Department of Labor: aces cps

8/14/2019 Department of Labor: aces cps

1/91

2001 Digital Signature Trust Co. All rights reserved.

Certification Practices Statement



Digital Signature Trust Co.


For Access Certificates for Electronic Services (ACES)

Version 3.2

Copyright 2001 Digital Signature Trust Co. All rights reserved.

This document is subject to change without notice.


2/91





ii

Table of Contents

1 INTRODUCTION .................................................................................................... 1

1.1 CPS OVERVIEW .....................................................................................................1

1.2 POLICY IDENTIFICATION .........................................................................................1

1.3 COMMUNITY AND APPLICABILITY..........................................................................2

1.3.1 Approved Applications...................................................................................3

1.3.2 Prohibited Applications..................................................................................3

1.4 CONTACT DETAILS ................................................................................................3

2 GENERAL PROVISIONS....................................................................................... 4

2.1 RIGHTS AND OBLIGATIONS.....................................................................................4

2.1.1 CA Rights and Obligations.............................................................................4

2.1.2 CA Right to Subcontract ................................................................................4

2.1.3 RA Obligations ...............................................................................................5

2.1.4 Subscriber Contractual Obligations...............................................................52.1.5 Applicant (Person Authorized to Receive Certificate for Qualified Relying

Party Application).....................................................................................................29

AUTHORIZING OFFICIAL OF QUALIFIED RELYING PARTY.............................29

2.1.6 Relying Party Rights and Obligations ..........................................................31

2.1.6 Repository Obligations ....................................................................................31

2.2 LIABILITY.............................................................................................................31

2.2.1 CA Liability..................................................................................................32

2.2.2 RA Liability...................................................................................................32

2.2.3 Repository Liability......................................................................................32

2.3 FINANCIAL RESPONSIBILITY .................................................................................322.4 INTERPRETATION AND ENFORCEMENT..................................................................32

2.4.1 Governing Law ............................................................................................32

2.4.2 Severability, Survival, Merger, and Notice..................................................32

2.4.3 Dispute Resolution Procedures ....................................................................33

2.5 FEES.....................................................................................................................33

2.5.1 Certificate Issuance or Renewal Fees..........................................................33

2.5.2 Certificate Access Fees................................................................................33

2.5.3 Revocation or Status Information Access Fees............................................33

2.5.4 Fees for Other Services Such as Policy Information ...................................33

2.5.5 Refund Policy ...............................................................................................33

2.6 PUBLICATION AND REPOSITORY ...........................................................................34

2.6.1 Publication of CA Information ....................................................................34

2.6.2 Frequency of Publication.............................................................................34

2.6.3 Access Controls............................................................................................34

2.6.4 Repositories..................................................................................................34

2.7 COMPLIANCE AUDIT ............................................................................................34

2.8 CONFIDENTIALITY AND PRIVACY..........................................................................35


3/91





iii

2.9 INTELLECTUAL PROPERTY RIGHTS ........................................................................36

3 IDENTIFICATION AND AUTHENTICATION.................................................. 37

3.1 INITIAL REGISTRATION.........................................................................................37

3.1.1 Types of Names ............................................................................................373.1.2 Need for Names to be Meaningful ...............................................................37

3.1.3 Rules for Interpreting Various Name Forms................................................38

3.1.4 Uniqueness of Names...................................................................................38

3.1.5 Name Claim Dispute Resolution Procedure.................................................38

3.1.6 Recognition, Authentication, and Role of Trademarks................................38

3.1.7 Verification of Possession of Key Pair.........................................................38

3.1.8 Authentication of Organizational Identity...................................................39

3.1.9 Authentication of Individual Identity...........................................................39

3.2 ROUTINE REKEY AND CERTIFICATE RENEWAL......................................................39

3.3 REKEY AFTER REVOCATION..................................................................................393.4 REVOCATION REQUEST.........................................................................................39

4 OPERATIONAL REQUIREMENTS.................................................................... 40

4.1 CERTIFICATE APPLICATION ..................................................................................40

4.2 CERTIFICATE ISSUANCE........................................................................................42

4.3 CERTIFICATE ACCEPTANCE ..................................................................................42

4.4 CERTIFICATE SUSPENSION AND REVOCATION.......................................................43

4.4.1 Circumstances for Revocation .....................................................................43

4.4.2 Who Can Request Revocation......................................................................44

4.4.3 Procedure for Revocation Request...............................................................454.4.4 Circumstances for Suspension .....................................................................45

4.4.5 Who Can Request Suspension ......................................................................45

4.4.6 Procedure for Suspension Request ...............................................................46

4.4.7 Limits on Suspension Period........................................................................46

4.4.8 CRL Issuance Frequency (If Applicable)......................................................46

4.4.9 Online Revocation/Status Checking Availability .........................................46

4.4.10 Online Revocation Checking Requirements.................................................47

4.4.11 Other Forms of Revocation Advertisements Available................................47

4.4.12 Checking Requirements for Other Forms of Revocation Advertisements...47

4.4.13 Special Requirements Rekey Compromise ...................................................47

4.5 SECURITY AUDIT PROCEDURES .............................................................................47

4.6 RECORDS ARCHIVAL.............................................................................................48

4.6.1 Types of Events Recorded............................................................................48

4.6.2 Retention Period for Archive.......................................................................51

4.6.3 Protection of Archive...................................................................................51

4.6.4 Archive Backup Procedures.........................................................................52

4.6.5 Archive Collection System (Internal or External)........................................52


4/91





iv

4.6.6 Procedures to Obtain and Verify Archive Information................................52

4.7 KEYCHANGEOVER ...............................................................................................52

4.8 COMPROMISE AND DISASTER RECOVERY..............................................................52

4.9 CA TERMINATION................................................................................................53

5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS . 535.1 PHYSICAL CONTROLS ...........................................................................................53

5.2 PROCEDURAL CONTROLS......................................................................................55

5.2.1 Operating System Administrators................................................................55

5.2.2 CA Operators ...............................................................................................56

5.2.3 Directory/Repository Administrators ...........................................................56

5.2.4 Help Desk Infrastructure Personnel.............................................................57

5.2.5 Network Infrastructure Personnel...............................................................57

5.2.6 Backup Operators ........................................................................................57

5.2.7 DST Management Group.............................................................................58

5.3 PERSONNEL CONTROLS.........................................................................................585.3.1 Background, Qualifications, Experience, and Clearance Requirements .....58

