Add to collection(s) Add to saved
  1. Social Science
  2. Law

Version 2.1 - ITSC - Hong Kong University of Science and Technology

advertisement 
HKUST CA
Certification Practice Statement
IN SUPPORT OF HKUST CA CERTIFICATION SERVICES
Version :
2.1
Date :
12 November 2003
Prepared by : Information Technology Services Center
© Hong Kong University of Science & Technology
Table of Contents
1.
Introduction ..................................................................................................................... 1
1.1
Overview ............................................................................................................. 1
1.2
Scope of HKUST CA Certification Services ...................................................... 1
1.3
HKUST CA Identity ........................................................................................... 1
1.4
Publication .......................................................................................................... 2
1.5
Further Information ............................................................................................. 2
2.
HKUST CA Certification Infrastructure ......................................................................... 3
2.1
Overview ............................................................................................................. 3
2.2
Certificate Classes ............................................................................................... 3
2.2.1 Personal e-Cert ....................................................................................... 3
2.2.2 Personal (Smartcard) e-Cert ................................................................... 4
2.2.3 Secure Server e-Cert .............................................................................. 4
2.2.4 Developer e-Cert .................................................................................... 4
2.2.5 Role e-Cert ............................................................................................. 4
2.2.6 Certificate Class Properties .................................................................... 5
2.3
Certification Authority (CA) ............................................................................... 6
2.4
Registration Authority (RA) ............................................................................... 6
2.5
Certificate Repository ......................................................................................... 7
3.
Certificate Application .................................................................................................... 8
3.1
Overview ............................................................................................................. 8
3.2
Application for Personal e-Cert .......................................................................... 8
3.3
Application for Personal (Smartcard) e-Cert ...................................................... 9
3.4
Application for Secure Server e-Cert ................................................................ 10
3.5
Application for Developer e-Cert ..................................................................... 11
3.6
Application for Role e-Cert .............................................................................. 11
4.
Validation of Certificate Application............................................................................ 13
4.1
Overview ........................................................................................................... 13
4.2
Validation Requirements for Certificate Application ....................................... 13
4.3
Approval of Certificate Application ................................................................. 15
4.4
Rejection of Certificate Application ................................................................. 15
5.
Certificate Issuance ....................................................................................................... 16
5.1
Overview ........................................................................................................... 16
5.2
Issuance & Publication...................................................................................... 16
5.3
Refusal .............................................................................................................. 16
5.4
Certificate Validity and Operational Periods .................................................... 16
5.5
Certificate Format ............................................................................................. 17
6.
Certificate Revocation .................................................................................................. 18
6.1
Overview ........................................................................................................... 18
6.2
General Reasons for Revocation ....................................................................... 18
6.3
Revocation of a HKUST CA Certificate........................................................... 18
6.4
Revocation at Certificate Owner’s Request ...................................................... 19
7.
Certificate Expiration .................................................................................................... 20
7.1
Overview ........................................................................................................... 20
 Hong Kong University of Science & Technology
ii
7.2
7.3
Certificate Expiry .............................................................................................. 20
Certificate Renewal ........................................................................................... 20
8.
Rights and obligations................................................................................................... 21
8.1
Rights and obligations of Certificate Owners ................................................... 21
8.2
Rights and obligations of HKUST CA ............................................................. 22
9.
Liability ......................................................................................................................... 24
9.1
Liability of Certificate Owner ........................................................................... 24
9.2
Liability of HKUST CA .................................................................................... 24
10.
Use of Certificates......................................................................................................... 25
11.
Appendices .................................................................................................................... 27
11.1 Sample Letter for Secure Server e-Cert Application ........................................ 27
11.2 Sample Letter for Developer e-Cert Application .............................................. 28
11.3 Sample Letter for Role e-Cert Application ....................................................... 29
 Hong Kong University of Science & Technology
iii
1. Introduction
1.1
Overview
This HKUST CA Certification Practice Statement (CPS) describes the practices and
standards employed by HKUST CA to perform Certification Authority Services and to
exhibit trust by providing evidence of the methods used to manage and complete tasks
associated with certificate generation.
1.2
Scope of HKUST CA Certification Services
HKUST CA Certification Services are designed to support secure electronic transactions and
other general security services to satisfy HKUST users for digital signatures and other
network security services. To accomplish this, HKUST CA serves as a trusted third party,
issuing, managing, renewing and revoking certificates in accordance with published practices.
The services offered by HKUST CA include the following:







