1.1 Overview
As an integral part of portfolio of services COMTRUST has
introduced digital certification services in the electronic
commerce marketplace under the brand name of COMTRUST Certification
Services (CCS). This service will involve introduction of
three types of digital certificates in the first phase catering
to the needs of all the major categories of users.
In order to explain the process involved in its Certification
Services, COMTRUST has developed the Certification Practice Statement
(CPS). This Certification Practice Statement defines the practices
utilized by COMTRUST Certification Authority (CA) & COMTRUST
Issuing Authority (IA) in issuing, managing, revoking, suspending
and renewal of digital certificates. COMTRUST issues these
digital certificates and provide other general security services
to facilitate secure business-to-consumer (B2C) and business-to-business
(B2B) electronic commerce. The Certification Practice Statement
also defines the operational and general technical procedures
followed by COMTRUST with respect to the managing the Certification
processes.
The users of CCS are expected to have reasonable knowledge
of digital certificates and signatures before they will be
actually able to use certificates issued by COMTRUST. Ample
amount of information on digital certificates and on
use these certificates with different e-mail clients can be
found on COMTRUST web-site http://www.comtrust.co.ae.
This CPS governs the services currently offered by COMTRUST
for CCS. In the future, this CPS will evolve to accommodate
other services that COMTRUST will introduce in response to
market demand, as regional electronic commerce marketplace
matures and use of digital certificates grows around the world.
CCS currently use the Public Key Infrastructure provided
by CyberTrust (Baltimore Technologies) for all
certification issuance related purposes.
1.1.1
COMTRUST's Role
COMTRUST will create, sign and issue digital certificates
as a trusted third party. The certificate issuance process
will cause binding of the public key of subscribers with certificates
issued to such subscribers. The parties relying on certificates
issued by COMTRUST will be able to check status of such certificates
on a Certification Revocation List (CRL) published by COMTRUST and updated regularly.
COMTRUST will also establish appropriate number of Registration
Authorities (RAs) to help address needs of diverse categories
of subscribers. COMTRUST Registration Authorities (RAs) will
carry out the registration and verification process for subscribers
at various locations and communities. COMTRUST may also appoint
Comtrust Service Representatives at various locations to help
Registration Authorities in verifying credentials.
Various COMTRUST Certification Authority processes are listed
below:
- Certificate Application and Enrollment Process
- Validation of Certificate Application by verifying credentials
- Issuance of Certificate
- Communication to Subscriber
- Certificate Revocation and Certificate Revocation List
- Expiry of Certificate and Renewal
- Repository and Directory Services
1.2
Identification
Certification Practice Statement Name: COMTRUST CPS Ver 1.1 dated June 2001
1.3
Community and Applicability
COMTRUST CPS is meant to provide a detailed description of
the processes and procedures put in place to operate COMTRUST
Certification Services (CCS) to deal with certificate application,
verification, issuance, acceptance, suspension, revocation
and renewal.
COMTRUST will abide by the procedures set in this CPS to
run CCS and thus the specific type of certificates issued
in accordance with this CPS will comply with the set of specific
rules set up to manage the same certificate type. This has
been essentially put in place to facilitate diverse usage,
and accordingly, the reliance levels for a specific type of
certificate.
1.3.1
Certification authorities
COMTRUST Certification Authority is currently providing the
following kinds of digital certificates.
a) Demo Digital Certificates
b) User Certificates Class 1
c) Business User Certificate
d) Server Certificates
Each class of certificates provides specific functionality, authentication and security features. Certificate applicants choose from this set of service qualities according to their needs; they must specify which class of certificate they desire. Depending on the class of certificate required, certificate applicants may apply electronically to COMTRUST, or they may be required to apply in person by visiting either of COMTRUST offices in Abu Dhabi or Dubai.
A brief description of the four types of digital certificates mentioned above is given below:
1.3.1.1
Demonstration Digital Certificates (Demo Certificate)
Any individual can apply for a demo Certs. After the completion
of an on-line enrolment process, an e-mail is sent to the
subscriber advising him of the availability of demo certificate
from a secured site of COMTRUST. Demo certificates are issued
without any reliance value with a validity period of one month.
These certificates can be used for web browsing and exchanging
e-mail messages in a secured manner. COMTRUST do not vouch
on the identity of individuals.
