GlobalSign Certification Practice Statement

1 CA Digitally signed by Governance CA Governance Policy Authority Policy Date: Authority 15:49:02 +01'00'. GlobalSign Certification Practice Statement Date: November 30, 2021. Effective date for Qualified Timestamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks}. Version: Table of Contents TABLE OF CONTENTS .. 2. DOCUMENT HISTORY .. 8. ACKNOWLEDGMENTS ..11. INTRODUCTION ..12. OVERVIEW .. 14. Certificate Naming .. 17. DOCUMENT NAME AND IDENTIFICATION .. 19. PKI PARTICIPANTS .. 25. Certification Authorities .. 25. Registration Authorities .. 25. Subscribers .. 27. Relying Parties .. 27. Other Participants .. 28. CERTIFICATE USAGE .. 28. Appropriate Certificate Usage.

2 28. Prohibited Certificate usage .. 30. POLICY ADMINISTRATION .. 31. Organization Administering the Document .. 31. Contact Person .. 31. Person Determining CPS Suitability for the 31. CPS Approval Procedures .. 32. DEFINITIONS AND ACRONYMS .. 32. PUBLICATION AND REPOSITORY RESPONSIBILITIES ..40. REPOSITORIES .. 40. PUBLICATION OF CERTIFICATE INFORMATION .. 41. TIME OR FREQUENCY OF 41. ACCESS CONTROLS ON REPOSITORIES .. 42. IDENTIFICATION AND AUTHENTICATION ..42. NAMING .. 42. Types of 42. Need for Names to be Meaningful .. 42. Anonymity or Pseudonymity of Subscribers .. 42. Rules for Interpreting Various Name Forms .. 43. Uniqueness of Names .. 43. Recognition, Authentication, and Role of Trademarks .. 43. INITIAL IDENTITY 44. Method to Prove Possession of Private Key .. 44.

3 Authentication of Organization Identity .. 44. Authentication of Individual identity .. 46. Non-Verified Subscriber Information .. 50. Validation of Authority .. 51. Criteria for Interoperation .. 52. Authentication of Domain Names .. 53. Authentication of Email addresses .. 54. IDENTIFICATION AND AUTHENTICATION FOR RE-KEY 54. Identification and Authentication for Routine Re-key .. 54. Identification and Authentication for Reissuance after Revocation .. 55. Re-verification and Revalidation of Identity When Certificate Information Changes .. 55. Identification and Authentication for Re-key After Revocation .. 55. IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST .. 55. GlobalSign CPS ( Certification Practice Statement ) 2 of 97. Version: CERTIFICATE LIFECYCLE OPERATIONAL REQUIREMENTS.

4 56. CERTIFICATE APPLICATION .. 56. Who Can Submit a Certificate Application .. 56. Enrollment Process and Responsibilities .. 56. CERTIFICATE APPLICATION PROCESSING .. 57. Performing Identification and Authentication Functions .. 57. Approval or Rejection of Certificate Applications .. 57. Time to Process Certificate Applications .. 57. CERTIFICATE ISSUANCE .. 58. CA Actions during Certificate Issuance .. 58. Notifications to Subscriber by the CA of Issuance of Certificate .. 58. Notification to North American Energy Standards Board (NAESB) Subscribers by the CA of Issuance of Certificate .. 58. CERTIFICATE ACCEPTANCE .. 58. Conduct Constituting Certificate Acceptance .. 58. Publication of the Certificate by the CA .. 58. Notification of Certificate Issuance by the CA to Other Entities.

5 59. KEY PAIR AND CERTIFICATE 59. Subscriber Private Key and Certificate Usage .. 59. Relying Party Public Key and Certificate Usage .. 59. CERTIFICATE RENEWAL .. 59. Circumstances for Certificate Renewal .. 59. Who May Request Renewal .. 60. Processing Certificate Renewal Requests .. 60. Notification of New Certificate Issuance to Subscriber .. 60. Conduct Constituting Acceptance of a Renewal Certificate .. 60. Publication of the Renewal Certificate by the CA .. 60. Notification of Certificate Issuance by the CA to Other Entities .. 60. CERTIFICATE RE-KEY .. 60. Circumstances for Certificate Re-Key .. 60. Who May Request Certification of a New Public Key .. 61. Processing Certificate Re-Keying Requests .. 61. Notification of New Certificate Issuance to Subscriber .. 61. Conduct Constituting Acceptance of a Re-Keyed Certificate.