5.3.2 Background Check Procedures....................................................................59

5.3.3 Training Requirements.................................................................................59

5.3.4 Retraining Frequency and Requirements.....................................................60

5.3.5 Job Rotation Frequency and Sequence ........................................................60

5.3.6 Sanctions for Unauthorized Actions ............................................................60

5.3.7 Contracting Personnel Requirements ..........................................................60

5.3.8 Documentation Supplied to Personnel.........................................................60

6 TECHNICAL SECURITY CONTROLS............................................................... 61

6.1 KEYPAIR GENERATION AND INSTALLATION ........................................................61

6.1.1 Key pair generation......................................................................................61

6.1.2 Private Key Delivery to Entity.....................................................................61

6.1.3 Public Key Delivery to Certificate Issuer.....................................................62

6.1.4 CA Public Key Delivery to Users.................................................................62

6.1.5 Key Sizes.......................................................................................................63

6.1.6 Public Key Parameters Generation .............................................................63

6.1.7 Parameter Quality Checking .......................................................................63

6.1.8 Hardware/Software Key Generation ...........................................................63

6.1.9 Key Usage Purposes (As Per X.509 v3 Key-Usage Field)...........................63

6.2 PRIVATE KEY PROTECTION...................................................................................64

6.2.1 Standards for Cryptographic Module..........................................................64

6.2.2 Private Key (n out of m) Multiperson Control.............................................64

6.2.3 Private Key Escrow .....................................................................................64

6.2.4 Private Key Backup .....................................................................................64

6.2.5 Private Key Archival....................................................................................64

6.2.6 Private Key Entry into Cryptographic Module............................................64


5/91





v

6.2.7 Method of Activating Private Key ...............................................................64

6.2.8 Method of Deactivating Private Key...........................................................65

6.2.9 Method of Destroying Private Key ..............................................................65

6.3 OTHER ASPECTS OF KEYPAIR MANAGEMENT......................................................65

6.3.1 Public Key Archival .....................................................................................65

6.3.2 Usage Periods for the Public and Private Keys ..........................................65

6.4 ACTIVATION DATA ..............................................................................................65

6.4.1 Activation Data Generation and Installation ..............................................66

6.4.2 Activation Data Protection..........................................................................66

6.4.3 Other Aspects of Activation Data................................................................66

6.5 COMPUTER SECURITY CONTROLS .........................................................................66

6.6 LIFE-CYCLETECHNICAL CONTROLS......................................................................66

6.6.1 System Development Controls.....................................................................66

6.6.2 Security Management Controls....................................................................67

6.6.3 Life-Cycle Security Ratings ..........................................................................67

6.7 NETWORK SECURITY CONTROLS ..........................................................................676.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS.............................................67

7 CERTIFICATE AND CRL PROFILES................................................................ 67

7.1 CERTIFICATE PROFILE ..........................................................................................67

7.1.1 Version Number(s) .......................................................................................68

7.1.2 Certificate Extensions..................................................................................68

7.1.3 Algorithm Object Identifiers ........................................................................69

7.1.4 Name Forms.................................................................................................69

7.1.5 Name Constraints ........................................................................................69

7.1.6 Certificate Policy Object Identifier..............................................................697.1.7 Usage of Policy Constraints Extension .......................................................69

7.1.8 Policy Qualifiers Syntax and Semantics.......................................................70

7.1.9 Processing Semantics for the Critical Certificate Policy Extension............70

7.2 CRL PROFILE .......................................................................................................70

7.2.1 Version Number(s) .......................................................................................70

7.2.2 CRL and CRL Entry Extensions...................................................................70

8 SPECIFICATION ADMINISTRATION .............................................................. 71

8.1 SPECIFICATION CHANGE PROCEDURES..................................................................71

8.2 PUBLICATION AND NOTIFICATION POLICIES .........................................................71

8.3 CPS APPROVAL PROCEDURES ..............................................................................71

9 APPENDIX: ACES PRIVACY POLICY AND PROCEDURES........................... 1

9.1 ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS ................................1

9.1.1 Handling of Information ................................................................................2

9.1.2 Information Provided to Certificate Applicant..............................................3

9.1.3 Limitations on Collection, Maintenance and Dissemination of Data............3


6/91





vi

9.1.4 Notice of Existence of Records ......................................................................4

9.1.5 Access to Records by Covered Individual......................................................6

9.1.6 Amendment of Records ..................................................................................8

9.1.7 Disclosure Accounting..................................................................................13

9.1.8 Reports .........................................................................................................14

9.1.9 Certificate Issuance Warrants......................................................................14


7/91





1

1 INTRODUCTION

1.1 CPS Overview

This Certification Practices Statement (CPS) documents the internal practices and procedures

used by Digital Signature Trust Co. (DST). It covers the operation of systems and management

of facilities used to provide public key infrastructure (PKI) services described in the DST

Concept of Operations, which include Certification Authority (CA), Registration Authority

(RA), and repository functionality.

As with every CPS, a Certificate Policy (CP) provides additional specification of policies and

procedures applicable to a particular project, to a contract or set of contracts or contract forms,

or to a class of certificates issued. DST has multiple CPs under which certificates are issued,

and this CPS provides practices that are common to many of these CPs.

1.2 Policy Identification

This CPS is referred to as the DST ACES CPS. This CPS alone is not intended to provide the

basis for any contractual obligations.

DST has registered an Object Identifier (OID) under which it assigns CPS OIDs. This OID is

{joint-iso-ccitt (2) country (16) USA (840) US-company (1) DST (113839) certification-

practices (1)}. The DST ACES Certification Practices Statement Version 3.2 is assigned a


8/91




Certification Practices Statement2

separate OID under this arc of {joint-iso-ccitt (2) country (16) USA (840) US-company (1)

DST (113839) certification-practices (1) ACES (2)}.

1.3 Community and Applicability

The community of clients served by DST includes the following:

Clients of the DST CA service bureau requesting certificates issued under specific

certificate policies

Clients for SSL certificates requesting Web server certificates

Clients for repository services requesting certificates, certificate revocation lists

(CRLs), and other items from the DST directories.

People become clients of DST by signing contracts with DST that cover a set of services and

terms to be provided. For ACES, the ACES CP specifies three types of certificate holders:

Unaffiliated Individuals, Business Representatives and Qualified Relying Party Applications.

Thus, for each of the preceding communities, a subscriber contract exists (see 2.1.4), and, if

necessary, CAs, RAs, end entities, and repositories are created and run as desired by the client.

Many clients ask DST to run multiple CAs, RAs, and repositories on their behalf, while others

ask DST to only provide a repository and will perform CA and RA services themselves.


9/91





1.3.1 Approved Applications

Since individual DST clients define their own requirements for their requested services, the list of

approved applications is determined differently for each type of certificate according to each

certificate policy. There is no general set of applications for which DST approves use of

certificates.

1.3.2 Prohibited Applications

Since individual DST clients define their own requirements for their requested services, the list of

prohibited applications is determined differently for each type of certificate. There are no

applications of certificate or repository services that DST strictly prohibits for certificates.

1.4 Contact Details

DST's Customer Service Center is available between 7 a.m. and 6 p.m. Mountain Standard

Time (MST), Monday through Friday, excluding Federal holidays. DST's Customer Service

Center assists subscribers with certificate- and key-related issues. Such issues include, but are

not limited to, problems with key generation and certificate installation. Problems and inquiries

received that are not certificate-related are directed to the relevant government agency for

resolution with the subscriber. Those concerns can include, but are not limited to, problems with

accessing information and inquiries of a general nature.

For questions concerning ACES certificates, DST operations or the DST ACES CPS please

contact: Digital Signature Trust Co.

255 North Admiral Byrd Road

Salt Lake City, Utah 84116-3703

[email protected]

www.trustdst.com
mailto:[email protected]://www.digsigtrust.com/http://www.digsigtrust.com/mailto:[email protected]


10/91


11/91
http://www.trustdst.com/digital/signatures.html


12/91
http://www.gsa.gov/aces/aces_pol.htmlhttp://www.digsigtrust.com/projects/aces/cps.html


13/91
http://www.digsigtrust.com/projects/aces/cps.html


14/91





to any person without your prior consent, unless otherwise required by law, or except as may be necessary

for the performance of DST services under its contract with GSA and for auditing requirements. DST also

agrees to protect your personal information in a manner designed to ensure its integrity and to make

available to you, following an appropriate request and for correction if necessary, any information collected.

