
Department of Labor: dst-aces-cps-v20040123

May 31, 2018

8/14/2019 Department of Labor: dst-aces-cps-v20040123

January 23, 2004

Copyright 2004 Digital Signature Trust, LLC, an Identrus Company. All Rights Reserved.

Certification Practices Statement of Digital Signature Trust for the Access Certificates for Electronic Services Program

Digital Signature Trust, LLC

Version 4.0

January 23, 2004


    TABLE OF CONTENTS

    SECTION PAGE

SECTION 1 INTRODUCTION ..... 1
  1.1 OVERVIEW ..... 1
  1.2 POLICY IDENTIFICATION ..... 1
  1.3 COMMUNITY AND APPLICABILITY ..... 2
    1.3.1 Certificate Service Providers ..... 3
      1.3.1.1 Certification Authorities (CAs) ..... 3
      1.3.1.2 Registration Authorities (RAs) and Trusted Agents ..... 3
      1.3.1.3 Certificate Manufacturing Authorities (CMAs) ..... 4
      1.3.1.4 Repositories ..... 4
    1.3.2 End Entities ..... 4
      1.3.2.1 Subscribers ..... 4
      1.3.2.2 Relying Parties ..... 4
      1.3.2.3 Agency and Relying Party Applications ..... 5
        1.3.2.3.1 Agency and Relying Party Application SSL Server Certificates ..... 5
        1.3.2.3.2 Agency and Relying Party Application (Mutual Authentication and Signing) ..... 5
        1.3.2.3.3 Agency and Relying Party Application (Encryption) ..... 5
        1.3.2.3.4 Agency and Relying Party Application (Other) ..... 5
    1.3.3 Policy Authority ..... 5
    1.3.4 Applicability ..... 6
      1.3.4.1 Purpose ..... 6
      1.3.4.2 Suitable Uses ..... 8
  1.4 CONTACT DETAILS ..... 8
    1.4.1 Organization Responsible for this Certification Practice Statement ..... 8
    1.4.2 Contact Person ..... 9
    1.4.3 Person Determining Suitability of this CPS ..... 9

SECTION 2 GENERAL PROVISIONS ..... 10
  2.1 OBLIGATIONS ..... 10
    2.1.1 CAs Obligations ..... 10
    2.1.2 RA / Trusted Agent Obligations ..... 11
    2.1.3 CMA Obligations ..... 11
    2.1.4 Repository Obligations ..... 11
    2.1.5 Subscriber Obligations ..... 12
    2.1.6 Relying Party Obligations ..... 12
    2.1.7 Policy Authority Obligations ..... 13
  2.2 LIABILITIES ..... 13
    2.2.1 DST Liability ..... 14
    2.2.2 RA, CMA, and Repository Liability ..... 14
  2.3 FINANCIAL RESPONSIBILITY ..... 14
    2.3.1 Indemnification by Relying Parties ..... 15
    2.3.3 Fiduciary Relationships ..... 15
    2.3.4 Administrative Processes ..... 15


  2.4 INTERPRETATION AND ENFORCEMENT ..... 15
    2.4.1 Governing Law ..... 15
    2.4.2 Severability, Survival, Merger, Notice ..... 15
    2.4.3 Dispute Resolution Procedures ..... 15
  2.5 FEES ..... 16
    2.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees ..... 16
    2.5.2 Certificate Access Fees ..... 16
    2.5.3 Revocation Status Information Access Fees (Certificate Validation Services) ..... 16
    2.5.4 Fees for Other Services such as Policy Information ..... 16
    2.5.5 Refund Policy ..... 16
  2.6 PUBLICATION AND REPOSITORY ..... 16
    2.6.1 Publication of Information ..... 16
    2.6.2 Frequency of Publication ..... 16
    2.6.3 Access Controls ..... 17
    2.6.4 Repositories ..... 17
  2.7 INSPECTIONS AND REVIEWS ..... 17
    2.7.1 Certification and Accreditation ..... 17
      2.7.1.1 Frequency of Certification Authority Compliance Review ..... 18
      2.7.1.2 Identity/Qualifications of Reviewer ..... 18
      2.7.1.3 Auditor's Relationship to Audited Party ..... 18
      2.7.1.4 Communication of Results ..... 18
    2.7.2 Quality Assurance Inspection and Review ..... 18
      2.7.2.1 Topics Covered by Quality Assurance Inspection and Review ..... 18
      2.7.2.2 Identity/Qualifications of Reviewer ..... 18
      2.7.2.3 Auditor's Relationship to Audited Party ..... 18
      2.7.2.4 Audit Compliance Report ..... 18
      2.7.2.5 Actions Taken as a Result of Deficiency ..... 19
      2.7.2.6 Communication of Results ..... 19
  2.8 CONFIDENTIALITY ..... 19
    2.8.1 Types of Information to Be Kept Confidential ..... 19
      2.8.1.1 Privacy Policy and Procedures ..... 19
      2.8.1.2 Subscriber Information ..... 19
      2.8.1.3 GSA and Other Government Information ..... 20
    2.8.2 Types of Information Not Considered Confidential ..... 20
    2.8.3 Disclosure of Certificate Revocation/Suspension Information ..... 21
    2.8.4 Release to Law Enforcement Officials ..... 21
  2.9 SECURITY REQUIREMENTS ..... 21
    2.9.1 System Security Plan ..... 22
    2.9.2 Risk Management ..... 22
    2.9.3 Certification and Accreditation ..... 22
    2.9.4 Rules of Behavior ..... 22
    2.9.5 Contingency Plan ..... 22
    2.9.6 Incident Response Capability ..... 22
  2.10 INTELLECTUAL PROPERTY RIGHTS ..... 23


SECTION 3 IDENTIFICATION AND AUTHENTICATION ..... 24
  3.1 INITIAL REGISTRATION ..... 24
    3.1.1 Types of Names ..... 24
      3.1.1.1 ACES Unaffiliated Individual Digital Signature and Encryption Certificates ..... 24
      3.1.1.2 ACES Business Representative Digital Signature and Encryption Certificates ..... 24
      3.1.1.3 ACES Agency (Relying Party Applications) Digital Signature and Encryption Certificates ..... 25
      3.1.1.4 Agency Application SSL Server Certificates ..... 25
      3.1.1.5 ACES Federal Employee Digital Signature and Encryption Certificates ..... 25
    3.1.2 Name Meanings ..... 26
      3.1.2.1 ACES Unaffiliated Individual Digital Signature and Encryption Certificates ..... 26
      3.1.2.2 ACES Business Representative Digital Signature and Encryption Certificates ..... 26
      3.1.2.3 ACES Agency (Relying Party Applications) Digital Signature and Encryption Certificates ..... 27
      3.1.2.4 ACES DST Digital Signature Certificates ..... 27
      3.1.2.5 Agency Application SSL Server Certificates ..... 27
      3.1.2.6 ACES Federal Employee Digital Signature and Encryption Certificates ..... 27
    3.1.3 Rules for Interpreting Various Name Forms ..... 27
    3.1.4 Name Uniqueness ..... 27
    3.1.5 Name Claim Dispute Resolution Procedures ..... 28
    3.1.6 Recognition, Authentication, and Role of Trademarks ..... 28
    3.1.7 Verification of Possession of Key Pair ..... 29
      3.1.7.1 Hardware Tokens ..... 29
      3.1.7.2 Use of Shared Secrets ..... 29
    3.1.8 Authentication of Sponsoring Organization Identity ..... 30
    3.1.9 Authentication of Individual Identity ..... 30
      3.1.9.1 Authentication of ACES Unaffiliated Individual Digital Signature and Encryption Certificates ..... 31
      3.1.9.2 Authentication of ACES Business Representative Digital Signature and Encryption Certificates ..... 32
      3.1.9.3 Authentication of ACES Agency (Relying Party Applications) Digital Signature and Encryption Certificates ..... 33
      3.1.9.4 Authentication of Component Identity ..... 33
      3.1.9.5 Authentication of ACES Federal Employee Digital Signature and Encryption Certificates ..... 34
      3.1.9.6 Other Certificates ..... 35
  3.2 CERTIFICATE RENEWAL, UPDATE AND ROUTINE REKEY ..... 35
    3.2.1 Certificate Renewal ..... 35
    3.2.2 Certificate Rekey ..... 36
    3.2.3 Certificate Update ..... 36
  3.3 REKEY AFTER REVOCATION ..... 37
  3.4 REVOCATION REQUEST ..... 37

SECTION 4 OPERATIONAL REQUIREMENTS ..... 38
  4.1 CERTIFICATE APPLICATION ..... 38
    4.1.1 Application Initiation ..... 38
      4.1.1.1 Application Form ..... 39
      4.1.1.2 Applicant Education and Disclosure ..... 39
    4.1.2 Enrollment Process / DSTs Secure Registration Messaging Protocol ..... 39


    4.1.3 Enrollment Process / Bulk Loading ..... 39
    4.1.4 Application Rejection ..... 40
  4.2 CERTIFICATE ISSUANCE ..... 41
    4.2.1 Certificate Delivery ..... 41
    4.2.2 Certificate Replacement ..... 42
  4.3 CERTIFICATE ACCEPTANCE ..... 42
  4.4 CERTIFICATE REVOCATION ..... 43
    4.4.1 Who Can Request Revocation ..... 43
    4.4.2 Circumstances for Revocation ..... 43
      4.4.2.1 Permissive Revocation ..... 43
      4.4.2.2 Required Revocation ..... 43
    4.4.3 Procedure for Revocation Request ..... 44
    4.4.4 Revocation Request Grace Period ..... 45
    4.4.5 Certificate Authority Revocation Lists/Certificate Revocation Lists ..... 45
      4.4.5.1 CRL Issuance Frequency ..... 45
      4.4.5.2 CRL Checking Requirements ..... 46
    4.4.6 Online Revocation/Status Checking Availability ..... 46
    4.4.7 Online Revocation Checking Requirements ..... 47
    4.4.8 Other Forms of Revocation Advertisements Available ..... 47
    4.4.9 Checking Requirements for Other Forms of Revocation Advertisements ..... 47
    4.4.10 Special Requirements re Key Compromise ..... 47
  4.5 CERTIFICATE SUSPENSION ..... 47
    4.5.1 Circumstances for Suspension ..... 47
    4.5.2 Who Can Request Suspension ..... 47
    4.5.3 Procedure for Suspension Request ..... 47
  4.6 COMPUTER SECURITY AUDIT PROCEDURES ..... 48
    4.6.1 Types of Events Recorded ..... 48
    4.6.2 Frequency of Processing Data ..... 48
    4.6.3 Retention Period for Security Audit Data ..... 48
    4.6.4 Protection of Security Audit Data ..... 48
    4.6.5 Security Audit Data Backup Procedures ..... 49
    4.6.6 Security Audit Collection System (Internal vs. External) ..... 49
    4.6.7 Notification to Event-Causing Subject ..... 49
    4.6.8 Vulnerability Assessments ..... 49
  4.7 RECORDS ARCHIVAL ..... 49
    4.7.1 Types of Events Recorded ..... 49
    4.7.2 Retention Period for Archive ..... 50
    4.7.3 Protection of Archive ..... 50
  4.8 KEY CHANGEOVER ..... 51
  4.9 COMPROMISE AND DISASTER RECOVERY ..... 51
    4.9.1 Computing Resources, Software, and/or Data are Corrupted ..... 51
    4.9.2 DST Public Key Is Revoked ..... 51
    4.9.3 DST Private Key Is Compromised (Key Compromise Plan) ..... 51
    4.9.4 Secure Facility after a Natural or Other Disaster (Disaster Recovery Plan) ..... 52
  4.10 AUTHORIZED CA CESSATION OF SERVICES ..... 52
  4.11 CUSTOMER SERVICE CENTER ..... 53
  4.12 PRIVATE KEY RECOVERY ..... 53


    4.12.1 Circumstances for private key recovery ..... 54
    4.12.2 Key Recovery Roles; Who can request private key recovery ..... 54
    4.12.3 Procedure for Private Key Recovery Request ..... 55

SECTION 5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS ..... 57
  5.1 PHYSICAL SECURITY CONTROLS ..... 57
    5.1.1 Physical Access Controls ..... 57
    5.1.2 Security Checks ..... 58
    5.1.3 Media Storage ..... 58
    5.1.4 Environmental Security ..... 58
    5.1.5 Off-Site Backup ..... 59
  5.2 PROCEDURAL CONTROLS ..... 60
    5.2.1 Trusted Roles ..... 60
      5.2.1.1 Physical Security ..... 60
    5.2.2 Number of Persons Required Per Task ..... 60
    5.2.3 Identification and Authentication for Each Role ..... 61
    5.2.4 Hardware/Software Maintenance Controls ..... 61
    5.2.5 Documentation ..... 61
    5.2.6 Security Awareness and Training ..... 62
  5.3 PERSONNEL SECURITY CONTROLS ..... 62
    5.3.1 Access Authorization ..... 63
    5.3.2 Limited Access ..... 63
      5.3.2.1 Background Screening ..... 63
      5.3.2.2 Least Privilege ..... 63
      5.3.2.3 Separation of Duties ..... 64
      5.3.2.4 Individual Accountability ..... 65

SECTION 6 TECHNICAL SECURITY CONTROLS ..... 66
  6.1 KEY PAIR GENERATION AND INSTALLATION ..... 66
    6.1.1 Key Pair Generation ..... 66
      6.1.1.1 CA Key Pair Generation ..... 66
      6.1.1.2 Hardware/Software Key Generation for Program Participants ..... 66
    6.1.2 Private Key Delivery to Entity/Owner ..... 67
    6.1.3 Subscriber Public Key Delivery to DST ..... 67
    6.1.4 CA Public Key Delivery to Users ..... 67
    6.1.5 Key Sizes ..... 67
    6.1.6 Public Key Parameters Generation ..... 68
    6.1.7 Parameter Quality Checking ..... 68
    6.1.8 Key Usage Purposes ..... 68
    6.1.9 Private Key Shared by Multiple Subscribers ..... 68
    6.1.10 Date/Time Stamps ..... 68
  6.2 PRIVATE KEY PROTECTION ..... 68
    6.2.1 Standards for Cryptographic Module ..... 69
    6.2.2 Private Key Backup ..... 69
    6.2.3 Private Key Archival ..... 69


    6.2.4 Private Key Entry into Cryptographic Module ..... 70
    6.2.5 Method of Activating Private Keys ..... 70
    6.2.6 Method of Deactivating Private Keys ..... 70
    6.2.7 Method of Destroying Subscriber Private Signature Keys ..... 70
  6.3 GOOD PRACTICES REGARDING KEY PAIR MANAGEMENT ..... 70
    6.3.1 Public Key Archival ..... 70
    6.3.2 Private Key Archival ..... 71
    6.3.3 Usage Periods for the Public and Private Keys (Key Replacement) ..... 71
    6.3.4 Restrictions on CA's Private Key Use ..... 71
  6.4 ACTIVATION DATA ..... 71
    6.4.1 Activation Data Generation and Installation ..... 71
    6.4.2 Activation Data Protection ..... 71
  6.5 COMPUTER SECURITY CONTROLS ..... 72
    6.5.1 Audit ..... 72
    6.5.2 Technical Access Controls ..... 73
    6.5.3 Identification and Authentication ..... 73
    6.5.4 Trusted Paths ..... 73
  6.6 LIFE CYCLE TECHNICAL CONTROLS ..... 74
    6.6.1 System Development Controls ..... 74
    6.6.2 Security Management Controls ..... 74
    6.6.3 Object Reuse ..... 75
  6.7 NETWORK SECURITY CONTROLS ..... 75
    6.7.1 Remote Access/ Dial-Up Access ..... 76
    6.7.2 Firewalls ..... 76
    6.7.3 Encryption ..... 76
    6.7.4 Interconnections ..... 76
      6.7.4.1 Connectivity with Internet and Other WANs ..... 76
    6.7.5 Router ..... 77
    6.7.6 Inventory of Network Hardware and Software ..... 77
  6.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS ..... 77

SECTION 7 CERTIFICATE AND CRL PROFILES ..... 78
  7.1 CERTIFICATE PROFILE ..... 78
    7.1.1 Version Numbers ..... 78
    7.1.2 Certificate Extensions ..... 78
    7.1.3 Algorithm Object Identifiers ..... 78
    7.1.4 Name Forms ..... 79
    7.1.5 Name Constraints ..... 79
    7.1.6 Certificate Policy Object Identifiers ..... 79
    7.1.7 Usage of Policy Constraints Extension ..... 79
    7.1.8 Policy Qualifiers Syntax and Semantics ..... 79
    7.1.9 Processing Semantics for the Critical Certificate Policy Extension ..... 79
  7.2 CRL PROFILE ..... 79


    SECTION 8 POLICY ADMINISTRATION..................................................................... 80

    8.1 POLICY CHANGE PROCEDURES ..................................................................... 808.1.1 List of Items.................................................................................................... 80

    8.1.2 Comments ....................................................................................................... 80

8.2 PUBLICATION AND NOTIFICATION PROCEDURES.................... 80
8.3 CPS APPROVAL PROCEDURES ........................................................ 80

    8.4 Waivers ................................................................................................................... 80

    SECTION 9 ACES PRIVACY POLICY AND PROCEDURES..................................... 81

    9.1 Administrative, Technical, and Physical Safeguards............................................. 81

    9.1.1 Handling of Information ........................................................................................ 81

9.1.2 Information Provided to Certificate Applicant ...................................... 82
9.1.3 Limitations on Collection, Maintenance and Dissemination of Data.................... 82

    9.1.4 Notice of Existence of Records.............................................................................. 82

9.1.5 Access to Records by Covered Individual ............................................................. 83
9.1.6 Amendment of Records ......................................................................................... 84
9.1.6.1 Handling of Request to Amend Record...................................................................... 85
9.1.6.2 Handling of Request to Review Refusal to Amend Record ........................................ 86
9.1.6.3 Notification of Right to Appeal to GSA..................................................................... 86

    9.1.7 Disclosure Accounting........................................................................................... 87

    9.1.8 Reports................................................................................................................... 87

    9.1.9 Certificate Issuance Warrants ................................................................................ 87

    APPENDIX A RELYING PARTY AGREEMENT.................................................... 88

    APPENDIX B ACRONYMS AND ABBREVIATIONS............................................. 89

    GLOSSARY........................................................................................................................... 93

    APPENDIX C AUDITABLE EVENTS TABLE ....................................................... 106

    APPENDIX D APPLICABLE FEDERAL AND GSA REGULATIONS ............... 112

    APPENDIX E CERTIFICATE PROFILES .................................................................. 113


    SECTION 1

    INTRODUCTION

    1.1 OVERVIEW

This Certification Practices Statement (CPS) describes the certification practices of Digital Signature Trust, an Identrus company (DST), related to its operations as a Certification Authority (CA) authorized to issue digital certificates in accordance with the Certificate Policy (CP) for the Access Certificates for Electronic Services (ACES) program of the United States Government. This CPS covers the operation of systems and management of facilities used to provide public key infrastructure (PKI) services described in the DST Concept of Operations, which include Certification Authority (CA), Registration Authority (RA), and repository functionality.

In addition to this CPS, the ACES Certificate Policy (ACES CP) and the United States Government Common Policy CP may further specify requirements applicable to a particular project, contract or set of contracts, or issuance of a class of certificates undertaken by DST.

In particular, this CPS addresses the following:

(1) the roles, responsibilities, and relationships among DST, Trusted Agents, Registration Authorities (RAs), Certificate Manufacturing Authorities (CMAs), Repositories, Subscribers, Relying Parties, and the Policy Authority (referred to collectively as Program Participants);

(2) obligations and operational responsibilities of the Program Participants; and

(3) DST's policies and practices for the issuance, delivery, management, and use of ACES Certificates to verify digital signatures.

In the event that there is any inconsistency between this CPS, the ACES CP, and DST's ACES Contract with GSA, the GSA ACES Contract provisions take precedence over the CP, which in turn takes precedence over the CPS, even though this CPS may describe in more detail the policies, practices and procedures implemented by DST in order to comply with the ACES CP and its ACES Contract with GSA.

    1.2 POLICY IDENTIFICATION

This CPS is DST's ACES CPS version 4.0. This CPS alone is not intended to provide the basis for any contractual obligations. Certificates are differentiated by function (signature or encryption), key storage method (software module or hardware token) and by the certificate subject or holder (unaffiliated individual, business representative, Federal employee, etc.); see Section 1.3. DST issues ACES certificates under the following policy OIDs:


DST's ACES CA Certificate: {2 16 840 1 101 3 2 1 1 1}

ACES Unaffiliated Individual Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 2}

ACES Unaffiliated Individual Encryption Certificates: {2 16 840 1 101 3 2 1 1 2}

ACES Business Representative Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 3}

ACES Business Representative Encryption Certificates: {2 16 840 1 101 3 2 1 1 3}

ACES Relying Party Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 4}

ACES Relying Party Encryption Certificates: {2 16 840 1 101 3 2 1 1 4}

ACES Agency Application SSL Server Certificates: {2 16 840 1 101 3 2 1 1 5}

ACES Federal Employee Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 6}

ACES Federal Employee Encryption Certificates: {2 16 840 1 101 3 2 1 1 6}

ACES Federal Employee Digital Signature Certificates on Hardware Token: {2 16 840 1 101 3 2 1 1 7}

ACES Federal Employee Encryption Certificates on Hardware Token: {2 16 840 1 101 3 2 1 1 7}

All ACES Certificates issued by DST under this CPS include the appropriate OID for the applicable certificate in the Certificate Policies field of the Certificate. The foregoing OIDs are placed in certificates only as specifically authorized by the ACES CP. Upon approval by the Federal PKI Policy Authority for cross certification with the Federal Bridge Certification Authority (FBCA), ACES certificates issued by DST will support interoperability between the ACES PKI and another PKI by asserting the appropriate FBCA CP OIDs in the policyMappings extension. Certificates issued in accordance with other approved federal government certificate policies may assert other OIDs upon approval of the relevant policy authorities.

    1.3 COMMUNITY AND APPLICABILITY

The ACES PKI is a bounded public key infrastructure. The ACES CP and this CPS describe the rights and obligations of persons and entities authorized under the CP to fulfill any of the following roles: Certificate Service Provider roles, End Entity roles, and the Policy Authority role. Certificate Service Provider roles are CA, Trusted Agent, RA, CMA, and Repository. End Entity roles are Subscriber (Unaffiliated Individual, Business Representative, Federal Employee, Server, Agency Application, State and Local Government), Relying Party and Relying Party Application. Requirements for persons and entities authorized to fulfill any of these roles are in this Section. A general description of each of these roles and their responsibilities is set forth in Section 2 of this CPS.

    1.3.1 Certificate Service Providers

    1.3.1.1 Certification Authorities (CAs)

DST, LLC, is a subsidiary of Identrus, LLC, and is also subject to oversight by the Office of the Comptroller of the Currency ("OCC") and other state and federal entities. DST performs Certification Authority functions (e.g., certificate generation, distribution, revocation, etc.) centrally while performing Registration Authority functions (e.g., subscriber identification and communication) using a decentralized registration process established by DST in cooperation with its private sector and public sector partners.

DST is qualified to issue certificates identifying the ACES CP (ACES Certificates), having been qualified by GSA by:

(a) entering into an appropriate GSA ACES Contract;

(b) documenting in this CPS and other relevant documents the specific practices and procedures implemented to satisfy the requirements of the ACES CP; and

(c) successfully completing GSA's ACES Security Certification and Accreditation (C&A).

As an ACES CA, DST is responsible for the generation and management of Certificates and Certificate revocation using a variety of mechanisms including but not limited to Lightweight Directory Access Protocol ("LDAP") Certificate directories, CRLs and Online Certificate Status Protocol ("OCSP") checking. In addition to the responsibilities above, DST's service responsibilities also include the processing of Certificate requests and revocation requests, generation and sending of responses, generation of CRLs and maintenance of OCSP databases, posting of Certificates and CRLs to directories, the designation of Trusted Agents and Registration Authorities and other tasks related to Certificate/CRL management. See Section 2.1.1 for further discussion of the CA's obligations and responsibilities.

    1.3.1.2 Registration Authorities (RAs) and Trusted Agents

DST performs the role and functions of the RA. DST also receives assistance in performing its registration authority functions from GSA-approved contracting third parties (including government agencies) who agree to be subject to and bound by the ACES CP with respect to registration services, referred to herein as Authorized RAs. DST employs Trusted Agents who are authorized to assist in processing Subscriber identification information during the registration process. Trusted Agents perform their registration functions without use of automated RA interfaces with DST's CA system.


    1.3.1.3 Certificate Manufacturing Authorities (CMAs)

DST performs the role and functions of CMA. DST may also receive assistance in performing its CMA functions from GSA-approved contracting third parties who agree to be subject to and bound by the ACES CP with respect to CMA services.

    1.3.1.4 Repositories

DST performs the role and functions of Repository. DST may also receive assistance in performing its Repository functions from GSA-approved contracting third parties who agree to be subject to and bound by the ACES CP with respect to Repository services.

    1.3.2 End Entities

    1.3.2.1 Subscribers

DST issues ACES Certificates to the following classes of Subscribers:

(a) Members of the general public (Unaffiliated Individuals);

(b) Individuals authorized to act on behalf of business entities (i.e., Sponsoring Organizations) recognized by DST, such as employees, officers, and agents of a Sponsoring Organization (Business Representatives);

(c) Government employees authorized to act on behalf of state and local government organizations;

(d) Federal Employees (see footnote 1) authorized to act on behalf of federal Sponsoring Organizations recognized by DST, such as employees, officers, and agents of an Eligible Federal Agency, entity, or department. Eligible Federal agencies and entities include all Federal agencies, authorized Federal Contractors, agency-sponsored universities and laboratories, other organizations, and, if authorized by law, state, local, and tribal governments. All organizations listed in GSA Order ADM 4800.2D (as updated) are also eligible. The Government has the right to add authorized users in these categories pursuant to the ACES CP;

(e) Relying Parties that choose to use ACES; and

(f) Agency Application Servers.

    1.3.2.2 Relying Parties

Relying Parties are those persons and entities authorized by either GSA or DST to accept and rely upon ACES Certificates for purposes of verifying digital signatures on electronic records and messages. Agencies desiring to become Relying Parties must enter into a GSA ACES Relying Party Agreement via a Memorandum of Understanding (MOA) to accept ACES Certificates and agree to be bound by the terms of the ACES CP. The Government may specify Relying Parties pursuant to the ACES CP. Any party other than an Agency desiring to become a Relying Party must enter into a DST ACES Relying Party Agreement with DST. DST shall have no liability to any Relying Party with respect to any DST-issued ACES certificate unless that party has entered into a GSA ACES Relying Party Agreement or a DST ACES Relying Party Agreement that remains in force at the time the certificate is relied upon.

Footnote 1: Any Business Representative Certificates issued to Federal Employees prior to the implementation of Federal Employee Certificates shall remain in effect until they expire.

    1.3.2.3 Agency and Relying Party Applications

DST issues certificates to federal, state and local Agency and Relying Party Applications for various purposes as described below.

    1.3.2.3.1 Agency and Relying Party Application SSL Server Certificates

DST issues Agency Application SSL Server Certificates for use on federal, state and local Agency Servers to allow mutual authentication and/or trusted SSL communications with the federal, state or local agency's or Relying Party's customers. These certificates are issued to the agency or Relying Party server, where the common name is the registered Domain Name of the Web server, and allow for server and client authentication through the extendedKeyUsage extension.
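The two certificate fields just described, the policy OID carried in certificatePolicies (Section 1.2) and the serverAuth/clientAuth purposes carried in extendedKeyUsage, are both DER sequences of OIDs. The following Python is an added example, not DST, GSA or ACES program code. It encodes and decodes those two extension values with a minimal DER codec so that a Relying Party application can tell which ACES class a certificate asserts and whether it carries the one policy the application requires. The DER bytes it handles are constructed inline, not taken from any real ACES certificate; in practice the extension values are pulled from the parsed X.509 certificate.

```python
# Added example (not DST, GSA or ACES program code): encode and decode the OIDs
# ACES certificates carry in certificatePolicies (Section 1.2) and in
# extendedKeyUsage (Section 1.3.2.3.1). All DER below is constructed here.

# Policy OIDs from Section 1.2 of this CPS, dotted form of {2 16 840 1 101 3 2 1 1 n}.
ACES_POLICY_OIDS = {
    "2.16.840.1.101.3.2.1.1.1": "ACES CA",
    "2.16.840.1.101.3.2.1.1.2": "Unaffiliated Individual",
    "2.16.840.1.101.3.2.1.1.3": "Business Representative",
    "2.16.840.1.101.3.2.1.1.4": "Relying Party",
    "2.16.840.1.101.3.2.1.1.5": "Agency Application SSL Server",
    "2.16.840.1.101.3.2.1.1.6": "Federal Employee",
    "2.16.840.1.101.3.2.1.1.7": "Federal Employee on Hardware Token",
}
# Standard extendedKeyUsage purposes (RFC 5280 id-kp-serverAuth, id-kp-clientAuth).
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

OID_TAG, SEQUENCE_TAG = 0x06, 0x30


def _der_length(n: int) -> bytes:
    """Definite-form DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n: int) -> bytes:
    """Base-128 sub-identifier: high bit set on every octet but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER; the first two arcs share one sub-identifier."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([OID_TAG]) + _der_length(len(body)) + body


def _sequence(content: bytes) -> bytes:
    return bytes([SEQUENCE_TAG]) + _der_length(len(content)) + content


def certificate_policies_ext(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }"""
    return _sequence(b"".join(_sequence(encode_oid(o)) for o in oids))


def ext_key_usage_ext(oids) -> bytes:
    """extKeyUsage ::= SEQUENCE OF KeyPurposeId (each a bare OID)"""
    return _sequence(b"".join(encode_oid(o) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """DER OID contents -> dotted string (arc 2 values are encoded as 80 + arc)."""
    subids, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n)
            n = 0
    first = subids[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])


def _oids_in(der: bytes, wrapped: bool):
    """OIDs of a SEQUENCE of OIDs, or (wrapped) of SEQUENCEs whose first member is an OID.
    Only the first member of each PolicyInformation is read, so policy qualifiers are skipped."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != SEQUENCE_TAG:
        raise ValueError("extension value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        if wrapped:
            tag, inner, _ = _read_tlv(inner, 0)
        if tag != OID_TAG:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(inner))
    return oids


def policy_oids(cert_policies_der: bytes):
    return _oids_in(cert_policies_der, wrapped=True)


def eku_oids(ext_key_usage_der: bytes):
    return _oids_in(ext_key_usage_der, wrapped=False)


def aces_classes(oids):
    """Human-readable ACES class for each asserted policy; unknown OIDs are reported as such."""
    return [ACES_POLICY_OIDS.get(o, f"unknown policy {o}") for o in oids]


def permitted_for(required_policy: str, cert_policies_der: bytes) -> bool:
    """An application that requires one ACES policy accepts a certificate only if that
    exact OID is asserted; no anyPolicy or policyMappings shortcut is taken here."""
    return required_policy in policy_oids(cert_policies_der)
```

A production check also has to walk policyMappings on the FBCA cross-certificate when a path is built through the Federal Bridge (Section 1.2); this decoder only answers the narrower question of what the end-entity certificate itself asserts.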

    1.3.2.3.2 Agency and Relying Party Application (Mutual Authentication and

    Signing)

DST issues signing-only certificates to federal, state and local agency and Relying Party applications for mutual authentication and for the purpose of providing Agency and Relying Party Customers with signed return receipt notifications acknowledging that the agency or relying party application received the customer's transaction, or to sign internal data (customer transactions, Application log files or agency archive data) where required by the agency's policies.

    1.3.2.3.3 Agency and Relying Party Application (Encryption)

DST issues data encryption certificates to federal, state and local agency and relying party applications for the purpose of encrypting sensitive data where agency or relying party policy dictates.

    1.3.2.3.4 Agency and Relying Party Application (Other)

DST may issue other certificate types as needed by a federal, state or local agency, relying party, or agency or relying party application. See Section 3.1.9.6 for further information.

    1.3.3 Policy Authority

    GSA is the Policy Authority responsible for organizing and administering the ACES CP

    and ACES Contract(s).


    1.3.4 Applicability

    1.3.4.1 Purpose

DST and its Subscribers may use ACES Digital Signature Certificates to mutually authenticate Subscribers and Relying Party applications. Subscribers and Agency Applications may use ACES Encryption Certificates to employ the confidentiality service on the data exchanged. The following table summarizes the functional uses of ACES Certificates:

(Table columns: ACES Certificate Type; Subscriber; Purpose; Use of Certificate.)

ACES Certificate Type: Unaffiliated Individual Certificate
  Subscriber: Unaffiliated Individual
  Digital Signature: To enable an Unaffiliated Individual ACES Subscriber and Relying Parties to mutually authenticate themselves electronically for information and transactions and to verify digitally signed documents/transactions.
  Encryption: To enable an Unaffiliated Individual ACES Subscriber to use confidentiality services (encryption and decryption) on his/her information and transactions.

ACES Certificate Type: Business Representative Certificate
  Subscriber: Business Representative authorized to act on behalf of a Sponsoring Organization
  Digital Signature: To enable a Business Representative to mutually authenticate themselves to conduct business-related activities electronically and to verify digitally signed documents/transactions.
  Encryption: To enable a Business Representative to use confidentiality services (encryption and decryption) on his/her information and transactions.

ACES Certificate Type: State and Local Governments
  Subscriber: Government Employee authorized to act on behalf of a State or Local Government
  Digital Signature: To enable a State or Local Government Representative to mutually authenticate themselves to conduct business-related activities electronically and to verify digitally signed documents/transactions.
  Encryption: To enable a State or Local Government Representative to use confidentiality services (encryption and decryption) on his/her information and transactions.

ACES Certificate Type: Relying Party Certificate
  Subscriber: Relying Party
  Digital Signature: To enable a Relying Party and Unaffiliated Individuals, Business Representatives (non-federal Employees), State and Local Governments, Federal Employees, and DST to mutually authenticate themselves; to make signed validation requests; and to sign log files.
  Encryption: To enable a Relying Party to provide confidentiality services (encryption and decryption) to Subscribers on their information and transactions.

ACES Certificate Type: Agency / Relying Party Application SSL Server Certificate
  Subscriber: Server
  Server Authentication and Encrypted Data Transmission: To enable authenticated encrypted communications between subscribers and servers.

ACES Certificate Type: Federal Employee Certificate
  Subscriber: Federal Employee
  Digital Signature: To enable a Federal Employee and Relying Parties to mutually authenticate themselves and to verify digitally signed documents/transactions.
  Encryption: To enable a Federal Employee to use confidentiality services (encryption and decryption) on his/her information and transactions.

ACES Certificate Type: CA Certificate
  Subscriber: N/A
  Use: To enable the authorized CA to issue subscriber certificates.


    1.3.4.2 Suitable Uses

ACES Certificates may be used by individuals, businesses, and state and local governments to transact business with the Federal Government and non-Federal Government participants who would otherwise be involved in such transactions, provided that the Federal Government does not incur any additional costs.

    1.4 CONTACT DETAILS

DST's Customer Service Center is available between 7 a.m. and 6 p.m. Mountain Standard Time (MST), Monday through Friday, excluding Federal holidays. DST's Customer Service Center assists subscribers with certificate- and key-related issues. Such issues include, but are not limited to, problems with key generation and certificate installation. Problems and inquiries received that are not certificate-related are directed to the relevant government agency for resolution with the subscriber. Those concerns can include, but are not limited to, problems with accessing information and inquiries of a general nature. For questions concerning ACES certificates, DST operations or the DST ACES CPS, please contact:

Digital Signature Trust
ACES Program
255 Admiral Byrd Road
Salt Lake City, UT
E-mail: [email protected]
Toll-free US: 888-339-8798
Outside of the US: 801-326-5974
Fax: 801-326-5438

Otherwise, assistance is available at the Web site above, 24 hours per day, including Federal holidays, to individual subscribers, business representatives, and individuals authorized to act on behalf of agency applications.

    1.4.1 Organization Responsible for this Certification Practice Statement

DST's Change and Risk Management Committee ("CRMC") reviews CPs and approves CPSs. The CRMC manages the audit and risk assessment function for DST's CA operations to ensure that risks are accurately identified, that necessary mitigating activities are identified, and that individual projects should proceed. The Chair of the CRMC represents DST at meetings of the Audit Committee. The CRMC is comprised of representatives from functional units across the organization.


    1.4.2 Contact Person

Attn.: Keren Cummins
Digital Signature Trust, LLC
15200 Shady Grove Road
Suite 350
Rockville, MD 20850
Phone: (301) 921-5977

    1.4.3 Person Determining Suitability of this CPS

Attn: ACES Program Manager
Federal Technology Service
General Services Administration
Washington, D.C. 20407


    SECTION 2

    GENERAL PROVISIONS

    2.1 OBLIGATIONS

This Section provides a general description of the roles and responsibilities of the ACES Program Participants operating under the ACES CP and this CPS: DST, RAs, CMAs, Repositories, Subscribers, Relying Parties, and the Policy Authority. Additional obligations are set forth in other provisions of this CPS, DST's ACES Contract, the System Security Plan (the SSP), Privacy Practices and Procedures (the PPP), Agreements with Relying Parties, Subscriber Agreements and other agreements with Program Participants.

2.1.1 CA's Obligations

This section corresponds to Section 2.1.1 of the ACES CP and addresses the obligations and responsibilities of DST and its Authorized RAs, CMAs, and Repositories and their performance with respect to all ACES Certificates that DST issues.

DST is responsible for all aspects of the issuance and management of ACES Certificates, including the application/enrollment process; the identification verification and authentication process; the certificate manufacturing process; dissemination and activation of the certificate; publication of the certificate (if required); renewal, suspension, revocation, and replacement of the certificate; verification of certificate status upon request; and ensuring that all aspects of DST's services, operations and infrastructure related to ACES Certificates are performed in accordance with the requirements, representations, and warranties of the ACES CP (except in circumstances where government agencies or Relying Parties agree to provide defined RA roles and functions).

DST assumes responsibility for ensuring that all work is performed under the supervision of DST and responsible DST employees. DST provides assurance of the trustworthiness and competence of its employees and their satisfactory performance of duties relating to the provision of ACES services as described in this CPS and other relevant documents. Each DST employee to whom information is made available or disclosed is notified in writing by DST that information disclosed to such employee can be used only for the purpose and to the extent authorized in the ACES CP and other relevant documents.

DST complies with all applicable Federal and GSA requirements set forth in its ACES Contract with GSA, including the Federal Privacy Act, Appendices I and III of OMB Circular A-130, and regulations governing the prevention and reporting of waste, fraud and abuse, as supported by the documentation that it submits to GSA and/or other Federal agencies. DST has standard forms for contracts, which contain DST's obligations among different classes of subscribers and relying parties. DST's system architectures support varying levels of workload, as set forth in DST's ACES Contract.


    2.1.2 RA / Trusted Agent Obligations

A Registration Authority (RA) is a person or entity responsible for the applicant registration, certificate application, and authentication of identity functions for Unaffiliated Individuals, Business Representatives, State and Local Government Representatives, Federal Employees, Servers, and Relying Parties. An Authorized RA may also be responsible for handling suspension and revocation requests, and for aspects of Subscriber education.

Authorized RAs retained under contract to perform RA services on behalf of DST are required to comply with the provisions of this CPS and the ACES CP.

Trusted Agents are responsible for reviewing and collecting registration data and completed in-person registration forms for submission to DST or its Authorized RA as part of a bulk-loading registration process for applicants who are authorized by the Trusted Agent's organization to hold an ACES Certificate. DST enters into contractual agreements with some Trusted Agents and Authorized RAs requiring them to retain and protect collected information in accordance with applicable requirements of the ACES CP. DST and its Authorized RAs and Trusted Agents shall accurately verify subscriber identity and process requests and responses in a timely and secure manner. DST's Authorized RAs and Trusted Agents shall comply with this CPS and the ACES CP. DST will monitor the compliance of its Authorized RAs and Trusted Agents with this CPS and the ACES CP. Failure to comply with the provisions of the CPS and the CP may subject DST, and any Authorized RA or Trusted Agent, to sanctions, including termination as agent of DST and possible civil and criminal sanctions.

    2.1.3 CMA Obligations

A CMA is responsible for the functions of manufacturing, issuance, suspension, and revocation of ACES Certificates. CMAs retained under contract to perform CMA services on behalf of DST are required to comply with the provisions of this CPS and the ACES CP.

    2.1.4 Repository Obligations

A Repository is responsible for maintaining a secure system for storing and retrieving currently valid ACES Certificates, a current copy of the ACES CP, and other information relevant to ACES Certificates, and for providing information regarding the status of ACES Certificates as valid or invalid that can be determined by a Relying Party. Repositories retained under contract to perform Repository services on behalf of DST are required to comply with the provisions of this CPS and the ACES CP.


    2.1.5 Subscriber Obligations

Through a combination of online processes and printed forms, each applicant for an ACES Certificate shall:

- provide complete and accurate responses to all requests for information made by DST (or a Trusted Agent or Authorized RA) during the applicant registration, certificate application, and authentication of identity processes;

- generate a key pair using a reasonably trustworthy system, and take reasonable precautions to prevent any compromise, modification, loss, disclosure, or unauthorized use of the private key;

- upon issuance of an ACES Certificate naming the applicant as the Subscriber, review the ACES Certificate to ensure that all Subscriber information included in it is accurate, and expressly indicate acceptance or rejection of the ACES Certificate;

- promise to protect the private key(s) at all times, in accordance with the applicable Subscriber Agreement, this CPS, the ACES CP and any other obligations that the Subscriber may otherwise have;

- use the ACES Certificate and the corresponding private key exclusively for purposes authorized by the ACES CP and only in a manner consistent with the ACES CP;

- instruct DST (or an Authorized RA or employer) to revoke the ACES Certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the private key, or, in the case of Business Representative and Federal Employee ACES Certificates, whenever the Subscriber is no longer affiliated with the Sponsoring Organization; and

- respond as required to notices issued by DST or its authorized agents.

Subscribers who receive certificates from DST shall comply with these requirements as well as those in the ACES CP. Additional information concerning the rights and obligations of Subscribers may be found in Sections 1.3, 3.1 and 4.1 of this CPS.

    2.1.6 Relying Party Obligations

The ACES CP and an applicable Relying Party Agreement (the Relying Party Agreement contained in Appendix A to the ACES CP or a Relying Party Agreement entered into between DST and a non-Agency Relying Party) are binding on each Relying Party and govern its performance with respect to its application for, use of, and reliance on ACES Certificates.


(a) Acceptance of Certificates. Each Relying Party will validate ACES Certificates issued by all Authorized CAs;

(b) Certificate Validation. Each Relying Party will validate every ACES Certificate it relies upon with the Authorized CA that issued the certificate; and

(c) Reliance. A Relying Party may rely on a valid ACES Certificate for purposes of verifying the digital signature only if:

- the ACES Certificate was used and relied upon to authenticate a Subscriber's digital signature for an application bound by the ACES CP;

- prior to reliance, the Relying Party (1) verified the digital signature by reference to the public key in the ACES Certificate, (2) checked the status of the ACES Certificate by generating an appropriate status request via a current CRL, OCSP, or other comparable validation method, as approved by GSA, and (3) the check of the certificate's status indicated that the certificate was valid; and

- the reliance was reasonable and in good faith in light of all the circumstances known to the Relying Party at the time of reliance.

Relying Parties must evaluate the environment and the associated threats and vulnerabilities and determine the level of risk they are willing to accept based on the sensitivity or significance of the information. This evaluation is done by each Relying Party for each application and is not controlled by the ACES CP or this CPS. Relying Parties who rely on stale CRLs do so at their own risk. See Section 4.4 (Certificate Revocation).

    Parties who rely upon the certificates issued under the ACES CP or this CPS should

    preserve original signed data, the applications necessary to read and process that data,

    and the cryptographic applications needed to verify the digital signatures on that data foras long as it may be necessary to verify the signature on that data.
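The reliance conditions in (c) and the warning about stale CRLs describe a procedure a Relying Party application can check mechanically. The Go program below is an added example written for this page, not DST's or GSA's code: it builds a constructed CA, Subscriber certificate and CRL in memory (all names, serial numbers and validity periods are assumed), then applies the checks in order using the Go standard library's crypto/x509 package. A CRL whose thisUpdate..nextUpdate window does not cover the current time is rejected rather than trusted, which is the conservative reading of the stale-CRL sentence above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Failure classes for the reliance conditions in Section 2.1.6(c).
var ErrChain = errors.New("certificate does not validate against the Authorized CA")
var ErrSignature = errors.New("signature does not verify with the certificate's public key")
var ErrCRL = errors.New("CRL is unparsable or not signed by the Authorized CA")
var ErrStaleCRL = errors.New("CRL is stale: current time is outside thisUpdate..nextUpdate")
var ErrRevoked = errors.New("certificate serial is listed as revoked")

// Rely applies the Relying Party checks in order: validate the certificate against the CA, verify
// the signature with the certificate's public key, then confirm status from a current CA-signed CRL.
func Rely(ca, leaf *x509.Certificate, crlDER, signed, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("%w: %v", ErrChain, err)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, signed, sig); err != nil {
		return fmt.Errorf("%w: %v", ErrSignature, err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return ErrCRL
	}
	// A stale CRL (outside thisUpdate..nextUpdate) may omit later revocations, so it is rejected, not trusted.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

type TestPKI struct { // constructed CA and Subscriber for this demonstration only; not DST's PKI
	CA, Subscriber *x509.Certificate
	caKey, subKey  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T { // fixture helper: abort if test setup fails
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestPKI builds a self-signed CA and one Subscriber signing certificate valid around now.
func NewTestPKI(now time.Time) *TestPKI {
	caKey, subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := func(serial int64, cn string, ku x509.KeyUsage, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: ku, BasicConstraintsValid: isCA, IsCA: isCA}
	}
	caTpl := tpl(1, "Example ACES CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true)
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	subTpl := tpl(1001, "Example Subscriber (constructed)", x509.KeyUsageDigitalSignature, false)
	sub := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subTpl, ca, &subKey.PublicKey, caKey))))
	return &TestPKI{CA: ca, Subscriber: sub, caKey: caKey, subKey: subKey}
}

// Sign produces the Subscriber's ECDSA-SHA256 signature over msg; only the Subscriber holds subKey.
func (p *TestPKI) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, p.subKey, digest[:])
}

// CRL issues a CA-signed CRL valid for [thisUpdate, nextUpdate] that lists the given serials.
func (p *TestPKI) CRL(thisUpdate, nextUpdate time.Time, revoked ...*big.Int) ([]byte, error) {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revoked {
		tpl.RevokedCertificates = append(tpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, tpl, p.CA, p.caKey)
}

func main() {
	now, msg := time.Now(), []byte("constructed transaction: approve form 1234")
	p := NewTestPKI(now)
	crl := must(p.CRL(now.Add(-time.Hour), now.Add(time.Hour))) // current CRL, nothing revoked
	fmt.Println("reliance:", Rely(p.CA, p.Subscriber, crl, msg, must(p.Sign(msg)), now))
}
```

Rely returns nil only when every condition holds and a distinct sentinel error otherwise, so a Relying Party application can record which step failed. In production the CA certificate would come from the repository and the CRL (or an OCSP response) from the validation service this CPS names; the in-memory fixtures stand in for both.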

    2.1.7 Policy Authority Obligations

    The Policy Authority is responsible for the terms and maintenance of the ACES CP.

    2.2 LIABILITIES

Except as expressly provided in written contracts, including DST's ACES Contract, and according to specific certificate policies and other statutory and regulatory requirements, DST disclaims all warranties and obligations of any type, including any warranty of merchantability, any warranty of fitness for a particular purpose, and any warranty of accuracy of information provided.


Nothing in the ACES CP or this CPS shall create, alter, or eliminate any other obligation, responsibility, or liability that may be imposed on any Program Participant by virtue of any contract or obligation that is otherwise determined by applicable law.

DST SHALL HAVE NO LIABILITY FOR LOSS DUE TO USE OF A DST-ISSUED ACES CERTIFICATE, UNLESS THE LOSS IS PROVEN TO BE A PROXIMATE RESULT OF THE NEGLIGENCE, FRAUD OR WILLFUL MISCONDUCT OF DST.

IN NO EVENT SHALL DST BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, REMOTE, EXEMPLARY, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR BUSINESS INTERRUPTION, LOSS OF PROFITS, REVENUES OR SAVINGS, REGARDLESS OF THE FORM OF ACTION AND REGARDLESS OF WHETHER DST WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

DST SHALL INCUR NO LIABILITY IF DST IS PREVENTED, FORBIDDEN OR DELAYED FROM PERFORMING, OR OMITS TO PERFORM, ANY ACT OR REQUIREMENT BY REASON OF ANY PROVISION OF ANY APPLICABLE LAW, REGULATION OR ORDER, THE FAILURE OF ANY ELECTRICAL, COMMUNICATION OR OTHER SYSTEM OPERATED BY ANY PARTY OTHER THAN DST OR ANY ACT OF GOD, EMERGENCY CONDITION OR WAR OR OTHER CIRCUMSTANCE BEYOND THE CONTROL OF DST.

Any applicable limitation of DST's liability contained in any DST Subscriber Agreement or DST Relying Party Agreement, respectively, shall apply to any claim against DST by such Subscriber or Relying Party, respectively.

    2.2.1 DST Liability

See Section 2.2. Tort liability for transactions involving Certificates issued under the ACES Contract is governed by the Federal Tort Claims Act. DST asserts the Government Contractor defense, which is applicable to DST to the extent that DST has met the standard of care spelled out by the ACES Contract. Other limitations and disclaimers of liability may exist in agreements between DST and Program Participants. Use outside of an agreement with GSA or DST is prohibited and is at such party's own risk.

    2.2.2 RA, CMA, and Repository Liability

    See Section 2.2 and Section 2.2.1.

    2.3 FINANCIAL RESPONSIBILITY

    No stipulation.


    2.3.1 Indemnification by Relying Parties

A Relying Party under a DST ACES Relying Party Agreement shall indemnify DST under the applicable terms and conditions of any indemnification provision therein.

    2.3.2 Indemnification by Subscriber

A Subscriber under a DST ACES Subscriber Agreement shall indemnify DST under the applicable terms and conditions of any indemnification provision therein.

    2.3.3 Fiduciary Relationships

Issuance of ACES Certificates by DST or its representatives or agents in accordance with this CPS does not make DST or its representatives or agents fiduciaries, trustees, or representatives of Subscribers or Relying Parties.

    2.3.4 Administrative Processes

    No stipulation.

    2.4 INTERPRETATION AND ENFORCEMENT

    2.4.1 Governing Law

The laws of the United States and the State of Utah shall govern the enforceability, construction, interpretation, and validity of this CPS.

    2.4.2 Severability, Survival, Merger, Notice

Should it be determined that one section of this CPS is incorrect or invalid, the other sections of this CPS shall remain in effect until the CPS is updated.

    2.4.3 Dispute Resolution Procedures

In the event of any dispute or disagreement between two or more of the Program Participants (Disputing Parties) arising out of or relating to the ACES CP or ACES Contracts, this CPS, or relevant Agreements related to this policy, which include Relying Party Agreements and Subscriber Agreements, the Disputing Parties shall use their best efforts to settle the dispute or disagreement through negotiations in good faith following notice from one Disputing Party to the other(s). If the Disputing Parties cannot reach a mutually agreeable resolution of the dispute or disagreement within sixty (60) days following the date of such notice, then the Disputing Parties may present the dispute to the GSA ACES Contract Officer for resolution.

Any Contract dispute between DST and GSA shall be handled under the terms and conditions of the ACES Contract.


    2.5 FEES

    2.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees

Fees may be assessed for certificate issuance and for certificate renewal (re-key). Fees will not be assessed for certificate suspension and revocation.

2.5.2 Certificate Access Fees

DST shall not impose any certificate access fees on Subscribers with respect to the content of their own ACES Certificate(s) or the status of such ACES Certificate(s).

2.5.3 Revocation Status Information Access Fees (Certificate Validation Services)

Fees may be assessed for certificate validation services based upon Relying Party agreements negotiated between DST and the validating party.

2.5.4 Fees for Other Services such as Policy Information

DST may charge for recovery of escrowed decryption keys, but shall not impose fees for access to policy information.

2.5.5 Refund Policy

Refunds are not provided unless other arrangements are specifically made through customer agreements.

    2.6 PUBLICATION AND REPOSITORY

    2.6.1 Publication of Information

ACES Certificates issued by DST contain pointers to locations where certificate-related information is published. DST's secure online Repository is available to Subscribers and Relying Parties at DST's LDAP repository directory, which contains: (1) all ACES Certificates issued by DST that have been accepted by Subscribers; and (2) Authority Revocation Lists / Certificate Revocation Lists (ARLs/CRLs), as specified by the ACES Contract and the ACES Policy Office. Online certificate status information is available through DST's ACES validation services. DST's Federal web pages for ACES contain links to: (1) DST's ACES Certificate for its signing key; (2) past and current versions of DST's ACES CPS; (3) a copy of the ACES CP; and (4) other relevant information about ACES Certificates.

    2.6.2 Frequency of Publication

All information to be published in the repository shall be published immediately after such information is available to DST. DST will publish ACES Certificates immediately upon acceptance of such ACES Certificates. Information relating to the status of an ACES Certificate will be published in accordance with DST's GSA ACES Contract.

    2.6.3 Access Controls

DST does not impose any access controls on the ACES CP, DST's ACES Certificate for its signing key, and past and current versions of this CPS as well as subscriber certificates and status information. DST does, however, impose access controls to ensure authentication of Subscribers with respect to their own certificate(s) and the status of such certificate(s) and personal registration information, which is separately managed from the public certificate and status repository. Access is restricted in accordance with Section 2.8.1.1. Access to information in DST's ACES repositories is otherwise determined by the GSA pursuant to its authorizing and controlling statutes.

    2.6.4 Repositories

Information in DST's ACES repository is protected in accordance with the Privacy Act of 1974 as set forth in DST's Privacy Policies and Procedures (PPP), available at DST's Federal web pages for ACES, and other privacy- and security-related documents that are maintained internally by DST. See Section 2.8.1.1.

    2.7 INSPECTIONS AND REVIEWS

DST is subject to inspections and reviews in accordance with Federal regulations and GSA policy and security guidelines (See Appendix D to the ACES CP). DST's system security test and evaluation plan describes how the security features and controls of its systems are to be tested and reviewed when significant modifications are made. DST is also subject to examination and the regulatory authority of the Office of the Comptroller of the Currency (OCC) under 12 U.S.C. 867(c). DST's commercial practices are audited as required by the OCC and states where DST is licensed as a CA. Full or partial audit results may be released to the extent permitted by law, regulation, contract or DST management. DST is audited annually pursuant to the American Institute of Certified Public Accountants (AICPA) / Canadian Institute of Chartered Accountants (CICA) Web Trust Program for Certification Authorities (CA Web Trust). In addition to examination and regulation by the OCC, CA Web Trust, and other audits performed by independent auditors, DST is subject to the GSA's Certification and Accreditation (C&A) process.

    2.7.1 Certification and Accreditation

In accordance with the ACES CP and the DST ACES Contract, DST and its CA system subcontractors must undergo ACES Security C&A as a condition of obtaining and retaining approval to operate as an Authorized CA under the ACES CP. The C&A process verifies that DST has in place and follows a system that assures that the quality of its CA Services conforms to the requirements of the ACES CP and its ACES Contract. C&A is performed in accordance with Federal regulations and GSA policy and supporting security guidelines (See Appendix D to the ACES CP).


    2.7.1.1 Frequency of Certification Authority Compliance Review

DST has passed previous C&As and has demonstrated compliance with the ACES CP, its ACES CPS, and its GSA ACES Contract. The GSA and other authorized Federal entities may perform periodic and aperiodic compliance audits or inspections of DST, subordinate CA, or RA operations to validate that the subordinate entities are operating in accordance with the security practices and procedures described in their respective CPSs, Registration Practices Statements (RPSs), SSPs and PPPs.

    2.7.1.2 Identity/Qualifications of Reviewer

    See Section 2.7.1.2 of the ACES CP.

    2.7.1.3 Auditor's Relationship to Audited Party

    See Section 2.7.1.3 of the ACES CP.

    2.7.1.4 Communication of Results

    See Section 2.7.1.4 of the ACES CP.

    2.7.2 Quality Assurance Inspection and Review

    2.7.2.1 Topics Covered by Quality Assurance Inspection and Review

The purpose of a quality assurance inspection and review of DST is to verify that it is operating in compliance with the requirements of the ACES CP, its ACES Contract, and this CPS. Quality assurance inspections of DST are conducted pursuant to the AICPA/CICA's Web Trust Program for Certification Authorities (CA Web Trust).

    2.7.2.2 Identity/Qualifications of Reviewer

DST's compliance auditors demonstrate competence in the field of compliance audits, and are thoroughly familiar with the requirements that DST imposes on the issuance and management of its certificates. The auditor performs such compliance audits as its primary responsibility. See Sections 2.7.1.2, 2.7.1.3 and 2.7.2.3.

    2.7.2.3 Auditor's Relationship to Audited Party

DST's compliance auditors are representatives from the OCC, the GSA, firms specializing in information systems and network security, and private, unaffiliated and nationally recognized accounting firms.

    2.7.2.4 Audit Compliance Report

The results of DST's compliance audit are fully documented, and reports resulting from Quality Assurance Inspections are submitted to GSA within 30 calendar days of the date of their completion.

    2.7.2.5 Actions Taken as a Result of Deficiency

DST shall correct any deficiencies noted during compliance reviews, as specified by GSA. Also, if irregularities are found during OCC compliance audits, the OCC may require appropriate remedial action or terminate DST operations after appropriate notice to existing clients. The results of compliance audits will not be made public except as described in Section 2.7.2.6.

    2.7.2.6 Communication of Results

DST posts its auditor's CA Web Trust certification on its web site in accordance with applicable AICPA audit-reporting standards. Audit information that might pose an immediate threat of harm to Program Participants or that could potentially compromise the future security of DST's operations is not made publicly available.

    2.8 CONFIDENTIALITY

DST implements appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained, in accordance with Title 5, U.S.C., Sec. 552a.

    2.8.1 Types of Information to Be Kept Confidential

    2.8.1.1 Privacy Policy and Procedures

DST's written Privacy Policies and Procedures (PPP), designed to ensure compliance with the requirements of 5 U.S.C. 552a, Appendix I to OMB Circular A-130, and the ACES Contract, may be found in Section 9 of this CPS.

    2.8.1.2 Subscriber Information

Certificates issued by DST only contain information that is necessary for their effective use. Non-Certificate information, however, is requested from applicants and is required to identify Subscribers, issue Certificates and manage information on behalf of Subscribers. Such information includes numeric identifiers of driver's licenses, credit card accounts, passports, social security numbers and other identifiers, as well as business or home addresses and telephone numbers. (See Section 3.1.9.1.) Such personal information collected by DST is treated as private and is not disclosed unless otherwise required by law or for auditing purposes. All non-Certificate, non-repository information in DST records will be handled as sensitive, and access will be restricted to those with business, operational or official needs. Certificate-restricted access will require presentation of a user's Certificate, and only the appropriate access permissions will be granted to the user.

DST protects the confidentiality of personal information regarding Subscribers that is collected during the applicant registration, ACES Certificate application, authentication, and certificate status checking processes in accordance with the Privacy Act of 1974, Appendix III to Office of Management and Budget (OMB) Circular A-130, GSA Order 2100.1A, and supporting GSA security guidelines. Such information is used only for the purpose of providing CA Services and carrying out the provisions of the ACES CP and DST's ACES Contract, and is not disclosed in any manner to any person without the prior consent of the Subscriber, unless otherwise required by law, except as may be necessary for the performance of CA Services in accordance with DST's ACES Contract.

In addition, personal information submitted by Subscribers:

(a) Shall be made available by DST to the Subscriber involved following an appropriate request by such Subscriber;

(b) Shall be subject to correction and/or revision by such Subscriber;

(c) Shall be protected by DST in a manner designed to ensure the data's integrity; and

(d) Shall not be used or disclosed by DST for purposes other than the direct operational support of ACES unless such use is authorized by the Subscriber involved.

For purposes of notification of the existence of and granting access to records, DST shall permit the parent of any minor, or the legal guardian of any individual declared to be incompetent by a court of competent jurisdiction, to act on behalf of such individual.

Under no circumstances shall DST (or any Authorized RA, CMA, or Repository) have access to the private signature keys of any Subscriber to whom it issues an ACES Certificate.

    2.8.1.3 GSA and Other Government Information

DST shall take reasonable steps to protect the confidentiality of any GSA, Relying Party, or other Government information provided to DST. Such information shall be used only for the purpose of providing CA Services and carrying out the provisions of the ACES CP and DST's ACES Contract, and shall not be disclosed in any manner to any person except as may be necessary for the performance of CA Services in accordance with DST's ACES Contract.

    2.8.2 Types of Information Not Considered Confidential

Information contained on a single ACES Certificate or related status information shall not be considered confidential, when the information is used in accordance with the purposes of providing CA Services and carrying out the provisions of the ACES CP and DST's ACES Contract and in accordance with the Privacy Act of 1974, and Appendix III to Office of Management and Budget (OMB) Circular A-130. However, a compilation of such information shall be treated as confidential.

    2.8.3 Disclosure of Certificate Revocation/Suspension Information

    See 2.8.2.

    2.8.4 Release to Law Enforcement Officials

DST may release sensitive information to law enforcement officials as required by law, government rule or regulation, or order of a court of competent jurisdiction. Disclosure is permitted to any agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity. DST will make reasonable efforts to provide notice of any such disclosures except when it is prohibited by law (e.g., ongoing criminal investigations, national security, etc.).

    2.9 SECURITY REQUIREMENTS

DST is required to have the following minimum security controls in place:

• Technical and/or security evaluation complete

• Risk assessment conducted

• Rules of behavior established and signed by users

• Contingency Plan developed and tested

• Security Plan developed, updated, and reviewed

• System meets all applicable Federal laws, regulations, policies, guidelines, and standards

• In-place and planned security safeguards appear to be adequate and appropriate for the system, i.e., the level of controls should be consistent with the level of sensitivity of the system.

DST shall not publish or disclose in any manner, without the GSA ACO's written consent, the details of any safeguards either designed or developed by DST under the ACES Contract or otherwise provided by the Government.

No party may use any software, program, routine, query, device or manual process in an attempt to: bypass security measures (including attempting to probe, scan or test vulnerabilities to breach security); access data for which they are unauthorized to access; interfere with the proper working of DST's CA systems; or impose a disproportionately large load on (i.e., overload or crash) the infrastructure supporting DST's systems (e.g., DOS/DDOS attacks, viruses, etc.). The unauthorized use of any robot, spider, software, routine, meta-search, automated query to monitor, copy or make any other unauthorized uses of DST's systems is strictly prohibited and will be prosecuted to the fullest extent allowed by law. DST reserves the right to block any activity that it interprets as a runaway application, attack or other event that might be an attempt to bring down DST's ACES PKI infrastructure and systems.

    2.9.1 System Security Plan

DST has prepared and maintains a System Security Plan (SSP) in accordance with requirements set forth in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES Contract.

    2.9.2 Risk Management

DST conducts periodic risk assessments and maintains its ACES systems at the level of residual risk accepted by the designated approving authority in accordance with OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES Contract.

    2.9.3 Certification and Accreditation

Certification and Accreditation of DST's ACES system shall be performed and maintained in accordance with requirements set forth in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES Contract.

    2.9.4 Rules of Behavior

The SSP includes the rules of conduct that will be used to instruct DST's officers and employees in compliance requirements and penalties for noncompliance. DST's rules of behavior are developed and implemented in accordance with requirements set forth in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES Contract.

    2.9.5 Contingency Plan

DST develops, implements, maintains, and periodically tests its contingency plan for its ACES system in accordance with guidelines provided in OMB Circular A-130, NIST 800-18, FIPS PUB 87, and GSA Order 2100.1A and all supporting GSA security guidelines.

    2.9.6 Incident Response Capability

DST is able to provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities and threats. A security incident is defined to be any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromises of confidentiality, loss of accountability, or damage to any part of the system.


Incident response procedures and reporting of security incidents shall be in accordance with guidelines provided in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES contract.

    2.10 INTELLECTUAL PROPERTY RIGHTS

Private keys shall be treated as the sole property of the legitimate holder of the corresponding public key identified in an ACES Certificate. Access Certificates for Electronic Services, ACES, and the ACES OIDs are the property of GSA, which may be used only by DST in accordance with the provisions of the ACES CP and DST's ACES Contract. Any other use of the above without the express written permission of GSA is expressly prohibited.


SECTION 3 IDENTIFICATION AND AUTHENTICATION

    3.1 INITIAL REGISTRATION

Subject to the requirements noted below, applications for ACES Certificates may be communicated from the applicant to DST, a Trusted Agent, or an Authorized RA, and authorizations to issue ACES Certificates may be communicated from an Authorized RA or Trusted Agent to DST, (1) electronically, provided that all communication is secure, (2) by U.S. Postal Service first-class mail, or (3) in person. Certificates issued to business representatives and Federal employees require a face-to-face registration process to validate ide