Version 3.0 [Effective 30 June 2003]

Table of Contents

I. INTRODUCTION
A. Overview
B. Definitions
C. Description and Use of Certificates

II. GENERAL PROVISIONS
A. Obligations
B. Limited Warranty/Disclaimer
C. Limitation on Liability
D. Force Majeure
E. Financial Responsibility
F. Interpretation & Enforcement
G. Repository
H. Confidentiality Policy

III. OPERATIONAL REQUIREMENTS
A. Application Requirements
B. Certificate Information
C. Procedure for Processing Certificate Applications
D. Application Issues
E. Certificate Delivery
F. Certificate Acceptance
G. Certificate Renewal
H. Certificate Expiration
I. Certificate Revocation
J. Records Archival

IV. SECURITY CONTROLS
A. Equifax Physical Security Controls
B. Features of Equifax Electronic Commerce Solutions Operations Center

V. TECHNICAL SECURITY CONTROLS
A. Root Key Generation
B. Root Key Management

VI. CPS ADMINISTRATION
A. CPS Change Procedures

VII. GENERAL PROVISIONS
A. Conflict of Provisions
B. Waiver
C. Severance
D. Export

VIII. DEFINITIONS



I. INTRODUCTION

A. Overview

This Equifax SecureMark Certificate Practice Statement (the “CPS”) presents the principles and procedures that Equifax (“Equifax”) and GeoTrust, Inc. (“GeoTrust”) employ in the issuance and life cycle management of Equifax SecureMark Certificates (SecureMark is the registered trade mark of [Equifax, Inc.]) (the “Services”).  This CPS and any and all amendments thereto are incorporated by reference into all Equifax SecureMark Certificates.

 

B. Definitions

For the purposes of this CPS, all capitalized terms used herein shall have the meaning given to them in Section VIII, Definitions, or elsewhere in this CPS.

C. Description and Use of Certificates

  1. Equifax Secure SecureMark Certificates

    Equifax SecureMark Certificates are X.509 Certificates that chain to a Root CA, which the CA has S/MIME enabled to permit a consistent way to send and receive S/MIME data and provide limited authentication of a Subscriber’s browser.  Acceptance of applications for SecureMark certificates will be based on the following guidelines: HMG’s minimum requirements for validation and verification of the identity of individuals and organizations for Level 2 transactions as published on 12 February 2002 (www.e-envoy.gov.uk).

  Operational Period of Equifax SecureMark Certificates

    Equifax SecureMark Certificates have an Operational Period of three hundred and seventy-nine (379) days from the date of issuance, unless another time period or expiration date is specified on such Equifax SecureMark Certificate, unless the Equifax SecureMark Certificate is revoked prior to the expiration of its Operational Period.

  2. Technical Requirements of Equifax SecureMark Certificates

    In order to use an Equifax SecureMark Certificate, a Subscriber must use Lotus Notes Web Navigator 5.x (or later version), Netscape Navigator 4.X (or later version) or Microsoft Internet Explorer 4.X (or later version) (provided that any such browsers can accommodate 128 bit encryption).


II. GENERAL PROVISIONS

A. Obligations

1. Equifax and GeoTrust Obligations

Equifax will perform limited authentication of Subscribers as detailed in this CPS and GeoTrust will issue Equifax SecureMark Certificates to the Subscribers after their successful authentication by Equifax in accordance with this CPS.  Upon the revocation of an Equifax SecureMark Certificate, Equifax will notify GeoTrust, who will update the Certificate Revocation List accordingly.  Equifax and GeoTrust will perform other functions which are described in more detail in this CPS.

2. Subscriber Obligations

Subscribers will submit truthful information about themselves, their business entity, and contacts, as applicable.  Subscribers will at all times abide by this CPS and a Subscriber will immediately request revocation of an Equifax SecureMark Certificate if the related Private Key is Compromised.  The Subscriber will only use the Equifax SecureMark Certificate for authenticating the Subscriber and/or utilizing S/MIME applications.  The Subscriber is solely responsible for the protection of his/her Private Key and shall notify Equifax immediately in the event that his/her Private Key has been Compromised.

3. Relying Party Obligations

Relying Parties must verify that the Equifax SecureMark Certificate is valid by examining the Certificate Revocation List before initiating a transaction involving such Equifax SecureMark Certificate.

Equifax and GeoTrust do not accept any responsibility whatsoever for reliance on an Equifax SecureMark Certificate that is on the Certificate Revocation List.