However, information contained in your ACES certificate and related status information are not private.

(That would defeat the purpose of an ACES certificate, which is to establish your identity with Qualified

Relying Parties.) DST may disclose such certificate-related identification information to Qualified RelyingParties in accordance with DST's contract with the GSA. Disclosure of system records to consumer

reporting systems is not permitted.

4. DST's Obligations as an ACES CA. In performing its duties as a government contractor under ACES,

DST warrants that:

(a) it has issued, and will manage, your ACES certificate in accordance with the requirements of the

CP;

(b) it has complied with all requirements of the CP when identifying You and issuing You an ACES

certificate;

(c) it knows of no misrepresentations of fact in the ACES certificate and that it has verified the

information in the ACES certificate;

(d) it has accurately transcribed information provided by You into the ACES certificate; and

(e) the ACES certificate meets the material requirements of the CP.

5. Your Obligations

5.1 Submit Correct Information. You represent and warrant to DST that all of the information You

submit in your application is accurate, current and complete and that You have provided DST with all

Material Facts (as defined in 10.4 below) necessary to confirm your identity and the reliability of the ACES

certificate to be issued. You further agree that for purposes of certificate issuance, certificate renewal and

certificate replacement, You will immediately inform DST if any Material Facts submitted by You change

(e.g., You have a change of address or a change in your legal name).

5.2. Binding Effect of Signed Message. For each electronic message that is digitally signed using

your Private Key corresponding to the Public Key listed in your ACES Certificate that was valid at the time

of such signing (Message), You represent and warrant, o nly to Qualified Relying Parties, that:

(a) for purposes of complying with any applicable law that requires a writing, such Message shall be

considered to be "in writing" or "written" to an extent no less than if it were in paper form;

(b) where You intended the Digital Signature as a signature, such Message shall be considered to be

"signed" to an extent no less than if it were undertaken using pen and paper;

(c) if introduced as evidence in any judicial, arbitration, mediation, or administrative proceedings, such

Message shall be admissible to the same extent and under the same conditions as Messages originated and

maintained in paper form; and

(d) You will not contest the admissibility of the Message under either the business records exception to thehearsay rule, the best evidence rule, or a comparable evidentiary rule on the basis that the Message was not

originated or maintained in paper form.

5.3. Protect Your Private Key. DST issues You an ACES Certificate based on a Public Key

that You send to DST. In Public Key Cryptography, a Key Pair of two mathematically related keys is

generated by computer software whereby a Public Key has a corresponding Private Key. The Key Pair is

stored on a computer, smart card, or some other cryptographic hardware device. To obtain an ACES

Certificate, You will need to submit a certificate request to DST containing your Public Key. (In most cases,

a Key Pair and certificate request will be generated by your Internet browser after You "Accept" this


15/91


16/91





may have been lost or otherwise compromised; (c) your ACES certificate has become unreliable; (d) a

Material Fact in your Certificate has changed or is no longer true; (e) You have violated any provision of

this Agreement or the CP; (f) You request revocation; (g) a governmental authority has lawfully ordered

DST to revoke your ACES certificate; (h) this Agreement terminates; or (i) there are any other grounds for

suspension or revocation. Your right to use your ACES certificate ceases immediately upon revocation of

your ACES certificate. If your certificate is revoked, DST will send you prompt notice of revocation. Once

your ACES certificate has been revoked, it cannot be used or reinstated.

5.6. Cease Using Your Certificate. You agree to immediately cease using your ACES certificate,

after notifying DST, in the following circumstances: (a) when You suspect or discover that the

private key corresponding to your ACES certificate has been or may be compromised; (b) when a

Material Fact in your ACES certificate has changed or is no longer true, (c) upon the revocation or

expiration of your ACES certificate, or (d) upon termination of this Agreement.

5.7. Indemnification. You agree to indemnify and hold DST and its affiliates harmless from any

and all liabilities, costs and expenses, including reasonable attorneys' fees, related to: any

misrepresentation or omission of Material Fact, whether intentional or not, made by You to DST;

any violation of this Agreement or the CP by You or authorized users of your Certificate; or any

misuse of your ACES certificate.

6. DISCLAIMER OF WARRANTIES. DST DISCLAIMS ANY AND ALL WARRANTIES OF ANY TYPE,

WHETHER EXPRESS OR IMPLIED, THAT ARE NOT SPECIFICALLY PROVIDED HEREIN OR ITS

CONTRACT WITH THE GSA, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT

WITH REGARD TO DST SERVICES OR ANY CERTIFICATE ISSUED HEREUNDER.

7. LIMITATION OF LIABILITY. DST SHALL NOT BE LIABLE FOR CONSEQUENTIAL, INDIRECT,

SPECIAL, OR INCIDENTAL DAMAGES, EVEN IF DST HAS BEEN ADVISED OF THE POSSIBILITY OF

SUCH DAMAGES.

8. Dispute Resolution Provisions. This Agreement shall be governed by, and interpreted and

construed under, the laws of the United States, and the parties agree that the United Nations Convention onContracts for the International Sale of Goods shall not apply to this Agreement.

If any provision of this Agreement is found to be invalid or unenforceable, then such documents

shall be deemed amended by modifying such provision to the extent necessary to make it valid and

enforceable while preserving its intent or, if that is not possible, by striking the provision and enforcing the

remainder of this Agreement.

Except for a controversy, claim, or dispute involving the federal government of the United States,

or where the federal government may ultimately be responsible for satisfaction of a judgment or claim, or a

"Core Proceeding" under the United States Bankruptcy Code, the parties agree to submit any controversy,

claim, or dispute, whether in tort, contract, or otherwise (and their respective employees, officers, directors,

attorneys, and other agents) arising out of or related in any way to this Agreement that cannot be resolved

by communications among the parties, for resolution by binding arbitration by a single arbitrator andjudgment upon the award rendered by the arbitrator may be entered in any court having jurisdiction over the

parties. The arbitrator shall have no authority to impose penalties or award punitive damages. Binding

arbitration will be governed by the Federal Arbitration Act (Title 9 of the United States Code) and be

conducted in accordance with the Commercial Arbitration Rules of the American Arbitration Association

("AAA"). Each party shall bear its costs for the arbitration; however, upon award of any judgment or

conclusion of arbitration, the arbitrator shall award the prevailing party the costs it expended in such

arbitration. Unless the arbitrator otherwise directs, the parties, their representatives, other participants, and

the arbitrator shall hold the existence, content, and result of the arbitration in confidence. This arbitration


17/91





requirement does not limit the right of either party to obtain provisional ancillary remedies such as injunctive

relief or the appointment of a receiver, before during or after the pendency or any arbitration proceeding.

This exclusion does not constitute a waiver of the right or obligation of either party to submit any dispute to

arbitration.

9. Survival. Sections 3, 4, 5, 6, 7 and 8 shall survive any termination or expiration of this Agreement.

10. Definitions

10.1 Certificate (ACES Certificate): A computer-based record or electronic message issued by DST

pursuant to its role as a Ce rtification Authority that: (a) identifies DST as the Certification Authority issuing

it; (b) names or identifies a Subscriber; (c) contains the Public Key of the Subscriber; (d) identifies the

Certificates operational period; (e) is digitally signed by DST; and (f) has the meaning ascribed to it in

accordance with applicable standards. A Certificate includes not only its actual content but also all

documents expressly referenced or incorporated in it.

