SwissSign Silver CP/CPS


SwissSign Silver CP/CPS
Certificate Policy and Certification Practice Statement of the SwissSign Silver CA and its subordinated issuing CA.

Document: Certificate Policy and Certification Practice Statement
OID: 2.16.756.1.89.1.3.1.12
Information Security and Compliance
Classification: C1 (public)
Global
CEO
Issue: November 25th, 2019
Version: 3.7.0
Previous version: Version 3.6.0, December 17th, 2018
SwissSign Document Repository
Global
Status: Released

Review: This document is reviewed periodically, at least once per calendar year. The owner is responsible for this review.

Disclaimer: The electronic version of this document and all its stipulations are considered binding if saved in Adobe PDF format and signed by two legal representatives of SwissSign AG. All other copies and media are null and void.

SwissSign AG, 25.11.2019

Document history

Date | Version | Change | Author
(undated) | | Version certification version | Joseph A. Doekbrijder
25.07.2006 | 2.0.0 | Revision | Melanie Raemy
16.08.2006 | 2.0.1 | Review | Michael Doujak
19.10.2006 | 2.0.2 | Review, minor changes | Björn Kanebog
18.12.2006 | 2.0.3 | Revision | Melanie Raemy
21.12.2006 | 3.0.0 | Insert SWITCH CA | Melanie Raemy
14.05.2007 | 3.0.1 | Review, minor changes | Björn Kanebog
27.06.2007 | 3.0.2 | Extensions: domain validation | Melanie Raemy
15.04.2008 | 3.1.0 | |
17.04.2008 | 3.1.1 | Review | Michael Doujak
19.11.2008 | 3.1.2 | Update for flexible pseudonym identifiers | Michael Doujak
02.11.2009 | 3.1.3 | Allow domain validation, 7*24 availability | Michael Doujak
19.07.2010 | 3.2.0 | Added G3 CA certificates | Michael Doujak
27.06.2011 | 3.2.1 | Allow nicknames, e-mail validated only, OCSP Responder | Michael Doujak
26.03.2012 | 3.2.2 | Prohibit MITM and traffic management | Michael Doujak
26.06.2012 | 2.2.3 | Adjustments to the CA/Browser Forum Baseline Requirements | Christoph Stalder
30.09.2014 | 2.4.0 | Added G22 Issuing CA certificates | Cornelia Enke
13.10.2014 | 2.4.1 | Deleted SWITCH CA | Cornelia Enke
13.09.2017 | 2.4.2 | Implement CAA | Cornelia Enke
06.10.2017 | 2.4.2.1 | Adjust layout | Cornelia Enke
16.10.2017 | 2.4.3 | Adjust after auditor review | Cornelia Enke
25.06.2018 | 2.4.4 | Adjust after auditor review | Cornelia Enke
18.10.2018 | 3.5.0 | Adjust after auditor review | Jürg Eiholzer
17.12.2018 | 3.6.0 | Removal G3 CA hierarchy | Michael Guenther
25.11.2019 | 3.7.0 | Improvement CA hierarchy, removal revoked Issuing CA | Nathalie Weiler

Lifecycle management: Björn Kanebog

Authorization

Date | Approved by | Approved by | Version
21.12.2006 | Michael Doujak | Melanie Raemy | 2.0.0 / OID 1
26.07.2007 | Michael Doujak | Melanie Raemy | 3.0.2 / OID 2
28.04.2008 | Adrian Humbel | Björn Kanebog | 3.1.1 / OID 3
19.11.2008 | Freddy Kaiser | Michael Doujak | 3.1.2 / OID 3
02.11.2009 | Adrian Humbel | Michael Doujak | 3.1.4 / OID 4
29.07.2010 | Adrian Humbel | Michael Doujak | 3.2.0 / OID 5
29.06.2011 | Adrian Humbel | Michael Doujak | 3.2.1 / OID 5
20.04.2012 | Urs Fischer | Reinhard Dietrich | 3.2.2 / OID 5
28.06.2012 | Urs Fischer | Reinhard Dietrich | 2.3.3 / OID 5
30.09.2014 | Urs Fischer | Reinhard Dietrich | 2.4.0 / OID 6
13.10.2014 | Urs Fischer | Reinhard Dietrich | 2.4.1 / OID 6
15.09.2017 | Reinhard Dietrich | Markus Naef | 2.4.2 / OID 7
16.10.2017 | Reinhard Dietrich | Markus Naef | 2.4.3 / OID 8
28.06.2018 | Reinhard Dietrich | Markus Naef | 2.4.4 / OID 9
22.10.2018 | Matthias Bartholdi | Markus Naef | 3.5.0 / OID 10
17.12.2018 | Matthias Bartholdi | Markus Naef | 3.6.0 / OID 11
25.11.2019 | Nathalie Weiler | Markus Naef | 3.7.0 / OID 12

Digital signatures:
Markus Naef (Qualified Signature): digitally signed by Markus Naef, date: 2019.11.25 13:03:07 +01'00'
Nathalie Weiler (Qualified Signature): digitally signed by Nathalie Weiler, date: 2019.11.25 10:41:24 +01'00'

