I. INTRODUCTION
A. Overview
This GeoTrust, Inc. ("GeoTrust") Certificate Practice Statement
(the "CPS") presents the principles and procedures GeoTrust
employs in the issuance and life cycle management of GeoTrust Web Server
Certificates. This CPS and any and all amendments thereto are incorporated
by reference into all GeoTrust issued Certificates.
B. Definitions
For the purposes of this CPS, all capitalized terms used herein shall have
the meaning given to them in Section VII, Definitions, or elsewhere in
this CPS.
GeoTrust's QuickSSL™ Web Server Certificates: QuickSSL Web Server
Certificates are X.509 Certificates with SSL Extensions. QuickSSL Server
Certificates are signed by "Equifax Secure eBusiness CA-1".
C. Description and Use of Certificates
Operational Period of Certificates: GeoTrust's QuickSSL Web Server
Certificates have an Operational Period of one (1) year from the date of
issuance, unless another time period or expiration date is specified on
such QuickSSL Web Server Certificate, or unless the QuickSSL Web Server
Certificate is revoked prior to the expiration of the Certificate's
Operational Period.
Installation of Certificates: GeoTrust's QuickSSL Web Server Certificates
may not be installed on more than a single server at a time.
Technical Requirements of Certificates: In order to use an QuickSSL Web
Server Certificate, the appropriate server software must support SSLv1 or
higher.
II. GENERAL PROVISIONS
A. Obligations
- GeoTrust Obligations
GeoTrust will: (i) issue Certificates in accordance
with this CPS; (ii) perform limited authentication of Subscribers as
described in this CPS; (iii) revoke Certificates; and (iv) perform any
other functions which are described within this CPS.
- Subscriber Obligations
Subscribers will submit truthful information about
itself, its business entity, domain ownership and contacts, as
applicable. Subscribers will not install a Certificate on more than a
single server at a time. Subscribers will at all times abide by this
CPS and a Subscriber will immediately request revocation of a
Certificate if the related Private Key is Compromised. The Subscriber
will only use the QuickSSL Web Server Certificate for purposes of
initiating SSL sessions. The Subscriber is solely responsible for the
protection of its Private Key and for notifying GeoTrust immediately
in the event that its Private Key has been Compromised.
- Relying Party Obligations
With regard to GeoTrust's QuickSSL Web Server
Certificate, Relying Parties must verify that the Certificate is valid
by examining the Certificate Revocation List before initiating a
transaction involving such Certificate. GeoTrust does not accept
responsibility for reliance on a fraudulently obtained Certificate or
a Certificate that is on the CRL.
B. Limited Warranty/Disclaimer
GeoTrust provides the following limited warranty at the time of
Certificate issuance: (i) it issued the Certificate substantially in
compliance with this CPS; and (ii) the information contained within the
Certificate accurately reflects the information provided to GeoTrust by
the Applicant in all material respects. The nature of the steps GeoTrust
takes to verify the information contained in a Certificate is set for in
Section III of this CPS.
EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, GEOTRUST EXPRESSLY
DISCLAIMS AND MAKES NO REPRESENTATION, WARRANTY OR COVENANT OF ANY KIND,
WHETHER EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, WITH
RESPECT TO THIS CPS OR ANY CERTIFICATE ISSUED HEREUNDER, INCLUDING WITHOUT
LIMITATION, ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE OR USE OF A CERTIFICATE OR ANY SERVICE PROVIDED BY GEOTRUST AS
DESCRIBED HEREIN, AND ALL WARRANTIES, REPRESENTATIONS, CONDITIONS,
UNDERTAKINGS, TERMS AND OBLIGATIONS IMPLIED BY STATUTE OR COMMON LAW,
TRADE USAGE, COURSE OF DEALING OR OTHERWISE ARE HEREBY EXCLUDED TO THE
FULLEST EXTENT PERMITTED BY LAW.
EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, GEOTRUST FURTHER
DISCLAIMS AND MAKES NO REPRESENTATION, WARRANTY OR COVENANT OF ANY KIND,
WHETHER EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, TO ANY
APPLICANT, SUBSCRIBER OR ANY RELYING PARTY THAT (A) THE SUBSCRIBER TO
WHICH IT HAS ISSUED A CERTIFICATE IS IN THE FACT THE PERSON, ENTITY OR
ORGANIZATION IT CLAIMS TO HAVE BEEN (B) A SUBSCRIBER IS IN FACT THE
PERSON, ENTITY OR ORGANIZATION LISTED IN THE CERTIFICATE, OR (C) THAT THE
INFORMATION CONTAINED IN THE CERTIFICATES OR IN ANY CERTIFICATE STATUS
MECHANISM COMPILED, PUBLISHED OR OTHERWISE DISSEMINATED BY GEOTRUST, OR
THE RESULTS OF ANY CRYPTOGRAPHIC METHOD IMPLEMENTED IN CONNECTION WITH THE
CERTIFICATES IS ACCURATE, AUTHENTIC, COMPLETE OR RELIABLE.
IT IS AGREED AND ACKNOWLEDGED THAT APPLICANTS ARE LIABLE FOR ANY
MISREPRESENTATIONS MADE TO GEOTRUST AND RELIED UPON BY A RELYING PARTY.
GEOTRUST DOES NOT WARRANT OR GUARANTEE UNDER ANY CIRCUMSTANCES THE
"NON-REPUDIATION" BY A SUBSCRIBER AND/OR RELYING PARTY OF ANY
TRANSACTION ENTERED INTO BY THE SUBSCRIBER AND/OR RELYING PARTY INVOLVING
THE USE OF OR RELIANCE UPON A CERTIFICATE.
IT IS UNDERSTOOD AND AGREED UPON BY SUBSCRIBERS AND RELYING PARTIES THAT
IN USING AND/OR RELYING UPON A CERTIFICATE THEY ARE SOLELY RESPONSIBLE FOR
THEIR RELIANCE UPON THAT CERTIFICATE AND THAT SUCH PARTIES MUST CONSIDER
THE FACTS, CIRCUMSTANCES AND CONTEXT SURROUNDING THE TRANSACTION IN WHICH
THE CERTIFICATE IS USED IN DETERMINING SUCH RELIANCE. THE SUBSCRIBERS AND
RELYING PARTIES AGREE AND ACKNOWLEDGE THAT CERTIFICATES HAVE A LIMITED
OPERATIONAL PERIOD AND MAY BE REVOKED AT ANY TIME. SUBSCRIBERS AND RELYING
PARTIES ARE UNDER AN OBLIGATION TO VERIFY WHETHER A CERTIFICATE IS EXPIRED
OR HAS BEEN REVOKED. GEOTRUST HEREBY DISCLAIMS ANY AND ALL LIABILITY TO
SUBSCRIBERS AND RELYING PARTIES WHO DO NOT FOLLOW SUCH PROCEDURES. MORE
INFORMATION ABOUT THE SITUATIONS IN WHICH A CERTIFICATE MAY BE REVOKED CAN
BE FOUND IN SECTION III(I) OF THIS CPS.
GeoTrust provides no warranties with respect to another party's software,
hardware or telecommunications or networking equipment utilized in
connection with the issuance, revocation or management of Certificates or
providing other services with respect to this CPS. Applicants, Subscribers
and Relying Parties agree and acknowledge that GeoTrust is not responsible
or liable for any misrepresentations or incomplete representations of
Certificates or any information contained therein caused by another
party's application software or graphical user interfaces. The
cryptographic key-generation technology used by Applicants, Subscribers
and Relying Parties in conjunction with the Certificates may or may not be
subject to the intellectual property rights of third-parties. It is the
responsibility of Applicants, Subscribers and Relying Parties to ensure
that they are using technology which is properly licensed or to otherwise
obtain the right to use such technology.
