g) Performance of the obligations of an IA and supporting
the rights of the subscribers and relying parties who use
certificates in accordance with this CPS.
h) Suspension and revocation of certificates as detailed in
this CPS,
i) Facilitating of the expiration and renewal of certificates
as stated in this CPS.
j) Making a reasonable effort to comply with the provisions
contained in CPS sub section 2.1.1 and 2.1.2.
To avoid any ambiguity, COMTRUST guarantees that its own private
keys are not compromised. In case there is such a compromise
COMTRUST will provide notice to the contrary via the COMTRUST
repository and revoke all certificates issued by the CA
COMTRUST does not make any other warranties and has no further
obligations under this CPS.
2.1.2 RA (RA) obligations
COMTRUST shall appoint appropriate number of Registration
Authorities (RA) in different parts of United Arab Emirates keeping
in view the requirements of business. It shall be the responsibility
of RAs, to examine, approve or reject certificate applications
on behalf of COMTRUST CA.
Following are the obligations of COMTRUST RAs:
a) To accurately represent to CA, the information gathered
from the certificate applicants (persons or organizations
who have enrolled for a Demo, Class 1 User certificate or
Server certificate).
b) To process applicants’ and subscribers’ request in a prompt
and timely fashion in accordance with this CPS.
c) In the process of examining certificate applications, RAs
may rely upon appropriate credentials presented by the applicant.
These credentials may include passport, labour card, driving
license for individuals and trade license and similar other
documents for organizations.
d) To maintain the supporting evidence for certificate issuance
requests made to COMTRUST.
e) Comply with all the provisions of COMTRUST CPS and the
CCS business procedures.
f) Protect its private key and use it for its RA function
only.
2.1.3
Subscriber (End Entities) obligations
The following are the obligations of the subscribers of COMTRUST
CCS:
a) That all the information presented in certificate application
is accurate and up to date in all respects.
b) That the digital signatures generated using the private
key corresponding to public key relates to certificate obtained
by presenting accurate information. The subscriber further
represent that certificate is not revoked or cancelled.
c) That it is the sole responsibility of subscriber to safeguard
his or her private key.
d) That the subscriber acknowledges that he or she is aware
of contents of the certificate and information contained therein
is accurate. It shall be the responsibility of subscriber
to notify any change that renders part or all information
to be obsolete.
e) That the certificate is being used exclusively for authorised
and legal purposes, consistent with this CPS.
f) That the subscriber shall use the private key for the purpose
of generating digital signatures solely as an end-user.
g) That by enrolling for a certificate issued by COMTRUST,
the subscriber certifies and acknowledges that he, she or
it agrees to the terms and conditions contained in this CPS
and the applicable subscriber agreement relevant to the type
of certificate issued and accepted.
2.1.4
Relying party obligations
Relying parties' obligations are as follows:
a) Relying parties should use the certificate for the purpose
for which it was issued in the first place strictly in accordance
with this CPS.
b) Relying parties are obliged to check each certificate for
its validity as described in the X.509 standard. For validation
purposes COMTRUST directory services can be used.
c) A party receiving a digitally signed message may rely (relying
party) upon digital signature
if:
(i) the validity of certificate has been verified by the recipient
to the extent that the signatures were created within the
validity of certificate.
(ii) if the circumstances are such that a person of ordinary
prudence will be satisfied that no further assurance, other
than that provided by certificate, is necessary.
d) The relying party should ensure that the reliance is keeping
in view the class of certificate and associated liabilities
assumed by COMTRUST.
e) All the responsibility with respect to reliance on an unverifiable
signature shall rest with the relying party and COMTRUST assumes
no responsibility with respect to such reliance.
f) In case of a dispute, a relying party that is found to
have acted in a manner inconsistent with the obligations listed
above will have no valid claim against COMTRUST.
2.1.5
Repository obligations
CCS is obliged to timely publish the certificates and the
Certificate Revocation List. . On-line validations are available
through a link from Repository while certficate validation
can be performed through COMTRUST directory. Please refer
to LDAP procedures in Repository for validation services.
2.2
Liability
2.2.1 Warranties And Limitation on
Warranties
a) COMTRUST warrant that they will operate and provide their
certification services in accordance with the terms of this
CPS. COMTRUST promise to ensure that the technology implementation
and services performed as Certification Authority are in accordance
with the provisions of this CPS.
b) COMTRUST warrants that it will publish accepted certificates
and Certificate revocation list in accordance with this CPS.
c) COMTRUST warrant that they will only suspend and revoke
certificates as specified by this CPS, provide for the expiration,
and renewal of certificates as stated in this CPS.
d) COMTRUST warrant that their own private keys are not compromised
unless they provide notice to the contrary via the COMTRUST
repository.
e) COMTRUST makes no other warranties and has no further obligations
under this CPS.