1.3
Certificate Application
Certificate Issuance
Certificate Publication
Certificate Expiry
Certificate Revocation
Online Certificate Status Protocol (OCSP) support
Certificate Revocation List (CRL) Management
HKUST CA Identity
HKUST CA certifies certificates in the name of the organization detailed below.
Company Name:
Hong Kong University of Science and Technology
Registered Offices:
Hong Kong University of Science and Technology
Information Technology Services Center
Clear Water Bay
Kowloon
Hong Kong
 Hong Kong University of Science & Technology
1
1.4
Telephone:
Fax:
(852) 2358 6200
(852) 2358 0967
Electronic mail:
hkustca@ust.hk
Publication
This HKUST CA Certification Practice Statement is published in electronic form at
http://www.ust.hk/itsc/pki/cps/
1.5
Further Information
HKUST user acknowledges that HKUST CA has provided him/her with sufficient
information to become familiar with digital certificates before applying for, using, and relying
upon a certificate.
For more information about this CPS or information related to HKUST CA services, please
contact our HKUST Certification Authority at hkustca@ust.hk.
 Hong Kong University of Science & Technology
2
2. HKUST CA Certification Infrastructure
2.1
Overview
HKUST CA acts as a trusted third party to facilitate the confirmation of identity within
HKUST community. Such confirmation is expressly represented by a certificate, i.e. a
message which is digitally signed and issued by HKUST CA. The high-level management of
this certification process includes registration, naming, appropriate applicant authentication,
issuance, revocation and audit-trail generation.
HKUST CA currently offers distinct levels of certification services. Each level, or class of
certificate provides specific functionality and security features. Certificate applicants choose
from this set of service qualities according to their needs. Depending on the class of
certificate desired, certificate applicants may apply electronically to HKUST CA, and they
may be required to apply in person by visiting the HKUST Certification Authority.
2.2
Certificate Classes
HKUST CA currently supports distinct certificate classes within the CPS. Each class provides
for a designated level of trust. The following sections describe each certificate class in detail.
Please note that the descriptions for each certificate class do not represent an endorsement or
recommendation by HKUST CA for any particular application or purpose, and they must not
be relied upon as such. Users must independently assess and determine the appropriateness of
each class of certificate for any particular purpose.
2.2.1 Personal e-Cert
Personal e-Cert certificates are currently issued to individuals only. Personal e-Cert
certificates provide important assurances of the identity of individual certificate owners by
requiring their personal (physical) appearance before a Registration Authority Officer with a
valid proof of identity like HKUST Staff/Student ID card. They are typically used for email
services, online purchases, on-line subscription services or other web-based services.
 Hong Kong University of Science & Technology
3
2.2.2 Personal (Smartcard) e-Cert
Personal (Smartcard) e-Cert certificates are currently issued to individuals with a valid
HKUST Card. Personal (Smartcard) e-Cert certificates provide important assurances of the
identity of individual certificate owners who holds the HKUST Card specific to
himself/herself. They are typically used for email services, online purchases, on-line
subscription services or other web-based services.
2.2.3 Secure Server e-Cert
Secure Server e-Cert certificates are currently issued to departmental servers in HKUST only.
Department Head or Inter-departmental Liaison Person (IDLP) can submit a signed Secure
Server e-Cert certificates Request for servers in their department. Secure Server e-Cert
certificates can provide assurance of the existence and name of servers within HKUST.
Secure Server e-Cert certificates are used primarily for secure web servers communication on
a secure channel.
2.2.4 Developer e-Cert
Developer e-Cert certificates are currently issued to departments in HKUST only.
Department Head or Inter-departmental Liaison Person (IDLP) can submit a signed
Developer e-Cert certificates Request for developers of their department. Developer eCert certificates can provide assurance of the identity of the developer within HKUST.
Developer e-Cert certificates are used by developers primarily for the signature of
objects like software.
2.2.5 Role e-Cert
Role e-Cert certificates are currently issued to departments requiring a digital certificate to
carry out their administrative work. The Role e-Cert will, in general, bind to a Departmental
Network Account.
 Hong Kong University of Science & Technology
4
2.2.6 Certificate Class Properties
Personal e-Cert
Summary of
Confirmation of
Identity
Certificate
Applicant
Private Key
Protection
Possible
Applications
Summary of
Confirmation of
Identity
Certificate
Applicant
Private Key
Protection
Possible
Applications
Automated unambiguous
ITSC Network Account
authentication plus
personal presence plus
HKUST Staff / Student ID
Cards Verification
Encryption software (PIN
protected) required
Personal (Smartcard)
e-Cert
Automated unambiguous
ITSC Network Account
authentication plus
HKUST Card and/or
personal presence
Email, online purchases,
on-line subscription
services, password
replacement, software
validation
Encryption software (PIN
protected) required, Smart
Card as security tokens
supported
Email, online purchases,
on-line subscription
services, password
replacement, software
validation
Secure Server e-Cert
Developer e-Cert
Records provided by the
applicant and independent
call-backs
Encryption software (PIN
protected) required
Records provided by the
applicant and independent
call-backs
Encryption software (PIN
protected) required
Secure web-server
communication
Object signing
 Hong Kong University of Science & Technology
Role
e-Cert
Records provided by the
applicant and independent
call-backs
Encryption software (PIN
protected) required, Smart
Card as security tokens
supported
Email, online purchases,
on-line subscription
services, password
replacement, software
validation
5
2.3
Certification Authority (CA)
HKUST Certification Authority operates in accordance with this CPS and issues, manages,
and revokes Personal e-Cert, Personal (Smartcard) e-Cert, Secure Server e-Cert, Developer eCert and Role e-Cert certificates. Functions include the following:







Certificate Application
Certificate Issuance
Certificate Publication
Certificate Expiry
Certificate Revocation
Online Certificate Status Protocol (OCSP) support
Certificate Revocation List (CRL) Management
To ensure modest security level, Certification Authority will accept Certificate Request from
HKUST card owners or approved from Registration Authority Officer on the Registration
Authority Console only.
A Personal e-Cert is required to validate the identity of the Registration Authority Officer and
a Secure Server e-Cert is issued to Registration Authority Console to ensure secure server
communication.
HKUST CA NEITHER GENERATES NOR HOLDS the private keys of Certificate
Applicants. HKUST CA’s private key is secured against compromise via trustworthy
hardware products.
2.4
Registration Authority (RA)
HKUST Registration Authority evaluates and approves or rejects certificate applications,
exclusively on behalf of the HKUST CA that actually issues the certificates.
Registration Authority Officer is an assigned person to coordinate certificate applications and
validate certificate applicants’ identity and confirm the information they provide during the
application process. The type, scope and extent of confirmation depend upon the class of
certificate and various other factors.
Registration Authority Manager is an assigned person, who must be a different person other
than the Registration Authority Officer, to approve certificate applications, depend upon the
class of certificate, after the validation procedure performed by the Registration Authority
Officer and ensure that the whole certification application procedure is performed according
to the practice in this CPS.
 Hong Kong University of Science & Technology
6
Registration Authority Console is a console machine being setup for the Registration
Authority Officer to submit certificate request to the Certification Authority after getting the
approval from the Registration Authority Manager. The machine can communicate with
Certification Authority (CA) server to handle digital certificate request in a Certification
Process. It is installed on different machine from the Certification Authority Server that it
serves.
2.5
Certificate Repository
Certificate Internal Database is a database to keep track of the pending certificate request,
issued or revoked certificate, private Certificate Revocation List (CRL), etc. Only RA and CA
have the rights to update this database. A web user interface will be provided for users to
query the status of their certificate requests and any issued or revoked certificate. Various
fields in certificate, such as serial no, expiry date, subject name, etc will be indexed. This will
allow faster queries based on these standard attributes.
A high performance directory server, based on the IETF LDAP standard, is used as a public
repository of Certificate Revocation List (CRL), user and CA certificates. Its design is based
on the RFC 2587 schema. A standard LDAP interface will be provided to native client for
retrieving certificate for applications like S/MIME or SSL client authentication.
 Hong Kong University of Science & Technology
7
3. Certificate Application
3.1
Overview
This section describes the Certificate Application Process. It includes the requirements for
key pair generation and protection and lists the information required for each class of
certificate.
Currently, there are 5 types of certificate application for HKUST CA services.





3.2
Application for Personal e-Cert
Application for Personal (Smartcard) e-Cert
Application for Secure Server e-Cert
Application for Developer e-Cert
Application for Role e-Cert
Application for Personal e-Cert
All person desiring a Personal e-Cert shall contemporaneously complete the following
general procedures.






