From ea81c834411722600bfc7f383c03647d9d273fc2 Mon Sep 17 00:00:00 2001 From: Paul van Brouwershaven Date: Thu, 17 Oct 2024 11:59:08 +0200 Subject: [PATCH 1/2] Update for Subscriber Agreement and CPR reporting methods --- entrust.md | 81 +++++++++++++++--------------------------------------- 1 file changed, 22 insertions(+), 59 deletions(-) diff --git a/entrust.md b/entrust.md index 090abe1..a43497a 100644 --- a/entrust.md +++ b/entrust.md @@ -1,10 +1,10 @@ --- title: Entrust Certificate Services subtitle: Certification Practice Statement -version: 3.23 +version: 3.24 author: - Entrust -date: September 11, 2024 +date: September 19, 2024 copyright: © 2024 Entrust Limited. All rights reserved --- @@ -97,6 +97,7 @@ This document is called the Entrust Certificate Services Certification Practice | 3.21 | May 14, 2024 | Subject/Subscriber changes, Certificate profile updates | | 3.22 | July 31, 2024 | Change SSL Certificate to OV TLS Certificate and EV SSL Certificate to EV TLS Certificate | | 3.23 | September 11, 2024 | Correct practices to support verification of Business Entities | +| 3.24 | September 19, 2024 | Update for Subscriber Agreement and CPR reporting methods | ## 1.3 PKI Participants @@ -383,7 +384,7 @@ The contact information for questions about Certificates is: > Tel: [1-866-267-9297](tel:+18662679297) or [1-613-270-2680](tel:+16132702680) > Email: [ecs.support@entrust.com](mailto:ecs.support@entrust.com) -Certificate Problem Reports, such as Certificate misuse, vulnerability reports or external reports of key compromise, must be emailed to [ecs.support@entrust.com](mailto:ecs.support@entrust.com). +Certificate Problem Reports, such as Certificate misuse, vulnerability reports or external reports of key compromise, must be posted to or emailed to [problemreport@entrust.com](mailto:problemreport@entrust.com). Contact details are also provided and maintained in the CCADB. 
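Review bot: The added Certificate Problem Reports line reads "must be posted to or emailed to" with no destination after "posted to", so a reporter only has the e-mail address to act on. Name the posting location explicitly or drop "posted to or". The context lines just above still give ecs.support@entrust.com for Certificate questions, which was the previous address for problem reports; it would help to state whether reports sent there are still handled, since external key compromise reports are time-sensitive.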
@@ -605,7 +606,7 @@ This CPS and any subsequent changes shall be approved by the Policy Authority. **Subscriber:** means a person, entity, or organization that has applied for and has been issued a Certificate. -**Subscriber Agreement:** means the agreement between a Subscriber and Entrust (or an Affiliate of Entrust) or between a Subscriber and an independent third-party RA or Reseller under a CA in respect to the issuance, management, and provision of access to a Certificate and the provision of other services in respect to such Certificate. The Subscriber Agreement may consist of one or more parts. +**Subscriber Agreement:** means the agreement(s) between a Subscriber and Entrust (or an Affiliate of Entrust) acting as the CA or between a Subscriber and an independent third-party RA or Reseller under a CA that specifies the rights and responsibilities of the Subscriber and the CA with respect to a particular type of Certificate. There may be a separate Subscriber Agreement for each type of Certificate requested. A Subscriber Agreement may consist of one or more parts. **Subsidiary Company:** as defined in the Baseline Requirements. @@ -1659,7 +1660,7 @@ Relying Parties shall conform to §9.6.4. ### 4.6.1 Circumstance for certificate renewal -In accordance with the Subscriber Agreement, CAs or RAs will provide a Certificate lifecycle monitoring service which will support Certificate renewal. +CAs or RAs may provide a Certificate lifecycle monitoring service which will support Certificate renewal. ### 4.6.2 Who may request renewal 
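Review bot: The new 4.6.1 sentence mixes modals: "may provide a Certificate lifecycle monitoring service which will support Certificate renewal". With the service now optional and the reference to the Subscriber Agreement removed, the section no longer states any circumstance for renewal when the service is not offered. Suggest "which supports Certificate renewal" and one sentence on who is responsible for tracking expiry when no monitoring service is provided.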
@@ -3011,7 +3012,7 @@ Entrust will monitor CAs which have been issued a Technically Constrained Subord ## 9.1 Fees -Unless otherwise set out in a Subscriber Agreement, the fees for services provided by Entrust with respect to Certificates are set forth on the websites (including e-commerce sites)operated by Entrust. Unless otherwise set out in a Subscriber Agreement, these fees are subject to change, and any such changes shall become effective immediately after posting on such websites (including e-commerce sites). The fees for services provided by independent third-party RAs, Resellers and Co-marketers in respect to Certificates are set forth on the websites operated by such RAs, Resellers and Co-marketers. These fees are subject to change, and any such changes shall become effective immediately after posting on such websites. +Unless otherwise set out in a contract with Entrust, the fees for services provided by Entrust with respect to Certificates are set forth on the websites (including e-commerce sites) operated by Entrust. Unless otherwise set out in a contract with Entrust, these fees are subject to change, and any such changes shall become effective immediately after posting on such websites (including e-commerce sites). The fees for services provided by independent third-party RAs, Resellers and Co-marketers in respect to Certificates are set forth on the websites operated by such RAs, Resellers and Co-marketers. These fees are subject to change, and any such changes shall become effective immediately after posting on such websites. ### 9.1.1 Certificate issuance or renewal fees 
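Review bot: "contract with Entrust" in both added 9.1 sentences is not a defined term, and the 9.9.3 hunk of this same patch uses "AN AGREEMENT WITH ENTRUST" for what looks like the same carve-out. Use one term in both places, and say whether a Subscriber Agreement still qualifies, since the removed wording named it explicitly.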
@@ -3107,7 +3108,7 @@ If a Certificate is revoked by a CA, the Certificate status will be provided by ## 9.5 Intellectual property rights -Entrust retains all right, title, and interest (including all intellectual property rights), in, to and under the CPS and all Certificates, except for any information that is supplied by an Applicant or a Subscriber and that is included in a Certificate, which information shall remain the property of the Applicant or Subscriber. Subject to availability, Entrust may in its discretion make copies of one or more Subordinate CA Certificate(s) available to Subscribers for use solely with the Certificate issued to such Subscribers. Entrust retains all right, title, and interest (including all intellectual property rights), in, to and under the Subordinate CA Certificate(s). Except as expressly set forth herein in Subscriber Agreement no right is or shall be deemed to be granted, whether by implication, estoppel, inference or otherwise. +Entrust retains all right, title, and interest (including all intellectual property rights), in, to and under the CPS and all Certificates, except for any information that is supplied by an Applicant or a Subscriber and that is included in a Certificate, which information shall remain the property of the Applicant or Subscriber. Subject to availability, Entrust may in its discretion make copies of one or more Subordinate CA Certificate(s) available to Subscribers for use solely with the Certificate issued to such Subscribers. Entrust retains all right, title, and interest (including all intellectual property rights), in, to and under the Subordinate CA Certificate(s). No right is or shall be deemed to be granted under this CPS, whether by implication, estoppel, inference or otherwise. ## 9.6 Representations and warranties 
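Review bot: The rewritten last sentence of 9.5, "No right is or shall be deemed to be granted under this CPS", drops the "Except as expressly set forth" qualifier, yet the same paragraph says Entrust may make Subordinate CA Certificate copies "available to Subscribers for use solely with the Certificate issued to such Subscribers". Read together, the paragraph now permits a use and then denies that any right is granted. Suggest keeping a short qualifier, for example "Except as expressly set forth herein, no right is ...", or stating that the permitted use is governed by the Subscriber Agreement.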
@@ -3142,55 +3143,17 @@ Entrust may use one or more representatives or agents to perform its obligations ### 9.6.3 Subscriber representations and warranties -As a condition of having any Certificate issued to or for Subscriber, each Subscriber (in this section, "Subscriber" includes "Applicant" when referring to any time prior to issuance of the Certificate) makes, on its own behalf and if applicable on behalf of its principal or agent under a subcontractor or hosting service relationship, the following representations, commitments, affirmations and warranties for the benefit of Certificate Beneficiaries, Entrust and any of Entrust’s Affiliates that will issue Certificates to or for Subscriber: - -**9.6.3.1 For all Certificates:** - -1. If Subscriber is applying for a Certificate to be issued to or for another Person, such Person has authorized Subscriber to act on its behalf, including to request Certificates on behalf of such Person, and to make the representations, commitments, affirmations and warranties in this §9.6.3 on behalf of such Person as well as on Subscriber’s own behalf. -2. All information provided, and all representations made, at all times, by Subscriber in relation to any Certificate Services, including in the Certificate request and otherwise in connection with Certificate issuance, are and will be complete, correct and accurate, including that any legal entity Subject legally exists as a valid entity in the jurisdiction of incorporation or registration specified in the Certificate (and such information and representations will be promptly updated from time to time as necessary to maintain such completeness, correctness and accuracy), and does not infringe, misappropriate, dilute, unfairly compete with, or otherwise violate the intellectual property, or other rights of any person, entity, or organization in any jurisdiction. 
For clarity, in submitting any request for a Certificate using pre-qualified information, a Subscriber is deemed to be making anew the representations, commitments, affirmations and warranties set out in this §9.6.3, and Entrust will have no obligation to issue any Certificate containing pre-qualified information if such information is subsequently found to have changed or to be in any way inaccurate, incorrect, or misleading. -3. The Private Key corresponding to the Public Key submitted to Entrust with the Certificate request was created using sound cryptographic techniques and all reasonable measures have been taken to, at all times, assure control of (and, in the case of Code Signing Certificates and EV Code Signing Certificates, sole control of), keep confidential, properly protect, and prohibit unauthorized use of, the Private Key (and any associated access or activation data or device, e.g., password or token), including, in the case of Code Signing Certificates and EV Code Signing Certificates, in accordance with the "Private Key Storage" provisions of the Code Signing Baseline Requirements. For clarity, Key Pairs for Code Signing and EV Code Signing Certificates, Document Signing Certificates, and Time-Stamp Certificates are required to be generated in a cryptographic module that prevents exportation or duplication and that meets or exceed the requirements as defined in §6.2.11. -4. Any device storing Private Keys will be operated and maintained in a secure manner. -5. A Certificate will not be installed or used until Subscriber (or, in the case of Code Signing Certificates, Subscriber’s Agent) has reviewed and verified that the content of the Certificate is accurate and correct. -6. 
In the case of all Entrust OV TLS Certificates and EV TLS Certificates the Certificate will be installed only on servers that are accessible at the Domain Name (subjectAltName(s)) listed in the Certificate, and in the case of S/MIME Certificates, the Certificate will only be used on email addresses listed in the Certificate. -7. Certificates and the Private Key corresponding to the Public Key listed in such Certificate will only be used in compliance with all applicable laws and solely in accordance with the Subscriber Agreement. -8. The contents of Certificates will not be improperly modified. -9. Subscriber will notify Entrust, cease all use of the Certificate and the Private Key corresponding to the Public Key in the Certificate, and request the revocation of the Certificate, - 1. promptly, if any information included in the Certificate or the application for a Certificate changes, is or becomes incorrect or inaccurate, or if any change in any circumstances would make the information in the Certificate misleading. - 2. immediately, if there is any actual or suspected Key Compromise, or if control over the Private Key has been lost for other reasons. - 3. immediately, in the case of a Code Signing Certificate or EV Code Signing Certificate, if there is evidence that the Certificate was used to sign Suspect Code. -10. Subscriber will promptly cease all use of the Certificate and the Private Key corresponding to the Public Key in such Certificate upon expiration or revocation of such Certificate. -11. Subscriber will immediately respond to Entrust’s instructions concerning any Key Compromise or misuse or suspected misuse of a Certificate. -12. Subscriber acknowledges and agrees that Entrust is entitled to revoke a Certificate immediately if: - 1. Subscriber breaches the Subscriber Agreement. - 2. Entrust discovers that there has been a Key Compromise of the Certificate’s Private Key. - 3. 
Revocation is required under the CPS, the Baseline Requirements, the EV SSL Guidelines, the Code Signing Baseline Requirements or the VMC Requirements. - 4. Entrust discovers that the Certificate is compromised or being used for Suspect Code or the Private Key corresponding to the Public Key in the Certificate has been used to digitally sign Suspect Code. -13. Where the Subject named in the Certificate(s) is a separate entity from the Subscriber, the Subject has authorized the inclusion of the Subject’s information in the Certificate. -14. Subscriber owns, controls, or has the exclusive right to use the Domain Name or email address listed in Certificate. -15. Subscriber acknowledges and agrees that Entrust is entitled to modify the Agreement when necessary to comply with any changes in Industry Standards as defined in the Subscriber Agreement. -16. Subscriber will use appropriate judgment about whether it is appropriate, given the level of security and trust provided by Certificate, to use the Certificate in any given circumstance. - -**9.6.3.2 In addition, in the case of Code Signing Certificates and EV Code Signing Certificates,** - -1. Subscriber will use commercially reasonable efforts to employ the code signing practices set out in the Code Signing Best Practices document made available or by contacting Entrust ("Code Signing Best Practices"). -2. Subscriber will generate and operate any device storing Private Keys in a secure manner, as described in the Code Signing Best Practices, and will use passwords that are randomly generated with at least 16 characters containing uppercase letters, lowercase letters, numbers, and symbols to transport Private Keys. Without limiting the foregoing, Subscriber will use one of the following options to generate and protect its Certificate private keys: - 1. 
Subscriber uses a tamper‐resistant device, with a cryptography processor, used for the specific purpose of protecting the lifecycle of cryptographic keys (generating, managing, processing, and storing) ("Hardware Crypto Module") with a unit design form factor certified as conforming to at least FIPS 140‐2 Level 2, FIPS 140-3 Level 2, or Common Criteria EAL 4+ ("Specified Requirements"); - 2. Subscriber uses a cloud‐base key generation and protection solution with the following requirements: a. key creation, storage, and usage of private key must remain within the security boundaries of the cloud solution’s Hardware Crypto Module that conforms to the Specified Requirements; b. subscription at the level that manages the private key must be configured to log all access, operations, and configuration changes on the resources securing the private key. - 3. Subscriber uses an organization that signs code on behalf of Subscriber using a private key associated with a code signing Certificate which meets the requirements of the Code Signing Baseline Requirements. -3. Subscriber will not request a Code Signing Certificate or EV Code Signing Certificate containing a Public Key that is, or will be used with any other type of Certificate. -4. The Certificate and the Private Key corresponding to the Public Key in such Certificate will only be used for authorized and legal purposes, and will not be used to digitally sign Suspect Code. -5. An adequate network and other security controls will be provided to protect against misuse of the Private Key corresponding to the Public Key in the Certificate. -6. Subscriber acknowledges and agrees that Entrust is authorized to share information about the Subscriber, signed application, Certificate, and surrounding circumstances with other certification authorities or industry groups, including the CA/Browser Forum, if: - 1. the Certificate or Subscriber is identified as a source of Suspect Code, - 2. 
the authority to request the Certificate cannot be verified, or - 3. the Certificate is revoked for reasons other than at Subscriber’s request (e.g. as a result of Private Key compromise, discovery of malware, etc.). -7. Subscriber acknowledges that ASVs may independently determine that a Certificate is malicious or compromised and that ASVs and ASV products may have the ability to modify its customer experiences or "blocklist" a Code Signing Certificate or EV Code Signing Certificate without notice to Subscriber or Entrust and without regard to the revocation status of the Code Signing Certificate or EV Code Signing Certificate. -8. Subscriber acknowledges that (a) the CA will not provide Certificates with signing keys that are less than 2048 bits, and (b) the CA will hash the Certificate with the SHA-2 algorithm. - -**9.6.3.3 In addition, in the case of VMCs:** - -1. Subscriber will apply for and use VMCs in accordance with and subject to the VMC Requirements. -2. The trademarks submitted in a VMC application represent registered trademarks that the Subscriber owns or for which it has obtained sufficient license to be able to grant the limited license in the VMC Terms, and that it will immediately revoke the VMC if it no longer owns or has a sufficient license to the applicable trademarks. +As a condition of having any Certificate issued to or for Subscriber, each Subscriber (in this section, "Subscriber" includes "Applicant" when referring to any time prior to issuance of the Certificate) makes, on its own behalf and if applicable on behalf of its principal or agent under a subcontractor or hosting service relationship, the representations, commitments, affirmations and warranties set out in each applicable Subscriber Agreement for the benefit of Certificate Beneficiaries, Entrust and any of Entrust’s Affiliates that will issue Certificates to or for Subscriber. 
Without limiting the generality of the foregoing: + +9.6.3.1 For OV TLS Certificates and EV TLS Certificates, Subscriber makes the representations and warranties set out in the TLS Certificate Subscriber Agreement posted in the Repository, which shall be in accordance with the requirements in s.9.6.3 of the Baseline Requirements. + +9.6.3.2 For Code Signing Certificates and EV Code Signing Certificates, Subscriber makes the representations and warranties set out in the Digital Certificates for Code Signing Subscriber Agreement posted in the Repository, which shall be in accordance with the requirements in s.9.6.3 of the Code Signing Baseline Requirements. + +9.6.3.3 For S/MIME Certificates, Subscriber makes the representations and warranties set out in the Digital Certificates for Email and Mobile Devices Subscriber Agreement posted in the Repository, which shall be in accordance with the requirements in s.9.6.3 of the S/MIME Baseline Requirements. + +9.6.3.4 For Document Signing Certificates, Subscriber makes the representations and warranties set out in the Certificates for Electronic Signatures and Electronic Seals Subscriber Agreement posted in the Repository. + +9.6.3.5 For VMCs, Subscriber makes the representations and warranties set out in the Digital Certificates for Marks Subscriber Agreement posted in the Repository, which shall be in accordance with the requirements in s.9.6.3 of the VMC Requirements. ### 9.6.4 Relying party representations and warranties 
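Review bot: The new 9.6.3.1 to 9.6.3.5 list has no subsection for Time-Stamp Certificates, although the removed item 3 covered them ("Key Pairs for Code Signing and EV Code Signing Certificates, Document Signing Certificates, and Time-Stamp Certificates are required to be generated in a cryptographic module ... as defined in §6.2.11"). Either add a subsection for them or confirm that requirement is still stated elsewhere in the CPS. 9.6.3.4 (Document Signing) is also the only subsection without a "which shall be in accordance with" clause, so nothing in the CPS constrains what that agreement must contain. Since key protection, Key Compromise notification and revocation commitments now live only in documents "posted in the Repository", consider identifying each agreement by version or link. Style: the added headings are plain text where the removed ones were bold, and "s.9.6.3" is used where the rest of the file writes "§9.6.3".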
@@ -3251,7 +3214,7 @@ RELYING PARTIES SHALL INDEMNIFY AND HOLD ENTRUST GROUP AND ALL INDEPENDENT THIRD ### 9.9.3 Indemnification by Subscribers -Unless otherwise set out in in a SUBSCRIBER Agreement SUBSCRIBERS SHALL INDEMNIFY AND HOLD ENTRUST AND ALL INDEPENDENT THIRD-PARTY REGISTRATION AUTHORITIES OPERATING UNDER A CERTIFICATION AUTHORITY, AND ALL APPLICATION SOFTWARE VENDORS(COLLECTIVELY, THE "INDEMNIFIED PARTIES") HARMLESS FROM AND AGAINST ANY AND ALL LIABILITIES, LOSSES, COSTS, EXPENSES, DAMAGES, CLAIMS, AND SETTLEMENT AMOUNTS (INCLUDING REASONABLE ATTORNEY’S FEES, COURT COSTS, AND EXPERT’S FEES) ARISING OUT OF OR RELATING TO ANY RELIANCE BY A RELYING PARTY ON ANY CERTIFICATE OR ANY SERVICE PROVIDED IN RESPECT TO CERTIFICATES, INCLUDING ANY (I) ERROR, MISREPRESENTATION OR OMISSION MADE BY A SUBSCRIBER IN USING OR APPLYING FOR A CERTIFICATE, (II) MODIFICATION MADE BY A SUBSCRIBER TO THE INFORMATION CONTAINED IN A CERTIFICATE, (III) USE OF A CERTIFICATE OTHER THAN AS PERMITTED BY THE CPS, THE SUBSCRIBER AGREEMENT, ANY RELYING PARTY AGREEMENT, AND APPLICABLE LAW, (IV) FAILURE BY A SUBSCRIBER TO TAKE THE NECESSARY PRECAUTIONS TO PREVENT LOSS, DISCLOSURE, COMPROMISE OR UNAUTHORIZED USE OF THE PRIVATE KEY CORRESPONDING TO THE PUBLIC KEY IN SUCH SUBSCRIBER’S CERTIFICATE, OR (V) ALLEGATION THAT THE USE OF A SUBSCRIBER’S CERTIFICATE OR THE INFORMATION CONTAINED IN A SUBSCRIBER’S CERTIFICATE INFRINGES, MISAPPROPRIATES, DILUTES, UNFAIRLY COMPETES WITH, OR OTHERWISE VIOLATES THE RIGHTS INCLUDING INTELLECTUAL PROPERTY RIGHTS OR ANY OTHER RIGHTS OF ANYONE IN ANY JURISDICTION. 
NOTWITHSTANDING THE FOREGOING, A SUBSCRIBER SHALL NOT BE OBLIGATED TO PROVIDE ANY INDEMNIFICATION TO AN INDEMNIFIED PARTY IN RESPECT TO ANY LIABILITIES, LOSSES, COSTS, EXPENSES, DAMAGES, CLAIMS, AND SETTLEMENT AMOUNTS (INCLUDING REASONABLE ATTORNEY’S FEES, COURT COSTS AND EXPERTS FEES) TO THE EXTENT THAT SUCH LIABILITIES, LOSSES, COSTS, EXPENSES, DAMAGES, CLAIMS, AND SETTLEMENT AMOUNTS (INCLUDING REASONABLE ATTORNEY’S FEES, COURT COSTS, AND EXPERT’S FEES) ARISE OUT OF OR RELATE TO ANY WILLFUL MISCONDUCT BY SUCH INDEMNIFIED PARTY. +UNLESS OTHERWISE SET OUT IN AN AGREEMENT WITH ENTRUST, SUBSCRIBERS SHALL INDEMNIFY AND HOLD ENTRUST AND ALL INDEPENDENT THIRD-PARTY REGISTRATION AUTHORITIES OPERATING UNDER A CERTIFICATION AUTHORITY, AND ALL APPLICATION SOFTWARE VENDORS(COLLECTIVELY, THE “INDEMNIFIED PARTIES”) HARMLESS FROM AND AGAINST ANY AND ALL LIABILITIES, LOSSES, COSTS, EXPENSES, DAMAGES, CLAIMS, AND SETTLEMENT AMOUNTS (INCLUDING REASONABLE ATTORNEY’S FEES, COURT COSTS, AND EXPERT’S FEES) ARISING OUT OF OR RELATING TO ANY RELIANCE BY A RELYING PARTY ON ANY CERTIFICATE OR ANY SERVICE PROVIDED IN RESPECT TO CERTIFICATES, INCLUDING ANY (I) ERROR, MISREPRESENTATION OR OMISSION MADE BY A SUBSCRIBER IN USING OR APPLYING FOR A CERTIFICATE, (II) MODIFICATION MADE BY A SUBSCRIBER TO THE INFORMATION CONTAINED IN A CERTIFICATE, (III) USE OF A CERTIFICATE OTHER THAN AS PERMITTED BY THE CPS, THE SUBSCRIBER AGREEMENT, ANY RELYING PARTY AGREEMENT, AND APPLICABLE LAW, (IV) FAILURE BY A SUBSCRIBER TO TAKE THE NECESSARY PRECAUTIONS TO PREVENT LOSS, DISCLOSURE, COMPROMISE OR UNAUTHORIZED USE OF THE PRIVATE KEY CORRESPONDING TO THE PUBLIC KEY IN SUCH SUBSCRIBER’S CERTIFICATE, OR (V) ALLEGATION THAT THE USE OF A SUBSCRIBER’S CERTIFICATE OR THE INFORMATION CONTAINED IN A SUBSCRIBER’S CERTIFICATE INFRINGES, MISAPPROPRIATES, DILUTES, UNFAIRLY COMPETES WITH, OR OTHERWISE VIOLATES THE RIGHTS INCLUDING INTELLECTUAL PROPERTY RIGHTS OR ANY OTHER RIGHTS OF ANYONE IN ANY JURISDICTION. 
NOTWITHSTANDING THE FOREGOING, A SUBSCRIBER SHALL NOT BE OBLIGATED TO PROVIDE ANY INDEMNIFICATION TO AN INDEMNIFIED PARTY IN RESPECT TO ANY LIABILITIES, LOSSES, COSTS, EXPENSES, DAMAGES, CLAIMS, AND SETTLEMENT AMOUNTS (INCLUDING REASONABLE ATTORNEY’S FEES, COURT COSTS AND EXPERTS FEES) TO THE EXTENT THAT SUCH LIABILITIES, LOSSES, COSTS, EXPENSES, DAMAGES, CLAIMS, AND SETTLEMENT AMOUNTS (INCLUDING REASONABLE ATTORNEY’S FEES, COURT COSTS, AND EXPERT’S FEES) ARISE OUT OF OR RELATE TO ANY WILLFUL MISCONDUCT BY SUCH INDEMNIFIED PARTY. ## 9.10 Term and termination @@ -3265,7 +3228,7 @@ This CPS will remain in effect until replaced by a newer version. ### 9.10.3 Effect of termination and survival -The provisions of sections 1.6, 3.1.6, 5.5, 9.1, 9.3, 9.4, 9.5, 9.7, 9.8, 9.9.2, 9.9.3, 9.10.3, 9.13, 9.14 and 9.16 shall survive termination or expiration of the CPS, any Subscriber Agreements, and any Relying Party Agreements. All references to sections that survive termination of the CPS, any Subscriber Agreements, and any Relying Party Agreements, shall include all sub-sections of such sections. All payment obligations shall survive any termination or expiration of the CPS, any Subscriber Agreements, and any Relying Party Agreements. +The provisions of sections 1.6, 3.1.6, 5.5, 9.1, 9.3, 9.4, 9.5, 9.7, 9.8, 9.9.2, 9.9.3, 9.10.3, 9.13, 9.14 and 9.16 shall survive termination or expiration of the CPS, any Subscriber Agreements, and any Relying Party Agreements. All references to sections that survive termination of the CPS, any Subscriber Agreements, and any Relying Party Agreements, shall include all sub-sections of such sections. ## 9.11 Individual notices and communications with participants 
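Review bot: The 9.10.3 hunk deletes "All payment obligations shall survive any termination or expiration of the CPS, any Subscriber Agreements, and any Relying Party Agreements" without a replacement. Section 9.1 remains in the survival list, but after this patch 9.1 only points to fees on websites or in a "contract with Entrust", so survival of amounts already owed is no longer stated in the CPS. If this is deliberate because the agreements now cover it, a short note in the commit message or the version history entry would make the intent reviewable.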
@@ -3297,7 +3260,7 @@ Unless otherwise set out in in a Subscriber Agreement or Relying Party Agreement ## 9.15 Compliance with applicable law -Certificates and related information may be subject to export, import, and/or use restrictions. Subscribers and Relying Parties will comply in all respects with any and all applicable laws, rules and regulations and obtain all permits, licenses and authorizations or certificates that may be required in connection with their exercise of their rights and obligations under any part of the CPS, Subscriber Agreement, and/or Relying Party Agreement, including use or access by any of Subscriber or Relying Party’s users. Without limiting the foregoing, Subscribers and Relying Parties will comply with all applicable trade control laws, including but not limited to any sanctions or trade controls of the European Union ("E.U."), Canada, the United Kingdom ("U.K."), and United Nations ("U.N."); the Export Administration Regulations administered by the U.S. Department of Commerce’s Bureau of Industry and Security; U.S. sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control ("OFAC"); or on the U.S. Department of Commerce Entities List ("Entities List"); and any import or export licenses required pursuant to any of the foregoing; and all applicable anti-money laundering laws, including the U.S. Bank Secrecy Act, Money Laundering Control Act, and Patriot Act, the Canadian Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the U.K. Proceeds of Crime Act, and legislation implementing the International Convention on the Suppression of the Financing of Terrorism or the money laundering provisions of the U.N. transnational Organized Crime Convention. 
Each Subscriber and Relying Party represents and warrants that: (a) neither it nor any of its users is located in, under the control of, or a national or resident of any country to which the export of any software or technology licensed under the Agreement, or related information, would be prohibited by the applicable laws, rules or regulations of the U.S., Canada, U.K., E.U., or other applicable jurisdiction; (b) neither it nor any of its users is a Person to whom the export of any software or technology licensed under the Agreement, or related information, would be prohibited by the laws of the U.S., Canada, U.K., E.U., or other applicable jurisdiction; (c) it and each of its users has and will comply with applicable laws, rules and regulations of the U.S., Canada, U.K., E.U., or other applicable jurisdiction(s) and of any state, province, or locality or applicable jurisdiction governing exports of any product or service provided by or through Entrust; (d) it and all its users will not use any product or service for any purposes prohibited by applicable laws, rules or regulations on trade controls, including related to nuclear, chemical, or biological weapons proliferation, arms trading, or in furtherance of terrorist financing; (e) neither it nor any of its users nor any of its affiliates, officers, directors, or employees is (i) an individual listed on, or directly or indirectly owned or controlled by, a Person (whether legal or natural) listed on, or acting on behalf of a Person listed on, any U.S, Canadian, E.U., U.K., or U.N. 
sanctions list, including OFAC’s list of Specially Designated Nationals or the Entities List; or (ii) located in, incorporated under the laws of, or owned (meaning 50% or greater ownership interest) or otherwise, directly or indirectly, controlled by, or acting on behalf of, a person located in, residing in, or organized under the laws of any of the countries listed at (each of (i) and (ii), a "Denied Party"); and (f) it and each of its users is legally distinct from, and not an agent of any Denied Party. In the event any of the above representations and warranties is incorrect or the Subscriber, Relying Party or any their users engages in any conduct that is contrary to sanctions or trade controls or other applicable laws, regulations, or rules, any agreements, purchase orders, performance of services, or other contractual obligations of Entrust are immediately terminated. +Certificates and related information may be subject to export, import, and/or use restrictions. Subscribers and Relying Parties will comply in all respects with any and all applicable laws, rules and regulations and obtain all permits, licenses and authorizations or certificates that may be required in connection with their exercise of their rights and obligations under any part of the CPS, Subscriber Agreement, and/or Relying Party Agreement, including use or access by any of Subscriber or Relying Party’s users. Without limiting the foregoing, Subscribers and Relying Parties will comply with all applicable trade control laws, including but not limited to any sanctions or trade controls of the European Union ("E.U."), Canada, the United Kingdom ("U.K."), and United Nations ("U.N."); the Export Administration Regulations administered by the U.S. Department of Commerce’s Bureau of Industry and Security; U.S. sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control ("OFAC"); or on the U.S. 
Department of Commerce Entities List ("Entities List"); and any import or export licenses required pursuant to any of the foregoing; and all applicable anti-money laundering laws, including the U.S. Bank Secrecy Act, Money Laundering Control Act, and Patriot Act, the Canadian Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the U.K. Proceeds of Crime Act, and legislation implementing the International Convention on the Suppression of the Financing of Terrorism or the money laundering provisions of the U.N. transnational Organized Crime Convention. Each Subscriber and Relying Party represents and warrants that: (a) neither it nor any of its users is located in, under the control of, or a national or resident of any country to which the export of any software or technology licensed under the Agreement, or related information, would be prohibited by the applicable laws, rules or regulations of the U.S., Canada, U.K., E.U., or other applicable jurisdiction; (b) neither it nor any of its users is a Person to whom the export of any software or technology licensed under the Agreement, or related information, would be prohibited by the laws of the U.S., Canada, U.K., E.U., or other applicable jurisdiction; (c) it and each of its users has and will comply with applicable laws, rules and regulations of the U.S., Canada, U.K., E.U., or other applicable jurisdiction(s) and of any state, province, or locality or applicable jurisdiction governing exports of any product or service provided by or through Entrust; (d) it and all its users will not use any product or service for any purposes prohibited by applicable laws, rules or regulations on trade controls, including related to nuclear, chemical, or biological weapons proliferation, arms trading, or in furtherance of terrorist financing; (e) neither it nor any of its users nor any of its affiliates, officers, directors, or employees is (i) an individual listed on, or directly or indirectly owned or controlled 
by, a Person (whether legal or natural) listed on, or acting on behalf of a Person listed on, any U.S, Canadian, E.U., U.K., or U.N. sanctions list, including OFAC’s list of Specially Designated Nationals or the Entities List; or (ii) located in, incorporated under the laws of, or owned (meaning 50% or greater ownership interest) or otherwise, directly or indirectly, controlled by, or acting on behalf of, a person located in, residing in, or organized under the laws of any of the countries listed as Restricted Countries at (each of (i) and (ii), a "Denied Party"); and (f) it and each of its users is legally distinct from, and not an agent of any Denied Party. In the event any of the above representations and warranties is incorrect or the Subscriber, Relying Party or any their users engages in any conduct that is contrary to sanctions or trade controls or other applicable laws, regulations, or rules, any agreements, purchase orders, performance of services, or other contractual obligations of Entrust are immediately terminated. ## 9.16 Miscellaneous provisions From 09b6759430cc903fc29090f8557e35b147147bdc Mon Sep 17 00:00:00 2001 From: Paul van Brouwershaven Date: Thu, 17 Oct 2024 12:11:11 +0200 Subject: [PATCH 2/2] Update for Government Entity registration number indication --- entrust.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/entrust.md b/entrust.md index a43497a..7dbdfe9 100644 --- a/entrust.md +++ b/entrust.md @@ -1,10 +1,10 @@ --- title: Entrust Certificate Services subtitle: Certification Practice Statement -version: 3.24 +version: 3.25 author: - Entrust -date: September 19, 2024 +date: October 9, 2024 copyright: © 2024 Entrust Limited. All rights reserved --- 
@@ -98,6 +98,7 @@ This document is called the Entrust Certificate Services Certification Practice | 3.22 | July 31, 2024 | Change SSL Certificate to OV TLS Certificate and EV SSL Certificate to EV TLS Certificate | | 3.23 | September 11, 2024 | Correct practices to support verification of Business Entities | | 3.24 | September 19, 2024 | Update for Subscriber Agreement and CPR reporting methods | +| 3.25 | October 9, 2024 | Update for Government Entity registration number indication | ## 1.3 PKI Participants @@ -978,12 +979,12 @@ Unless otherwise stated below, the CA will verify the identity and/or address of **EV TLS, EV Code Signing and Verified Mark Certificates** -In accordance with the EV SSL Guidelines or the VMC Requirements, the CA or the RA will determine: +In accordance with the EV SSL Guidelines, Code Signing Baseline Requirements, or the VMC Requirements, the CA or the RA will determine: 5. Full legal name; 6. Business Category; 7. Jurisdiction of Incorporation or Registration, which will not include information which is not relevant to the level of the Incorporating or Registration Agency; -8. Registration Number or if there is no Registration Number, the date of registration; +8. Registration Number or if there is no Registration Number, the date of registration. For Government Entities that do not have a Registration Number or readily verifiable date of creation, the phrase “Government Entity” is used in its place; 9. Physical address of Place of Business; and 10. Operational Existence.
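Review bot: In the added item 8, the literal value is written with typographic quotes (“Government Entity”) while the rest of the file uses straight quotes for quoted terms, and the item does not say what "in its place" refers to. Because this is a string that ends up in issued Certificates, spell out the exact value unambiguously (straight quotes or code formatting) and state that it is used in place of the Registration Number. The item also switches from "date of registration" in its first sentence to "date of creation" in the second; align the two or explain the difference.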