This chapter describes obligations for relevant parties and makes statements on liability and financial/economical issues. Moreover there is a section about confidentiality that classifies information into confidential information and publicly available and distributable information. Auditing statements are also located here.
A conforming CA SHALL operate a certificate authority service. The conforming CA is responsible for all aspects of the issuance and management of a certificate referencing this policy, including:
Development of a detailed statement of practices and procedures (the CPS) by which the CA implements the requirements of this policy.
Publication of CA contact information.
Certificate application/enrollment process.
Verification of the identity of the applicant.
Certificate creation process.
Posting of the certificate in a public repository.
Suspension and revocation of the certificate.
Ensuring that all aspects of the CA services and CA operations and CA infrastructure related to certificates issued under this policy are performed in accordance with the requirements, representations, and warranties of this policy.
Define and publish a dispute resolution procedure.
By issuing a certificate that references this policy, the CA certifies to the subscriber, and to all relying parties who reasonably and in good faith rely on the information contained in the certificate during its operational period, that:
The CA has issued, and will manage, the certificate in accordance with this policy.
There are no misrepresentations of fact in the certificate known to the CA, and the CA has taken reasonable steps to verify additional information in the certificate unless otherwise noted in its CPS.
The certificate meets all material requirements of this policy and the CA's CPS.
An RA is obliged to operate RA service. This includes:
Authenticating the identity of the subject
Validating the connection between a public key and the requester identity including a suitable proof of possession method of the corresponding private key
Confirming such validation versus the CA
Adhere to the agreement made with the CA
Subscribers MUST accurately represent the information required of them in a certificate request.
Subscribers MUST properly protect their private key at all times, against loss, disclosure to any other party, modification and unauthorized use, in accordance with this CP and the CPS. From the creation of their private and public key pair, subscribers are personally and solely responsible of the confidentiality and integrity of their private keys. Every usage of their private key is assumed to be the act of its owner.
Upon suspicion that their private keys are compromised subscribers MUST notify the CA that issued their certificates by sending a certificate revocation request.
Upon any change of information in their certificates subscribers MUST notify the CA that issued their certificates by sending a certificate revocation request.
Subscribers MUST use the keys and certificates only for the purposes authorized by the CA.
Subscribers MUST authorize the treatment and conservation of their personal data.
A relying party MUST be familiar with the CPS and this CP before drawing any conclusion on how much trust he can put in the use of a certificate issued from the CA.
The relying party MUST only use the certificate for the proscribed applications and MUST NOT use the certificates for forbidden applications.
Relying parties MUST verify the digital signature of a received digitally signed message and to verify the digital signature of the CA who issued the certificate used for the verification purpose.
When validating a certificate a relying party MUST check it for its validity, revocation, or suspension.
A conforming CA SHALL use a publicly accessible repository to store certificates and Certificate Revocation Lists (CRLs). The repository SHALL be available as much as practically possible.
A conforming CA MAY accept liability. The complete list of accepted liabilities MUST be specified in the CPS.
No financial responsibility is accepted for certificates issued under this CP.
This CP is governed by the law of the Czech Republic.
No fees SHOULD be charged for issuing certificates.
Access to certificates SHOULD be free of charge.
Access to Certificate Revocation Lists SHOULD be free of charge.
No fees SHOULD be charged for allowing policy and CPS information access.
A conforming CA MUST make publicly available, in its repositories:
The Certificate Practice Statement it operates according to.
This Certificate Policy.
All issued certificates including CA-certificates.
Signed Certificate Revocation Lists.
The certificates issued SHALL be published as soon as they are issued.
The CRLs SHALL be published in accordance with Section 4.4.9.
CP and CPS SHALL be published as soon as they are updated.
The CP, CPS, CRLs, and the certificates issued SHOULD be publicly available with no access control.
All subscribers' information that is not present in the certificate and CRLs issued by a conforming CA is considered confidential and SHALL not be released outside without explicit subscriber's authorization.
Information included in public certificates and CRLs issued by a conforming CA are not considered confidential.
When a certificate is revoked/suspended, a reason code is not considered confidential and MAY be shared with all other users and relying parties. However, no other details concerning the revocation are normally disclosed.
A conforming CA MUST NOT disclose confidential information to any third party, except when required by law enforcement officials that exhibit regular warrant.
The CA SHALL release information if authorized by the subscriber.
A conforming CA MUST NOT claim any intellectual property rights on issued certificates.