2.2.2
Damages Covered and Disclaimers
Except as expressly provided in the foregoing (CPS sub section
2.2.1), COMTRUST disclaims all warranties and obligations
of any type, including any warranty of merchantability, warranty
of fitness for a particular purpose, and any warranty of the
accuracy of unverified information provided.
2.2.3
Loss Limitations
a) In no event shall COMTRUST be liable for any indirect,
incidental or consequential damages, or for any loss of profits,
loss of data, or other indirect, consequential or punitive
damages arising from or in connection with the use of CCS,
or any other transactions or services offered or contemplated
by this CPS.
b) The aggregate liability of COMTRUST to any and all parties
(including without limitation a subscriber, an applicant,
a recipient, or a relying party) concerning a specific certificate
shall be limited to an amount not to exceed the following
liability caps, for the aggregate of all digital signatures
and transactions related to such certificate:
2.3
Financial responsibility
2.3.1 Indemnification
by Relying Parties and subscibers
COMTRUST assumes no financial responsibility for improper
use of certificates. In addition to all other obligations
set-out in this CPS, the subscribers are liable for any misrepresentations
they may have made in certificate application or to third
parties. The Subscribers and Relying parties indemnify COMTRUST
from any loss, damage or liability resulting from improper
use of certificates and Certificate Revocation List (CRL).
2.3.2
Fiduciary Relationships
Neither COMTRUST nor the subscriber shall be treated as agent,
fiduciary, trustee, or other representative of subscribers
or relying parties. COMTRUST expressly denies any representation
to the contrary.
2.3.3
Administrative Processes
Not applicable.
2.4
Interpretation and Enforcement
2.4.1 Governing Law
The United Arab Emirates law shall govern the enforceability,
interpretation, and validity of this CPS.
2.4.2
Severability
In the event that any terms, conditions or provision of this
CPS are rendered invalid, unlawful or unenforceable, for whatever
reason, the remaining terms and conditions or provisions shall
remain valid and applicable. Each provision of this CPS shall
stand enforceable independent of other provisions.
2.4.3
Notice
All notices to COMTRUST shall be given in writing and sent
to COMTRUST Office in Dubai UAE at the address below:
General Manager
COMTRUST
P. O. Box 93939
Dubai
United Arab Emirates
Attention: Certification Services
Such notices shall be treated as valid 24 hours (Excluding week-end periods of Thursday and Friday) after the
delivery of notice to COMTRUST post box. Such notices can
also be sent through a digitally signed e-mail messages.
2.4.4
Dispute resolution procedures
Any dispute, controversy or claim arising out of or relating
to this CPS or the breach, termination or invalidity thereof
shall be resolved by conciliation. If such negotiations for
conciliation are not concluded within thirty (30) days of
written notice given by the party requesting negotiations,
either party may seek to resolve the dispute by means of arbitration
in accordance with the provisions contained herein.
The arbitration tribunal shall be composed of three arbitrators
(unless the parties agree on a single arbitrator) under UAE
arbitration laws. Proceeding shall be conducted in English
language unless the parties otherwise agree.
Arbitration awards made pursuant to this article shall be
final and binding upon the parties and shall be enforceable
in any court of competent jurisdiction. Each party shall bear
its own costs, including legal fees, except that the costs
of the arbitration shall be borne, as the arbitrators shall
determine.
2.5
Fees
All subscribers and other parties shall pay fees in accordance
with published tariff of COMTRUST, as amended from time to
time, for use of its certification services. All such schedules
and amendments thereof shall be published on COMTRUST web-site:
http://www.comtrust.co.ae.
All changes shall be effective 15 days after such changes
are published on the web-site.
2.5.1
Certificate issuance or renewal fees
Demo Certs will be provided to the applicants free-of-charge
while payment against issuance of User Certs Class 1 will
be made through credit cards only authorized on-line via COMTRUST
payment gateway on submission of certificate application.
However, Business User & Server Certificate subscribers will have an option
to pay either by a corporate credit card or by cheque to be
furnished with the credentials requested for submission by
COMTRUST.
2.5.2
Certificate access fees
Access to certificates on CCS directory is free of charge
except any communication costs that users may incur.
2.5.3
Revocation or status information access fees
Access to COMTRUST CRLs is free of charge except any communication
costs that users may incur.
2.5.4
Fees for other services such as policy information
Please refer to sub section 2.5.of this CPS titled Fees.
2.5.5
Refund policy
Not Available.
2.6
Publication and Repository
2.6.1 Publication
of CA information
a) CCS as a CA will publish the following in its repositories:
(i) COMTRUST CPS COMTRUST may amend or modify this CPS from
time to time. Each change shall become effective fifteen (15)
days after COMTRUST publishes the same in COMTRUST repository
unless (i) COMTRUST has published a notice of withdrawal of
the proposed change in the COMTRUST repository prior to the
end of such fifteen (15) day period, or (ii) failure by COMTRUST
to make the proposed change may result in a compromise of
the CCS or any portion of it, in which case, the proposed
change is effective upon publication in the COMTRUST repository.
