Transcription
Symantec Trust Network (STN)Certificate PolicyVersion 2.8.23December 19, 2016Symantec Corporation350 Ellis StreetMountain View, CA 94043 USA 1 650.527.8000www.symantec.com- i -
- ii -
Symantec Trust Network (STN) Certificate Policy 2016 Symantec, Corporation. All rights reserved.Printed in the United States of America.Published date: December 19, 2016Important – Acquisition NoticeOn August 9, 2010, Symantec Corporation completed the acquisition of VeriSign Inc’sAuthentication division. As a result Symantec is now the registered owner of this Certificate Policydocument and the PKI Services described within this document.However a hybrid of references to both “VeriSign” and “Symantec” shall be evident within thisdocument for a period of time until it is operationally practical to complete the re-branding of theCertification Authorities and services. Any references to VeriSign as a corporate entity should bestrictly considered to be legacy language that solely reflects the history of ownership.Trademark NoticesSymantec, the Symantec Logo, and the Checkmark Logo are the registered trademarks ofSymantec Corporation or its affiliates in the U.S. and other countries. The VeriSign logo, VeriSignTrust and other related marks are the trademarks or registered marks of VeriSign, Inc. or itsaffiliates or subsidiaries in the U.S. and other countries and licensed by Symantec Corporation.Other names may be trademarks of their respective owners.Without limiting the rights reserved above, and except as licensed below, no part of thispublication may be reproduced, stored in or introduced into a retrieval system, or transmitted, inany form or by any means (electronic, mechanical, photocopying, recording, or otherwise),without prior written permission of Symantec Corporation.Notwithstanding the above, permission is granted to reproduce and distribute this Symantec STNCertificate Policy on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyrightnotice and the beginning paragraphs are prominently displayed at the beginning of each copy,and (ii) this document is accurately reproduced in full, complete with attribution of the documentto Symantec Corporation.Requests for any other permission to reproduce this Symantec STN Certificate Policy (as well asrequests for copies from Symantec) must be addressed to Symantec Corporation., 350 EllisStreet, Mountain View, CA 94043 USA Attn: Practices Development. Tel: 1 650.527.8000 Fax: 1 650.527.8050 Email: practices@symantec.com.- iii -
Table of Contents1.INTRODUCTION. 11.1OVERVIEW. 21.2DOCUMENT NAME AND IDENTIFICATION . 31.2.1 CABF Policy Identifiers . 41.2.2 Microsoft Policy Identifiers . 41.3PKI PARTICIPANTS . 51.3.1 Certification Authorities . 51.3.2 Registration Authorities . 61.3.3 Subscribers . 61.3.4 Relying Parties . 61.3.5 Other Participants . 61.4CERTIFICATE USAGE . 71.4.1 Appropriate Certificate Usages . 71.4.2 Prohibited Certificate Uses . 81.5POLICY ADMINISTRATION . 91.5.1 Organization Administering the Document . 91.5.2 Contact Person . 91.5.3 Person Determining CP Suitability for the Policy91.5.4 CP Approval Procedure . 91.6DEFINITIONS AND ACRONYMS . 102.PUBLICATION AND REPOSITORYRESPONSIBILITIES . 102.12.22.32.43.REPOSITORIES . 10PUBLICATION OF CERTIFICATE INFORMATION . 10TIME OR FREQUENCY OF PUBLICATION . 10ACCESS CONTROLS ON REPOSITORIES. 10IDENTIFICATION AND AUTHENTICATION . 113.1NAMING. 113.1.1 Type of Names . 113.1.2 Need for Names to be Meaningful . 123.1.3 Anonymity or Pseudonymity of Subscribers . 123.1.4 Rules for Interpreting Various Name Forms . 123.1.5 Uniqueness of Names . 123.1.6 Recognition, Authentication, and Role ofTrademarks . 123.2INITIAL IDENTITY VALIDATION . 123.2.1 Method to Prove Possession of Private Key . 123.2.2 Authentication of Organization Identity . 123.2.3 Authentication of Individual Identity . 133.2.4 Non-Verified Subscriber information . 153.2.5 Validation of Authority . 153.2.6 Criteria for Interoperation . 153.3IDENTIFICATION AND AUTHENTICATION FOR RE-KEYREQUESTS . 163.3.1 Identification and Authentication for Routine Rekey163.3.2 Identification and Authentication for Re-keyAfter Revocation . 163.4IDENTIFICATION AND AUTHENTICATION FORREVOCATION REQUEST . 174.CERTIFICATE LIFE-CYCLE OPERATIONALREQUIREMENTS . 