VeriSign Certified Document Service (CDS) for Adobe PKI


VeriSign Certified Document Service (CDS) for Adobe PKI
Certification Practice Statement

Version 1.0
13 September 2010

(Portions of this document have been redacted.)

VeriSign, Inc.
487 East Middlefield Road
Mountain View, CA 94043
1 650.527.8000
http://www.verisign.com

COPYRIGHT 2010 VERISIGN, INC. ALL RIGHTS RESERVED

VeriSign Confidential

Revision History

Version: Version 1.0
Date: 13 September, 2010
Description: Initial approval by Adobe PMA

VeriSign Certified Document Service (CDS) for Adobe PKI Certificate Practice Statement

2010 VeriSign, Inc. All rights reserved.
Printed in the United States of America.

Initial Publication Date: September 13, 2010

Trademark Notices

VeriSign is a registered trade mark of VeriSign, Inc. The VeriSign logo is a trademark and service mark of VeriSign, Inc. Other trademarks and service marks in this document are the property of their respective owners.

Without limiting the rights reserved above, and except as licensed below, no part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without prior written permission of VeriSign, Inc.

Notwithstanding the above, permission is granted to reproduce and distribute this VeriSign CDS for Adobe Certificate Practice Statement on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy, and (ii) this document is accurately reproduced in full, complete with attribution of the document to VeriSign, Inc.

Requests for any other permission to reproduce this VeriSign CDS for Adobe Certificate Practice Statement (as well as requests for copies from VeriSign) must be addressed to:

VeriSign, Inc.
487 East Middlefield Road
Mountain View, CA 94043 USA
Attn: Practices Development
Tel: 1 650.527.8000
Fax: 1 650-527.8050
practices@verisign.com