6 61. Publication of the Re-Keyed Certificate by the CA .. 61. Notification of Certificate Issuance by the CA to Other Entities .. 62. CERTIFICATE MODIFICATION .. 62. Circumstances for Certificate Modification .. 62. Who May Request Certificate 62. Processing Certificate Modification Requests .. 62. Notification of New Certificate Issuance to Subscriber .. 62. Conduct Constituting Acceptance of Modified Certificate .. 62. Publication of the Modified Certificate by the CA .. 62. Notification of Certificate Issuance by the CA to Other Entities .. 62. CERTIFICATE REVOCATION AND SUSPENSION .. 62. Circumstances for Revocation .. 62. Who Can Request Revocation .. 64. Procedure for Revocation Request .. 65. Revocation Request Grace Period .. 65. Time Within Which CA Must Process the Revocation Request.

7 65. Revocation Checking Requirements for Relying Parties .. 65. CRL Issuance Frequency .. 66. Maximum Latency for CRLs .. 66. On-Line Revocation/Status Checking Availability .. 66. On-Line Revocation Checking Requirements .. 66. Other Forms of Revocation Advertisements Available .. 67. GlobalSign CPS ( Certification Practice Statement ) 3 of 97. Version: Special Requirements Related to Key Compromise .. 67. Circumstances for Suspension .. 67. Who Can Request Suspension .. 67. Procedure for Suspension 67. Limits on Suspension Period .. 67. CERTIFICATE STATUS SERVICES .. 67. Operational Characteristics .. 67. Service Availability .. 68. Operational Features .. 68. END OF 68. KEY ESCROW AND RECOVERY .. 68. Key Escrow and Recovery Policy and practices .. 68. Session Key Encapsulation and Recovery Policy and practices .

8 68. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ..68. PHYSICAL CONTROLS .. 69. Site Location and Construction .. 69. Physical 69. Power and Air Conditioning .. 69. Water Exposures .. 69. Fire Prevention and Protection .. 69. Media Storage .. 69. Waste Disposal .. 69. Off-Site Backup .. 69. PROCEDURAL CONTROLS .. 69. Trusted Roles .. 69. Number of Persons Required per Task .. 70. Identification and Authentication for Each Role .. 70. Roles Requiring Separation of 70. PERSONNEL CONTROLS .. 70. Qualifications, Experience, and Clearance 70. Background Check Procedures .. 71. Training 71. Retraining Frequency and Requirements .. 71. Job Rotation Frequency and Sequence .. 71. Sanctions for Unauthorized Actions .. 71. Independent Contractor Requirements .. 71. Documentation Supplied to 71.

9 AUDIT LOGGING PROCEDURES .. 72. Types of Events Recorded .. 72. Frequency of Processing Log .. 73. Retention Period for Audit Log .. 73. Protection of Audit Log .. 73. Audit Log Backup Procedures .. 73. Audit Collection System .. 73. Notification to Event-Causing Subject .. 73. Vulnerability Assessments .. 73. RECORDS ARCHIVAL .. 73. Types of Records Archived .. 73. Retention Period for Archive .. 73. Protection of Archive .. 74. Archive Backup Procedures .. 74. Requirements for Timestamping of 74. Archive Collection System (Internal or External) .. 74. Procedures to Obtain and Verify Archive Information .. 74. KEY CHANGEOVER .. 74. COMPROMISE AND DISASTER RECOVERY .. 74. GlobalSign CPS ( Certification Practice Statement ) 4 of 97. Version: Incident and Compromise Handling Procedures.

10 74. Computing Resources, Software, and/or Data Are Corrupted .. 75. Entity Private Key Compromise Procedures .. 75. Availability of revocation status .. 75. Business Continuity Capabilities After a Disaster .. 75. CA OR RA TERMINATION .. 75. Successor Issuing Certification Authority .. 76. TECHNICAL SECURITY KEY PAIR GENERATION AND INSTALLATION .. 76. Key Pair Generation .. 76. Private Key Delivery to Subscriber .. 76. Public Key Delivery to Certificate Issuer .. 77. CA Public Key Delivery to Relying Parties .. 77. Key 77. Public Key Parameters Generation and Quality Checking .. 78. Key Usage Purposes (as per v3 Key Usage Field) .. 78. PRIVATE KEY PROTECTION AND CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS .. 78. Cryptographic Module Standards and Controls .. 78. Private Key (n out of m) Multi-Person Control.