17- i -4.1CERTIFICATE APPLICATION .174.1.1 Who Can Submit a Certificate Application? .174.1.2 Enrollment Process and Responsibilities .184.2CERTIFICATE APPLICATION PROCESSING .184.2.1 Performing Identification and AuthenticationFunctions .184.2.2 Approval or Rejection of Certificate Applications184.2.3 Time to Process Certificate Applications .194.2.4 Certificate Authority Authorization (CAA) .194.3CERTIFICATE ISSUANCE.194.3.1 CA Actions during Certificate Issuance .194.3.2 Notifications to Subscriber by the CA ofIssuance of Certificate .194.3.3 CABF Requirement for Certificate Issuance by aRoot CA .194.4CERTIFICATE ACCEPTANCE .194.4.1 Conduct Constituting Certificate Acceptance .194.4.2 Publication of the Certificate by the CA .204.4.3 Notification of Certificate Issuance by the CA toOther Entities .204.5KEY PAIR AND CERTIFICATE USAGE .204.5.1 Subscriber Private Key and Certificate Usage 204.5.2 Relying Party Public Key and Certificate Usage204.6CERTIFICATE RENEWAL .214.6.1 Circumstances for Certificate Renewal .214.6.2 Who May Request Renewal .214.6.3 Processing Certificate Renewal Requests .214.6.4 Notification of New Certificate Issuance toSubscriber .214.6.5 Conduct Constituting Acceptance of a RenewalCertificate .214.6.6 Publication of the Renewal Certificate by the CA224.6.7 Notification of Certificate Issuance by the CA toOther Entities .224.7CERTIFICATE RE-KEY.224.7.1 Circumstances for Certificate Re-Key .224.7.2 Who May Request Certification of a New PublicKey224.7.3 Processing Certificate Re-Keying Requests .224.7.4 Notification of New Certificate Issuance toSubscriber .224.7.5 Conduct Constituting Acceptance of a ReKeyed Certificate .234.7.6 Publication of the Re-Keyed Certificate by theCA234.7.7 Notification of Certificate Issuance by the CA toOther Entities .234.8CERTIFICATE MODIFICATION .234.8.1 Circumstances for Certificate Modification .234.8.2 Who May Request Certificate Modification .234.8.3 Processing Certificate Modification Requests .234.8.4 Notification of New Certificate Issuance toSubscriber .23
4.8.5 Conduct Constituting Acceptance of ModifiedCertificate . 234.8.6 Publication of the Modified Certificate by the CA234.8.7 Notification of Certificate Issuance by the CA toOther Entities . 234.9CERTIFICATE REVOCATION AND SUSPENSION . 234.9.1 Circumstances for Revocation . 244.9.2 Who Can Request Revocation . 254.9.3 Procedure for Revocation Request . 264.9.4 Revocation Request Grace Period . 264.9.5 Time within Which CA Must Process theRevocation Request . 264.9.6 Revocation Checking Requirements for RelyingParties 264.9.7 CRL Issuance Frequency . 274.9.8 Maximum Latency for CRLs . 274.9.9 On-Line Revocation/Status CheckingAvailability . 274.9.10On-Line Revocation Checking Requirements284.9.11Other Forms of Revocation AdvertisementsAvailable 284.9.12Special Requirements Regarding KeyCompromise . 284.9.13Circumstances for Suspension . 284.9.14Who Can Request Suspension . 284.9.15Procedure for Suspension Request. 284.9.16Limits on Suspension Period . 284.10CERTIFICATE STATUS SERVICES . 284.10.1Operational Characteristics . 284.10.2Service Availability . 294.10.3Optional Features . 294.11END OF SUBSCRIPTION . 294.12KEY ESCROW AND RECOVERY. 294.12.1Key Escrow and Recovery Policy andPractices 294.12.2Session Key Encapsulation and RecoveryPolicy and Practices . 305.FACILITY, MANAGEMENT, AND OPERATIONALCONTROLS . 30 6.5.1PHYSICAL CONTROLS . 305.1.1 Site Location and Construction . 305.1.2 Physical Access . 315.1.3 Power and Air Conditioning . 315.1.4 Water Exposures. 315.1.5 Fire Prevention and Protection . 315.1.6 Media Storage . 315.1.7 Waste Disposal . 325.1.8 Off-Site Backup . 325.2PROCEDURAL CONTROLS. 325.2.1 Trusted Roles . 325.2.2 Number of Persons Required per Task . 325.2.3 Identification and Authentication for Each Role335.2.4 Roles Requiring Separation of Duties . 335.3PERSONNEL CONTROLS . 