C. Limitation on Liability
EXCEPT TO THE EXTENT CAUSED BY GEOTRUST'S WILLFUL MISCONDUCT, IN NO EVENT
SHALL THE CUMULATIVE LIABILITY OF GEOTRUST TO APPLICANTS, SUBSCRIBER
AND/OR ANY RELYING PARTY FOR ALL CLAIMS RELATED TO THE USE OF OR RELIANCE
UPON A CERTIFICATE OR FOR THE SERVICES PROVIDED HEREUNDER INCLUDING
WITHOUT LIMITATION ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT
(INCLUDING NEGLIGENCE), STRICT LIABILITY, FOR BREACH OF A STATUTORY DUTY
OR IN ANY OTHER WAY EXCEED FIFTY U.S. DOLLARS ($50.00).
GEOTRUST SHALL NOT BE LIABLE IN CONTRACT, TORT (INCLUDING NEGLIGENCE),
STRICT LIABILITY, FOR BREACH OF A STATUTORY DUTY OR IN ANY OTHER WAY (EVEN
IF GEOTRUST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) FOR
(I) ANY ECONOMIC LOSS (INCLUDING, WITHOUT LIMITATION, LOSS OF REVENUES,
PROFITS, CONTRACTS, BUSINESS OR ANTICIPATED SAVINGS);
(II) TO THE EXTENT ALLOWED BY APPLICABLE LAW, ANY LOSS OR DAMAGE RESULTING
FROM DEATH OR INJURY OF SUBSCRIBER AND/OR ANY RELYING PARTY OR ANYONE
ELSE;
(III) ANY LOSS OF GOODWILL OR REPUTATION; OR
(IV) ANY OTHER INDIRECT, CONSEQUENTIAL, INCIDENTAL, MULTIPLE, SPECIAL,
PUNITIVE, EXEMPLARY DAMAGES IN ANY CASE WHETHER OR NOT SUCH LOSSES OR
DAMAGES WERE WITHIN THE CONTEMPLATION OF THE PARTIES AT THE TIME OF THE
APPLICATION FOR USE OF OR RELIANCE ON THE CERTIFICATE, OR AROSE OUT OF ANY
OTHER MATTER UNDER THIS CPS OR WITH REGARD TO THE USE OF OR RELIANCE ON
THE CERTIFICATE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, THE ABOVE EXCLUSIONS OF
INCIDENTAL AND CONSEQUENTIAL DAMAGES MAY NOT APPLY TO AN APPLICANT,
SUBSCRIBER AND/OR A RELYING PARTY BUT SHALL BE GIVEN EFFECT TO THE FULL
EXTENT PERMITTED BY LAW.
THE FOREGOING LIMITATIONS OF LIABILITY SHALL APPLY ON A
CERTIFICATE-BY-CERTIFICATE BASIS, REGARDLESS OF THE NUMBER OF TRANSACTIONS
OR CLAIMS RELATED TO EACH CERTIFICATE, AND SHALL BE APPORTIONED FIRST TO
THE EARLIER CLAIMS TO ACHIEVE FINAL RESOLUTION.
In no event will GeoTrust be liable for any damages to Applicants,
Subscribers, Relying Parties or any other party arising out of or related
to the use or misuse of, or reliance on any Certificate issued under this
CPS that: (i) has expired or been revoked; (ii) has been used for any
purpose other than as set forth in the CPS (See Section I (C) for more
detail); (iii) has been tampered with; (iv) with respect to which the Key
Pair underlying such Certificate or the cryptography algorithm used to
generate such Certificate's Key Pair, has been Compromised by the action
of any party other than GeoTrust (including without limitation the
Subscriber or Relying Party); or (v) is the subject of misrepresentations
or other misleading acts or omissions of any other party, including but
not limited to Applicants, Subscribers and Relying Parties.
In no event shall GeoTrust be liable to the Applicant, Subscriber, Relying
Party or other party for damages arising out of any claim that a
Certificate infringes any patent, trademark, copyright, trade secret or
other intellectual property right of any party.
