Abu Dhabi United Arab Emirates ... · Level 15, Aldar HQ Tel: +971 2 417 1417 Abu Dhabi United Arab Emirates DigitalX1 High Assurance CA G4 F2 B7 81 70 44 18 CC 6D 4F 20 0F 74 F5

Level 15, Aldar HQ Tel: +971 2 417 1417 Abu Dhabi www.darkmatter.ae United Arab Emirates

DarkMatter MANAGEMENT’S ASSERTION as to its Disclosure of its Business Practices and its Controls

over its Certification Authority Operations during the period from 20 October 2017 to 30 September 2018

2 October 2018

DarkMatter LLC, a company under the United Arabic Emirates law, (hereafter: DarkMatter), provides the following Certification Authority (CA) services:

- Subscriber registration - Certificate renewal - Certificate rekey - Certificate issuance - Certificate distribution - Certificate revocation - Certificate validation

Its infrastructure consists of the following entities:

Common Name SHA256 hash

UAE Global Root CA G3 0A 9A 40 13 AF C0 56 50 94 5C CA 63 B9 2A 6B 26 58 57 CF 40 34 03 DE A5 2E 0E 68 CC 4E 1B F5 74

UAE Global Root CA G4 3E 83 A6 C7 80 B4 C5 B8 75 38 AD 2E 43 A2 03 70 8F F7 FF 29 BE DC 7B 20 62 6B F7 C0 09 19 9C 0A

DarkMatter Root CA G3 E6 87 29 01 3A 50 40 4D C1 BA F7 12 7B 3D 3C 98 A8 FF 39 2B 73 5D 0B 11 40 85 8D 5B 91 C3 BE 65

DarkMatter Root CA G4 51 58 69 A4 35 D6 D4 7D 3E B8 F3 8D 6F 91 98 EC 83 F2 A5 6A D3 1C C1 AE DE 4F 7B 89 DA 69 E4 BF

DarkMatter Audit CA 32 BE AD A3 34 52 87 81 0E A3 20 80 D4 F1 28 34 97 1C 90 E6 83 FF 28 9B 2C AC DD 55 61 3D C3 5E

DarkMatter High Assurance CA

3A E6 99 D9 4E 8F EB DA CB 86 D4 F9 0D 40 90 33 33 47 8E 65 E0 65 5C 43 24 51 19 7E 33 FA 07 F2

DarkMatter Secure CA A2 5A 19 54 68 19 D0 48 00 0E F9 C6 57 7C 4B CD 8D 21 55 B1 E4 34 6A 45 99 D6 C8 B7 97 99 D4 A1

DarkMatter Assured CA D8 88 8F 4A 84 F7 4C 97 4D FF B5 73 A1 BF 5B BB AC D1 71 3B 90 50 96 F8 EB 01 50 62 BF 39 6C 4D

DigitalX1 High Assurance CA G3

FD D7 C3 DB 9D 64 50 9E 00 83 60 40 2F CB 1B E1 C0 CB E2 20 D3 D2 82 AF 1F 9B 3D 8E 19 B3 E4 A4



F2 B7 81 70 44 18 CC 6D 4F 20 0F 74 F5 42 C8 45 C9 1A C7 7C 82 F0 88 91 2A A1 A3 D3 B3 07 F6 1F

DM X1 High Assurance CA G3

89 D3 BF 92 91 48 27 AF EC 62 16 DE 97 70 AC 43 7E E8 C5 F2 27 B3 B2 98 20 A9 EF 33 55 1D BF C6


27 44 26 9B E8 1D 48 0C 51 B2 1C 1C 26 B7 76 9A 90 56 4E 6D A0 AE 44 24 6D D7 79 CC AC 70 DA 34

DigitalX1 Assured CA G4 35 7F 52 F8 1E 5D AF 02 A0 1A 50 A7 73 7B 50 2F 77 06 72 91 51 63 05 B0 ED 67 50 F2 A0 38 8C 32

DM X1 Assured CA G4 10 FE EE 3F 39 97 3D BF 0A 06 BE 65 35 78 29 7D 8A 87 5C C3 A7 5A 55 7F 28 59 8D 59 D2 67 14 B4

The management of DarkMatter is responsible for establishing and maintaining effective controls over its CA operations, including its CA business practices disclosure on its website, CA business practices management, CA environmental controls, CA key lifecycle management controls, subscriber key lifecycle management controls, certificate lifecycle management controls, and subordinate CA certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to DarkMatter’ Certification Authority operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

