Globalsign Certificate Policy

Total Page:16

File Type:pdf, Size:1020Kb

Globalsign Certificate Policy GlobalSign Certificate Policy Date: September 25, 2019 Effective date for Qualified Time Stamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks} Version: v6.2 Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 8 ACKNOWLEDGMENTS .............................................................................................................................10 1.0 INTRODUCTION ...........................................................................................................................11 1.1 OVERVIEW ........................................................................................................................................ 11 Additional requirements for Trusted Root Issuer CAs ............................................................ 13 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 13 1.3 PKI PARTICIPANTS .............................................................................................................................. 15 Certification Authorities (“Issuer CAs”) .................................................................................. 15 Registration Authorities ......................................................................................................... 16 Subscribers ............................................................................................................................. 16 Relying Parties ....................................................................................................................... 17 Other Participants .................................................................................................................. 17 1.4 CERTIFICATE USAGE ............................................................................................................................ 17 Appropriate Certificate Usage ............................................................................................... 17 Prohibited Certificate Usage .................................................................................................. 18 1.5 POLICY ADMINISTRATION ..................................................................................................................... 18 Organization Administering the Document ........................................................................... 18 Contact Person ....................................................................................................................... 18 Person Determining CP Suitability for the Policy ................................................................... 19 CP Approval Procedures ......................................................................................................... 19 1.6 DEFINITIONS AND ACRONYMS ............................................................................................................... 19 2.0 PUBLICATION AND REPOSITORY RESPONSIBILITIES .....................................................................27 2.1 REPOSITORIES .................................................................................................................................... 27 2.2 PUBLICATION OF CERTIFICATE INFORMATION ........................................................................................... 27 2.3 TIME OR FREQUENCY OF PUBLICATION .................................................................................................... 27 2.4 ACCESS CONTROLS ON REPOSITORIES ..................................................................................................... 28 3.0 IDENTIFICATION AND AUTHENTICATION .....................................................................................28 3.1 NAMING ........................................................................................................................................... 28 Types of Names...................................................................................................................... 28 Need for Names to be Meaningful ........................................................................................ 28 Anonymity or Pseudonymity of Subscribers ........................................................................... 28 Rules for Interpreting Various Name Forms .......................................................................... 28 Uniqueness of Names ............................................................................................................ 28 Recognition, Authentication, and Role of Trademarks .......................................................... 28 3.2 INITIAL IDENTITY VALIDATION ................................................................................................................ 28 Method to Prove Possession of Private Key ........................................................................... 29 Authentication of Organization Identity ................................................................................ 29 Authentication of Individual identity ..................................................................................... 30 Non Verified Subscriber Information ..................................................................................... 34 Validation of Authority .......................................................................................................... 35 Criteria for Interoperation ..................................................................................................... 36 Authentication of Domain Name ........................................................................................... 36 Authentication of Email addresses ........................................................................................ 36 3.3 IDENTIFICATION AND AUTHENTICATION FOR RE-KEY REQUESTS .................................................................... 36 Identification and Authentication for Routine Re-key ........................................................... 36 Identification and Authentication for Reissuance after Revocation ...................................... 37 Re-verification and Revalidation of Identity When Certificate Information Changes ............ 37 Identification and Authentication for Re-key After Revocation ............................................. 37 3.4 IDENTIFICATION AND AUTHENTICATION FOR REVOCATION REQUEST ............................................................. 38 GlobalSign CP (Certificate Policy) 2 of 73 Version: 6.2 4.0 CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS .............................................................38 4.1 CERTIFICATE APPLICATION .................................................................................................................... 38 Who Can Submit a Certificate Application ............................................................................. 38 Enrollment Process and Responsibilities ................................................................................ 38 4.2 CERTIFICATE APPLICATION PROCESSING .................................................................................................. 38 Performing Identification and Authentication Functions ....................................................... 38 Approval or Rejection of Certificate Applications .................................................................. 38 Time to Process Certificate Applications ................................................................................ 39 4.3 CERTIFICATE ISSUANCE ........................................................................................................................ 39 CA Actions during Certificate Issuance .................................................................................. 39 Notifications to Subscriber by the CA of Issuance of Certificate ............................................ 39 Notification to North American Energy Standards Board (NAESB) Subscribers by the CA of Issuance of Certificate ........................................................................................................................... 39 4.4 CERTIFICATE ACCEPTANCE .................................................................................................................... 39 Conduct Constituting Certificate Acceptance ........................................................................ 39 Publication of the Certificate by the CA ................................................................................. 39 Notification of Certificate Issuance by the CA to Other Entities ............................................ 39 4.5 KEY PAIR AND CERTIFICATE USAGE ......................................................................................................... 39 Subscriber Private Key and Certificate Usage ........................................................................ 39 Relying Party Public Key and Certificate Usage ..................................................................... 40 4.6 CERTIFICATE RENEWAL .......................................................................................................................
