
UniCredit Internal Certification Authority
Certificate Policy / Certification Practice Statements
Source: ca.unicredit.eu/CPS/UBIS_2016_PKI_CPS_2.0.pdf

CP - CPS

Page 1 of 41

Author: UniCredit Business Integrated Solutions

Review: 2.0

Attachment:


Version updates

Rev  Date        Author                     Description
1.0  03/12/2012  Service Line ICT Security  First Release
1.1  31/08/2016  Service Line Security      Review
2.0  19/10/2016  Service Line Security      Review

Version 1.1 review and corrections according to WebTrust Assessment 2016


Index

1.1 Overview ... 8
1.2 Document Name and Identification ... 8
1.3 PKI Participants ... 9
1.3.1 Certification Authorities ... 9
1.3.2 Registration Authorities ... 9
1.3.3 Subscribers ... 9
1.3.4 Relying Parties ... 9
1.3.5 Other Participants ... 10
1.4 Certificate Usage ... 10
1.4.1 Appropriate Certificate Usages ... 10
1.4.2 Prohibited Certificate Uses ... 10
1.5 Policy Administration ... 11
1.5.1 Organization Administering the Document ... 11
1.5.2 Contact Person ... 11
1.5.3 CPS Approval Procedure ... 11
1.6 Definitions and Acronyms ... 11
2.1 Repositories ... 12
2.2 Publication of Certificate Information ... 12
2.3 Time or Frequency of Publication ... 12
2.4 Access Controls on Repository ... 12
3.1 Naming ... 13
3.1.1 Types of Names ... 13
3.1.2 Need for Names to be Meaningful ... 14
3.1.3 Anonymity or Pseudonymity of Subscribers ... 14
3.1.4 Rules for Interpreting Various Name Forms ... 14
3.1.5 Uniqueness of Names ... 14
3.1.6 Recognition, Authentication, and Role of Trademarks ... 14
3.2 Initial Identity Validation ... 14
3.2.1 Method to Prove Possession of Private Key ... 14
3.2.2 Authentication of Organization Identity ... 15
3.2.3 Authentication of Individual Identity ... 15
3.2.4 Non-Verified Subscriber Information ... 15
3.2.5 Validation of Authority ... 15
3.2.6 Criteria for Interoperation ... 15
3.3 Identification and Authentication for Re-key Requests ... 15
3.4 Identification and Authentication for Revocation Requests ... 15
4.1 Certificate Application ... 17
4.1.1 Who Can Submit A Certificate Application ... 17
4.1.2 Enrollment Process and Responsibilities ... 17
4.2 Certificate application processing ... 17
4.2.1 Performing identification and authentication functions ... 17
4.2.2 Approval or rejection of certificate applications ... 17
4.2.3 Time to process certificate applications ... 17
4.3 Certificate issuance ... 18
4.3.1 CA actions during certificate issuance ... 18
4.3.2 Notification to subscriber by the CA of issuance of certificate ... 18
4.4 Certificate acceptance ... 18
4.4.1 Conduct constituting certificate acceptance ... 18
4.4.2 Publication of the certificate by the CA ... 18
4.4.3 Notification of certificate issuance by the CA to other entities ... 18
4.5 Key pair and certificate usage ... 18
4.5.1 Subscriber private key and certificate usage ... 18


4.5.2 Relying party public key and certificate usage ... 18
4.6 Certificate renewal ... 19
4.6.1 Circumstance for certificate renewal ... 19
4.6.2 Who may request renewal ... 19
4.6.3 Processing certificate renewal requests ... 19
4.6.4 Notification of new certificate issuance to subscriber ... 19
4.6.5 Conduct constituting acceptance of a renewal certificate ... 19
4.6.6 Publication of the renewal certificate by the CA ... 19
4.6.7 Notification of certificate issuance by the CA to other entities ... 19
4.7 Certificate Re-Key ... 19
4.7.1 Circumstances for Re-Key ... 20
4.7.2 Who May Request Certification of a New Public Key ... 20
4.7.3 Processing Certificate Re-Keying Requests ... 20
4.7.4 Notification of New Certificate Issuance to Subscriber ... 20
4.7.5 Conduct Constituting Acceptance of a Re-Keyed Certificate ... 20
4.7.6 Publication of the Re-Keyed Certificate by the CA ... 20
4.7.7 Notification of Certificate Issuance by the CA to Other Entities ... 20
4.8 Certificate Modification ... 20
4.8.1 Circumstances for Certificate Modification ... 20
4.8.2 Who May Request Certificate Modification ... 20
4.8.3 Processing Certificate Modification Requests ... 20
4.8.4 Notification of New Certificate Issuance to Subscriber ... 20
4.8.5 Conduct Constituting Acceptance of Modified Certificate ... 20
4.8.6 Publication of the Modified Certificate by the CA ... 20
4.8.7 Notification of Certificate Issuance by the CA to Other Entities ... 20
4.9 Certificate Revocation and Suspension ... 21
4.9.1 Circumstances for Revocation ... 21
4.9.2 Who Can Request Revocation ... 21
4.9.3 Procedure for Revocation Request ... 21
4.9.4 Revocation Request Grace Period ... 21
4.9.5 Time within Which CA Must Process the Revocation Request ... 21
4.9.6 Revocation Checking Requirements for Relying Parties ... 22
4.9.7 CRL Issuance Frequency ... 22
4.9.8 Maximum Latency for CRLs ... 22
4.9.9 On-Line Revocation/Status Checking Availability ... 22
4.9.10 On-Line Revocation Checking Requirements ... 22
4.9.11 Other Forms of Revocation Advertisements Available ... 22
4.9.12 Special Requirements Regarding Key Compromise ... 22
4.9.13 Circumstances for Suspension ... 22
4.9.14 Who can Request Suspension ... 22
4.9.15 Procedure for Suspension Request ... 22
4.9.16 Limits of Suspension Period ... 22
4.10 Certificate Status Services ... 22
4.10.1 Operational Characteristics ... 22
4.10.2 Service Availability ... 23
4.10.3 Optional Features ... 23
4.11 End of Subscription ... 23
4.12 Key Escrow and Recovery ... 23
4.12.1 Key Escrow and Recovery Policy and Practices ... 23
4.12.2 Session Key Encapsulation and Recovery Policy and Practices ... 23
5.1 Physical Controls ... 24
5.1.1 Site Location and Construction ... 24
5.1.2 Physical Access ... 24
5.1.3 Power and Air Conditioning ... 24
5.1.4 Water Exposures ... 24


5.1.5 Fire Prevention and Protection ... 24
5.1.6 Media Storage ... 24
5.1.7 Waste Disposal ... 24
5.1.8 Off-Site Backup ... 24
5.2 Procedural Controls ... 25
5.2.1 Trusted Roles ... 25
5.2.2 Number of Persons Required per Task ... 25
5.2.3 Identification and Authentication for Each Role ... 25
5.2.4 Roles Requiring Separation of Duties ... 25
5.3 Personnel Controls ... 26
5.3.1 Qualifications, Experience, and Clearance Requirements ... 26
5.3.2 Background Check Procedures ... 26
5.3.3 Training Requirements ... 26
5.3.4 Retraining Frequency and Requirements ... 26
5.3.5 Job Rotation Frequency and Sequence ... 26
5.3.6 Sanctions for Unauthorized Actions ... 26
5.3.7 Independent Contractor Requirements ... 26
5.3.8 Documentation Supplied to Personnel ... 26
5.4 Audit Logging Procedures ... 26
5.4.1 Types of Events Recorded ... 26
5.4.2 Frequency of Processing Log ... 26
5.4.3 Retention Period for Audit Log ... 27
5.4.4 Protection of Audit Log ... 27
5.4.5 Audit Log Backup Procedures ... 27
5.4.6 Audit Collection System (Internal vs. External) ... 27
5.4.7 Notification to Event-Causing Subject ... 27
5.4.8 Vulnerability Assessments ... 27
5.4.9 Archive Collection System (Internal or External) ... 27
5.4.10 Procedures to Obtain and Verify Archive Information ... 27
5.5 Records Archival ... 27
5.5.1 Types of Records Archived ... 27
5.5.2 Retention Period for Archive ... 27
5.5.3 Protection of Archive ... 27
5.5.4 Archive Backup Procedures ... 28
5.5.5 Requirements for Time-Stamping of Records ... 28
5.5.6 Archive Collection System (Internal or External) ... 28
5.5.7 Procedures to Obtain and Verify Archive Information ... 28
5.6 Key Changeover ... 28
5.7 Compromise and Disaster Recovery ... 28
5.7.1 Incident and Compromise Handling Procedures ... 28
5.7.2 Computing Resources, Software, and/or Data are Corrupted ... 28
5.7.3 Entity Private Key Compromise Procedures ... 29
5.7.4 Business Continuity Capabilities after a Disaster ... 29
5.8 CA or RA Termination ... 29
6.1 Key Pair Generation and Installation ... 30
6.1.1 Key Pair Generation ... 30
6.1.2 Private Key Delivery to Subscriber ... 30
6.1.3 Public Key Delivery to Certificate Issuer ... 30
6.1.4 CA Public Key Delivery to Relying Parties ... 30
6.1.5 Key Sizes ... 30
6.1.6 Public Key Parameters Generation and Quality Checking ... 30
6.1.7 Key Usage Purposes (as per x.509 v3 Key Usage Field) ... 30
6.2 Private Key Protection and Cryptographic Module Engineering Controls ... 31
6.2.1 Cryptographic Module Standards and Controls ... 31
6.2.2 Private Key (m of n) Multi-Person Control ... 31


6.2.3 Private Key Escrow ... 31
6.2.4 Private Key Backup ... 31
6.2.5 Private Key Archival ... 31
6.2.6 Private Key Transfer Into or From Cryptographic Module ... 31
6.2.7 Private Key Storage on Cryptographic Module ... 31
6.2.8 Method of Activating Private Key ... 31
6.2.9 Method of Deactivating Private Key ... 31
6.2.10 Method of Destroying Private Key ... 31
6.2.11 Cryptographic Module Rating ... 32
6.3 Other Aspects of Key Pair Management ... 32
6.3.1 Public Key Archival ... 32
6.3.2 Certificate Operational Periods and Key Pair Usage Periods ... 32
6.4 Activation Data ... 32
6.4.1 Activation Data Generation and Installation ... 32
6.4.2 Activation Data Protection ... 32
6.4.3 Other Aspects of Activation Data ... 32
6.5 Computer Security Controls ... 32
6.5.1 Specific Computer Security Technical Requirements ... 33
6.5.2 Computer Security Rating ... 33
6.6 Life Cycle Technical Controls ... 33
6.6.1 System Development Controls ... 33
6.6.2 Security Management Controls ... 33
6.6.3 Life Cycle Security Controls ... 33
6.7 Network Security Controls ... 33
6.8 Time Stamping ... 33
7.1 Certificate Profile ... 34
7.1.1 Version Number(s) ... 34
7.1.2 Certificate Extensions ... 34
7.1.3 Algorithm Object Identifiers ... 35
7.1.4 Name Forms ... 35
7.1.5 Name Constraints ... 35
7.1.6 Certificate Policy Object Identifier ... 35
7.1.7 Usage of Policy Constraints Extension ... 35
7.1.8 Policy Qualifiers Syntax and Semantics ... 35
7.1.9 Processing Semantics for the Critical Certificate Policies Extension ... 35
7.2 CRL Profile ... 35
7.2.1 Version Number(s) ... 35
7.2.2 CRL and CRL Entry Extensions ... 35
7.3 OCSP Profile ... 35
7.3.1 Version Number(s) ... 35
7.3.2 OCSP Extensions ... 36
8.1 Frequency and Circumstances of Assessment ... 37
8.2 Identity/Qualifications of Assessor ... 37
8.3 Assessors Relationship to Assessed Entity ... 37
8.4 Topics Covered by Assessment ... 37
8.5 Actions Taken as a Result of Deficiency ... 37
8.6 Communications of Results ... 37
9.1 Fees ... 38
9.1.1 Certificate Issuance or Renewal Fees ... 38
9.1.2 Certificate Access Fees ... 38
9.1.3 Revocation or Status Information Access Fees ... 38
9.1.4 Fees for Other Services ... 38
9.1.5 Refund Policy ... 38
9.2 Financial Responsibility ... 38
9.2.1 Insurance Coverage ... 38


9.2.2 Other Assets ........ 38
9.2.3 Extended Warranty Coverage ........ 38

9.3 Confidentiality of Business Information ........ 38
9.3.1 Scope of Confidential Information ........ 38
9.3.2 Information Not Within the Scope of Confidential Information ........ 38
9.3.3 Responsibility to Protect Confidential Information ........ 38

9.4 Privacy of Personal Information ........ 38
9.4.1 Privacy Plan ........ 38
9.4.2 Information Treated as Private ........ 39
9.4.3 Information Not Deemed Private ........ 39
9.4.4 Responsibility to Protect Private Information ........ 39
9.4.5 Notice and Consent to Use Private Information ........ 39
9.4.6 Disclosure Pursuant to Judicial or Administrative Process ........ 39
9.4.7 Other Information Disclosure Circumstances ........ 39

9.5 Intellectual Property Rights ........ 39
9.5.1 Property Rights in Certificates and Revocation Information ........ 39
9.5.2 Property Rights in the CPS ........ 39
9.5.3 Property Rights in Names ........ 39
9.5.4 Property Rights in Keys and Key Material ........ 39

9.6 Representations and Warranties ........ 39
9.6.1 CA Representations and Warranties ........ 39
9.6.2 RA Representations and Warranties ........ 39
9.6.3 Subscriber Representations and Warranties ........ 39
9.6.4 Relying Party Representations and Warranties ........ 39
9.6.5 Representations and Warranties of Other Participants ........ 40

9.7 Disclaimer of Warranties ........ 40
9.8 Limitation of Liability ........ 40
9.9 Indemnities ........ 40
9.9.1 Indemnification by Subscribers ........ 40
9.9.2 Indemnification by Relying Parties ........ 40

9.10 Term and Termination ........ 40
9.10.1 Term ........ 40
9.10.2 Termination ........ 40
9.10.3 Effect of Termination and Survival ........ 40

9.11 Individual Notices and Communications with Participants ........ 40
9.12 Amendments ........ 40
9.12.1 Procedure for Amendment ........ 40
9.12.2 Notification Mechanism and Period ........ 40
9.12.3 Circumstances under Which OID must be Changed ........ 40

9.13 Dispute Resolution Provisions ........ 41
9.13.1 Disputes among UniCredit S.p.A., Affiliates and Customers ........ 41
9.13.2 Disputes with End-User Subscribers or Relying Parties ........ 41

9.14 Governing Law ........ 41
9.15 Compliance with Applicable Law ........ 41
9.16 Miscellaneous Provisions ........ 41
9.16.1 Entire Agreement ........ 41
9.16.2 Assignment ........ 41
9.16.3 Severability ........ 41
9.16.4 Enforcement (Attorney's Fees and Waiver of Rights) ........ 41
9.16.5 Force Majeure ........ 41

9.17 Other Provisions ........ 41


1 INTRODUCTION

This document is the UniCredit Certificate Policy (“CP”) and Certification Practice Statement (“CPS”). It states the practices that UniCredit internal certification authorities (“CAs”) employ in providing certification services that include, but are not limited to, issuing, managing, revoking, and renewing certificates.

"The “UniCredit Subordinate External” CA conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates published at http://www.cabforum.org. In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document."

1.1 Overview

This document describes procedures and rules used by UniCredit Business Integrated Solutions for operating UniCredit CAs. Diagram 1 shows the schematic structure of the UniCredit PKI, CA and RA infrastructure and also shows the relation between this document and the infrastructure.

[Diagram 1 (figure not reproduced): the UniCredit CP/CPS covers the Low Assurance CA, the High Assurance CA, the Registration Authority and the Internal End Entities; the Actalis Root is covered by the Actalis Root CP/CPS.]

The statements described in this document apply to all the PKI Participants identified in paragraph 1.3.

1.2 Document Name and Identification

This document represents the CP and CPS of UniCredit CA. This document is based on RFC 3647 chapter 4.

The following are the distinct attributes of the CP/CPS:

Owner: UniCredit S.p.A.
Owner Details: Via Alessandro Specchi 16, 00186 Roma - Italy
PIVA 00348170101

This CPS is identified with IANA OID 1.3.6.1.4.1.37016.1.1.1.1

UniCredit S.p.A. holds intellectual property rights on this CP/CPS. All rights reserved.


1.3 PKI Participants

1.3.1 Certification Authorities

A Certification Authority (CA) is a trusted third-party entity that issues Certificates and performs all of the functions associated with issuing such Certificates under this CPS.

CAs under this CPS are:

Subject Name: CN = UniCredit Subordinate Internal, O = UniCredit S.p.A., C = IT
Subject Key ID: a6 63 28 98 b5 a5 e9 95 a6 7d 90 d4 20 c8 b9 ba 39 49 a1 9b
Authority Key ID: 3b 30 88 e3 ea 19 08 27 ae 6a d8 e9 99 ab 6d c5 5d d1 ca 55

Subject Name: CN = UniCredit Subordinate External, O = UniCredit S.p.A., C = IT
Subject Key ID: f0 56 4f 75 77 1e 74 76 35 d3 40 14 a0 12 e6 0d 5d f5 3e 27
Authority Key ID: 52 d8 88 3a c8 9f 78 66 ed 89 f3 7b 38 70 94 c9 02 02 36 d0

UniCredit Subordinate External CA is cross signed by an external public CA managed and operated by Actalis. The main data of that CA follow:

Subject Name: CN = Actalis Authentication Root CA, O = Actalis S.p.A./03358520967, L = Milan, C = IT
Subject Key ID: 52 d8 88 3a c8 9f 78 66 ed 89 f3 7b 38 70 94 c9 02 02 36 d0
Authority Key ID: 52 d8 88 3a c8 9f 78 66 ed 89 f3 7b 38 70 94 c9 02 02 36 d0

This document does not cover Actalis Authentication Root CA as such CA is operated under Actalis CP/CPS.

1.3.2 Registration Authorities

A Registration Authority is an entity that performs identification and authentication of certificate applicants for end-entity certificates, initiates or passes along revocation requests for end-entity certificates, and approves applications for renewal or re-keying of certificates on behalf of a UniCredit CA. UniCredit CA has a dedicated RA for the certificates it issues.

1.3.3 Subscribers

Subscribers include all end users (including entities) of certificates issued by internal UniCredit CAs. A subscriber is the entity named as the end-user subscriber of a certificate. End-user Subscribers may be individuals, companies belonging to the UniCredit group (such as subsidiaries) or infrastructure components such as firewalls, routers, trusted servers or other devices used to secure communications within an Organization.

CAs are technically also subscribers of UniCredit CA certificates, either as a CA issuing a self-signed Certificate to itself, or as a CA that has been issued a Certificate by a superior CA. References to “end entities” and “subscribers” in this CPS, however, apply only to end-user Subscribers.

Subordinate or intermediate CAs are not valid internal subscribers to the UniCredit CAs and are not issued a certificate. UniCredit Subordinate External CA issues certificates only to companies of the UniCredit Group.

1.3.4 Relying Parties

A Relying Party is an individual or entity that acts in reliance on a certificate and/or a digital signature issued by an Internal UniCredit CA. A Relying Party may or may not also be a Subscriber of UniCredit CA certificates.

Common relying parties include, but are not limited to, customers, business partners, employees and third party companies who access the UniCredit systems in a secure manner.


1.3.5 Other Participants

No stipulation.

1.4 Certificate Usage

1.4.1 Appropriate Certificate Usages

UniCredit CA Certificates are X.509 v3 Certificates with SSL/TLS Extensions, Code Signing and/or Client or Server Authentication Extensions (as appropriate) that chain to the UniCredit Root CA.

UniCredit CA general purpose SSL/TLS Family Certificates are used on exposed systems and services (such as web portals, web services, public web sites, etc.) directly managed by UniCredit, permitting SSL encrypted transactions between a Relying Party's browser and the Subscriber's server. UniCredit may issue Wildcard Certificates, which are X.509 Certificates with SSL/TLS Extensions that are vetted to a specified level domain and may be used in connection with all next level higher domains that contain the specified vetted level domain. In addition, UniCredit may also enable the Certificate for use as a client Certificate.

UniCredit CA Code Signing Certificates may only be used for the purposes of (i) identification of the Publisher as the party accessing the code signing portal, and (ii) locally signing the code for subsequent resigning by the appropriate Code Confirmation certificate.

UniCredit CA S/MIME Certificates are X.509 v3 Certificates with S/MIME Extensions which facilitate secure electronic commerce by providing limited authentication of a Subscriber's client and S/MIME communications between a Relying Party and the Subscriber's client.

UniCredit CA Client Authentication Certificates are X.509 v3 Certificates permitting SSL Client Authentication, secure VPN access and network mutual authentication between a Relying Party and the Subscriber's client, and in some instances may also be used for code signing and document signing.

UniCredit CA Server Authentication Certificates are X.509 v3 Certificates permitting SSL Server Authentication, secure services exposure and mutual authentication between a Relying Party and the Subscriber's client, and in some instances may also be used for code signing and document signing.

The UniCredit Subordinate External CA only issues SSL Server certificates, for enabling the TLS/SSL protocol on public web servers.

1.4.2 Prohibited Certificate Uses

Certificates shall be used only to the extent the use is consistent with applicable law, and in particular shall be used only to the extent permitted by applicable export or import laws.

UniCredit CA Certificates are not designed, intended, or authorized for resale or use outside UniCredit internal boundaries.

UniCredit CA Certificates can be “internal only” or “external”:

- Internal Only certificates are intended to be used in internal facilities including, but not limited to, Local Area Networks, Intranet, Extranets (partner accessible networks), VPNs and other internally used appliances (such as firewalls, routers, etc.). Internal Only certificates must not be used on external systems;

- External certificates are intended to be used on publicly accessible facilities such as internet portals, web services, web sites and third party/customer communication systems (mail or document systems).


1.5 Policy Administration

1.5.1 Organization Administering the Document

UniCredit S.p.A.
Via Alessandro Specchi 16
00186 Roma - Italy

1.5.2 Contact Person

Address inquiries about the CPS to [email protected] or to the following address:

UniCredit Business Integrated Solution
Key Management (US91921) – Security
Via Livio Cambi, 1
20151 – Milano – Italy

1.5.3 CPS Approval Procedure

This CPS (and all amendments to this CPS) is subject to approval by the UniCredit CA Office. Amendments to this CPS will be evidenced by a new version number and date, except where the amendments are purely clerical.

1.6 Definitions and Acronyms

See Appendix A for a table of acronyms and definitions.


2 Publication and Repository Responsibilities

2.1 Repositories

UniCredit CA shall operate CRLs that will be available to both Subscribers and Relying Parties of UniCredit CA Certificates. Each CRL is signed by the issuing CA. The procedures for revocation are as stated elsewhere in this CPS.

2.2 Publication of Certificate Information

UniCredit CA retains copies of all Certificates for the life of the CA, but does not archive or retain expired or superseded CRLs.

2.3 Time or Frequency of Publication

Updates to this CPS are published in accordance with Section 9.12. Certificates are published after issuance. Certificate status information is published in accordance with the provisions of this CPS. This CPS is reviewed at least yearly for updates and status.

2.4 Access Controls on Repository

Information published in the repository portion of the UniCredit CA web site is publicly accessible information. Read-only access to such information is unrestricted.


3 Identification and Authentication

3.1 Naming

3.1.1 Types of Names

Certificates contain an X.501 distinguished name in the Subject name field and consist of the components specified in the table below.

Attribute and value:

Country (C)*
2 letter ISO country code or not used. If used, the attribute must contain the code of one of the countries where UniCredit S.p.A. operates. For certificates issued by the UniCredit Subordinate External CA, this attribute specifies the country where the Organization has its legal address or headquarters.

Organization (O)*
The Organization attribute is used as follows:
- UniCredit S.p.A. as default value, or
- The Organization name of the subscriber. The Organization must belong to the UniCredit S.p.A. group.
- For certificates issued by the UniCredit Subordinate External CA, this attribute must contain the exact legal name of the organization in control of the web server(s), including the type of company (e.g. SpA, SA, GmbH, etc.).

Organizational Unit (OU)
UniCredit CA Certificates may contain multiple OU attributes. Such attributes may contain one or more of the following:
- Subscriber organizational unit (such as office, division or competence centre name);
- Text to describe the type of Certificate;
- Text to describe the entity that performed the verification;
- Business registration number, if available;
- The address of the customer.
The OU field must be used within “internal only” UniCredit CA Certificates, while it is optional in certificates issued by the UniCredit Subordinate External CA.

State or Province (S)
Optional in “internal only” UniCredit CA Certificates. Mandatory for all certificates issued by the UniCredit Subordinate External CA; contains the State or Province where the Organization has its legal address or headquarters.

Locality (L)*
Optional in “internal only” UniCredit CA Certificates. Mandatory for all certificates issued by the UniCredit Subordinate External CA; contains the Locality where the Organization has its legal address or headquarters.

Common Name (CN)*
In “internal only” UniCredit CA certificates, this attribute may include:
- Fully Qualified Domain Name;
- Subscriber's identifier (computer name, user id, etc.);
- Name of individual;
- IP Address;
- Host name;


- In certificates issued by the UniCredit Subordinate External CA this attribute MAY be missing. If it is included, it MUST contain one of the FQDNs listed in the SAN extension.

Email Address (E)
Not used, but admitted in “internal only” UniCredit CA Certificates.

UniCredit Subordinate External CA certificates must adhere to the Baseline Requirements of the CA/Browser Forum. The fields Country (C), Organization (O), State (S) and Locality (L) are mandatory under these Baseline Requirements and must be included in requests submitted to the UniCredit External Subordinate CA. Common Name (CN) is considered mandatory by the scope of this CPS and by the UniCredit External Subordinate CA operations.

All certificates issued by the UniCredit Subordinate External CA contain the Subject Alternative Names (SAN) extension, which contains one or more FQDNs that are under the control of the Organization (which must be a company of the UniCredit group). Being “under control” means either that the company is the Registrant Org of the Internet domain, or that the company has been given (in writing) the right to use it by the Registrant Org.

Subject alternative names are admitted in the limited form of DNS names. No other subject alternative name types are allowed. UniCredit Subordinate External does not issue certificates for Internal Server Names.

The CA will reject any requests containing reserved IP addresses or Internal Server names.

3.1.2 Need for Names to be Meaningful

Domain names do not have to be meaningful or unique, but must match a second level domain name as posted by InterNIC.

3.1.3 Anonymity or Pseudonymity of Subscribers

Subscribers are not permitted to use pseudonyms (names other than a Subscriber's true personal or organizational name).

3.1.4 Rules for Interpreting Various Name Forms

No stipulation.

3.1.5 Uniqueness of Names

No stipulation.

3.1.6 Recognition, Authentication, and Role of Trademarks

No stipulation.

3.2 Initial Identity Validation

3.2.1 Method to Prove Possession of Private Key

The certificate applicant must demonstrate that it rightfully holds the private key corresponding to the public key to be listed in the Certificate. The method to prove possession of a private key shall be PKCS #10, another cryptographically equivalent demonstration, or another UniCredit CA or RA approved method. This requirement does not apply where a key pair is generated by a CA on behalf of a Subscriber, for example where pre-generated keys are placed on smart cards.
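As an added example, not code from UniCredit or from this CPS, the following Go program applies the naming rules of section 3.1.1 and the PKCS #10 proof-of-possession rule of section 3.2.1 to a certificate request, using only the standard crypto/x509 package. The CSR self-signature is what proves possession of the private key, so it is checked first; the Subject and SAN rules then differ by profile. The profile names `InternalOnly` and `External`, the Subject values, the `.invalid` host names and the "contains a dot" test for internal server names are assumptions made for illustration; a production RA would replace that last test with a public-suffix and domain-ownership check as section 3.2.2 requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
	"strings"
)

// Profile selects which naming rules of section 3.1.1 apply to a request.
type Profile int

const (
	InternalOnly Profile = iota // "internal only" UniCredit CA certificates
	External                    // UniCredit Subordinate External CA certificates
)

// CheckCSR returns the policy violations found in a parsed PKCS #10 request;
// an empty result means the request passes the naming rules of 3.1.1 and the
// proof-of-possession requirement of 3.2.1.
func CheckCSR(csr *x509.CertificateRequest, p Profile) []string {
	var errs []string
	need := func(ok bool, msg string) {
		if !ok {
			errs = append(errs, msg)
		}
	}
	// 3.2.1: the self-signature over the request proves that the applicant
	// holds the private key matching the public key carried in the CSR.
	need(csr.CheckSignature() == nil, "proof of possession failed")
	s := csr.Subject
	need(len(s.Organization) > 0, "O missing")
	if p == InternalOnly {
		need(len(s.OrganizationalUnit) > 0, "OU missing") // OU is mandatory for internal only
		return errs
	}
	// External profile: C, ST and L are mandatory under the Baseline
	// Requirements; CN is mandatory by the scope of this CPS.
	need(len(s.Country) > 0, "C missing")
	need(len(s.Province) > 0, "ST missing")
	need(len(s.Locality) > 0, "L missing")
	need(s.CommonName != "", "CN missing")
	// The SAN extension is required and may carry dNSName entries only.
	need(len(csr.DNSNames) > 0, "SAN must list at least one FQDN")
	need(len(csr.IPAddresses) == 0 && len(csr.EmailAddresses) == 0 && len(csr.URIs) == 0,
		"only dNSName SAN entries are allowed")
	cnInSAN := false
	for _, d := range csr.DNSNames {
		// IP literals and dot-less host names are treated as internal server
		// names (an assumed, simplified stand-in for a full public-suffix check).
		need(net.ParseIP(d) == nil && strings.Contains(d, "."),
			"internal server name or IP literal in SAN: "+d)
		cnInSAN = cnInSAN || d == s.CommonName
	}
	// CN, when present, must repeat one of the SAN FQDNs.
	need(s.CommonName == "" || cnInSAN, "CN is not one of the SAN FQDNs")
	return errs
}

// NewCSR signs a PKCS #10 request with a fresh P-256 key (constructed sample input).
func NewCSR(tmpl *x509.CertificateRequest) (*x509.CertificateRequest, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail in practice
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// GoodExternalCSR follows the External profile; all names are sample values.
func GoodExternalCSR() (*x509.CertificateRequest, error) {
	return NewCSR(&x509.CertificateRequest{
		Subject: pkix.Name{Country: []string{"IT"}, Organization: []string{"UniCredit S.p.A."},
			Province: []string{"Milano"}, Locality: []string{"Milan"}, CommonName: "www.sample-bank.invalid"},
		DNSNames: []string{"www.sample-bank.invalid", "sample-bank.invalid"},
	})
}

// BadExternalCSR lacks ST, carries an IP-address SAN, a dot-less host name
// and a CN that is absent from the SAN list (sample values).
func BadExternalCSR() (*x509.CertificateRequest, error) {
	return NewCSR(&x509.CertificateRequest{
		Subject: pkix.Name{Country: []string{"IT"}, Organization: []string{"UniCredit S.p.A."},
			Locality: []string{"Milan"}, CommonName: "portal"},
		DNSNames:    []string{"intranet"},
		IPAddresses: []net.IP{net.ParseIP("10.0.0.1")},
	})
}

// Tamper returns a copy of csr whose signature no longer verifies, which is
// how a request built without the matching private key looks to the RA.
func Tamper(csr *x509.CertificateRequest) *x509.CertificateRequest {
	t := *csr
	t.Signature = append([]byte(nil), csr.Signature...)
	t.Signature[len(t.Signature)-1] ^= 0xff
	return &t
}
```

`CheckCSR` collects every violation rather than stopping at the first, so an RA operator sees the whole list of corrections a requester has to make; the proof-of-possession failure is reported the same way, since a request that fails it must be rejected regardless of how well its names are formed.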


3.2.2 Authentication of Organization Identity

The Organization must belong to the UniCredit S.p.A. group or must be included in the subsidiaries list. The Country must be one of the countries where UniCredit S.p.A. is conducting business or where UniCredit S.p.A. or UniCredit subsidiaries and branch offices have a location.

A subscriber request for a certificate to be used on external services is subject to an indemnity form that must be returned to UniCredit S.p.A. signed by an accountable subject. Signed forms are kept as part of the identification process, together with the PPM or Change number provided in the request process.

Internal Only certificates are identified by the internal PPM or Change number. A random lookup process will check the consistency of the data.

Domain names accepted in Certificate Requests must already be owned by UniCredit S.p.A. or UniCredit subsidiaries. No other domain names are normally accepted. In the case of a non-owned domain name, the identity of the requester must be verified and approved by the UniCredit S.p.A. internal security office.

3.2.3 Authentication of Individual Identity

Individuals can only apply for a certificate internally. An individual must have a set of credentials to authenticate against one of the internal authentication facilities (portal, directory service, or else). No other individuals are admitted.

Individuals must have a populated Name (GN, MN, Second) and a valid email address.

3.2.4 Non-Verified Subscriber Information

Information that is not required in “Internal Only” certificate requests is not verified. This includes Organizational Units, State or Province, Locality and the requester's email address.

3.2.5 Validation of Authority

Requests are accepted from internal personnel only. No other request is accepted. The requesting internal personnel are validated according to the scope of the certificate request (Internal Only or External).

3.2.6 Criteria for Interoperation

No stipulation.

3.3 Identification and Authentication for Re-key Requests

Prior to the expiration of an existing Certificate, it is necessary for the Subscriber to obtain a new Certificate to maintain continuity of Certificate usage. Subscribers have the option of generating a new Key Pair to replace the expiring Key Pair (technically defined as “rekey”) or of creating a new CSR for an existing Key Pair (technically defined as “renewal”), depending on their preferences and the capabilities and restrictions of the Subscriber's key generation tools. For purposes of this CPS, both a “rekey” and a “renewal” as defined above will be treated as a renewal Certificate. Rekey is the preferred and recommended method to renew a Certificate.

New certificate information submitted for renewal Certificates is subject to the same authentication steps outlined in this CPS as apply to initial issuance of a Certificate.

3.4 Identification and Authentication for Revocation Requests

The only persons permitted to request revocation of a Certificate issued by UniCredit CA are the Subscriber (including designated representatives), the administrative contact or the technical contact, or an enterprise Administrator.


To request revocation, a Subscriber or Authorized requester must provide revocation information using the UniCredit RA.

“Internal Only” certificates are immediately revoked. Revocation requests for External certificates are validated by the UniCredit CA office before being confirmed and included in a CRL. The validation process could include a form submission that the subscriber must return signed. Upon receipt of the confirming e-mail message, UniCredit CA will revoke the Certificate and the revocation will be posted to the appropriate CRL.

There is no grace period available to the Subscriber prior to revocation, and the UniCredit CA office shall respond to the revocation request within the next business day and post the revocation to the next published CRL.

Under some conditions (force majeure) UniCredit CA office personnel may revoke certificates through a Web based application without a request being initiated by the subscriber.


4 Certificate Life-Cycle Operations

4.1 Certificate Application

4.1.1 Who Can Submit A Certificate Application

Below is a list of people who may submit certificate applications:

- Any authorized individual who is the subject of the certificate;
- Any authorized representative of an Organization or entities;
- Any authorized representative of a CA;
- Any authorized representative of an RA;

4.1.2 Enrollment Process and Responsibilities

All end-user Certificate Subscribers shall manifest assent to the relevant Subscriber Agreement and undergo an enrollment process consisting of:

- Completing a Certificate Application and providing true and correct information;
- Generating, or arranging to have generated, a key pair;
- Delivering his, her, or its public key through UniCredit RA;
- Demonstrating possession of the private key corresponding to the public key delivered to the UniCredit CA;

Some types of server and client authentication certificates may not require submission through the UniCredit RA, as their request and issuance are semi-automatic or automatic.

4.2 Certificate application processing

4.2.1 Performing identification and authentication functions

UniCredit CA or RA shall perform identification and authentication of all required Subscriber information in terms of Section 3.2. UniCredit CA and RA rely on internal authentication facilities (portal, directory services, or equivalent).

4.2.2 Approval or rejection of certificate applications

UniCredit CA office or RA will approve an application for a certificate if the following criteria are met:

- Successful identification and authentication of all required Subscriber information in terms of Section 3.2;
- Indemnity forms are signed and returned (external use certificates);
- All the required attributes are submitted and validated (automatically or manually);

UniCredit CA office or RA will reject a certificate application if:

- Identification and authentication of all required Subscriber information in terms of Section 3.2 cannot be completed;
- The Subscriber fails to furnish supporting documentation;
- The Subscriber fails to respond to notices within a specified time;
- Non-existent PPM or Change numbers were provided;

4.2.3 Time to process certificate applications

UniCredit CA issues an “Internal Only” certificate immediately after the registration process is completed and validated.

External certificates are issued within a business day after the registration process is completed and validated.


A certificate application remains active until rejected or issued.

4.3 Certificate issuance

4.3.1 CA actions during certificate issuance

A Certificate is created and issued following the manual or automatic approval of a Certificate Application by the UniCredit CA office or following receipt of an RA's request to issue the Certificate. UniCredit CA creates and issues to a Certificate Applicant a Certificate based on the information in a Certificate Application following approval of such Certificate Application.

4.3.2 Notification to subscriber by the CA of issuance of certificate

UniCredit CA shall, either directly or through the RA, notify Subscribers that they have created such Certificates, and provide Subscribers with access to the Certificates by notifying them that their Certificates are available.

Certificates shall be made available to end-user Subscribers, either by allowing them to download them from a web site, an application programming interface (API) or via a message sent to the Subscriber containing the Certificate.

4.4 Certificate acceptance

4.4.1 Conduct constituting certificate acceptance

The applicant expressly indicates acceptance of a Certificate by downloading and/or using such Certificate.

4.4.2 Publication of the certificate by the CA

UniCredit CA may publish the Certificates it issues in a publicly accessible repository.

4.4.3 Notification of certificate issuance by the CA to other entities

RAs may receive notification of the issuance of certificates they approve.

4.5 Key pair and certificate usage

4.5.1 Subscriber private key and certificate usage

Use of the Private Key corresponding to the public key in the Certificate is only permitted once the Subscriber has accepted the Certificate. The Certificate shall be used lawfully, in accordance with UniCredit CA internal procedures and the terms of this CPS. Certificate use must be consistent with the KeyUsage extension included in the Certificate (e.g., if Digital Signature is not enabled, the Certificate must not be used for signing).

Subscribers shall protect their private keys from unauthorized use and shall discontinue use of the private key following expiration or revocation of the Certificate.

A Certificate may be installed on more than one server at a time only where the certificate type provides for it.
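The KeyUsage rule above is easy to state and easy to skip in code. The following is an added example, not part of the UniCredit CPS, showing how a subscriber-side tool can refuse to sign with a key whose Certificate lacks the Digital Signature bit, and how a relying party applies the same gate before trusting a signature. It uses only the openssl command-line tool; the two self-signed test certificates, the subject names and the message are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the UniCredit CPS): gate private-key operations on the
# certificate's KeyUsage extension, as CPS section 4.5.1 requires.
# All key material below is throw-away and generated on the fly.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so "openssl req" works without a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# Two constructed self-signed certificates: one that permits digitalSignature
# and one limited to keyEncipherment (an encryption-only certificate).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=signing.example.test" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -keyout "$WORK/sign.key" -out "$WORK/sign.crt" 2>/dev/null
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=encrypt.example.test" \
  -addext "keyUsage=critical,keyEncipherment" \
  -keyout "$WORK/enc.key" -out "$WORK/enc.crt" 2>/dev/null

# Return 0 if the certificate's KeyUsage names the given bit, 1 otherwise.
# "openssl x509 -ext keyUsage" prints the decoded extension, e.g.
#   X509v3 Key Usage: critical
#       Digital Signature, Key Encipherment
has_key_usage() {
  openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q "$2"
}

# Subscriber side: sign only when the certificate authorises it (4.5.1).
# Prints "signed" or "refused" so callers can branch on the outcome.
sign_with() {
  cert=$1; key=$2; infile=$3; sigfile=$4
  if has_key_usage "$cert" "Digital Signature"; then
    openssl dgst -sha256 -sign "$key" -out "$sigfile" "$infile"
    echo signed
  else
    echo refused
  fi
}

# Relying-party side (4.5.2): accept a signature only if the certificate both
# permits signing and actually verifies the signature over the data.
verify_with() {
  cert=$1; infile=$2; sigfile=$3
  openssl x509 -in "$cert" -noout -pubkey > "$WORK/pub.pem"
  if has_key_usage "$cert" "Digital Signature" \
     && openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$sigfile" "$infile" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

printf 'payment instruction 42\n' > "$WORK/msg.txt"   # constructed sample message
SIGN_RESULT=$(sign_with "$WORK/sign.crt" "$WORK/sign.key" "$WORK/msg.txt" "$WORK/msg.sig")
ENC_RESULT=$(sign_with "$WORK/enc.crt" "$WORK/enc.key" "$WORK/msg.txt" "$WORK/msg2.sig")
VERIFY_RESULT=$(verify_with "$WORK/sign.crt" "$WORK/msg.txt" "$WORK/msg.sig")
echo "signing cert: $SIGN_RESULT; encryption-only cert: $ENC_RESULT; verification: $VERIFY_RESULT"
```

The check is deliberately done by reading the certificate rather than by trusting a file name or a naming convention: the KeyUsage extension is what the CA signed, so it is the only authoritative statement of what the key may be used for.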

4.5.2 Relying party public key and certificate usage

Relying Parties must verify that the Certificate is valid by examining the Certificate Revocation List (“CRL”) before initiating a transaction involving such Certificate. Reliance on a Certificate must be reasonable under the circumstances. If the circumstances indicate a need for additional assurances, the Relying Party must obtain such assurances for such reliance to be deemed reasonable.

Before any act of reliance, Relying Parties shall independently assess:

- The appropriateness of the use of a Certificate for any given purpose, and that the Certificate will, in fact, be used for an appropriate purpose that is not prohibited or otherwise restricted by this CPS.

- That the Certificate is being used in accordance with the KeyUsage extension included in the Certificate (e.g., if Digital Signature is not enabled then the Certificate may not be relied upon for validating a Subscriber’s signature).

- The status of the Certificate and of all the CAs in the chain that issued the Certificate. If any of the Certificates in the Certificate Chain have been revoked, the Relying Party is solely responsible for investigating whether reliance on a digital signature performed by an end-user Subscriber Certificate prior to revocation of a Certificate in the Certificate Chain is reasonable. Any such reliance is made solely at the risk of the Relying Party.

Assuming that the use of the Certificate is appropriate, Relying Parties shall use the appropriate software and/or hardware to perform digital signature verification or the other cryptographic operations they wish to perform, as a condition of relying on Certificates in connection with each such operation. Such operations include identifying a Certificate Chain and verifying the digital signatures on all Certificates in the Certificate Chain.

4.6 Certificate renewal

4.6.1 Circumstance for certificate renewal

Prior to the expiration of an existing Certificate, the Subscriber must obtain a new Certificate to maintain continuity of Certificate usage. Subscribers have the option of generating a new Key Pair to replace the expiring Key Pair (technically a “rekey”) or of creating a new CSR for the existing Key Pair (technically a “renewal”), depending on their preferences and on the capabilities and restrictions of the Subscriber’s key generation tools. For the purposes of this CPS, both a “rekey” and a “renewal” as defined above are treated as a renewal Certificate. Rekey is the preferred and recommended method of renewing a Certificate, since it does not extend the lifetime of the existing private key.

New certificate information submitted for renewal Certificates is subject to the same authentication steps outlined in this CPS as apply to the initial issuance of a Certificate.

4.6.2 Who may request renewal

Only the Subscriber for an individual certificate, or an authorized representative for an Organizational certificate, may request certificate renewal.

4.6.3 Processing certificate renewal requests

See Section 4.2.

4.6.4 Notification of new certificate issuance to subscriber

Notification of issuance of a renewal certificate to the Subscriber is in accordance with Section 4.3.2.

4.6.5 Conduct constituting acceptance of a renewal certificate

Conduct constituting acceptance of a renewed certificate is in accordance with Section 4.4.1.

4.6.6 Publication of the renewal certificate by the CA

UniCredit CA may publish the Certificates it issues in a publicly accessible repository.

4.6.7 Notification of certificate issuance by the CA to other entities

RAs may receive notification of the issuance of certificates they approve.

4.7 Certificate Re-Key

See Section 3.3.

4.7.1 Circumstances for Re-Key

See Section 3.3.

4.7.2 Who May Request Certification of a New Public Key

Only the Subscriber for an individual certificate, or an authorized representative for an Organizational certificate, may request certificate renewal/rekey.

4.7.3 Processing Certificate Re-Keying Requests

The provisions of Section 4.6.3 apply.

4.7.4 Notification of New Certificate Issuance to Subscriber

Notification of issuance of a re-keyed certificate to the Subscriber is in accordance with Section 4.3.2.

4.7.5 Conduct Constituting Acceptance of a Re-Keyed Certificate

Conduct constituting acceptance of a re-keyed certificate is in accordance with Section 4.4.1.

4.7.6 Publication of the Re-Keyed Certificate by the CA

UniCredit CA may publish the Certificates it issues in a publicly accessible repository.

4.7.7 Notification of Certificate Issuance by the CA to Other Entities

RAs may receive notification of the issuance of certificates they approve.

4.8 Certificate Modification

4.8.1 Circumstances for Certificate Modification

Certificate modification refers to the application for the issuance of a new certificate due to changes in the information in an existing certificate (other than the Subscriber’s public key). Certificate modification is considered a Certificate Application in terms of Section 4.1.

4.8.2 Who May Request Certificate Modification

See Section 4.1.1.

4.8.3 Processing Certificate Modification Requests

UniCredit CA or the RA shall perform identification and authentication of all required Subscriber information in terms of Section 3.2.

4.8.4 Notification of New Certificate Issuance to Subscriber

See Section 4.3.2.

4.8.5 Conduct Constituting Acceptance of Modified Certificate

See Section 4.4.1.

4.8.6 Publication of the Modified Certificate by the CA

See Section 4.4.2.

4.8.7 Notification of Certificate Issuance by the CA to Other Entities

See Section 4.4.3.

4.9 Certificate Revocation and Suspension

4.9.1 Circumstances for Revocation

A Subscriber may request revocation of its Certificate at any time. A Subscriber shall request UniCredit CA to revoke a Certificate:

- Whenever any of the information on the Certificate changes or becomes obsolete; or
- Whenever the Private Key, or the media holding the Private Key, associated with the Certificate is compromised; or
- Upon a change in the ownership of a Subscriber's web server.

The Subscriber shall state the reason for requesting revocation upon submitting the request. UniCredit CA shall revoke a Certificate:

- Upon request of a Subscriber as described above;
- In the event of compromise of UniCredit CA's Private Key used to sign a certificate;
- Upon the Subscriber's breach of either this CPS or other Agreements and procedures;
- If the UniCredit CA office determines that the certificate was not properly issued;
- If the Subscriber has failed to meet its material obligations under the subscriber and/or enrolment agreements or procedures; or
- If UniCredit CA determines in its sole discretion that any material fact contained in the Publisher Certificate is no longer true.

In the event that UniCredit CA ceases operations and there is no plan for transition of UniCredit CA’s services to a successor, or no plan to otherwise address such event, all Certificates issued by UniCredit CAs shall be revoked prior to the date that the CA ceases operations, and the UniCredit CA Office shall notify the technical contact provided by the publisher by e-mail message of the revocation and the reason for the revocation.

4.9.2 Who Can Request Revocation

The only persons permitted to request revocation of a certificate issued by UniCredit CA are the Subscriber (including designated representatives), the administrative contact or the technical contact, an enterprise Administrator, the UniCredit CA office, and other offices under certain circumstances.

4.9.3 Procedure for Revocation Request

4.9.3.1 Procedure for Requesting the Revocation of an End-User Subscriber Certificate

See Section 3.4.

4.9.3.2 Procedure for Requesting the Revocation of a CA or RA Certificate

No stipulation.

4.9.4 Revocation Request Grace Period

Revocation requests shall be submitted as promptly as possible, within a commercially reasonable time. There is no grace period available to the Subscriber prior to revocation.

4.9.5 Time within Which CA Must Process the Revocation Request

UniCredit CA processes “Internal Only” revocation requests automatically. Revocation requests for external certificates are processed on the next business day.

4.9.6 Revocation Checking Requirements for Relying Parties

Relying Parties shall check the status of Certificates on which they wish to rely. One method by which Relying Parties may check Certificate status is by consulting the most recent CRL from the CA that issued the Certificate on which the Relying Party wishes to rely. Certificate Revocation Lists are available at ca.unicredit.eu/CRL according to the distribution points defined in the certificates.

4.9.7 CRL Issuance Frequency

UniCredit CA shall post the CRL online at least weekly (and no later than twenty-four (24) hours after revocation of a Certificate), in DER format.

4.9.8 Maximum Latency for CRLs

CRLs are automatically posted to the repository every hour.

4.9.9 On-Line Revocation/Status Checking Availability

Certificate Revocation Lists are available at ca.unicredit.eu/CRL according to the distribution points defined in the certificates.

4.9.10 On-Line Revocation Checking Requirements

A Relying Party must check the status of a certificate on which he/she/it wishes to rely.
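Sections 4.5.2 and 4.9.6 to 4.9.10 describe what a Relying Party must do, but not how the pieces fit together. The following is an added example, not part of the UniCredit CPS, that builds a throw-away one-tier PKI with the openssl command-line tool, issues a leaf certificate carrying a CRL distribution point, publishes the CRL in DER form with a seven-day lifetime (the “at least weekly” cadence of 4.9.7), and then runs the relying-party check both before and after a key-compromise revocation. The CA name, hostnames, file names and the CRL distribution point URL are constructed for the demo; UniCredit’s real CRLs are the ones referenced from its certificates.

```shell
#!/bin/sh
# Added example (not from the UniCredit CPS): a constructed one-tier PKI showing
# the relying-party steps of CPS 4.5.2 / 4.9.6: build the chain, verify every
# signature in it, and consult the issuer's CRL for each certificate in the chain.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir newcerts
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Minimal "openssl ca" configuration. default_crl_days = 7 mirrors the weekly
# issuance in 4.9.7; every leaf embeds a CRL distribution point as in 4.9.6.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
organizationName = optional
countryName      = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
crlDistributionPoints  = URI:http://ca.example.test/CRL/demo.crl
EOF

# Constructed root CA (self-signed) and one leaf issued through "openssl ca".
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=IT/O=Example Demo/CN=Demo Root" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=app.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -batch -config ca.cnf -extensions v3_leaf -notext -in leaf.csr -out leaf.crt 2>/dev/null

# Publish the CRL as DER (4.9.7) and keep a PEM copy next to the trust anchor,
# which is how "openssl verify" consumes it.
publish_crl() {
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  openssl crl -in crl.pem -outform DER -out demo.crl
  cat ca.crt crl.pem > trust-bundle.pem
}

# Number of revoked entries in a DER CRL, read back the way a relying party would.
crl_entry_count() {
  openssl crl -inform DER -in "$1" -noout -text | grep -c '^ *Serial Number:' || true
}

# Relying-party check: chain to the trust anchor, verify all signatures, and
# check the CRL for every certificate in the chain. Prints good / revoked / invalid.
check_status() {
  out=$(openssl verify -crl_check_all -CAfile trust-bundle.pem "$1" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *)                       echo invalid ;;
  esac
}

publish_crl
BEFORE=$(check_status leaf.crt)
ENTRIES_BEFORE=$(crl_entry_count demo.crl)

# The subscriber reports key compromise (4.9.1): revoke and re-issue the CRL.
openssl ca -batch -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
publish_crl
AFTER=$(check_status leaf.crt)
ENTRIES_AFTER=$(crl_entry_count demo.crl)
NEXT_UPDATE=$(openssl crl -inform DER -in demo.crl -noout -nextupdate)

echo "before revocation: $BEFORE ($ENTRIES_BEFORE CRL entries)"
echo "after revocation:  $AFTER ($ENTRIES_AFTER CRL entries); $NEXT_UPDATE"
```

Two points worth noticing: `-crl_check_all` checks the CRL for every certificate in the chain, which is what 4.5.2 asks for, so in a two-tier deployment (Root plus issuing CA) the relying party needs the CRLs of both issuers, not only the one named in the leaf; and the CRL’s nextUpdate is a hard limit, since a CRL fetched once and cached past that date is treated by the verifier as missing rather than as still valid.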

4.9.11 Other Forms of Revocation Advertisements Available

No stipulation.

4.9.12 Special Requirements Regarding Key Compromise

In the event of compromise of a UniCredit CA Private Key used to sign Certificates, the UniCredit CA office will send an e-mail message as soon as practicable to all Subscribers with Certificates issued from that Private Key, stating that the Certificates will be revoked by the next business day and that posting the revocation to the appropriate CRL will constitute notice to the Subscriber that the Certificate has been revoked.

4.9.13 Circumstances for Suspension

UniCredit CA supports Certificate suspension for “Internal Only” Certificates. Suspension rules are identical to the revocation rules.

4.9.14 Who can Request Suspension

See Section 4.9.2.

4.9.15 Procedure for Suspension Request

See Section 4.9.3.

4.9.16 Limits of Suspension Period

No limits are set on the suspension period. Certificates remain suspended until the requester reinstates them or definitively revokes them.

4.10 Certificate Status Services

4.10.1 Operational Characteristics

The status of certificates is available via CRL at the public UniCredit web site (ca.unicredit.eu).

4.10.2 Service Availability

Certificate Status Services are available 24/7, except for scheduled and announced interruptions.

4.10.3 Optional Features

No stipulation.

4.11 End of Subscription

A Subscriber may end a subscription for a UniCredit CA certificate by:

- Allowing his/her/its certificate to expire without renewing or re-keying that certificate;
- Revoking his/her/its certificate before certificate expiration without replacing the certificate.

4.12 Key Escrow and Recovery

The Root Keys for each CA Certificate were generated and are stored in hardware and are backed up but not escrowed. UniCredit CAs may escrow end-user Subscriber private keys (this function is only available for certain types of certificates).

4.12.1 Key Escrow and Recovery Policy and Practices

The private keys of end-user Subscribers may be escrowed.

4.12.2 Session Key Encapsulation and Recovery Policy and Practices

Escrowed private keys are stored in the UniCredit CA databases in an encrypted, internally managed form. The escrow process is the one described in Microsoft’s technical library, and it uses an external recovery agent to authorize the recovery of private keys. Recovery of a private key and digital certificate requires the UniCredit CA office, or another delegated entity that has access to the Master Key Recovery Certificate, to securely access its Enterprise account with UniCredit CA and select the enrolment record associated with the private key that is to be recovered.

The Administrator then downloads the encrypted PKCS#12 (binary object) and initiates the recovery process. After the recovery, performed with the CA’s internal tools, is completed, the PKCS#12 is available and can be provided to the requester.

Recovery could be automated using an RA process.

5 Facility, Management, and Operational Controls

5.1 Physical Controls

5.1.1 Site Location and Construction

UniCredit Online CA and RA operations are conducted in the UniCredit CED building, which provides a physically protected environment that deters, prevents, and detects unauthorized use of, access to, or disclosure of sensitive information and systems, whether covert or overt.

The UniCredit Root CA is physically located in a highly secure facility that complies with the latest version of security standards such as those required by the Visa and SWIFT circuits.

5.1.2 Physical Access

Only authorized GCC Key Management employees can access the UniCredit Root CA facility, using dual access controls.

5.1.3 Power and Air Conditioning

The UniCredit CA facility is equipped with primary and backup:

- Power systems, to ensure continuous, uninterrupted access to electric power; and
- Heating/ventilation/air conditioning systems, to control temperature and relative humidity.

5.1.4 Water Exposures

UniCredit S.p.A. facilities are located in sites with reasonably low exposure to water damage.

5.1.5 Fire Prevention and Protection

UniCredit S.p.A. buildings are equipped with fire prevention and protection devices and have been designed to comply with local fire safety regulations.

5.1.6 Media Storage

All media containing production software and data, audit, archive, or backup information is stored within multiple UniCredit S.p.A. branch offices in dedicated safes with appropriate physical and logical access controls, designed to limit access to authorized personnel and to protect such media from accidental damage.

5.1.7 Waste Disposal

Sensitive documents and materials are shredded before disposal. Media used to collect or transmit sensitive information are rendered unreadable before disposal. Cryptographic devices are physically destroyed or zeroed in accordance with the manufacturers’ guidance prior to disposal. Other waste is disposed of in accordance with UniCredit S.p.A. normal waste disposal requirements.

5.1.8 Off-Site Backup

UniCredit S.p.A. performs routine backups of critical system data, audit log data, and other sensitive information. Critical CA facility backup media, where needed, are stored in a physically secure manner at an offsite facility.

5.2 Procedural Controls

5.2.1 Trusted Roles

Trusted Persons include all employees, contractors, and consultants that have access to or control authentication or cryptographic operations that may materially affect:

- The validation of information in Certificate Applications;
- The acceptance, rejection, or other processing of Certificate Applications, revocation requests, renewal requests, or enrolment information;
- The issuance or revocation of Certificates, including personnel having access to restricted portions of its repository;
- The handling of Subscriber information or requests.

Trusted Persons include, but are not limited to:

- Cryptographic business operations personnel;
- Security personnel;
- System administration personnel;
- Designated engineering personnel; and
- Executives that are designated to manage infrastructural trustworthiness.

Persons seeking to become Trusted Persons by obtaining a Trusted Position must successfully complete thescreening requirements set out in this CPS.

5.2.2 Number of Persons Required per Task

The UniCredit S.p.A. CA office has established, maintains, and enforces rigorous control procedures to ensure the segregation of duties based on job responsibility and to ensure that sensitive tasks are performed only by Trusted Persons.

Policy and control procedures are in place to ensure segregation of duties based on job responsibilities. The most sensitive tasks, such as access to and management of CA cryptographic hardware (cryptographic signing unit, or CSU) and associated key material, require Trusted Persons and are subject to dual control. These internal control procedures are designed to ensure that Trusted Persons are required for either physical or logical access to the device. Access to CA cryptographic hardware is strictly controlled by the CA manager throughout its lifecycle, from incoming receipt and inspection to final logical and/or physical destruction.

5.2.3 Identification and Authentication for Each Role

Trusted Persons’ identities are managed by the internal UniCredit S.p.A. HR procedures. Identity is further confirmed through the background checking procedures in CPS § 5.3.1.

UniCredit S.p.A. ensures that personnel have achieved Trusted Status and departmental approval has been given before such personnel are:

- Issued access devices and granted access to the required facilities;
- Issued electronic credentials to access and perform specific functions on the UniCredit Root CA, RA, or other IT systems.

5.2.4 Roles Requiring Separation of Duties

Roles requiring separation of duties include (but are not limited to):

- The validation of information in Certificate Applications;

- The acceptance, rejection, or other processing of Certificate Applications, revocation requests, renewal requests, or enrollment information (certificate management);

- The execution, management, and operation of Certification Authorities (CA management).

5.3 Personnel Controls

Personnel controls are operated by the UniCredit S.p.A. HR office.

5.3.1 Qualifications, Experience, and Clearance Requirements

Qualifications, experience and clearance requirements are established by the UniCredit S.p.A. HR office.

5.3.2 Background Check Procedures

Background checks of Trusted Personnel are performed by the UniCredit S.p.A. HR office.

5.3.3 Training Requirements

Personnel skills are ensured through the UniCredit S.p.A. HR office training programs.

5.3.4 Retraining Frequency and Requirements

See Section 5.3.3.

5.3.5 Job Rotation Frequency and Sequence

Job rotation is managed by the UniCredit S.p.A. HR office.

5.3.6 Sanctions for Unauthorized Actions

Appropriate disciplinary actions are taken for unauthorized actions or other violations of UniCredit S.p.A. policies and procedures. Disciplinary actions may include measures up to and including termination and are commensurate with the frequency and severity of the unauthorized actions.

5.3.7 Independent Contractor Requirements

In limited circumstances, independent contractors or consultants may be used to fill Trusted Positions. Any such contractor or consultant is held to the same functional and security criteria that apply to a UniCredit S.p.A. employee in a comparable position.

Independent contractors and consultants who have not completed or passed the background check procedures specified in CPS Section 5.3.2 are permitted access to UniCredit S.p.A. secure facilities only to the extent that they are escorted and directly supervised by Trusted Persons at all times.

5.3.8 Documentation Supplied to Personnel

UniCredit S.p.A. provides its employees with the requisite training and other documentation needed to perform their job responsibilities competently and satisfactorily.

5.4 Audit Logging Procedures

5.4.1 Types of Events Recorded

UniCredit S.p.A. records CA event data.

5.4.2 Frequency of Processing Log

UniCredit S.p.A. CA event journal data is archived monthly. Event journals are subject to review.

5.4.3 Retention Period for Audit Log

Audit logs shall be retained onsite for at least seven (7) years after processing and thereafter archived in accordance with Section 5.5.2.

5.4.4 Protection of Audit Log

Audit logs are protected in accordance with Section 5.1.6.

5.4.5 Audit Log Backup Procedures

See Section 5.4.3.

5.4.6 Audit Collection System (Internal vs. External)

No stipulation.

5.4.7 Notification to Event-Causing Subject

Where an event is logged by the audit collection system, no notice is required to be given to the individual, organization, device, or application that caused the event.

5.4.8 Vulnerability Assessments

No stipulation.

5.4.9 Archive Collection System (Internal or External)

No stipulation.

5.4.10 Procedures to Obtain and Verify Archive Information

Only authorized Trusted Personnel are able to obtain access to the archive. The integrity of the information is verified when it is restored.

5.5 Records Archival

5.5.1 Types of Records Archived

UniCredit S.p.A. CAs archive the following types of records:

- Certificate application information;
- Documentation supporting certificate applications;
- Certificate lifecycle information, e.g., revocation, rekey and renewal application information.

Records are kept in a dedicated database managed according to the internal databases procedures.

5.5.2 Retention Period for Archive

Records shall be retained for at least seven (7) years following the date on which the Certificate expires or is revoked.

5.5.3 Protection of Archive

UniCredit S.p.A. protects the archive so that only authorized Trusted Persons are able to obtain access to it. The archive is protected against unauthorized viewing, modification, deletion, or other tampering by storage within a Trustworthy System. The media holding the archive data and the applications required to process the archive data shall be maintained to ensure that the archive data can be accessed for the time period set forth in this CPS.

5.5.4 Archive Backup Procedures

Backups are managed by internal database procedures.

5.5.5 Requirements for Time-Stamping of Records

Certificates, CRLs, and other revocation database entries shall contain time and date information. Such time information need not be cryptographically based.

5.5.6 Archive Collection System (Internal or External)

No stipulation.

5.5.7 Procedures to Obtain and Verify Archive Information

Only authorized Trusted Personnel are able to obtain access to the archive. The integrity of the information is verified when it is restored.

5.6 Key Changeover

UniCredit S.p.A. CA key pairs are retired from service at the end of their respective lifetimes as defined in this CPS. UniCredit S.p.A. CA Certificates may be renewed. New CA key pairs will be generated as necessary, for example to replace CA key pairs that are being retired, to supplement existing, active key pairs, and to support new services.

When UniCredit S.p.A. CA key pairs reach the end of their validity period, such CA key pairs will be archived for a period of at least 5 years. Archived CA key pairs will be securely stored using hardware cryptographic modules. Procedural controls will prevent archived CA key pairs from being returned to production use. Upon the end of the archive period, archived CA private keys will be securely destroyed.

UniCredit S.p.A. CA key pairs are retired from service at the end of their respective maximum lifetimes, and so there is no key changeover. Certificates may be renewed as long as the cumulative certified lifetime of the Certificate key pair does not exceed the maximum CA key pair lifetime. New CA key pairs will be generated as necessary, for example to replace CA key pairs that are being retired, to supplement existing, active key pairs, and to support new services in accordance with this CPS.

UniCredit Root CA key pair lifetimes

- CN=UniCredit Root, O=UniCredit S.p.A., C=IT [thumbprint SHA1: 74 48 2b 38 f6 cb 97 7a be 3f 15 a8 2e a6 df e4 63 a0 59 7f] valid to 10 March 2031.

5.7 Compromise and Disaster Recovery

5.7.1 Incident and Compromise Handling Procedures

Backup copies of essential business and CA information are made routinely. In general, backups are performed every time a Root CA operation is carried out (such as every time a new CRL is issued). Offsite backups are also performed at the same time as the onsite backups.

5.7.2 Computing Resources, Software, and/or Data are Corrupted

In the event of the corruption of computing resources, software, and/or data, such an occurrence is reported to the UniCredit S.p.A. CA office. Appropriate escalation, incident investigation, and incident response will ensue.

5.7.3 Entity Private Key Compromise Procedures

In the event of the compromise of the UniCredit Root Key, the UniCredit S.p.A. CA Office shall promptly notify all Subscribers via e-mail, notify Relying Parties and others via the CRL and an additional notice posted at ca.unicredit.eu, and revoke all Certificates issued with such UniCredit S.p.A. Root CA.

5.7.4 Business Continuity Capabilities after a Disaster

UniCredit S.p.A. has business continuity plans (BCP) to maintain or restore the UniCredit S.p.A. Root CA business operations in a reasonably timely manner following interruption to or failure of critical business processes.

Backup copies of essential business and CA information are made routinely.

5.8 CA or RA Termination

No stipulation.

6 Technical Security Controls

6.1 Key Pair Generation and Installation

6.1.1 Key Pair Generation

CA Key Pair generation is performed by multiple trained and trusted individuals using secure systems and processes that provide for the security and required cryptographic strength of the keys that are generated. The activities performed in each key generation ceremony are recorded, dated and signed by all individuals involved. These records are kept for audit and tracking purposes for a length of time deemed appropriate by UniCredit S.p.A. management.

At a minimum, the cryptographic modules used for key generation and storage meet the requirements of FIPS 140-1 Level 3. The Root Keys for each CA Certificate are generated and stored in hardware and are backed up but not escrowed. The Root Keys for each of the CA Certificates may be used for Certificate signing, CRL signing, and off-line CRL signing.

UniCredit S.p.A. Root CA Key Pairs are maintained in a trusted and highly secured environment with backup andkey recovery procedures.

6.1.2 Private Key Delivery to Subscriber

No stipulation.

6.1.3 Public Key Delivery to Certificate Issuer

End-user Subscribers and RAs submit their public key to UniCredit S.p.A. CAs for certification electronically, through the use of a PKCS#10 Certificate Signing Request (CSR) or other digitally signed package, in a session secured by Secure Sockets Layer (SSL). Where CA, RA, or end-user Subscriber key pairs are generated by the UniCredit S.p.A. CA Office, this requirement is not applicable.

6.1.4 CA Public Key Delivery to Relying Parties

UniCredit S.p.A. makes the CA Certificates available to Subscribers and Relying Parties through a publicly exposed web site URL from which the Root CA and subordinate CA certificates can be downloaded.

Where possible, other forms of key delivery are used (such as LDAP or file distribution). Relying Parties should add the certificates to their trust stores, according to the application’s requirements, before validating a certificate issued by a UniCredit S.p.A. CA against them.

6.1.5 Key Sizes

Key pairs shall be of sufficient length to prevent others from determining the key pair’s private key using cryptanalysis during the period of expected utilization of such key pairs. The current UniCredit S.p.A. standard for minimum key sizes is the use of key pairs equivalent in strength to 2048-bit RSA or higher for its Root, CA and end-entity certificates.

6.1.6 Public Key Parameters Generation and Quality Checking

No stipulation.

6.1.7 Key Usage Purposes (as per X.509 v3 Key Usage Field)

Refer to Section 7.1.2.1.

6.2 Private Key Protection and Cryptographic Module Engineering Controls

UniCredit S.p.A. has implemented a combination of physical, logical, and procedural controls to ensure the security of UniCredit S.p.A. CA private keys. Public subscribers (such as exposed web sites or services) are required by contract to take the necessary precautions to prevent the loss, disclosure, modification, or unauthorized use of private keys.

6.2.1 Cryptographic Module Standards and Controls

For issuing Root CA key pair generation and CA private key storage, UniCredit S.p.A. uses hardware cryptographic modules that, at a minimum, are certified at or meet the requirements of FIPS 140-1 Level 3.

6.2.2 Private Key (m of n) Multi-Person Control

CA Key Pair generation is performed by multiple trained and trusted individuals using secure systems and processes that provide for the security and required cryptographic strength of the keys that are generated. All CA Key Pairs are generated in pre-planned key generation ceremonies. The activities performed in each key generation ceremony are recorded, dated and signed by all individuals involved. These records are kept for audit and tracking purposes for a length of time deemed appropriate by UniCredit S.p.A. management.

6.2.3 Private Key Escrow

The Root Keys for each CA Certificate are backed up but not escrowed.

6.2.4 Private Key Backup

UniCredit S.p.A. CA Key Pairs are maintained in a trusted and highly secured environment with backup procedures.

6.2.5 Private Key Archival

When UniCredit S.p.A. CA Key Pairs reach the end of their validity period, such CA Key Pairs will be archived for a period of at least 5 years. Archived CA Key Pairs and all related cryptographic materials will be securely stored using offline media. Procedural controls will prevent archived CA Key Pairs from being returned to production use. Upon the end of the archive period, archived CA Private Keys will be securely destroyed.

6.2.6 Private Key Transfer Into or From Cryptographic Module

Private key transfer into or from a cryptographic module is performed in a secure fashion, in accordance with the module manufacturer’s guidelines.

6.2.7 Private Key Storage on Cryptographic Module

Private key storage on cryptographic modules is secured in accordance with the module manufacturer’s guidelines.

6.2.8 Method of Activating Private Key

All UniCredit S.p.A. PKI Participants shall protect the activation data for their private keys against loss, theft, modification, unauthorized disclosure, or unauthorized use.

6.2.9 Method of Deactivating Private Key

Subscribers have an obligation to adequately protect their private key(s).

6.2.10 Method of Destroying Private Key

Archived CA Key Pairs will be securely stored using offline media. Procedural controls will prevent archived CA Key Pairs from being returned to production use.

Cryptographic devices are physically destroyed or zeroed in accordance with the manufacturers’ guidance prior to disposal.


6.2.11 Cryptographic Module Rating

See Section 6.2.1.

6.3 Other Aspects of Key Pair Management

6.3.1 Public Key Archival

No stipulation.

6.3.2 Certificate Operational Periods and Key Pair Usage Periods

A Certificate's period of validity typically begins on the date the Certificate is issued (or such later date as specified in the Certificate), and ends on the date and time it expires as noted in the Certificate, unless the Certificate is revoked before its expiration. The Operational Period for key pairs is the same as the Operational Period for the associated Certificates, except that they may continue to be used for decryption and signature verification.

6.4 Activation Data

6.4.1 Activation Data Generation and Installation

UniCredit S.p.A. RA and CA users are required to select strong passwords to protect their private keys. Password selection guidelines require that system logon passwords are created according to the internal Password Policy.

6.4.2 Activation Data Protection

Where applicable:

- Shareholders are required to safeguard their Secret Shares and sign an agreement acknowledging their Shareholder responsibilities.

- RAs are required to store their Administrator/RA private keys in encrypted form using password protection.

- End-user Subscribers are advised to store their private keys in encrypted form and protect their private keys through the use of a hardware token and/or strong passphrase. The use of two-factor authentication mechanisms (e.g., token and passphrase, biometric and token, or biometric and passphrase) is encouraged.

6.4.3 Other Aspects of Activation Data

6.4.3.1 Activation Data Transmission

To the extent activation data for private keys are transmitted, UniCredit S.p.A. CA/RA Participants shall protect the transmission using methods that protect against the loss, theft, modification, unauthorized disclosure, or unauthorized use of such private keys.

To the extent a Windows or network logon user name/password combination is used as activation data for an end-user Subscriber, the passwords transferred across a network shall be protected against access by unauthorized users.

6.4.3.2 Activation Data Destruction

When applicable, activation data for CA private keys shall be decommissioned using methods that protect against the loss, theft, modification, unauthorized disclosure, or unauthorized use of the private keys protected by such activation data.

6.5 Computer Security Controls

UniCredit S.p.A. performs all CA and RA functions using internal and trusted systems.


6.5.1 Specific Computer Security Technical Requirements

Computers are configured according to the internal security procedures.

6.5.2 Computer Security Rating

No stipulation.

6.6 Life Cycle Technical Controls

6.6.1 System Development Controls

No stipulation.

6.6.2 Security Management Controls

No stipulation.

6.6.3 Life Cycle Security Controls

No stipulation.

6.7 Network Security Controls

No stipulation.

6.8 Time Stamping

Certificates, CRLs, and other revocation database entries shall contain time and date information. Such time information need not be cryptographic-based.


7 Certificate, CRL, and OCSP Profiles

7.1 Certificate Profile

UniCredit S.p.A. Certificates generally conform to

- ITU-T Recommendation X.509 Version 3 (1997): Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, June 1997;

- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, April 2002 (RFC 5280);

Certificate extensions and their criticality, as well as cryptographic algorithm object identifiers, are populated according to the IETF RFC 5280 standards and recommendations. All certificates issued by the UniCredit Subordinate External CA contain the SAN extension, as required by the Baseline Requirements. All certificates issued by the UniCredit Subordinate External CA use a SHA-2 algorithm.

The name forms for Subscribers are enforced through UniCredit S.p.A.’s internal policies and the authentication steps described elsewhere in this CPS. Name constraint enforcement is not through the name constraint extension, but through the authentication steps followed and contractual limitations with each Subscriber. The policy constraints extension and policy qualifier syntax and semantics, when used, conform to the RFC 5280 standards.

7.1.1 Version Number(s)

CA certificates shall be X.509 Version 3 CA Certificates. End-user Subscriber Certificates shall be X.509 Version 3.

7.1.2 Certificate Extensions

7.1.2.1 Key Usage

The keyUsage extension of X.509 Version 3 Certificates is generally populated in accordance with RFC 5280.

7.1.2.2 Certificate Policies Extension

The certificatePolicies extension of X.509 Version 3 Certificates is not generally used.

7.1.2.3 Subject Alternative Names

The subjectAltName extension of X.509 Version 3 Certificates, when used, is populated in accordance with RFC 5280.

7.1.2.4 Basic Constraints

The basicConstraints extension of End-user Subscriber Certificates shall be populated with an empty sequence.

7.1.2.5 Extended Key Usage

The extendedKeyUsage extension of X.509 Version 3 Certificates is generally populated in accordance with RFC 5280.

7.1.2.6 CRL Distribution Points

UniCredit S.p.A. X.509 Version 3 end user Subscriber Certificates and CA Certificates include the cRLDistributionPoints extension containing the URL of the location where a Relying Party can obtain a CRL to check the CA Certificate’s status.

7.1.2.7 Authority Key Identifier

UniCredit S.p.A. generally populates the Authority Key Identifier extension of X.509 Version 3 end user Subscriber Certificates and Intermediate CA Certificates.


7.1.2.8 Subject Key Identifier

UniCredit S.p.A. populates X.509 certificates with a subjectKeyIdentifier extension; the keyIdentifier is based on the public key of the Subject of the Certificate and is generated in accordance with one of the methods described in RFC 5280.
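Taken together, section 6.1.5 and sections 7.1 through 7.1.2.8 define a checkable profile for an end-entity certificate: a key at least as strong as 2048-bit RSA, a SHA-2 signature, populated keyUsage and extendedKeyUsage, a basicConstraints value that is an empty sequence, cRLDistributionPoints and authorityKeyIdentifier present, a subjectKeyIdentifier derived by an RFC 5280 method, and a subjectAltName on certificates from the external subordinate CA. The Go program below is an added example and not UniCredit's own code: it turns those statements into a checklist, builds a throwaway issuing CA and leaf certificate with the standard library, and reports each departure. The subject names, CRL URL and validity periods are placeholders chosen for the example; the SKI check accepts the two derivations that RFC 5280 section 4.2.1.2 spells out, so an issuer using a different method would need the check relaxed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var sha2 = map[x509.SignatureAlgorithm]bool{ // what the profile's "SHA2 algorithm" statement admits
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// skiMatchesRFC5280 recomputes methods (1) and (2) of RFC 5280 section 4.2.1.2 from the raw SPKI.
func skiMatchesRFC5280(cert *x509.Certificate) bool {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString // the SKI hashes this value, minus tag, length and unused-bits octet
	}
	if _, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki); err != nil {
		return false
	}
	h := sha1.Sum(spki.PublicKey.Bytes)                     // method (1): full 160-bit hash
	method2 := append([]byte{0x40 | h[12]&0x0f}, h[13:]...) // method (2): 0100 + low 60 bits
	return string(cert.SubjectKeyId) == string(h[:]) || string(cert.SubjectKeyId) == string(method2)
}

// ProfileViolations lists departures from sections 6.1.5 and 7.1; externalCA switches on the SAN rule.
func ProfileViolations(cert *x509.Certificate, externalCA bool) []string {
	rsaPub, _ := cert.PublicKey.(*rsa.PublicKey) // nil for non-RSA keys
	bcEmpty := false
	for _, e := range cert.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 19}) { // id-ce-basicConstraints
			bcEmpty = string(e.Value) == "\x30\x00" // DER of an empty SEQUENCE
		}
	}
	sans := len(cert.DNSNames) + len(cert.IPAddresses) + len(cert.EmailAddresses) + len(cert.URIs)
	checks := []struct{ ok bool; msg string }{
		{rsaPub != nil && rsaPub.N.BitLen() >= 2048, "6.1.5: key is not RSA of at least 2048 bits (judge equivalent strength by hand)"},
		{sha2[cert.SignatureAlgorithm], "7.1: signature algorithm is not SHA-2 based"},
		{cert.KeyUsage != 0, "7.1.2.1: keyUsage not populated"},
		{bcEmpty, "7.1.2.4: basicConstraints absent or not an empty sequence"},
		{len(cert.ExtKeyUsage) > 0, "7.1.2.5: extendedKeyUsage not populated"},
		{len(cert.CRLDistributionPoints) > 0, "7.1.2.6: cRLDistributionPoints not populated"},
		{len(cert.AuthorityKeyId) > 0, "7.1.2.7: authorityKeyIdentifier not populated"},
		{skiMatchesRFC5280(cert), "7.1.2.8: subjectKeyIdentifier not derived by an RFC 5280 method"},
		{!externalCA || sans > 0, "7.1: external subordinate CA certificate lacks subjectAltName"},
	}
	var v []string
	for _, c := range checks {
		if !c.ok {
			v = append(v, c.msg)
		}
	}
	return v
}

func must[T any](val T, err error) T {
	if err != nil {
		panic(err)
	}
	return val
}

// BuildLeaf issues a constructed leaf under a throwaway issuing-CA template; conforming=false omits what the profile requires.
func BuildLeaf(conforming bool) *x509.Certificate {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caSKI := sha1.Sum(x509.MarshalPKCS1PublicKey(&caKey.PublicKey)) // RFC 5280 method (1); becomes the leaf's AKI
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: caSKI[:], KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "svc.example.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if conforming {
		leaf.BasicConstraintsValid = true // IsCA=false is encoded as the empty SEQUENCE
		leaf.DNSNames = []string{"svc.example.invalid"}
		leaf.CRLDistributionPoints = []string{"http://crl.example.invalid/issuing.crl"} // placeholder URL
		leafSKI := sha1.Sum(x509.MarshalPKCS1PublicKey(&leafKey.PublicKey))
		leaf.SubjectKeyId = leafSKI[:]
	}
	der := must(x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

func main() {
	fmt.Println("conforming:", ProfileViolations(BuildLeaf(true), true), "non-conforming:", ProfileViolations(BuildLeaf(false), true))
}
```

To audit an issued certificate instead of the constructed one, parse its DER with x509.ParseCertificate and pass it to ProfileViolations; the externalCA flag selects whether the SAN requirement of section 7.1 applies. The basicConstraints test deliberately inspects the raw extension value rather than the parsed IsCA flag, because the profile text speaks of the encoding (an empty sequence) and a DER encoder must omit the default cA FALSE.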

7.1.3 Algorithm Object Identifiers

Cryptographic algorithm object identifiers are populated according to the IETF RFC 5280 standards and recommendations.

7.1.4 Name Forms

UniCredit S.p.A. populates Certificates in accordance with Section 3.1.1.

7.1.5 Name Constraints

No stipulation.

7.1.6 Certificate Policy Object Identifier

No stipulation.

7.1.7 Usage of Policy Constraints Extension

No stipulation.

7.1.8 Policy Qualifiers Syntax and Semantics

No stipulation.

7.1.9 Processing Semantics for the Critical Certificate Policies Extension

No stipulation.

7.2 CRL Profile

UniCredit S.p.A. Certificate Revocation Lists generally conform to

- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, April 2002 (RFC 5280);

7.2.1 Version Number(s)

CRLs shall be X.509 Version 2 in compliance with RFC 5280.

7.2.2 CRL and CRL Entry Extensions

CRLs include a monotonically increasing CRL number and the Authority Key Identifier extension.

7.3 OCSP Profile

OCSP (Online Certificate Status Protocol) is a way to obtain timely information about the revocation status of a particular certificate. UniCredit S.p.A. provides OCSP for checking certificate status requests. The OCSP responders conform to RFC 2560.

7.3.1 Version Number(s)

OCSP certificates are X.509 Version 3 CA Certificates issued by the UniCredit Internal Subordinate CA and the UniCredit External Subordinate CA.


7.3.2 OCSP Extensions

No stipulation.


8 Compliance Audit and Other Assessments

8.1 Frequency and Circumstances of Assessment

Compliance Audits are conducted internally at least every year over “internal-only” UniCredit CA certificates. For certificates issued by the UniCredit Subordinate External CA, UniCredit conducts internal audits, on at least a quarterly basis, against a randomly selected sample of at least 3% of the Certificates issued during the observation period.

8.2 Identity/Qualifications of Assessor

UniCredit S.p.A. CA compliance audits are performed internally by the internal audit office.

8.3 Assessor’s Relationship to Assessed Entity

No stipulation.

8.4 Topics Covered by Assessment

No stipulation.

8.5 Actions Taken as a Result of Deficiency

With respect to compliance audits of UniCredit S.p.A. operations, significant exceptions or deficiencies identified during the Compliance Audit will result in a determination of actions to be taken. For less serious exceptions or deficiencies, UniCredit S.p.A. Management will evaluate the significance of such issues and determine the appropriate course of action.

This applies only to certificates issued by the “internal-only” UniCredit CA.

For certificates issued by the UniCredit Subordinate External CA: in case of any non-compliance with this CPS and/or with the CAB Forum’s Baseline Requirements, UniCredit will:

• promptly revoke the affected certificate(s);

• promptly notify the Root CA of the problem(s) found;

• adopt remedial measures, shared with the Root CA, suitable for avoiding the re-occurrence of the same problem(s) in the future.

8.6 Communications of Results

No stipulation for certificates issued by the “internal-only” UniCredit CA.

For certificates issued by the UniCredit Subordinate External CA: any non-compliance with this CPS and/or with the CAB Forum’s Baseline Requirements shall be made known to the Root CA within 24 hours of its discovery.


9 Other Business and Legal Matters

9.1 Fees

9.1.1 Certificate Issuance or Renewal Fees

No stipulation.

9.1.2 Certificate Access Fees

No stipulation.

9.1.3 Revocation or Status Information Access Fees

No stipulation.

9.1.4 Fees for Other Services

No stipulation.

9.1.5 Refund Policy

No stipulation.

9.2 Financial Responsibility

9.2.1 Insurance Coverage

UniCredit S.p.A. maintains commercial general liability insurance coverage.

9.2.2 Other Assets

No stipulation.

9.2.3 Extended Warranty Coverage

No stipulation.

9.3 Confidentiality of Business Information

9.3.1 Scope of Confidential Information

No stipulation.

9.3.2 Information Not Within the Scope of Confidential Information

No stipulation.

9.3.3 Responsibility to Protect Confidential Information

No stipulation.

9.4 Privacy of Personal Information

9.4.1 Privacy Plan

No stipulation.


9.4.2 Information Treated as Private

No stipulation.

9.4.3 Information Not Deemed Private

No stipulation.

9.4.4 Responsibility to Protect Private Information

No stipulation.

9.4.5 Notice and Consent to Use Private Information

No stipulation.

9.4.6 Disclosure Pursuant to Judicial or Administrative Process

No stipulation.

9.4.7 Other Information Disclosure Circumstances

No stipulation.

9.5 Intellectual Property Rights

No stipulation.

9.5.1 Property Rights in Certificates and Revocation Information

No stipulation.

9.5.2 Property Rights in the CPS

No stipulation.

9.5.3 Property Rights in Names

No stipulation.

9.5.4 Property Rights in Keys and Key Material

No stipulation.

9.6 Representations and Warranties

9.6.1 CA Representations and Warranties

No stipulation.

9.6.2 RA Representations and Warranties

No stipulation.

9.6.3 Subscriber Representations and Warranties

No stipulation.

9.6.4 Relying Party Representations and Warranties

No stipulation.


9.6.5 Representations and Warranties of Other Participants

No stipulation.

9.7 Disclaimer of Warranties

No stipulation.

9.8 Limitation of Liability

9.9 Indemnities

9.9.1 Indemnification by Subscribers

No stipulation.

9.9.2 Indemnification by Relying Parties

No stipulation.

9.10 Term and Termination

9.10.1 Term

No stipulation.

9.10.2 Termination

No stipulation.

9.10.3 Effect of Termination and Survival

No stipulation.

9.11 Individual Notices and Communications with Participants

No stipulation.

9.12 Amendments

9.12.1 Procedure for Amendment

No stipulation.

9.12.2 Notification Mechanism and Period

No stipulation.

9.12.2.1 Comment Period

No stipulation.

9.12.2.2 Mechanism to Handle Comments

No stipulation.

9.12.3 Circumstances under Which OID must be Changed

No stipulation.


9.13 Dispute Resolution Provisions

9.13.1 Disputes among UniCredit S.p.A., Affiliates and Customers

No stipulation.

9.13.2 Disputes with End-User Subscribers or Relying Parties

9.14 Governing Law

No stipulation.

9.15 Compliance with Applicable Law

No stipulation.

9.16 Miscellaneous Provisions

9.16.1 Entire Agreement

No stipulation.

9.16.2 Assignment

No stipulation.

9.16.3 Severability

No stipulation.

9.16.4 Enforcement (Attorney’s Fees and Waiver of Rights)

No stipulation.

9.16.5 Force Majeure

9.17 Other Provisions

No stipulation.