TABLE OF CONTENTS

1. INTRODUCTION
  1.1 OVERVIEW
  1.2 POLICY IDENTIFICATION
  1.3 COMMUNITY AND APPLICABILITY
    1.3.1 Certification Authority (CA)
      1.3.1.1 Other Participants
      1.3.1.2 Related Authorities
    1.3.2 Registration Authority (RA)
      1.3.2.1 Trusted Agent
    1.3.3 End Entities
      1.3.3.1 Subscribers
      1.3.3.2 Relying Parties
    1.3.4 Applicability
    1.3.5 PKI Policy Authority (PA)
      1.3.5.1 Organization Policy Management Authority (PMA)
  1.4 CONTACT DETAILS
    1.4.1 Specification Administration Organization
    1.4.2 Contact Persons
    1.4.3 Person Determining CPS Suitability for the Policy
2. GENERAL PROVISIONS
  2.1 OBLIGATIONS
    2.1.1 PMA Obligations
    2.1.2 Organization PMA Obligations
    2.1.3 CA Obligations
    2.1.4 RA Obligations
      2.1.4.1 Trusted Agent Obligations
    2.1.5 End Entity Obligations
      2.1.5.1 Trusted Roles Obligations
      2.1.5.2 Subscriber Obligations
      2.1.5.3 Sponsor Obligations
    2.1.6 Relying Party Obligations
    2.1.7 Repository Obligations
  2.2 LIABILITY
    2.2.1 Warranties and Limitations on Warranties
      2.2.1.1 Certificate Authority Warranties
      2.2.1.2 Subscribers’ Representations
    2.2.2 Disclaimers of Warranty and Liability
      2.2.2.1 Specific Disclaimers
      2.2.2.2 General Disclaimer
    2.2.3 Limitations of Liability
      2.2.3.1 Limitations on Amount of Damages
      2.2.3.2 Exclusion of Certain Elements of Damages
    2.2.4 Third Party Beneficiary
  2.3 FINANCIAL RESPONSIBILITY
    2.3.1 Subscriber’s Liability and Indemnity
    2.3.2 Relying Party’s Liability and Indemnity
    2.3.3 Fiduciary Relationships
    2.3.4 Administrative Processes
  2.4 INTERPRETATION AND ENFORCEMENT
    2.4.1 Interpretation
      2.4.1.1 Governing Law
      2.4.1.2 Conflict of Provisions
      2.4.1.3 Interpretation
      2.4.1.4 Headings and Appendices of this CPS
    2.4.2 Severability, Survival, Merger, and Notice
      2.4.2.1 Severability
      2.4.2.2 Survival
      2.4.2.3 Merger
      2.4.2.4 Notice
    2.4.3 Dispute Resolution Procedures and Choice of Forum
      2.4.3.1 Notification among Parties to a Dispute
      2.4.3.2 Formal Dispute Resolution
    2.4.4 Successors and Assigns
    2.4.5 No Waiver
    2.4.6 Compliance with Export Laws and Regulations
    2.4.7 Choice of Cryptographic Methods
    2.4.8 Force Majeure
  2.5 FEES
    2.5.1 Certificate Issuance or Renewal Fees
    2.5.2 Certificate Access Fees
    2.5.3 Revocation or Status Information Access Fees
    2.5.4 Fees for Other Services
    2.5.5 Refund Policy
  2.6 PUBLICATION AND REPOSITORIES
    2.6.1 Publication of CA Information
    2.6.2 Frequency of Publication
    2.6.3 Access Controls
    2.6.4 Repositories
  2.7 COMPLIANCE AUDIT
    2.7.1 Frequency of Compliance Audit
    2.7.2 Identity/Qualifications of Reviewer
    2.7.3 Auditor's Relationship to Audited Party
    2.7.4 Topics Covered by Compliance Audit
    2.7.5 Actions Taken as a Result of Deficiency
    2.7.6 Communication of Results
  2.8 CONFIDENTIALITY
    2.8.1 Types of Information to Be Kept Confidential
    2.8.2 Information Release Circumstances
  2.9 INTELLECTUAL PROPERTY RIGHTS
3. IDENTIFICATION AND AUTHENTICATION
  3.1 INITIAL REGISTRATION
    3.1.1 Types of Names
    3.1.2 Need for Names to be Meaningful
    3.1.3 Rules for Interpreting Various Name Forms
    3.1.4 Uniqueness of Names
    3.1.5 Name Claim Dispute Procedure
    3.1.6 Recognition, Authentication, and Role of Trademarks
    3.1.7 Method to prove possession of private key
    3.1.8 Authentication of CA Certificate Issuance
    3.1.9 Authentication of Organization Identity
    3.1.10 Authentication of Individual Identity
    3.1.11 Authentication for Group Certificates
  3.2 CERTIFICATE RENEWAL, UPDATE, AND ROUTINE REKEY
    3.2.1 Certificate Renewal/Modification
    3.2.2 Certificate Re-key
    3.2.3 Certificate Update
  3.3 RE-KEY AFTER REVOCATION
  3.4 REVOCATION REQUEST
4. OPERATIONAL REQUIREMENTS
  4.1 CERTIFICATE APPLICATION
    4.1.1 Delivery of Subscriber’s Public Key to Certificate Issuer
  4.2 CERTIFICATE ISSUANCE
  4.3 CERTIFICATE ACCEPTANCE
  4.4 CERTIFICATE SUSPENSION AND REVOCATION
    4.4.1 Revocation
      4.4.1.1 Circumstances for Revocation
      4.4.1.2 Who Can Request Revocation
      4.4.1.3 Procedure for Revocation Request
      4.4.1.4 Revocation Request Grace Period
    4.4.2 Suspension
    4.4.3 Certificate Revocation Lists
    4.4.4 Online Status Checking
    4.4.5 Other Forms of Revocation Advertisements Available
    4.4.6 Checking Requirements for Other Forms of Revocation Advertisements
    4.4.7 Special Requirements Regarding Key Compromise
  4.5 SECURITY AUDIT/AUDIT LOGGING PROCEDURES
    4.5.1 Types of Events Recorded
    4.5.7 Notification to Event-Causing Subject
    4.5.8 Vulnerability Assessments
  4.6 RECORDS ARCHIVAL
    4.6.1 Types of Data/Records Archived
    4.6.2 Retention Period for Archive
  4.7 KEY CHANGEOVER
  4.8 COMPROMISE AND DISASTER RECOVERY
  4.9 CA TERMINATION
5. PHYSICAL, PROCEDURAL AND PERSONNEL SECURITY CONTROLS
  5.1 PHYSICAL CONTROLS
  5.2 PROCEDURAL CONTROLS
    5.2.1 Trusted Roles
      5.2.1.2 Officer
      5.2.1.5 Trusted Agent
      5.2.1.6 PKI Sponsor
  5.3 PERSONNEL CONTROLS
    5.3.1 Background, Qualifications, Experience and Clearance Requirements
    5.3.3 Training Requirements
6. TECHNICAL SECURITY CONTROLS
  6.1 KEY PAIR GENERATION AND INSTALLATION
    6.1.1 Key Pair Generation
      6.1.1.1 CA Key Pair Generation
      6.1.1.2 Subscriber Key Pair Generation
    6.1.2 Private Key Delivery to Subscriber
    6.1.3 Public Key Delivery to Certificate Issuer
    6.1.4 CA Public Key Delivery to Relying Parties
    6.1.5 Key Sizes and Signature Algorithms
    6.1.6 Public Key Parameters
    6.1.7 Parameter Quality Checking
    6.1.8 Hardware/Software Key Generation
    6.1.9 Key Usage Purposes
  6.2 PRIVATE KEY PROTECTION
    6.2.1 Standards for Cryptographic Modules
    6.2.3 Private Key Escrow
    6.2.4 Private Key Backup
      6.2.4.1 Backup of CA Private Signature Key
      6.2.4.2 Backup of Subscriber Private Keys
    6.2.5 Private Key Archival
    6.2.6 Private Key Entry into Cryptographic Module
    6.2.7 Method of Activating Private Key
    6.2.8 Method of Deactivating Private Key
    6.2.9 Method of Destroying Private Key
  6.3 OTHER ASPECTS OF KEY PAIR MANAGEMENT
    6.3.1 Public Key Archival
    6.3.2 Usage Periods for the Public and Private Keys
  6.4 ACTIVATION DATA
    6.4.1 Activation Data Generation and Installation
    6.4.2 Activation Data Protection
    6.4.3 Other Aspects of Activation Data
  6.5 COMPUTER SECURITY CONTROLS
    6.5.1 Specific Computer Security Technical Requirements
  6.6 LIFE CYCLE TECHNICAL CONTROLS
  6.7 NETWORK SECURITY CONTROLS
  6.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
7. CERTIFICATE AND CRL PROFILES
  7.1 CERTIFICATE PROFILE
    7.1.1 Version Numbers
    7.1.2 Certificate Extensions
    7.1.3 Algorithm Object Identifiers
    7.1.4 Name Forms
    7.1.5 Name Constraints
    7.1.6 Certificate Policy Object Identifier
    7.1.7 Usage of Policy Constraints
    7.1.8 Policy Qualifiers Syntax and Semantics
    7.1.9 Processing Semantics for the Critical Certificate Policy Extension
  7.2 CRL PROFILE
    7.2.1 Version numbers
    7.2.2 CRL and CRL Entry Extensions
  7.3 OCSP PROFILE
8. SPECIFICATION ADMINISTRATION
  8.1 SPECIFICATION CHANGE PROCEDURES
  8.2 PUBLICATION AND NOTIFICATION PROCEDURES
  8.3 CPS APPROVAL PROCEDURES
  8.4 CPS WAIVERS
APPENDIX A: CERTIFICATE AND CRL FORMATS
APPENDIX B: DEFINITIONS
APPENDIX C: REFERENCES
APPENDIX D: ACRONYMS AND ABBREVIATIONS

