The CESNET CA MUST publish a CPS describing the practices employed in issuing the digital certificates. The CA MUST operate in accordance with its CPS, and the law of the Czech Republic.
The CESNET CA MUST verify that any CA with which it cross-certifies complies with the mutually recognized CPs.
The CA is obliged to handle certificate requests and issue new certificates:
accept certification requests from entities requesting a certificate according to the agreed procedures contained in this CPS and in the relevant CP
authenticate entities requesting a certificate, possibly by the help of separately designated RAs
issue certificates based on requests from authenticated entities
send notification of issued certificate to requesters
make issued certificates publicly available
The CA is obliged to handle certificate revocation requests and certificate revocation:
accept revocation requests from entities requesting a certificate to be revoked according to the agreed procedures contained in this CPS and the relevant CP
authenticate entities requesting a certificate to be revoked
issue a CRL
make CRLs publicly available
The CA is authorized to collect the information related to personal data that is necessary to perform its services. These personal data can only be used in the context of the certification services provision. The subscriber has the right to access and request correction of these data.
The CA is obliged to protect its private key in accordance with this CPS.
The CA's private key used for issuing certificates in accordance with this CPS and the applicable CP may be used only for signing certificates and CRLs, and other adequate information consistent with the certificate issuance.
An RA is obliged to operate RA service. This includes:
The RA MUST operate in accordance with its CPS and the law of the Czech Republic.
The RA is obliged to authenticate the identity of the subject to be certified using procedures specified in Section 3.1.
The RA is obliged to verify that the requester is in possession of the private key corresponding to the public key contained in the certificate request using procedures specified in Section 3.1.7.
The RA is obliged to keep supporting evidence for any certificate request made to a CA (e.g., certificate request forms) in accordance with this CPS.
The RA is obliged to protect its private key in accordance with this CPS.
The private key used by a RA for signing certificate signing requests (CSRs), certificate suspensions, and certificate revocations as part of its RA function must not be used for any other purpose. Separate certificates will be issued to facilitate routine secure communication by the RA.
Subscribers must accurately represent the information required of them in a certificate request.
Subscribers MUST generate their public key pair using a trustworthy method.
Subscribers MUST properly protect their private key at all times, against loss, disclosure to any other party, modification and unauthorized use, in accordance with this CPS and the relevant CP. From the creation of their private and public key pair, subscribers are personally and solely responsible of the confidentiality and integrity of their private keys. Every usage of their private key is assumed to be the act of its owner.
Upon suspicion that their private keys are compromised subscribers MUST notify the CA that issued their certificates by sending a certificate revocation request.
Upon any change in the content of their certificates subscribers MUST notify the CA that issued their certificates by sending a certificate revocation request.
Subscribers MUST use the keys and certificates only for the purposes authorized by the CA.
Subscribers MUST authorize the treatment and conservation of their personal data.
A relying party MUST be familiar with the CPS and the relevant CP before drawing any conclusion on how much trust he can put in the use of a certificate issued from the CA.
The relying party MUST only use the certificate for the proscribed applications and MUST NOT use the certificates for forbidden applications
Relying parties MUST verify the digital signature of a received digitally signed message and to verify the digital signature of the CA who issued the certificate used for the verification purpose.
When validating a certificate a relying party MUST check it for its validity, revocation, or suspension.
The CESNET CA SHALL use a publicly accessible repository to store certificates and Certificate Revocation Lists (CRLs). The repository SHALL be available as much as practically possible.
The CESNET CA warrants that all certificates issued were issued in accordance with this CPS and the relevant CP.
RA warrants that subscriber's identity has been verified and that the identities in the certificate were valid at the time of issuance.
No financial responsibility is accepted for certificates issued under this CPS.
The CESNET CA assumes no financial responsibility for improperly used certificates..
Issuance of certificates in accordance with this CPS and the corresponding CP does not make the CESNET CA, or any RA within the CESNET CA infrastructure an agent, fiduciary, trustee, or other representative of subscribers or relying parties.
Not applicable
This CPS is governed by the law of the Czech Republic.
Should it be determined that one section of this CPS is incorrect or invalid, the other sections shall remain in effect until the CPS is updated as indicated in Section 8
In case a dispute is not successfully resolved by negotiations, the parties involved MAY appoint an independent third party arbitrator.
If arbitration proves impossible, the parties can take legal actions.
No fees are charged for issuing certificates.
Access to certificates on the CESNET CA Certificate Registry is free of charge.
Access to Certificate Revocation Lists on the CESNET CA Certificate Registry is free of charge.
No fees are charged for allowing policy and CPS information access.
Not applicable.
The CESNET CA MUST make publicly available, in its repositories:
The CESNET CA Certificate Practice Statement in http://www.cesnet.cz/pki/CPS.html
The applicable Certificate Policies in http://www.cesnet.cz/pki/CP/.
All issued certificates including CA-certificates in ldap://pki.cesnet.cz/
Signed Certificate Revocation Lists in http://www.cesnet.cz/pki/crl/
CRL publication must be in accordance with Section 4.4.9 of this CPS.
CPS publication must be in accordance with Section 8 of this CPS.
There is no access control on reading the CP or the CPS.
There is no access control on reading the certificates.
The certificates, CPs and CPS in the electronic repository are protected against any unauthorized modification.
Chosen electronic repository must comply to this CPS. See Section 2.1.5.
The CESNET CA declares that their practices fully comply with this CPS.
No stipulation
No stipulation
No stipulation
No stipulation
No stipulation
No stipulation
The CA collects personal information about the subscribers (e.g. full name, organization, and e-mail address). These data MUST be processed in a way that ensures privacy protection according to the law of the Czech Republic.
All subscribers' information that is not present in the certificate and CRL issued by the CESNET CA is considered confidential and SHALL not be released outside without explicit subscriber's authorization.
Information included in public certificates and CRLs issued by the CESNET CA are not considered confidential.
When a certificate is revoked, a reason code MAY be included in the CRL entry for the action. This reason code is not considered confidential and may be shared with all other users and relying parties. However, no other details concerning the revocation are normally disclosed.
The CESNET CA does not suspend certificates.
The CESNET CA MUST NOT disclose confidential information to any third party, except when required by law enforcement officials that exhibit regular warrant.
The CESNET CA MUST NOT disclose confidential information to any third party, except when required by law enforcement officials that exhibit regular warrant.
The CA will release information if authorized by the subscriber.
Not applicable
The CESNET CA claims no intellectual property rights on issued certificates.