D. Force Majeure
GeoTrust shall not be liable for any default or delay in the performance
of its obligations hereunder to the extent and while such default or delay
is caused, directly or indirectly, by fire, flood, earthquake, elements of
nature or acts of God, acts of war, terrorism, riots, civil disorders,
rebellions or revolutions in the United States, strikes, lockouts, or
labor difficulties or any other similar cause beyond the reasonable
control of GeoTrust.
E. Financial Responsibility
-
Fiduciary Relationships
GeoTrust is not an agent, fiduciary, trustee, or other representative
of the Applicant or Subscriber and the relationship between GeoTrust
and the Applicant and the Subscriber is not that of an agent and a
principal. GeoTrust makes no representation to the contrary, either
explicitly, implicitly, by appearance or otherwise. Neither the
Applicant nor the Subscriber has any authority to bind GeoTrust by
contract or otherwise, to any obligation.
-
Indemnification by Applicant and Subscriber
Unless otherwise set forth in this CPS and/or Subscriber Agreement,
Applicant and Subscriber, as applicable, hereby agrees to indemnify
and hold GeoTrust (including, but not limited to, its officers,
directors, employees, agents, successors and assigns) harmless from
any claims, actions, or demands that are caused by the use or
publication of a Certificate and that arises from (a) any false or
misleading statement of fact by the Applicant (or any person acting on
the behalf of the Applicant) (b) any failure by the Applicant or the
Subscriber to disclose a material fact, if such omission was made
negligently or with the intent to deceive; (c) any failure on the part
of the Subscriber to protect its Private Key and Certificate or to
take the precautions necessary to prevent the Compromise, disclosure,
loss, modification or unauthorized use of the Private Key or
Certificate; or (d) any failure on the part of the Subscriber to
promptly notify GeoTrust, as the case may be, of the Compromise,
disclosure, loss, modification or unauthorized use of the Private Key
or Certificate once the Subscriber has constructive or actual notice
of such event.
F. Interpretation & Enforcement
-
Governing Law
The enforceability, construction, interpretation, and validity of this
CPS and any Certificates issued by GeoTrust shall be governed by the
substantive laws of the State of Oregon, United States of America,
excluding (i) the conflicts of law provisions thereof and (ii) the
United Nations Convention on Contracts for the International Sale of
Goods.
-
Dispute Resolution Procedures
Any dispute, controversy or claim arising under, in connection with or
relating to this CPS or any Certificate issued by GeoTrust shall be
subject to and settled finally by binding arbitration in accordance
with the Arbitration Rules of the American Arbitration Association
(AAA). All arbitration proceedings shall be held in Portland, Oregon.
There shall be one arbitrator appointed by the AAA who shall exhibit a
reasonable familiarity with the issues involved or presented in such
dispute, controversy or claim. The award of the arbitrator shall be
binding and final upon all parties, and judgment on the award may be
entered by any court having proper jurisdiction thereof. This CPS and
the rights and obligations of the parties hereunder and under any
Certificate issued by GeoTrust shall remain in full force and effect
pending the outcome and award in any arbitration proceeding hereunder.
In any arbitration arising hereunder, each party to the preceding
shall be responsible for its own costs incurred in connection with the
arbitration proceedings, unless the arbitrator determines that the
prevailing party is entitled to an award of all or a portion of such
costs, including reasonable attorneys fees actually incurred.
-
Severability
If any provision of this CPS shall be held to be invalid, illegal, or
unenforceable, the validity, legality, or enforceability of the
remainder of this CPS shall not in any way be affected or impaired
hereby.
G. Repository
GeoTrust shall operate a CRL that will be available to both Subscribers
and Relying Parties. GeoTrust shall post the CRL at lease every seven (7)
days.
H. Subscriber Information
-
Individual Subscriber Information
GeoTrust may make individual Subscriber information available to
courts, law enforcement agencies or other third parties upon receipt
of a court order or subpoena or upon the advice of GeoTrust's legal
counsel. Individual Subscriber information may appear on the QuickSSL
Web Server Certificates issued pursuant to this CPS.
