The CESNET CA MUST publish a CPS describing the practices employed in issuing the digital certificates. The CA MUST operate in accordance with its CPS, and the law of the Czech Republic.
The CESNET CA MUST verify that any CA with which it cross-certifies complies with the mutually recognized CPs.
The CA is obliged to handle certificate requests and issue new certificates:
accept certification requests from entities requesting a certificate according to the agreed procedures contained in this CPS and in the relevant CP
authenticate entities requesting a certificate, possibly with the help of separately designated RAs
issue certificates based on requests from authenticated entities
send notification of the issued certificate to requesters
make issued certificates publicly available
The CA is obliged to handle certificate revocation requests and certificate revocation:
accept revocation requests from entities requesting a certificate to be revoked according to the agreed procedures contained in this CPS and the relevant CP
authenticate entities requesting a certificate to be revoked
issue a CRL
make CRLs publicly available
The CA is authorized to collect the information related to personal data that is necessary to perform its services. These personal data can only be used in the context of the certification services provision. The subscriber has the right to access and request correction of these data.
The CA is obliged to protect its private key in accordance with this CPS.
An RA is obliged to operate the RA service. This includes:
The RA MUST operate in accordance with its CPS and the law of the Czech Republic.
The RA is obliged to authenticate the identity of the subject to be certified using procedures specified in Section 3.1.
The RA is obliged to verify that the requester is in possession of the private key corresponding to the public key contained in the certificate request using procedures specified in Section 3.1.7.
The RA is obliged to keep supporting evidence for any certificate request made to a CA (e.g., certificate request forms) in accordance with this CPS.
The RA is obliged to protect its private key in accordance with this CPS.
The private key used by an RA for signing certificate signing requests (CSRs), certificate suspensions, and certificate revocations as part of its RA function must not be used for any other purpose. Separate certificates will be issued to facilitate routine secure communication by the RA.
Subscribers MUST accurately represent the information required of them in a certificate request process.
Subscribers MUST generate their public key pair using a trustworthy method.
Subscribers MUST properly protect their private key at all times against loss, disclosure to any other party, modification and unauthorized use, in accordance with this CPS and the relevant CP. From the creation of their private and public key pair, subscribers are personally and solely responsible for the confidentiality and integrity of their private keys. Every usage of their private key is assumed to be the act of its owner.
Upon suspicion that their private keys are compromised, subscribers MUST notify the CA that issued their certificates by sending a certificate revocation request.
Upon any change in the content of their certificates, subscribers MUST notify the CA that issued their certificates by sending a certificate revocation request.
Subscribers MUST use the keys and certificates only for the purposes authorized by the CA.
A relying party MUST be familiar with the CPS and the relevant CP before drawing any conclusion on how much trust he can put in the use of a certificate issued from the CA.
The relying party MUST only use the certificate for the prescribed applications and MUST NOT use the certificates for forbidden applications.
Relying parties MUST verify the digital signature of a received digitally signed message and verify the digital signature of the CA who issued the certificate used for the verification purpose.
The CESNET CA warrants that all certificates issued were issued in accordance with this CPS and the relevant CP.
No financial responsibility is accepted for certificates issued under this CPS.
The CESNET CA assumes no financial responsibility for improperly used certificates.
Issuance of certificates in accordance with this CPS and the corresponding CP does not make the CESNET CA, or any RA within the CESNET CA infrastructure an agent, fiduciary, trustee, or other representative of subscribers or relying parties.
Should it be determined that one section of this CPS is incorrect or invalid, the other sections shall remain in effect until the CPS is updated as indicated in Chapter 8.
In case of a dispute based on the contents of this CPS, the Director of CESNET a. l. e. will be the sole person responsible for resolution of the problem. The complainant cannot take legal action against CESNET a. l. e. or any of the CESNET a. l. e. partners.
If arbitration proves impossible, the parties can take legal action.
Access to certificates on the CESNET CA Certificate Registry is free of charge.
Access to Certificate Revocation Lists on the CESNET CA Certificate Registry is free of charge.
No fees are charged for allowing policy and CPS information access.
The CESNET CA MUST make publicly available, in its repositories:
CRL publication must be in accordance with Section 4.4.9 of this CPS.
CPS publication must be in accordance with Chapter 8 of this CPS.
There is no access control on reading the CP or the CPS.
There is no access control on reading the certificates.
The certificates, CRLs, CPs and CPS in the electronic repository are protected against any unauthorized modification.
The chosen electronic repository must comply with this CPS. See Section 2.1.5.
The CESNET CA declares that its practices fully comply with this CPS.
The CA collects personal information about the subscribers (e.g., full name, organization, and e-mail address). These data MUST be processed in a way that ensures privacy protection according to the law of the Czech Republic.
All subscribers' information that is not present in the certificate and CRL issued by the CESNET CA is considered confidential and SHALL NOT be released outside without the subscriber's explicit authorization.
Information included in public certificates and CRLs issued by the CESNET CA is not considered confidential.
When a certificate is revoked, a reason code MAY be included in the CRL entry for the action. This reason code is not considered confidential and may be shared with all other users and relying parties. However, no other details concerning the revocation are normally disclosed.
The CESNET CA MUST NOT disclose confidential information to any third party, except when required by law enforcement officials who present a regular warrant.
The CA will release information if authorized by the subscriber.