8/14/2019 Department of Labor: dst-aces-cps-v20040617
1/121
Certification Practices Statement of Digital Signature Trust for the Access Certificates for Electronic Services Program
Digital Signature Trust, LLC
Version 4.1
June 14, 2004
8/14/2019 Department of Labor: dst-aces-cps-v20040617
2/121
TABLE OF CONTENTS
SECTION PAGE
SECTION 1 INTRODUCTION ........................................................................................... 1
1.1 OVERVIEW............................................................................................................. 1
1.2 POLICY IDENTIFICATION................................................................................... 1
1.3 COMMUNITY AND APPLICABILITY................................................................. 2
1.3.1 Certificate Service Providers............................................................................ 31.3.1.1 Certification Authorities (CAs) ............................................................................................31.3.1.2 Registration Authorities (RAs) and Trusted Agents.............................................................31.3.1.3 Certificate Manufacturing Authorities (CMAs) .......... .......... ........... .......... ........... .......... .....41.3.1.4 Repositories ..........................................................................................................................4
1.3.2 End Entities ...................................................................................................... 41.3.2.1 Subscribers ...........................................................................................................................41.3.2.2 Relying Parties......................................................................................................................41.3.2.3 Agency and Relying Party Applications...............................................................................51.3.2.3.1 Agency and Relying Party Application SSL Server Certificates................. .......... ........... ......51.3.2.3.2 Agency and Relying Party Application (Mutual Authentication and Signing) .......... ........... .51.3.2.3.3 Agency and Relying Party Application (Encryption) ........... .......... ........... .......... ........... ........51.3.2.3.4 Agency and Relying Party Application (Other) .......... .......... ........... ........... .......... ........... ......5
1.3.3 Policy Authority ............................................................................................... 5
1.3.4 Applicability..................................................................................................... 61.3.4.1 Purpose .................................................................................................................................61.3.4.2 Suitable Uses ........................................................................................................................8
1.4 CONTACT DETAILS.............................................................................................. 8
1.4.1 Organization Responsible for this Certification Practice Statement ................ 8
1.4.2 Contact Person.................................................................................................. 91.4.3 Person Determining Suitability of this CPS ..................................................... 9
SECTION 2 GENERAL PROVISIONS............................................................................ 10
2.1 OBLIGATIONS ..................................................................................................... 10
2.1.1 CAs Obligations ............................................................................................ 10
2.1.2 RA / Trusted Agent Obligations..................................................................... 11
2.1.3 CMA Obligations ........................................................................................... 11
2.1.4 Repository Obligations ................................................................................... 11
2.1.5 Subscriber Obligations ................................................................................... 12
2.1.6 Relying Party Obligations .............................................................................. 122.1.7 Policy Authority Obligations.......................................................................... 13
2.2 LIABILITIES ......................................................................................................... 13
2.2.1 DST Liability.................................................................................................. 15
2.2.2 RA, CMA, and Repository Liability .............................................................. 15
2.3 FINANCIAL RESPONSIBILITY.......................................................................... 15
2.3.1 Indemnification by Relying Parties ................................................................ 15
2.3.3 Fiduciary Relationships .................................................................................. 15
ii
8/14/2019 Department of Labor: dst-aces-cps-v20040617
3/121
2.3.4 Administrative Processes................................................................................ 15
2.4 INTERPRETATION AND ENFORCEMENT ...................................................... 15
2.4.1 Governing Law............................................................................................... 15
2.4.2 Severability, Survival, Merger, Notice........................................................... 16
2.4.3 Dispute Resolution Procedures ...................................................................... 16
2.5 FEES....................................................................................................................... 162.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees................. 16
2.5.2 Certificate Access Fees................................................................................... 16
2.5.3 Revocation Status Information Access Fees (Certificate Validation
Services) 16
2.5.4 Fees for Other Services such as Policy Information ...................................... 16
2.5.5 Refund Policy ................................................................................................. 17
2.6 PUBLICATION AND REPOSITORY .................................................................. 17
2.6.1 Publication of Information ............................................................................. 17
2.6.2 Frequency of Publication................................................................................ 17
2.6.3 Access Controls .............................................................................................. 17
2.6.4 Repositories .................................................................................................... 172.7 INSPECTIONS AND REVIEWS .......................................................................... 18
2.7.1 Certification and Accreditation ...................................................................... 182.7.1.1 Frequency of Certification Authority Compliance Review .......... ........... .......... ........... ......182.7.1.2 Identity/Qualifications of Reviewer ...................................................................................182.7.1.3 Auditor's Relationship to Audited Party ......... ........... .......... ........... ........... .......... ........... ....182.7.1.4 Communication of Results .................................................................................................19
2.7.2 Quality Assurance Inspection and Review..................................................... 192.7.2.1 Topics Covered by Quality Assurance Inspection and Review..........................................192.7.2.2 Identity/Qualifications of Reviewer ...................................................................................192.7.2.3 Auditor's Relationship to Audited Party ......... ........... .......... ........... ........... .......... ........... ....192.7.2.4 Audit Compliance Report...................................................................................................19
2.7.2.5 Actions Taken as a Result of Deficiency............................................................................192.7.2.6 Communication of Results .................................................................................................19
2.8 CONFIDENTIALITY ............................................................................................ 20
2.8.1 Types of Information to Be Kept Confidential............................................... 202.8.1.1 Privacy Policy and Procedures ...........................................................................................202.8.1.2 Subscriber Information .......................................................................................................202.8.1.3 GSA and Other Government Information ..........................................................................21
2.8.2 Types of Information Not Considered Confidential....................................... 21
2.8.3 Disclosure of Certificate Revocation/Suspension Information ...................... 21
2.8.4 Release to Law Enforcement Officials........................................................... 21
2.9 SECURITY REQUIREMENTS............................................................................. 22
2.9.1 System Security Plan ...................................................................................... 22
2.9.2 Risk Management ........................................................................................... 222.9.3 Certification and Accreditation ...................................................................... 23
2.9.4 Rules of Behavior ........................................................................................... 23
2.9.5 Contingency Plan............................................................................................ 23
2.9.6 Incident Response Capability......................................................................... 23
2.10 INTELLECTUAL PROPERTY RIGHTS.............................................................. 23
iii
8/14/2019 Department of Labor: dst-aces-cps-v20040617
4/121
SECTION 3 IDENTIFICATION AND AUTHENTICATION ....................................... 24
3.1 INITIAL REGISTRATION ................................................................................... 24
3.1.1 Types of Names.............................................................................................. 243.1.1.1 ACES Unaffiliated Individual Digital Signature and Encryption Certificates ......... ..........24
3.1.1.2 ACES Business Representative Digital Signature and Encryption Certificates .................243.1.1.3 ACES Agency (Relying Party Applications) Digital Signature and EncryptionCertificates 253.1.1.4 Agency Application SSL Server Certificates .......... ........... .......... ........... .......... ........... ......253.1.1.5 ACES Federal Employee Digital Signature and Encryption Certificates .......... ........... ......25
3.1.2 Name Meanings.............................................................................................. 263.1.2.1 ACES Unaffiliated Individual Digital Signature and Encryption Certificates ......... ..........263.1.2.2 ACES Business Representative Digital Signature and Encryption Certificates .................263.1.2.3 ACES Agency (Relying Party Applications) Digital Signature and EncryptionCertificates 273.1.2.4 ACES DST Digital Signature Certificates..........................................................................273.1.2.5 Agency Application SSL Server Certificates .......... ........... .......... ........... .......... ........... ......273.1.2.6 ACES Federal Employee Digital Signature and Encryption Certificates .......... ........... ......27
3.1.3 Rules for Interpreting Various Name Forms .................................................. 273.1.4 Name Uniqueness........................................................................................... 27
3.1.5 Name Claim Dispute Resolution Procedures ................................................. 28
3.1.6 Recognition, Authentication, and Role of Trademarks .................................. 29
3.1.7 Verification of Possession of Key Pair........................................................... 293.1.7.1 Hardware Tokens................................................................................................................293.1.7.2 Use of Shared Secrets .........................................................................................................29
3.1.8 Authentication of Sponsoring Organization Identity ..................................... 30
3.1.9 Authentication of Individual Identity ............................................................. 303.1.9.1 Authentication of ACES Unaffiliated Individual Digital Signature and EncryptionCertificates 313.1.9.2 Authentication of ACES Business Representative Digital Signature and EncryptionCertificates 323.1.9.3 Authentication of ACES Agency (Relying Party Applications) Digital Signature andEncryption Certificates ..........................................................................................................................333.1.9.4 Authentication of Component Identity .......... .......... ........... .......... ........... .......... .................333.1.9.5 Authentication of ACES Federal Employee Digital Signature and EncryptionCertificates 343.1.9.6 Other Certificates................................................................................................................35
3.2 CERTIFICATE RENEWAL, UPDATE AND ROUTINE REKEY..................... 35
3.2.1 Certificate Renewal ........................................................................................ 36
3.2.2 Certificate Rekey ................................................................................................. 36
3.2.3 Certificate Update........................................................................................... 36
3.3 REKEY AFTER REVOCATION .......................................................................... 37
3.4 REVOCATION REQUEST ................................................................................... 37
SECTION 4 OPERATIONAL REQUIREMENTS.......................................................... 38
4.1 CERTIFICATE APPLICATION ........................................................................... 38
4.1.1 Application Initiation ..................................................................................... 384.1.1.1 Application Form................................................................................................................394.1.1.2 Applicant Education and Disclosure ..................................................................................39
iv
8/14/2019 Department of Labor: dst-aces-cps-v20040617
5/121
4.1.2 Enrollment Process / DSTs Secure Registration Messaging Protocol.......... 39
4.1.3 Enrollment Process / Bulk Loading....................................................................... 39
4.1.4 Application Rejection..................................................................................... 40
4.2 CERTIFICATE ISSUANCE .................................................................................. 41
4.2.1 Certificate Delivery ........................................................................................ 41
4.2.2 Certificate Replacement ................................................................................. 424.3 CERTIFICATE ACCEPTANCE ........................................................................... 42
4.4 CERTIFICATE REVOCATION............................................................................ 43
4.4.1 Who Can Request Revocation ........................................................................ 43
4.4.2 Circumstances for Revocation........................................................................ 434.4.2.1 Permissive Revocation .......................................................................................................434.4.2.2 Required Revocation ..........................................................................................................43
4.4.3 Procedure for Revocation Request ................................................................. 44
4.4.4 Revocation Request Grace Period .................................................................. 45
4.4.5 Certificate Authority Revocation Lists/Certificate Revocation Lists ............ 454.4.5.1 CRL Issuance Frequency....................................................................................................45
4.4.5.2 CRL Checking Requirements .............................................................................................464.4.6 Online Revocation/Status Checking Availability........................................... 46
4.4.7 Online Revocation Checking Requirements .................................................. 47
4.4.8 Other Forms of Revocation Advertisements Available.................................. 47
4.4.9 Checking Requirements for Other Forms of Revocation Advertisements ..... 47
4.4.10 Special Requirements re Key Compromise.................................................... 47
4.5 CERTIFICATE SUSPENSION ............................................................................. 47
4.5.1 Circumstances for Suspension........................................................................ 47
4.5.2 Who Can Request Suspension ........................................................................ 48
4.5.3 Procedure for Suspension Request ................................................................. 48
4.6 COMPUTER SECURITY AUDIT PROCEDURES ............................................. 48
4.6.1 Types of Events Recorded.............................................................................. 484.6.2 Frequency of Processing Data ........................................................................ 48
4.6.3 Retention Period for Security Audit Data ...................................................... 48
4.6.4 Protection of Security Audit Data .................................................................. 48
4.6.5 Security Audit Data Backup Procedures ........................................................ 49
4.6.6 Security Audit Collection System (Internal vs. External).............................. 49
4.6.7 Notification to Event-Causing Subject........................................................... 49
4.6.8 Vulnerability Assessments ............................................................................. 49
4.7 RECORDS ARCHIVAL.............................................................................................. 49
4.7.1 Types of Events Recorded.............................................................................. 49
4.7.2 Retention Period for Archive.......................................................................... 50
4.7.3 Protection of Archive ..................................................................................... 504.8 KEY CHANGEOVER ........................................................................................... 51
4.9 COMPROMISE AND DISASTER RECOVERY ................................................. 51
4.9.1 Computing Resources, Software, and/or Data are Corrupted ........................ 51
4.9.2 DST Public Key Is Revoked........................................................................... 51
4.9.3 DST Private Key Is Compromised (Key Compromise Plan) ......................... 51
4.9.4 Secure Facility after a Natural or Other Disaster (Disaster Recovery Plan) .. 52
4.10 AUTHORIZED CA CESSATION OF SERVICES ............................................... 52
v
8/14/2019 Department of Labor: dst-aces-cps-v20040617
6/121
4.11 CUSTOMER SERVICE CENTER ........................................................................ 53
4.12 PRIVATE KEY RECOVERY............................................................................... 53
4.12.1 Circumstances for private key recovery......................................................... 54
4.12.2 Key Recovery Roles; Who can request private key recovery ........................ 54
4.12.3 Procedure for Private Key Recovery Request ................................................ 55
SECTION 5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY
CONTROLS.......................................................................................................................... 57
5.1 PHYSICAL SECURITY CONTROLS.................................................................. 57
5.1.1 Physical Access Controls ............................................................................... 57
5.1.2 Security Checks .............................................................................................. 58
5.1.3 Media Storage................................................................................................. 58
5.1.4 Environmental Security .................................................................................. 58
5.1.5 Off-Site Backup.............................................................................................. 59
5.2 PROCEDURAL CONTROLS ............................................................................... 60
5.2.1 Trusted Roles.................................................................................................. 605.2.1.1 Physical Security ................................................................................................................60
5.2.2 Number of Persons Required Per Task .......................................................... 60
5.2.3 Identification and Authentication for Each Role............................................ 61
5.2.4 Hardware/Software Maintenance Controls .................................................... 61
5.2.5 Documentation ............................................................................................... 61
5.2.6 Security Awareness and Training................................................................... 62
5.3 PERSONNEL SECURITY CONTROLS .............................................................. 63
5.3.1 Access Authorization...................................................................................... 63
5.3.2 Limited Access ............................................................................................... 635.3.2.1 Background Screening........................................................................................................63
5.3.2.2 Least Privilege ....................................................................................................................645.3.2.3 Separation of Duties ...........................................................................................................645.3.2.4 Individual Accountability ...................................................................................................65
SECTION 6 TECHNICAL SECURITY CONTROLS ................................................... 66
6.1 KEY PAIR GENERATION AND INSTALLATION ........................................... 66
6.1.1 Key Pair Generation ....................................................................................... 666.1.1.1 CA Key Pair Generation.....................................................................................................666.1.1.2 Hardware/Software Key Generation for Program Participants .......... .......... ........... .......... .66
6.1.2 Private Key Delivery to Entity/Owner ........................................................... 67
6.1.3 Subscriber Public Key Delivery to DST ........................................................ 67
6.1.4 CA Public Key Delivery to Users .................................................................. 676.1.5 Key Sizes ........................................................................................................ 67
6.1.6 Public Key Parameters Generation................................................................. 68
6.1.7 Parameter Quality Checking........................................................................... 68
6.1.8 Key Usage Purposes ....................................................................................... 68
6.1.9 Private Key Shared by Multiple Subscribers ....................................................... 68
6.1.10 Date/Time Stamps .......................................................................................... 68
6.2 PRIVATE KEY PROTECTION ............................................................................ 69
vi
8/14/2019 Department of Labor: dst-aces-cps-v20040617
7/121
6.2.1 Standards for Cryptographic Module ............................................................. 69
6.2.2 Private Key Backup........................................................................................ 69
6.2.3 Private Key Archival ...................................................................................... 70
6.2.4 Private Key Entry into Cryptographic Module .............................................. 70
6.2.5 Method of Activating Private Keys ................................................................ 70
6.2.6 Method of Deactivating Private Keys ............................................................ 706.2.7 Method of Destroying Subscriber Private Signature Keys ............................ 70
6.3 GOOD PRACTICES REGARDING KEY PAIR MANAGEMENT .................... 71
6.3.1 Public Key Archival ....................................................................................... 71
6.3.2 Private Key Archival ...................................................................................... 71
6.3.3 Usage Periods for the Public and Private Keys (Key Replacement).............. 71
6.3.4 Restrictions on CA's Private Key Use ............................................................ 71
6.4 ACTIVATION DATA ........................................................................................... 71
6.4.1 Activation Data Generation and Installation.................................................. 71
6.4.2 Activation Data Protection ............................................................................. 71
6.5 COMPUTER SECURITY CONTROLS................................................................ 72
6.5.1 Audit ............................................................................................................... 726.5.2 Technical Access Controls ............................................................................. 73
6.5.3 Identification and Authentication ................................................................... 73
6.5.4 Trusted Paths .................................................................................................. 74
6.6 LIFE CYCLE TECHNICAL CONTROLS............................................................ 74
6.6.1 System Development Controls ....................................................................... 74
6.6.2 Security Management Controls ...................................................................... 74
6.6.3 Object Reuse................................................................................................... 75
6.7 NETWORK SECURITY CONTROLS.................................................................. 75
6.7.1 Remote Access/ Dial-Up Access.................................................................... 76
6.7.2 Firewalls ......................................................................................................... 76
6.7.3 Encryption ...................................................................................................... 76
6.7.4 Interconnections ............................................................................................. 766.7.4.1 Connectivity with Internet and Other WANs .......... ........... .......... ........... .......... ........... ......76
6.7.5 Router ............................................................................................................. 77
6.7.6 Inventory of Network Hardware and Software .............................................. 77
6.8 CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS........................... 77
SECTION 7 CERTIFICATE AND CRL PROFILES ..................................................... 78
7.1 CERTIFICATE PROFILE ..................................................................................... 78
7.1.1 Version Numbers............................................................................................ 78
7.1.2 Certificate Extensions..................................................................................... 787.1.3 Algorithm Object Identifiers .......................................................................... 78
7.1.4 Name Forms ................................................................................................... 79
7.1.5 Name Constraints ........................................................................................... 79
7.1.6 Certificate Policy Object Identifiers............................................................... 79
7.1.7 Usage of Policy Constraints Extension .......................................................... 79
7.1.8 Policy Qualifiers Syntax and Semantics......................................................... 79
7.1.9 Processing Semantics for the Critical Certificate Policy Extension............... 79
vii
8/14/2019 Department of Labor: dst-aces-cps-v20040617
8/121
7.2 CRL PROFILE ....................................................................................................... 79
SECTION 8 POLICY ADMINISTRATION ..... 80
8.1 POLICY CHANGE PROCEDURES ..... 80
8.1.1 List of Items ..... 80
8.1.2 Comments ..... 80
8.2 PUBLICATION AND NOTIFICATION PROCEDURES ..... 80
8.3 CPS APPROVAL PROCEDURES ..... 80
8.4 Waivers ..... 80
SECTION 9 ACES PRIVACY POLICY AND PROCEDURES ..... 81
9.1 Administrative, Technical, and Physical Safeguards ..... 81
9.1.1 Handling of Information ..... 81
9.1.2 Information Provided to Certificate Applicant ..... 82
9.1.3 Limitations on Collection, Maintenance and Dissemination of Data ..... 82
9.1.4 Notice of Existence of Records ..... 82
9.1.5 Access to Records by Covered Individual ..... 83
9.1.6 Amendment of Records ..... 84
9.1.6.1 Handling of Request to Amend Record ..... 85
9.1.6.2 Handling of Request to Review Refusal to Amend Record ..... 86
9.1.6.3 Notification of Right to Appeal to GSA ..... 86
9.1.7 Disclosure Accounting ..... 87
9.1.8 Reports ..... 87
9.1.9 Certificate Issuance Warrants ..... 87
APPENDIX A RELYING PARTY AGREEMENT ..... 88
APPENDIX B ACRONYMS AND ABBREVIATIONS ..... 89
GLOSSARY ..... 93
APPENDIX C AUDITABLE EVENTS TABLE ..... 106
APPENDIX D APPLICABLE FEDERAL AND GSA REGULATIONS ..... 112
APPENDIX E CERTIFICATE PROFILES ..... 113
SECTION 1
INTRODUCTION
1.1 OVERVIEW
This Certification Practices Statement (CPS) describes the certification
practices of Digital Signature Trust, an Identrus company (DST), related to its
operations as a Certification Authority (CA) authorized to issue digital certificates in
accordance with the Certificate Policy (CP) for the Access Certificates for Electronic
Services (ACES) program of the United States Government. This CPS covers the
operation of systems and management of facilities used to provide public key
infrastructure (PKI) services described in the DST Concept of Operations, which include
Certification Authority (CA), Registration Authority (RA), and repository functionality.
In addition to this CPS, the ACES Certificate Policy (ACES CP) and the United States Government Common Policy CP may further specify requirements applicable to a
particular project, contract or set of contracts, or issuance of a class of certificates
undertaken by DST.
In particular, this CPS addresses the following:
(1) the roles, responsibilities, and relationships among DST, Trusted Agents,
Registration Authorities (RAs), Certificate Manufacturing Authorities (CMAs),
Repositories, Subscribers, Relying Parties, and the Policy Authority (referred to
collectively as Program Participants);
(2) obligations and operational responsibilities of the Program Participants; and
(3) DST's policies and practices for the issuance, delivery, management, and use
of ACES Certificates to verify digital signatures.
In the event of any inconsistency among this CPS, the ACES CP, and DST's ACES Contract with GSA, the GSA ACES Contract provisions take precedence over the CP, which in turn takes precedence over the CPS, even though this CPS may describe in
more detail the policies, practices and procedures implemented by DST in order to
comply with the ACES CP and its ACES Contract with GSA.
1.2 POLICY IDENTIFICATION
This CPS is DST's ACES CPS version 4.0. This CPS alone is not intended to provide the basis for any contractual obligations. Certificates are differentiated by function (signature or encryption), key storage method (software module or hardware token) and by the certificate subject or holder (unaffiliated individual, business representative, Federal employee, etc.). See Section 1.3. DST issues ACES certificates under the following policy OIDs:
DST's ACES CA Certificate: {2 16 840 1 101 3 2 1 1 1}
ACES Unaffiliated Individual Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 2}
ACES Unaffiliated Individual Encryption Certificates: {2 16 840 1 101 3 2 1 1 2}
ACES Business Representative Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 3}
ACES Business Representative Encryption Certificates: {2 16 840 1 101 3 2 1 1 3}
ACES Relying Party Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 4}
ACES Relying Party Encryption Certificates: {2 16 840 1 101 3 2 1 1 4}
ACES Agency Application SSL Server Certificates: {2 16 840 1 101 3 2 1 1 5}
ACES Federal Employee Digital Signature Certificates: {2 16 840 1 101 3 2 1 1 6}
ACES Federal Employee Encryption Certificates: {2 16 840 1 101 3 2 1 1 6}
ACES Federal Employee Digital Signature Certificates on Hardware Token: {2 16 840 1 101 3 2 1 1 7}
ACES Federal Employee Encryption Certificates on Hardware Token: {2 16 840 1 101 3 2 1 1 7}
All ACES Certificates issued by DST under this CPS include the appropriate OID for the applicable certificate in the Certificate Policies field of the Certificate. The foregoing OIDs are placed in certificates only as specifically authorized by the ACES CP. Upon approval by the Federal PKI Policy Authority for cross certification with the Federal Bridge Certification Authority (FBCA), ACES certificates issued by DST will support interoperability between the ACES PKI and another PKI by asserting the appropriate FBCA CP OIDs in the policyMappings extension. Certificates issued in accordance with other approved federal government certificate policies may assert other OIDs upon approval of the relevant policy authorities.
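The policy OIDs listed above are what a relying-party application has to look for in the certificatePolicies extension of a DST-issued certificate. As an added example that is not part of this CPS and not DST's own software, the following standard-library Python DER-encodes those OIDs, walks a certificatePolicies value, and reports which ACES certificate class a certificate asserts. The sample extension value, and the non-ACES OID 1.3.6.1.4.1.99999.1 it includes, are constructed for the demonstration. One point the list above makes quietly: within a subscriber class the signature and encryption certificates carry the same policy OID, so the policy OID alone does not tell the two apart; the keyUsage extension does.

```python
"""Added example (not from the CPS): DER-encode the Section 1.2 policy OIDs and
read back which of them a certificatePolicies extension asserts.
Standard library only; the sample extension value is constructed inline."""

# Policy OIDs exactly as listed in Section 1.2 of the CPS. Signature and encryption
# certificates of one subscriber class share an OID, so keyUsage (not the policy
# OID) tells a relying party which of the two it is looking at.
ACES_POLICY_OIDS = {
    "2.16.840.1.101.3.2.1.1.1": "ACES CA certificate",
    "2.16.840.1.101.3.2.1.1.2": "Unaffiliated Individual",
    "2.16.840.1.101.3.2.1.1.3": "Business Representative",
    "2.16.840.1.101.3.2.1.1.4": "Relying Party",
    "2.16.840.1.101.3.2.1.1.5": "Agency Application SSL Server",
    "2.16.840.1.101.3.2.1.1.6": "Federal Employee",
    "2.16.840.1.101.3.2.1.1.7": "Federal Employee (hardware token)",
}
TAG_OID, TAG_SEQUENCE = 0x06, 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _base128(n: int) -> bytes:
    """Base-128 encoding of one OID arc; the high bit is set on every byte but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID; the first two arcs are packed into one value (40*a + b)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([TAG_OID]) + _der_length(len(body)) + body


def decode_oid_body(body: bytes) -> str:
    """Inverse of encode_oid, applied to the content octets only."""
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_certificate_policies(oids) -> bytes:
    """Build a certificatePolicies value: SEQUENCE OF PolicyInformation { policyIdentifier OID }."""
    infos = b""
    for oid in oids:
        item = encode_oid(oid)
        infos += bytes([TAG_SEQUENCE]) + _der_length(len(item)) + item
    return bytes([TAG_SEQUENCE]) + _der_length(len(infos)) + infos


def asserted_policies(ext_value: bytes) -> list:
    """Walk a certificatePolicies value and return the asserted policy OIDs in order."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier comes first; qualifiers are ignored
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        found.append(decode_oid_body(oid_body))
    return found


def aces_classes(ext_value: bytes) -> list:
    """Map asserted OIDs to the ACES classes this CPS defines; OIDs outside the ACES arc are dropped."""
    return [ACES_POLICY_OIDS[o] for o in asserted_policies(ext_value) if o in ACES_POLICY_OIDS]


if __name__ == "__main__":
    # Constructed sample: a Business Representative certificate that also asserts a made-up non-ACES OID.
    sample = encode_certificate_policies(["2.16.840.1.101.3.2.1.1.3", "1.3.6.1.4.1.99999.1"])
    print(encode_oid("2.16.840.1.101.3.2.1.1.2").hex())
    print(asserted_policies(sample), aces_classes(sample))
```

A relying party that accepts only, say, Federal Employee certificates on hardware tokens would check that `aces_classes` contains that class and then still inspect keyUsage before treating the certificate as a signing certificate.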
1.3 COMMUNITY AND APPLICABILITY
The ACES PKI is a bounded public key infrastructure. The ACES CP and this CPS
describe the rights and obligations of persons and entities authorized under the CP to
fulfill any of the following roles: Certificate Service Provider roles, End Entity roles, and
Policy Authority role. Certificate Service Provider roles are CA, Trusted Agent, RA,
CMA, and Repository. End Entity roles are Subscriber--Unaffiliated Individual,
Business Representative, Federal Employee, Server, Agency Application, State and
registration functions without use of automated RA interfaces with DST's CA system.
1.3.1.3 Certificate Manufacturing Authorities (CMAs)
DST performs the role and functions of CMA. DST may also receive assistance in
performing its CMA functions from GSA-approved contracting third parties who agree to be subject to and bound by the ACES CP with respect to CMA services.
1.3.1.4 Repositories
DST performs the role and functions of Repository. DST may also receive assistance in
performing its Repository functions from GSA-approved contracting third parties who
agree to be subject to and bound by the ACES CP with respect to Repository services.
1.3.2 End Entities
1.3.2.1 Subscribers
DST issues ACES Certificates to the following classes of Subscribers:
(a) Members of the general public (Unaffiliated Individuals);
(b) Individuals authorized to act on behalf of business entities (i.e., Sponsoring
Organizations) recognized by DST, such as employees, officers, and agents of
a Sponsoring Organization (Business Representatives);
(c) Government employees authorized to act on behalf of state and local
government organizations;
(d) Federal Employees¹ authorized to act on behalf of federal Sponsoring Organizations recognized by DST, such as employees, officers, and agents of an Eligible Federal Agency, entity, or department. Eligible Federal agencies
and entities include all Federal agencies, authorized Federal Contractors,
agency-sponsored universities and laboratories, other organizations, and, if
authorized by law, state, local, and tribal governments. All organizations
listed in GSA Order ADM 4800.2D (as updated) are also eligible. The
Government has the right to add authorized users in these categories pursuant
to the ACES CP;
(e) Relying Parties that choose to use ACES; and
(f) Agency Application Servers.
1.3.2.2 Relying Parties
Relying Parties are those persons and entities authorized by either GSA or DST to accept and rely upon ACES Certificates for purposes of verifying digital signatures on electronic records and messages. Agencies desiring to become Relying Parties must enter into a GSA ACES Relying Party Agreement via a Memorandum of Understanding (MOA) to accept ACES Certificates and agree to be bound by the terms of the ACES CP. The Government may specify Relying Parties pursuant to the ACES CP. Any party other than an Agency desiring to become a Relying Party must enter into a DST ACES Relying Party Agreement with DST. DST shall have no liability to any Relying Party with respect to any DST-issued ACES certificate unless that party has entered into a GSA ACES Relying Party Agreement or a DST ACES Relying Party Agreement that remains in force at the time the certificate is relied upon.

¹ Any Business Representative Certificates issued to Federal Employees prior to the implementation of Federal Employee Certificates shall remain in effect until they expire.
1.3.2.3 Agency and Relying Party Applications
DST issues certificates to federal, state and local Agency and Relying Party Applications
for various purposes as described below.
1.3.2.3.1 Agency and Relying Party Application SSL Server Certificates
DST issues Agency Application SSL Server Certificates for use on federal, state and local Agency Servers to allow mutual authentication and/or trusted SSL communications with the federal, state or local agency's or Relying Party's customers. These certificates are issued to the agency or Relying Party server, where the common name is the registered Domain Name of the Webserver, and allow for server and client authentication through the extendedKeyUsage extension.
1.3.2.3.2 Agency and Relying Party Application (Mutual Authentication and
Signing)
DST issues signing-only certificates to federal, state and local agency and Relying Party applications for mutual authentication and for the purpose of providing Agency and Relying Party Customers with signed return receipt notifications acknowledging that the agency or relying party application received the customer's transaction, or to sign internal data (customer transactions, Application log files or agency archive data) where required by the agency policies.
1.3.2.3.3 Agency and Relying Party Application (Encryption)
DST issues data encryption certificates to federal, state and local agency and relying
party applications for the purpose of encrypting sensitive data where agency or relying
party policy dictates.
1.3.2.3.4 Agency and Relying Party Application (Other)
DST may issue other certificate types as needed by a federal, state or local agency,
relying party, or agency or relying party application. See Section 3.1.9.6 for further
information.
1.3.3 Policy Authority
GSA is the Policy Authority responsible for organizing and administering the ACES CP
and ACES Contract(s).
1.3.4 Applicability
1.3.4.1 Purpose
DST and its Subscribers may use ACES Digital Signature Certificates to mutually
authenticate Subscribers and Relying Party applications. Subscribers and Agency
Applications may use ACES Encryption Certificates to employ the confidentiality service
on the data exchanged. The following table summarizes the functional uses of ACES
Certificates:
ACES Certificate Type | Subscriber | Purpose | Use of Certificate
--------------------- | ---------- | ------- | ------------------
Unaffiliated Individual Certificate | Unaffiliated Individual | Digital Signature | To enable an Unaffiliated Individual ACES Subscriber and Relying Parties to mutually authenticate themselves electronically for information and transactions and to verify digitally signed documents/transactions
Unaffiliated Individual Certificate | Unaffiliated Individual | Encryption | To enable an Unaffiliated Individual ACES Subscriber to use confidentiality services (encryption and decryption) on his/her information and transactions
Business Representative Certificate | Business Representative authorized to act on behalf of a Sponsoring Organization | Digital Signature | To enable a Business Representative to mutually authenticate themselves to conduct business-related activities electronically and to verify digitally signed documents/transactions
Business Representative Certificate | Business Representative authorized to act on behalf of a Sponsoring Organization | Encryption | To enable a Business Representative to use confidentiality services (encryption and decryption) on his/her information and transactions
State and Local Governments | Government Employee authorized to act on behalf of a State or Local Government | Digital Signature | To enable a State or Local Government Representative to mutually authenticate themselves to conduct business-related activities electronically and to verify digitally signed documents/transactions
State and Local Governments | Government Employee authorized to act on behalf of a State or Local Government | Encryption | To enable a State or Local Government Representative to use confidentiality services (encryption and decryption) on his/her information and transactions
Relying Party Certificate | Relying Party | Digital Signature | To enable a Relying Party and Unaffiliated Individuals, Business Representatives (non-federal Employees), State and Local Governments, Federal Employees, and DST to mutually authenticate themselves; to make signed validation requests; and to sign log files
Relying Party Certificate | Relying Party | Encryption | To enable a Relying Party to provide confidentiality services (encryption and decryption) to Subscribers on their information and transactions
Agency / Relying Party Application SSL Server Certificate | Server | Authentication and Encrypted Data Transmission | To enable authenticated encrypted communications between subscribers and servers
Federal Employee Certificate | Federal Employee | Digital Signature | To enable a Federal Employee and Relying Parties to mutually authenticate themselves and to verify digitally signed documents/transactions
Federal Employee Certificate | Federal Employee | Encryption | To enable a Federal Employee to use confidentiality services (encryption and decryption) on his/her information and transactions
CA Certificate | N/A | | To enable the authorized CA to issue subscriber certificates
1.3.4.2 Suitable Uses
ACES Certificates may be used by individuals, businesses, and state and local
governments to transact business with the Federal Government and non-Federal
Government participants who would otherwise be involved in such transactions provided
that the Federal Government does not incur any additional costs.
1.4 CONTACT DETAILS
DST's Customer Service Center is available between 7 a.m. and 6 p.m. Mountain Standard Time (MST), Monday through Friday, excluding Federal holidays. DST's Customer Service Center assists subscribers with certificate- and key-related issues.
Such issues include, but are not limited to, problems with key generation and certificate
installation. Problems and inquiries received that are not certificate-related are directed
to the relevant government agency for resolution with the subscriber. Those concerns can
include, but are not limited to, problems with accessing information and inquiries of a
general nature. For questions concerning ACES certificates, DST operations or the DST
ACES CPS, please contact:
Digital Signature Trust
ACES Program
255 Admiral Byrd Road
Salt Lake City, UT 84116-3703
Toll-free US: 888-339-8798
Outside of the US: 801-326-5974
Fax: 801-326-5438
Otherwise, assistance is available at DST's ACES Web site, 24 hours per day, including
Federal holidays, to individual subscribers, business representatives, and individuals
authorized to act on behalf of agency applications.
1.4.1 Organization Responsible for this Certification Practice Statement
DST's Change and Risk Management Committee ("CRMC") reviews CPs and approves CPSs. The CRMC manages the audit and risk assessment function for DST's CA operations to ensure that risks are accurately identified, that the necessary mitigating activities are identified, and that individual projects proceed only when those conditions are met. The Chair of the
CRMC represents DST at meetings of the Audit Committee. The CRMC is comprised of
representatives from functional units across the organization.
1.4.2 Contact Person
Attn.: Keren Cummins
Digital Signature Trust, LLC
15200 Shady Grove Road
Suite 350
Rockville, MD 20850
Phone: (301) 921-5977
1.4.3 Person Determining Suitability of this CPS
Attn: ACES Program Manager
Federal Technology Service
General Services Administration
Washington, D.C. 20407
SECTION 2
GENERAL PROVISIONS
2.1 OBLIGATIONS
This Section provides a general description of the roles and responsibilities of the ACES
Program Participants operating under the ACES CP and this CPS: DST, RAs, CMAs,
Repositories, Subscribers, Relying Parties, and the Policy Authority. Additional
obligations are set forth in other provisions of this CPS, DST's ACES Contract, the
System Security Plan (the SSP), Privacy Practices and Procedures (the PPP),
Agreements with Relying Parties, Subscriber Agreements and other agreements with
Program Participants.
2.1.1 CAs Obligations
This section corresponds to Section 2.1.1 of the ACES CP and addresses the obligations
and responsibilities of DST and its Authorized RAs, CMAs, and Repositories and their
performance with respect to all ACES Certificates that DST issues.
DST is responsible for all aspects of the issuance and management of ACES Certificates,
including the application/enrollment process; the identification verification and
authentication process; the certificate manufacturing process; dissemination and
activation of the certificate; publication of the certificate (if required); renewal,
suspension, revocation, and replacement of the certificate; verification of certificate
status upon request; and ensuring that all aspects of DST's services, operations and infrastructure related to ACES Certificates are performed in accordance with the requirements, representations, and warranties of the ACES CP (except in circumstances
where government agencies or Relying Parties agree to provide defined RA roles and
functions).
DST assumes responsibility for ensuring that all work is performed under the supervision
of DST and responsible DST employees. DST provides assurance of the trustworthiness
and competence of its employees and their satisfactory performance of duties relating to
the provision of ACES services as described in this CPS and other relevant documents.
Each DST employee to whom information is made available or disclosed is notified in
writing by DST that information disclosed to such employee can be used only for the
purpose and to the extent authorized in the ACES CP and other relevant documents.
DST complies with all applicable Federal and GSA requirements set forth in its ACES
Contract with GSA, including the Federal Privacy Act, Appendices I and III of OMB
Circular A-130, and regulations governing the prevention and reporting of waste, fraud
and abuse, as supported by the documentation that it submits to GSA and/or other
Federal agencies. DST has standard forms for contracts, which contain DST's obligations among different classes of subscribers and relying parties. DST's system architectures
support varying levels of workload, as set forth in DSTs ACES Contract.
2.1.2 RA / Trusted Agent Obligations
A Registration Authority (RA) is a person or entity responsible for the applicant
registration, certificate application, and authentication of identity functions for Unaffiliated Individuals, Business Representatives, State and Local Government
Representatives, Federal Employees, Servers, and Relying Parties. An Authorized RA
may also be responsible for handling suspension and revocation requests, and for aspects
of Subscriber education.
Authorized RAs retained under contract to perform RA services on behalf of DST are
required to comply with the provisions of this CPS and the ACES CP.
Trusted Agents are responsible for reviewing and collecting registration data and
completed in-person registration forms for submission to DST or its Authorized RA as
part of a bulk-loading registration process for applicants who are authorized by the Trusted Agent's organization to hold an ACES Certificate. DST enters into contractual
agreements with some Trusted Agents and Authorized RAs requiring them to retain and
protect collected information in accordance with applicable requirements of the ACES
CP. DST and its Authorized RAs and Trusted Agents shall accurately verify subscriber identity and process requests and responses in a timely and secure manner. DST's Authorized RAs
and Trusted Agents shall comply with this CPS and the ACES CP. DST will monitor the
compliance of its Authorized RAs and Trusted Agents with this CPS and the ACES CP.
Failure to comply with the provisions of the CPS and the CP may subject DST, and any
Authorized RA or Trusted Agent, to sanctions, including termination as agent of DST
and possible civil and criminal sanctions.
2.1.3 CMA Obligations
A CMA is responsible for the functions of manufacturing, issuance, suspension, and
revocation of ACES Certificates. CMAs retained under contract to perform CMA
services on behalf of DST are required to comply with the provisions of this CPS and the
ACES CP.
2.1.4 Repository Obligations
A Repository is responsible for maintaining a secure system for storing and retrieving
currently valid ACES Certificates, a current copy of the ACES CP, and other information
relevant to ACES Certificates, and for providing information regarding the status of
ACES Certificates as valid or invalid that can be determined by a Relying Party.
Repositories retained under contract to perform Repository services on behalf of DST are
required to comply with the provisions of this CPS and the ACES CP.
2.1.5 Subscriber Obligations
Through a combination of online processes and printed forms, each applicant for an
ACES Certificate shall:
- provide complete and accurate responses to all requests for information made by DST (or a Trusted Agent or Authorized RA) during the applicant registration, certificate application, and authentication of identity processes;
- generate a key pair using a reasonably trustworthy system, and take reasonable precautions to prevent any compromise, modification, loss, disclosure, or unauthorized use of the private key;
- upon issuance of an ACES Certificate naming the applicant as the Subscriber, review the ACES Certificate to ensure that all Subscriber information included in it is accurate, and expressly indicate acceptance or rejection of the ACES Certificate;
- protect the private key(s) at all times, in accordance with the applicable Subscriber Agreement, this CPS, the ACES CP and any other obligations that the Subscriber may otherwise have;
- use the ACES Certificate and the corresponding private key exclusively for purposes authorized by the ACES CP and only in a manner consistent with the ACES CP;
- instruct DST (or an Authorized RA or employer) to revoke the ACES Certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the private key, or, in the case of Business Representative and Federal Employee ACES Certificates, whenever the Subscriber is no longer affiliated with the Sponsoring Organization; and
- respond as required to notices issued by DST or its authorized agents.
Subscribers who receive certificates from DST shall comply with these requirements as
well as those in the ACES CP. Additional information concerning the rights and
obligations of Subscribers may be found in Sections 1.3, 3.1 and 4.1 of this CPS.
2.1.6 Relying Party Obligations
The ACES CP and an applicable Relying Party Agreement (the Relying Party Agreement contained in Appendix A to the ACES CP or a Relying Party Agreement entered into between DST and a non-Agency Relying Party) are binding on each Relying Party and govern its performance with respect to its application for, use of, and reliance on ACES
Certificates.
(a) Acceptance of Certificates. Each Relying Party will validate ACES Certificates issued by all Authorized CAs;
(b) Certificate Validation. Each Relying Party will validate every ACES Certificate it relies upon with the Authorized CA that issued the certificate; and
(c) Reliance. A Relying Party may rely on a valid ACES Certificate for purposes of verifying the digital signature only if:
- the ACES Certificate was used and relied upon to authenticate a Subscriber's digital signature for an application bound by the ACES CP;
- prior to reliance, the Relying Party (1) verified the digital signature by reference to the public key in the ACES Certificate, (2) checked the status of the ACES Certificate by generating an appropriate status request via a current CRL, OCSP, or other comparable validation method, as approved by GSA, and (3) the check of the certificate's status indicated that the certificate was valid; and
- the reliance was reasonable and in good faith in light of all the circumstances known to the Relying Party at the time of reliance.
Relying Parties must evaluate the environment and the associated threats and
vulnerabilities and determine the level of risk they are willing to accept based on the
sensitivity or significance of the information. This evaluation is done by each Relying
Party for each application and is not controlled by the ACES CP or this CPS. Relying
Parties who rely on stale CRLs do so at their own risk. See Section 4.4 (Certificate
Revocation).
Parties who rely upon the certificates issued under the ACES CP or this CPS should
preserve original signed data, the applications necessary to read and process that data,
and the cryptographic applications needed to verify the digital signatures on that data for
as long as it may be necessary to verify the signature on that data.
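The conditions in this section amount to a decision procedure: a verified signature, a certificate that was valid at signing time, and a status check whose answer was actually "good" rather than "unknown". As an added example that is not part of this CPS and not DST's software, the following standard-library Python applies those conditions to a certificate record and a CRL snapshot, treating a stale CRL, a CRL dated in the future, or a CRL from a different issuer as an unknown status, never as a good one. The certificate, the CRL records, the issuer name, the 24-hour maximum CRL age and the 5-minute clock-skew allowance are constructed assumptions; the signature verification itself enters as a boolean input, since the cryptographic check depends on the application's signature format.

```python
"""Added example (not from the CPS): the Section 2.1.6 relying-party checks run
against a certificate and a CRL snapshot. Any CRL that cannot vouch for the
certificate yields "unknown", and "unknown" never becomes "good".
Standard library only; all records below are constructed, not real ACES data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime
    digital_signature: bool   # keyUsage digitalSignature bit; an ACES encryption certificate has it clear


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset         # serial numbers the CRL lists as revoked


@dataclass(frozen=True)
class ReliancePolicy:
    """The relying party's own risk threshold; Section 2.1.6 leaves it to each application."""
    max_age: timedelta = timedelta(hours=24)      # refuse a CRL older than this even before nextUpdate
    clock_skew: timedelta = timedelta(minutes=5)  # tolerance between our clock and the CA's


def crl_status(cert: Certificate, crl: CRL, now: datetime, policy: ReliancePolicy) -> str:
    """Return 'good', 'revoked' or 'unknown' for cert according to crl, as of now."""
    if crl.issuer != cert.issuer:
        return "unknown"      # a CRL from another issuer says nothing about this certificate
    if crl.this_update > now + policy.clock_skew:
        return "unknown"      # CRL dated in the future relative to our clock: do not trust it
    if now > crl.next_update + policy.clock_skew or now - crl.this_update > policy.max_age:
        return "unknown"      # stale list: a later revocation may be missing from it
    return "revoked" if cert.serial in crl.revoked else "good"


def may_rely(signature_verified: bool, cert: Certificate, crl: CRL,
             signing_time: datetime, now: datetime, policy: ReliancePolicy):
    """Apply the conditions of Section 2.1.6(c); return (decision, reason)."""
    if not signature_verified:
        return False, "signature does not verify under the public key in the certificate"
    if not cert.digital_signature:
        return False, "keyUsage lacks digitalSignature: this is not a signing certificate"
    if not cert.not_before <= signing_time <= cert.not_after:
        return False, "signing time lies outside the certificate validity period"
    status = crl_status(cert, crl, now, policy)
    if status != "good":
        return False, f"certificate status is {status}, not good"
    return True, "signature verified and certificate status confirmed good"


# Constructed sample data (assumed values, not real ACES artifacts).
NOW = datetime(2004, 6, 14, 12, 0, tzinfo=timezone.utc)
SIGNING_TIME = NOW - timedelta(minutes=10)
DEFAULT_POLICY = ReliancePolicy()
ISSUER = "CN=DST ACES CA,O=Digital Signature Trust"
SAMPLE_CERT = Certificate(serial=0x1234, issuer=ISSUER, not_before=NOW - timedelta(days=30),
                          not_after=NOW + timedelta(days=335), digital_signature=True)
FRESH_CRL = CRL(ISSUER, NOW - timedelta(hours=1), NOW + timedelta(hours=23), frozenset({0x99}))
REVOKED_CRL = CRL(ISSUER, NOW - timedelta(hours=1), NOW + timedelta(hours=23), frozenset({0x1234}))
STALE_CRL = CRL(ISSUER, NOW - timedelta(days=3), NOW - timedelta(days=2), frozenset())
FOREIGN_CRL = CRL("CN=Some Other CA", NOW - timedelta(hours=1), NOW + timedelta(hours=23), frozenset())


def run_demo() -> dict:
    """Evaluate the sample certificate against each CRL; returns {name: (decision, reason)}."""
    crls = {"fresh": FRESH_CRL, "revoked": REVOKED_CRL, "stale": STALE_CRL, "foreign": FOREIGN_CRL}
    return {name: may_rely(True, SAMPLE_CERT, crl, SIGNING_TIME, NOW, DEFAULT_POLICY)
            for name, crl in crls.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:8s} -> {'RELY' if ok else 'REFUSE'}: {why}")
```

The stale case is the one this section calls out: an expired CRL still lists whatever was revoked before it was issued, but it cannot show that nothing was revoked since, so the honest answer is "unknown" and the relying party either fetches a current CRL, queries OCSP, or declines to rely.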
2.1.7 Policy Authority Obligations
The Policy Authority is responsible for the terms and maintenance of the ACES CP.
2.2 LIABILITIES
Except as expressly provided in written contracts, including DSTs ACES Contract, and
according to specific certificate policies and other statutory and regulatory requirements,
DST disclaims all warranties and obligations of any type, including any warranty of
merchantability, any warranty of fitness for a particular purpose, and any warranty of
accuracy of information provided.
Nothing in the ACES CP or this CPS shall create, alter, or eliminate any other obligation,
responsibility, or liability that may be imposed on any Program Participant by virtue of
any contract or obligation that is otherwise determined by applicable law.
DST SHALL HAVE NO LIABILITY FOR LOSS DUE TO USE OF A DST-
ISSUED ACES CERTIFICATE, UNLESS THE LOSS IS PROVEN TO BE A
DIRECT RESULT OF A BREACH BY DST OF THIS CPS OR A PROXIMATE
RESULT OF THE GROSS NEGLIGENCE, FRAUD OR WILLFUL
MISCONDUCT OF DST. DST SHALL HAVE NO LIABILITY FOR CLAIMS
ALLEGING ORDINARY NEGLIGENCE.
A Relying Party shall have no recourse against DST, its RAs, certificate manufacturing
authority or repository for any claim under any theory of liability (including negligence)
arising out of reliance upon an ACES certificate, unless such party shall have agreed to provide such recourse under a contract with the relying party. Each Relying Party
assumes all risk of such reliance in the absence of such agreement, except that the
Subscriber may have liability under applicable law to the Relying Party with respect to a
message bearing his digital signature that is authenticated with an ACES certificate.
ACES certificates shall contain, in a non-critical field, notice that there is no recourse against the issuer of the ACES certificate except as provided for under Paragraph 2.2 of the ACES Certificate Policy, as stipulated in APPENDIX E of this CPS.
IN NO EVENT SHALL DST BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT,
REMOTE, EXEMPLARY, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES, OR
DAMAGES FOR BUSINESS INTERRUPTION, LOSS OF PROFITS, REVENUES
SAVINGS, OPPORTUNITIES OR DATA, OR INJURY TO CUSTOMER
RELATIONSHIPS, REGARDLESS OF THE FORM OF ACTION AND
REGARDLESS OF WHETHER DST WAS ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
DST SHALL INCUR NO LIABILITY IF DST IS PREVENTED, FORBIDDEN OR
DELAYED FROM PERFORMING, OR OMITS TO PERFORM, ANY ACT OR
REQUIREMENT BY REASON OF ANY PROVISION OF ANY APPLICABLE LAW,
REGULATION OR ORDER, THE FAILURE OF ANY ELECTRICAL,
COMMUNICATION OR OTHER SYSTEM OPERATED BY ANY PARTY OTHER
THAN DST OR ANY ACT OF GOD, EMERGENCY CONDITION OR WAR OR
OTHER CIRCUMSTANCE BEYOND THE CONTROL OF DST.
Any applicable limitation of DST's liability contained in any DST Subscriber Agreement, DST Business Representative Authorization Form or DST Relying Party Agreement,
respectively, shall apply to any claim against DST by such Subscriber or Relying Party,
respectively.
2.2.1 DST Liability
See Section 2.2. Tort liability for claims by parties other than Program Participants arising out of transactions involving Certificates issued under the ACES Contract is
governed by the Federal Tort Claims Act. DST asserts the Government Contractor
defense, which is applicable to DST to the extent that DST has met the standard of care
spelled out by the ACES Contract. Other limitations and disclaimers of liability may exist
in agreements between DST and Program Participants. Use of, or reliance upon, a DST-issued ACES Certificate other than pursuant to an agreement with GSA or DST is
prohibited and is at such partys own risk.
2.2.2 RA, CMA, and Repository Liability
See Section 2.2 and Section 2.2.1.
2.3 FINANCIAL RESPONSIBILITY
No stipulation.
2.3.1 Indemnification by Relying Parties
A Relying Party under a DST ACES Relying Party Agreement shall indemnify DST
under the applicable terms and conditions of any indemnification provision therein.
2.3.2 Indemnification by Subscriber
A Subscriber under a DST ACES Subscriber Agreement shall indemnify DST under the
applicable terms and conditions of any indemnification provision therein.
2.3.3 Fiduciary Relationships
Issuance of ACES Certificates by DST or its representatives or agents in accordance with
this CPS does not make DST or its representatives or agents, fiduciaries, trustees, or
representatives of Subscribers or Relying Parties.
2.3.4 Administrative Processes
No stipulation.
2.4 INTERPRETATION AND ENFORCEMENT
2.4.1 Governing Law
The laws of the United States and the State of Utah shall govern the enforceability,
construction, interpretation, and validity of this CPS.
2.4.2 Severability, Survival, Merger, Notice
Should it be determined that one section of this CPS is incorrect or invalid, the other sections of this CPS shall remain in effect until the CPS is updated.
2.4.3 Dispute Resolution Procedures
In the event of any dispute or disagreement between two or more of the Program
Participants (Disputing Parties) arising out of or relating to the ACES CP or ACES
Contracts, this CPS, or relevant Agreements related to this policy, which include Relying
Party Agreements and Subscriber Agreements, the Disputing Parties shall use their best
efforts to settle the dispute or disagreement through negotiations in good faith following
notice from one Disputing Party to the other(s). If the Disputing Parties cannot reach a
mutually agreeable resolution of the dispute or disagreement within sixty (60) days following the date of such notice, then the Disputing Parties may present the dispute to
the GSA ACES Contract Officer for resolution.
Any Contract dispute between DST and GSA shall be handled under the terms and
conditions of the ACES Contract.
2.5 FEES
2.5.1 Certificate Issuance, Renewal, Suspension, and Revocation Fees
Fees may be assessed for certificate issuance and for certificate renewal (re-key). Fees will not be assessed for certificate suspension and revocation.
2.5.2 Certificate Access Fees
DST shall not impose any certificate access fees on Subscribers with respect to the
content of their own ACES Certificate(s) or the status of such ACES Certificate(s).
2.5.3 Revocation Status Information Access Fees (Certificate Validation
Services)
Fees may be assessed for certificate validation services based upon Relying Party agreements negotiated between DST and the validating party.
2.5.4 Fees for Other Services such as Policy Information
DST may charge for recovery of escrowed decryption keys, but shall not impose fees for
access to policy information.
2.5.5 Refund Policy
Refunds are not provided unless other arrangements are specifically made through
customer agreements.
2.6 PUBLICATION AND REPOSITORY
2.6.1 Publication of Information
ACES Certificates issued by DST contain pointers to locations where certificate-related
information is published. DST's secure online Repository is available to Subscribers and
Relying Parties at DST's LDAP repository directory, which contains: (1) all ACES
Certificates issued by DST that have been accepted by Subscribers; and (2) Authority
Revocation Lists / Certificate Revocation Lists (ARLs/CRLs), as specified by the ACES
Contract and the ACES Policy Office. Online certificate status information is available
through DST's ACES validation services. DST's Federal web pages for ACES contain
links to: (1) DST's ACES Certificate for its signing key; (2) past and current versions of DST's ACES CPS; (3) a copy of the ACES CP; and (4) other relevant information about
ACES Certificates.
2.6.2 Frequency of Publication
All information to be published in the repository shall be published immediately after
such information is available to DST. DST will publish ACES Certificates immediately
upon acceptance of such ACES Certificates. Information relating to the status of an
ACES Certificate will be published in accordance with DST's GSA ACES Contract.
2.6.3 Access Controls
DST does not impose any access controls on the ACES CP, DST's ACES Certificate for
its signing key, and past and current versions of this CPS as well as subscriber certificates
and status information. DST does, however, impose access controls to ensure
authentication of Subscribers with respect to their own certificate(s) and the status of
such certificate(s) and personal registration information, which is separately managed
from the public certificate and status repository. Access is restricted in accordance with
Section 2.8.1.1. Access to information in DST's ACES repositories is otherwise
determined by the GSA pursuant to its authorizing and controlling statutes.
2.6.4 Repositories
Information in DST's ACES repository is protected in accordance with the Privacy Act
of 1974 as set forth in DST's Privacy Policies and Procedures (PPP), available at DST's
Federal web pages for ACES and other privacy- and security-related documents that are
maintained internally by DST. See Section 2.8.1.1.
2.7 INSPECTIONS AND REVIEWS
DST is subject to inspections and reviews in accordance with Federal regulations and
GSA policy and security guidelines (See Appendix D to the ACES CP). DST's system
security test and evaluation plan describes how the security features and controls of its
systems are to be tested and reviewed when significant modifications are made. DST is also subject to examination and the regulatory authority of the Office of the Comptroller
of the Currency (OCC) under 12 U.S.C. 867(c). DST's commercial practices are
audited as required by the OCC and states where DST is licensed as a CA. Full or partial
audit results may be released to the extent permitted by law, regulation, contract or DST
management. DST is audited annually pursuant to the American Institute of Certified
Public Accountants (AICPA's) / Canadian Institute of Chartered Accountants (CICA's)
Web Trust Program for Certification Authorities (CA Web Trust). In addition to
examination and regulation by the OCC, CA Web Trust, and other audits performed by
independent auditors, DST is subject to the GSA's Certification and Accreditation
(C&A) process.
2.7.1 Certification and Accreditation
In accordance with the ACES CP and the DST ACES Contract, DST and its CA system
subcontractors must undergo ACES Security C&A as a condition of obtaining and
retaining approval to operate as an Authorized CA under the ACES CP. The C&A
process verifies that DST has in place and follows a system that assures that the quality
of its CA Services conforms to the requirements of the ACES CP and its ACES Contract.
C&A is performed in accordance with Federal regulations and GSA policy and
supporting security guidelines. (See Appendix D to the ACES CP).
2.7.1.1 Frequency of Certification Authority Compliance Review
DST has passed previous C&As and has demonstrated compliance with the ACES CP, its
ACES CPS, and its GSA ACES Contract. The GSA and other authorized Federal entities
may perform periodic and aperiodic compliance audits or inspections of DST,
subordinate CA, or RA operations to validate that the subordinate entities are operating
in accordance with the security practices and procedures described in their respective
CPSs, Registration Practices Statements (RPSs), SSPs and PPPs.
2.7.1.2 Identity/Qualifications of Reviewer
See Section 2.7.1.2 of the ACES CP.
2.7.1.3 Auditor's Relationship to Audited Party
See Section 2.7.1.3 of the ACES CP.
2.7.1.4 Communication of Results
See Section 2.7.1.4 of the ACES CP.
2.7.2 Quality Assurance Inspection and Review
2.7.2.1 Topics Covered by Quality Assurance Inspection and Review
The purpose of a quality assurance inspection and review of DST is to verify that it is
operating in compliance with the requirements of the ACES CP, its ACES Contract, and
this CPS. Quality assurance inspections of DST are conducted pursuant to the
AICPA/CICA's Web Trust Program for Certification Authorities (CA Web Trust).
2.7.2.2 Identity/Qualifications of Reviewer
DST's compliance auditors demonstrate competence in the field of compliance audits,
and are thoroughly familiar with the requirements that DST imposes on the issuance and management of its certificates. The auditor performs such compliance audits as its
primary responsibility. See Sections 2.7.1.2, 2.7.1.3 and 2.7.2.3.
2.7.2.3 Auditor's Relationship to Audited Party
DST's compliance auditors are representatives from the OCC, the GSA, firms
specializing in information systems and network security, and private, unaffiliated and
nationally recognized accounting firms.
2.7.2.4 Audit Compliance Report
The results of DST's compliance audit are fully documented, and reports resulting from
Quality Assurance Inspections are submitted to GSA within 30 calendar days of the date
of their completion.
2.7.2.5 Actions Taken as a Result of Deficiency
DST shall correct any deficiencies noted during compliance reviews, as specified by
GSA. Also, if irregularities are found during OCC compliance audits, the OCC may
require appropriate remedial action or terminate DST operations after appropriate notice
to existing clients. The results of compliance audits will not be made public except as
described in Section 2.7.2.6.
2.7.2.6 Communication of Results
DST posts its auditor's CA Web Trust certification on its web site in accordance with
applicable AICPA audit-reporting standards. Audit information that might pose an
immediate threat of harm to Program Participants or that could potentially compromise
the future security of DST's operations is not made publicly available.
2.8 CONFIDENTIALITY
DST implements appropriate administrative, technical, and physical safeguards to insure
the security and confidentiality of records and to protect against any anticipated threats or
hazards to their security or integrity which could result in substantial harm,
embarrassment, inconvenience, or unfairness to any individual on whom information is maintained, in accordance with Title 5, U.S.C., Sec. 552a.
2.8.1 Types of Information to Be Kept Confidential
2.8.1.1 Privacy Policy and Procedures
DST's written Privacy Policies and Procedures (PPP), designed to ensure compliance
with the requirements of 5 U.S.C. 552a, Appendix I to OMB Circular A-130, and the
ACES Contract, may be found in Section 9 of this CPS.
2.8.1.2 Subscriber Information
Certificates issued by DST only contain information that is necessary for their effective
use. Non-Certificate information, however, is requested from applicants and is required
to identify Subscribers, issue Certificates and manage information on behalf of
Subscribers. Such information includes numeric identifiers of driver's licenses, credit
card accounts, passports, social security numbers and other identifiers, as well as
business or home addresses and telephone numbers. (See Section 3.1.9.1.) Such
personal information collected by DST is treated as private and is not disclosed unless
otherwise required by law or for auditing purposes. All non-Certificate, non-repository
information in DST records will be handled as sensitive, and access will be restricted to
those with business, operational or official needs. Certificate-restricted access will require presentation of a user's Certificate, and only the appropriate access permissions
will be granted to the user.
DST protects the confidentiality of personal information regarding Subscribers that is
collected during the applicant registration, ACES Certificate application, authentication,
and certificate status checking processes in accordance with the Privacy Act of 1974,
Appendix III to Office of Management and Budget (OMB) Circular A-130, GSA Order
2100.1A, and supporting GSA security guidelines. Such information is used only for the
purpose of providing CA Services and carrying out the provisions of the ACES CP and
DST's ACES Contract, and is not disclosed in any manner to any person without the
prior consent of the Subscriber, unless otherwise required by law, except as may be necessary for the performance of CA Services in accordance with DST's ACES Contract.
In addition, personal information submitted by Subscribers:
(a) Shall be made available by DST to the Subscriber involved following an
appropriate request by such Subscriber;
(b) Shall be subject to correction and/or revision by such Subscriber;
(c) Shall be protected by DST in a manner designed to ensure the data's
2.9 SECURITY REQUIREMENTS
DST is required to have the following minimum security controls in place:
Technical and/or security evaluation complete
Risk assessment conducted
Rules of behavior established and signed by users
Contingency Plan developed and tested
Security Plan developed, updated, and reviewed
System meets all applicable Federal laws, regulations, policies, guidelines,
and standards
In-place and planned security safeguards appear to be adequate and
appropriate for the system, i.e., the level of controls should be consistent with
the level of sensitivity of the system.
DST shall not publish or disclose in any manner, without the GSA ACO's written
consent, the details of any safeguards either designed or developed by DST under the
ACES Contract or otherwise provided by the Government.
No party may use any software, program, routine, query, device or manual process in an
attempt to: bypass security measures (including attempting to probe, scan or test
vulnerabilities to breach security); access data for which they are unauthorized to access;
interfere with the proper working of DST's CA systems; or impose a disproportionately
large load on (i.e., overload or crash) the infrastructure supporting DST's systems (e.g.,
DOS/DDOS attacks, viruses, etc.). The unauthorized use of any robot, spider, software,
routine, meta-search, automated query to monitor, copy or make any other unauthorized
uses of DST's systems is strictly prohibited and will be prosecuted to the fullest extent
allowed by law. DST reserves the right to block any activity that it interprets as a runaway
application, attack or other event that might be an attempt to bring down DST's ACES
PKI infrastructure and systems.
2.9.1 System Security Plan
DST has prepared and maintains a System Security Plan (SSP) in accordance with
requirements set forth in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and
all supporting GSA security guidelines, and the ACES Contract.
2.9.2 Risk Management
DST conducts periodic risk assessments and maintains its ACES systems at the level of
residual risk accepted by the designated approving authority in accordance with OMB
Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA security
guidelines, and the ACES Contract.
2.9.3 Certification and Accreditation
Certification and Accreditation of DST's ACES system shall be performed and
maintained in accordance with requirements set forth in OMB Circular A-130, NIST 800-
18, GSA Order 2100.1A and all supporting GSA security guidelines, and the ACES Contract.
2.9.4 Rules of Behavior
The SSP includes the rules of conduct that will be used to instruct DST's officers and
employees in compliance requirements and penalties for noncompliance. DST's rules of
behavior are developed and implemented in accordance with requirements set forth in
OMB Circular A-130, NIST 800-18, GSA Order 2100.1A and all supporting GSA
security guidelines, and the ACES Contract.
2.9.5 Contingency Plan
DST develops, implements, maintains, and periodically tests its contingency plan for its
ACES system in accordance with guidelines provided in OMB Circular A-130, NIST
800-18, FIPS PUB 87, and GSA Order 2100.1A and all supporting GSA security
guidelines.
2.9.6 Incident Response Capability
DST is able to provide help to users when a security incident occurs in the system and to
share information concerning common vulnerabilities and threats. A security incident is
defined to be any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromises of
confidentiality, loss of accountability, or damage to any part of the system.
Incident response procedures and reporting of security incidents shall be in accordance
with guidelines provided in OMB Circular A-130, NIST 800-18, GSA Order 2100.1A
and all supporting GSA security guidelines, and the ACES contract.
2.10 INTELLECTUAL PROPERTY RIGHTS
Private keys shall be treated as the sole property of the legitimate holder of the
corresponding public key identified in an ACES Certificate. Access Certificates for Electronic Services, ACES, and the ACES OIDs are the property of GSA (or, if the
Subscriber is not a government employee or contractor to whom a Certificate is issued in
his capacity as such, the Subscriber), which may be used only by DST in accordance with
the provisions of the ACES CP and DSTs ACES Contract. Any other use of the above
without the express written permission of GSA is expressly prohibited.
SECTION 3
IDENTIFICATION AND AUTHENTICATION
3.1 INITIAL REGISTRATION
Subject to the requirements noted below, applications for ACES Certificates may be
communicated from the applicant to DST, a Trusted Agent, or an Authorized RA, and
authorizations to issue ACES Certificates may be communicated from an Authorized RA
or Trusted Agent to DST, (1) electronically, provided that all communication is secure,
(2) by U.S. Postal Service first-class mail, or (3) in person. Certificates issued to
business representatives and Federal employees require a face-to-face registration
process to validate identity credentials, which DST may perform through its Trusted
Agents or Authorized RAs.
3.1.1 Types of Names
DST-issued certificates contain an X.500 distinguished name for the subscriber
consisting of either the X.501 distinguished name specifying a geo-political name or an
Internet domain component name. When domain component naming is used, DST
reserves the right to issue certificates utilizing domain component naming to honor
contract obligations or where practical or required for proper application usage, with
distinguished names formed in the following manner: dc=gov, dc=org0, [dc=org1], [dc=orgN];
dc=mil, dc=org0, [dc=org1], [dc=orgN]; etc.
3.1.1.1 ACES Unaffiliated Individual Digital Signature and Encryption
Certificates
The subject name used for ACES Certificate applicants shall be the Subscriber's
authenticated common name and optional Subject Alternative Name if marked non-
critical.
3.1.1.2 ACES Business Representative Digital Signature and Encryption
Certificates
Certificates shall assert X.500 Distinguished Name, and optional Subject Alternative
Name if marked non-critical. Where required, DST may generate and sign certificates
that contain an X.500 Distinguished Name (DN); the X.500 DN may also contain domain component elements. Where DNs are required, subscribers shall have them assigned
through DST, in accordance with a naming authority. ACES Business Representative
Digital Signature Certificates shall assert an alternate name form subject to requirements
set forth below intended to ensure name uniqueness.
3.1.1.3 ACES Agency (Relying Party Applications) Digital Signature and
Encryption Certificates
Certificates shall assert X.500 Distinguished Name, and optional Subject Alternative
Name if marked non-critical. Where required, DST may generate and sign certificates
that contain an X.500 Distinguished Name (DN); the X.500 DN may also contain domain component elements. Where DNs are required, relying parties shall have them assigned
through DST, in accordance with the agency's naming scheme under government-wide
policy. ACES Relying Party Application Digital Signature and Encryption Certificates
shall assert an alternate name form subject to requirements set forth below intended to
ensure name uniqueness.
3.1.1.4 Agency Application SSL Server Certificates
Certificates shall assert X.500 Distinguished Name of the server including the
identification of the organization and organizational unit sponsoring the server.
Additionally, the distinguished name shall assert the registered fully qualified domain name of the server.
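The naming rules in Section 3.1.1 (domain component chains anchored at dc=gov or dc=mil, followed by organisation components) and Section 3.1.1.4 (an SSL server DN that identifies the sponsoring organization and organizational unit and carries the server's registered fully qualified domain name) are the kind of thing a Relying Party or RA can check mechanically before trusting or approving a certificate. The following Python is an added example written for this page; it is not DST's code and the CPS describes no such tool. It assumes DNs are supplied in RFC 4514 string form (most specific attribute first, so the CPS's root-first "dc=gov, dc=org0, ..." appears reversed in the string), handles only backslash-escaped commas, and uses constructed sample DNs.

```python
"""Check X.500 subject names against the ACES CPS naming conventions.

Added example (not from the DST CPS). Two checks are implemented:
  * Section 3.1.1: a domain component chain that, read root-first, begins at
    dc=gov or dc=mil and continues with at least one organisation component
    (dc=org0, dc=org1, ...).
  * Section 3.1.1.4: an SSL server DN that carries O and OU for the sponsor
    and exactly one CN holding the server's fully qualified domain name.
Assumption: DN strings are in RFC 4514 form (leaf attribute first). Multi-valued
RDNs (joined with '+') are not handled; only '\\,' escapes are recognised.
"""
import re
from typing import Dict, List, Tuple

ROOT_COMPONENTS = {"gov", "mil"}  # the roots the CPS names in Section 3.1.1

# DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)
# FQDN: at least one label followed by an alphabetic top-level label.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def _split_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'attr=value' into a lower-cased attribute type and its value."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into (type, value) pairs, leaf first.

    A comma inside a value must be escaped as '\\,'; the escape is removed.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def check_domain_components(dn: str) -> List[str]:
    """Return problems with the dc chain (Section 3.1.1); empty means it conforms."""
    problems: List[str] = []
    # Reverse to the root-first order in which the CPS writes the chain.
    chain = [v for a, v in reversed(parse_dn(dn)) if a == "dc"]
    if not chain:
        return ["no domain component (dc) attributes present"]
    if chain[0].lower() not in ROOT_COMPONENTS:
        problems.append(f"dc chain must start at dc=gov or dc=mil, found dc={chain[0]}")
    if len(chain) < 2:
        problems.append("at least one organisation component (dc=org0) is required after the root")
    for comp in chain:
        if not LABEL_RE.fullmatch(comp):
            problems.append(f"dc={comp} is not a valid DNS label")
    return problems


def check_server_dn(dn: str) -> List[str]:
    """Return problems with an SSL server DN (Section 3.1.1.4); empty means it conforms."""
    attrs: Dict[str, List[str]] = {}
    for a, v in parse_dn(dn):
        attrs.setdefault(a, []).append(v)
    problems: List[str] = []
    for required in ("o", "ou", "cn"):  # sponsor organisation, unit, server name
        if required not in attrs:
            problems.append(f"missing {required.upper()} attribute")
    cns = attrs.get("cn", [])
    if len(cns) > 1:
        problems.append("more than one CN; the DN must name exactly one server")
    elif cns and not FQDN_RE.match(cns[0]):
        problems.append(f"CN {cns[0]!r} is not a fully qualified domain name")
    return problems


if __name__ == "__main__":
    # Constructed sample DNs; the organisation names are placeholders.
    samples = [
        "cn=jane doe,dc=org1,dc=org0,dc=gov",
        "cn=jane doe,dc=org0,dc=com",
        "cn=www.example.gov,ou=Web Services,o=Example Agency,c=US",
        "cn=webserver,o=Example Agency",
    ]
    for s in samples[:2]:
        print(s, "->", check_domain_components(s) or "dc chain conforms")
    for s in samples[2:]:
        print(s, "->", check_server_dn(s) or "server DN conforms")
```

The escaped-comma handling matters in practice: organisation names such as "Example Agency\, Inc." are common in O attributes, and a naive `split(",")` would silently produce a malformed RDN and a false rejection.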
3.1.1.5 ACES Federal Employee Digital Signature and Encryption
Certificates
DST ACES Certificates shall assert an X.500 Distinguished Name, and optional Subject
Alternative Names if marked non-critical. Where required, DST may generate and sign
certificates that contain an X.500 Distinguished Name (DN); the X.500 DN may also
contain domain component elements if required. Where DNs are required, subscribers
shall have them assigned through DST, in accordance with the applicable agency's
naming authorit