10.2 Digital Signature: A Digital Signature is a transformation of a Message using Public Key Cryptography

so that a person having the communication and the Subscriber's Public Key can accurately determine (1)

whether the transformation was created using the Private Key corresponding to the Subscriber's Public Key,

and (2) whether the communication has been altered since the transformation was made. It does not involvea handwritten signature.

10.3 Key Pair: In Public Key Cryptography, a Key Pair is two mathematically related keys (a Private Key and

its corresponding Public Key), having the properties that (i) one key can be used to encrypt a message that

can only be decrypted using the other key, and (ii) even knowing one key, it is computationally infeasible to

discover the other key.

10.4 Material Fact: The phrase, "Material Fact," shall have the following meanings for the following

circumstances as used in this Agreement:

For Certificate Issuance ( 1 & 5.1): Material Facts are all facts requested by DST as part of the enrollment,

certificate issuance, certificate replacement and certificate renewal processes, which are relied upon by DST

to confirm a Subscriber's identity and to bind the Subscriber's identity to the Public/Private Key Pair

certified.

For Facts Contained in the Certificate and giving rise to the Subscriber's Duty to Request Revocation of the

Certificate ( 5.4 5.6): Material Facts are the Subscriber's Legal Name and Public/Private Key Pair.

For misrepresentations or omissions of Material Fact giving rise to the Subscriber's duty to idemnify DST

(5.7): "Material Fact" means all of the above.

10.5 Private Key: In Public Key Cryptography, a Private Key is the key of a Key Pair kept secret by its

holder and can be used by its holder to encrypt or decrypt messages corresponding to the Public Key. The

Private Key is used to create a Digital Signature.

10.6 Public Key: In Public Key Cryptography, a Public Key is the key of a Key Pair publicly disclosed by

the holder of the corresponding Private Key and is used by the recipient to encrypt or decrypt messages

corresponding to the Private Key. The Public Key is used to verify a Digital Signature.

10.7 Public Key Cryptography: A form of cryptography (a process of creating and deciphering

communications to keep them secure) in which two keys are used. One key encrypts a message, and the

other key decrypts the message. One key is kept secret (Private Key), and one is made available to others

(Public Key). These keys are, in essence, large mathematically related numbers that form a unique pair.

Either key may be used to encrypt a message, but only the other corresponding key may be used to decrypt

the message.


18/91
http://www.gsa.gov/aces/aces_pol.htmlhttp://www.digsigtrust.com/docs/policieshttp://www.digsigtrust.com/pdsb.html


19/91


20/91
http://www.digsigtrust.com/projects/aces/cps.html


21/91





However, information contained in your ACES certificate and related status information are not private.

(That would defeat the purpose of an ACES certificate, which is to establish your identity with Qualified

Relying Parties.) DST may disclose such certificate-related identification information to Qualified Relying

Parties in accordance with DST's contract with the GSA. Disclosure of system records to consumer

reporting systems is not permitted.

4. DST's Obligations as an ACES CA. In performing its duties as a government contractor underACES, DST warrants that:

(a) it has issued, and will manage, your ACES Certificate in accordance with the requirements of the CP;

(b) it has complied with all requirements of the CP when identifying You and issuing You an ACES

Certificate;

(c) it knows of no misrepresentations of fact in the ACES Certificate and that it has verified the

information in the ACES Certificate;

(d) it has accurately transcribed information provided by You into the ACES Certificate; and

(e) the ACES Certificate meets the material requirements of the CP.

5. Your Obligations

5.1. Submit Correct Information. You represent and warrant to DST that all of the

information You submit in your application form including but not limited to Your Organizationname is accurate, current and complete and that You have provided DST with all Material Facts

(as defined in 10.4 below) necessary to confirm your identity and to the reliability of the Certificate

to be issued. You further agree that for purposes of certificate issuance, certificate renewal and

certificate replacement, You will immediately inform DST if any Material Facts submitted by You

change (e.g., You have a change of employment, change of address or a change in your legal

name).You also represent and warrant that You are authorized to use Your Organizations name

that You designated in your application form. You also agree to inform Your Organization that You

have applied for a Certificate.

5.2. Binding Effect of Signed Message. For each electronic message that is digitally signed using

your Private Key corresponding to the Public Key listed in your Certificate that was valid at the time of

such signing (Message), You represent and warrant, only to Qualified Relying Parties, that:

(a) for purposes of complying with any applicable law that requires a writi

considered to be "in writing" or "written" to an extent no less than if it were in paper form;

(b) where You intended the Digital Signature as a signature, such Message shall be considered to be

"signed" to an extent no less than if it were undertaken using pen and paper;

(c) if introduced as evidence in any judicial, arbitration, mediation, or administrative proceedings, such

Message shall be admissible to the same extent and under the same conditions as messages originated and

maintained in paper form; and

(d) You will not contest the admissibility of the Message under either the business records exception to the

hearsay rule, the best evidence rule, or a comparable evidentiary rule on the basis that the Message was notoriginated or maintained in paper form.

5.3. Protect Your Private Key. DST issues You a Certificate based on a Public Key that You

send to DST. In Public Key Cryptography, a Key Pair of two mathematically related keys is generated by

computer software whereby a Public Key has a corresponding Private Key. The Key Pair is stored on a

computer, smart card, or some other cryptographic hardware device. To obtain a Certificate, You will need

to submit a certificate request to DST containing your Public Key. (In most cases, a Key Pair and certificate

request will be generated by your Web browser after You "Accept" this Agreement and click "Continue" on


22/91


23/91





discretion, determines that: (a) the Certificate was not properly issued or was obtained by fraud; (b) the

security of the Private Key corresponding to the Certificate has or may have been lost or otherwise

compromised; (c) the Certificate has become unreliable; (d) Material Facts in the Certificate have changed or

become untrue (e.g., You are no longer affiliated with Your Organization); (e) You or Your Organization have

violated any applicable agreement or obligation; (f) You or Your Organization requests revocation; (g) a

governmental authority has lawfully ordered DST to revoke your Certificate; (h) this Agreement terminates;

or (j) there are any other grounds for revocation. Your right to use your Certificate ceases immediately uponrevocation of your Certificate. Once Your Certificate has been revoked, it cannot be used or reinstated.

5.6. Cease Using Your ACES Business Representative Certificate. You agree to

immediately cease using your Certificate in the following circumstances: (a) when You suspect or

discover that the Private Key corresponding to your Certificate has been or may be compromised

or subjected to unauthorized use in any way; (b) when a Material Fact in the Certificate has

changed or is no longer true, (c) upon the revocation or expiration of your Certificate, or (d) upon

termination of this Agreement.

5.7. Indemnification. You agree to indemnify and hold DST and its affiliates harmless

from any and all liabilities, costs, and expenses, including reasonable attorneys' fees, related to:

any misrepresentation or omission of Material Fact, whether intentional or not, made by You or

Your Organization to DST; any violation of this Agreement or the CP by You or authorized users ofyour Certificate; or any misuse of your ACES certificate.