1.3.1.2
User Certificates Class 1
Class 1 User Certificates (User Certs) are currently issued to individuals only. These certificates confirm that the information contained on the certificate is consistent with with information on the copy of the passport, residence visa number, credit card number, telephone number, Emirates Internet User ID information or other information submitted by the applicant.
Class 1 user certificates provide reasonable degree of assurance of the identity of an individual based on verification undertaken by COMTRUST. This off-line verification compares the information provided by the applicant during enrolment process with identification documents of subscriber. These identification documents may include copy of passport with residence visa, labour card, driver's license and similar other identification papers. This authentication process is detailed in section 3 of this CPS.
Currently UAE Nationals, ETISALAT Emirates Internet users and all UAE residents and their dependants are eligible to apply for Class 1 User Certificates .
1.3.1.3
Business User Certificates
Business User certificates are issued to individuals but purchased by organizations, guaranteeing identity of individual as their employees or important customers, or business partners. These certificates confirm that the information contained on the certificate is consistent with information provided by the organization. This information includes name as contained in passport, organization and organization unit.
Business User Certificates provide reasonable degree of assurance of the identity of an individual based on confirmation of identity provided by respective organization contained in the certificate and reviewed by Comtrust.
Currently employees and key customers of all UAE organizations, and leading & known organizations of Gulf Cooperative Council countries are eligible to apply for Business User Certificates. The application has to be confirmed by the respective organization through a letter of introduction.
1.3.1.4
Server Certificates
Server Certificates are issued to
government (including government owned departments) enterprises or business entities only. These
certificates provide assurances on the existence of the organization to whom it is issued. These are secure server certificates. Validation of Server Certificate applications for
organizations includes a thorough review by COMTRUST of credentials presented by the applicant, business databases, e-mail and domain name services. The validation process may also include personal contacts by COMTRUST Account Managers to ensure identity of organizations. These contacts provide a high degree of assurance on the existence of an organization.
The following entities can apply and
subscribe to Comtrust Server Certificates.
1.3.2
Registration authorities
As and when business conditions so dictate, COMTRUST may appoint Registration Authorities in various parts of the UAE. All Registration Authorities shall conform to the provisions of this CPS.
1.3.3
End entities
Currently only UAE Nationals, UAE Residents and businesses holding a valid trade license within the UAE are allowed to apply for and subscribe to Class 1 User Certs.
However, leading organizations from Gulf Cooperative Council
countries may purchase Business User Certificates for their
employees, key customers and business partners and may have
such employees, customers and partners enroll for certificate.
The following entities can apply and subscribe to Comtrust
Server Certificates.
-
Businesses holding a valid trade license within the UAE
-
Foreign governments and government owned departments (upon
presentation of evidence of authority of the applicant to bind
the particular government / department)
Demonstration Certificates , are issued to applicants irrespective of their nationality and origin. End entities are also referred to as Customers or Subscribers and shall include only individuals subscribing to one of four kinds of certificates.
1.3.4
Applicability
Demo Certs merely represent that the owner of the Certificate is the user of the e-mail account. Demo certificate do not provide assurance on the identity of individual to whom it is issued. As such these certificates are issued without any reliance value for third parties are only intended for demonstration purposes.
User Certs can be used to exchange e-mail in a secured environment, as a secured replacement of passwords, to facilitate authentication where proof of identity is required, on-line purchasing, payment of on-line bills and similar other on-line applications.
Business user Certificate can also be used to exchange e-mail in a secured environment, as a secured replacement of password to access applications, or facilitate authentication of proof of identity and association with an organization is important
Server Certificates are issued primarily to establish identity of web-site on the net and to facilitate business transactions on this site in a secured manner. Typical applications of Server Certificates include; e-tailing, e-banking, on-line payments, membership based services and similar other applications.
1.4
Contact Details
1.4.1 Specification administration
organization
This CPS is administered by COMTRUST Certification Services in accordance with section 8 of this CPS.
1.4.2
Contact person
Comments, suggestions and all queries concerning this CPS must be addressed to:
General Manager
COMTRUST
P. O. Box 93939
Dubai
United Arab Emirates
Attn: Certification Services
Phone: +9714-222-2777
Fax: +971-4-222-4888
http://www.comtrust.co.ae
1.4.3
Person determining CPS suitability for the policy
COMTRUST Certification Services is responsible for determining the suitability of this CPS and can be contacted as stated in sub section 1.4.2 of this CPS.