Recommended publications
  • Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI
    Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI Doowon Kim Bum Jun Kwon Tudor Dumitras, University of Maryland University of Maryland University of Maryland College Park, MD College Park, MD College Park, MD [email protected] [email protected] [email protected] ABSTRACT To establish trust in third-party software, we currently rely on Digitally signed malware can bypass system protection mechanisms the code-signing Public Key Infrastructure (PKI). This infrastruc- that install or launch only programs with valid signatures. It can ture includes Certification Authorities (CAs) that issue certificates also evade anti-virus programs, which often forego scanning signed to software publishers, vouching for their identity. Publishers use binaries. Known from advanced threats such as Stuxnet and Flame, these certificates to sign the software they release, and users rely this type of abuse has not been measured systematically in the on these signatures to decide which software packages to trust broader malware landscape. In particular, the methods, effective- (rather than maintaining a list of trusted packages). If adversaries ness window, and security implications of code-signing PKI abuse can compromise code signing certificates, this has severe impli- are not well understood. We propose a threat model that highlights cations for end-host security. Signed malware can bypass system three types of weaknesses in the code-signing PKI. We overcome protection mechanisms that install or launch only programs with challenges specific to code-signing measurements by introducing valid signatures, and it can evade anti-virus programs, which often techniques for prioritizing the collection of code-signing certificates neglect to scan signed binaries.
    [Show full text]
  • Measuring Breaches of Trust in the Windows Code-Signing PKI
    Session F5: Understanding Security Fails CCS’17, October 30-November 3, 2017, Dallas, TX, USA Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI Doowon Kim Bum Jun Kwon Tudor Dumitras, University of Maryland University of Maryland University of Maryland College Park, MD College Park, MD College Park, MD [email protected] [email protected] [email protected] ABSTRACT To establish trust in third-party software, we currently rely on Digitally signed malware can bypass system protection mechanisms the code-signing Public Key Infrastructure (PKI). This infrastruc- that install or launch only programs with valid signatures. It can ture includes Certification Authorities (CAs) that issue certificates also evade anti-virus programs, which often forego scanning signed to software publishers, vouching for their identity. Publishers use binaries. Known from advanced threats such as Stuxnet and Flame, these certificates to sign the software they release, and users rely this type of abuse has not been measured systematically in the on these signatures to decide which software packages to trust broader malware landscape. In particular, the methods, effective- (rather than maintaining a list of trusted packages). If adversaries ness window, and security implications of code-signing PKI abuse can compromise code signing certificates, this has severe impli- are not well understood. We propose a threat model that highlights cations for end-host security. Signed malware can bypass system three types of weaknesses in the code-signing PKI. We overcome protection mechanisms that install or launch only programs with challenges specific to code-signing measurements by introducing valid signatures, and it can evade anti-virus programs, which often techniques for prioritizing the collection of code-signing certificates neglect to scan signed binaries.
    [Show full text]
  • Security Economics in the HTTPS Value Chain
    Security Economics in the HTTPS Value Chain Hadi Asghari*, Michel J.G. van Eeten*, Axel M. Arnbak+ & Nico A.N.M. van Eijk+1 * [email protected], [email protected] Delft University of Technology, Faculty of Technology Policy and Management + [email protected], [email protected] University van Amsterdam, Faculty of Law, Institute for Information Law Abstract. Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications. Keywords: HTTPS, Cybersecurity, Internet Governance, Constitutional Values, E-Commerce, Value Chain Analysis, Security Economics, eSignatures Regulation, SSL, TLS, Digital Certificates, Certificate Authorities.
