4.2
Certificate Issuance & Application Refusal
Upon approving a certificate application, COMTRUST issues
a certificate. The issuance of a certificate indicates a complete
and final approval of the certificate application by COMTRUST.
4.2.1
Demonstration Certificates
Upon completion of the specified validation procedures, COMTRUST
sends an e-mail to the certificate applicant communicating
a certificate reference number and the URL of a website from which
the applicant can download the respective Demo Cert.
4.2.2
User Certs Class 1
Upon completion of specified validation procedures listed
under sub section 4.1 of this document, COMTRUST sends E-mail
to the E-mail address that was previously provided by the
certificate applicant in the certificate application. This
E-mail contains a URL that authorises the certificate applicant
to obtain a certificate from COMTRUST.
4.2.3
Business User Certificate
Upon completion of specified validation procedures listed under sub section 4.1 of this document, COMTRUST sends E-mail to the E-mail address that was previously provided by the certificate applicant in the certificate application. This E-mail contains a URL that authorises the certificate applicant to obtain a certificate from COMTRUST.
4.2.4
Server Certs
Upon completion of specified validation procedures listed
under sub section 4.1 of this document, COMTRUST sends E-mail
to the E-mail address that was previously provided by the
certificate applicant in the certificate application. This
E-mail contains a URL that authorises the certificate applicant
to obtain a certificate from COMTRUST. Alternatively, on COMTRUST’s
sole discretion, a certificate can also be provided to an
applicant on a computer diskette as required and paid for
by the applicant after completion of verification procedures.
4.2.5
Application Refusal
At its sole discretion, COMTRUST may refuse issuance of certificate
to any individual without assigning any reason and without
incurring any liability, whatsoever.
However, when a validation fails, COMTRUST shall reject the
certificate application and promptly notify the certificate
applicant of the validation failure, providing the reason
(except where prohibited by law) for such failure. Such notice
shall be communicated to the certificate applicant by COMTRUST
via e-mail or fax as appropriate.
A person or a business entity whose certificate application
has been rejected may re-apply later.
4.3
Certificate Acceptance
The certificate is deemed to be a valid certificate upon the
subscriber's acceptance of it, which occurs when enrolment
is made, credentials are verified and an e-mail containing the relevant
URL and certificate reference number is sent to the subscriber.
The relevant certificate will be published in the COMTRUST directory
once notice that the certificate is available for download
has been sent to the subscriber.

4.4
Certificate Suspension and Revocation
4.4.1
Circumstances for revocation
COMTRUST shall make a reasonable effort to suspend or revoke
a certificate, if it determines any of the following:
a) A request has been received from the subscriber, after authenticating
that the requester is the subscriber or a legally authorised
representative of the subscriber.
b) A compromise (including: loss, theft, modification and
unauthorised disclosure) of the private key or system materially
affecting the certificate's reliability.
c) The subscriber has failed to meet any material obligation
under this CPS.
d) Any act of God, natural disaster, or any other factor beyond
human control rendering private key associated with certificate
being compromised or not usable.
e) Information submitted by the applicant is found
to be inaccurate at any point after issuance of the certificate.
f) A condition relating to use of the certificate is not satisfied.
g) Trade license of the organisation has expired and renewal
is not provided to COMTRUST within the grace period of one
month from expiry of such license. COMTRUST will notify
the organization to provide a copy of renewed trade certificate
on or about the date of such expiry.
In the event that revocation happens due to CA compromise or
human error on the part of CCS, the CA will provide a new equivalent
certificate to the subscriber free of charge. Suspension
and revocation services are not available for Demonstration
Certificates.
4.4.2
Who can request revocation
The revocation request can be made by:
- The subscriber in whose name this certificate has been issued.
- COMTRUST Registration Authority
- An authorised COMTRUST employee, on finding that the subscriber
has failed to meet his or her obligations.
- The organization concerned, in writing, for Business User Certificates issued to individual on its request.

4.4.3
Procedure for revocation request
a) A revocation request takes the form of an authenticated
record from the subscriber or its agent, authenticated by
means of a password or recitation of certain pre-submitted
enrolment information. An authenticated record is generated
by the subscriber's personal presence, by a phone call followed by
a letter in original, by a digitally signed e-mail message to RA@comtrust.ae,
or by mail or fax followed by a letter in original.
b) A completely documented and valid revocation request will be acted upon within a maximum period of 2 working days.
On completing its investigation, CCS will either authenticate
and validate the revocation request and revoke the certificate,
or otherwise unsuspend it. For clarity, revocation is an
irreversible process.
c) Revocation of a certificate shall not affect any underlying
contractual obligations created or communicated under this
CPS.

4.4.4
Revocation request grace period
As explained in sub section 4.4.3(b) of this CPS.
4.4.5
Circumstances for suspension
Not Available
4.4.6
Who can request suspension
Not Available
4.4.7
Procedure for suspension request
Not Available
4.4.8
Limits on suspension period
Not Available
4.4.9
CRL issuance frequency (if applicable)
The CRL shall be issued once every twenty-four hours.
4.4.10
CRL checking requirements
The relying party must determine if any of the certificates
along the chain from the signer to an acceptable root within
the CCS has been revoked or suspended, because a revocation
or suspension has the effect of prematurely terminating the
operational period during which verifiable digital signatures
can be created. The COMTRUST repository may be queried for
the most up-to-date revocation status in CRLs. For Comtrust
Root CA, only offline CRL checking will be possible at the
moment, and can be verified by downloading the CRL from
Comtrust CRL repository (http://www.comtrust.ae/docs/repository.htm)
4.4.11 On-line revocation/status checking availability
The online Certificate Revocation List is published regularly and is available through a link from the Comtrust website www.comtrust.co.ae under the PKI forms directory.
4.4.12
On-line revocation checking requirements
The Comtrust VA (Validation Authority) provides on-line validation services and revocation
information through the following:
a) World Wide Web (WWW): a URL hosting the published CRL
b) Lightweight Directory Access Protocol (LDAP)
c) Online Certificate Status Protocol (OCSP)
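The checks that sections 4.4.9, 4.4.10 and 4.4.12 require of a relying party, written out as an added example. This is not COMTRUST's code: it builds a throwaway root CA, two leaf certificates and a CRL in memory with the third-party Python `cryptography` package, then applies the relying-party checks in the order that matters: the certificate must chain to the trust anchor and be within its operational period, the CRL must name and be signed by that same issuer, the CRL must be no older than its own nextUpdate (set here from the 24-hour issuance interval of 4.4.9, an assumption of the example), and only then is the serial number looked up. Every failure before the lookup yields "unknown" rather than "good", because a relying party that cannot obtain fresh, authentic revocation status has no basis to trust the certificate. The names `Demo Root CA`, `Rogue CA` and `*.example.test` and the fixed clock are the example's own.

```python
"""Relying-party revocation check: constructed example, not COMTRUST's code.
Builds a throwaway root CA, two leaves and a CRL in memory; check_certificate()
applies the checks a relying party makes before trusting a leaf. Needs `cryptography`."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumed from section 4.4.9 (one CRL every 24 hours): a CRL whose nextUpdate
# has passed is stale and must never be used to conclude "good".
CRL_ISSUANCE_INTERVAL = dt.timedelta(hours=24)
DEMO_CLOCK = dt.datetime(2024, 1, 15, 12, 0, 0)  # constructed fixed clock, naive UTC


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _naive_utc(obj, attr):
    """Datetime field as naive UTC on any cryptography version (aware *_utc
    accessors from 42 on, naive ones before)."""
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr, None)
    return value.replace(tzinfo=None) if value and value.tzinfo else value


def build_demo_pki(now):
    """Constructed fixture: root CA, revoked and good leaves, the CA's CRL, an
    unrelated CA, and a CRL naming the real CA but signed by the unrelated key."""
    def issue_cert(signing_key, issuer_name, cn, public_key, is_ca):
        builder = (x509.CertificateBuilder()
                   .subject_name(_name(cn)).issuer_name(issuer_name)
                   .public_key(public_key).serial_number(x509.random_serial_number())
                   .not_valid_before(now - dt.timedelta(days=1))
                   .not_valid_after(now + dt.timedelta(days=365)))
        if is_ca:
            builder = builder.add_extension(
                x509.BasicConstraints(ca=True, path_length=None), critical=True)
        return builder.sign(signing_key, hashes.SHA256())

    def issue_crl(signing_key, issuer_name, serials):
        builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_name)
                   .last_update(now).next_update(now + CRL_ISSUANCE_INTERVAL))
        for serial in serials:
            builder = builder.add_revoked_certificate(
                x509.RevokedCertificateBuilder().serial_number(serial)
                .revocation_date(now).build())
        return builder.sign(signing_key, hashes.SHA256())

    ca_key, rogue_key, leaf1, leaf2 = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = issue_cert(ca_key, _name("Demo Root CA"), "Demo Root CA", ca_key.public_key(), True)
    rogue = issue_cert(rogue_key, _name("Rogue CA"), "Rogue CA", rogue_key.public_key(), True)
    revoked = issue_cert(ca_key, ca.subject, "revoked.example.test", leaf1.public_key(), False)
    good = issue_cert(ca_key, ca.subject, "good.example.test", leaf2.public_key(), False)
    return {"ca": ca, "rogue_ca": rogue, "revoked": revoked, "good": good,
            "crl": issue_crl(ca_key, ca.subject, [revoked.serial_number]),
            "forged_crl": issue_crl(rogue_key, ca.subject, [])}  # right name, wrong key


def check_certificate(cert, issuer, crl, now):
    """Return (status, reason), status in {'good', 'revoked', 'unknown'}. 'unknown'
    means status could not be established and must be treated as failure."""
    if cert.issuer != issuer.subject:
        return "unknown", "certificate was not issued by the trusted issuer"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "unknown", "certificate signature does not verify"
    if not _naive_utc(cert, "not_valid_before") <= now <= _naive_utc(cert, "not_valid_after"):
        return "unknown", "certificate is outside its validity period"
    if crl.issuer != issuer.subject:
        return "unknown", "CRL issuer differs from the certificate issuer"
    if not crl.is_signature_valid(issuer.public_key()):
        return "unknown", "CRL signature does not verify under the issuer key"
    this_update, next_update = _naive_utc(crl, "last_update"), _naive_utc(crl, "next_update")
    if now < this_update:
        return "unknown", "CRL thisUpdate lies in the future"
    if next_update is None or now > next_update:
        return "unknown", "CRL is stale; fetch the current one before deciding"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked", "serial number is listed in the issuer's current CRL"
    return "good", "not listed in a fresh, authentic CRL from the issuer"


def demo_results(now=DEMO_CLOCK):
    """Map each scenario to the status check_certificate() returns for it."""
    pki = build_demo_pki(now)
    ca, crl = pki["ca"], pki["crl"]
    return {
        "revoked leaf": check_certificate(pki["revoked"], ca, crl, now)[0],
        "good leaf": check_certificate(pki["good"], ca, crl, now)[0],
        "stale CRL": check_certificate(pki["good"], ca, crl, now + dt.timedelta(hours=25))[0],
        "forged CRL": check_certificate(pki["good"], ca, pki["forged_crl"], now)[0],
        "wrong trust anchor": check_certificate(pki["good"], pki["rogue_ca"], crl, now)[0],
    }
```

`check_certificate()` validates one link of a chain; for a longer path, run it once per link with the next certificate up as the issuer, using that issuer's own CRL. The same decision logic applies to an OCSP response (4.4.12 c): verify the responder signature, reject a response whose `nextUpdate` has passed, and treat any failure as "unknown", not "good".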
4.4.13
Other forms of revocation advertisements available
Not Available
4.4.14
Checking requirements for other forms of revocation advertisements
Not Applicable.
4.4.15
Special requirements re key compromise
Please see sub section 4.8.2 of this CPS.
4.5
Security Audit Procedures
4.5.1
Types of event recorded
At the system level all the CA related activities are recorded.
Main archiving events are requests for certificate generation
/ revocation, creation / revocation of certificates, certificate
issuance, establishment of trusted roles on the CA, actions
of trusted personnel, CRL issuance and CA keys changes. Records
are also maintained for accesses at network level including
events logging at the firewall and the intrusion detection
systems.
4.5.2
Frequency of processing log
4.5.3 Unauthorized Access
COMTRUST’s system is heavily protected from unauthorized access
to back-end systems through a combination of firewalls and
intrusion detection systems. Attempts aimed at unauthorized
access of the system are logged and reported. Trusted employees
from COMTRUST’s network team undertake a bi-weekly review
of this processing log and take immediate action when alerted
by such an unauthorized attempt.
4.5.4
Retention period for audit log
The audit log is maintained for a period of three months.
4.5.5
Protection of audit log
The audit log at COMTRUST is protected from unauthorized access
through implementation of strict physical and logical security
controls. Furthermore, the periodic backups of the audit log
are maintained at a site away from the one housing the CA
equipment.
4.5.6
Audit log backup procedures
Audit log backups follow the same frequency and procedures
as detailed for the rest of the data. The audit log backups
are stored off-site for enhanced security.
4.5.7
Audit collection system (internal vs external)
COMTRUST's CA system collects audit data at three levels,
namely operating system, network, and application. Audit data
collection starts at system startup and ends at system shutdown.
4.5.8
Notification to event-causing subject
Notification is made through email and SMS
4.5.9
Vulnerability assessments
COMTRUST carries out periodic security audits internally.
Furthermore, COMTRUST has also appointed an external security
auditor for carrying out vulnerability assessments. The external
security audit is carried out annually.
4.6
Records Archival
4.6.1
Types of event recorded
At the system level all the CA related activities are recorded.
Main archiving events are requests for certificate generation
/ revocation, creation / revocation of certificates, certificate
issuance, establishment of trusted roles on the CA, actions
of trusted personnel, CRL issuance and CA keys changes. Records
are also maintained for accesses at network level including
events logging at the firewall and the intrusion detection
systems.
4.6.2
Retention period for archive
Archives are retained for a period of three months.
4.6.3
Protection of archive
A multilevel security scheme has been implemented at the COMTRUST site to ensure integrity of the archived data. This security scheme entails both physical (ID cards, smart cards, biometrics, retina scanners) and logical (segregation of sensitive data through Virtual LANs implementation) levels of security.
4.6.4
Archive backup procedures
Archive backups follow the same frequency and procedures as detailed for the rest of the data. The archive backups are stored off-site for enhanced security.
4.6.5
Requirements for time-stamping of records
COMTRUST's CA system employs GPS based time stamping for the
purpose of records keeping.
4.6.6
Archive collection system (internal or external)
Archived data is on external storage media and is provided to the backup site through COMTRUST's trusted employees.
4.6.7
Procedures to obtain and verify archive information
COMTRUST employs a Message Digest (MD5) log-keeping scheme to ensure the integrity of the archived data and to ensure that only authorised access to the data takes place.
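Two caveats a practitioner will want alongside section 4.6.7: an unkeyed digest stored with the archive only detects accidental corruption, since whoever can rewrite the records can recompute the digest, and MD5 itself is collision-broken. The following added example (not COMTRUST's scheme) shows the construction that addresses both, and serves the audit-log protection of 4.5.5 equally: each archived record is chained to its predecessor and sealed with HMAC-SHA256 under a key held by the verifier rather than the archive operators, with the chain head published out of band. It then tampers with the archive the way an insider would and shows which checks notice. The event records and the key are constructed for the example.

```python
"""Tamper-evident audit archive: constructed example, not COMTRUST's scheme.
Every record is chained to its predecessor and sealed with HMAC-SHA256 under a
key the archive operators do not hold; the chain head is published out of band."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value preceding the first record
VERIFIER_KEY = b"constructed-demo-key; in practice held by the auditor, not the archive"
# Constructed sample of the event types listed in sections 4.5.1 and 4.6.1.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T08:00:00Z", "event": "cert_request", "serial": "1A2B", "actor": "RA"},
    {"ts": "2024-01-15T08:05:00Z", "event": "cert_issued", "serial": "1A2B", "actor": "CA"},
    {"ts": "2024-01-15T09:30:00Z", "event": "revocation_request", "serial": "1A2B", "actor": "subscriber"},
    {"ts": "2024-01-15T09:45:00Z", "event": "cert_revoked", "serial": "1A2B", "actor": "CA"},
    {"ts": "2024-01-16T00:00:00Z", "event": "crl_issued", "crl_number": 42, "actor": "CA"},
]


def _canonical(entry):
    """Deterministic byte form of an entry, so re-serialising cannot change the MAC."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _link(key, prev, entry):
    """MAC over (previous link, entry): binds each record to its content and position."""
    return hmac.new(key, prev.encode() + b"\n" + _canonical(entry), hashlib.sha256).hexdigest()


def seal(entries, key, prev=GENESIS):
    """Append-time sealing: returns the chained records for the given entries."""
    chain = []
    for entry in entries:
        mac = _link(key, prev, entry)
        chain.append({"entry": entry, "prev": prev, "mac": mac})
        prev = mac
    return chain


def head(chain):
    return chain[-1]["mac"] if chain else GENESIS


def verify(chain, key, expected_head=None):
    """Return (ok, index, reason). Re-derives every link from the key; a wrong
    prev pointer, a wrong MAC, or a head that differs from the published one
    all fail. Without expected_head a silently truncated chain still passes."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i, "link does not point at the previous record"
        if not hmac.compare_digest(_link(key, prev, rec["entry"]), rec["mac"]):
            return False, i, "MAC mismatch: record altered or forged"
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain), "head mismatch: records dropped or appended"
    return True, len(chain), "chain intact"


def md5_checksum(chain):
    """What an unkeyed MD5 'log keeping scheme' amounts to: anyone who can
    rewrite the archive can recompute this after editing it."""
    return hashlib.md5(b"".join(_canonical(r["entry"]) for r in chain)).hexdigest()


def demo():
    """Seal the sample events, attack the archive as an insider with write
    access would, and report what each integrity check says."""
    chain = seal(SAMPLE_EVENTS, VERIFIER_KEY)
    published = head(chain)  # e.g. recorded off-site with the daily CRL run
    tampered = json.loads(json.dumps(chain))  # deep copy
    tampered[3]["entry"]["event"] = "cert_reinstated"  # rewrite the revocation record
    stored_md5 = md5_checksum(tampered)  # ...and refresh the unkeyed digest beside it
    return {
        "intact": verify(chain, VERIFIER_KEY, published),
        "md5 passes after edit": md5_checksum(tampered) == stored_md5,
        "chain after edit": verify(tampered, VERIFIER_KEY, published),
        "truncated, no head": verify(chain[:4], VERIFIER_KEY),
        "truncated, with head": verify(chain[:4], VERIFIER_KEY, published),
        "reordered": verify([chain[0], chain[2], chain[1]] + chain[3:], VERIFIER_KEY, published),
    }
```

The "truncated, no head" result is the point to note: a hash chain alone cannot tell a complete archive from one cut short at a link boundary, which is why the current head must be published somewhere the archive operators cannot rewrite (the off-site backup of 4.6.4 is the natural place) and compared by `verify()`.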
4.7
Key changeover
COMTRUST CA key pair will have a validity of five years. After every five years the key pair will be changed.
4.8
Compromise and Disaster Recovery
4.8.1
Computing resources, software, and/or data are corrupted
COMTRUST shall implement, document, and periodically test appropriate contingency planning and disaster recovery capabilities and procedures, consistent with this CPS.
4.8.2
Entity public key is revoked
In the event that COMTRUST's public key is revoked, Baltimore Technologies (formerly GTE CyberTrust) will list COMTRUST's root CA on its CRL. COMTRUST will ensure that this revocation information is conveyed to all subscribers, including through the Comtrust web site. COMTRUST will then re-establish its operations, following the same procedures that were employed for establishing the earlier operations, and will re-key all certificates issued to subscribers.
4.8.3
Entity key is compromised
In the event that a COMTRUST entity key is compromised, Baltimore Technologies (formerly GTE CyberTrust) will list COMTRUST's entity key on its CRL. COMTRUST will ensure that this revocation information is conveyed to all subscribers and relying third parties. COMTRUST will then re-establish its operations under a new PKI.
4.8.4
Secure facility after a natural or other type of disaster
In the event of a natural or man-made disaster that renders COMTRUST inoperative, the damaged site, along with its equipment, will be secured by highly trained security personnel, and all sensitive materials will be salvaged and evacuated to another secure site.
4.9
CA Termination
If at any point the COMTRUST Certification Authority finds it necessary to terminate its operations, it will take the following actions to minimise the impact on all parties:
(i) Issue a minimum of 90 days notice to all subscribers of its intention to cease operations.
(ii) Revoke all un-expired and un-revoked certificates on the expiry of 90 days period.
(iii) Preserve all necessary records in accordance with applicable laws of UAE.
(iv) The CRL will be maintained at least until all issued certificates have expired, which will occur within a maximum period of two years, as certificates are issued for a maximum validity period of two years.