Authenticate with a valid ITSC Network Account and Password.
Submit a certificate application to HKUST CA and accept the Certificate Practice
Statement of HKUST CA via a web interface provided by HKUST CA on a secure
channel.
Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair.
Protect the private key of this key pair from compromise.
Prove their identity to Registration Authority Officer in person with HKUST Staff /
Student ID Card.
Fill in a registration form and accept the Certificate Practice Statement acknowledge
by the Registration Authority Officer.
HKUST CA communicates an on-line enrolment process to the certificate applicant. By
completing this on-line enrolment process via a secure channel, the certificate applicant then
affirms that :

Certificate applicant information is accurate.
 Hong Kong University of Science & Technology
8


Certificate applicant has read, understands and accepts the Certificate Practice
Statement.
Certificate applicant accepts the certificates issued by HKUST CA.
The certificate applicant proves his / her identity by submitting a signed copy of the
registration form when going personally to the Registration Authority Officer.
Upon completion of specified validation procedures, HKUST CA sends an email to the email
address that was previously provided by the certificate applicant in the certification
application. This email contains an URL that authorises the certificate applicant to obtain the
certificate from HKUST CA.
3.3
Application for Personal (Smartcard) e-Cert
All person desiring a Personal (Smartcard) e-Cert shall contemporaneously complete the
following general procedures.




Authenticate with a valid ITSC Network Account and Password.
Submit a certificate application to HKUST CA and accept the Certificate Practice
Statement of HKUST CA via a web interface provided by HKUST CA on a secure
channel.
Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair.
Protect the private key of this key pair from compromise on HKUST Card.
HKUST CA communicates an on-line enrolment process to the certificate applicant. By
completing this on-line enrolment process via a secure channel, the certificate applicant then
affirms that :



Certificate applicant information is accurate.
Certificate applicant has read, understands and accepts the Certificate Practice
Statement.
Certificate applicant accepts the certificates issued by HKUST CA.
For staff/students who have signed the acknowledgment slip receiving their HKUST Card
through Personnel Office or Admissions, Registration & Records Office, identity verification
process will be done automatically. The certificate will be downloaded to the HKUST Card if
the applicants choose an email address in their certification application same as their ITSC
network account suffixed by the @ust.hk or @stu.ust.hk email domain. For applicants have
choose their departmental email address in the certification application, HKUST CA sends an
 Hong Kong University of Science & Technology
9
email to their departmental email address and this email contains a token that authorises the
certificate applicant to obtain the certificate from HKUST CA.
For staff/students who did not sign any acknowledgment slip receiving their HKUST Card,
they will need to prove his / her identity by submitting a signed copy of the registration form
when going personally to the Registration Authority Officer. Upon completion of specified
validation procedures, HKUST CA sends an email to the email address that was previously
provided by the certificate applicant in the certification application. This email contains an
URL that authorises the certificate applicant to obtain the certificate from HKUST CA.
3.4
Application for Secure Server e-Cert
Department desiring a Secure Server e-Cert shall contemporaneously complete the following
general procedures.




Authenticate with ITSC Network Account and Password from a technical person in
their department.
Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair.
Protect the private key of this key pair from compromise.
Submit a signed certificate application letter with hand-written signature of an
authorized person in the department like Department Head or Inter-departmental
Liaison Person and hand-written signature of the technical person to HKUST CA. A
sample letter can be found in Appendices for reference.
HKUST CA communicates an on-line enrolment process to the certificate applicant. By
completing this on-line enrolment process via a secure channel, the certificate applicant then
affirms that :



Certificate applicant information is accurate.
Certificate applicant has read, understands and accepts the Certificate Practice
Statement.
Certificate applicant accepts the certificates issued by HKUST CA.
Upon completion of specified validation procedures, HKUST CA sends an email to the email
address that was previously provided by the certificate applicant in the certification
application. This email contains an URL that authorises the certificate applicant to obtain the
certificate from HKUST CA.
 Hong Kong University of Science & Technology
10
3.5
Application for Developer e-Cert
Department desiring a Developer e-Cert shall contemporaneously complete the following
general procedures.




Authenticate with ITSC Network Account and Password from a technical person in
their department.
Generate a key pair and demonstrate to HKUST CA that it is a functioning key pair.
Protect the private key of this key pair from compromise.
Submit a signed certificate application letter with hand-written signature of an
authorized person in the department like Department Head or Inter-departmental
Liaison Person and hand-written signature of the technical person to HKUST CA. A
sample letter can be found in Appendices for reference.
HKUST CA communicates an on-line enrolment process to the certificate applicant. By
completing this on-line enrolment process via a secure channel, the certificate applicant then
affirms that :



Certificate applicant information is accurate.
Certificate applicant has read, understands and accepts the Certificate Practice
Statement.
Certificate applicant accepts the certificates issued by HKUST CA.
Upon completion of specified validation procedures, HKUST CA sends an email to the email
address that was previously provided by the certificate applicant in the certification
application. This email contains an URL that authorises the certificate applicant to obtain the
certificate from HKUST CA.
3.6
Application for Role e-Cert
Department desiring a Role e-Cert shall contemporaneously complete the following general
procedures.