1. INTRODUCTION

Certified Document Services (CDS) is an offering available in the Acrobat 6.0 product family. Using digital signature technology, CDS provides recipients with assurances that certified PDF documents are authentic – that they did originate from their stated author and the portion of the document signed by the author has not been modified since authoring.

While digital signature technology is not new, Adobe is taking a leadership position working with security partners to provide a solution that is easy to use for document authors and recipients on the Adobe PDF platform. Document recipients using the free Adobe Reader on supported platforms will have the ability to automatically validate a certified document without additional software or configuration.

VeriSign, Inc. (VeriSign) is contracted with Adobe Systems Incorporated (Adobe) as a 3rd party PKI Services Provider to provide Certification Authority (CA) services including all Registration Authority (RA) functionality. VeriSign may also offer CDS services through a global network of affiliates (“Affiliates”) throughout the world.

Organizations interested in creating certified documents may register with the VeriSign CDS PKI, have their identification information verified and then be provided with a certificate used in Adobe Acrobat Standard or Professional to certify documents.

This VeriSign Certified Document Services (CDS) PKI Certification Practice Statement (CPS) in conjunction with the Adobe Certified Document Services Certification Policy (CP) defines the practices that VeriSign, and VeriSign Affiliates, will employ in issuing and managing certificates and in maintaining a certificate-based CDS PKI for Adobe clients.

1.1 Overview

This CPS is the statement of practices that VeriSign employs when issuing digital certificates from the VeriSign CDS PKI (“VeriSign CDS”). This CPS is structured in accordance with RFC 2527 of the Internet Engineering Task Force (IETF).

The VeriSign CDS PKI operates under the Adobe CDS Certificate Policy (CP) as a subordinate CA and provides complete certificate life-cycle support and certificate repository services for Adobe client entities.

The architecture and functional soluti