    [Show full text]
  • PKI Under Attack
    DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY PKI Under Attack By Jeff Stapleton – ISSA member, Fort Worth, USA Chapter In the September 2012 ISSA Journal, the author looked at a concise history of public key infrastructure and mentioned several Certificate Authority compromise incidents from 2011. This trend seems to be continuing as PKI continues to be under attack. This article explores various PKI vulnerabilities. PKI and SSL framework n the September 2012 ISSA Journal, we looked at a con- cise history of public key in- Ifrastructure (PKI) and mentioned several Certificate Authority (CA) compromise incidents from 2011. This trend seems to be continuing as PKI continues to be under attack. To explore this further, let’s first establish a typical PKI framework, shown in figure 1, to discuss the various vulnerability points and attack vectors. For Figure 1 – PKI and SSL framework this discussion we will focus on a secure socket layer (SSL) [1] scenario which includes a CA consisting of a root certificate of the Red subordinate CA. The Blue root CA typi- (Blue) and two subordinates (Red and Green), a server (S), cally operates in an offline manual mode, and does not issue and the relying parties consisting of the browser manufactur- any other certificates, except possibly to other Red peer-level er (M) and the browser (B). The most common PKI and SSL subordinate CAs not shown. Note that most root CAs have option is using the RSA algorithm for server-side certificates. numerous sub-CAs dedicated to various PKI techniques and As a quick refresher, the browser recognizes the SSL certifi- usage (e.g., RSA keys, other asymmetric algorithms, SSL, cate sent to it by the server.
    [Show full text]
  • Globalsign Certification Practice Statement
    GlobalSign Certification Practice Statement Date: December 29, 2020 Effective date for Qualified Timestamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks} Version: v9.6 Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 8 ACKNOWLEDGMENTS .............................................................................................................................10 1.0 INTRODUCTION ...........................................................................................................................11 1.1 OVERVIEW ........................................................................................................................................ 12 1.1.1 Certificate Naming ................................................................................................................. 15 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 17 1.3 PKI PARTICIPANTS .............................................................................................................................. 22 1.3.1 Certification Authorities ........................................................................................................
    [Show full text]
  • Globalsign Certificate Policy
    GlobalSign Certificate Policy Date: 16th June 2016 Version: v5.2 GlobalSign Certificate Policy Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 8 ACKNOWLEDGMENTS .............................................................................................................................. 8 1.0 INTRODUCTION ............................................................................................................................ 9 1.1 OVERVIEW .......................................................................................................................................... 9 Additional requirements for Trusted Root Issuer CAs ............................................................ 11 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 11 1.3 PKI PARTICIPANTS............................................................................................................................... 12 Certification Authorities (“Issuer CAs”) .................................................................................. 12 Registration Authorities ......................................................................................................... 12 Subscribers ............................................................................................................................
    [Show full text]
  • Download As A
    Security Economics in the HTTPS Value Chain Hadi Asghari*, Michel J.G. van Eeten*, Axel M. Arnbak+ & Nico A.N.M. van Eijk+1 * [email protected], [email protected] Delft University of Technology, Faculty of Technology Policy and Management + [email protected], [email protected] University van Amsterdam, Faculty of Law, Institute for Information Law Abstract. Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications. Keywords: HTTPS, Cybersecurity, Internet Governance, Constitutional Values, E-Commerce, Value Chain Analysis, Security Economics, eSignatures Regulation, SSL, TLS, Digital Certificates, Certificate Authorities.
    [Show full text]
  • Qualified Website Authentication Certificates Promoting Consumer Trust in the Website Authentication Market
    Qualified Website Authentication Certificates Promoting consumer trust in the website authentication market DECEMBER 2015 www.enisa.europa.eu European Union Agency For Network And Information Security Qualified Website Authentication Certificates December 2015 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Author(s) This report was elaborated by a group of experts: Arno Fiedler (Nimbus Technologieberatung), Jon Shamah (EJ Consultants), Inigo Barreira (Izenpe), Wanko Clemens (TÜViT), Arthur Miękina (PWPW), Slawomir Gorniak (ENISA), Clara Galan Manso (ENISA). Editor(s) European Union Agency for Network and Information Security ENISA responsible officer: Clara Galan Manso. For contacting the authors please use [email protected]. For media enquiries about this paper, please use [email protected]. Acknowledgements We would like to express our gratitude to the following individuals for providing valuable comments as external reviewers of the report: Marco Fernandez Gonzalez (European Commission), Ben Wilson (Digicert), Lionel Antunes (Centre des technologies de l’information de l’État, Luxembourg), Marcin Fijalkowski (Ministry of Economy, Poland), Herbert Leitold (Secure Information Technology Centre, Austria) and Tanel Kuusk (Certification Centre, Estonia).