B. Limited Warranty/Disclaimer

Equifax provides the following limited warranty at the time the Equifax SecureMark Certificate is issued; (i) the information contained within the Equifax SecureMark Certificate accurately reflects the information provided to Equifax by the Applicant in all material respects; and (ii) Equifax has taken reasonable steps to verify that the information within the Equifax SecureMark Certificate is accurate.  The nature of the steps Equifax takes to verify the information contained in an Equifax SecureMark Certificate is described in Section III of this CPS.

EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, EQUIFAX AND GEOTRUST EXPRESSLY DISCLAIM AND MAKE NO OTHER REPRESENTATIONS, WARRANTIES OR COVENANTS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, WITH RESPECT TO THIS CPS OR ANY EQUIFAX SECUREMARK CERTIFICATE ISSUED HEREUNDER, INCLUDING WITHOUT LIMITATION, ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR USE OF AN EQUIFAX SECUREMARK CERTIFICATE OR ANY SERVICE PROVIDED BY EQUIFAX OR GEOTRUST AS DESCRIBED HEREIN, AND ALL WARRANTIES, REPRESENTATIONS, CONDITIONS, UNDERTAKINGS, TERMS AND OBLIGATIONS IMPLIED BY STATUTE OR COMMON LAW, TRADE USAGE, COURSE OF DEALING OR OTHERWISE ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.  EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, EQUIFAX AND GEOTRUST FURTHER DISCLAIM AND MAKE NO REPRESENTATION, WARRANTY OR COVENANT OF ANY KIND, WHETHER EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, TO ANY APPLICANT, SUBSCRIBER OR ANY RELYING PARTY THAT THE RESULTS OF ANY CRYPTOGRAPHIC METHOD IMPLEMENTED IN CONNECTION WITH THE EQUIFAX SECUREMARK CERTIFICATE IS ACCURATE, AUTHENTIC, COMPLETE OR RELIABLE.

IT IS AGREED AND ACKNOWLEDGED THAT APPLICANTS ARE LIABLE FOR ANY MISREPRESENTATIONS MADE TO EQUIFAX AND/OR GEOTRUST.  NEITHER EQUIFAX NOR GEOTRUST WARRANTS OR GUARANTEES  UNDER ANY CIRCUMSTANCES THE “NON-REPUDIATION” BY A SUBSCRIBER AND/OR RELYING PARTY OF ANY TRANSACTION ENTERED INTO BY THE SUBSCRIBER AND/OR RELYING PARTY INVOLVING THE USE OF OR RELIANCE ON AN EQUIFAX SECUREMARK CERTIFICATE.

IT IS UNDERSTOOD AND AGREED UPON BY SUBSCRIBERS AND RELYING PARTIES THAT IN USING AND/OR RELYING ON AN EQUIFAX SECUREMARK CERTIFICATE THEY ARE SOLELY RESPONSIBLE FOR THEIR RELIANCE ON THAT EQUIFAX SECUREMARK CERTIFICATE AND THAT SUCH PARTIES MUST CONSIDER THE FACTS, CIRCUMSTANCES AND CONTEXT SURROUNDING THE TRANSACTION IN WHICH THE CERTIFICATE IS USED IN DETERMINING SUCH RELIANCE.

THE SUBSCRIBERS AND RELYING PARTIES AGREE AND ACKNOWLEDGE THAT EACH EQUIFAX SECUREMARK CERTIFICATE HAS A LIMITED OPERATIONAL PERIOD AND MAY BE REVOKED AT ANY TIME. SUBSCRIBERS AND RELYING PARTIES ARE UNDER AN OBLIGATION TO VERIFY WHETHER AN EQUIFAX SECUREMARK CERTIFICATE IS EXPIRED OR HAS BEEN REVOKED.  EQUIFAX WE HEREBY DISCLAIM ANY AND ALL LIABILITY TO SUBSCRIBERS AND RELYING PARTIES WHO DO NOT FOLLOW SUCH PROCEDURES.  MORE INFORMATION ABOUT THE SITUATIONS IN WHICH AN EQUIFAX SECUREMARK CERTIFICATE MAY BE REVOKED CAN BE FOUND IN SECTION III I OF THIS CPS.