The management of DarkMatter has assessed its disclosure of its certificate practices and controls over its CA services. Based on that assessment, in DarkMatter management’s opinion, in providing its Certification Authority (CA) services in Abu Dhabi and Dubai, United Arabic Emirates, throughout the period 20 October 2017 to 30 September 2018, DarkMatter has:

Disclosed its business, key lifecycle management, certificate lifecycle management and CA environmental control practices in its Certification Practice Statement, version 1.7, dated September 2018 on the website of DarkMatter at https://ca.darkmatter.ae/CPS/index.html, and

maintained effective controls to provide reasonable assurance that:

o DarkMatter’s Certification Practice Statement is consistent with its Certificate Policy.


o the integrity of keys and certificates it manages is established and protected throughout their life cycles;

o the integrity of subscriber keys and certificates it manages is established and protected throughout their life cycles;


o Subscriber information is properly authenticated (for the registration activities performed by DarkMatter); and

o subordinate CA certificate requests are accurate, authenticated, and approved.


o logical and physical access to CA systems and data is restricted to authorized individuals;

o the continuity of key and certificate management operations is maintained; and

o CA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity.

based on the WebTrust® Principles and Criteria for Certification Authorities, version 2.0 – March 2011 including the following:

CA BUSINESS PRACTICES DISCLOSURE

Certification Practice Statement (CPS)

Certificate Policy (CP)

CA BUSINESS PRACTICES MANAGEMENT

Certificate Policy Management

Certification Practice Statement Management

CP and CPS Consistency

CA ENVIRONMENTAL CONTROLS

Security Management

Asset Classification and Management

Personnel Security

Physical and Environmental Security

Operations Management

System Access Management

Systems Development and Maintenance

Level 15, Aldar HQ Tel: +971 2 417 1417 Abu Dhabi www.darkmatter.ae United Arab Emirates Business Continuity Management

Monitoring and Compliance

Audit Logging

CA KEY LIFE CYCLE MANAGEMENT CONTROLS

CA Key Generation

CA Key Storage, Backup and Recovery

CA Public Key Distribution

CA Key Usage

CA Key Archival and Destruction

CA Key Compromise

CA Cryptographic Hardware Life Cycle Management

CA Key Escrow (if applicable)

SUBSCRIBER KEY LIFE CYCLE MANAGEMENT CONTROLS

CA-Provided Subscriber Key Generation Services

CA-Provided Subscriber Key Storage and Recovery Services

Requirements for Subscriber Key Management

CERTIFICATE LIFE CYCLE MANAGEMENT CONTROLS

Subscriber Registration

Certificate Renewal

Certificate Rekey

Certificate Issuance

Certificate Distribution

Certificate Revocation

Certificate Validation


SUBORDINATE CA CERTIFICATE LIFE CYCLE MANAGEMENT CONTROLS

Subordinate CA Certificate Life Cycle Management

For approval:

Scott Rea

SVP – Public Key Infrastructure,

DarkMatter LLC

KPMG N.V.P.O. Box 745001070 DB AmsterdamThe Netherlands

Laan van Langerhuize 11186 DS AmstelveenThe NetherlandsTelephone +31 (0)20 656 7890www.kpmg.com/nl

KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity.Document classification: KPMG Confidential

Independent Accountant’s Report

Amstelveen, October 2018

To the management of DarkMatter LLC:We have examined the assertion by the management of DarkMatter LLC (hereafter called: DarkMatter) that for its Certification Authority (CA) operations in the United Arabic Emirates, throughout the period 20 October 2017 to 30 September 2018 for its infrastructure consisting of the following entities:



















DigitalX1 Assured CA G4

35 7F 52 F8 1E 5D AF 02 A0 1A 50 A7 73 7B 50 2F 77 06 72 91 51 63 05 B0 ED 67 50 F2 A0 38 8C 32


DarkMatter LLCIndependent Accountant’s Report

2

DarkMatter has:

disclosed its business, key lifecycle management, certificate life cycle management and CA environment control practices in its Certificate Practice Statement v1.7 of September 2018 onhttps://ca.darkmatter.ae/CPS/index.htmlmaintained effective controls to provide reasonable assurance that:

DarkMatter’s Certification Practice Statement is consistent with its Certificate PolicyDarkMatter provides its services in accordance with its Certificate Policy and Certification Practice Statement

maintained effective controls to provide reasonable assurance that:the integrity of keys and certificates it manages is established and protected throughout their lifecycles;the integrity of subscriber keys and certificates it manages is established and protected throughout their lifecycles;subscriber information is properly authenticated (for the registration activities performed by DarkMatter); andsubordinate CA certificate requests are accurate, authenticated, and approved

maintained effective controls to provide reasonable assurance that:logical and physical access to CA systems and data is restricted to authorized individuals;the continuity of key and certificate management operations is maintained; andCA systems development, maintenance, and operations are properly authorized and performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities version 2.0.The management of DarkMatter is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included:

obtaining an understanding of DarkMatter’s key and certificate life cycle management business and its controls over key and certificate integrity, over the authenticity and confidentiality of subscriber and relying party information, over the continuity of key and certificate lifecycle management operations and over development, maintenance and operation of systems integrity;

selectively testing transactions executed in accordance with disclosed key and certificate lifecycle management business practices;

testing and evaluating the operating effectiveness of the controls; and

performing such other procedures as we considered necessary in the circumstances.

We believe that our examination provides a reasonable basis for our opinion.

The relative effectiveness and significance of specific controls at DarkMatter and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations.

3


We have performed no procedures to evaluate the effectiveness of controls at individualsubscriber and relying party locations.Because of the nature and inherent limitations of controls, DarkMatter’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect andcorrect, error, fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based onour findings to future periods is subject to the risk that changes may alter the validity of suchconclusions.In our opinion, throughout the period 20 October 2017 to 30 September 2018, DarkMattermanagement’s assertion as referred to above is fairly stated, in all material respects, based onthe WebTrust Principles and Criteria for Certification Authorities version 2.0.This report does not include any representation as to the quality of DarkMatter’ services beyondthose covered by the WebTrust for Certification Authorities Criteria, or the suitability of any ofDarkMatter’ services for any customer’s intended purpose.DarkMatter’s use of the WebTrust for Certification Authorities Seal constitutes a symbolicrepresentation of the contents of this report and it is not intended, nor should it be construed, toupdate this report or provide any additional assurance.

On behalf of KPMG Advisory N.V.Amstelveen, October 2018

drs. ing. R.F. Koorn RE CISAPartner



over its Certification Authority Operations during the period from 20 October 2017 to 30 September 2018

2 October 2018

DarkMatter LLC, a company under the United Arabic Emirates law, (hereafter: DarkMatter), provides its SSL Certification Authority (CA) services through its PKI infrastructure consisting of:



















DigitalX1 Assured CA G4 35 7F 52 F8 1E 5D AF 02 A0 1A 50 A7 73 7B 50 2F 77 06 72 91 51 63 05 B0 ED 67 50 F2 A0 38 8C 32



The management of DarkMatter is responsible for establishing and maintaining effective controls over its SSL CA operations, including its network and certificate security system controls, its SSL CA business practices disclosure on its website, SSL key lifecycle management controls, and SSL certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to DarkMatter’ CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

The management of DarkMatter has assessed the design of controls over its SSL-CA Services as scoped above. Based on that assessment, in DarkMatter management’s opinion, in providing its SSL-CA services throughout the period 20 October 2017 to 30 September 2018, DarkMatter has:

Disclosed its Certificate practices and procedures in its Certification Practice Statement, version 1.7, dated September 2018, including its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Guidelines on https://ca.darkmatter.ae/CPS/index.html, and provided such services in accordance with its disclosed practices

maintained effective controls to provide reasonable assurance that

o the integrity of keys and SSL certificates it manages is established and protected throughout their life cycles; and

o SSL subscriber information is properly collected, authenticated (for the registration activities performed by DarkMatter) and verified.

maintained effective controls to provide reasonable assurance that

o logical and physical access to CA systems and data is restricted to authorized individuals;

o the continuity of key and certificate management operations is maintained; and

o CA systems development, maintenance and operations are properly authorized and performed to maintain CA systems integrity.

maintained effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum.

in accordance with the WebTrust® Principles and Criteria for Certification Authorities – SSL Baseline Requirements with Network Security – Version 2.2, including the following:

CA BUSINESS PRACTICES DISCLOSURE


CA SERVICE INTEGRITY

o Key Generation Ceremony o Certificate Content And Profile o Certificate Request Requirements o Verification Practices o Certificate Revocation And Status Checking o Employee And Third Parties o Data Records o Audit

CA ENVIRONMENTAL SECURITY

For approval:

Scott Rea


DarkMatter LLC

__________________________






To the management of DarkMatter LLC:We have examined the assertion by the management of DarkMatter LLC (hereafter called: DarkMatter) that for its Certification Authority (CA) operations in the United Arabic Emirates, throughout the period 20 October 2017 to 30 September 2018 for its infrastructure consisting of the following entities:








3A E6 99 D9 4E 8F EB DA CB 86 D4 F9 0D 40 90 33 33 47 8E 65 E0 65 5C 43 2451 19 7E 33 FA 07 F2











DigitalX1 Assured CA G4

35 7F 52 F8 1E 5D AF 02 A0 1A 50 A7 73 7B 50 2F 77 06 72 91 51 63 05 B0 ED 67 50 F2 A0 38 8C 32



2

DarkMatter has:

disclosed its SSL certificate lifecycle management business practices in its Certificate PracticeStatement v1.7 of September 2018, including its commitment to provide SSL certificates inconformity with the CA/Browser Forum Guidelines on https://ca.darkmatter.ae/CPS/index.htmlmaintained effective controls to provide reasonable assurance that:

the integrity of keys and SSL certificates it manages is established and protected throughouttheir lifecycles; andSSL subscriber information is properly authenticated (for the registration activities performedby DarkMatter)

maintained effective controls to provide reasonable assurance that:logical and physical access to CA systems and data is restricted to authorized individuals;the continuity of key and certificate management operations is maintained; andCA systems development, maintenance, and operations are properly authorized andperformed to maintain CA systems integrity

maintained effective controls to provide reasonable assurance that it meets the Network andCertificate System Security Requirements as set forth by the CA/Browser Forum

based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security v2.2.The management of DarkMatter is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination.


obtaining an understanding of DarkMatter’s SSL certificate life cycle management practices,including its relevant controls over the issuance, renewal and revocation of SSL certificates andobtaining an understanding of DarkMatter’s network and certificate system security to meet therequirements set forth by the CA/Browser Forum;

selectively testing transactions executed in accordance with disclosed SSL certificate lifecyclemanagement practices;




The relative effectiveness and significance of specific controls at DarkMatter and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.Because of the nature and inherent limitations of controls, DarkMatter’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, unauthorized access to systems and information, or failure to comply with

3


internal and external policies or requirements. Also, the projection of any conclusions based on ourfindings to future periods is subject to the risk that changes may alter the validity of such conclusions.In our opinion, throughout the period 20 October 2017 to 30 September 2018, DarkMattermanagement’s assertion as referred to above is fairly stated, in all material respects, based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security(version 2.2).This report does not include any representation as to the quality of DarkMatter’ services beyondthose covered by the WebTrust for Certification Authorities – SSL Baseline with Network SecurityCriteria, or the suitability of any of DarkMatter’ services for any customer’s intended purpose.DarkMatter’s use of the WebTrust for Certification Authorities – SSL Baseline with Network SecuritySeal constitutes a symbolic representation of the contents of this report and it is not intended, norshould it be construed, to update this report or provide any additional assurance.





over its Extended Validation Certification Authority Operations during the period from 20 October 2017 to 30 September 2018

2 October 2018

DarkMatter LLC, a company under the United Arabic Emirates law, (hereafter: DarkMatter), provides Extended Validation Certification Authority (EV-CA) services through its PKI infrastructure, consisting of:







DarkMatter High Assurance CA 3A E6 99 D9 4E 8F EB DA CB 86 D4 F9 0D 40 90 33 33 47 8E 65 E0 65 5C 43 24 51 19 7E 33 FA 07 F2

DigitalX1 High Assurance CA G3 FD D7 C3 DB 9D 64 50 9E 00 83 60 40 2F CB 1B E1 C0 CB E2 20 D3 D2 82 AF 1F 9B 3D 8E 19 B3 E4 A4

DigitalX1 High Assurance CA G4 F2 B7 81 70 44 18 CC 6D 4F 20 0F 74 F5 42 C8 45 C9 1A C7 7C 82 F0 88 91 2A A1 A3 D3 B3 07 F6 1F

DM X1 High Assurance CA G3 89 D3 BF 92 91 48 27 AF EC 62 16 DE 97 70 AC 43 7E E8 C5 F2 27 B3 B2 98 20 A9 EF 33 55 1D BF C6

DM X1 High Assurance CA G4 27 44 26 9B E8 1D 48 0C 51 B2 1C 1C 26 B7 76 9A 90 56 4E 6D A0 AE 44 24 6D D7 79 CC AC 70 DA 34

Level 15, Aldar HQ Tel: +971 2 417 1417 Abu Dhabi www.darkmatter.ae United Arab Emirates The management of DarkMatter is responsible for establishing and maintaining effective controls over its EV SSL CA operations, including its EV SSL CA business practices disclosure on its website, EV SSL key lifecycle management controls, and EV SSL certificate lifecycle management controls. These controls contain monitoring mechanisms, and actions are taken to correct deficiencies identified.