-
Aggregate Subscriber Information
GeoTrust may also disclose Subscriber information on an aggregate
basis, and the Subscriber hereby grants to GeoTrust a license to do
so, including the right to modify the aggregated Subscriber
information and to permit third parties to perform such functions on
its behalf.
III. OPERATIONAL REQUIREMENTS
A. Application Requirements
QuickSSL Web Server Certificate Application: All Applicants are required
to include a Domain Name within the QuickSSL Certificate application.
B. Certificate Information
-
Domain Name
GeoTrust will verify that the Subscriber had the right to use such
Domain Name at the time it submitted its application. For example,
GeoTrust may perform verification by confirming that the subscriber is
the same person that holds the Domain Name registration or that the
subscriber is authorized to use the Domain Name.
-
Organization Unit
GeoTrust will insert an Organization Unit field "Organization Not
Validated" or similar language for all QuickSSL Web Server
Certificates.
GeoTrust will process the QuickSSL Application to confirm the
information on the QuickSSL Certificates as discussed above. However,
GeoTrust reserves the right to waive such procedures and issue an
QuickSSL Certificate utilizing different authentication procedures in
certain circumstances; provided that the general principles for
verifying the application information is maintained. In addition,
GeoTrust may use subcontractors or other third parties to assist in
the performance of its operational requirements or any other
obligation under this CPS.
If GeoTrust finds that the Applicant's QuickSSL Certificate
application was sufficiently verified, then the Applicant's QuickSSL
Certificate Request will be signed by GeoTrust. Upon signing the
Applicant's QuickSSL Certificate, GeoTrust will attach such
Certificate to an email and send such email to the appropriate
contact(s).
The Applicant expressly indicates acceptance of a Certificate by using
such Certificate.
The Subscriber is required to generate a new Public Key and complete a
new Certificate request before the Subscriber will be able to obtain a
renewal Certificate.
C. Certificate Expiration
GeoTrust will attempt to notify all Subscribers of the expiration date of
their Certificate but cannot guarantee to do so.
-
Circumstances For Revocation
Certificate revocation is the process by which GeoTrust prematurely
ends the Operational Period of a Certificate.
a. Permissive Revocation
A Subscriber may request revocation of its
Certificate at any time for any reason.
b. Required Revocation
A Subscriber shall inform GeoTrust and promptly
request revocation of a Certificate: whenever any of the
information on the Certificate changes or becomes obsolete; or
whenever the Private Key, or the media holding the Private Key,
associated with the Certificate is compromised;, or upon a change
in the ownership of a Subscriber's web server; or in the event the
Certificate is installed on more than a single server at a time.
GeoTrust shall revoke a Certificate: upon request of a Subscriber;
upon Compromise of GeoTrust's Private Key used to sign a
Certificate; upon the Subscriber's breach of either this CPS or
Subscriber Agreement; or if GeoTrust determines that the
Certificate was not properly issued.
In the event that GeoTrust ceases operations, all Certificates
issued by GeoTrust shall be revoked prior to the date that
GeoTrust ceases operations.
-
Who Can Request Revocation
The only persons permitted to request revocation of or revoke a
Certificate issued by GeoTrust are the Subscribers and GeoTrust.
-
Procedure For Revocation Request
Subscriber must contact GeoTrust, either by a national/regional postal
service, facsimile or overnight courier, and request revocation of a
Certificate. GeoTrust may also accept email requests to request
revocation from Subscribers, but is not required to do so without
supporting verification. If applicable, such contact must be made by
the Subscriber's technical contact. GeoTrust shall revoke such
Certificate within the next business day.
D. Records Archival
GeoTrust shall maintain and archive records relating to the issuance of
the Certificates for three (3) years following the issuance of the
applicable Certificate.
IV. TECHNICAL SECURITY CONTROLS
GeoTrust Root Keys are maintained in a trusted and
highly secured environment with backup and key recovery procedures. In the
event of the Compromise of the GeoTrust Root Key(s), GeoTrust shall
promptly notify the Subscribers and revoke all Certificates issued with
such GeoTrust Root Key(s).