We do not provide any warranties with respect to another party’s software, hardware or telecommunications or networking equipment utilized in connection with the issuance, revocation or management of Equifax SecureMark Certificates or providing other services with respect to this CPS.  Applicants, Subscribers and Relying Parties agree and acknowledge that We are not responsible or liable for any misrepresentations or incomplete representations of Equifax SecureMark Certificates or any information contained therein caused by another party’s application software or graphical user interfaces. The cryptographic key-generation technology used by Applicants, Subscribers and Relying Parties in conjunction with the Equifax SecureMark Certificates may or may not be subject to the intellectual property rights of third parties. It is the responsibility of Applicants, Subscribers and Relying Parties to ensure that they are using technology which is properly licensed or to otherwise obtain the right to use such technology.

Except as expressly provided in this CPS, all representations, conditions and warranties whether express or implied (by statute or otherwise) are excluded to the fullest extent permitted by law.  In particular, but without limitation, we exclude any representation, condition or warranty that the operation of the Services will be uninterrupted or that the operation of any Software will be uninterrupted or error free.

C. Limitation on Liability

You agree that we shall not in any circumstances be liable for any loss or damage at all arising from any inaccuracies, faults or omissions in, or in the provision of, the Service unless caused by our negligence or wilful default.

 

EXCEPT TO THE EXTENT CAUSED BY OUR NEGLIGENCE, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EQUIFAX AND GEOTRUST TO APPLICANTS, SUBSCRIBER AND ANY RELYING PARTY FOR ALL CLAIMS RELATED TO THE USE OF OR RELIANCE ON AN EQUIFAX SECUREMARK CERTIFICATE OR FOR THE SERVICES PROVIDED HEREUNDER INCLUDING WITHOUT LIMITATION ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, FOR BREACH OF A STATUTORY DUTY OR IN ANY OTHER WAY EXCEED ONE THOUSAND POUNDS STERLING (£1,000.00).

You acknowledge that we provide the Services at a price that does not reflect any benefit you may obtain from them, including any profit that you may make or the amount of any credit that you may give.  You agree that we shall not in any circumstances (including if we have been negligent) be liable for:

(I) any indirect or consequential loss or damage at all; or

(II) any loss of business, capital, profit, reputation or goodwill, arising out of or in connection with this Agreement or its subject matter.

IN ANY CASE WHETHER OR NOT SUCH LOSSES OR DAMAGES WERE WITHIN THE CONTEMPLATION OF THE PARTIES AT THE TIME OF THE APPLICATION FOR USE OF OR RELIANCE ON THE EQUIFAX SECUREMARK CERTIFICATE, OR AROSE OUT OF ANY OTHER MATTER UNDER THIS CPS OR WITH REGARD TO THE USE OF OR RELIANCE ON THE EQUIFAX SECUREMARK CERTIFICATE.

TO THE EXTENT THAT SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, THE ABOVE EXCLUSIONS OF INCIDENTAL AND CONSEQUENTIAL DAMAGES MAY NOT APPLY TO AN APPLICANT, SUBSCRIBER AND/OR A RELYING PARTY BUT SHALL BE GIVEN EFFECT TO THE FULL EXTENT PERMITTED BY LAW.

THE FOREGOING LIMITATIONS OF LIABILITY SHALL APPLY ON A CERTIFICATE-BY-CERTIFICATE BASIS, REGARDLESS OF THE NUMBER OF TRANSACTIONS OR CLAIMS RELATED TO EACH EQUIFAX SECUREMARK CERTIFICATE, AND SHALL BE APPORTIONED FIRST TO THE EARLIER CLAIMS TO ACHIEVE FINAL RESOLUTION.

In no event will we be liable for any damages to Applicants, Subscribers, Relying Parties or any other party arising out of or related to the use or misuse of, or reliance on any Equifax SecureMark Certificate issued under this CPS that: (i) has expired or been revoked; (ii) has been used for any purpose other than as set forth in the CPS (See Section I (C) and II (A) (2) for more detail); (iii) has been tampered with; (iv) with respect to which the Key Pair underlying such Equifax SecureMark Certificate or the cryptography algorithm used to generate such Equifax SecureMark Certificate’s Key Pair, has been Compromised by the action of any party other than Equifax or GeoTrust (including without limitation the Subscriber or Relying Party); or (v) is the subject of misrepresentations or other misleading acts or omissions of any other party, including but not limited to Applicants, Subscribers and Relying Parties.