6. DISCLAIMER OF WARRANTIES. DST DISCLAIMS ANY AND ALL WARRANTIES OF ANY TYPE,

WHETHER EXPRESS OR IMPLIED, THAT ARE NOT SPECIFICALLY PROVIDED HEREIN OR ITS

CONTRACT WITH THE GSA, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT

WITH REGARD TO DST SERVICES OR ANY ACES BUSINESS REPRESENTATIVE CERTIFICATE ISSUED

HEREUNDER.

7. Limitation of Liability. DST shall not be liable for any consequential, indirect, special, or incidental

damages, and in no event shall DST be liable to You or Your Organization for damages in excess of amountspaid to DST by You or Your Organization under this Agreement, including, without limitation, damages

arising from loss of use or business interruption, even if DST has been advised of the possibility of such

loss.

8. Dispute Resolution Provisions. This Agreement shall be governed by, interpreted and construed

under the laws of the United States and the Parties agree that the United Nations Convention on Contracts

for the International Sale of Goods shall not apply to this Agreement. If any provision of this Agreement is

found to be invalid or unenforceable, then such document shall be deemed amended by modifying such

provision to the extent necessary to make it valid and enforceable while preserving its intent or, if that is not

possible, by striking the provision and enforcing the remainder of this Agreement.

Except for a controversy, claim, or dispute involving the federal government of the United States,

or where the federal government may ultimately be responsible for satisfaction of a judgment or claim, or a

"Core Proceeding" under the United States Bankruptcy Code, the parties agree to submit any controversy,claim, or dispute, whether in tort, contract, or otherwise (and their respective employees, officers, directors,

attorneys, and other agents) arising out of or related in any way to this Agreement, that cannot be resolved

by communications among the parties, for resolution by binding arbitration by a single arbitrator and

judgment upon the award rendered by the arbitrator may be entered in any court having jurisdiction over the

parties. The arbitrator shall have no authority to impose penalties or award punitive damages. Binding

arbitration will be governed by the Federal Arbitration Act (Title 9 of the United States Code) and be

conducted in accordance with the Commercial Arbitration Rules of the American Arbitration Association

("AAA"). Each party shall bear its costs for the arbitration; however, upon award of any judgment or


24/91





conclusion of arbitration, the arbitrator shall award the prevailing party the costs it expended in such

arbitration. Unless the arbitrator otherwise directs, the parties, their representatives, other participants, and

the arbitrator shall hold the existence, content, and result of the arbitration in confidence. This arbitration

requirement does not limit the right of either party to obtain provisional ancillary remedies such as injunctive

relief or the appointment of a receiver, before during or after the pendency or any arbitration proceeding.

This exclusion does not constitute a waiver of the right or obligation of either party to submit any dispute to

arbitration.

9. Survival. Sections 4, 5, 6, 7, 8 and the Authorization Form provisions of this Agreement shall

survive any termination or expiration of this Agreement.

10. Definitions

10.1 Certificate (ACES Certificate): A computer-based record or electronic message issued by DST

pursuant to its role as a Certification Authority that: (a) identifies DST as the Certification Authority issuing

it; (b) names or identifies a Subscriber; (c) contains the Public Key of the Subscriber; (d) identifies the

Certificates operational period; (e) is digitally signed by DST; and (f) has the meaning ascribed to it in

accordance with applicable standards. A Certificate includes not only its actual content but also all

documents expressly referenced or incorporated in it.




and (2) whether the communication has been altered since the transformation was made. It does not involve

a handwritten signature.





10.4 Material Fact: The phrase, "Material Fact," shall have the following meanings for the following

circumstances as used in this Agreement:

For Certificate Issuance ( 1 & 5.1): Material Facts are all facts requested by DST as part of the enrollment,

certificate issuance, certificate replacement and certificate renewal processes, which are relied upon by DST

to confirm a Subscriber's identity and to bind the Subscriber's identity to the Public/Private Key Pair

certified.

For Facts Contained in the Certificate and giving rise to the Subscriber's Duty to Request Revocation of the

Certificate ( 5.4 5.6): Material Facts are the Subscriber's Legal Name, Organizational Affiliation and

Public/Private Key Pair.

For misrepresentations or omissions of Material Fact giving rise to the Subscriber's duty to idemnify DST

(5.7): "Material Fact" means all of the above.

10.5 Private Key: In Public Key Cryptography, a Private Key is the key of a Key Pair kept secret by its

holder and can be used by its holder to encrypt or decrypt messages corresponding to the Public Key. ThePrivate Key is used to create a Digital Signature.

10.6 Public Key: In Public Key Cryptography, a Public Key is the key of a Key Pair publicly disclosed by

the holder of the corresponding Private Key and is used by the recipient to encrypt or decrypt messages


10.7 Public Key Cryptography: A form of cryptography (a process of creating and deciphering

communications to keep them secure) in which two keys are used. One key encrypts a message, and the


25/91





other key decrypts the message. One key is kept secret (Private Key), and one is made available to others

(Public Key). These keys are, in essence, large mathematically related numbers that form a unique pair.

Either key may be used to encrypt a message, but only the other corresponding key may be used to decrypt

the message.

10.8 Qualified Relying Party: A federal agency or other recipient of a digitally signed message authorized by

the CP to rely on an ACES Certificate and that has entered into a Memorandum of Understanding with theGeneral Services Administration to participate in the ACES Program to verify the digital signature on the

message.

10.9 Repository: A database containing information and data relating to ACES Certificates, including

information relating to ACES Certificate status as valid or revoked.

10.10 Subscriber: A person that (a) is named or identified in a certificate as the "subject" of the Certificate,

and (b) holds a Private Key that corresponds to a Public Key listed in that Certificate.

___________________________________________________

BY CLICKING ON THE ACCEPT BUTTON BELOW, YOU ARE AGREEING TO BE LEGALLYBOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT AS IF YOU HAD SIGNED

IT. IF YOU CHOOSE NOT TO ACCEPT THIS AGREEMENT, CLICK THE DECLINE BUTTON

BELOW, IN WHICH CASE YOU MAY NOT APPLY FOR AN ACES BUSINESS

REPRESENTATIVE CERTIFICATE.

BY CLICKING ON THE "ACCEPT" BUTTON BELOW, YOU REPRESENT AND WARRANT

THAT (1) YOU ARE AUTHORIZED TO HOLD A CERTIFICATE ASSOCIATING YOU WITH THE

ORGANIZATION IDENTIFIED IN YOUR APPLICATION, (2) YOUR ORGANIZATION IS THE

ENTITY THAT IT IS REPRESENTED TO BE IN THE APPLICATION, AND (3) YOU ARE

AUTHORIZED TO ENTER INTO THIS AGREEMENT WITH DST.

[ACCEPT] [DECLINE]

INSTRUCTIONS FOR ACES BUSINESS REPRESENTATIVE

AUTHORIZATION FORM

Thank you for choosing Digital Signature Trust Co. ("DST") to issue you an ACES business representative

certificate.

ACES business representative certificates are issued to individuals, such as employees, officers, and agents

(Business Representatives) who are authorized to act on behalf of business entities ("Sponsoring

Organizations") that have been validated by DST.