33- ii -5.3.1 Qualifications, Experience, and ClearanceRequirements .335.3.2 Background Check Procedures .345.3.3 Training Requirements .345.3.4 Retraining Frequency and Requirements .355.3.5 Job Rotation Frequency and Sequence .355.3.6 Sanctions for Unauthorized Actions .355.3.7 Independent Contractor Requirements .355.3.8 Documentation Supplied to Personnel .355.4AUDIT LOGGING PROCEDURES .355.4.1 Types of Events Recorded .355.4.2 Frequency of Processing Log .365.4.3 Retention Period for Audit Log .365.4.4 Protection of Audit Log .365.4.5 Audit Log Backup Procedures .365.4.6 Audit Collection System (Internal vs. External)365.4.7 Notification to Event-Causing Subject .365.4.8 Vulnerability Assessments .365.5RECORDS ARCHIVAL .375.5.1 Types of Records Archived .375.5.2 Retention Period for Archive .375.5.3 Protection of Archive .375.5.4 Archive Backup Procedures .375.5.5 Requirements for Time-Stamping of Records .375.5.6 Archive Collection System (Internal or External)375.5.7 Procedures to Obtain and Verify ArchiveInformation.375.6KEY CHANGEOVER .385.7COMPROMISE AND DISASTER RECOVERY .385.7.1 Incident and Compromise Handling Procedures385.7.2 Computing Resources, Software, and/or DataAre Corrupted .385.7.3 Entity Private Key Compromise Procedures .385.7.4 Business Continuity Capabilities after a Disaster385.8CA OR RA TERMINATION .395.9DATA SECURITY .40TECHNICAL SECURITY CONTROLS .406.1KEY PAIR GENERATION AND INSTALLATION.406.1.1 Key Pair Generation .406.1.2 Private Key Delivery to Subscriber .406.1.3 Public Key Delivery to Certificate Issuer .406.1.4 CA Public Key Delivery to Relying Parties .416.1.5 Key Sizes .416.1.6 Public Key Parameters Generation and QualityChecking.416.1.7 Key Usage Purposes (as per X.509 v3 KeyUsage Field) .426.2PRIVATE KEY PROTECTION AND CRYPTOGRAPHICMODULE ENGINEERING CONTROLS .426.2.1 Cryptographic Module Standards and Controls426.2.2 Private Key (m out of n) Multi-Person Control.426.2.3 Private Key Escrow .42
6.2.4 Private Key Backup . 426.2.5 Private Key Archival . 436.2.6 Private Key Transfer Into or From aCryptographic Module . 436.2.7 Private Key Storage on Cryptographic Module436.2.8 Method of Activating Private Key . 436.2.9 Method of Deactivating Private Key . 456.2.10Method of Destroying Private Key . 456.2.11Cryptographic Module Rating . 456.3OTHER ASPECTS OF KEY PAIR MANAGEMENT . 456.3.1 Public Key Archival . 456.3.2 Certificate Operational Periods and Key PairUsage Periods . 466.4ACTIVATION DATA . 476.4.1 Activation Data Generation and Installation . 476.4.2 Activation Data Protection . 476.4.3 Other Aspects of Activation Data . 486.5COMPUTER SECURITY CONTROLS . 486.5.1 Specific Computer Security TechnicalRequirements . 486.5.2 Computer Security Rating . 496.6LIFE CYCLE TECHNICAL CONTROLS . 496.6.1 System Development Controls . 496.6.2 Security Management Controls . 496.6.3 Life Cycle Security Controls . 506.7NETWORK SECURITY CONTROLS . 506.8TIME-STAMPING . 507.CERTIFICATE, CRL, AND OCSP PROFILES . 507.1CERTIFICATE PROFILE . 507.1.1 Version Number(s) . 507.1.2 Certificate Extensions . 517.1.3 Algorithm Object Identifiers . 527.1.4 Name Forms . 537.1.5 Name Constraints . 537.1.6 Certificate Policy Object Identifier . 537.1.7 Usage of Policy Constraints Extension . 537.1.8 Policy Qualifiers Syntax and Semantics . 537.1.9 Processing Semantics for the Critical CertificatePolicies Extension . 537.2CRL PROFILE . 537.2.1 Version Number(s) . 547.2.2 CRL and CRL Entry Extensions . 547.3OCSP PROFILE . 547.3.1 Version Number(s) . 547.3.2 OCSP Extensions . 548.COMPLIANCE AUDIT AND OTHER ASSESSMENTS558.18.28.38.48.58.69.FREQUENCY AND CIRCUMSTANCES OF ASSESSMENT55IDENTITY/QUALIFICATIONS OF ASSESSOR. 55ASSESSOR'S RELATIONSHIP TO ASSESSED ENTITY . 56TOPICS COVERED BY ASSESSMENT . 56ACTIONS TAKEN AS A RESULT OF DEFICIENCY. 56COMMUNICATIONS OF RESULTS. 57OTHER BUSINESS AND LEGAL MATTERS. 57- iii -9.1FEES .579.1.1 Certificate Issuance or Renewal Fees .579.1.2 Certificate Access Fees.579.1.3 Revocation or Status Information Access Fees579.1.4 Fees for Other Services .579.1.5 Refund Policy .589.2FINANCIAL RESPONSIBILITY .589.2.1 Insurance Coverage .589.2.2 Other Assets .589.2.3 Extended Warranty Coverage .589.3CONFIDENTIALITY OF BUSINESS INFORMATION.589.3.1 Scope of Confidential Information .589.3.2 Information Not Within the Scope of ConfidentialInformation.589.3.3 Responsibility to Protect ConfidentialInformation.599.4PRIVACY OF PERSONAL INFORMATION.599.4.1 Privacy Plan .599.4.2 Information Treated as Private .599.4.3 Information Not Deemed Private .599.4.4 Responsibility to Protect Private Information .599.4.5 Notice and Consent to Use Private Information599.4.6 Disclosure Pursuant to Judicial orAdministrative Process .599.4.7 Other Information