In no event shall we be liable to the Applicant, Subscriber, Relying Party or other party for damages arising out of any claim that an Equifax SecureMark Certificate infringes any patent, trademark, copyright, trade secret or other intellectual property right of any party.

D. Force Majeure

We shall not be liable for any delay in, or failure of, performance of our obligations under this CPS arising from any cause beyond our reasonable control including any of the following: act of God, governmental act, war, fire, flood, explosion or civil commotion, failure in information technology or telecommunications services, failure of a third party (including failure to supply data) and industrial action.

E. Financial Responsibility

1. Fiduciary Relationships

Neither Equifax nor GeoTrust is an agent, fiduciary, trustee, or other representative of the Applicant or Subscriber and the relationship between Equifax and GeoTrust and the Applicant and the Subscriber is not that of an agent and a principal.  Neither Equifax nor GeoTrust makes any representations to the contrary, either explicitly, implicitly, by appearance or otherwise.  Neither the Applicant nor the Subscriber has any authority to bind Equifax or GeoTrust by contract or otherwise, to any obligation.

2. Indemnification by Applicant and Subscriber

Unless otherwise set forth in this CPS and/or Subscriber Agreement, Applicant and Subscriber, as applicable, hereby agrees to indemnify and hold us (including, but not limited to, each of their officers, directors, employees, agents, successors and assigns) harmless from any claims, actions, or demands that are caused by the use or publication of an Equifax SecureMark Certificate and that arises from (a) any false or misleading statement of fact by the Applicant (or any person acting on the behalf of the Applicant); (b) any failure by the Applicant or the Subscriber to disclose a material fact, if such omission was made negligently or with the intent to deceive; (c) any failure on the part of the Subscriber to protect its Private Key or Equifax SecureMark Certificate or to take the precautions necessary to prevent the Compromise, disclosure, loss, modification or unauthorized use of the Private Key or Equifax SecureMark Certificate; or (d) any failure on the part of the Subscriber to promptly notify Equifax and GeoTrust, as the case may be, of the Compromise, disclosure, loss, modification or unauthorized use of the Private Key or Equifax SecureMark Certificate once the Subscriber has constructive or actual notice of such event.

F. Interpretation & Enforcement

1. Governing Law

The enforceability, construction, interpretation, and validity of this CPS and any Equifax SecureMark Certificate issued hereunder shall be governed by the -exclusive jurisdiction of the courts of England and

Severability

If any provision of this CPS shall be held to be invalid, illegal, or unenforceable, the validity, legality, or enforceability of the remainder of this CPS shall not in any way be affected or impaired hereby.

2. Dispute Resolution Procedures

Any dispute, controversy or claim arising under, in connection with or relating to this CPS or any Certificate issued by ESI shall be subject to and settled finally by binding arbitration in accordance with the Arbitration Rules of the American Arbitration Association (AAA). All arbitration proceedings shall be held in Atlanta, Georgia. There shall be one arbitrator appointed by the AAA who shall exhibit a reasonable familiarity with the issues involved or presented in such dispute, controversy or claim. The award of the arbitrator shall be binding and final upon all parties, and judgment on the award may be entered by any court having proper jurisdiction thereof. This CPS and the rights and obligations of the parties hereunder and under any Certificate issued by ESI shall remain in full force and effect pending the outcome and award in any arbitration proceeding hereunder. In any arbitration arising hereunder, each party to the proceeding shall be responsible for its own costs incurred in connection with the arbitration proceedings, unless the arbitrator determines that the prevailing party is entitled to an award of all or a portion of such costs, including reasonable attorneys’ fees actually incurred.

G. Repository

With regard to Equifax SecureMark Certificates, GeoTrust shall operate a Certificate Revocation List that will be available to both Subscribers and Relying Parties.

The repository is the official store for CRLs, directories and other status information (the “Repository”). Relying Parties wishing to validate certificate status should refer to the CDP field within the SecureMark certificates for the location of the Repository.

GeoTrust shall post the Certificate Revocation List every twenty-four (24) hours in a DER format.

H. Confidentiality Policy

1. Individual Subscriber Information

Information regarding Subscribers that is submitted on applications for Certificates will be kept confidential by us and we shall not release such information without the prior consent of the Subscriber. Notwithstanding the foregoing, we may make such information available to courts, law enforcement agencies, regulatory bodies or other third parties upon receipt of a court order or upon the advice of our legal counsel as the case may be.  The foregoing confidentiality obligation shall not apply, however, to information appearing on Equifax SecureMark Certificates, or to information regarding Subscribers that is already in the possession of or separately acquired by Equifax or GeoTrust or is already in the public domain.