Submit a signed email application of an authorized person in the department like
Department Head or Inter-departmental Liaison Person to HKUST CA.
A sample letter can be found in Appendices for reference.
Successful applicant shall receive notification from HKUST CA about collection of the
Departmental Admin Card and related e-Cert password. By acknowledge receipt of the Role
e-Cert (s), certificate applicant then affirms that :

Certificate applicant information is accurate.
 Hong Kong University of Science & Technology
11


Certificate applicant has read, understands and accepts the Certificate Practice
Statement.
Certificate applicant accepts the certificates issued by HKUST CA.
 Hong Kong University of Science & Technology
12
4. Validation of Certificate Application
4.1
Overview
This section presents the requirements for validation of certificate applications to be
performed by HKUST CA. It also explains the procedures for applications that fail validation.
4.2
Validation Requirements for Certificate Application
Upon receipt of a certificate application, HKUST CA shall perform all required validations as
a prerequisite to certificate issuance. Particularly for Personal e-Cert Applications, the
applicants must appear personally before an Registration Authority Officer to facilitate the
confirmation of their identity.
Once a certificate is issued, HKUST CA shall have no continuing duty to monitor and
investigate the accuracy of the information in a certificate, unless HKUST CA is notified in
accordance with this CPS of that certificate’s compromise.
The following tables highlight certain differences between the validation requirements for
each certificate class. HKUST CA reserves the right to update these validation procedures to
improve the validation process.
 Hong Kong University of Science & Technology
13
Personal e-Cert
HKUST Card
Personal
Presence
ITSC Network
Account
Authentication
Submission of
Hard Copy
Application
Form
HKUST Staff /
Student ID
Card
Validation
Submission by
Department
Head or IDLP
Only
No
Yes
Personal (Smartcard)
e-Cert
Method 1 *
Method 2 **
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
Yes
(Automated)
Yes
No
No
No
* Method 1:
 Signed the acknowledgment slip receiving their HKUST Card through Personnel
Office or Admissions, Registration & Records Office
** Method 2:
 Did not sign any acknowledgment slip receiving their HKUST Card via Personnel
Office or Admissions, Registration & Records Office
 Hong Kong University of Science & Technology
14
Personal
Presence
ITSC Network
Account
Authentication
Submission of
Hard Copy
Application
Form
HKUST Staff /
Student ID Card
Validation
Submission by
Department
Head or IDLP
Only
4.3
Secure Server e-Cert
No
Developer e-Cert
No
Role e-Cert
No
Yes
Yes
No
Yes
Yes
No
(via signed email)
No
No
Yes
Yes
Yes
(During collection of
the Departmental
Admin Card)
Yes
(Signed email using
the HKUST e-Cert)
Approval of Certificate Application
Upon successful performance of all required validations of certificate application, HKUST
CA shall approve the application. Approval is demonstrated by issuing a certificate according
to this CPS.
4.4
Rejection of Certificate Application
If a validation fails, HKUST CA shall reject the certificate application by promptly notifying
the certificate applicant of the validation failure and providing a reason for such failure. Such
notice shall be communicated to the certificate applicant using the same method as was used
to communicate the certificate application to HKUST CA. A person whose certificate
application has been rejected may thereafter reapply.
 Hong Kong University of Science & Technology
15
5. Certificate Issuance
5.1
Overview
This section presents more information about the issuance of certificates.
5.2
Issuance & Publication
Upon approving a certificate application, HKUST CA issues a certificate. The issuance of a
certificate indicates a complete and final approval of the certificate application by HKUST
CA. The issued certificate and the corresponding public key will be published to the HKUST
Certificate Repository and the HKUST LDAP Directory server for public access. HKUST CA
NEITHER GENERATES NOR HOLDS the private keys of Certificate Applicants or
Certificate owners.
5.3
Refusal
HKUST CA may refuse to issue a certificate to any person, at its sole discretion, without
incurring any liability or responsibility for any loss or expenses arising out of such refusal.
5.4
Certificate Validity and Operational Periods
All certificates shall be considered valid upon:





Issued by HKUST CA, and
Published on HKUST LDAP Directory Server, and
Is not on the HKUST CA Certificate Revocation List, and
Has not expired, and
Can be verified by a valid HKUST Certification Authority certificate.
The standard operational periods for the various classes of certificates are as follows, subject
to earlier termination of the operational period due to revocation.
 Hong Kong University of Science & Technology
16
Personal
e-Cert
Validity
Period starting
from the date
of certificate
issuance by
HKUST CA
5.5
3 year
Personal
(Smartcard)
e-Cert
3 year
Secure
Server
e-Cert
3 year
Developer
e-Cert
Role
e-Cert
3 year
3 year
Certificate Format
The format of all certificates issued by HKUST CA is in accordance with ISO/IEC 9594 X.509
Version 3 plus any HKUST specific extensions.
 Hong Kong University of Science & Technology
17
6. Certificate Revocation
6.1
Overview
This section explains the circumstances under which a certificate may or must be revoked. It
also details the procedures for revoking certificates.
6.2
General Reasons for Revocation
A certificate shall be revoked if

There has been a loss, theft, modification, unauthorised disclosure, or other
compromise of the private key of the certificate’s subject.