To complete your enrollment as an ACES Business Representative, you must complete the following steps:

Please take the following ACES Business Representative Authorization Form ("Authorization Form") Part

I to an officer in your Organization who can sign on behalf of your Organization and represent to DST that

You are a duly-authorized representative, have them sign it and return it to you for submission to DST (a

Glossary of Terms is included at page 4 of this document to define some of the terms used in this Form);

Take Part II of the Authorization Form to a licensed Notary employed by your Organization or a financial

institution (most banks have notaries on staff);


26/91





Present the Notary with Part II of the Authorization Form and a current, valid driver's license or state-issued

ID card;

Sign the Form in the presence of the Notary;

Have the Notary verify your identity by reviewing and recording the information on the photo ID card;

Make sure the Notary has properly notarized your signature and affixed his or her raised seal or colored ink

stamp;

Record the name and place where you had the Form notarized; and

Make and keep a copy of both Part I and II of the Form and

send the signed originals by courier or mail to:

ACES


255 Admiral Byrd RoadSalt Lake City UT 84116

ACES Business Representative Authorization Form Part I

THIS AUTHORIZATION is given by a Sponsoring Organization ("Organization"), identified below, to

Digital Signature Trust Co. ("DST"), a Utah corporation with its principal place of business at 255 Admiral

Byrd Road, Salt Lake City, Utah 84116 U.S.A (www.trustdst.com) and a Certification Authority

("CA") under contract with the federal government for the Access Certificates for Electronic Services

("ACES") program. Capitalized terms are defined in Part III of this Authorization Form.

WHEREAS Organization desires to authorize, and DST desires to perform (free of charge under its contractwith the General Services Administration), the issuance of an ACES Business Representative Certificate

("Certificate") that will identify "Subscriber," identified below, as being employed, associated, affiliated with

or authorized by Organization and will certify Subscriber's Public Key (in "Public Key Infrastructures" like

ACES, a Public/Private Key Pair is held by the Subscriber, the Private Key is kept secure and used to create

Digital Signatures, and the Public Key is held openly, certified by a CA, and used to authenticate network

access and Digital Signatures),

1. DST and Organization agree that:

(a) DST or Organization, in its sole discretion, may terminate this Authorization and revoke the Certificate

at any time and for any reason;

(b) DST will revoke the Certificate promptly upon confirming that the person making the revocation request

is authorized to do so or upon otherwise determining that the Certificate should be revoked; and

(c) Irrespective of the place of performance, this Authorization shall be construed, interpreted, andenforced in accordance with the substantive laws of the State of Utah, without regard to its conflicts of

law rules.

2. Organization warrants, represents and agrees that:

(a) Organization is duly-organized and validly-existing under the laws of its state of organization and has

full right and authority to use the Organization's name, given below, to grant this authorization, and to

perform all obligations required of it hereunder;


27/91





(b) Subscriber is a duly-authorized representative of the Organization as an employee, partner, member,

agent, or other associate, and DST is hereby authorized to issue a Certificate to Subscriber that

identifies Subscriber as being employed, associated, affiliated with and/or authorized by Organization;

(c) Federal agencies, and other government-authorized recipients of messages signed with Subscriber's

Private Key, may rely on such messages to the same extent as though they were manually signed by the

Subscriber listed in a valid, unrevoked and unexpired Certificate issued by DST (Certificates have a two-

year lifetime);(d) All information provided to DST by Organization will be accurate, current and complete and that

Organization will immediately notify DST and request that the Certificate be revoked if: (1) Organization

suspects any loss, disclosure, or other compromise of the Subscriber's Private Key; (2) information

contained in the Certificate is no longer accurate or current (e.g., the Subscriber changes his or her

name); or (3) Subscriber is no longer employed by, associated with, authorized by or affiliated with

Organization; and

(e) DST does not assume, nor should it be exposed to, the business and operational risks associated with

Organization's business, and Organization will hold DST, its subcontractors, affiliates, and employees

harmless from any and all liabilities, costs, and expenses, including reasonable attorneys' fees, related to

the services provided to Subscriber or in connection with any performance under this Authorization.

The undersigned personally warrants and represents that he or she has authority to accept the terms and

conditions of this Authorization and to bind the Organization by his or her signature.

_____________________________________ ___________________________________

Print Subscriber Name Organization Officer Signs Here

_____________________________________ By: ________________________________

Print Sponsoring Organization Name Print Name Here

_____________________________________ Its: ________________________________

Address Print Officer's Title Here

_____________________________________ Date: _________________________________

ACES Business Representative Authorization Form Part II

INSTRUCTIONS FOR NOTARY

FOR THE PURPOSES OF THIS DOCUMENT, PERSONAL ACQUAINTANCE WITH THE INDIVIDUAL IS

INSUFFICIENT. You must: 1) review a current government-issued ID containing the individual's name and

photograph, 2) verify that such photo ID information is protected against forgery, modification, or

substitution, and 3) record below the serial number and type of government-issued ID presented by the

applicant. You should also record in your notarys journal the ID serial number of the identification that

was presented to you.

The undersigned applicant warrants, represents, and attests that all facts and information provided areaccurate, current and complete and that he or she: a) is authorized to receive, and has applied electronically

for, a digital certificate to be issued by DST; b) has read and accepts the personal identifying information to

be contained in the certificate; c) is who he or she represents himself or herself to be; and d) has read,

understood, and agrees to the responsibilities associated with being a certificate subscriber, including the

terms and conditions found in the on-line ACES Business Representative Certificate Agreement. The

applicant agrees to: 1) accurately represent him or herself in all communications with DST and Qualified

Relying Parties; 2) protect his or her private key at all times; 3) immediately notify DST if he or she suspects

his or her private key to have been compromised, stolen or lost; and 4) use his or her key only for authorized


28/91





business as allowed by the ACES Program.

Signed By: ______________________________________

(Sign Only In The Presence Of Notary)

Print ___________________________________ E-mail Address

________________________________First Name, Middle Initial, Last Name

ACKNOWLEDGEMENT

State of ______________________

County of ____________________

I hereby certify that on this ___ day of ____________________, _______, personally appeared

before me the signer and subject of the above form, who signed or attested t he same in my presence, and

presented the following government-issued photo ID card as proof of their identity:

________________________ ___________________ ______ ___________Exact Name Listed on Photo ID Serial Number of Photo ID Expiration ID Type

Notary Public___________________________

Residing in: ___________________________

My Commission Expires: _______________

______________________________________

Street Address of Branch or Office

Space Reserved for Notary Seal

_________________________________

Name of Organization Employing Notary

PART III - TERMS USED IN THE BUSINESS REPRESENTATIVE AUTHORIZATION FORM

Agency: A federal agency, authorized federal contractor, agency-sponsored university or laboratory, or

when authorized by law or regulation, a state, local, or tribal government.

Application: A computer program or web-based interface used by an Agency to interact with Subscribers.

Business Representative: The Subscriber of a Certificate that identifies the Subscriber as being employed,

associated, affiliated with or authorized by a Sponsoring Organization.

Certificate: A computer-based record or electronic message issued by DST that: (a) identifies DST as the

Certification Authority issuing it; (b) names or identifies a Subscriber and the Subscriber's Organization; (c)

contains the Public Key of the Subscriber; (d) identifies the Certificates operational period; (e) is digitally

signed by DST; and (f) has the meaning ascribed to it in accordance with applicable standards. A Certificate

includes not only its actual content but also all documents expressly referenced or incorporated in it.

Certification Authority. A Certification Authority is an entity that is responsible for authorizing and causing

the issuance of a Certificate.


