
The Certification Practice Statement of the City of Osmio specifies how digital certificates are to be issued and validated.

 

 

Osmio Vital Records Department

Certification Policy and Practice Statement

Introduction

This document describes the Certification Policy (CP) of the Osmio Vital Records Department and related Certification Practice Statement (CPS):

 

This document, “Osmio Vital Records Department Certification Policy and Practice Statement”, is the principal statement of policy governing the Osmio Vital Records Department, referred to below as the Osmio VRD. The Certification Policy (CP) sets forth the business, legal, and technical requirements for providing certification services, including: (1) approving, issuing, managing, using, revoking and renewing digital certificates for Subjects; (2) maintaining an X.509 Certificate-based public key infrastructure in accordance with the Certificate Policies determined by the Osmio Certification Practices Board; and (3) managing Osmio VRD repository operations, in accordance with the specific requirements of this Certification Policy. The CP also serves as notification of the roles and responsibilities of the parties involved in Certificate-based practices within the Osmio VRD Public Key Infrastructure (PKI).

 

In many cases the policy set forth in this document is also the practice employed by the Osmio VRD; therefore, wherever needed, each statement of certification policy is followed by the related certification practice statement.

 

Organization Definition

 

The Osmio Vital Records Department is a certification organization which provides digital certification in a manner that emulates the paper certification provided by certain paper-based certification organizations, particularly the birth and death records departments of municipalities and other government entities. Osmio maintains the Osmio VRD as a service to the public, in order to secure the identities of individuals and, in collaboration with other established Certificate Authorities (CAs), allow the free and secured flow of information and financial data over the Internet and elsewhere. The Osmio VRD intends eventually to become a unit of an established regulatory body or other instance of duly constituted public authority.

 

Third Parties

 

Some of the services and/or the practices described in this CP may be performed on the Osmio VRD’s behalf by third parties licensed by the Osmio VRD. Consequently, references in this CP to activities, practices, etc., of "The Osmio Vital Records Department" shall mean The Osmio Vital Records Department and/or its selected third-party vendors.

 

The Osmio Vital Records Department

 

Address:

This CP, related agreements and Certificate policies referenced within this document are maintained by the Osmio VRD Certification Practices Board. The Certification Practices Board may be contacted at the below addresses:

 

Worldwide:

Osmio Vital Records Department - Digital Certificates Support

25, Place du Bourg-de-Four
1204
Genève/Geneva

Suisse / Switzerland

 

USA:

The Village Group, Inc.

738 Main Street

Waltham, MA 02451

USA

Internet:

Osmio: http://www.osmio.org

Osmio VRD: http://osmio.org/?app=vitalrecords

IANA assigned OID: 31868

 

Email:

 

Osmio: vrdca@osmio.org

Phone:

USA: +1.781.647.7178

Geneva: +41.22.819.9621

 

Chief Administrative Officer:

Wes Kussmaul

Email: wes@osmio.org

Phone: +1.781.647.7178

 

Further Definition and Structure

The Osmio VRD is a Certification Authority (CA) that issues Identity Certificates (ICs) to individuals in accordance with this CP. In its role as a modified CA, the Osmio VRD performs functions associated with public key operations that include receiving requests, issuing, revoking and renewing ICs and the maintenance, issuance and publication of Certificate Revocation Lists (CRLs) for users within the Osmio VRD Public Key Infrastructure (PKI).

 

The Osmio VRD extends, under agreement, membership of its PKI to approved third parties known as Enrollment Authorities (EAs) and Registration Authorities (RAs). The international network of the Osmio VRD EAs and RAs share the Osmio VRD's policies and practices and utilize a CA infrastructure to issue Osmio VRD ICs. Commercial contractors whose services are retained by the Osmio VRD in the operation of its CA servers and software are also bound by the provisions of this CP.

 

 

Suitability, Amendments and Publication

The Certification Practices Board (CPB) of Osmio and its Osmio VRD is responsible for determining the suitability of certificate policies that are implemented by the CP. The CPB is also responsible for determining the suitability of proposed changes to the CP and for submitting such changes to the Osmio Council, for enactment into the Certification Ordinances (COs) of the Osmio VRD and simultaneous publication of an amended edition of the CP.

 

Upon CPB acceptance and Osmio Council enactment into COs of such changes deemed by the CPB to have significant impact on the users of this CP, an updated edition of the CP will be published in the Osmio VRD repository, with thirty days notice given of upcoming changes and suitable incremental version numbering used to identify new editions.

 

Revisions denoted "not significant" shall be those deemed by the CPB to have minimal or no impact on subscribers and relying parties using Certificates and CRLs issued by the VRD. Such revisions may be made without notice to users of the CP and without changing the version number of this CP. Controls are in place to reasonably ensure that the Osmio VRD CP is not amended and published without prior authorization by the CPB.

 

 

Copyright, Reserved Rights

The organization known as Osmio retains a copyright on the entirety of its websites and documents, and all rights are reserved. You may save to disk or print out individual pages or selections of information contained within Osmio’s properties for your own use, however you must refrain from copying/replicating substantial portions of Osmio material.

 

Purpose

Osmio is a nongovernmental organization (NGO) which is intended to become a duly chartered municipality upon resolution of the issues involved in chartering an entity whose jurisdiction includes logical space rather than physical space. The terms of this Certification Practice Statement shall continue to apply in unmodified form after such a municipal chartering event. Subjects and Relying Parties agree that the authority applied by the Osmio VRD to ICs is duly constituted public authority, of the same legal significance for certification purposes as the authority of a sovereign state whose jurisdiction is global. Osmio's purpose is to organize a source of duly constituted public authority for the purpose of certifying digital identities and to enable those identities to be used for general authentication. Certified digital identities are also intended to be the basis of secondary certifications such as professional licenses, code audits and occupancy permits for online facilities, and in general to bring identity-borne authenticity to online and offline spaces.

Subjects

Subjects in the Osmio VRD identity PKI system are individuals that use the PKI system to facilitate Osmio VRD supported transactions, communications and online activities. Subjects are parties that are identified in a certificate and hold the private key corresponding to the public key that is listed in a Subject certificate. Prior to verification of identity and issuance of a certificate, a Subject is an applicant for the services of the Osmio VRD.

 

Relying Parties

A relying party is an individual or entity that acts in reliance on an Identity Certificate (IC) and/or a digital signature issued by the Osmio VRD. To verify the validity of an IC, relying parties must refer to the Certificate Revocation List (CRL) to ensure that the Osmio VRD has not revoked the certificate. The CRL location is detailed within the certificate (its CRL Distribution Points extension).

 

A relying party may or may not also be a Subject in the Osmio VRD CA.

 

Relying parties use PKI services in relation with the Osmio Vital Records Department certificates and reasonably rely on such certificates and/or digital signatures verifiable with reference to a public key listed in a subscriber certificate.

 

Osmio VRD Certificates

Various CAs make available certificates that, in combination with a Secure Sockets Layer (SSL) web server, attest the public server's identity, providing full authentication and enabling secure communication with corporate customers and partners. Such certificates are known as site certificates.

 

The Osmio Vital Records Department issues only Identity Certificates (ICs). The Osmio VRD ICs may be used to provide an individual's signature on a Web site or other online facility in order to apply personal accountability to the site or resource. However, the Osmio VRD does not provide site certificates. The Osmio VRD may update or extend its list of products, including the types of certificates it issues, as it sees fit.

 

The publication or updating of the list of the Osmio VRD services creates no claims by any third party. Upon the inclusion of a new certificate product in the Osmio VRD hierarchy, an amended version of this CP will be made public within two days, or as soon thereafter as is commercially practicable, on the official Osmio VRD websites. Issued certificates are published in Osmio VRD directories. Suspended or revoked certificates are appropriately referenced in CRLs and published in the Osmio VRD directories. The Osmio VRD does not perform escrow of Subject private keys.

 

Certificate Policy Overview

All certificates issued by the Osmio VRD are Identity Certificates (ICs). An IC is formatted data that cryptographically binds a public key to a person whose identity has been established through an enrollment process. An IC allows such an enrolled and identified person to enter an online environment with the capability to prove his or her identity to others in the environment. ICs in this regard are used as digital equivalents of identification cards.

 

The Osmio VRD adheres to the principles and standards of the Quiet Enjoyment Infrastructure and is a signatory to the Quiet Enjoyment Alliance Membership Agreement. The principles and standards of the Quiet Enjoyment Infrastructure require that all certificates other than ICs are derivatives of ICs, signed by the subject individual, on behalf of herself or on behalf of an organization. In QEI these “derivative certificates” (also referred to as “attribute certificates”, “authorization certificates” or “site certificates”) must additionally be signed personally by an individual identified by an IC. Within the Quiet Enjoyment Infrastructure, derivative certificates are solely the concern of the individual who signs them on his or her own behalf or on behalf of an organization, and thus this CPS does not govern nor concern itself with the issuance of derivative certificates.

 

Depending upon the level of rigor of the enrollment process (see Identity Quality Score and Enrollment Practices Score), varying amounts of the information used to establish the identity of the Subject are recorded at the time of enrollment and kept in confidential and secure enrollment records. However, if the Subject of an IC maintains an identity that is protected by the Personal Information Ownership Infrastructure component of the Quiet Enjoyment Infrastructure, the Internet address of the Subject's Personal Nondisclosure Agreement may be the only element of personal identification in the IC other than its public key. Such an identity certificate's attestation may amount to the following: "An individual human being of unspecified gender was enrolled on this particular date, producing a credential with this specific six-digit identity quality score and with a certificate whose public key is specified herein." A relying party would either need to content itself with the knowledge that a real person is bound with a known level of confidence to that particular public key, or, if that confidence does not suffice for the needs of the relying party, would need to apply to the Subject's Personal Information Ownership Infrastructure to obtain whatever additional information the relying party needed and the Subject was willing to yield to the relying party under nondisclosure provisions.

 

In such case the only information in the IC would be as follows:

 

  • Internet Address (XRI) of Subject's Personal Nondisclosure Agreement, if it exists
  • Issuing certification authority (Osmio VRD).
  • Applicant's public key.
  • Osmio VRD digital signature.
  • Type of algorithm.
  • Validity period of the digital certificate.
  • Serial number of the digital certificate.
  • Six-digit Identity Quality Score
  • Date and time of enrollment

Notwithstanding the above provisions of the Personal Information Ownership Infrastructure, space is provided within the IC for inclusion of elements of personally identifying information according to the desires of the Subject, or at the direction of applicable law where the Subject resides or is enrolled. The Subject is solely responsible for adherence to the provisions of applicable law regarding the use of cryptographic keys related to the Subject's IC, including the disclosure of personal information in the IC. In such cases the following additional data elements are available:

 

  • Subject's current full legal name.
  • Subject's full name at birth, if known.
  • IANA Code of applicant's first country of citizenship at time of birth.
  • IANA Code of applicant's second country of citizenship at time of birth.
  • IANA Code of applicant's first country of citizenship at time of enrollment.
  • IANA Code of applicant's second country of citizenship at time of enrollment.
  • Name of Enrollment Officer, if any
  • Public Key of Enrollment Officer, if any
  • Name and Jurisdiction of Notary, if enrollment was Face-To-Face (DBC™)
  • Subject's nicknames, aliases and previous names, if any
  • Subject's identity assertion name such as I-Name or OpenID.
  • Issuing certification authority (Osmio VRD).
  • Subject's public key.
  • Osmio VRD digital signature.
  • Type of algorithm.
  • Validity period of the digital certificate.
  • Serial number of the digital certificate.
  • Six-digit Identity Quality Score
  • Subject's mother's and father's full names at birth, if known
  • Subject's address at time of birth
  • Subject's date of birth and time of birth, if recorded
  • Subject's place of birth
  • Name of attending physician, midwife, or other signer of physical birth certificate
  • Subject's national ID number
  • Subject's country of citizenship at time of enrollment.
  • Public key of Enrollment Officer
  • Date and time of enrollment
  • Place of enrollment by address
  • Place of enrollment by geographic coordinates as recorded by enrollment workstation
  • Name of signed enrollment record file

 

While the only type of certificate issued by the Osmio VRD is an IC, ICs differ in the degree and manner in which they certify identity. Prospective Subjects are advised to understand their own requirements, those of anticipated relying parties, and local laws for their specific application before applying for a specific IC.

 

Extensions and Naming

 

Digital Certificate Extensions

The Osmio VRD uses the X.509 version 3 standard to construct Digital Certificates for use within the Osmio VRD PKI. X.509v3 allows a CA to add certificate extensions to the basic certificate structure. The Osmio VRD uses a number of certificate extensions for the purposes intended by X.509v3 as per Amendment 1 to ISO/IEC 9594-8, 1995. X.509v3 is the International Telecommunication Union (ITU) standard for digital certificates.

 

Incorporation by Reference for Extensions and Enhanced Naming

Enhanced naming is the usage of an extended organization field in an X.509v3 certificate. Information contained in the Identity Quality fields is also included in the Certificate Policy extension that the Osmio VRD may use.

 

Subject Private Key Generation Process

The Enrollment Officer (EO) or the Subject is responsible for the generation of the private key used in the certificate request. The Osmio VRD does not provide key generation, escrow, recovery or backup facilities as part of its certification services.

 

Upon making a certificate application, either the Enrollment Officer or the Subject (depending upon the type of enrollment process) is responsible for the generation of an asymmetric key pair that is appropriate to the certificate type being applied for. During application the Enrollment Officer (or, in the case of unsupervised enrollments, the Subject) will be required to submit a public key and information supporting the attestation of identity in the form of a Certificate Signing Request (CSR).

 

Subject Private Key Protection and Backup

The Subject is solely responsible for protection of the Subject's private key. The Osmio VRD maintains no involvement in the generation, protection or distribution of such keys as part of its certification services. The Osmio VRD strongly urges Subjects to use a strong password or equivalent authentication method to prevent unauthorized access and usage of the Subject's private key.

 

Subject Public Key Delivery to The Osmio Vital Records Department

Certificate signing requests are generated using the Enrollment Officer's enrollment workstation software (or, in the case of unsupervised enrollments, the Subject's software) and the request is submitted to the Osmio VRD in the form of a PKCS #10 Certificate Signing Request (CSR). Submission is made electronically via the Osmio VRD website or through an Osmio VRD-approved RA.
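The two sides of the exchange described in this section and in Subject Private Key Generation Process, as an added example in Go's standard library (this is not Osmio VRD code): the Subject's software generates an ECDSA P-256 key pair, keeps the private key local, and emits a PEM-encoded PKCS #10 request; the VRD intake verifies the request's own signature, which is the proof that the applicant holds the private key and that the requested name was not altered after signing, and then applies an assumed key-acceptance policy (P-256/P-384, or RSA of at least 2048 bits). The function names, the organization string and that key policy are assumptions of the example, not terms of the CP.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// subjectCSR runs on the Subject's (or Enrollment Officer's) workstation.
// The private key never leaves it; only the PKCS #10 request is returned
// for delivery to the VRD. The organization string is an assumed value.
func subjectCSR(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Organization: []string{"Osmio VRD Subject (example)"}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key) // signed with the private key
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// vrdAcceptCSR is the intake check on the VRD side: decode the PEM, verify the
// request's self-signature (proof of possession of the private key, and proof
// that the subject fields were not altered after signing), then apply an
// assumed key-acceptance policy.
func vrdAcceptCSR(pemCSR []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM-encoded CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *ecdsa.PublicKey:
		if name := pub.Curve.Params().Name; name != "P-256" && name != "P-384" {
			return nil, fmt.Errorf("curve %s not accepted", name)
		}
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			return nil, errors.New("RSA key shorter than 2048 bits not accepted")
		}
	default:
		return nil, errors.New("unsupported public key type")
	}
	return csr, nil
}

// tamperSubject simulates an in-transit alteration of the requested name
// (same length, so the ASN.1 structure still parses). The signature check
// in vrdAcceptCSR is what catches it; the subject precedes the key in the
// request, so the first match is inside the subject name.
func tamperSubject(pemCSR []byte, from, to string) []byte {
	block, _ := pem.Decode(pemCSR)
	der := bytes.Replace(block.Bytes, []byte(from), []byte(to), 1)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	_, csrPEM, err := subjectCSR("Jane Q. Doe") // constructed sample name
	if err != nil {
		panic(err)
	}
	if csr, err := vrdAcceptCSR(csrPEM); err == nil {
		fmt.Println("accepted request for", csr.Subject.CommonName)
	}
	_, err = vrdAcceptCSR(tamperSubject(csrPEM, "Jane", "Jake"))
	fmt.Println("tampered request:", err)
}
```

The point of the tampering step is that a CSR is signed by the key it carries: an RA that relays a request cannot quietly change whose name is being certified without the VRD noticing, and a request that fails this check should be dropped before any identity verification effort is spent on it.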

 

Delivery of Issued Subject Certificate to Subject

Delivery of Subject certificates to the associated Subject is dependent on the certificate product type:

 

Remote Unsupervised Enrollment

Remote Enrollment certificates are delivered at the end of a successful enrollment session through the SSL connection established during the session.

 

Remotely Supervised Face-To-Face Enrollment

Certificates produced as the product of a Remotely Supervised Face-To-Face enrollment session are delivered at the end of the successful session through the SSL connection established during the session.

 

Face-To-Face Enrollment

Face-To-Face Enrollment certificates are provided at the end of a successful enrollment session, installed in the Subject's computer or digital wallet ("token") by the Enrollment Officer.

 

Certificate Profiles

An IC profile contains fields as specified below:

 

Certificate Contents

 

Osmio VRD issues X.509 Identity Certificates (ICs) to individuals upon completion of an enrollment procedure. Each IC includes the following information.

 

Identity Quality Score

 

Each IC issued by the Osmio VRD contains elements of information specified in the Osmio VRD Certificates section, which specification includes a six digit Identity Quality Score that is stored in the certificate itself.

 

In addition, the Identity Quality Score may also be stored in an external file that is identified by an XRI address, which provides for updates to the Identity Quality Score while binding it to the same public key. Thus the certificate includes a field called External Identity Quality Address, containing an XRI address where updated Identity Quality information may be found. If the Identity Quality Address is blank then the only Identity Quality information is in the certificate itself.

 

If an address of an Identity Quality Score External File is present, it will have an XRI address of the following format: xri://=johndoe/(urn:osmiovrdicpk:[certificate serial number])
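How the score stored "in the certificate itself" and the CRL check required of relying parties fit together on the wire, as an added Go example (not Osmio VRD code): the issuer signs an IC whose X.509v3 extensions carry the six-digit Identity Quality Score and the CRL location, and the relying party verifies the issuer signature on the IC, verifies a CRL signed by the same issuer, fails closed on a stale CRL, rejects a revoked serial, and only then reads the score. The extension OID is an assumed sub-arc under Osmio's IANA private enterprise number 31868 (the CP states the number, not the arc below it); the CRL URL, subject names, serials and validity periods are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed extension OID: a sub-arc under Osmio's IANA PEN 31868 (1.3.6.1.4.1.31868).
var oidIdentityQualityScore = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 31868, 1}

// newSubjectKey stands in for the key pair generated on the Subject's own equipment.
func newSubjectKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signCert issues tmpl under parent (self-signed when parent == tmpl) and re-parses it
// so derived fields such as the CA's SubjectKeyId, needed for CRL signing, are populated.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds the example issuing certificate, permitted to sign both ICs and CRLs.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newSubjectKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Osmio VRD issuing CA (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueIC signs an IC whose extensions carry the six-digit Identity Quality Score
// (a PrintableString, so leading zeros survive) and the CRL Distribution Point.
func issueIC(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, serial int64, iqs, crlURL string) (*x509.Certificate, error) {
	if len(iqs) != 6 {
		return nil, errors.New("identity quality score must be exactly six digits")
	}
	iqsDER, err := asn1.Marshal(iqs)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Osmio VRD Subject (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, CRLDistributionPoints: []string{crlURL},
		ExtraExtensions: []pkix.Extension{{Id: oidIdentityQualityScore, Value: iqsDER}},
	}
	return signCert(tmpl, ca, pub, caKey)
}

// publishCRL signs a CRL listing the given serials as revoked, good for one day.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// checkIC is the relying party's side: issuer signatures on IC and CRL, the time
// window (a CRL past NextUpdate fails closed), revocation, and only then the score.
func checkIC(ic, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) (string, error) {
	if err := ic.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("IC signature: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(ic.NotBefore) || now.After(ic.NotAfter) || now.After(crl.NextUpdate) {
		return "", errors.New("IC outside its validity period, or CRL stale")
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go 1.21+
		if rc.SerialNumber.Cmp(ic.SerialNumber) == 0 {
			return "", errors.New("IC has been revoked")
		}
	}
	for _, ext := range ic.Extensions {
		if ext.Id.Equal(oidIdentityQualityScore) {
			var iqs string
			_, err := asn1.Unmarshal(ext.Value, &iqs)
			return iqs, err
		}
	}
	return "", errors.New("IC carries no Identity Quality Score extension")
}

func main() {
	ca, caKey, _ := newCA()
	subKey, _ := newSubjectKey()
	ic, _ := issueIC(ca, caKey, &subKey.PublicKey, 1001, "082143", "http://osmio.org/vrd/crl") // constructed values
	crl, _ := publishCRL(ca, caKey, []int64{999}) // 1001 is not listed, so the IC passes
	fmt.Println(checkIC(ic, ca, crl, time.Now()))
}
```

Two design points worth noting. The score is carried as a string rather than an integer so that a score such as 082143 keeps its leading zero, since each digit is a separate item. And the relying party treats an expired or unverifiable CRL as a failure, not as "nothing revoked": a relying party that skips the CRL on error is exactly what an attacker holding a compromised private key is hoping for.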

The content of the Identity Quality Score is determined and entered by the Enrollment Officer according to the following standards:

 

Identity Quality Score Item 1:

 

Personal Asset Protection Score

Value: 0-9

 

The Personal Asset Protection Score is entered by the Enrollment Officer according to the instructions in the Enrollment Order. The meaning of the scores is as follows:

PAP Score Value and meaning:

  • 0: The identity is not "owned" but is simply a username that was created by the user for access to a particular application or set of applications.
  • 1: The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in a single application provided by the principal relying party.
  • 2: The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in the principal relying party's limited set of applications or local area network.
  • 3: The identity was established by, and is owned by, a principal relying party such as an employer, strictly for use in the principal relying party's local and wide area network.
  • 4: The identity was established by, and is owned by, an independent enrollment authority only for use in the network of one principal relying party such as an employer.
  • 5: The identity either was established by, and is owned by, an independent enrollment authority principally for the benefit of one principal relying party such as an employer but is available for use elsewhere; or was established by, and is owned by, a government entity other than an intelligence agency; or is characterized as "user-centric single sign-on" with ownership not specified.
  • 6: Ownership of the identity is explicitly that of a bank or financial services firm, for use in accounts with an available cash balance, with the bank or financial services firm as the sole relying party.
  • 7: The identity is owned by a bank or financial services firm, for use in accounts with an available cash balance and also for use in the applications and networks of multiple relying parties.
  • 8: Ownership of the identity is explicitly that of the Subject, for use in the applications and networks of multiple relying parties.
  • 9: Ownership of the identity is explicitly that of the Subject, for use in the applications and networks of multiple relying parties, at least one of which is a bank or other financial services firm and provides access to an account with an available cash balance.

Identity Quality Score Item 2:

 

Enrollment Practices Score

Value: 0-9

 

Proper enrollment may take place in an online session where the enrollee is not at the same location where the key pair is generated, or enrollment may take place in a face-to-face setting with a signing agent, notary, enrollment officer or other public official. Generally remote enrollment is weaker than face-to-face enrollment. For the purpose of quantifying the strength of enrollment practices we have assigned a value from zero to nine to each of the following enrollment procedures.

 

Provisional Certificate

Each procedure begins with the creation of a Provisional Certificate. To obtain a Provisional Certificate the Subject, using a standard Web browser and Internet connection, opens an initial enrollment form which prompts for an email address that is under the control of the Subject and to which a validation code can be sent. The Subject enters a suitable email address and clicks a button to initiate the sending of a message containing a unique, automatically generated validation code. The Subject is instructed to check his or her email, open the message containing the validation code, and copy the code. The message instructs the Subject to click an accompanying link or to return to the Web page from which the email sending process was initiated, to confirm that he or she intended the enrollment to take place, and to paste the received validation code into the appropriate space in the form, whereupon a Provisional Certificate is issued.
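The server side of the validation-code step above, as an added Go example that is not Osmio's code: the code is generated from the system random source, only its SHA-256 hash is stored against the address, and redemption is single-use, time-limited, attempt-limited and compared in constant time. The type and function names, the 80-bit code length, the 15-minute lifetime and the three-attempt limit are assumptions of the example; the CP states none of them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"sync"
	"time"
)

// pendingCode is one outstanding Provisional Certificate request. Only the
// SHA-256 of the emailed code is kept, so a leaked table yields no usable codes.
type pendingCode struct {
	hash     [32]byte
	expires  time.Time
	attempts int
}

// ProvisionalEnrollment tracks validation codes by e-mail address.
// The lifetime and attempt limit are assumptions, not values from the CP.
type ProvisionalEnrollment struct {
	mu       sync.Mutex
	pending  map[string]pendingCode
	ttl      time.Duration
	maxTries int
}

func NewProvisionalEnrollment(ttl time.Duration, maxTries int) *ProvisionalEnrollment {
	return &ProvisionalEnrollment{pending: map[string]pendingCode{}, ttl: ttl, maxTries: maxTries}
}

// IssueCode creates the validation code to be e-mailed to the Subject. Ten
// random bytes give 80 bits of entropy, rendered as 16 base32 characters that
// survive copy and paste. A repeat request replaces the earlier code.
func (p *ProvisionalEnrollment) IssueCode(email string, now time.Time) (string, error) {
	raw := make([]byte, 10)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
	p.mu.Lock()
	defer p.mu.Unlock()
	p.pending[email] = pendingCode{hash: sha256.Sum256([]byte(code)), expires: now.Add(p.ttl)}
	return code, nil
}

// Redeem consumes the code pasted back into the form. It is single-use,
// time-limited, bounded in attempts, and compared in constant time; on
// success the caller may issue the Provisional Certificate.
func (p *ProvisionalEnrollment) Redeem(email, code string, now time.Time) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	entry, ok := p.pending[email]
	if !ok {
		return errors.New("no enrollment pending for this address")
	}
	if now.After(entry.expires) {
		delete(p.pending, email)
		return errors.New("validation code expired; request a new one")
	}
	entry.attempts++
	if entry.attempts > p.maxTries {
		delete(p.pending, email)
		return errors.New("too many attempts; restart enrollment")
	}
	got := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(got[:], entry.hash[:]) != 1 {
		p.pending[email] = entry // keep the incremented attempt count
		return errors.New("validation code does not match")
	}
	delete(p.pending, email) // single use
	return nil
}

func main() {
	p := NewProvisionalEnrollment(15*time.Minute, 3)
	code, _ := p.IssueCode("subject@example.org", time.Now()) // constructed address
	fmt.Println("emailed code:", code)
	fmt.Println("wrong code:", p.Redeem("subject@example.org", "NOTTHECODE000000", time.Now()))
	fmt.Println("right code:", p.Redeem("subject@example.org", code, time.Now()))
	fmt.Println("replayed  :", p.Redeem("subject@example.org", code, time.Now()))
}
```

What a Provisional Certificate attests is only that someone could read mail at that address within the window; the later EPS steps build on it, so the code must not be guessable, reusable, or long-lived, and an attempt limit is what keeps a 16-character code from being brute-forced through the form.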

 

 

REMOTE ENROLLMENT

Each procedure is listed with its EP code and its EPS Value. For every procedure from VA onward, once the listed validation steps succeed the enrollment concludes in the same way: a key pair is generated; the public key, the identity verification supporting information, and any additional Identity Quality information are made part of a certificate signing request, which is sent to the Osmio VRD; the Osmio VRD creates the X.509v3 identity certificate by signing the public key; and the certificate is sent to the Subject's information appliance or wallet (computer, phone, token, smart card, etc.) and recorded with the supporting information in the Osmio VRD database.

  • P (EPS 0): The Provisional Certificate (described in the preceding paragraph).
  • VA (EPS 1): After receiving a Provisional Certificate, the Subject is directed to an Osmio VRD SSL web page. A cookie is placed on the Subject's computer, and the MAC and IP addresses of the Subject's computer are recorded for inclusion in the enrollment records.
  • VI (EPS 2): After receiving a Provisional Certificate, the Subject is directed to an Osmio VRD SSL web page that invokes an identity validation session, during which the Subject is asked for a national identity number (SSN in the USA), the address of his or her primary residence, a driver's license number, and answers to a series of questions about personal history (a PII corroboration session).
  • VB (EPS 2): After receiving a Provisional Certificate, the Subject is directed to an Osmio VRD SSL web page with a form that prompts for name, address, identity assertion network ID information, and a telephone number or VoIP address that the host system is to call upon submission of the form. An automated system places the call. On answering, the Subject hears an automated voice prompt asking him or her to read a control number from the computer screen and enter it on the telephone keypad. If the correct number is entered, a cookie is placed and the MAC and IP addresses of the Subject's computer are recorded.
  • VC (EPS 3): Same as VB, with the addition of a voice recording step after the correct control number is entered: the Subject is asked to recite a string of digits into the telephone. The recital of each digit is recorded separately in the enrollment record, which is signed by the automated enrollment system.
  • VD (EPS 4): After receiving a Provisional Certificate, the Subject is directed to an Osmio VRD SSL web page, fills in a web form, and enters the name of a published information source that lists a telephone number associated with the Subject, such as a directory publication or a number disclosed by a principal relying party (employer, insurer, bank, etc.). At a randomly determined time the Enrollment Officer calls the published telephone number. The Subject answers, confirms that he or she authorized the call, and is asked to enter a one-time web address into his or her browser. A control number is presented in the browser window, and the Subject is asked to enter it on the telephone keypad. If that is done correctly, the Subject is asked a series of questions that the Enrollment Officer has retrieved from NCMS, ChoicePoint, Lexis Nexis, or another PII corroboration service. If the questions are answered satisfactorily, the Subject is asked to recite a string of digits into the telephone; the recital of each digit is recorded separately in the database record.
  • (no EP code given) (EPS 5): After receiving a Provisional Certificate, the Subject is directed to an Osmio VRD SSL web page and fills in a web form that produces an enrollment appointment. The form records the name of a published information source that lists the telephone number associated with the Subject (a directory publication, or a number disclosed by a principal relying party such as an employer, insurer or bank) and a username or other identifier for an online videoconference or video chat facility. At the agreed time the Enrollment Officer initiates a video communication with the Subject and calls the published telephone number. The Subject responds to the video request, answers the phone, confirms that he or she authorized the call, and is asked to turn to his or her computer. The MAC and IP addresses of the Subject's computer are recorded, and the Subject is asked to enter the control number on the telephone keypad. If that is done correctly, the Subject is asked a series of questions that the Enrollment Officer has retrieved from ChoicePoint, Lexis Nexis, or another PII corroboration service. If the questions are answered satisfactorily, the Subject is asked to recite a string of digits into the telephone; the recital of each digit is recorded separately in the database record.
  • Val-ID™ Level 2 (EPS 4): After receiving a Provisional Certificate, the Subject is prompted for a national identity number (SSN in the USA), address, driver's license, and answers to a series of questions about personal history. After the questions are answered satisfactorily, an Enrollment Officer places a telephone or VoIP call to the telephone number listed in the Subject's name in a public directory, or to the Subject's place of employment at an established organization, and asks questions to confirm the Subject's identity. Satisfactory responses in both the online and telephone sessions lead the Enrollment Officer to digitally sign an entry at the Osmio VRD Certification Authority authorizing the signing of a Val-ID Level 2 Certificate to the holder of the corresponding Provisional Certificate, that is, the Subject. The Subject is then instructed on the creation of the key pair and Certificate Signing Request.

 

REMOTELY SUPERVISED FACE-TO-FACE ENROLLMENT (Patent Pending)

Score Value: 6

 

After receiving a Provisional Certificate, the Subject fills in a web form that prompts for the information to be included in an Affidavit of Identity and for preferred times and location(s) for a face-to-face enrollment appointment at either the Subject's location or the office of a Notary Public. The resulting affidavit, in the form of a PDF file, is emailed to both the Subject and the Notary Public, who prints the document. At the subsequent enrollment session a computer with a video camera and microphone joins an online session with a similar computer at the office of an Enrollment Officer. The Notary Public uses proper procedures for verifying government-issued identity credentials (driver's license, passport) and birth certificate. (If the birth certificate is not available, that fact is noted in the certificate.) Over the video link, the Enrollment Officer asks a series of questions that he or she has retrieved from ChoicePoint, Lexis Nexis, or another PII corroboration service. If the questions are answered satisfactorily, the Enrollment Officer prepares his or her computer to record a video of the subsequent proceedings and instructs the Notary Public to administer an Oath of Identity, using the affidavit which was previously printed. The video continues to record the signing of the affidavit by the Subject and the signing and sealing of the accompanying jurat by the Notary Public. After the video recording is stopped and the file encrypted with the Enrollment Officer's key and saved to the Enrollment Officer's secure enrollment records database, the Notary Public is instructed to hold the identity documents to the camera; still images are taken, encrypted, and saved to the secure enrollment records database.

If the Subject requests an unencrypted copy of the video and still enrollment records, the records are saved to a CD together with a digitally signed certification by the Enrollment Officer that no other unencrypted copy of the enrollment records exists and that the encrypted version will not be decrypted except under conditions defined by the Subject's personal information ownership infrastructure; the CD is then sent via certified mail to the Subject. A key pair is generated according to the standards defined in this document (Credential Carrier Score).

 

A key pair is generated, with one of the keys being designated the public key. The public key, identity verification supporting information, and any additional Identity Quality information is made part of a certificate signing request, which is sent to Osmio VRD. Subsequently the X.509v3 identity certificate is created by the signing of the public key by Osmio VRD. The certificate is sent to the user's information appliance or wallet (computer, phone, token, smart card etc.) and recorded with supporting information in the Osmio VRD database.

FACE-TO-FACE ENROLLMENT (Digital Birth Certificate)

Score Value: 7

After receiving a Provisional Certificate, in a subsequent online session the Subject completes an Affidavit Form which prompts for such information as is typically found on a traditional birth certificate, as well as a national identity number (SSN in the USA), address, driver's license, and answers to a series of questions about personal history. Upon completion of the form, an Affidavit of Identity in the form of a PDF file is sent to the Subject's email address. The Subject prints the Affidavit of Identity and requests an appointment with a Notary Public. The Enrollment Officer selects a Notary Public meeting QEI standards near the Subject and makes the appointment. A copy of the Affidavit of Identity may be emailed to the selected Notary Public. The Subject then takes this Affidavit and his/her identification documents to the notary, where an oath is administered based upon the contents of the Affidavit of Identity and the certificate or jurat is sealed by the Notary Public. The Enrollment Officer contacts the Notary Public, confirms that verification of documents and oath proceeded satisfactorily and requests copies of all documents including the sealed Affidavit of Identity. The Enrollment Officer digitally signs an entry at the Osmio VRD Certification Authority authorizing the signing of a Digital Birth Certificate to the holder of the corresponding Provisional Certificate, that is, the Subject. A key pair is generated, with one of the keys being designated the public key. The public key, identity verification supporting information, and any additional Identity Quality information are made part of a certificate signing request, which is sent to Osmio VRD. Subsequently the X.509v3 identity certificate is created by the signing of the public key by Osmio VRD. The certificate is sent to the user's information appliance or wallet (computer, phone, token, smart card etc.) and recorded with supporting information in the Osmio VRD database.

   

After receiving a Provisional Certificate, the Subject fills in a web form that includes fields for entry of the content of an Affidavit of Identity and a space for preferred times for a face-to-face enrollment appointment at the Subject's location or the enrollment officer's office. At the appointment the enrollment officer, a notary, examines the Subject's identity document(s) (driver's license and/or passport), and the Subject is asked a series of questions that the enrollment officer has retrieved from ChoicePoint, Lexis Nexis, or another PII corroboration service. If the questions are answered satisfactorily, the enrollment officer administers an oath of identity wherein the Subject recites the content of the affidavit. The enrollment officer signs and seals the jurat attached to the affidavit. A key pair is generated, with one of the keys being designated the public key. The public key, identity verification supporting information, and any additional Identity Quality information are made part of a certificate signing request, which is sent to Osmio VRD. Subsequently the X.509v3 identity certificate is created by the signing of the public key by Osmio VRD. The certificate is sent to the user's information appliance or wallet (computer, phone, token, smart card etc.) and recorded with supporting information in the Osmio VRD database.

 

Digital Birth Certificate (DBC)

Score Value: 8

After receiving a Provisional Certificate, the Subject fills in a web form that includes fields for entry of the content of an Affidavit of Identity and a space for preferred times for a face-to-face enrollment appointment at the Subject's location or the enrollment officer's office. At the appointment the enrollment officer, a signing agent, examines the Subject's identity document(s) (driver's license and/or passport), and the Subject is asked a series of questions that the enrollment officer has retrieved from ChoicePoint, Lexis Nexis, or another PII corroboration service. If the questions are answered satisfactorily the enrollment officer administers an oath of identity wherein the Subject recites the content of the affidavit. The enrollment officer signs and seals the jurat attached to the affidavit and uses his or her specially equipped computer to capture biometric data including fingerprint, iris image, facial image and voice. A key pair is generated, with one of the keys being designated the public key. The public key, identity verification supporting information, and any additional Identity Quality information are made part of a certificate signing request, which is sent to Osmio VRD. Subsequently the X.509v3 identity certificate is created by the signing of the public key by Osmio VRD. The certificate is sent to the user's information appliance or wallet (computer, phone, token, smart card etc.) and recorded with supporting information in the Osmio VRD database.

 

Score Value: 9

After receiving a Provisional Certificate, the Subject fills in a web form that includes fields for entry of the content of an Affidavit of Identity and a space for preferred times for a face-to-face enrollment appointment at the Subject's location or the enrollment officer's office. At the appointment the enrollment officer, a Tabelio Officer, examines the Subject's identity document(s) (driver's license and/or passport) using a source of ultraviolet light that is part of the Tabelio Officer's enrollment workstation, compares the documents to examples in the ID Checking Guide, checks the data and barcodes, turns on a video camera with microphone that is connected to the Tabelio Officer's enrollment workstation and administers an oath of identity wherein the Subject recites the content of the affidavit on camera. The enrollment officer signs and seals the jurat attached to the affidavit and takes a fingerprint and iris image of the Subject. The enrollment workstation is used to sign in to an online facility.

A key pair is generated, with one of the keys being designated the public key. The public key, identity verification supporting information, and any additional Identity Quality information is made part of a certificate signing request, which is sent to Osmio VRD. Subsequently the X.509v3 identity certificate is created by the signing of the public key by Osmio VRD. The certificate is sent to the user's information appliance or wallet (computer, phone, token, smart card etc.) and recorded with supporting information in the Osmio VRD database.

The private key is embedded into a fingerprint-enabled USB token or smart card or wireless token or other multi-factor identity device. The Subject is given two copies of a DVD containing all information, including biometric data, encrypted using the Subject's key, from the session and is offered an escrow service to safeguard the private key from loss.

 

Both civil and criminal liability are assumed by the notary in the face-to-face enrollments. While there is also an assurance that the individual is the one named in the identity documents, a fake identity document of particularly high quality is undetectable, and thus it is possible that an impostor's name will be bound to the resulting identity certificate. Even in that case, however, the relying party can be assured of a reliable identity because the public key that is issued and signed is bound inextricably to the human being who was enrolled. If the credential is subsequently shared in spite of on-token biometrics and other measures to prevent sharing, non-repudiation remains strong.

Identity Quality Score Item 3: Means of Assertion Score

Value: 0-5, 8, 9

 

An Identity Certificate issued by the Osmio VRD may be used without the benefit of an assertion network, or may be presented subsequent to the assertion of an identity via one of the many assertion networks such as OpenID, Liberty Alliance, I-Name and others. The Means of Assertion Score represents the degree of universality of assertion of the identity through the various assertion networks at the time of issuance.

 

The Means of Assertion Score is applied at time of enrollment and therefore any subsequent changes in available means of assertion will not be reflected in the Means of Assertion Score.


MA Score Value and Meaning:

0: Certificate stands by itself and is not associated with an identity from an identity assertion network
1: Assertable only as a username in a single organizational network
2: Assertable only on a single online resource such as a Web site
3: Assertable only through a proprietary group of online resources such as a group of related Web sites or a federated identity network
4: Assertable through OpenID, CardSpace or Liberty Alliance
5: Assertable through I-Name
6 and 7: Not Assigned
8: Assertable through multiple identity assertion networks
9: Assertable through all current identity assertion networks

 

 

Identity Quality Score Item 4: Quality of Certification Score

Value: 0-9

 

Attestation Score Value and Meaning:

0: No certification, no independent IdP
   Identity provided by a traditional IdP after a verification-code-to-email procedure or after a transaction-based process with the subject
   Identity provided by an IdP using an X.509v3 certificate after a verification-code-to-email procedure or after a transaction-based process with the subject
1: Provisional Certificate (also known as a "stub certificate") issued after a simple verification-code-to-email procedure. Can be used as a placeholder for a certificate that is to be subsequently issued pursuant to an enrollment procedure.

The following scores of 0 through 7 do not apply to Osmio VRD certificates and are included here only for illustration purposes.

0: No certification
0: Identity provided by IdP with no CA and no attestation
1: Identity provided by IdP with non-CA attestation
2: (no meaning listed)
8: Normal Osmio VRD Certificate Attestation
9: For Future Use


Identity Quality Score Item 5: Credential Quality Score

Value: 0-9

 

The Credential Quality Score describes the technology used to carry and assert the Subject's identity. It reflects the least secure means, known to and verified by the enrollment officer, by which the private key corresponding to the IC will be stored. In other words, if the private key resides both in a three-factor hard token and on the hard drive of a typical network-connected computer running a personal computer operating system, then the Credential Quality Score (also called the Credential Carrier Score) will be the lower of the two possible values, which in this case is zero or one.


CQ Score Value and Meaning:

0: N/A (This is used only when Identity Quality Scores are stored in an external file and there is no certificate; the credential is a simple assertion (serial number, URL, URI, etc.) with no use of asymmetric cryptography, that is, no X.509 identity certificate.)
1: Private key is stored on the hard drive of a network-connected computer running a personal computer operating system without protection from intrusion.
2: Private key is stored on the hard drive of a network-connected computer running a personal computer operating system with an intrusion prevention mechanism whose quality has been verified by the enrollment officer; or in a verified "sandbox" area on a device such as a mobile phone but without isolation from the device's general operating system.
3: Private key is stored in a verified isolated device with a separate operating environment on a device such as a mobile phone, isolated from the device's general operating system, as verified by the Enrollment Officer.
4: Private key is stored in a verified isolated device with a separate operating environment on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of a passcode from the keypad of the mobile device.
5: Private key is stored in a verified isolated device with a separate operating environment on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of a passcode or biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device.
6: Private key is stored in a verified isolated device with a separate operating system that meets the "Osmium" standard for isolated cryptographic operating systems or an equivalent standard for HSM devices on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of both a passcode and a biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device.
7: Private key is stored in a verified isolated device with a separate operating system that meets the "Osmium" standard for isolated cryptographic operating systems or an equivalent standard for HSM devices on a device such as a mobile phone, isolated from the device's general operating system; all cryptographic operations are performed in the isolated portion of the device, as verified by the enrollment officer. Use of the private key is enabled by input of both a passcode and a biometric on the isolated portion of the device and not from the keypad or biometric input of the mobile device. Additionally, the isolated device has a display, circuitry and Osmium-grade software that is suitable for image-verification of a remote facility for authenticity, and a system in which the verification image exists only in encrypted form, with all cleartext versions of the image having been destroyed.
8: A score of 8 may be reached if incrementation warrants, with incrementation by one if multiple key pairs that are separate from an archived foundational private key are used in the establishment and operation of this identity.
9: In addition, the CC Code is incremented by two if separate key pairs are used for signing, authentication, and encryption, with different key pairs used for different types of token usage (single factor, two factor, three factor, four factor), all of which are bound to an archived foundational private key.

 

 

Identity Quality Score Item 6: Assumption of Liability Score

Value: 0-9

 

The Assumption of Liability Score identifies the nature and degree to which one or more identified parties assume liability for the consequences of the use of an identity which was fraudulently obtained.

 

 

AL Score Value and Meaning:

0: No assumption of liability by any party.
1: Used only for certificates produced by non-notarial enrollment processes: the Enrollment Officer assumes at least $5,000 liability for the integrity of the enrollment process, meaning that the enrollment officer takes responsibility for the subject's correct identity.
2: The enrollment was notarial, which means the Subject is under penalty of perjury for any false information in the oath and affidavit, and the enrolling notary (not necessarily the same person as the enrollment officer) assumes criminal liability for fraudulent enrollment. However, no financial liability is assumed.
3: The enrollment was notarial, and the subject assumes at least $10,000 liability for acts of fraudulent enrollment; however, such liability is not covered by insurance or bond.
4: The enrollment was notarial, and the subject assumes at least $5,000 bonded or insured liability for acts of fraudulent enrollment.
5: The enrollment was notarial, and the subject, enrolling notary and enrollment officer (if different from the enrolling notary) each assume at least $5,000 bonded or insured liability for acts of fraudulent enrollment.
6: The enrollment was notarial, and the subject, enrolling notary and enrollment officer (if different from the enrolling notary) each assume at least $25,000 bonded or insured liability for acts of fraudulent enrollment; and the subject assumes at least $100,000 liability, bonded or insured, for any fraudulent act committed with the use of this identity credential or any derivative credential or certificate.
7: The enrollment was notarial, and the subject, enrolling notary and enrollment officer (if different from the enrolling notary) each assume at least $25,000 bonded or insured liability for acts of fraudulent enrollment; and the subject assumes at least $1,000,000 liability, bonded or insured, for any fraudulent act committed with the use of this identity credential or any derivative credential or certificate.
8: The Enrollment Officer verifies initially and at least yearly thereafter that the subject of the identity certificate carries a bond of $5 million or more that insures not only the identity of the subject but against fraud in all transactions and events that the subject signs with the identity credential or any derivative credential or certificate.
9: The Subject is bonded and the bond applies to any instance where the credential is misused; the subject assumes liability for any and all misuse of the credential. Bonding events, including commitments regarding the use of the bond, are signed by the bond issuer, are updated at each bonding or bond usage event, and are made available in an authenticated online space to relying parties.

 

Key Usage extension field

Osmio VRD certificates are general purpose and may be used without restriction of geographical area or industry. In order to use and rely on an Osmio VRD certificate, the relying party must use X.509v3 compliant software. Osmio VRD certificates include key usage extension fields to specify the purposes for which the certificate may be used and also to technically limit the functionality of the certificate when used with X.509v3 compliant software. Reliance on key usage extension fields is dependent upon correct software implementations of the X.509v3 standard and is outside of the control of the Osmio VRD.

 

The possible key purposes identified by the X.509v3 standard are the following:

  a) Digital signature, for verifying digital signatures that have purposes other than those identified in b), f) or g), that is, for entity authentication and data origin authentication with integrity;
  b) Non-repudiation, for verifying digital signatures used in providing a non-repudiation service which protects against the signing entity falsely denying some action (excluding certificate or CRL signing, as in f) or g) below);
  c) Key encipherment, for enciphering keys or other security information, e.g. for key transport;
  d) Data encipherment, for enciphering user data, but not keys or other security information as in c);
  e) Key agreement, for use as a public key agreement key;
  f) Key certificate signing, for verifying a CA's signature on certificates, used in CA certificates only;
  g) CRL signing, for verifying a CA's signature on CRLs;
  h) Encipher only, public key agreement key for use only in enciphering data when used with key agreement;
  i) Decipher only, public key agreement key for use only in deciphering data when used with key agreement;
  j) Subordinate certificate signing, for creating subordinate identity credentials for day-to-day use and permitting the foundational private key to be archived in a secure facility.

 

Extension Criticality Field

The Extension Criticality field denotes two separate uses for the Key Usage field. If the extension is noted as critical, then the key in the certificate is only to be applied to the stated uses. To use the key for another purpose in this case would break the issuer's policy. If the extension is not noted as critical, the Key Usage field is simply there as an aid to help applications find the proper key for a particular use.

 

Basic Constraints Extension

The Basic Constraints Extension specifies whether the subject of the certificate may act as a CA or only as an end entity. In a CA certificate the Extension Criticality field denotes that this extension is critical.

 

Certificate Policy (CP)

Certificate Policy (CP) is a statement of the issuer that corresponds to the prescribed usage of a digital certificate within an issuance context. A policy identifier is a number unique within a specific domain that allows for the unambiguous identification of a policy, including a certificate policy. The Osmio VRD certificate profiles are as per the tables below:

 

 

The Osmio VRD Identity Certificate

Signature Algorithm: SHA1
Issuer: CN = Osmio VRD CA, O = Osmio VRD LLC, C = US
Validity: As assigned
Subject: CN = Subject's Name
Authority Key Identifier: KeyID = 3c 41 e2 8f 08 08 a9 4c 25 89 8d 6d c5 38 d0 fc 85 8c 62 17
Key Usage (Non-critical): Digital Signature, Key Encipherment (A0)
Basic Constraint: Subject Type = End Entity; Path Length Constraint = None
Certificate Policies: [1] Certificate Policy: Policy Identifier = 1.3.6.1.4.1.782.1.2.1.3.1; [1,1] Policy Qualifier Info: Policy Qualifier Id = CPS
Thumbprint Algorithm: SHA1
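The following Python, added here as an example and not part of the Osmio VRD's own software, encodes the Key Usage, Basic Constraints and Certificate Policies extensions of the Identity Certificate profile above in DER without any third-party library, and applies the relying-party rule from the Extension Criticality section. The CPS URI passed to the policy qualifier is a placeholder, since the profile gives only the qualifier id.

```python
# Added example (not Osmio VRD code): DER for the three extensions in the
# Osmio VRD Identity Certificate profile, plus the Key Usage criticality rule.
from typing import Iterable, Set

# Key Usage bit positions, in the order of the X.509v3 list a) through i).
# Item j) (subordinate certificate signing) has no bit in the standard BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
OID_KEY_USAGE = "2.5.29.15"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_CERTIFICATE_POLICIES = "2.5.29.32"
OID_ID_QT_CPS = "1.3.6.1.5.5.7.2.1"             # the "CPS" policy qualifier id
OSMIO_POLICY_OID = "1.3.6.1.4.1.782.1.2.1.3.1"   # Policy Identifier from the profile


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def key_usage_bitstring(purposes: Iterable[str]) -> bytes:
    """KeyUsage BIT STRING trimmed to minimal DER length; bit 0 is the MSB."""
    positions = [KEY_USAGE_BITS[p] for p in purposes]
    if not positions:
        raise ValueError("KeyUsage must assert at least one purpose")
    highest = max(positions)
    nbytes = highest // 8 + 1
    value = bytearray(nbytes)
    for pos in positions:
        value[pos // 8] |= 0x80 >> (pos % 8)
    unused = nbytes * 8 - 1 - highest        # trailing unused bits are zero
    return der(0x03, bytes([unused]) + bytes(value))


def parse_key_usage(bitstring: bytes) -> Set[str]:
    """Inverse of key_usage_bitstring (short-form length, which KeyUsage always has)."""
    if bitstring[0] != 0x03 or bitstring[1] != len(bitstring) - 2:
        raise ValueError("not a short-form BIT STRING")
    value = bitstring[3:]
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos // 8 < len(value) and value[pos // 8] & (0x80 >> (pos % 8))}


def extension(oid: str, value: bytes, critical: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    crit = der(0x01, b"\xff") if critical else b""   # DER omits a DEFAULT value
    return extension_raw(encode_oid(oid) + crit + der(0x04, value))


def extension_raw(body: bytes) -> bytes:
    return der(0x30, body)


def key_usage_extension(purposes: Iterable[str], critical: bool = False) -> bytes:
    return extension(OID_KEY_USAGE, key_usage_bitstring(purposes), critical)


def basic_constraints_extension(ca: bool, critical: bool = True) -> bytes:
    """Subject Type=End Entity is an empty SEQUENCE (cA DEFAULT FALSE, no pathLen)."""
    body = der(0x01, b"\xff") if ca else b""
    return extension(OID_BASIC_CONSTRAINTS, der(0x30, body), critical)


def certificate_policies_extension(policy_oid: str, cps_uri: str) -> bytes:
    """certificatePolicies with one PolicyInformation carrying a CPS qualifier."""
    qualifier = der(0x30, encode_oid(OID_ID_QT_CPS) + der(0x16, cps_uri.encode("ascii")))
    policy = der(0x30, encode_oid(policy_oid) + der(0x30, qualifier))
    return extension(OID_CERTIFICATE_POLICIES, der(0x30, policy), critical=False)


def usage_permitted(asserted: Set[str], critical: bool, intended: str) -> bool:
    """Extension Criticality rule: a critical Key Usage forbids any purpose not
    listed; a non-critical one is only a hint for choosing the right key."""
    return intended in asserted or not critical


def osmio_profile_key_usage_byte() -> int:
    """The '(A0)' in the profile: digitalSignature (0x80) + keyEncipherment (0x20)."""
    return key_usage_bitstring(["digitalSignature", "keyEncipherment"])[-1]


if __name__ == "__main__":
    print(key_usage_extension(["digitalSignature", "keyEncipherment"]).hex())
    # placeholder CPS URI: the profile names the qualifier but gives no URI
    print(certificate_policies_extension(OSMIO_POLICY_OID, "https://example.invalid/cps").hex())
```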


Osmio VRD CRL Profile

The profile for the Osmio VRD CRL is as per the table below:

 

Version: [Version 2]
Issuer Name: commonName = [Root Certificate Common Name]; CN = Osmio VRD CA, O = Osmio VRD L.L.C., C = US
Effective Date: [Date of Issuance]
Next Update: [Date of Issuance + 24 hours]
Revoked Certificates (CRL Entries):
  Certificate Serial Number: [Certificate Serial Number]
  Date and Time of Revocation: [Date and Time of Revocation]
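As an added example (not Osmio VRD code), the Python below shows how a relying party would consume a CRL laid out as the profile above prescribes: it refuses a list that does not carry the profile's issuer name, version and 24-hour window, refuses one that is stale or not yet effective, and only then answers for a serial number. The CRL contents are constructed sample data.

```python
# Added example (not Osmio VRD code): relying-party handling of a CRL that
# follows the Osmio VRD CRL profile (v2, CA issuer name, Next Update = +24h).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Issuer name and validity window taken from the CRL profile table.
PROFILE_ISSUER: Dict[str, str] = {"CN": "Osmio VRD CA", "O": "Osmio VRD L.L.C.", "C": "US"}
PROFILE_VALIDITY = timedelta(hours=24)


@dataclass
class CrlEntry:
    serial_number: int          # "Certificate Serial Number"
    revocation_date: datetime   # "Date and Time of Revocation"


@dataclass
class Crl:
    version: int
    issuer: Dict[str, str]
    effective_date: datetime    # "Effective Date" (thisUpdate)
    next_update: datetime
    entries: List[CrlEntry] = field(default_factory=list)


def issue_profile_crl(issued_at: datetime, entries: List[CrlEntry]) -> Crl:
    """Lay out a CRL exactly as the profile prescribes."""
    return Crl(2, dict(PROFILE_ISSUER), issued_at, issued_at + PROFILE_VALIDITY, list(entries))


def conforms_to_profile(crl: Crl) -> bool:
    """Structural checks a relying party makes before trusting the list."""
    return (crl.version == 2
            and crl.issuer == PROFILE_ISSUER
            and crl.next_update - crl.effective_date == PROFILE_VALIDITY)


def certificate_status(crl: Crl, serial_number: int, now: datetime) -> str:
    """Return 'revoked' or 'good', or why the CRL cannot answer: 'nonconforming'
    (wrong issuer, version or window), 'not_yet_valid' (Effective Date in the
    future, likely a clock problem) or 'stale' (past Next Update: a list older
    than 24 hours may be missing a revocation and must not be relied on)."""
    if not conforms_to_profile(crl):
        return "nonconforming"
    if now < crl.effective_date:
        return "not_yet_valid"
    if now > crl.next_update:
        return "stale"
    if any(e.serial_number == serial_number for e in crl.entries):
        return "revoked"
    return "good"


# Constructed sample data: one revocation recorded before this CRL was issued.
ISSUED_AT = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_CRL = issue_profile_crl(ISSUED_AT, [
    CrlEntry(0x1001, datetime(2023, 12, 31, 12, 0, tzinfo=timezone.utc)),
])


def demo_statuses() -> Dict[str, str]:
    """Exercise each outcome against the sample CRL; keys name the expected result."""
    six_hours = timedelta(hours=6)
    foreign = Crl(2, {"CN": "Some Other CA", "O": "Example", "C": "US"},
                  ISSUED_AT, ISSUED_AT + PROFILE_VALIDITY, [])
    return {
        "revoked": certificate_status(SAMPLE_CRL, 0x1001, ISSUED_AT + six_hours),
        "good": certificate_status(SAMPLE_CRL, 0x1002, ISSUED_AT + six_hours),
        "stale": certificate_status(SAMPLE_CRL, 0x1002, ISSUED_AT + PROFILE_VALIDITY + six_hours),
        "not_yet_valid": certificate_status(SAMPLE_CRL, 0x1002, ISSUED_AT - six_hours),
        "nonconforming": certificate_status(foreign, 0x1002, ISSUED_AT + six_hours),
    }


if __name__ == "__main__":
    for expected, got in demo_statuses().items():
        print(f"{expected:>14}: {got}")
```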


Osmio VRD Structure

The Osmio VRD, directly and/or through its third-party providers, has established the necessary secure infrastructure to fully manage the life-cycle of Identity Certificates within its PKI.

 

The Osmio VRD operates a Certification Authority as an Intermediate CA by, and on the premises of, the root certification authority of StartCom, Ltd, and is governed by the conditions and terms outlined in the StartCom Intermediate Certification Authority Policy Appendix.

 

The Osmio VRD makes its certification authority services available to its subscribers through its affiliated Enrollment Authorities (EA) and Registration Authorities (RA).

 

The Osmio VRD EAs and RAs:

 

  • Accept, evaluate, approve or reject the registration of certificate applications.
  • Verify the accuracy and authenticity of the information provided by the Subject at the time of application as specified in the Osmio VRD validation guidelines documentation.
  • Use official, notarized or other secured documents to evaluate a Subject application.
  • Verify the accuracy and authenticity of the information provided by the subscriber at the time of reissue or renewal as specified in the Osmio VRD validation guidelines documentation.
  • Act locally within their own context of geographical or business partnerships on approval and authorization by the Osmio VRD in accordance with the Osmio VRD practices and procedures.

EAs and RAs are restricted to operating within the set validation guidelines published by the Osmio VRD to the EA or RA upon being commissioned to perform in the EA or RA program. Certificates issued through an RA contain an amended Certificate Profile within an issued certificate to represent the involvement of the RA in the issuance process to the Relying Party.

 

 

Obligations

 

Osmio VRD Obligations

In its role as a Certification Authority (CA), the Osmio VRD provides certificate services within the Osmio VRD PKI. To the extent specified in the relevant sections of the CPS, The Osmio VRD will:

 

  • Comply with this CPS and its internal or published policies and procedures.
  • Protect private and individual data obtained in the enrollment process.
  • Issue, publish and distribute certificates in a timely manner in accordance with this CPS and fulfill its obligations presented herein.
  • Comply with applicable laws and regulations.
  • Provide (directly or through its selected third-party vendors) infrastructure and certification services, including but not limited to the establishment and operation of the Osmio VRD Repository and web site for the operation of PKI services.
  • Provide and validate application procedures for certificates.
  • Provide trust mechanisms, including a key generation mechanism, key protection, and secret sharing procedures regarding its own infrastructure.
  • Provide prompt notice in case of compromise of its private key(s).
  • Provide support to subscribers and relying parties as described in this CPS.
  • Revoke certificates according to this CPS.
  • Provide for the expiration and renewal of certificates according to this CPS.
  • Notify Subjects of certificate expiration and renewal according to this CPS.
  • Make available a copy of this CPS and applicable policies to requesting parties.
  • Publish and update CRLs in a timely manner, in accordance with the applicable Certificate Policy and with provisions described in this CPS.

 

The Osmio Vital Records Department has no further obligations under this CPS.

 

Enrollment Authority and Enrollment Officer Obligations

Entities licensed to act as Enrollment Authorities and individuals licensed to act as Enrollment Officers will perform services under the policies and practices detailed in this CPS. The RA is bound under contract to:

 

  • Receive applications for Osmio VRD certificates in accordance with this CPS.
  • Perform all identity verification actions prescribed by the Osmio VRD validation procedures and this CPS.
  • Report accurately all information called for in determining the Identity Quality Score for a particular IC.
  • Receive, verify and relay to the Osmio VRD all requests for revocation of Osmio VRD certificates in accordance with the Osmio VRD revocation procedures and the CPS.
  • Act according to relevant Law and regulations.

 

Obligations of Subject

  • Minimize internal risk of private key compromise by ensuring adequate understanding of its use and protection.
  • Generate private / public key pairs (to be used in association with certificate requests submitted to Osmio VRD or Osmio VRD RA) using a trustworthy method.
  • Ensure the public key submitted to the Osmio VRD / Osmio VRD EA or RA corresponds with the private key used.
  • Ensure the public key submitted to The Osmio VRD / Osmio VRD EA or RA is the correct one.
  • Provide correct and accurate information in its communications with the Osmio VRD / Osmio VRD EA or RA.
  • Alert Osmio VRD / Osmio VRD EA or RA if while the certificate is valid, any information originally submitted has changed since being submitted to the Osmio VRD.
  • Generate a new, secure key pair to be used in association with a certificate that it requests from the Osmio VRD / Osmio VRD EA or RA.
  • Refrain from tampering with any Osmio VRD certificate.
  • Use Osmio VRD SSL Certificates for legal and authorized purposes in accordance with this CPS.
  • Cease using an Osmio VRD SSL Certificate if any information in it becomes misleading, obsolete, or invalid.
  • Cease using an Osmio VRD certificate if such certificate is expired and remove it from any applications and/or devices it has been installed on.
  • Observe rules for using the Subject's private key corresponding to the public key in an Osmio VRD-issued certificate to sign end-entity SSL Certificates or other certificates.
  • Make reasonable efforts to prevent the compromise, loss, disclosure, modification, or otherwise unauthorized use of the private key corresponding to the public key published in an Osmio VRD certificate.
  • Request the revocation of a certificate in case of an occurrence that materially affects the integrity of an Osmio VRD certificate.
  • Be responsible for acts and omissions of partners and agents they use to generate, retain, escrow, or destroy their private keys.
  • Agree with the terms and conditions of this CPS and other agreements and policy statements of the Osmio VRD.
  • Abide by the laws applicable in his/her country or territory including those related to intellectual property protection, viruses, accessing computer systems, encryption, etc.
  • Comply with all export laws and regulations for dual usage goods as may be applicable.
  • Agree to defend, indemnify, save and hold the Osmio VRD, its agent(s) and contractors harmless from any acts or omissions resulting in liability, any loss or damage, and any suits and expenses of any kind, including reasonable attorneys' fees, that the Osmio VRD, and the above mentioned parties may incur, caused by the use or publication of a certificate, and that arises from:
      • Any false or misrepresented data supplied by the subscriber or agent(s).
      • Any failure of the Subject to disclose a material fact, if the misrepresentation or omission was made negligently or with intent to deceive the CA, the Osmio VRD, or any person receiving or relying on the certificate.
      • Failure to protect the subscriber's confidential data including their private key, or failure to take reasonable precautions necessary to prevent the compromise, loss, disclosure, modification, or unauthorized use of the subscriber's confidential data.
      • Breaking any laws applicable in his/her country or territory including those related to intellectual property protection, viruses, accessing computer systems etc.

 

Subject's Representations

Upon submitting an application for a certificate the Subject represents to the Osmio VRD and to relying parties that at such time and until further notice:

 

  • A digital signature created using the private key corresponding to the public key included in the certificate is the digital signature of the Subject and the certificate has been accepted and is properly operational at the time the digital signature is created.
  • No person other than the Subject has ever had access to the Subject’s private key.
  • All representations made by Subject to the Osmio VRD regarding the information contained in the certificate are accurate and true.
  • All information contained in the certificate is accurate and true to the best of the Subject’s knowledge or to the extent that the Subject had notice of such information. The Subject shall act promptly to notify the Osmio VRD of any material inaccuracies in information.
  • The certificate is used exclusively for authorized and legal purposes, consistent with this CPS.
  • An Osmio VRD certificate will only be used in conjunction with the entity named in the organization field of an SSL Certificate (if applicable).
  • The Subject retains control of her private key, uses a trustworthy system, and takes reasonable precautions to prevent its loss, disclosure, modification, or unauthorized use.
  • The Subject is an end-user subscriber and not a CA, and will not use the private key corresponding to any public key listed in the certificate for purposes of acting as a CA; however, the subject may add his or her signature to an SSL certificate that is also signed by a bona fide CA.

 

Relying Party Obligations

Relying Parties accept that in order to reasonably rely on Osmio VRD certificates they must:

 

  • Minimize the risk of relying on a digital signature created by an invalid, revoked, expired or rejected certificate.
  • Have reasonably made the effort to acquire sufficient knowledge on using Digital Certificates and PKI.
  • Study the limitations to the usage of Digital Certificates and be aware through the Relying Party Agreement of the maximum value of the transactions that can be made using an Osmio VRD Certificate.
  • Read and agree with the terms of the Osmio VRD CPS and Relying Party Agreement.
  • Verify an Osmio VRD certificate by referring to the relevant CRL (or the OCSP service the Osmio VRD supports) and also the CRLs of intermediate CAs and root CAs as available in the Osmio VRD repository.
  • Trust an Osmio VRD certificate only if it is valid and has neither been revoked nor expired.
  • Understand that the Osmio VRD attests only to identity and not to authorizations, privileges, reputations, trustworthiness, or other relationship-based attributes, which are assigned or determined only by Relying Parties and parties other than the Osmio VRD.
  • Rely on an Osmio VRD certificate only as may be reasonable under the circumstances listed in this section and other relevant sections of this CPS.

 

Legal and Limitations

 

Liability

Osmio VRD and The Village Group, Inc. give no guarantees whatsoever about the security or suitability of the services provided or identified by the Osmio VRD, or the use thereof, including but not limited to the use of its websites and programs or any other service currently offered or offered in the future.

 

Relying parties have sufficient information to make an informed decision as to the extent to which they choose to rely on the information in a certificate, and as such are solely responsible for the decision of whether or not to rely on such information, and therefore shall bear the legal consequences of any failure to perform the Relying Party Obligations outlined in this CPS.

 

Under no circumstances, including negligence, shall Osmio VRD, The Village Group Inc. or its contributors be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to: procurement of substitute goods or services; loss of use, data or profits; business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this or other services, even if advised of the possibility of such damage.

 

Financial Responsibility

 

(see Startcom CPS - need insurance policy statement here)

 

Beyond the coverage of the insurance policy outlined above, Osmio VRD, The Village Group, Inc., and its contributors deny any responsibility for damages or impairments resultant from its operation, and assumes no financial responsibility with respect to the use of any issued certificate or provided service.


Copyright and Ownership of Certificates

Certificates issued by and through the operations of the Osmio VRD are the property of the Osmio VRD; the personal information in the certificates is the property of the Subject. Ownership of certificates issued by and through the operations of the Osmio VRD cannot be claimed by Subjects, relying parties, software vendors, or any other party. Issuance of certificates to end users gives the Subjects the right to use the issued certificate(s), subject to: (1) the requirements and obligations set forth in this policy; (2) acceptance of the terms and conditions of the Osmio VRD as published on Osmio websites; and (3) the key usage and extended key usage fields of the certificate, until revocation or expiration of the certificate, whichever comes first. The Osmio VRD gives permission to reproduce and distribute certificates on a nonexclusive, royalty-free basis, provided that they are reproduced and distributed in full. The Osmio VRD reserves the right to revoke certificates at any time. Osmio LLC and The Village Group, Inc. exclusively retain the copyright of all certificates produced, created, published and issued by the Osmio VRD at all times. All rights are reserved.

Governing Law

This CPS shall be governed by and construed in accordance with the laws of Israel. This choice of law is made to ensure uniform interpretation of this CPS, regardless of the place of residence or place of use of Osmio VRD SSL Certificates or other products and services. Israeli law applies in all Osmio VRD commercial or contractual relationships in which this CPS may apply or be quoted implicitly or explicitly in relation to the Osmio VRD products and services where The Osmio VRD acts as a provider, supplier, beneficiary receiver or otherwise.

 

Jurisdiction

Each party, including Osmio VRD partners, Subjects and relying parties, irrevocably agrees to submit to the exclusive jurisdiction and venue of the courts in Eilat, Israel.


Fees

The Osmio VRD charges impost fees for some of the certificate services it offers, including issuance, renewal and reissues (in accordance with the Osmio VRD Reissue Policy stated in this CPS). The Osmio VRD does not charge fees for the revocation of a certificate or for a Relying Party to check the validity status of an Osmio VRD-issued certificate through the use of CRLs.

 

The Osmio VRD retains its right to effect changes to such fees. The Osmio VRD licensees will be suitably advised of impost fee amendments as detailed in the relevant license agreements.

 

Reissue Policy

The Osmio VRD offers a 30-day reissue policy. During a 30 day period (beginning when a certificate is first issued) the Subject may request a reissue of their SSL Certificate and incur no further fees for the reissue. If details other than just the public key require amendment, the Osmio VRD reserves the right to revalidate the application in accordance with the validation processes detailed within this CPS. If the reissue request does not pass the validation process, The Osmio VRD reserves the right to refuse the reissue application. Under such circumstances, the original SSL Certificate may be revoked and a refund provided to the applicant. The Osmio VRD is not obliged to reissue a certificate after the 30 day reissue policy period has expired.

 

Refund Policy

Except as otherwise expressly provided for herein, all payments made to the Osmio VRD are non-refundable.


Privacy

The Osmio VRD's Privacy Policy implements the certification provisions of the Quiet Enjoyment Infrastructure and in particular its constituent Personal Information Ownership Infrastructure. The Personal Information Ownership Infrastructure provides a Personal Nondisclosure Agreement (Personal NDA) form in which personally identifiable information (PII) is entered or referenced. All such information is treated as a "work" and is declared to be the confidential intellectual property of the Subject, and is subject to both copyright and trade secret law. The disclosure of Personally Identifiable Information in the use of the Osmio VRD CA constitutes the creation of the subject's Personal NDA and the Subject's issuance of a license to Osmio VRD to use such Personally Identifiable Information in the operation of this CA.

 

Information included in the Subject's Certificate is licensed to any and all relying parties who use the certificate in conformance with these Certification Policies; and therefore the Subject is advised to include only information which he or she expects will be immediately required by relying parties. All other Personally Identifiable Information should be kept in the Subject's Personal NDA and in referenced files, for disclosure under license to relying parties as the Subject sees fit from time to time.


Compliance Audit

The practices specified in this CPS have been designed to meet or exceed the requirements of generally accepted and developing industry standards including the AICPA/CICA WebTrust Program for Certification Authorities, ANS X9.79:2001 PKI Practices and Policy Framework, and other industry standards related to the operation of CAs. An annual audit is or will be performed by an independent external auditor to assess Osmio VRD compliance with the AICPA/CICA WebTrust program for CAs.

 

Topics covered by the annual audit include but are not limited to the following:

 

      • CA business practices disclosure
      • Service integrity
      • CA environmental controls

 

Security

 

Physical Infrastructure

Access to the secure part of Osmio VRD facilities is limited through the use of physical access control and is only accessible to appropriately authorized individuals (referred to herein as Trusted Personnel).

 

All secure facilities have a primary and secondary power supply and ensure continuous, uninterrupted access to electric power. Heating / air ventilation systems are used to prevent overheating and to maintain a suitable humidity level.

 

The Osmio VRD asserts that it makes every reasonable effort to detect and prevent material breaches, loss, damage or compromise of assets and interruption to business activities.

 

Root CA Signing Key Protection & Recovery

The Osmio VRD CA Infrastructure uses trustworthy systems to provide certificate services. A trustworthy system is computer hardware, software and procedures that provide an acceptable resilience against security risks, provide a reasonable level of availability, reliability and correct operation and enforce a security policy.

 

The Osmio VRD ensures the protection of its CA Root signing key pairs with the use of key storage and crypto processor devices for key generation, storage and use. The CA Root signing key pairs have a length of 4096 bits and were generated within the device using the RSA algorithm.

 

For CA Root key recovery purposes, the Root CA signing keys are encrypted and stored within a secure environment. The decryption key is split into m shares held on separate removable media, and any n of the m shares are required to reconstruct it. Custodians, in the form of 2 or more authorized Osmio VRD representatives, are required to physically retrieve the removable media from the distributed physically secure locations.
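
The n-of-m recovery arrangement above is stated in policy terms only. The following is an added worked example, not Osmio VRD code, of one way such a threshold split can be realized: Shamir's secret sharing over a prime field. The choice of scheme, the 32-byte wrapping key, and the 3-of-5 parameters are assumptions for the sample. As in the paragraph, the root key itself stays encrypted; what is split among custodians is the key that decrypts it.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is the Mersenne prime 2^521 - 1. Shares are evaluated over GF(prime), so
// any secret shorter than 521 bits, such as a 256-bit wrapping key, fits in one
// field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece of media: the evaluation point X and f(X).
type Share struct {
	X, Y *big.Int
}

// Split places secret as the constant term of a random polynomial of degree
// threshold-1 and hands out total evaluations. Any threshold of them recover the
// secret; fewer are consistent with every possible secret.
func Split(secret []byte, threshold, total int) ([]Share, error) {
	s := new(big.Int).SetBytes(secret)
	if threshold < 2 || total < threshold || s.Cmp(prime) >= 0 {
		return nil, errors.New("need 2 <= threshold <= total and a secret below the field size")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < threshold; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, total)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int) // Horner evaluation of the polynomial at x
		for j := threshold - 1; j >= 0; j-- {
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: x, Y: y}
	}
	return shares, nil
}

// Combine recovers f(0) by Lagrange interpolation. It needs at least threshold
// distinct shares; given fewer it returns a value unrelated to the secret, which
// is the property the custodian scheme depends on.
func Combine(shares []Share) ([]byte, error) {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			// Lagrange basis at 0: product of (0 - x_j) / (x_i - x_j).
			num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, prime)
			den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, prime)
		}
		if den.Sign() == 0 {
			return nil, errors.New("duplicate share")
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret.Bytes(), nil
}

func main() {
	// Constructed sample wrapping key; in the CPS model the HSM-exported root key
	// is encrypted under such a key and only this key is shared among custodians.
	key := []byte("0123456789abcdef0123456789abcdef")
	shares, _ := Split(key, 3, 5)
	got, _ := Combine(shares[:3])
	fmt.Printf("%d shares issued, any 3 reconstruct: %q\n", len(shares), got)
}
```

Each share carries its own x-coordinate, so media can be labelled per custodian and any three of the five recombine in any order. Two shares interpolate a line whose value at zero is unrelated to the key, which is what makes "2 or more custodians" a real control rather than a procedural one.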

 

Where CA Root signing keys are backed up to another cryptographic hardware security module, such keys are transferred between devices in encrypted format only.

 

(EDDY, PUT YOUR DESIRED WORDING IN HERE.)

 

The Osmio VRD CA Root key was generated in accordance with the guidelines detailed in the Root Key Generation Ceremony Reference. The Root Key Generation Ceremony activities and personnel are recorded for audit purposes. Subsequent Root Key Generation Ceremonies will follow the documented reference guide. When the Osmio VRD CA Root signing key pair reaches the end of its validity, it will be archived for at least 20 years. The keys will be archived in a secure cryptographic hardware module, as per their secure storage prior to expiration.

 

The Osmio VRD CA root signing private key is valid until 23:59 on December 31, 2028. Towards the end of the private key's lifetime, a new CA signing key pair is commissioned and all subsequently issued certificates and CRLs are signed with the new private signing key. Both keys may be concurrently active. The corresponding new CA public key certificate is provided to subscribers and relying parties through the delivery methods detailed in this CPS. The Osmio VRD makes CA Root Certificates available in its repository and provides the full certificate chain to the Subject upon issuance and delivery of the Subject certificate.

 

Digital Certificate Management

Osmio VRD certificate management refers to functions that include but are not limited to the following:

 

  • Verification of the identity of an applicant of a certificate.
  • Authorizing the issuance of certificates.
  • Issuance of certificates.
  • Revocation of certificates.
  • De-commissioning of the corresponding private keys through a process involving the revocation of certificates.
  • Listing of certificates.
  • Distributing certificates.
  • Publishing certificates.
  • Storing certificates.
  • Retrieving certificates in accordance with their particular intended use.

The Osmio VRD conducts the overall certification management within the Osmio VRD PKI, either directly or through an Osmio VRD-approved EA or RA.

 

Directories, Repository and Certificate Revocation List

The Osmio VRD manages and makes publicly available directories of revoked certificates through the use of Certificate Revocation Lists (CRLs). Users and relying parties are strongly urged to consult the directories of issued and revoked certificates at all times prior to relying on information featured on a certificate. The Osmio VRD updates and publishes a new CRL every 24 hours or more frequently under special circumstances.

 

The Osmio VRD also publishes a repository of legal notices regarding its PKI services, including this CPS, agreements and notices referenced within this CPS, as well as any other information it considers essential to its services.

Organization

The Osmio VRD operates worldwide. All sites relevant to the provision of the services described herein operate under a security policy designed to, within reason, detect, deter and prevent unauthorized logical or physical access to CA related facilities. This section of the CPS outlines the security policy, physical and logical access control mechanisms, service levels and personnel policy in use to provide trustworthy and reliable CA operations.

 

Conformance to this CPS

The Osmio VRD conforms to this CPS and other obligations it undertakes through adjacent contracts when it provides its services.

 

Termination of CA Operations

In case of termination of CA operations for any reason whatsoever, the Osmio VRD will provide timely notice and transfer of responsibilities to succeeding entities, maintenance of records, and remedies. Before terminating its own CA activities, the Osmio VRD will where possible take the following steps:

 

  • Providing subscribers of valid certificates with ninety (90) days notice of its intention to cease acting as a CA. Revoking all certificates that are still unrevoked or unexpired at the end of the ninety (90) day notice period without seeking subscriber's consent.
  • Giving timely notice of revocation to each affected subscriber.
  • Making reasonable arrangements to preserve its records according to this CPS.
  • Reserving its right to provide succession arrangements for the re-issuance of certificates by a successor CA that has all relevant permissions to do so and complies with all necessary rules, while its operation is at least as secure as the Osmio VRD.
  • The requirements of this article may be varied by contract, to the extent that such modifications affect only the contracting parties.

 

Form of Records

The Osmio VRD retains records in electronic or in paper-based format for a period detailed in this CPS. The Osmio VRD may require subscribers to submit appropriate documentation in support of a certificate application. The Osmio VRD RAs are required to submit appropriate documentation as detailed in the RA agreements, prior to being validated and successfully accepted as an approved Osmio VRD RA.

 

In their roles, Osmio VRD RAs may require documentation from subscribers to support certificate applications. In such circumstances, RAs are obliged to retain such records in line with the practices of record retention and protection as used by the Osmio VRD and as stated in this CPS.

 

Records Retention

The Osmio VRD retains the records of the Osmio VRD ICs and the associated documentation for a term of no less than 7 years. The retention term begins on the date of expiration or revocation. Copies of certificates are held, regardless of their status (such as expired or revoked). Such records may be retained in electronic, in paper-based format or any other format that the Osmio VRD sees fit. Such records are archived at a secure off-site location and are maintained in a form that prevents unauthorized modification, substitution or destruction.

 

Logs for Core Functions

For audit purposes, the Osmio VRD maintains electronic or manual logs of the following events for core functions. All logs are backed up on removable media and the media held at a secure off-site location on a daily basis. These media are only removed by the Osmio VRD staff or other authorized personnel on a visit to the data center, and when not in the data center are held either in a safe in a locked office within the development site, or offsite in a secure storage facility.

 

An audit log is maintained of each movement of the removable media. Logs are archived by the system administrator on a weekly basis and event journals reviewed on a weekly basis by CA management. Both current and archived logs are maintained in a form that prevents unauthorized modification, substitution or destruction. When the removable media reaches the end of its life it is wiped by a third party secure data destruction facility and the certificates of destruction are archived.

 

All logs include the following elements:

    • Date and time of entry
    • Serial or sequence number of entry
    • Method of entry
    • Source of entry
    • Identity of entity making log entry


CA & Certificate Lifecycle Management

  • CA Root signing key functions, including key generation, backup, recovery and destruction
  • Subject certificate life cycle management, including successful and unsuccessful certificate applications, certificate issuances, certificate re-issuances, certificate renewals
  • Subject certificate revocation requests, including revocation reason
  • Certificate Revocation List updates, generations and issuances
  • Custody of keys and of devices and media holding keys
  • Compromise of a private key

 

Security Related Events

  • System downtime, software crashes and hardware failures
  • CA system actions performed by the Osmio VRD or other authorized personnel, including software updates, hardware replacements and upgrades
  • Cryptographic hardware security module events, such as usage, de-installation, service or repair and retirement
  • Successful and unsuccessful Osmio VRD PKI access attempts
  • Secure CA facility visitor entry and exit

 

Certificate Application Information

  • The documentation and other related information presented by the applicant as part of the application validation process
  • Storage locations, whether physical or electronic of presented documents

 

Log Retention Period

The Osmio VRD maintains logs for 7 years, or as necessary to comply with applicable laws.

Business Continuity Plans and Disaster Recovery

To maintain the integrity of its services, the Osmio VRD implements, documents and periodically tests appropriate contingency and disaster recovery plans and procedures. Such plans are revised and updated as may be required at least once a year. This disaster recovery plan states that the Osmio VRD (and/or its selected third-party vendor(s)) will endeavor to minimize interruptions to its CA operations.

 

Availability of Revocation

The Osmio VRD publishes Certificate Revocation Lists (CRLs) so that relying parties can check the revocation status of an Osmio VRD-issued SSL Certificate before accepting a digital signature made with it. Each CRL contains entries for all revoked, unexpired certificates issued and is valid for 24 hours. The Osmio VRD issues a new CRL every 24 hours and includes a monotonically increasing sequence number in each CRL issued, so that a relying party can detect an older CRL presented in place of the current one. Under special circumstances the Osmio VRD may publish a new CRL before the current CRL expires. All expired CRLs are archived for a period of 7 years, or longer if applicable. The Osmio VRD also supports OCSP (Online Certificate Status Protocol).

 

Publication of Critical Information

The Osmio VRD publishes: (1) revocation data for issued Identity Certificates; (2) this CPS; (3) certificate terms and conditions; (4) the relying party agreement; and (5) copies of all subscriber agreements, in the Osmio VRD repository. The Osmio VRD repository is maintained by the Certification Practices Board of the Osmio VRD and all updates, amendments and legal promotions are logged in accordance with the logging procedures referenced in this CPS.

 

Confidential Information

The Osmio VRD adheres to the provisions of the Personal Intellectual Property Infrastructure component of the Quiet Enjoyment Infrastructure. All information submitted by the Subject is considered to be the Subject's intellectual property, licensed under Personal NDA to the Osmio VRD for the purposes specified in this CP. The terms of the license created under the Personal NDA include permission to use personal information in the operation of the Osmio VRD CA, subject to the confidentiality classes set out below.

 

Types of Information deemed Confidential

The Osmio VRD keeps the following types of information confidential and maintains reasonable controls to prevent the exposure of such records to non-trusted personnel:

 

  • Subject agreements.
  • Certificate application records and documentation submitted in support of certificate applications whether successful or rejected.
  • Transaction records and financial audit records.
  • External or internal audit trail records and reports, except for WebTrust audit reports which may be published at the discretion of the Osmio VRD.
  • Contingency plans and disaster recovery plans.
  • Internal tracks and records on the operations of the Osmio VRD infrastructure, certificate management and enrollment services and data.

 

Types of Information deemed Not Confidential

Subjects acknowledge that revocation data for all certificates issued by the Osmio VRD CA is public information and is published every 24 hours in the Osmio VRD repository. Application information marked as "Public" in the relevant subscriber agreement and submitted as part of a certificate application is published within the issued Identity Certificate in accordance with this CPS.

 

Access to Confidential Information

All personnel in trusted positions handle all information in strict confidence. EAs and Personnel of RA/LRAs especially must comply with the requirements of the U.S. and/or English law on the protection of personal data.

 

Release of Confidential Information

The Osmio VRD is not required to release any confidential information, unless as otherwise required by law, without an authenticated, reasonably specific request by an authorized party specifying:

 

  1. The party to whom the Osmio VRD owes a duty to keep information confidential.
  2. The party requesting such information.
  3. A court order, if any.

 

Personnel Management and Practices

Consistent with this CPS, the Osmio VRD follows personnel and management practices that provide reasonable assurance of the trustworthiness and competence of its employees and of the satisfactory performance of their duties.

 

Trusted Roles

Trusted roles relate to access to the Osmio VRD account management system, with functional permissions applied on an individual basis.

 

Trusted Personnel

Trusted personnel must identify and authenticate themselves to the system before access is granted. Identification is via a username, with authentication requiring both a password and SSL Certificate.

 

Personnel Controls

All trusted personnel of the Osmio VRD or its selected third-party vendors, as applicable, undergo background checks before access is granted to Osmio VRD systems. These checks include, but are not limited to, credit history, employment history and references, and a Companies House cross-reference to disqualified directors. Training of personnel is undertaken via a mentoring process involving senior members of the team to which they are attached.

Publication of information

The Osmio VRD certificate services and the Osmio VRD repository are accessible through several means of communication:

 

    1. On the web: www.osmio.org
    2. By email: vrdca@osmio.org
    3. By mail:

The Osmio Vital Records Department - Digital Certificates Support

Route de Colovrex 17

CH-1218 Le Grand-Saconnex

Genève

Suisse / Switzerland

Practices and Procedures

This section describes the certificate application process, including the information required to make and support a successful application.

 

Certificate Application Requirements

All Certificate applicants must complete the enrollment process which includes one of the following processes.

 

Proper enrollment may take place in an online session where the Subject is not at the same location where the credential is generated, or enrollment may take place in a face-to-face setting with an enrollment officer. Generally, remote enrollment is weaker than face-to-face enrollment. For the purpose of quantifying the strength of enrollment practices, an Enrollment Practices Score, which is part of the Identity Quality Score, has been established. The meaning of each value of the Enrollment Practices Score is specified on page 32 of this document.

 

Both civil and criminal liability are assumed by the enrollment officer in the more rigorous face-to-face enrollments. While there is also an assurance that the individual is the one named in the identity documents, a fake identity document of particularly high quality is undetectable, and thus it is possible that an impostor's name will be bound to the resulting identity certificate. Even in that case, however, the relying party can be assured of a reliable identity because the public key that is issued and signed is bound inextricably to the human being who was enrolled. If the key is subsequently shared in spite of on-token biometrics and other measures to prevent sharing, non-repudiation remains strong.

Methods of application

Generally, applicants complete the online forms made available by the Osmio VRD; in the case of person-to-person enrollment, the application is acted upon by an enrollment officer, otherwise known as a Registration Authority.

Application Validation

See Identity Quality Scores section. The Osmio VRD may employ the data held in private databases to increase the integrity of the validation process. In any case, the application is processed manually by the Osmio VRD in accordance with the three-step process outlined in this CPS.


Validation Information for Certificate Applications

Applications for Osmio VRD Certificates are supported by appropriate documentation to establish the identity of an applicant. From time to time, the Osmio VRD may modify the requirements related to application information for individuals to respond to the Osmio VRD's requirements, the business context of the usage of an SSL Certificate, or as may be prescribed by law.

 

Application Information for Organizational Applicants

While the Osmio VRD may receive certification requests from organizations, it will only issue certificates in the name of individuals. The Osmio VRD does not issue certificates in the name of organizations.

 

Supporting Documentation for Organizational Applicants

Organizations may sponsor individuals in their enrollment process but the certification relationship is strictly between the CA and the individual. Therefore, there are no organizational applicants.

 

Certain enrollment quality scores may call for published information, such as telephone directories, which link the applicant to a published telephone number or other identifying information. The Osmio VRD may accept at its discretion other official organizational documentation supporting an application.

 

Application Information for Individual Applicants

The following elements are critical information elements for an Osmio VRD IC:

 

  1. Legal Name of the Individual
  2. Street, city, postal/zip code, country
  3. Server Software Identification
  4. Public Key (PUBLIC)
  5. Subject agreement, signed or agreed to online

 

Supporting Documentation

Documentation requirements for applicants shall include identification elements such as:

 

  1. Passport
  2. Driver's License
  3. Bank statement
  4. Primary Utility Bills
  5. Government-Issued Identity Card

 

The Osmio VRD and its commissioned Enrollment Officers may accept at their discretion other official documentation supporting an application.

 

Validation Requirements for Certificate Applications

Upon receipt of an application for an IC, and based on the submitted information, the Osmio VRD confirms the following information:

 

  1. The certificate applicant is the person identified in the certificate request.
  2. The certificate applicant holds the private key corresponding to the public key to be included in the certificate.
  3. The information to be published in the certificate is accurate.
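
Item 2 above, that the applicant holds the private key matching the public key to be certified, is normally established from the self-signed PKCS#10 request the applicant submits. The following added example (not Osmio VRD tooling) shows both sides: the applicant signs a request, and the validation side parses it, checks the signature under the public key embedded in it, confirms the requested name is the one the enrollment officer validated, and rejects a request whose signature was not made by the embedded key. The name, the ECDSA P-256 key type and the tampering step are assumptions for the sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// NewRequest is the applicant's side: a PKCS#10 request signed with the private
// key whose public half is to appear in the IC. ECDSA P-256 is a constructed
// choice for the sample; the CPS does not fix the subscriber key type.
func NewRequest(name string, key *ecdsa.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
}

// CheckPossession is the validation side: the request's self-signature must
// verify under the public key embedded in it, which shows the applicant held the
// matching private key; the requested name must match the name the enrollment
// officer validated; and the key must be of a type the CA is prepared to certify.
func CheckPossession(der []byte, validatedName string) (*ecdsa.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("proof of possession failed: " + err.Error())
	}
	if csr.Subject.CommonName != validatedName {
		return nil, errors.New("request names " + csr.Subject.CommonName + ", not the validated applicant")
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("public key type not accepted for an IC")
	}
	return pub, nil
}

// Tamper flips the final byte of the request, which lies in its signature, to
// model a request whose signature was not produced by the embedded key.
func Tamper(der []byte) []byte {
	bad := append([]byte(nil), der...)
	bad[len(bad)-1] ^= 0x01
	return bad
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := NewRequest("Jane Subject", key)
	_, err := CheckPossession(der, "Jane Subject")
	fmt.Println("genuine request:", err)
	_, err = CheckPossession(Tamper(der), "Jane Subject")
	fmt.Println("tampered request:", err)
}
```

The signature check is what ties the public key to a party who could sign with the private key; the name check is separate, because the request's subject is self-asserted and the CA must only certify the name its own validation produced.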

 

With all types of ICs, the subscriber has a continuous obligation to monitor the accuracy of the submitted information and notify the Osmio VRD of any changes that may affect the validity of the Certificate. Failure to comply with the obligations as set out in the subscriber agreement will result in the revocation of the Subject's IC without further notice to the Subject and the Subject shall pay any Charges payable but not yet paid under the Agreement.

 

Serial Number Assignment

The Osmio VRD assigns certificate serial numbers that appear in ICs. Assigned serial numbers are unique.

 

Time to Confirm Submitted Data

Certificate issuance takes place at time of enrollment.

 

Approval and Rejection of Certificate Applications

Following successful completion of all required validations of a certificate application, the Osmio VRD approves an application for a Certificate. If the validation of a certificate application fails, The Osmio VRD rejects the certificate application. The Osmio VRD reserves its right to reject applications to issue a certificate to applicants if, on its own assessment, by issuing a certificate to such parties the good and trusted name of the Osmio VRD might get tarnished, diminished or have its value reduced and under such circumstances may do so without incurring any liability or responsibility for any loss or expenses arising as a result of such refusal. Applicants whose applications have been rejected may subsequently re-apply.

 

Certificate Issuance and Subject Consent

The Osmio VRD issues a Certificate upon approval of a certificate application. An IC is deemed to be valid at the moment the subscriber accepts it. Issuing an IC signifies that the Osmio VRD has accepted the certificate application.

 

Certificate Validity

Certificates are valid upon issuance by the Osmio VRD. The certificate validity period will generally be 1, 2, 3 or 4 years; the Osmio VRD reserves the right to offer validity periods outside this standard range.

 

Certificate Acceptance by Subjects

A subscriber is deemed to have accepted a certificate when the certificate is either delivered to the Subject via email or installed on the subscriber's computer or hardware security module through an online collection method.

 

Verification of Digital Signatures

Verification of a digital signature is used to determine that:

  1. The digital signature was created by the private key corresponding to the public key listed in the signer's certificate.
  2. The signed data associated with this digital signature has not been altered since the digital signature was created.

 

Reliance on Digital Signatures

The final decision concerning whether or not to rely on a verified digital signature is exclusively that of the relying party. Reliance on a digital signature should only occur if:

 

  1. The digital signature was created during the operational period of a valid certificate and it can be verified by referencing a validated certificate.
  2. The relying party has checked the revocation status of the certificate by referring to the relevant Certificate Revocation Lists and the certificate has not been revoked.

 

Reliance is accepted as reasonable under the provisions made for the relying party under this CPS and within the relying party agreement. If the circumstances of reliance exceed the assurances delivered by the Osmio VRD under the provisions made in this CPS, the relying party must obtain additional assurances.

 

Certificate Suspension

The Osmio VRD does not utilize certificate suspension.

 

Certificate Revocation

Revocation permanently ends the operational period of a certificate before the end of its stated validity period. The Osmio VRD will revoke an IC if:

 

  1. There has been loss, theft, modification, unauthorized disclosure, or other compromise of the private key associated with the certificate.
  2. The Subject or the Osmio VRD has breached a material obligation under this CPS or the Certificate and Site Seal Subject Agreement.
  3. Either the Subject's or the Osmio VRD's obligations under this CPS are delayed or prevented by a natural disaster, computer or communications failure, or other cause beyond that party's reasonable control, and as a result another person's information is materially threatened or compromised.
  4. There has been a modification of the information pertaining to the Subject that is contained within the certificate.
  5. An entity demonstrates that one or more items of information in the IC is incorrect.

 

Request for Revocation

The Subject or other appropriately authorized parties such as EOs or RAs can request revocation of a certificate. Prior to revoking a certificate, the Osmio Vital Records Department will verify that the revocation request has been made either:

 

  1. By the individual who made the certificate application; or
  2. By the EO or RA on behalf of the individual who used that EO or RA to make the certificate application.

 

The Osmio VRD then assesses the legitimacy of the revocation request. If it is deemed legitimate, Osmio VRD validation personnel command the revocation of the certificate; the identity of the validation personnel and the reason for revocation are logged in accordance with the logging procedures covered in this CPS.

 

Effect of Revocation

Upon revocation of a certificate, the operational period of that certificate is immediately considered terminated. The serial number of the revoked certificate is placed on the Certificate Revocation List (CRL) and remains there until some time after the end of the certificate's validity period. An updated CRL is published on the Osmio VRD website every 24 hours; under special circumstances the CRL may be published more frequently.
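
The two signature-verification conditions (Verification of Digital Signatures), the two reliance conditions (operational period and CRL check) and the CRL publication described in this section can be exercised end to end in code. The following is an added example written for this page in Go, using only the standard library; it is not Osmio VRD software and does not describe the VRD's actual implementation. It assumes ECDSA P-256 keys, a one-year IC validity period, a CRL nextUpdate of 24 hours matching the publication interval stated above, and a constructed root CA, Subject, message and reference date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRoot builds a self-signed CA standing in for the Osmio VRD Certification Authority Server (constructed).
func NewRoot(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VRD Root (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign ICs and CRLs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueIC signs an Identity Certificate for a Subject's public key: random 128-bit serial (unique in practice), one-year validity.
func IssueIC(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, pub, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PublishCRL signs a CRL carrying the given entries, with nextUpdate 24 hours after thisUpdate (the CPS's ordinary interval).
func PublishCRL(root *x509.Certificate, rootKey *ecdsa.PrivateKey, now time.Time, entries ...pkix.RevokedCertificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// VerifyAndRely applies the relying party's checks in the CPS's order: the signature verifies under the
// IC's public key (right key, data unaltered); the IC chains to the trusted root and when lies inside its
// validity period; the issuer's CRL is genuine, current, and does not list the IC's serial number.
func VerifyAndRely(root, ic *x509.Certificate, crl *x509.RevocationList, data, sig []byte, when time.Time) error {
	if err := ic.CheckSignature(x509.ECDSAWithSHA256, data, sig); err != nil {
		return fmt.Errorf("signature does not verify (wrong key or altered data): %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := ic.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: when}); err != nil {
		return fmt.Errorf("certificate not valid at %s: %w", when.Format(time.RFC3339), err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil || when.After(crl.NextUpdate) {
		return fmt.Errorf("CRL rejected: it must be signed by the issuer and current (nextUpdate %s)", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ic.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", ic.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed reference time
	root, rootKey, _ := NewRoot(now)
	subjectKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ic, _ := IssueIC(root, rootKey, "Constructed Subject", &subjectKey.PublicKey, now)
	msg := []byte("constructed message signed by the Subject")
	digest := sha256.Sum256(msg) // the Subject signs with the private key matching the IC's public key
	sig, _ := ecdsa.SignASN1(rand.Reader, subjectKey, digest[:])
	crl, _ := PublishCRL(root, rootKey, now) // nothing revoked yet
	fmt.Println("valid:  ", VerifyAndRely(root, ic, crl, msg, sig, now.Add(time.Hour)))
	rt := now.Add(time.Hour) // the Subject reports key compromise; the VRD revokes and republishes the CRL
	crl, _ = PublishCRL(root, rootKey, rt, pkix.RevokedCertificate{SerialNumber: ic.SerialNumber, RevocationTime: rt})
	fmt.Println("revoked:", VerifyAndRely(root, ic, crl, msg, sig, now.Add(2*time.Hour)))
}
```

The first reliance check passes; the second fails once the Subject's serial number appears on the republished CRL. The order matters: a signature that verifies mathematically is still no basis for reliance if the certificate is outside its operational period or revoked, and the CRL is consulted only after confirming that the issuer signed it and that it has not passed its nextUpdate, since an unsigned or stale list could silently omit a revocation.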

 

Renewal

Depending on the option selected during application, and the actual certificate issuance date, and subject to the above, the validity period of Osmio VRD certificates is generally one to four years from the date of issuance and is detailed in the relevant field within the certificate. Renewal fees are detailed on the official Osmio VRD website and within communications sent to Subjects approaching the certificate expiration date.

 

Renewal application requirements and procedures are the same as those employed for the application validation and issuance requirements detailed for new customers unless the Subject had provided offline supporting documentation during the initial validation process. In such instances, the renewal process will include the Osmio VRD sending the Subject a copy of all supporting documentation including the initial offline supporting documentation that the Subject provided in order to secure a certificate. A Subject must review and confirm in writing to the Osmio VRD that such documentation is still valid and no changes have been made to the documentation.

 

Notice Prior to Expiration

The Osmio VRD shall make reasonable efforts to notify subscribers via e-mail of the imminent expiration of an IC. Notice shall ordinarily be provided within the 60-day period prior to the expiry of the certificate.

 

 

Legal Conditions of Issuance

This section describes the legal representations, warranties and limitations associated with Osmio VRD ICs. This CPS also incorporates the Osmio VRD Relying Party Guarantee.

 

Osmio VRD Representations

The Osmio VRD makes to all subscribers and relying parties certain representations regarding its public service, as described below. The Osmio VRD reserves its right to modify such representations as it sees fit or required by law.

 

Information Incorporated by Reference into a Certificate

The Osmio VRD incorporates by reference the following information in every digital certificate it issues:

 

    • These statements of certification practices.
    • Any other applicable certificate policy as may be stated on an issued Certificate, including the location of this CPS.
    • The mandatory elements of the standard X.509v3.
    • Any non-mandatory but customized elements of the standard X.509v3.
    • Content of extensions and enhanced naming that are not fully expressed within a certificate.
    • Any other information that is indicated to be so in a field of a certificate.

 

Displaying Liability Limitations, and Warranty Disclaimers

ICs may include a brief statement describing limitations of liability, limitations on the value of transactions to be accomplished, the validity period, the intended purpose of the certificate and any disclaimers of warranty that may apply. Subjects must agree to the Osmio Vital Records Department Certificate Agreement before signing up for a certificate, and agree to bind their relying parties to the Osmio Vital Records Department Relying Party Agreement.

 

Publication of Certificate Revocation Data

Publication of certificate revocation data is essential to the effective operation of a CA and to its reliability. The Osmio VRD publishes certificate revocation data.

 

Duty to Monitor the Accuracy of Submitted Information

In all cases and for all types of ICs, the Subject has a continuous obligation to monitor the accuracy of submitted information and notify the Osmio VRD of any changes.

 

Publication of Information

Published critical information may be updated from time to time as prescribed in this CPS. Such updates shall be indicated through appropriate version numbering and publication date on any new version.

 

Interference with Osmio VRD Implementation

Subjects, relying parties and any other parties shall not interfere with, or reverse engineer, the technical implementation of Osmio VRD PKI services, including the key generation process, the public web site and the Osmio VRD repositories, except as explicitly permitted by this CPS or upon prior written approval of the Osmio VRD. Failure to comply with this as a subscriber will result in the revocation of the Subject's IC without further notice to the Subject, and the Subject shall pay any Charges payable but not yet paid under the Certificate and Site Seal Subject Agreement. Failure to comply with this as a relying party will result in the termination of the agreement with the relying party and the removal of permission to use or access the Osmio VRD repository and any Certificate or service provided by the Osmio VRD.

 

Standards

The Osmio VRD assumes that user software that is claimed to be compliant with X.509v3 and other applicable standards enforces the requirements set out in this CPS. The Osmio VRD cannot warrant that such user software will support and enforce controls required by the Osmio VRD, and the user should seek appropriate advice.

 

The Osmio VRD Partnerships Limitations

Partners of the Osmio VRD network shall not undertake any actions that might imperil, put in doubt or reduce the trust associated with the Osmio VRD products and services. Osmio VRD partners shall specifically refrain from seeking partnerships with other root authorities or applying procedures originating from such authorities. Failure to comply with this will result in the termination of the agreement with the partner and the removal of permission to use or access the Osmio VRD repository and any Certificate or service provided by the Osmio VRD.

 

The Osmio VRD Limitation of Liability for Partners

As the Osmio VRD network includes EOs and RAs that operate under the Osmio VRD practices and procedures, the Osmio VRD guarantees to all Relying Parties, pursuant and subject to the terms of the Relying Party Guarantee, the integrity of any certificate issued under its own root.

 

Choice of Cryptographic Methods

Parties are solely responsible for, and are deemed to have exercised independent judgment and employed adequate training in, choosing security software, hardware, and encryption/digital signature algorithms, including their respective parameters, procedures, and techniques, as well as PKI as a solution to their security requirements.

 

Reliance on Unverified Digital Signatures

Parties relying on an IC must verify a digital signature at all times, including checking the validity of the IC against the relevant CRL published by the Osmio VRD. Relying parties are alerted that an unverified digital signature cannot be treated as a valid signature of the subscriber.

 

Relying on an unverifiable digital signature exposes the relying party, and not the Osmio VRD, to risks that the relying party assumes in whole.

 

The Osmio VRD has adequately informed relying parties on the usage and validation of digital signatures through this CPS and other documentation published in its public repository, and remains available via the contact address specified in the Document Control section of this CPS.

 

Rejected Certificate Applications

The private key associated with a public key which has been submitted as part of a rejected Certificate application may not under any circumstances be used to create a digital signature if the effect of the signature is to create conditions of reliance upon the rejected certificate. The private key may also not be resubmitted as part of any other certificate application.

 

Refusal to Issue a Certificate

The Osmio VRD reserves its right to refuse to issue a Certificate to any party as it sees fit, without incurring any liability or responsibility for any loss or expenses arising out of such refusal. The Osmio VRD reserves the right not to disclose reasons for such a refusal.

 

Legality of Information

Subjects shall solely be responsible for the legality of the information they present for use in certificates issued under this CPS, in any jurisdiction in which such content may be used or viewed.

 

Subject Liability to Relying Parties

Without limiting other Subject obligations stated in this CPS, Subjects are liable for any misrepresentations they make in certificates to third parties that reasonably rely on the representations contained therein and have verified one or more digital signatures with the certificate.

 

Duty to Monitor Agents

The subscriber shall control and be responsible for the data that an agent supplies to the Osmio VRD. The subscriber must promptly notify the issuer of any misrepresentations and omissions made by an agent. The duty of this article is continuous.

 

Use of Agents

For certificates issued at the request of a subscriber's agent, both the agent and the subscriber shall be bound by the Certificate and Site Seal Subject Agreement and shall jointly and severally indemnify the Osmio VRD and its agents and contractors.

 

Conditions of usage of the Osmio VRD Repository and Web site

Parties (including Subjects and relying parties) accessing the Osmio VRD Repository and official web site(s) agree with the provisions of this CPS and any other conditions of usage that the Osmio VRD may make available. Parties demonstrate acceptance of the conditions of usage of the CPS by using an Osmio VRD-issued certificate.

 

Failure to comply with the conditions of usage of the Osmio VRD Repositories and web site may result in terminating the relationship between the Osmio VRD and the party.

 

Accuracy of Information

The Osmio VRD, recognizing its trusted position, makes all reasonable efforts to ensure that parties accessing its Repositories receive accurate, updated and correct information.

The Osmio VRD cannot however accept any liability beyond the limits set in this CPS and the Osmio VRD insurance policy.

 

Fitness for a Particular Purpose

The Osmio VRD disclaims all warranties and obligations of any type, including but not limited to any warranty of fitness for a particular purpose, warranty of merchantability, warranty of non-infringement, and any warranty of the accuracy of unverified information provided, except as expressly provided otherwise herein or as cannot be excluded at law.

 

Other Warranties

The Osmio VRD does not warrant:

 

    • The accuracy, authenticity, completeness or fitness of any unverified information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of the Osmio VRD except as it may be stated in the relevant product description below in this CPS and in the Osmio VRD insurance policy.

 

    • The accuracy, authenticity, completeness or fitness of any information contained in any Osmio VRD Personal certificates, class 1, free, trial or demo certificates, and shall not incur liability for representations of information contained in a certificate except as otherwise expressly provided for herein.

 

    • The quality, functions or performance of any software or hardware device.

 

    • The validity, completeness or availability of directories of certificates issued by a third party (including an agent) unless that is specifically stated by the Osmio VRD.

 

Although the Osmio VRD is responsible for certificate revocation, it cannot be held liable except as expressly provided for herein.

 

Non-Verified Subject Information

Without limiting in any way the limitations of warranties and liabilities under this CPS, the Osmio VRD shall not be responsible for non-verified subscriber information submitted to the Osmio VRD, the Osmio VRD directory, or otherwise submitted with the intention to be included in a certificate.

 

Exclusion of Certain Elements of Damages

In no event shall the Osmio VRD be liable to any person or entity for:

 

    • Any indirect, incidental or consequential damages;
    • Any loss of profits;
    • Any loss of data;
    • Any other indirect, consequential or punitive damages arising from or in connection with the use, delivery, license, performance or non performance of certificates or digital signatures;
    • Any other transactions or services offered within the framework of this CPS;
    • Any other damages except for those of a Relying Party due to the Relying Party's reasonable reliance on a Certificate or Site Seal, and then only as provided in the Relying Party Guarantee;
    • Any liability, in this or any other case, where the fault in verified information is due to fraud or willful misconduct of the applicant;
    • Any liability that arises from the usage of a certificate that has not been issued or used in conformance with this CPS;
    • Any liability that arises from the usage of a certificate that is not valid;
    • Any liability that arises from usage of a certificate that exceeds the limitations in usage and value and transactions stated upon it or on the CPS;
    • Any liability that arises from security, usability, integrity of products, including hardware and software a subscriber uses;
    • Any liability that arises from compromise of a subscriber's private key.

 

Relying Party Guarantee

The cumulative maximum liability accepted by the Osmio VRD under the Relying Party Guarantee (which can be found in the Repository) is set forth in the Assumption of Liability Score specifications section of this CPS.

 

Financial Limitations on Certificate Usage

Osmio VRD certificates may only be used in connection with data transfer and transactions having a US dollar (US$) value no greater than $10,000 (ten thousand dollars).

 

Conflict of Rules

When this CPS conflicts with other rules, guidelines, or contracts, this CPS shall prevail and bind the subscriber and other parties except as to:

 

    • Contracts predating the first public release of the present version of this CPS;
    • Contracts expressly superseding this CPS which such contract shall govern as to the parties thereto, and to the extent permitted by law; or
    • Relying Party Agreements, Certificate and Site Seal Subject Agreements, and the terms of the Relying Party Guarantee.

 

Intellectual Property Rights

Except as otherwise set forth herein, all right, title and interest in and to all, (i) registered and unregistered trademarks, service marks and logos; (ii) patents, patent applications, and patentable ideas, inventions, and/or improvements; (iii) know-how; (iv) all divisions, continuations, reissues, renewals, and extensions thereof now existing or hereafter filed, issued, or acquired; (v) registered and unregistered copyrights including, without limitation, any forms, images, audiovisual displays, text, software ("The Osmio Vital Records Department Intellectual Property Rights") are owned by the Osmio VRD or its licensors, and you agree to make no claim of interest in or ownership of any such intellectual property rights. You acknowledge that no title to The Osmio Vital Records Department Intellectual Property Rights is transferred to you, and that you do not obtain any rights, express or implied, in the Osmio VRD or its licensors' service, other than the rights expressly granted in this Agreement. To the extent that you create any Derivative Work (any work that is based upon one or more preexisting versions of a work provided to you, such as an enhancement or modification, revision, translation, abridgement, condensation, expansion, collection, compilation or any other form in which such preexisting works may be recast, transformed or adapted) such Derivative Work shall be owned by the Osmio VRD and all right, title and interest in and to each such Derivative Work shall automatically vest in The Osmio VRD. The Osmio VRD shall have no obligation to grant you any right in any such Derivative Work.

 

Infringement and Other Damaging Material

Subjects represent and warrant that, when submitting to the Osmio VRD and using a domain and distinguished name (and all other certificate application information), they do not interfere with or infringe any rights of any third parties in any jurisdiction with respect to their trademarks, service marks, trade names, company names, or any other intellectual property right, and that they are not seeking to use the domain and distinguished names for any unlawful purpose, including, without limitation, tortious interference with contract or prospective business advantage, unfair competition, injuring the reputation of another, and confusing or misleading a person, whether natural or incorporated.

 

Although the Osmio VRD will provide all reasonable assistance, certificate subscribers shall defend, indemnify, and hold the Osmio VRD harmless for any loss or damage resulting from any such interference or infringement and shall be responsible for defending all actions on behalf of the Osmio VRD.

 

Dispute Resolution

Before resorting to any dispute resolution mechanism including adjudication or any type of Alternative Dispute Resolution (including without exception mini-trial, arbitration, binding expert's advice, co-operation monitoring and normal expert's advice) all parties other than the Osmio VRD agree to notify the Osmio VRD of the dispute with a view to seek dispute resolution.

 

Successors and Assigns

This CPS shall be binding upon the successors, executors, heirs, representatives, administrators, and assigns, whether express, implied, or apparent, of the parties. The rights and obligations detailed in this CPS are freely assignable by the Osmio VRD, but not by any other party.

 

Severability

If any provision of this CPS, or the application thereof, is for any reason and to any extent found to be invalid or unenforceable, the remainder of this CPS (and the application of the invalid or unenforceable provision to other persons or circumstances) shall be interpreted in such manner as to effect the original intention of the parties. Each and every provision of this CPS that provides for a limitation of liability, disclaimer of or limitation upon any warranties or other obligations, or exclusion of damages is intended to be severable and independent of any other provision and is to be enforced as such.

 

Interpretation

The headings, subheadings, and other captions in this CPS are intended for convenience and reference only and shall not be used in interpreting, construing, or enforcing any of the provisions of this CPS. Appendices, if any, and definitions to this CPS, are for all purposes an integral and binding part of the CPS.

 

No Waiver

This CPS shall be enforced as a whole, whilst failure by any person to enforce any provision of this CPS shall not be deemed a waiver of future enforcement of that or any other provision.

 

Notice

The Osmio VRD accepts notices related to this CPS by means of digitally signed messages or in paper form. Upon receipt of a valid, digitally signed acknowledgment of receipt from the Osmio VRD, the sender of the notice shall deem their communication effective. The sender must receive such acknowledgment within five (5) days, or else written notice must then be sent in paper form through a courier service that confirms delivery or via certified or registered mail, postage prepaid, return receipt requested, addressed as follows:

 

Osmio Vital Records Department - Digital Certificates Support

25, Place du Bourg-de-Four
1204 Genève / Geneva

Suisse / Switzerland

 

URL: http://www.osmio.org

E-mail: vrdca@osmio.org

 

This CPS, related agreements and Certificate policies referenced within this document are available at (??)

 

 

General Issuance Procedure

 

General

The Osmio VRD offers Identity Certificates to enable its users to make use of SSL and S/MIME technology for secure online transactions and facilities access and for secure email respectively. Prior to the issuance of a certificate, the Osmio VRD will validate an application in accordance with this CPS, particularly as defined below.

 

Osmio VRD certificates are issued to individuals only, regardless of whether the party which sponsors the enrollment is an individual or an organization.

 

The Osmio VRD may issue certificates for any validity period, including periods which extend past the anticipated lifetime of the identified individual.

 

Enrollment and Certificate Issuance Requests

An IC request can be made according to the procedures defined below. The applicant must notify the Osmio VRD of any inaccuracy or defect in an IC promptly after receipt of the IC, or earlier upon notice of the informational content to be included in the certificate.

 

Object Certificates

The Osmio VRD does not directly offer site certificates or primary certificates that identify an object rather than a natural human being. Instead, all object certificates, professional license certificates, appointment-to-office certificates and any certificate other than a personal identity certificate are signed by one or more holders of a personal identity certificate using the corresponding private key(s) to those certificates.

 

Attribute Certificates

The Osmio VRD does not offer certificates that identify an attribute rather than an identity of a natural human being. However, the Osmio Professional Licensing Department (Osmio PLD) issues professional license certificates and municipal appointment certificates that are issued only as derivative certificates to individuals who have Osmio VRD Identity Certificates.

 

 

Issuing Procedure

The following steps describe the milestones to issue an Identity Certificate:

 

  1. The applicant chooses either on his or her own or at the direction of a sponsoring organization the type of enrollment desired. The applicant fills out the corresponding enrollment appointment request with required information on the Osmio VRD website.
  2. If the applicant chooses an enrollment method with Enrollment Practice Score 1, 2 or 3, the enrollment takes place immediately from the current location of the Subject. For all other Enrollment Practice Scores, an appointment request is generated. For Enrollment Practice Scores 6-9, the applicant additionally fills in an affidavit form, the completion of which generates an Affidavit with accompanying Jurat in PDF form. The resulting form is sent via email both to the applicant and to the enrollment officer whose availability fits the requested appointment place and time.
  3. After successful performance of the remote or notarial (face-to-face) enrollment process, the enrollment officer initiates certificate generation: the Osmio VRD generates a key pair, forms a Certificate Signing Request (CSR) containing the public key of the pair, and the Osmio VRD Certification Authority Server signs that public key into the Identity Certificate.
  4. If the enrollment is successful, the applicant pays the impost fees if they have not been previously paid by the sponsoring organization.
  5. The Osmio VRD issues the certificate to the applicant or, should the application be rejected, alerts the applicant that the application has been unsuccessful.
  6. Renewal is conducted as per the procedures outlined in this CPS and the official Osmio VRD websites.
  7. Revocation is conducted as per the procedures outlined in this CPS.
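
Validation requirement 2 (the applicant holds the private key corresponding to the public key to be certified) and the CSR in step 3 rest on the same mechanism: a PKCS#10 request is signed with the new private key, so the receiving CA can both confirm possession of that key and detect any alteration of the request body, including the subject name. The following is an added example in Go (standard library only) written for this page; it is not Osmio VRD code. The applicant name is constructed, and the enrolledName parameter stands for the identity established during enrollment. Whichever party generates the key pair (in the procedure above it is the Osmio VRD), the check on the receiving side is the same.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// NewCSR generates a P-256 key pair and a PKCS#10 request whose body (subject name
// and public key) is signed with the new private key. The private key stays with the
// generating party; the DER-encoded request is what goes to the CA.
func NewCSR(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// ValidateApplication is the CA-side check. It enforces two of the CPS's validation
// requirements: possession (the request's self-signature must verify under the public
// key it carries) and accuracy (the requested name must match the enrolled identity).
func ValidateApplication(der []byte, enrolledName string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != enrolledName {
		return nil, fmt.Errorf("request names %q but enrollment established %q", csr.Subject.CommonName, enrolledName)
	}
	return csr, nil
}

// TamperedCopy simulates a request altered after signing: it flips the case of the
// first letter of needle (part of the subject name) in a copy of der. The copy still
// parses, but the signature over the request body no longer verifies.
func TamperedCopy(der []byte, needle string) ([]byte, error) {
	i := bytes.Index(der, []byte(needle))
	if i < 0 {
		return nil, errors.New("needle not found in request")
	}
	out := append([]byte(nil), der...)
	out[i] ^= 0x20
	return out, nil
}

func main() {
	const name = "Constructed Applicant" // constructed example subject
	_, der, err := NewCSR(name)
	if err != nil {
		panic(err)
	}
	_, err = ValidateApplication(der, name)
	fmt.Println("genuine request:", err)
	_, err = ValidateApplication(der, "Someone Else")
	fmt.Println("name mismatch:  ", err)
	bad, _ := TamperedCopy(der, "Constructed")
	_, err = ValidateApplication(bad, name)
	fmt.Println("altered request:", err)
}
```

The genuine request passes both checks; a request whose name does not match the enrollment record is refused even though its signature is sound, and a request edited after signing fails the possession check before the name is even compared. The signature proves only that the submitter controls the private key, not who the submitter is; identity comes from the enrollment itself, which is why both checks are needed.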

 

Document Control

This document constitutes Osmio Ordinance 080721CERT. Along with any amendments, it is available at osmio.ch. Please visit the Repository or contact the Osmio Vital Records Department for the publication date of this version.

 

Osmio Vital Records Department - Digital Certificates Support

URL: http://osmio.ch/