V. CPS ADMINISTRATION
CPS Change Procedures. GeoTrust may change this CPS at
any time without notice. The CPS and any amendments thereto is available
through www.geotrust.com/quickssl/cps.asp
VI. GENERAL PROVISIONS
A. Conflict of Provisions
This CPS represents the entire agreement between any Subscriber (including
the Subscriber Agreement, if any) or Relying Party and GeoTrust and
supersedes any and all prior understandings and representations pertaining
to its subject matter. In the event, however, of a conflict between this
CPS and any other express agreement a Subscriber has with GeoTrust with
respect to a Certificate, including but not limited to a Subscriber
Agreement, such other agreement shall take precedence.
B. Waiver
A failure or delay in exercising any right or remedy hereunder shall not
operate as a waiver of that right or remedy, nor shall any single or
partial exercise of any right or remedy preclude any other or further
exercise thereof or the exercise of any other right or remedy.
C. Survival
The following sections shall survive, along with all definitions required
thereby: Sections I, II, VI and VII.
D. Export
Subscribers and Relying Parties acknowledge and agree to use Certificates
in compliance with all applicable laws and regulations, including without
limitation U.S. export laws and regulations. GeoTrust may refuse to issue
or may revoke Certificates if in the reasonable opinion of GeoTrust such
issuance or the continued use of such Certificates would violate
applicable laws and regulations.
VII. DEFINITIONS
Applicant. A person or authorized agent that
requests the issuance of a Certificate. CA. Certification Authority.
Certificate. A record that, at a minimum:
(a) identifies the CA issuing it;
(b) names or otherwise identifies its Subscriber;
(c) contains a Public Key that corresponds to a Private Key under the
control of the Subscriber;
(d) identifies its Operational Period; and
(e) contains a Certificate serial number and is digitally signed by the
CA. The term Certificate, as referred to in this CPS, means a Certificate
issued by GeoTrust pursuant to this CPS.
Certificate Revocation List. A time-stamped list of revoked
Certificates that has been digitally signed by the CA.
Certification Authority. An entity which issues Certificates and
performs all of the functions associated with issuing such Certificates.
Compromise. Suspected or actual unauthorized disclosure, loss, loss
of control over, or use of a Private Key associated with Certificate.
CRL. See Certificate Revocation List.
Extension. A means to place additional information about a
Certificate within a Certificate. The X.509 standard defines a set of
Extensions that may be used in Certificates.
GeoTrust. GeoTrust, Inc.
GeoTrust Root Key(s). The Private Key used by GeoTrust to sign the
Certificates.
Key Pair. Two mathematically related keys, having the following
properties:
(i) one key can be used to encrypt a message that can only be decrypted
using the other key, and
(ii) even knowing one key, it is computationally impractical to discover
the other key.
Operational Period. A Certificate's period of validity. It would
typically begin on the date the Certificate is issued (or such later date
as specified in the Certificate), and ends on the date and time it expires
as noted in the Certificate or is earlier revoked unless it is suspended.
Private Key. The key of a Key Pair used to create a digital
signature. This key must be kept a secret.
Public Key. The key of a Key Pair used to verify a digital
signature. The Public Key is made freely available to anyone who will
receive digitally signed messages from the holder of the Key Pair. The
Public Key is usually provided via a Certificate issued by GeoTrust. A
Public Key is used to verify the digital signature of a message
purportedly sent by the holder of the corresponding Private Key.
Relying Party. A recipient of a digitally signed message who relies
on a Certificate to verify the digital signature on the message. Also, a
recipient of a Certificate who relies on the information contained in the
Certificate.
SSL. An industry standard protocol that uses public key
cryptography for Internet security.
Subscriber. A person or entity who (1) is the subject named or
identified in a Certificate issued to such person or entity, (2) holds a
Private Key that corresponds to a Public Key listed in that Certificate,
and (3) the person or entity to whom digitally signed messages verified by
reference to such Certificate are to be attributed. For the purpose of
this CPS, a person or entity who applies for a Certificate by the
submission of an application is also referred to as a Subscriber.
|