29/91





Certification Practice Statement. A Certification Practice Statement is a statement of the practices that a

Certification Authority employs in issuing, suspending, revoking, and renewing Certificates and providing

access to same, in accordance with the requirements of a contract for certificate services.

Digital Signature: A Digital Signature is a transformation of an electronic message using Public Key

Cryptography so that a person having the communication and the Subscriber's Public Key can accuratelydetermine (1) whether the transformation was created using the Private Key corresponding to the

Subscriber's Public Key, and (2) whether the communication has been altered since the transformation was

made. It does not involve a handwritten signature.

Key Pair: In Public Key Cryptography, a Key Pair is two mathematically related keys (a Private Key and its

corresponding Public Key), having the properties that (i) one key can be used to encrypt a message that can

only be decrypted using the other key, and (ii) even knowing one key, it is computationally infeasible to


Private Key: In Public Key Cryptography, a Private Key is the key of a Key Pair kept secret by its holder

and can be used by its holder to encrypt or decrypt messages corresponding to the Public Key. The Private

Key is used to create a Digital Signature.

Public Key: In Public Key Cryptography, a Public Key is the key of a Key Pair publicly disclosed by the

holder of the corresponding Private Key and is used by the recipient to encrypt or decrypt messages


Public Key Cryptography: A form of cryptography (a process of creating and deciphering communications

to keep them secure) in which two keys are used. One key encrypts a message, and the other key decrypts

the message. One key is kept secret (Private Key), and one is made available to others (Public Key). These

keys are, in essence, large mathematically-related numbers that form a unique pair. Either key may be used to

encrypt a message, but only the other corresponding key may be used to decrypt the message.

Qualified Relying Party: A federal agency or other recipient of a digitally signed message authorized by the

CP to rely on an ACES Certificate and that has entered into a Memorandum of Understanding with the

General Services Administration to participate in the ACES Program to verify the Digital Signature on the

message.

Responsible Individual. A trustworthy person designated by a Sponsoring Organization to authenticate

individual applicants seeking certificates on the basis of their affiliation with the Sponsoring Organization.

Sponsoring Organization. A business entity, government agency, or other organization with which a

Business Representative is affiliated (e.g., as an employee, agent, member, user of a service, business

partner, customer, etc.).

Subscriber: A person (e.g., a Business Representative) that (a) is named or identified in a Certificate as its

subject, and (b) holds a Private Key that corresponds to a Public Key listed in that Certificate.

2.1.4.3 Qualified Relying Party Applications

ACES QUALIFIED RELYING PARTY CERTIFICATE AGREEMENT

IMPORTANT NOTICE: Digital Signature Trust Co. ("DST," "Us," "We," or Our) provides Certificate

Services under the Access Certificates for Electronic Services ("ACES") program under Contract

#GS00T99ALD0006 with the General Services Administration ("the GSA Contract"). This ACES Qualified


30/91
http://www.gsa.gov/aces/aces_pol.htmlhttp://www.digsigtrust.com/docs/policieshttp://www.digsigtrust.com/pdsb.html


31/91


32/91





confirmed that the person making the revocation request is authorized to do so. DST may also revoke the

Certificate without advance notice if DST, in its sole discretion, determines that: (a) the Certificate was not

properly issued or was obtained by fraud; (b) the security of the Private Key corresponding to the

Certificate has or may have been lost or otherwise compromised; (c) the Certificate has become unreliable;

(d) material information in the Certificate has changed (i.e., the name of the Application changes or the Key

Pair is no longer used with the Application); (e) You or Your Organization have violated any applicable

agreement or obligation; (f) You or Your Organization requests revocation; (g) a governmental authority haslawfully ordered DST to revoke the Certificate; (h) this Agreement terminates; or (j) there are any other

grounds for revocation. Your Organization's right to use the Certificate ceases immediately upon revocation

of the Certificate. Once a Certificate has been revoked, it cannot be used or reinstated.

3.6. Cease Using the ACES Certificate. You agree to immediately cease using the Certificate in the

following circumstances: (a) when You suspect or discover that the Private Key corresponding to

the Certificate has been or may be compromised or subjected to unauthorized use in any way; (b)

when information contained in the Certificate is no longer accurate, current, or complete, (c) upon

the revocation or expiration of the Certificate, or (d) upon termination of this Agreement.

4. Other Agreements. Unless otherwise provided herein, DST's warranties and liabilities shall be limited as

provided in the GSA Contract, and any amendments or modifications thereto.

5. Definitions

5.1 Agency: A federal agency, authorized federal contractor, agency-sponsored university or laboratory,

or when authorized by law or regulation, a state, local, or tribal government.

5.2 Application: A computer program or web-based interface used by an Agency to interact with

Subscribers.

5.3 Authorized Certification Authority: A Certification Authority that meets the qualifications of Section

1.3.1 of the CP.

5.4 Business Representative: The Subscriber of a Certificate that identifies the Subscriber as being

employed, associated, affiliated with or authorized by a Sponsoring Organization.

5.5 Certificate (ACES Certificate): A computer-based record or electronic message issued by DST pursuant

to its role as a Certification Authority that: (a) identifies DST as the Certification Authority issuing it; (b)

names or identifies a Subscriber; (c) contains the Public Key of the Subscriber; (d) identifies the Certificates

operational period; (e) is digitally signed by DST; and (f) has the meaning ascribed to it in accordance with

applicable standards. A Certificate includes not only its actual content but also all documents expressly

referenced or incorporated in it.




and (2) whether the communication has been altered since the transformation was made. It does not involvea handwritten signature.






33/91


34/91





To complete your enrollment for an ACES QRP certificate, you must complete the following steps. A

Glossary of Terms is included below that explains some of the terms used in this Form.

After completing the informational sections, please take this Form to your supervisor or some other official

who can sign on behalf of the Qualified Relying Party and represent to DST that You are duly-authorized to

manage the Agency Application, and have them sign this Form.

Make and keep a copy of this Form and

send the signed original by courier or mail to:

ACES


255 Admiral Byrd Road

Salt Lake City UT 84116-3703

ACES Qualified Relying Party Authorization Form

THIS AUTHORIZATION is given by "Qualified Relying Party" and "Applicant," identified below, to Digital

Signature Trust Co. ("DST"), a Utah corporation and Certification Authority with its principal place of

business at 255 Admiral Byrd Road, Salt Lake City, Utah 84116-3703 (http://www.trustdst.com).

Qualified Relying Party authorizes DST to issue an ACES Qualified Relying Party Application Certificate

("Certificate") and deliver it to "Applicant," who has been authorized by Qualified Relying Party to manage

Qualified Relying Party's Agency Application.

1. Qualified Relying Party and Applicant warrant, represent and agree that:

(a) Applicant is duly-authorized by Qualified Relying Party to act on behalf of Qualified Relying Party and

to manage and control (1) Qualified Relying Party's Agency Application, (2) the Application'sPrivate/Public Key Pair, (3) the Certificate to be issued by DST and (4) communications between DST

and Qualified Relying Party's Application;

(b) Applicant has the association or relationship with Qualified Relying Party's Application identified

below;

(c) Qualified Relying Party and Applicant have read, understood, and agree to the responsibilities

associated with subscribing to Certificate, including the terms and conditions found in the online ACES

Qualified Relying Party Certificate Agreement;

(d) The Application's Private/Public Key Pair will only be used for purposes authorized by the GSA's ACES

Certificate Policy/the GSA Contract;

(e) Qualified Relying Party and Applicant will protect the Private Key at all times;

(f) Applicant shall ensure that any and all individuals who may have access to the Private Key are advised

of the responsibilities of Private Key safekeeping, along with the consequences that can accompany

the improper use or disclosure of a Private Key.