Table of Contents

1. Introduction . 7
1.1 Overview . 7
1.2 Document name and identification . 8
1.3 PKI participants . 8
1.4 Certificate usage . 10
1.5 Policy administration . 10
1.6 Definitions and acronyms . 11
2. Publication and Repository Responsibilities . 18
2.1 Repositories . 18
2.2 Publication of certification information . 18
2.3 Time or frequency of publication . 18
2.4 Access controls on repositories . 19
2.5 Additional testing . 19
3. Identification and Authentication . 20
3.1 Naming . 20
3.2 Initial identity validation . 21
3.3 Identification and authentication for re-key requests . 23
3.4 Identification and authentication for revocation request
4. Certificate Life-Cycle Operational Requirements . 24
4.1 Certificate application . 24
4.2 Certificate application processing . 24
4.3 Certificate issuance . 25
4.4 Certificate acceptance . 26
4.5 Key pair and certificate usage . 27
4.6 Certificate renewal . 27
4.7 Certificate reissuance . 27
4.8 Certificate re-key . 27
4.9 Certificate modification . 27
4.10 Certificate revocation and suspension . 28
4.11 Certificate status services . 32
4.12 End of subscription . 32
4.13 Key escrow and recovery . 32
5. Facility, Management, and Operations Controls . 33
5.1 Physical controls . 33
5.2 Procedural controls . 34
5.3 Personnel controls . 38
5.4 Audit logging procedures . 42
5.5 Records archival . 44
5.6 Key changeover . 45
5.7 Compromise and disaster recovery . 45
5.8 CA or RA termination . 46
6. Technical Security Controls . 48
6.1 Key pair generation and installation . 48
6.2 Private Key Protection and Cryptographic Module Engineering Controls . 50
6.3 Other aspects of key pair management . 52
6.4 Activation data . 53
6.5 Computer security controls . 53
6.6 Life cycle technical controls . 54
6.7 Network security controls . 55
6.8 Time-stamping . 55
7. Certificate, CRL and OCSP Profiles . 56
7.1 Certificate profile . 56
7.2 CRL profile . 61
7.3 OCSP profile . 61
8. Compliance Audit and Other Assessments . 63
8.1 Frequency or circumstances of assessment . 63
8.2 Identity/qualifications of assessor . 63
8.3 Assessor's relationship to assessed entity . 63
8.4 Topics covered by assessment . 63
8.5 Actions taken as a result of deficiency . 63
8.6 Communication of results . 63
8.7 Risk assessment
9. Other Business and Legal Matters . 65
9.1 Fees . 65
9.2 Financial responsibility . 65
9.3 Confidentiality of business information . 66
9.4 Privacy of personal information . 66
9.5 Intellectual property rights . 67
9.6 Representations and warranties . 67
9.7 Disclaimers of warranties . 68
9.8 Liability . 68
9.9 Indemnities . 68
9.10 Term and termination . 68
9.11 Individual notices and communications with participants . 69
9.12 Amendments . 69
9.13 Dispute resolution provisions . 69
9.14 Governing law and place of jurisdiction . 70
9.15 Compliance with applicable law . 70
9.16 Miscellaneous provisions . 70
9.17 Other provisions . 71

1. Introduction

Since 2001 SwissSign AG has offered several trust services, such as SSL and S/MIME certificates, to customers all over the world, with a focus on Switzerland and Europe.

This Trust Service Provider (TSP) document describes the Certificate Policy / Certification Practice Statement (CP/CPS) of the trust services provided by SwissSign AG. The structure of this document corresponds to RFC 3647. Under this CP/CPS the TSP operates all trust services published under the root "SwissSign Silver CA G2".

This Root Certificate Authority is operated by SwissSign AG, Sägereistrasse 25, 8152 Glattbrugg, Switzerland ("SwissSign Switzerland") and only issues certificates to its subordinated issuing CA.

The offered services are non-discriminatory. They respect the applicable export regulations.

For the issuance of SSL certificates for domain validation (DV), SwissSign fully complies with the rules and regulations published by the CA/Browser Forum, using the currently valid versions (http://www.cabforum.org):

- BR Guidelines: "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates"
- ETSI EN 319 401 (2018): General Policy Requirements for Trust Service Providers
- ETSI EN 319 411-1 (2018): Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
- ETSI TS 119 312 (2019): Cryptographic Suites
- IETF RFC 6960 (2013): Online Certificate Status Protocol - OCSP
- IETF RFC 3647 (2003): Internet X.509 Public Key Infrastructure – Certificate Policy and Certification Practices Framework
- IETF RFC 5280 (May 2008): Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

In this CP/CPS, "this CA" refers to the "SwissSign Silver CA" and all its subordinated CAs, unless stated differently.

The certificates are classified with the following Policy OIDs:

- LCP
- DVCP

In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document.

1.1 Overview

This certificate policy and certification practice statement (CP/CPS) describes:

- The certification and registration policy of this CA.
- Practices and procedures of this CA.
- Practices and procedures of the registration authorities for this CA.
- Terms and conditions under which this CA is made available.

The documents above are available in their current and all previous versions on the https://repository.swissign.com website.

This CP/CPS is applicable to all persons, including, without limitation, all requesters, subscribers, relying parties, registration authorities and any other persons that have a relationship with the TSP with respect to certificates issued by this CA. This CP/CPS also provides statements of the rights and obligations of SwissSign AG, authorized registration authorities, requesters, subscribers, relying parties, resellers, co-marketers and any other person or organization that may use or rely on certificates issued by this CA.

SwissSign AG provides a detailed product overview on the website (swisssign.com) for Silver certificates and for other services.

The TSP does not have and is not issuing any cross certificates for this CA.

1.2 Document name and identification

This document is named "SwissSign Silver CP/CPS - Certificate Policy and Certification Practice Statement of the SwissSign Silver CA and its subordinated issuing CAs" as indicated on the cover page of this document.

The applicable CP/CPS for each ce