The certificate’s subject has breached a material obligation under this CPS.

The performance of a person’s obligations under this CPS is delayed or prevented by a
natural disaster, computer or communications failure, or other cause beyond the
person’s reasonable control, and as a result another person’s information is materially
threatened or compromised.

There has been a modification of the information contained in the certificate of the
certificate’s subject.
6.3
Revocation of a HKUST CA Certificate
HKUST CA must make a reasonable effort to revoke a certificate if it determines any of the
following:

A material fact represented in the certificate is known or reasonably believed by
HKUST CA to be false.

A material prerequisite to certificate issuance was not satisfied.

The private key or trustworthy system was compromised in a manner materially
affecting the certificate’s reliability.
 Hong Kong University of Science & Technology
18

6.4
The certificate’s subject has breached a material obligation under this CPS.
Revocation at Certificate Owner’s Request
The certificate Owner must make a formal request to HKUST CA to revoke their certificate.
The request must be made either the following ways.
 Sending a paper Certificate Revocation Request form to HKUST CA. The form must be
signed with the same signature as on the original application for the certificate and/or with
a valid proof of identity.
 On-Line Submission of a digitally signed Certificate Revocation Request Form. The online
submission of the Certificate Revocation Request Form must be digitally signed by a valid
HKUST CA certificate.
 Hong Kong University of Science & Technology
19
7. Certificate Expiration
7.1
Overview
This section provides information about Certificate Expiry and Renewal procedures.
7.2
Certificate Expiry
HKUST CA will undertake a reasonable effort to notify certificate Owners thirty (30) days
before the expiration date, via email, of the impending expiration of their certificates. Such
notice is intended solely for the convenience of the certificate Owner in the renewal process.
7.3
Certificate Renewal
Personal e-Cert or Personal (Smartcard) e-Cert certificate can be renewed via the HKUST
Certificate Management System before the expiration of the certificate.
For Secure Server e-Cert, Developer e-Cert and Role e-Cert certificate renewal, certificate
Owner should submit a signed written request to HKUST CA before the expiration. Request
received after the expiration of the certificate will not be accepted.
Requirements for renewal are subject to change at HKUST CA’s discretion.
 Hong Kong University of Science & Technology
20
8. Rights and obligations
8.1
Rights and obligations of Certificate Owners
HKUST user acknowledges that HKUST CA has provided him/her with sufficient
information to become familiar with digital certificates before applying for, using, and relying
upon a certificate.
By applying a certificate issued by HKUST CA, the applicant certifies to and agrees with
HKUST CA and to all who reasonably rely on the information contained in the certificate
that, at the time of acceptance and throughout the operational period of the certificate, until
notified otherwise by the certificate owner, of the following points:




All representations made by the certificate owner to HKUST CA regarding the
information contained in the certificate are true. All information contained in the
certificate is true to the extent that the certificate owner had knowledge or notice of
such information.
Each digital certificate created using the private key corresponding to the public key
listed in the certificate is the digital certificate of the certificate owner and the
certificate has been accepted and is operational (not expired or revoked) at the time
the digital certificate is created.
No unauthorised person has ever had access to the certificate owner's private key.
The certificate owner is an end-user certificate owner and not an Issuing Authority,
and will not use the private key corresponding to any public key listed in the
certificate for purposes of signing any certificate (or any other format of certified
public key) or CRL, as an Issuing Authority or otherwise, unless expressly agreed in
writing between certificate owner and HKUST CA.
By accepting a certificate, the certificate owner assumes a duty to retain control of the
certificate owner's private key, to use a trustworthy system, and to take reasonable precautions
to prevent its loss, disclosure, modification, or unauthorized use. The user must revoke his /
her certificate when there has been a loss, theft, modification, unauthorized disclosure, or
other compromise of the private key of the certificate with HKUST CA.
By accepting a certificate, the certificate owner agrees to indemnify and hold HKUST CA
harmless from any acts or omissions resulting in liability, any loss or damage, and any suits
and expenses of any kind that HKUST CA may incur, that are caused by the use or
publication of a certificate and that arises from:

Falsehood or misrepresentation of fact by the certificate owner.
 Hong Kong University of Science & Technology
21


8.2
Failure by the certificate owner to disclose a material fact, if the misrepresentation or
omission was made negligently or with intent to deceive HKUST CA or any person
receiving or relying on the certificate.
Failure to protect the certificate owner's private key, to use a trustworthy system, or to
otherwise take the precautions necessary to prevent the compromise, loss, disclosure,
modification or unauthorized use of the certificate owner's private key.
Rights and obligations of HKUST CA
HKUST CA neither generates nor holds the private keys of certificate owners. Also HKUST
CA cannot ascertain or enforce any particular private key protection requirements of any
applicant or certificate owner. Upon receipt of a certificate application, HKUST CA shall
perform all required validations as a prerequisite to certificate issuance, as follows:


The certificate applicant is the person identified in the request (in accordance with and
only to the extent provided in the certificate class descriptions).
The information to be listed in the certificate is accurate, except for non-verified
certificate owner information.
Once a certificate is issued, HKUST CA shall have no continuing duty to monitor and
investigate the accuracy of the information in a certificate. Unless otherwise provided in the
CPS or mutually agreed upon by both HKUST CA and the certificate owner in an
authenticated record, HKUST CA promises to the certificate owner named in the certificate
that



There are no mis-representations of fact in the certificate known to HKUST CA or
originating from HKUST CA,
There are no data transcription errors as received by HKUST CA from the certificate
applicant resulting from a failure of HKUST CA to exercise reasonable care in
creating the certificate.
The certificate meets all material requirements of the CPS.
Unless otherwise provided in this CPS or mutually agreed upon by both HKUST CA and the
certificate owner in an authenticated record, HKUST CA promises to the certificate owner to
make reasonable efforts:


To promptly revoke certificates upon request of the certificate owner.
To notify certificate owners of any facts known to it that materially affect the validity
and reliability of the certificate it issued to such certificate owner.
 Hong Kong University of Science & Technology
22
Upon certificate owner's acceptance of the certificate, and checking by HKUST CA, HKUST
CA shall publish a copy of the certificate in the HKUST CA repository and in one or more
other repositories, as determined by HKUST CA. Certificate owners may publish their
HKUST CA certificates in other repositories.
HKUST CA provides the controls and foundation for PKI.
 Hong Kong University of Science & Technology
23
9. Liability
9.1
Liability of Certificate Owner
Without limiting other certificate owner obligations stated in the CPS, certificate owners are
liable for any mis-representation they make in certificates to third parties that, reasonably rely
on the representations contained therein.
9.2
Liability of HKUST CA
HKUST CA



Does not warrant the accuracy, authenticity, completeness or fitness of any unverified
information contained in certificates or otherwise compiled, published, or
disseminated by or on behalf of HKUST CA.
Shall not incur liability for representations of information contained in a certificate,
provided the certificate content substantially complies with the CPS.
Does not warrant "non-repudiation" of any certificate or message (because nonrepudiation is determined exclusively by law and the applicable dispute resolution
mechanism).
 Hong Kong University of Science & Technology
24
10. Use of Certificates
HKUST CA and "users" of the certificate, (i.e., the certificate owner and the relying parties),
are notified of the following rules governing the respective rights and obligations of the
parties among themselves:
Verification of Digital Certificates
Verification of a digital certificate shall be undertaken as follows:



Checking with the HKUST CA (or other) repository for revocation of certificates.
To verify a digital certificate, it is necessary to know precisely what data has been
signed. In the case of public key cryptography standards (PKCS), a standard signed
message format is specified to accurately denote the signed data.
To support non-repudiation, the data to which the corresponding digital certificate is
attached must include, or reference, a time stamp. The time stamp shall reflect the
time at which date and time the digital certificate is affixed.
Failure of Digital Certificate Verification
A person relying on an unverifiable digital certificate assumes all risks with regard to it and is
not entitled to any presumption that the digital certificate is effective as the certificate of the
certificate owner.
Security Measures
Any person using or relying upon a HKUST CA certificate in conjunction with a message
shall apply reasonable security measures to the message to provide message authentication
and, as required, to support data confidentiality.
Revocation
A certificate shall be revoked under circumstances like:



There has been a loss, theft, modification, unauthorised disclosure, or other
compromise of the private key of the certificate's subject.
The certificate's subject (whether HKUST CA or a certificate owner) has breached a
material obligation under the CPS.
The performance of a person's obligations under the CPS is delayed or prevented by
an act of God, natural disaster, computer or communications failure, or other cause
 Hong Kong University of Science & Technology
25
beyond the person's reasonable control, and as a result another person's information is
materially threatened or compromised.
HKUST CA must make a reasonable effort to revoke a certificate, if it determines any of the
following:




