3.2 Initial Identity Validation" of this CPS shall apply correspondingly.
3.3.2 Identification and Authentication for Renewal of Key (Certificate) after Revocation
To be performed based on the same procedures as "3.2 Initial Identity Validation" of this CPS.
However, when it is verified that the public key, certification information and expiration date included
in the CSR of the re-issuance application coincide with the certificate of the re-issuer, verification based
on "3.2 Initial Identity Validation" of this CPS is not performed, and a certificate shall be issued based
on the verification of the foregoing coincidence.
3.4 Identity Validation and Authentication upon Revocation Request
When the Certification Authority receives a revocation request from a subscriber via email, the
Certification Authority shall verify the identity of the person who submitted the revocation, that such
person is authorized to submit a revocation request, and the reason of revocation. As the verification
method, the Certification Authority shall compare the information notified to the Certification
Authority upon application for issuance of a certificate and the information only known to the
Certification Authority and the subscriber.
Upon receiving a revocation request for a certificate of a specific subscriber other than the subscriber
of that certificate, the Certification Authority shall survey the reason of revocation and verify with the
subscriber.
When the reason for revocation in the revocation request from a subscriber or a party other than that
subscriber corresponds to a revocation event set forth in t