A subscriber’s decision not to request revocation of his,
her, or its certificate following the publication of a proposed
change shall constitute agreement to the change.
This CPS can be accessed on COMTRUST repository at: http://www.comtrust.co.ae/repository.htm
(ii) Certificate Revocation List
Upon suspending or revoking a certificate, COMTRUST will publish
notice of the suspension or revocation in the COMTRUST repository.
COMTRUST may publish a certificate revocation list (CRL) containing
revoked certificates.
(iii) All certificates issued
Upon notifying the subscriber of the availability of certificate
for download, COMTRUST shall publish a copy of the certificate
in the COMTRUST directory Servers. By publishing a certificate,
COMTRUST certifies to all who reasonably rely on the information
contained in the certificate that it has issued the certificate
to the subscriber and that the subscriber has accepted the
certificate.
2.6.2
Frequency of publication
a) CPS publication per sub section 8 of this CPS.
b) CRL publication per section 4.4.9 of this CPS.
2.6.3
Access controls
COMTRUST CPS, respective Subscriber Agreements, certificates,
certificates’ status and CRLs are pieces of publicly available
information and shall be published at COMTRUST repository.
However, where deemed appropriate, COMTRUST may implement
access control to certain publications in such a way that
only subscribers and other parties, on the basis of pre-determined
criteria, are given the privilege to access all or part of
this information.
2.6.4
Repositories
The COMTRUST shall take immediate action to publish certificates
issued, amendments in CPS, updated certificate revocation
list, notices, tariff and all other information, consistent
with this CPS and applicable law on its web-site. Most of
this information shall be available in COMTRUST repository,
which is accessible at http://comtrust.co.ae/repository.htm.
2.7
Compliance audit
2.7.1 Frequency of entity compliance
audit
a) COMTRUST Certification Authorities may undergo an Internal
Audit at any time to monitor and ensure that CA and RAs are
operating in accordance with the practices and procedures
set in this CPS and in other internal documents.
b) Compliance audit by an external party will be conducted
at a frequency, deemed appropriate by COMTRUST, to ensure
that CA is operating strictly in accordance with this CPS
and other applicable agreements, guidelines, procedures, and
standards.
2.7.2
Identity/qualifications of auditor
An independent third party public accountant with demonstrated
expertise in computer security or an accredited & professional
computer security company shall audit the operations of COMTRUST
to evaluate its compliance with this CPS.
2.7.3
Auditor's relationship to audited party
The Independent auditor shall be an organization, separate
from COMTRUST and independent of any influence by COMTRUST.
Since COMTRUST is not the author of such audit reports it
is, therefore, not responsible for their content. COMTRUST
does not express any opinion on such audit reports and shall
not be held responsible for any damages to anyone resulting
from reliance on such audit reports.
2.7.4
Topics covered by audit
Please refer to sub section 2.7.1 of this CPS.
2.7.5
Actions taken as a result of deficiency
COMTRUST Certification Services shall be responsible to prescribe an appropriate remedy as soon as it is made aware of a discrepancy as a result of compliance audit. The remedy proposed by COMTRUST Certification Services will largely depend on the type of discrepancy reported.
2.7.6
Communication of results
Audit results will be communicated to COMTRUST Certification Services, CA and the RAs. The results thus communicated will not have the details that can breach the trust of certificates issued by the CA.
2.8
Confidentiality
2.8.1 Types of information to
be kept confidential
The following information shall be considered confidential by COMTRUST and may not be disclosed to third parties except on the consent of the subscriber or required by a court of law:
a) Signed Subscriber agreements
b) Application related information and records
c) Transactional records
d) Audit reports results of sensitive nature
e) Information on operation of COMTRUST CA
f) Contingency planning and disaster recovery plans
g) Details of Security measures controlling the operations of COMTRUST CCS.
h) Information relating to applicants other than as stipulated in this agreement.
2.8.2
Types of information not considered confidential
Information related to subscribers typically given in a certificate, CRLs and revocation and suspension are not considered confidential.
All other information appearing in COMTRUST repository per this CPS is also not considered confidential.
2.8.3
Disclosure of certificate revocation/suspension information
Information related to certificate revocation and suspension is not considered confidential and therefore will be disclosed in accordance with this CPS.
2.8.4
Release to law enforcement officials
COMTRUST warrants that all confidential information will not be disclosed without an authenticated request made prior to such disclosure from the person who has provided such information to COMTRUST, or required through a court order.
2.9
Intellectual Property Rights
All Intellectual Property Rights shall remain vested in the party creating or owning the same and nothing in this CPS shall confer or be deemed to confer on any party any rights or licenses of the Intellectual Property Rights of the other party.
It is the responsibility of Certificate applicants and subscribers to ensure that information submitted by them, use of a domain name and other names, etc. do not infringe upon any form of property rights of third parties. The certificate applicants and subscribers indemnify COMTRUST from any claim, losses, damages or liabilities arising any act of such property right violations.