(g) All facts and information provided to DST by Qualified Relying Party and Applicant have been and will

be accurate, current and complete and that Qualified Relying Party and Applicant will immediately

notify DST and request that the Certificate be revoked if: (1) Qualified Relying Party or Applicant

suspects any loss, disclosure, or other compromise of the Application's Private Key; (2) information

contained in the Certificate is no longer accurate or current; or (3) the Private Key is no longer used by,

associated with, authorized by or affiliated with Qualified Relying Party or the Qualified Relying Party's

Application; and
http://www.digsigtrust.com/http://www.digsigtrust.com/


35/91





(h) DST is hereby authorized to issue a Certificate and deliver it to Applicant for use with Qualified Relying

Party's Application.

Applicant (Person Authorized to Receive Certificate for Qualified Relying Party Application)

PRINT NAME___________________________________ SIGN HERE _______________________

LAST FIRST MI

AGENCY APPLICATION NAME

__________________________________________________________________________________

APPLICANT'S RELATIONSHIP TO APPLICATION

___________________________________________________________________________

QUALIFIED RELYING PARTY

NAME___________________________________________________________________________

IF AGENCY OR BUREAU, DEPT. NAME

_______________________________________________________________________________

MAILING

ADDRESS________________________________________________________________________

STREET ADDRESS SUITE/MAILSTOP

_________________________________________________________________________________

CITY STATE ZIP COUNTRY

TELEPHONE_____________________ FAX__________________________

E-MAIL________________

AUTHORIZING OFFICIAL OF QUALIFIED RELYING PARTY

PRINT NAME_________________________________ SIGN HERE ____________________________

LAST FIRST MI

MAILING ADDRESS (If different than

above)_____________________________________________________________________________

MAILING ADDRESS

__________________________________________________________________________________

___

CITY STATE ZIP COUNTRY


36/91





TELEPHONE__________________________FAX______________________

E-MAIL_______________________

GLOSSARY OF TERMS USED IN THE AUTHORIZATION

Agency: A federal agency, authorized federal contractor, agency-sponsored university or laboratory, or

when authorized by law or regulation, a state, local, or tribal government.

Application: A computer program or web-based interface used by an Agency to interact with Subscribers.

Certificate: A computer-based record or electronic message issued by DST that: (a) identifies DST as the

Certification Authority issuing it; (b) names or identifies a Subscriber and the Subscriber's Organization; (c)

contains the Public Key of the Subscriber; (d) identifies the Certificates operational period; (e) is digitally

signed by DST; and (f) has the meaning ascribed to it in accordance with applicable standards. A Certificate

includes not only its actual content but also all documents expressly referenced or incorporated in it.

Certification Authority. A Certification Authority is an entity that is responsible for authorizing and causing

the issuance of a Certificate.

Digital Signature: A Digital Signature is a transformation of an electronic message using Public Key

Cryptography so that a person having the communication and the Subscriber's Public Key can accurately

determine (1) whether the transformation was created using the Private Key corresponding to the

Subscriber's Public Key, and (2) whether the communication has been altered since the transformation was

made. It does not involve a handwritten signature.

Key Pair: In Public Key Cryptography, a Key Pair is two mathematically related keys (a Private Key and its

corresponding Public Key), having the properties that (i) one key can be used to encrypt a message that can

only be decrypted using the other key, and (ii) even knowing one key, it is computationally infeasible to


Private Key: In Public Key Cryptography, a Private Key is the key of a Key Pair kept secret by its holder

and can be used by its holder to encrypt or decrypt messages corresponding to the Public Key. The PrivateKey is used to create a Digital Signature.

Public Key: In Public Key Cryptography, a Public Key is the key of a Key Pair publicly disclosed by the

holder of the corresponding Private Key and is used by the recipient to encrypt or decrypt messages


Public Key Cryptography: A form of cryptography (a process of creating and deciphering communications

to keep them secure) in which two keys are used. One key encrypts a message, and the other key decrypts

the message. One key is kept secret (Private Key), and one is made available to others (Public Key). These

keys are, in essence, large mathematically-related numbers that form a unique pair. Either key may be used to

encrypt a message, but only the other corresponding key may be used to decrypt the message.

Qualified Relying Party: A federal agency or other recipient of a digitally signed message authorized by theCP to rely on an ACES Certificate and that has entered into a Memorandum of Understanding with the

General Services Administration to participate in the ACES Program to verify the Digital Signature on the

message.

Responsible Individual. A trustworthy person designated by a Sponsoring Organization to authenticate

individual applicants seeking certificates on the basis of their affiliation with the Sponsoring Organization.


37/91





Subscriber: An Agency (or person) or an Application (software program or electronic device) that (a) is

named or identified in a Certificate as its subject, and (b) holds a Private Key that corresponds to a Public

Key listed in that Certificate.

2.1.5 Relying Party Rights and Obligations

Typically, DST will provide a limited level of assurance for each certificate. A relying party will

be required to sign appropriate contracts that detail any relying party rights and obligations.

Relying party rights and obligations may include the following:

Rely reasonably and in good faith in light of all the circumstances known to the

relying party at the time of reliance

Rely within the validity limits stated in the certificate

Check the authenticity of the certificate before relying

Check the status of the certificate prior to reliance.

2.1.6 Repository Obligations

The DST Repositories make obligations to subscribers to provide certain continuity of service

and availability of up-to-date certificates and CRLs. However, the level of service and the

remedies available to clients are described in the contracts signed by each client and DST.

2.2 Liability

Except as expressly provided in contracts with clients, and according to specific certificate

policies, DST disclaims all warranties and obligations of any type, including any warranty of


38/91





merchantability, any warranty of fitness for a particular purpose, and any warranty of accuracy

of information provided.

2.2.1 CA Liability

See the Subscriber Agreements set forth in 2.1.4.

2.2.2 RA Liability

Additional policies and procedures in this category are determined by client and by CP.

2.2.3 Repository Liability


2.3 Financial Responsibility


2.4 Interpretation and Enforcement

2.4.1 Governing Law

The governing law for this CPS shall be the law of the State of Utah.

2.4.2 Severability, Survival, Merger, and Notice

If a particular provision of this CPS is terminated or determined to be invalid, illegal, or

unenforceable, the remaining provisions of this CPS shall remain in full force and effect.



39/91





2.4.3 Dispute Resolution Procedures

See the Subscriber Agreements set forth in 2.1.4.

2.5 Fees

There shall be no access controls or fees on the reading of this policy or authorized CA's CPS.

DST shall assess fees or impose access controls on certificates, certificate status, or CRLs at its

sole discretion, subject to agreement between DST and its clients, and in accordance with fee

schedules negotiated and detailed in contracts with the clients.

2.5.1 Certificate Issuance or Renewal Fees


2.5.2 Certificate Access Fees


2.5.3 Revocation or Status Information Access Fees


2.5.4 Fees for Other Services Such as Policy Information


2.5.5 Refund Policy

Department of Labor: aces cps

Documents