    [Show full text]
  • Globalsign Certification Practice Statement
    GlobalSign Certification Practice Statement Date: March 31, 2020 Effective date for Qualified Timestamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks} Version: v9.3 Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 8 ACKNOWLEDGMENTS .............................................................................................................................. 9 1.0 INTRODUCTION ...........................................................................................................................11 1.1 OVERVIEW ........................................................................................................................................ 11 1.1.1 Certificate Naming ................................................................................................................. 14 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 15 1.3 PKI PARTICIPANTS .............................................................................................................................. 17 1.3.1 Certification Authorities ........................................................................................................
    [Show full text]
  • Network Security and Privacy
    18733: Applied Cryptography SSL/TLS Anupam Datta slide 1 Outline Today SSL/TLS core protocol Authenticity of public keys Next two lectures Password schemes Accountable public key infrastructure slide 2 What Is SSL / TLS? Secure Sockets Layer and Transport Layer Security protocols • Same protocol design, different crypto algorithms De facto standard for Internet security • “The primary goal of the TLS protocol is to provide privacy [confidentiality] and data integrity between two communicating applications” Deployed in every Web browser; also VoIP, payment systems, distributed systems, etc. slide 3 SSL / TLS Guarantees End-to-end secure communications in the presence of a network attacker • Attacker completely 0wns the network: controls Wi-Fi, DNS, routers, his own websites, can listen to any packet, modify packets in transit, inject his own packets into the network Scenario: you are reading your email from an Internet café connected via a r00ted Wi-Fi access point to a dodgy ISP in a hostile authoritarian country slide 4 History of the Protocol SSL 1.0 – internal Netscape design, early 1994? • Lost in the mists of time SSL 2.0 – Netscape, Nov 1994 • Several weaknesses SSL 3.0 – Netscape and Paul Kocher, Nov 1996 • Fixed issues with SSL 2.0; TLS 1.0 – Internet standard, Jan 1999 • Based on SSL 3.0, but not interoperable (uses different cryptographic algorithms) TLS 1.1 – Apr 2006 TLS 1.2 – Aug 2008 slide 5 SSL Basics SSL consists of two protocols Handshake protocol • Uses public-key cryptography to establish several shared secret keys between
    [Show full text]
  • Globalsign Certificate Policy
    GlobalSign Certificate Policy Date: December 29, 2020 Effective date for Qualified Timestamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks} Version: v6.6 Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 8 ACKNOWLEDGMENTS .............................................................................................................................10 1.0 INTRODUCTION ...........................................................................................................................11 1.1 OVERVIEW ........................................................................................................................................ 12 Additional requirements for Trusted Root Issuer CAs ............................................................ 15 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 16 1.3 PKI PARTICIPANTS .............................................................................................................................. 21 Certification Authorities (“Issuer CAs”) .................................................................................. 21
    [Show full text]
  • Globalsign Certification Practice Statement
    GlobalSign Certification Practice Statement Date: September 25, 2019 Effective date for Qualified Time Stamping, Qualified Web Authentication Certificates, Qualified Certificates for Electronic Signatures and Qualified Certificates for Electronic Seals: {normal date + 2 weeks} Version: v9.2 Table of Contents TABLE OF CONTENTS ................................................................................................................................ 2 DOCUMENT HISTORY ............................................................................................................................... 8 ACKNOWLEDGMENTS .............................................................................................................................. 9 1.0 INTRODUCTION ...........................................................................................................................10 1.1 OVERVIEW ........................................................................................................................................ 10 1.1.1 Certificate Naming ................................................................................................................. 13 1.2 DOCUMENT NAME AND IDENTIFICATION ................................................................................................. 14 1.3 PKI PARTICIPANTS .............................................................................................................................. 15 1.3.1 Certification Authorities ........................................................................................................
    [Show full text]