A material fact represented in the certificate is known or reasonably believed by
HKUST CA to be false.
A material prerequisite to certificate issuance was neither satisfied nor waived.
The private key or trustworthy system was compromised in a manner materially
affecting the certificate's reliability.
The certificate's subject has breached a material obligation under the CPS.
 Hong Kong University of Science & Technology
26
11. Appendices
11.1
Sample Letter for Secure Server e-Cert Application
<Department Letter Head>
Attention: HKUST Certification Authority
Information Technology Services Center
Hong Kong University of Science and Technology
Clear Water Bay
Kowloon
Hong Kong
<Date>
Application for Secure Server e-Cert
I, <Name of Applicant>, hereby approve the use of a HKUST CA Secure Server e-Cert for
secure and authenticated electronic transactions. I hereby represent that I am fully authorized
to make such approval, and that I understand that a digital certificate acts as a department
stamp or director’s signature for the purposes of electronic commerce, and that the
management of the private keys associated with such certificates is the responsibility of our
technical staff or contractors.
The contents of that certificate are as follows:
Server Domain Name : <Server Name> e.g. ccms01.ust.hk
Department : <Department Name> e.g. Information Technology Services Center
The person responsible for key management and security is fully authorized to install and
utilise the certificate to represent this organization’s electronic presence.
Authorizing Signatory
<Full Name>
<Post>
<Telephone Number>
<Email address>
<Signature>
Technical Signatory
<Full Name>
<Post>
<Telephone Number>
<Email address>
<Signature>
Our department stamp appears below.
<Department Stamp>
 Hong Kong University of Science & Technology
27
11.2
Sample Letter for Developer e-Cert Application
<Department Letter Head>
Attention: HKUST Certification Authority
Information Technology Services Center
Hong Kong University of Science and Technology
Clear Water Bay
Kowloon
Hong Kong
<Date>
Application for Developer e-Cert
I, <Name of Applicant>, hereby approve the use of a HKUST CA Developer e-Cert for
secure and authenticated electronic software distribution. I hereby represent that I am fully
authorized to make such approval, and that I understand that a digital certificate acts as a
department stamp or director’s signature for the purposes of electronic commerce, and that
the management of the private keys associated with such certificates is the responsibility of
our technical staff or contractors.
The contents of that certificate are as follows:
Developer Description : <Name of Developer and Project Team>
Department : <Department Name> e.g. Information Technology Services Center
The person responsible for key management and security is fully authorized to install and
utilise the certificate to represent this organization’s electronic presence.
Authorizing Signatory
<Full Name>
<Post>
<Telephone Number>
<Email address>
<Signature>
Technical Signatory
<Full Name>
<Post>
<Telephone Number>
<Email address>
<Signature>
Our department stamp appears below.
<Department Stamp>
 Hong Kong University of Science & Technology
28
11.3
Sample Letter for Role e-Cert Application
[Signed email addressed to hkustra@ust.hk, signed by applicant’s HKUST Personal
(Smartcard) e-Cert or HKUST Personal e-Cert]
Email Subject: Application for Role e-Cert
Email Body:
Attention:
HKUST Certification Authority
Information Technology Services Center, HKUST
On behalf of <Department>, I would like to
apply for HKUST CA Role e-Cert for the following departmental
account(s):
Departmental Admin Card ID
-------------------------1. N/A
2. N/A
3. D0000123
Departmental Account(s)
----------------------<Account A>, <Account B>
<Account A>
<Account B>
By digitally signed this email, I understand that a digital
certificate acts as a department stamp for the purposes of
electronic commerce, and that the management of the Departmental
Admin Card(s) and the private key associated with the certificate(s)
are the responsibility of the applicant.
Digitally Signed by Applicant:
<Full Name>
<Post> e.g. IDLP of <Department>
<Telephone Number>
<Email address>
 Hong Kong University of Science & Technology
29
Related documents
SCHOOL BOARD RECOGNITION
SCHOOL BOARD RECOGNITION
Child Protection study day 12th June 2007
Child Protection study day 12th June 2007
Application for Land Value Tax Rate Applicable to Land Used for
Application for Land Value Tax Rate Applicable to Land Used for
ANIMAL CARE CERTIFICATE
ANIMAL CARE CERTIFICATE
PAFCPIC "We Care Abuloy"
PAFCPIC "We Care Abuloy"
pdf - De La Salle University
pdf - De La Salle University
Download
advertisement