Disclosure Circumstances.609.5INTELLECTUAL PROPERTY RIGHTS .609.5.1 Property Rights in Certificates and RevocationInformation.609.5.2 Property Rights in the CP .609.5.3 Property Rights in Names .609.5.4 Property Rights in Keys and Key Material.609.6REPRESENTATIONS AND W ARRANTIES .609.6.1 CA Representations and Warranties .609.6.2 RA Representations and Warranties .619.6.3 Subscriber Representations and Warranties .619.6.4 Relying Party Representations and Warranties629.6.5 Representations and Warranties of OtherParticipants .629.7DISCLAIMERS OF W ARRANTIES .629.8LIMITATIONS OF LIABILITY .629.9INDEMNITIES .639.9.1 Indemnification by Subscribers .639.9.2 Indemnification by Relying Parties .639.9.3 Indemnification of Application SoftwareSuppliers.639.10TERM AND TERMINATION .649.10.1Term .649.10.2Termination .649.10.3Effect of Termination and Survival .649.11INDIVIDUAL NOTICES AND COMMUNICATIONS WITHPARTICIPANTS .649.12AMENDMENTS .649.12.1Procedure for Amendment .649.12.2Notification Mechanism and Period .64
Circumstances under Which OID Must be9.12.3Changed 659.13DISPUTE RESOLUTION PROVISIONS . 659.13.1Disputes among Symantec, Affiliates, andCustomers . 659.13.2Disputes with End-User Subscribers orRelying Parties . 659.14GOVERNING LAW . 659.15COMPLIANCE WITH APPLICABLE LAW . 669.16MISCELLANEOUS PROVISIONS . 669.16.1Entire Agreement . 669.16.2Assignment . 669.16.3Severability . 669.16.4Enforcement (Attorney's Fees and Waiver ofRights)669.16.5Force Majeure . 669.17OTHER PROVISIONS. 66APPENDIX A. TABLE OF ACRONYMS AND DEFINITIONS. 67TABLE OF ACRONYMS . 67DEFINITIONS . 68APPENDIX B: HISTORY OF CHANGES . 74- iv -
1. INTRODUCTIONThe Symantec Trust Network (STN) is a global PKI that accommodates a large, public, andwidely distributed community of users with diverse needs for communications and informationsecurity. Symantec offers STN services together with a global network of affiliates (“Affiliates”)throughout the world.This document, “Symantec Trust Network Certificate Policies” (CP) is the principal statement ofpolicy governing the STN. The CP sets forth the business, legal, and technical requirements forapproving, issuing, managing, using, revoking, and renewing, digital Certificates within the STNand providing associated trust services for all participants within the STN. These requirementsprotect the security and integrity of the STN and comprise a single set of rules that applyconsistently STN-wide, thereby providing assurances of uniform trust throughout the STN. TheCP is not a legal agreement between Symantec and STN participants; rather, contractualobligations between Symantec and STN participants are established by means of agreementswith such participants.This document is targeted at:o STN PKI service providers who have to operate in terms of their own CertificationPractices Statement (CPS) that complies with the requirements laid down by the CPo STN certificate Subscribers who need to understand how they are authenticated andwhat their obligations are as STN subscribers and how they are protected under the STNo Relying parties who need to understand how much trust to place in a STN certificate, ora digital signature using that certificateThe CP, however, does not govern any services outside the STN. For example, Symantec andcertain Affiliates offer private label services by which organizations create their own privatehierarchies outside the STN, approve certificate applications, and outsource to Symantec or anAffiliate the back-end functions of certificate issuance, management, revocation, and renewal.Because the CP applies only to the STN, it does not apply to these private hierarchies.1This CP conforms to the Internet Engineering Task Force (IETF) RFC 3647 for Certificate Policyand Certification Practice Statement construction. STN Certificate Policy also adopts the currentversion of the CA/Browser Forum requirements as set forth in the following documents: Guidelines for the Issuance and Management of Extended Validation (EV) Certificates, Guidelines for the Issuance and Management of Extended Validation (EV) Code-SigningCertificates, and, Baseline Requirements for the Issuance and Management of Publicly-TrustedCertificates,published at www.cabforum.org. In the event of any inconsistency between this document