There are inherent limitations in any controls, including the possibility of human error and the circumvention or overriding of controls. Accordingly, even effective controls can provide only reasonable assurance with respect to DarkMatter’ EV-CA operations. Furthermore, because of changes in conditions, the effectiveness of controls may vary over time.

The management of DarkMatter has assessed its disclosures of its certificate practices and controls over its EV SSL CA services. Based on that assessment, in DarkMatter management’s opinion, in providing its EV SSL CA services at Abu Dhabi and Dubai, United Arabic Emirates, throughout the period 20 October 2017 to 30 September 2018, DarkMatter has:

Disclosed its extended validation SSL (“EV SSL”) Certificate life cycle management practices in its certificate practice statement, version 1.7, dated September 2018, including its commitment to provide EV SSL certificates in conformity with the CA/Browser Forum Guidelines on https://ca.darkmatter.ae/CPS/index.html, and provided such services in accordance with its disclosed practices


o The integrity of keys and EV certificates it manages is established and protected throughout their life cycles; and

o EV SSL subscriber information is properly collected, authenticated (for the registration activities performed by DarkMatter) and verified

based on the AICPA/CICA WebTrust for Certification Authorities Extended Validation SSL Audit Criteria (version 1.6), including the following:

CA Business Practices Disclosure Service Integrity

o EV Certificate Content and Profile

o EV Certificate Request Requirements

o Information Verification Requirements

o Certificate Status Checking and Revocation

o Employee and Third Party Issues

Level 15, Aldar HQ Tel: +971 2 417 1417 Abu Dhabi www.darkmatter.ae United Arab Emirates For approval:

Scott Rea


DarkMatter LLC

__________________________






To the management of DarkMatter LLC:

We have examined the assertion by the management of DarkMatter LLC (hereafter called: DarkMatter) that for its Certification Authority (CA) operations in the United Arabic Emirates, throughout the period 20 October 2017 to 30 September 2018 for its infrastructure consisting of the following entities:

















DarkMatter has:

disclosed its extended validation SSL (“EV SSL”) certificate lifecycle management businesspractices in its Certificate Practice Statement v1.7 of September 2018, including itscommitment to provide EV SSL certificates in conformity with the CA/Browser Forum


2

Guidelines on https://ca.darkmatter.ae/CPS/index.html, and provided such services in accordance with its disclosed practices.maintained effective controls to provide reasonable assurance that:

the integrity of keys and EV SSL certificates it manages is established and protectedthroughout their lifecycles; andEV SSL subscriber information is properly authenticated (for the registration activitiesperformed by DarkMatter)

based on the AICPA/CICA WebTrust for Certification Authorities - Extended Validation Audit Criteria (version 1.6).The management of DarkMatter is responsible for its assertion. Our responsibility is to express an opinion on management’s assertion based on our examination.


obtaining an understanding of DarkMatter’s EV SSL certificate life cycle managementpractices, including its relevant controls over the issuance, renewal and revocation of EV SSLcertificates;

selectively testing transactions executed in accordance with disclosed EV SSL certificatelifecycle management practices;




The relative effectiveness and significance of specific controls at DarkMatter CA and their effect on assessments of control risk for subscribers and relying parties are dependent on their interaction with the controls, and other factors present at individual subscriber and relying party locations. We have performed no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations.Because of the nature and inherent limitations of controls, DarkMatter’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct, error, fraud, unauthorized access to systems and information or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.In our opinion, throughout the period 20 October 2017 to 30 September 2018, DarkMatter management’s assertion as referred to above is fairly stated, in all material respects, based on the WebTrust for Certification Authorities - Extended Validation Criteria (version 1.6). This report does not include any representation as to the quality of DarkMatter’ services beyond those covered by the WebTrust for Certification Authorities - Extended Validation Criteria, or the suitability of any of DarkMatter’ services for any customer’s intended purpose.

3


DarkMatter’s use of the WebTrust for Certification Authorities – Extended Validation SSL Sealconstitutes a symbolic representation of the contents of this report and it is not intended, norshould it be construed, to update this report or provide any additional assurance.



Documents

Abu Dhabi United Arab Emirates ... · Level 15, Aldar HQ Tel: +971 2 417 1417 Abu Dhabi United Arab Emirates DigitalX1 High Assurance CA G4 F2 B7 81 70 44 18 CC 6D 4F 20 0F 74 F5