Comsign Ltd.
Certificate Policy
For the issuance of electronic certificates for qualified electronic signatures
and Domain Names and Internet Servers
Version 1.0
Dated: 22.10.2019
© All rights reserved. No part of this document may be used, reproduced or distributed, in any form including
electronically, without written permission of Comsign Ltd, Aditidim Technological Park, P.O.B 58077, Tel Aviv 6158001
Certificate Policy for Qualified Certificates and for
SSL Certificates
This document states the criteria for electronic certificates known as Qualified
Certificates under the Israeli Electronic Signature Law 2001 and its regulations
(the "Law") and for SSL electronic certificates for Internet Domain Names and Servers
(hereinafter referred to, together, as the “Certificate”) and describes the applications for
which a Certificate issued by Comsign Ltd. (hereinafter referred to as “Comsign”), acting
as a Certification Authority (CA), under this Certificate Policy (CP), may be used, as
well as the procedures to be followed and the responsibilities of the parties involved, in
accordance with the applicable Comsign's Certification Practice Statements (CPS). The
physical person or legal entity applying for a Certificate shall hereinafter be referred to as
the "Applicant".
A. Details of the Certificate Policy for Qualified Certificates and SSL
Certificates
1. The Qualified Certificate, within its meaning under the Law, provides a very high
degree of assurance of the electronic personal and professional identity of a physical
person or of an authorized signatory on behalf of a Legal Entity. Evidence of identity
shall be checked against a physical person either directly, upon the initial issuance, or
indirectly (only at renewal and with a valid Certificate that has not yet expired) using means
which provide equivalent assurance to physical presence, such as a previous personal
identification prior to the issue of a qualified certificate serving as the basis for the present
identification. The Certificate holder may be a physical person or a legal entity acting
through a duly authorized representative in the form of a physical person. Comsign
also provides qualified certificates for legal entities as such, as well as SSL certificates
for domain names and internet servers. However, these certificates, although qualified
under the European Telecommunications Standards Institute ("ETSI") and the
Certification Authority Browser Forum ("CAB Forum") standards and baseline
requirements, are not issued under the terms of the Law and are not recognized as
such by the Law. Notwithstanding, the link between the physical person or the Legal
Entity and the public key is certified.
2. In order for the application to be validated, the Applicant must submit proof of his
identity and valid documents proving his mandated responsibility, the existence of the
legal entity and control over the domain name or internet server, as applicable.
3. The private key corresponding to the public key certified in this way must be used
solely in the context of a Qualified Electronic Signature according to the Law
(when applicable) or a Qualified Digital Signature, according to the criteria of a
“Qualified Certificate” as specified in Regulation (EU) 910/2014 on electronic
identification and trust services and its corresponding national legislations related to
the legal framework for electronic signature and certification services and to the
technical standard ETSI TS 101 456 and can be used to create a qualified digital
signature which is equivalent to a written signature.
B. Identification of the Certificate Policy for Qualified Certificates
1. A CP is a specific set of rules that indicate a Certificate's applicability to a particular
community and/or type of application that shares the same security requirements. This
document sets out and identifies the Certificate Policy for Qualified Certificates.
These Certificates are compatible with, and meet the requirements laid down in,
the Law and in ETSI 101 456 (as applicable).
2. The Qualified Certificate holder is responsible under the Law for the generation of
the Private Key and Public Key.
3. The Certificates issued under this policy have a CP identifier. This can be used by
third parties to determine the applicability and trustworthiness of the Certificate for
a particular application. The identifiers are as specified below:
Qualified Certificate for Qualified Electronic Signature by Physical Persons, as
individuals or on behalf of a legal entity:
• Qualified Certificate with SSCD: OID ETSI 101 456: 0.4.0.1456.1.1; key generation by CA: 0.3.2062.7.1.1.101.x
• Qualified Certificate without SSCD: OID ETSI 101 456: 0.4.0.1456.1.2; key generation by CA: 0.3.2062.7.1.1.102.x
Qualified Certificate for Qualified Electronic Signature by Legal Entities:
• Qualified Certificate with SSCD: OID ETSI 101 456: 0.4.0.1456.1.1; key generation by CA: 0.3.2062.7.1.1.112.x
• Qualified Certificate without SSCD: OID ETSI 101 456: 0.4.0.1456.1.2; key generation by Owner: 0.3.2062.7.1.1.111.x
C. Applicability
1. A qualified certificate provides a very high level of assurance of the electronic identity
of a Physical Person or a Legal Entity. It can therefore also be used to protect top
level applications in a client/server, browser/server model, such as major commercial
transactions, execution of contracts and signing of files, bank transactions and
interactions with public institutions.
2. The Certificates issued under this CP may be used for the creation of a Qualified
Electronic Signature as well as a Secure Electronic Signature.
3. The Certificates issued under this CP are issued by a Certificate Authority that
complies with the requirements of the Law (when applicable) and of Regulation (EU)
910/2014 on electronic identification and trust services and its corresponding national
legislations.
4. The private keys corresponding with certificates issued under this CP should be used
only in combination with a secure signature creation device (SSCD) as specified in the
Law (when applicable) and Regulation (EU) 910/2014 on electronic identification and
trust services and its corresponding national legislations.
D. Rights, responsibilities and obligations of the parties
1. Rights, responsibilities and obligations of Comsign (the "CA")
a. The CA issues X.509 v3-compatible Certificates (ISO 9594-8).
b. The CA issues qualified or secure electronic certificates as defined by the Law
(when applicable) and Regulation (EU) 910/2014 on electronic identification
and trust services and its corresponding national legislations. For this end, the
CA publishes the elements supporting this statement of compliance.
c. The CA guarantees that all the requirements set out in the CP (and indicated in the
Certificate in accordance with Section B of this document) are complied with. It
also assumes responsibility for ensuring such compliance and providing these
services in accordance with its CPS.
d. Information about the CA authorized to issue Certificates under this CP:
• Certification Practice Statements (CPS):
http://www.Comsign.co.il/cps
• Public Register of Certificates and Certificate Revocation Lists (CRL):
https://www.Comsign.co.il/repository
• Suspension/Revocation Authority: +972 (3) 6443620 (available 24 hours a
day, seven days a week).
e. To register persons applying for a Certificate, the CA may use Registration Agents,
contractually bound to the CA, that act as registration authorities (RAs) for the
provision of authenticated Certificate application files.
f. The CA guarantees that the key pair generation is performed in a secured way
and that the privacy of the private key is ensured according to the requirements
of the Law and the technical standard ETSI TS 102 042.
g. The CPS and the Law require the use of a Secure Signature Creation Device
(SSCD) thus the Key Pair must be generated using this device and the Certificate
must be used to create signatures solely by means of this device.
h. The sole guarantee provided by the CA is that its procedures are implemented in
accordance with its CPS and the verification procedures then in effect, and that all
Certificates issued with a CP Object Identifier (OID) have been issued in
accordance with the provisions of this CP, the verification procedures, and the CPS
then in effect.
i. In certain cases described in the CPS, the CA may revoke or suspend the
Certificate.
j. The CA must protect the privacy of the Certificate holder and the confidentiality
of its data not published in the Certificate and exercise all due care when handling
such data. This data may be used solely for the provision of certification services.
2. Rights, responsibilities and obligations of the Certificate Holder
The Certificate holder hereby agrees to and accepts all of the following:
a. The Certification Practice Statement (CPS) currently in effect, as drafted by the
CA and setting out the procedures used for providing electronic Certificates.
b. This CP.
c. Submitting to the Israeli law in all matters related to the contractual agreement with
the CA.
d. The data provided by the Applicant to the CA is accurate, complete,
precise and meets the requirements for the type of Certificate and the CP
referred to in Section B of this document, and in particular with the corresponding
registration procedures.
e. In using the Key Pair, the Certificate Holder must comply with any limits and
constraints indicated in the Certificate or in a contractual agreement.
f. The key-pair generation must be undertaken in accordance with the
current CPS and CP, using an algorithm and key length that meet the
criteria set out in the CP and the relevant contractual agreements.
g. The Certificate holder is the sole holder of the private key linked to the
public key to be certified.
h. When applicable, the key-pair must be generated using an SSCD and the
Certificate must be used to create signatures solely by means of this device.
i. The Certificate Holder must protect the Private Key at all times against loss,
disclosure, alteration or unauthorized use. Once the Private and Public key pair
have been created, the Certificate Holder is personally responsible for ensuring
the confidentiality and integrity of the Key Pair. The Certificate Holder is
deemed the sole user of the Private Key. The PIN (Personal Identity Number) or
password used to prevent unauthorized use of the Private Key must never be
compromised or stored under non-secure conditions. The Certificate Holder holds
sole liability for the use of the Private Key. The CA is not liable for the use
made of the Key Pair belonging to the Certificate Holder.
j. The Certificate Holder must request that the CA suspend or revoke the Certificate
as required pursuant to the relevant CPS, the Subscriber's Agreement and the
application forms.
k. Revocation of a Certificate takes place with immediate effect. The suspension and
revocation procedures are set out in the CPS and in Section J of this CP. The sole
remedy available to a certificate holder for a revoked certificate due to fault of the
CA is the issuance of a substitute certificate. No remedy is available for revocation
or suspension of a Certificate for any other reason.
l. The Certificate Holder agrees to the publication of the issued Certificate in the
relevant CA register (when applicable). The list of revoked (and suspended)
certificates (CRL) is open to the public. The list of valid certificates is not open to
public review.
m. The Certificate Holder must verify the accuracy of the content of the Certificate
published immediately following its receipt and prior to first use. The Certificate
Holder must immediately notify the CA of any inconsistency noted between the
information in the Subscriber Agreement and application forms and the content of
the Certificate. Use of the Certificate by its holder constitutes approval by the
holder of the Certificate, its operation and its contents.
n. The Certificate Holder agrees to the retention, for a period of 25 years from
the date of expiry of the Certificate, by the CA of all information used for the
purposes of registration, for the provision of a SSCD or for the suspension or
revocation of the Certificate, and, in the event that the CA ceases its activities,
the Certificate Holder permits this information to be transmitted to third parties
acting as substitute CAs under the same terms and conditions as those laid down
in this CP.
3. Rights, responsibilities and obligations of the CA Registration Agent (RA)
The RA must follow the registration procedures and the RA obligations detailed in
the CPS, in its contractual engagement with the CA and inter alia:
a. Accurately represent the information it prepares for the CA, and process requests
and responses in a timely and secure manner in accordance with the CPS, this CP and the
contractual agreement with Comsign.
b. Comply with all provisions of the CPS, this CP and the contractual agreement
with Comsign.
c. Assure that Applicants are correctly identified and authenticated: for individuals
acting on their own behalf or on behalf of a legal entity, both their personal identity as
natural persons and their professional status and authorization; for legal entities, their
valid existence; for SSL certificates, control over the domain name/internet server.
Applications for Certificates submitted to the CA must be complete, accurate,
valid and duly authorized. The identity of the Certificate Holder must be verified
on the basis of valid identity documents. These documents shall indicate inter
alia the full name (last and first name), date and place of birth, when relevant
– a unique registration number, a photograph and the postal address at which
the Certificate Holder can be contacted.
d. When relevant, inform the Certificate Holder on the terms and conditions for
the use of the Certificate.
e. Comply with the requirements on the protection of personal data in connection
with Certificate registration procedures.
f. Take appropriate measures to assure the physical security of the registration
information and, where applicable, of the systems; the logical access to any
software; and the security awareness of the employees in charge of
registration.
g. Ensure that the registration data, in all formats, is managed, stored and
accessed in such a way as to avoid any loss of confidentiality, integrity or
availability of this data.
4. Rights, responsibilities and obligations of the Legal Entity nominating an
authorized Certificate Holder
a. The legal entity, represented by its authorized officer, must give its consent to the
issue of a Certificate to an authorized Certificate Holder representative and for the
Certificate attesting to the professional status of the Certificate Holder with
respect to the legal entity.
b. When applicable, the legal entity accepts and assumes all liabilities and
responsibilities of the Certificate Holder authorized by the legal entity to
represent it and use the Certificate on behalf of the legal entity.
c. The legal entity must agree to:
• the CPS currently in effect provided by the CA, which sets out the practices
used to provide the Certificates;
• this CP;
• the application form and subscriber's agreement;
• choice of law: Israeli law;
• being responsible for the accuracy of the data it transmits to the CA for the
purposes of registration of the Certificate Holder. The legal entity must
immediately inform the CA of any change to this data, and the latter will then
take appropriate action.
d. The CA may revoke or suspend a Certificate based on a request by the legal entity.
5. Rights, responsibilities and obligations of relying third parties
Third parties who rely on Certificates issued in accordance with this CP must:
a. Verify the validity of the Certificate and the Certificate of the CA that issued the
Certificate as well as the complete certification chain by checking against the
appropriate Certificate Revocation Lists (CRLs).
b. Fully consider all the limitations on the use of the Certificate specified in the
Certificate, in the contractual documents and this CP.
c. Take all other precautions with regard to use of the Certificate set out in the CP
or elsewhere.
E. Identification and Authentication – Certified information
1. The following information for Qualified Certificates (SSL Certificates excluded) is
validated and certified (see Section G of this CP: Certificate application procedure)
Attribute | Mandatory/Optional/Fixed | Value
Distinguished Name:
Country (C) | Mandatory | Country in which the entity's registered office is established, as stated in the official bylaws of the legal entity
Locality (L) | Mandatory | Location in which the entity's registered office is established, as stated in the official bylaws of the legal entity
Organization (O) | Mandatory | The official name of the entity to which the Certificate Holder belongs
Organizational Unit (OU) | Optional | Organizational unit or department
Title | Optional | Role or function in the organization: either one of "Self employed", "Administrator", "C.E.O.", "Manager" or "Employee", or another professional status statement, if the necessary proof is delivered during registration
Common Name (CN) | Mandatory | Physical Person: last name and first name(s), as indicated on the identity document. Legal Entity: the organization name, followed by the KBO/BCE or VAT or enterprise number; optionally this number can be preceded by the indication "BCE", "KBO" or "VAT". Optionally, the intended use of the certificate can be indicated in the common name between brackets, "(Sign)".
Surname | Optional | Certificate Holder's surname
Given Name | Optional | Certificate Holder's given name
Rfc822 Name | Optional | Certificate Holder's e-mail address
Extensions (not critical unless specified otherwise):
Key Usage | Fixed/Critical | Digital Signature, Non Repudiation
Subject Public Key | Mandatory | Physical persons and Legal persons. Public key: key length at least 2048 bits (RSA); public exponent: Fermat-4 (= 010001)
Certificate Policies - policy Identifier | Fixed |
  Physical persons with SSCD: 0.3.2062.7.1.1.101.1
  Physical persons without SSCD: 0.3.2062.7.1.1.102.1
  Legal persons without SSCD: 0.3.2062.7.1.1.111.1
  Legal persons with SSCD: 0.3.2062.7.1.1.112.1
Certificate Policies - policy Qualifier - user Notice | Fixed |
  Physical persons with SSCD: "Certificate Policy for Qualified Certificates for Physical Persons. Supported by SSCD, Key Generation by CA. GTC, CP and CPS: www.comsign.co.il/repository"
  Physical persons without SSCD: "Certificate Policy for Qualified Certificates for Physical Persons. Not supported by SSCD, Key Generation by CA. GTC, CP and CPS: www.comsign.co.il/repository"
  Legal persons without SSCD: "Certificate Policy for Qualified Certificates for Legal Persons. Not supported by SSCD, Key Generation by Owner. GTC, CP and CPS: www.comsign.co.il/repository"
  Legal persons with SSCD: "Certificate Policy for Qualified Certificates for Legal Persons. Supported by SSCD, Key Generation by CA. GTC, CP and CPS: www.comsign.co.il/repository"
Certificate Policies - policy Qualifier - CPS | Fixed | www.comsign.co.il/repository
qcStatement | Fixed | 0.4.0.1862.1.1
Subject Key Identifier | Fixed | The Key Identifier comprises a four-bit field with the value 0100, followed by the least significant 60 bits of the SHA-1 hash of the value of the subjectPublicKey bit string (excluding the tag, the length and the number of unused bit-string bits)
CRL Distribution Points | Fixed |
  Physical persons:
  http://fedir.comsign.co.il/crl/ComSignCorporationsCAG2.crl
  http://crl1.comsign.co.il/crl/ComSignCorporationsCAG2.crl
  Legal persons:
  http://fedir.comsign.co.il/crl/ComSignCorporationsCAG2.crl
  http://crl1.comsign.co.il/crl/ComSignCorporationsCAG2.crl
  http://_____________
Other information:
Issuer | Fixed | For example "CN = Comsign Organizational, O = Comsign, C = IL"
Validity | Fixed | Up to 5 years
Serial Number | Mandatory | Certificate sequence number
Version | Fixed | 3
The Certification Authority’s signature is appended to this certified information and
relates to all of the information certified.
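As an added worked example (not code from the Comsign CP or its CPS), the Subject Key Identifier derivation given in the profile above, which is RFC 5280 method (2), computed in Python over the contents of a DER-encoded subjectPublicKey BIT STRING. The sample BIT STRING wraps constructed bytes rather than a real RSA key, and the relying-party check function is an assumed usage, not a Comsign interface.

```python
import hashlib


def bit_string_contents(der_bit_string: bytes) -> bytes:
    """Return the payload of a DER BIT STRING: the subjectPublicKey bytes with
    the tag, the length and the unused-bits octet stripped. Only what is left
    is hashed for the Key Identifier."""
    if not der_bit_string or der_bit_string[0] != 0x03:
        raise ValueError("not a BIT STRING (tag 0x03 expected)")
    pos = 1
    length = der_bit_string[pos]
    pos += 1
    if length & 0x80:                      # long-form length: 0x8N followed by N octets
        n = length & 0x7F
        length = int.from_bytes(der_bit_string[pos:pos + n], "big")
        pos += n
    body = der_bit_string[pos:pos + length]
    if len(body) != length or not body:
        raise ValueError("truncated BIT STRING")
    if body[0] != 0:                       # a DER public key always fills whole octets
        raise ValueError("unexpected unused bits in subjectPublicKey")
    return body[1:]


def subject_key_identifier(subject_public_key: bytes) -> bytes:
    """Key Identifier as the profile describes it (RFC 5280 4.2.1.2 method 2):
    the 4-bit field 0100 followed by the least significant 60 bits of
    SHA-1(subjectPublicKey), 8 octets in total."""
    digest = hashlib.sha1(subject_public_key).digest()  # 20 octets
    low64 = digest[-8:]                                 # least significant 64 bits
    first = 0x40 | (low64[0] & 0x0F)                    # top nibble -> 0100, keep the low nibble
    return bytes([first]) + low64[1:]


def ski_matches_public_key(ski: bytes, der_bit_string: bytes) -> bool:
    """Relying-party consistency check (assumed usage): the SKI extension value
    must equal the identifier derived from the certificate's own public key."""
    return len(ski) == 8 and ski == subject_key_identifier(bit_string_contents(der_bit_string))


# Constructed sample: a BIT STRING with no unused bits wrapping b"abc" (not a real key).
SAMPLE_DER_BIT_STRING = b"\x03\x04\x00abc"

if __name__ == "__main__":
    key = bit_string_contents(SAMPLE_DER_BIT_STRING)
    print(subject_key_identifier(key).hex())   # 4850c26c9cd0d89d
```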
2. Authentication of organization identity:
The identification of an Applicant/authorized person on behalf of a corporation will be
performed by two Comsign registration clerks, solely on the basis of face to face
identification, as described below.
a. A corporation registered in Israel:
on the basis of: the incorporation certificate; an attorney’s statement confirming
the existence of the corporation, its name and registration number, or in lieu of the
statement – by verification in the appropriate registries; a certified copy of a
resolution of an authorized body in the corporation stating the authorized signatory
on behalf of the corporation or an attorney’s statement regarding the identity of
the said authorized signatory, using the text published on the Internet site of
Comsign from time to time.
b. A corporation not registered in Israel:
on the basis of: a certified copy of a document confirming that the corporation is
incorporated; a statement of an attorney confirming the existence of the
corporation, its name and registration number, or in lieu of the statement – by
verification in the appropriate registries; a certified copy of a resolution passed by
the authorized bodies of the corporation regarding the authorized signatories on
behalf of the corporation or an attorney’s statement regarding the identity of the
said authorized signatories, using the text published on the Internet site of Comsign
from time to time.
c. A corporation registered in the Palestinian Authority:
To be identified as a corporation not registered in Israel and in addition its
authorized signatory will be identified as per the process reserved for an individual
domiciled in the Palestinian Authority.
d. A public institution:
On the basis of an affidavit of the Applicant signed by its authorized signatory
identified by Comsign in the same manner that it identifies individual Applicants
residents of Israel, and in addition by the following documents:
(1) An identification document issued by the state carrying I.D. number and
photo.
(2) A written declaration by the employee of the public institution stating that he
is an authorized signatory on behalf of the public institution.
(3) A document confirming that the state employee is an authorized signatory on
behalf of the public institution.
For the purpose of this clause, "public institution" – government offices, local
authorities as well as other authorities, corporations and institutions established in
Israel under law.
Regarding corporations (whether or not registered in Israel) and public institutions
– the CA will identify the authorized signatory in the same manner that it identifies
individual Applicants either residents of Israel or non-residents, as applicable.
Regarding a corporation not registered in Israel or a public institution, where a
“certified copy” is required, this means a copy identical to the original and
authenticated by one of the following:
• the authority that issued the original document;
• an attorney licensed to practice law in Israel;
• an Israeli diplomatic or consular representative abroad.
3. Authentication Process for SSL certificates:
All authentication and verification procedures in this sub-section will be performed either
directly by Comsign personnel or by its Registration Agents.
a. Verifying the Applicant's domain name
For issuing Certificates to organizations requesting SSL certificates, Comsign
performs domain name owner's verification to detect cases of homographic spoofing
of IDNs. Comsign employs a process to find the owner of a particular domain. A
search failure result is flagged and the RA rejects the certificate request.
Orders for major corporations, well known trademarks and financial institutions will
be reviewed with special care and queued until full review is completed.
In the event an order is queued for review, the administrative contact must be a full
time employee of the company for successful issuance. Verification methods include
one of the following:
(1) Validating the Applicant as a Domain Contact
Confirming the Applicant's control over the FQDN by validating the Applicant
is the Domain Contact directly with the Domain Name Registrar. For this
method, Comsign will also authenticate the Applicant's identity and the authority
of the Applicant representative.
(2) Email, Fax, SMS, or Postal Mail to Domain Contact
Confirming the Applicant's control over the FQDN by sending a Random Value
via email, fax, SMS, or postal mail and then receiving a confirming response
utilizing a Random Value. The Random Value will be sent to an email address,
fax/SMS number, or postal mail address identified as a Domain Contact.
The Random Value will be unique in each email, fax, SMS, or postal mail.
The Random Value will remain valid for use in a confirming response for no
more than 30 days from its creation.
(3) Constructed Email to Domain Contact
Confirming the Applicant's control over the requested FQDN by:
(a) Sending an email to one or more addresses created by using 'admin',
'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part,
followed by the at-sign ("@"), followed by an authorization domain name,
(b) Including a Random Value in the email, and
(c) Receiving a confirming response utilizing the Random Value. The Random
Value will be unique in each email. The Random Value will remain valid for
use in a confirming response for no more than 30 days from its creation.
4. Domain Authorization Document:
Confirming the applicant's control over the requested FQDN by relying upon the
attestation to the authority of the applicant to request a certificate contained in a Domain
Authorization Document. The Domain Authorization Document must substantiate that
the communication came from the domain contact. Comsign shall verify that the Domain
Authorization Document was either:
a. Dated on or after the date of the domain validation request, or
b. That the WHOIS data has not materially changed since a previously provided Domain
Authorization Document for the Domain Name Space.
5. Agreed-Upon Change to Website:
Confirming the Applicant's control over the requested FQDN by confirming one of the
following under the "/.well-known/pki-validation" directory, or another path registered
with IANA for the purpose of domain validation, on the authorization domain name that
is accessible by Comsign CA via HTTP/HTTPS over an Authorized Port:
a. The presence of Required Website Content of at least 112 bits provided by the CA
to the Applicant contained in the content of a file or on a web page in the form of a
meta tag, or
b. The presence of the request value generated in a manner as instructed by the CA and
linking it to the key of the application for the electronic certificate. The request value
may contain a date-time stamp as well as any other unique data.
6. DNS Change:
Confirming the Applicant's control over the requested FQDN by confirming the presence
of a Random Value or Request Token in a DNS TXT or CAA record for an authorization
domain name or an authorization domain name that is prefixed with a label that begins
with an underscore character.
7. TLS Using a Random Number:
Confirming the Applicant's control over the requested FQDN by confirming the presence
of a Random Value within a certificate on the authorization domain name which is
accessible by Comsign via TLS over an authorized port.
8. Authentication of Organization identity:
Before issuing an SSL certificate and whenever a certificate contains an organization
name, the identity of the organization and other enrolment information provided by
Certificate Applicants (except for Non-verified Subscriber Information) is confirmed in
accordance with the procedures set forth in Comsign's procedures. Comsign shall:
a. Determine that the organization exists by using at least one third-party identity
proofing service or database, or alternatively organizational documentation issued by
or filed with the applicable government agency or competent authority that confirms
the existence of the organization, or an authorised lawyer who confirms the existence
of the organisation according to local laws, or by using a comparable procedure.
b. Determine that the organization has authorized the certificate application request, and
that the person submitting the Certificate Application request on behalf of the
certificate applicant is authorized to do so.
c. Where a domain name is included in the SSL certificate - Comsign authenticates the
organization’s right to use that specific domain name as a fully qualified domain
name.
d. Comsign will verify the identity and address of the Applicant using at least one of the
following:
(1) A government database in the jurisdiction of the Applicant’s legal creation,
existence, or recognition;
(2) A third-party database that is periodically updated and considered a reliable data
source;
(3) An attestation letter signed by a lawyer, CPA or a government official.
Alternatively, Comsign may verify the address of the Applicant (but not the identity
of the Applicant) using a utility bill, bank statement or other form of identification
that Comsign determines to be reliable.
e. If the Applicant requests a certificate that will contain subject identity information
comprised only of the countryName field, then Comsign shall verify the country
associated with the subject. If the Applicant requests a certificate that will contain the
countryName field and other subject identity information, Comsign shall verify the
identity of the Applicant, and the authenticity of the Applicant representative’s
certificate. Comsign shall inspect any document relied upon under this Clause for
alteration or falsification.
9. Authentication for an IP Address:
For each IP Address listed in an SSL Certificate, Comsign shall confirm that, as of the
date the SSL Certificate was issued, the Applicant has control over the IP Address by:
(1) having the Applicant demonstrate practical control over the IP Address by
making an agreed-upon change to information found on an online Web page
identified by a uniform resource identifier containing the IP Address; or
(2) obtaining documentation of IP address assignment from the Internet Assigned
Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC,
ARIN, AfriNIC, LACNIC); or
(3) performing a reverse-IP address lookup and then verifying control over the
resulting Domain Name.
10. Wildcard Domain Validation:
Before issuing a certificate with a wildcard character (*) in a CN or subjectAltName of
type DNS-ID, Comsign shall follow a procedure that determines whether the wildcard
character occurs in the first label position to the left of a “registry-controlled” label or
“public suffix”.
If a wildcard would fall within the label immediately to the left of a registry-controlled
label or public suffix, Comsign shall refuse issuance unless the Applicant proves its rightful
control of the entire Domain Namespace. In order to determine what is “registry-controlled”
versus the registerable portion of a country code Top-Level Domain Namespace, Comsign
shall consult a “public suffix list” such as http://publicsuffix.org.
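As an added example, not taken from the Comsign CP, the wildcard position check described above implemented in Python against a small constructed subset of the public suffix list (the full list is published at publicsuffix.org and is what an RA would actually load). The rule subset, the function names, and the additional rejection of a wildcard that is not the leftmost label are assumptions made for this illustration.

```python
# Constructed subset of the public suffix list for the demonstration only.
PUBLIC_SUFFIX_RULES = (
    "il", "co.il", "org.il", "ac.il",   # Israeli registry-controlled labels
    "com", "net", "uk", "co.uk",
    "*.ck", "!www.ck",                  # a wildcard rule and its exception
)


def _rule_matches(rule_labels, domain_labels):
    """A rule matches when, read right to left, every rule label equals the
    domain label or is '*', and the rule is not longer than the domain."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(domain_labels)))


def public_suffix(domain, rules=PUBLIC_SUFFIX_RULES):
    """Return the public suffix of `domain` using the PSL matching rules: an
    exception rule wins over normal rules, otherwise the longest matching rule
    wins, and a domain matching no rule has its last label as public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    best = None  # (is_exception, rule_label_count, suffix_label_count)
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _rule_matches(rule_labels, labels):
            # For an exception rule the public suffix is the rule minus its leftmost label.
            count = len(rule_labels) - 1 if is_exception else len(rule_labels)
            candidate = (is_exception, len(rule_labels), count)
            if best is None or candidate > best:
                best = candidate
    count = best[2] if best else 1
    return ".".join(labels[-count:])


def wildcard_decision(name, rules=PUBLIC_SUFFIX_RULES):
    """Decide how a wildcard CN / DNS-ID is handled before issuance. Returns:
      "no-wildcard"             plain name, this check does not apply
      "reject"                  '*' is not the leftmost label or appears more
                                than once (an assumption beyond the CP text)
      "prove-namespace-control" '*' sits directly left of a public suffix, so
                                issuance is refused unless the Applicant proves
                                control of the entire Domain Namespace
      "issue"                   the wildcard is below a registrable domain
    """
    labels = name.lower().rstrip(".").split(".")
    if "*" not in labels:
        return "no-wildcard"
    if labels[0] != "*" or labels.count("*") > 1 or len(labels) < 2:
        return "reject"
    base = ".".join(labels[1:])
    if public_suffix(base, rules) == base:
        return "prove-namespace-control"
    return "issue"
```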
11. Authentication of Extended Validation (EV) Certificates:
The following are the standard methods of identity verification used to validate
organizations for EV SSL certificates. However, documentation requirements may vary
depending on the information available on various approved online databases.
a. Comsign requires a signed acknowledgement of agreement from the corporate
contact listed on any order for an EV SSL Certificate. A company registration
document may also be required if Comsign is unable to confirm the organization’s
details through a government database. A legal opinion letter may also be requested
to confirm the following details about the organization applying for the Extended
Validation SSL Certificate:
(1) Physical address of place of operation of the organisation requesting the SSL
certificate.
(2) Telephone number and email address of the organisation.
(3) Confirmation of the exclusive right of the organisation to use the domain.
(4) Additional confirmation of the organization’s existence and verification of the
corporate contact’s employment.
b. Authentication process for EV SSL certificates
For supplying SSL Certificates Comsign requires verification of an
organization’s existence through a government-issued business credential. For an EV
Certificate, Comsign ensures that all Subject organization information to be included
in the EV Certificate is validated according to these specifications:
(1) Verify the Applicant’s legal existence and identity
(a) Private Organization Subjects
(1) Legal Existence: Verify that the Applicant is a legally recognized
entity, in existence and validly formed (e.g., incorporated) with the
Incorporating or Registration Agency in the Applicant’s Jurisdiction
of Incorporation or Registration, and not designated on the records
of the Incorporating or Registration Agency by labels such as
“inactive”, “invalid”, “not current”, or the equivalent.
(2) Organization Name: Verify that the Applicant’s formal legal name as
recorded with the Incorporating or Registration Agency in the
Applicant’s Jurisdiction of Incorporation or Registration matches the
Applicant’s name in the EV Certificate Request.
(3) Registration Number: Obtain the specific Registration Number
assigned to the Applicant by the Incorporating or Registration
Agency in the Applicant’s Jurisdiction of Incorporation or
Registration. Where the Incorporating or Registration Agency does
not assign a Registration Number, Comsign will obtain the
Applicant’s date of Incorporation or Registration.
(4) Registered Agent: Obtain the identity and address of the Applicant’s
Registered Agent or Registered Office (as applicable in the
Applicant’s Jurisdiction of Incorporation or Registration).
(b) Government Entity Subjects
(1) Legal Existence: Verify that the Applicant is a legally recognized
Government Entity, in existence in the political subdivision in which
such Government Entity operates.
(2) Entity Name: Verify that the Applicant’s formal legal name matches
the Applicant’s name in the EV Certificate Request.
(3) Registration Number: Comsign will attempt to obtain the Applicant’s
date of incorporation, registration, or formation, or the identifier for
the legislative act that created the Government Entity. In
circumstances where this information is not available, Comsign will enter
appropriate language to indicate that the Subject is a Government
Entity.
(c) Business Entity Subjects
(1) Legal Existence: Verify that the Applicant is engaged in business
under the name submitted by the Applicant in the Application.
(2) Organization Name: Verify that the Applicant’s formal legal name as
recognized by the Registration Authority in the Applicant’s
Jurisdiction of Registration matches the Applicant’s name in the EV
Certificate Request.
(3) Registration Number: Attempt to obtain the specific unique
Registration Number assigned to the Applicant by the Registration
Agency in the Applicant’s Jurisdiction of Registration. Where the
Registration Agency does not assign a Registration Number,
Comsign will obtain the Applicant’s date of Registration.
(4) Principal Individual: Verify the identity of the identified Principal
Individual.
(d) Non-Commercial Entity Subjects (International Organizations)
(1) Legal Existence: Verify that the Applicant is a legally recognized
International Organization Entity.
(2) Entity Name: Verify that the Applicant's formal legal name matches
the Applicant's name in the EV Certificate Request.
(3) Registration Number: Comsign will attempt to obtain the Applicant's
date of formation, or the identifier for the legislative act that created
the International Organization Entity. In circumstances where this
information is not available, Comsign will enter appropriate
language to indicate that the Subject is an International Organization
Entity.
(e) Verify the Applicant’s physical existence (business presence at a physical
address)
(1) Check the current version of either at least one Qualified Government
Information Source (other than that used to verify legal existence) or
Qualified Independent Information Source. OR
(2) Obtain documentation of a site visit to the business address, which
MUST be performed by a reliable individual or firm. The
documentation of the site visit MUST:
• Verify that the Applicant's business is located at the exact
address stated in the EV Certificate Request
• Identify the type of facility (e.g., office in a commercial building,
private residence, storefront, etc.) and whether it appears to be a
permanent business location,
• Indicate whether there is a permanent sign (that cannot be
moved) that identifies the Applicant,
• Indicate whether there is evidence that the Applicant is
conducting ongoing business activities at the site (not that it is
just, for example, a mail drop, P.O. Box, etc.),
• Include one or more photos of (i) the exterior of the site (showing
signage indicating the Applicant's name, if present, and showing
the street address if possible), and (ii) the interior reception area
or workspace.
(3) Comsign may alternatively rely on a Verified Legal Opinion or a
Verified Accountant Letter that indicates the address of the
Applicant's or a Parent/Subsidiary Company's Place of Business and
that business operations are conducted there.
(f) Verify the Applicant’s Operational Existence – Comsign will verify that
the Applicant has the ability to engage in business:
(1) Verify that the Applicant, Affiliate, Parent Company, or Subsidiary
Company has been in existence for at least three years, as indicated
by the records of an Incorporating Agency or Registration Agency;
or,
(2) Verify that the Applicant, Affiliate, Parent Company, or Subsidiary
Company is listed in either a current Qualified Government
Information Source or a Qualified Independent Information Source;
or,
(3) Verify that the Applicant, Affiliate, Parent Company, or Subsidiary
Company has an active current Demand Deposit Account with a
Regulated Financial Institution by receiving authenticated
documentation of the Applicant's, Affiliate's, Parent Company, or
Subsidiary Company's Demand Deposit Account directly from a
Regulated Financial Institution; or,
(4) Rely on a Verified Legal Opinion or a Verified Accountant Letter to
the effect that the Applicant has an active current Demand Deposit
Account with a Regulated Financial Institution.
(g) Verify that the Applicant is the registered holder of, or has control of, the Domain
Name(s) to be included in the EV Certificate.
(h) Verify a reliable means of communication with the entity to be named as
the Subject in the Certificate such as a telephone number, fax number,
email address, or postal delivery address as a Verified Method of
Communication with the Applicant.
(i) Verify that the Verified Method of Communication belongs to the
Applicant, or a Parent/Subsidiary or Affiliate of the Applicant, by
matching it with one of the Applicant's Parent/Subsidiary or Affiliate's
Places of Business in records provided by the applicable phone company,
Qualified Government Information Source, Qualified Independent
Information Source or a Verified Legal Opinion or Verified Accountant
Letter.
(j) Confirm the Verified Method of Communication by using it to obtain an
affirmative response sufficient to enable a reasonable person to conclude
that the Applicant, or a Parent/Subsidiary or Affiliate of Applicant, can
be contacted reliably by using the Verified Method of Communication.
12. DV SSL Certificate Policy identifiers:
The following Certificate Policy identifier is included in the certificate. It is reserved for
use by any CA as an optional means of asserting compliance with the CA Browser
Forum Requirements as follows:
a. {joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-
policies(1) baselinerequirements(2) domain-validated(1)} (2.23.140.1.2.1). The
Certificate complies with these Requirements, and it lacks Subject Identity
Information except for the Domain Name authorization.
b. All DV-SSL Certificates also include a policy identifier in the Certificate’s
certificatePolicies extension that indicates the compliance with CA Browser Forum
Requirements. This Certificate Policy identifier points to the publicly disclosed
Certificate Policy Statement of Comsign:
Policy Identifier=1.3.6.1.4.1.19389.3.1.1
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier: http://www.Comsign.co.il/CPS
13. DV SSL Subject information fields
DV-SSL certificates do not include organizationName, streetAddress, localityName,
stateOrProvinceName, or postalCode in the Subject field.
The following field is included in order to make explicit that none of this
information about the Certificate Applicant has been confirmed:
subject:organizationalUnitName: OU = “Domain Control Validated”
14. OV SSL Certificate Policy identifiers
a. The following Certificate Policy identifier is included in the certificate. It is reserved
for use by any CA as an optional means of asserting compliance with the CA Browser
Forum Requirements as follows:
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-
policies(1) baselinerequirements(2) subject-identity-validated(2)} (2.23.140.1.2.2).
The Certificate complies with these Requirements, and it includes Subject Identity
Information.
b. All OV-SSL Certificates also include a policy identifier in the Certificate’s
certificatePolicies extension that indicates the compliance with CA Browser Forum
Requirements. This Certificate Policy identifier points to the publicly disclosed
Certificate Policy Statement of Comsign:
Policy Identifier=1.3.6.1.4.1.19389.3.1.2
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier: http://www.Comsign.co.il/CPS
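The policy identifiers and CPS qualifier quoted in Clauses 12 and 14, and the DV Subject constraints of Clause 13, as an added Python example that is not Comsign's code: it DER-encodes a certificatePolicies extension carrying those OIDs and checks a decoded value together with a Subject against the DV profile. The RFC 5280 id-qt-cps qualifier identifier and the DER helpers are assumptions beyond the page.

```python
"""certificatePolicies (RFC 5280) carrying the identifiers quoted in Clauses 12
and 14, and the DV profile check of Clause 13. Constructed example, not Comsign's code."""

CABF_DV, CABF_OV = "2.23.140.1.2.1", "2.23.140.1.2.2"          # CA/Browser Forum OIDs
COMSIGN_DV, COMSIGN_OV = "1.3.6.1.4.1.19389.3.1.1", "1.3.6.1.4.1.19389.3.1.2"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"        # RFC 5280 PolicyQualifierId for a CPS pointer
CPS_URI = "http://www.Comsign.co.il/CPS"

def _tlv(tag, body):
    """DER tag-length-value; the short length form suffices for this extension."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """X.690: first two arcs packed as 40*a+b, later arcs base-128 with high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    """Inverse of encode_oid for the content octets of an OID."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _walk(buf):
    """Yield (tag, body) for each top-level TLV in buf (short-form lengths)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + n]
        i += 2 + n

def certificate_policies(policies):
    """[(oid, cps_uri_or_None)] -> SEQUENCE OF PolicyInformation; a CPS URI becomes
    PolicyQualifierInfo {id-qt-cps, IA5String}, the structure shown in the page's dump."""
    infos = b""
    for oid, cps in policies:
        quals = b""
        if cps:
            quals = _tlv(0x30, _tlv(0x30, encode_oid(ID_QT_CPS) + _tlv(0x16, cps.encode("ascii"))))
        infos += _tlv(0x30, encode_oid(oid) + quals)
    return _tlv(0x30, infos)

def policy_oids(der):
    """Policy identifiers asserted by an encoded certificatePolicies value."""
    (_, seq), = _walk(der)
    return [decode_oid(next(_walk(info))[1]) for _, info in _walk(seq)]

def is_dv_profile(der, subject):
    """Clauses 12-13: both DV OIDs asserted, no identity attributes, OU marker present."""
    forbidden = {"O", "street", "L", "ST", "postalCode"}
    return ({CABF_DV, COMSIGN_DV} <= set(policy_oids(der))
            and not forbidden & set(subject)
            and subject.get("OU") == "Domain Control Validated")
```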
15. Verifying the Applicant's e-mail address (SSL Certificates only):
a. As part of the identification process, a unique secret code (the "Secret Code") will be
mailed by Comsign's coordination clerk to the Applicant's e-mail address.
b. The Applicant must provide the Secret Code in the application form. The
identification clerk will verify that the Secret Code in the application form matches
the one e-mailed to the Applicant, and that the e-mail address in the application form
matches the address reported by the coordination clerk.
c. Only the e-mail address to which the verified Secret Code was mailed will appear in
the electronic certificate issued by Comsign to the Applicant.
F. Key-generation procedure
1. The key size must be 2048 bits.
2. Key generation by the Certificate Holder
When the applicant for the Certificate generates the key pair himself, the applicant
must provide a PKCS#10 application for the Certificate when registering with
Comsign in accordance with the CPS.
3. Key generation by the CA (not applicable to Qualified Certificates under the Law)
When the CA generates the key pair on behalf of the Certificate Holder, it guarantees
that such key pair generation is performed in a secured way and that the confidentiality
of the private key is ensured according to the technical standard ETSI TS 101 456 (QCP).
G. Certificate application procedure
1. The applicant for the Certificate must submit a formal request and execute the
subscriber's agreement. These together with the CP and CPS constitute the Agreement
binding the parties.
2. The applicant applying for a Qualified Certificate must provide Comsign with the
following:
a. The formal request to obtain the Certificate including the identity information of
the applicant, and
b. Acceptance of the subscriber's agreement, CPS and CP by the applicant and the
legal representative (or mandated person) of the Organization, and
c. A copy of the identity documents of the applicant. The copy must be signed
by the person applying for the certificate; and
d. A signed copy of the registration certificate/documents of the applicant’s
organization, and
e. An authorization from a legal representative (or a mandated person) of the
organization that the applicant can obtain and use the requested professional identity
as an authorized person on behalf of the organization.
3. Comsign will verify the following based on the received documents:
a. The identity of the applicant and the legal representative (or mandated person) of
the organization for a Qualified Certificate. Identification of a physical person
requires face-to-face authentication based on two (2) original identification
documents carrying a recent photograph of the Certificate Applicant issued by a
governmental authority. A legal entity is verified by excerpts of its registration
and a written confirmation signed by its legal counsel.
b. The authorization of the applicant to obtain the certificate (directly or indirectly
via the provided mandate) based on an authorization by an authorized officer or
representative.
4. If the application is validated, Comsign collates all the documents submitted to create
a Registration File on the Certificate Holder.
The Certification Authority Auditor will check the file provided. The
information in the issued Certificates is checked to ensure that it corresponds with that
in the files received.
H. Issuing and delivery of the Certificate (applicable to SSL and EV-SSL
Certificates only)
1. Comsign will create the certificate and deliver it to the Certificate Holder. This delivery
includes the following:
a. Verification of the identity document of the Certificate Holder, and
b. Provision of a delivery receipt which needs to be signed by the Certificate Holder
and the legal representative (or the mandated person) of the organization.
2. The delivery receipt must be returned to Comsign immediately, otherwise, Comsign will
suspend the certificate and after 7 days from delivery – revoke it.
3. When relevant, the password or PIN code to access the Private Key associated with the
certificate is sent to the Certificate Holder via separate means.
I. Acceptance and publication of the Certificate (not applicable to Qualified
Certificates under the Law)
1. Once the Certificate has been issued by the CA, it is immediately published in the CA
Register of Certificates. This is in the public domain and is accessible at all times.
2. The Certificate Holder must agree to the publication of the digital Certificate in the CA
Register of Certificates immediately on creation. No Certificate will be publicly published
and accessible without the Certificate Holder's written permission.
3. The Certificate is deemed to have been accepted by the Certificate Holder, as the case
may be, by executing a receipt or by its first use by the Holder or 7 days after its mailing
to the Certificate Holder electronic or physical mail address, whichever occurs first. In
the intervening period, the Certificate Holder is responsible for checking the accuracy of
the content of the Certificate published. The Certificate Holder must immediately notify
the CA of any inconsistency noted between the information in the contractual agreement
and the content of the Certificate. The CA then revokes the Certificate and takes the
appropriate measures to reissue a Certificate. This is the sole recourse available to the
Certificate Holder in the event of non-acceptance on its part.
J. Procedure for Certificate Suspension, Resumption and Revocation
1. The Certificate Holder or the legal representative (or his duly appointed proxy) of the
organization may apply for suspension, resumption or revocation of the Certificate.
2. Comsign makes information relating to the status of the suspension or revocation of a
Certificate available to all parties at all times.
3. Applications and reports relating to a suspension, resumption or revocation are processed
on receipt, and are authenticated and confirmed in the following manner. The applicant
shall notify, either by phone, by e-mail, by fax or other means acceptable to Comsign,
the Suspension and Revocation Authority (SRA) of Comsign and identify itself using the
challenge password pre-chosen upon issuance of the Certificate. If no challenge password
is supplied, Comsign's SRA will employ a validation procedure to ascertain the identity and
authorization of the applicant.
4. Revocation of a Certificate shall be definitive.
K. Procedure for renewal of keys and Certificates and for updates
1. The CA ensures that the certificate applications submitted by a Certificate Holder who
has been duly registered in the past, are complete, valid and authorized. This also
applies if a certificate and keys are renewed following a revocation or close to the
expiry date, or if there is a change to the data certified.
2. The CA ensures that:
a. The information used to check the Certificate Holder’s identity is still valid, and, to
that end, that the same procedure is followed as that used for the initial registration.
b. If the CA changes the General Terms and Conditions, it must communicate those
changes to the Certificate Holder.
c. The CA never issues a certificate for a previously certified key. For every renewal
of a certificate a new key pair will be generated in accordance with point F.
L. Protection of privacy and personal data
Personal data communicated to Comsign by the applicant are entered into a file held
by Comsign. The data are used solely for the provision of Comsign CA services. The
Customer has the right to inspect and, where necessary, rectify this data.
M. Complaints and dispute settlement
In the event of technical problems relating to the Certificate or complaints about the
services provided under this CP, the Certificate Holder may contact the CA helpdesk:
Comsign Ltd.
Telephone number: +972 3 6443620
Fax number: +972 3 6491092
e-mail address: [email protected]
In the event of disputes relating to the validity, interpretation or performance of
the Agreement concluded between them, the CA and the Certificate Holder must
make every endeavor to find an amicable solution. If no amicable solution can be
found, any dispute concerning the validity, interpretation or performance of the
Agreement binding the parties must be brought before the courts of Tel Aviv, Israel.