andthose Requirements, those Requirements take precedence over this document.At this time, Symantec’s Extended Validation (EV) SSL certificates, Extended Validation (EV)Code-Signing certificates, and Domain-Validated (DV) and Organization-Validated (OV) SSLcertificates2 issued by Symantec CAs under this CP, are governed by the CABF Requirements.1Authenticated Content Signing Certificates (ACS) are issued by a non-STN CA. However, reference is made to thesecertificates in certain sections of this CP, for ACS customers to understand certain procedural differences used for thesecertificates2 Additionally, Symantec issues organizational Client (non-SSL) certificates that are not subject to the CA Browser ForumBaseline Requirements. In addition to practices pertaining exclusively to the CA Browser Forum (ie, for OV SSLcertificates), this CP describes practices that pertain to any Class 2 or Class 3 certificate that is issued to an organizationand contains organization information. Such certificates are referred to throughout this CP as “organizational certificates”.- 1 -
Such DV and OV certificates are issued containing the corresponding policy identifier(s) specifiedin section 1.2 indicating adherence to and compliance with these requirements. Symantec CAsshall also assert that all Certificates issued containing these policy identifier(s) are issued andmanaged in accordance with the CABF Requirements.The Symantec Trust Network is managed within a dedicated business unit within Symantec andoperates separately from the business units responsible for the Company’s other securityofferings. The STN shall not issue SSL inspection intermediate CAs from roots that are part of theNetwork. Only roots with no current or previous trust in Application Software Supplier products(private roots) may be used to create intermediate CAs used for SSL inspection.Effective February 1, 2017 and after, the STN adopts the current version of the MinimumRequirements for the Issuance and Management of Publicly-Trusted Code Signing Certificatespublished at https://aka.ms/csbr. If there is any inconsistency between this document and thoseRequirements, those Requirements take precedence over this document.CAs shall disclose all Cross Certificates that identify the CA as the Subject in the established trustrelationship.1.1 OverviewAn overview of the STN structure is shown in Diagram 1 below. At the top of the hierarchy is thisCP that sets out the policies under which STN participants must operate.Symantec and Affiliate Processing Centers operate as CAs under the STN CP, issuing end-usersubscriber certificates.Registration Authorities (RAs) are entities that authenticate certificate requests under the STN.Symantec and Affiliates act as RAs for certificates they issue. Symantec and Affiliates also enterinto contractual relationships with Enterprises who wish to manage their own certificate requests.These enterprise customers act as RAs, authenticating certificate requests for themselves andtheir affiliated individuals. Symantec or the Affiliate will then issue these authenticated certificaterequests.Depending on the class and type of certificate, Digital Certificates may be used by Subscribers tosecure websites, digitally sign code or other content, digitally sign documents and/or e-mails. Theperson who ultimately receives a signed document or communication, or accesses a securedwebsite is referred to as a relying party, i.e., he/she is relying on the certificate and has to make adecision on whether to trust it. A Relying Party must rely on a certificate in terms if the relevantRelying Party Agreement included in the Certificate.- 2 -
STN CPSubscriberCertificate.Relying PartySymantec CPSAffiliate CPSRA 1RA 2RA 3SubscriberCertificateSubscriberCertificateRelying PartyRelying PartyRA berCertificateRelying PartyRelying PartyRelying PartyDiagram 1. Structure of the STNDiagram 2 below provides a summary of the classes of certif
to Symantec Corporation. Requests for any other permission to reproduce this Symantec STN Certificate Policy (as well as requests for copies from Symantec) must be addressed to Symantec Corporation., 350 Ellis Street, Mountain View, CA 94043 USA Attn: Practices Development. Tel: 1 650.527.8000 Fax: 1 650.527.8050 Email: practices@symantec.com.