 2. Aggregate Subscriber Information

Notwithstanding the previous Section, we may disclose Subscriber information on an aggregate basis, and the Subscriber hereby grants to us a license to do so, including the right to modify the aggregated Subscriber information and to permit third parties to perform such functions on its behalf.  We shall not disclose to any third party any personally identifiable information about any Subscriber that Equifax or GeoTrust, as applicable, obtains in its performance of services hereunder.


III. OPERATIONAL REQUIREMENTS

A. Application Requirements for an Equifax SecureMark Certificate

An Applicant for an Equifax SecureMark Certificate shall complete an Equifax SecureMark Certificate application in a form prescribed by Equifax.  All applications are subject to review, approval and acceptance by Equifax.  All Applicants are required to include a personal name and email address within an Equifax SecureMark Certificate application which will also appear on an Equifax SecureMark Certificate.  An Equifax SecureMark Certificate may contain additional information as well. 

B. Equifax SecureMark Certificate Information

2. Organisational Name
 

If an Equifax SecureMark Certificate contains an Organisational Name, Equifax will make a reasonable attempt to establish that a request made on behalf of that organization is legitimate and properly authorized.  Equifax will not include an Organisational Name in an Equifax SecureMark Certificate without first ensuring the following:  (a) the Organisational Name appears in conjunction with a country and possibly a state or province or other locality to sufficiently identify its place of registration or a place where it is currently doing business; and (b) in the case of an organization that could reasonably be expected to be registered with a local, state or national authority, in certain circumstances Equifax will obtain, view and verify copies of the registration documents.  For instance, Equifax may (i) verify the validity of the registration through the authority that issued it, or (ii) verify the validity of the registration through a reputable third party database or other resource, or (iii) verify the validity of the organization through a trusted third party, or (iv) confirm that the organization exists if such organization is not the type that is typically registered or is capable of being verified under sub-clause (iii) above.

In addition, to prove that an Equifax SecureMark Certificate is duly authorized by the organization, Equifax will typically request the name of a contact person who is employed by or is an officer of the organization.  Equifax will also typically require a form of authorization from the organization confirming its intent to obtain an Equifax SecureMark Certificate and will usually document the organization’s contact person.  Equifax normally confirms the contents of this authorization with the listed contact person.

3. Personal Name

In the case of a personal name (i.e., the name of the Subscriber), Equifax will require proof of identity.  Equifax will use all reasonable endeavours  to obtain corroboration and confirmation of the personal name.  For instance, Equifax may verify that the personal name is the name of the Subscriber by (a) the use of a Shared Secret or other similar form of identification, or (b) utilizing existing credit or other databases, or (c) corroboration of the identity by having a number of existing identified Equifax SecureMark Certificate users attest to the identity.

4. Email Address

In the case of an email address, Equifax will use reasonable endeavours to ascertain that the email address belongs to the Subscriber.  At a minimum, Equifax will determine that the Subscriber has the ability to read email sent to that email address.  In addition, Equifax may validate that the email address belongs to the Subscriber by (a) the use of an Email Ping, or (b) obtaining proof that the Subscriber has the necessary mail server credentials to retrieve email sent to that email address, or (c) confirming from the email administrator or organization owning the email domain name that they regard the Subscriber as a legitimate holder of a Certificate containing that email address.

C. Procedure for Processing Certificate Applications

Equifax will process the Equifax SecureMark Certificate applications to confirm the information on the Equifax SecureMark Certificates as set out in paragraph B above.  However, Equifax reserves the right to waive such procedures and issue an Equifax SecureMark Certificate utilizing different authentication procedures in certain circumstances; provided that the general principles for verifying the application information are maintained.  In addition, Equifax or GeoTrust may use subcontractors or other third parties to assist in the performance of its operational requirements or any other obligation under this CPS.

D. Application Issues

At certain times during the application process in which Equifax is not able to verify information in an Equifax SecureMark Certificate application, a customer service representative may be assigned to the Applicant to facilitate the completion of the application process.  Otherwise, the Applicant may be required to correct its associated information with third parties and re-submit its application for an Equifax SecureMark Certificate.

E. Certificate Delivery

If Equifax finds that the Applicant’s Equifax SecureMark Certificate application was sufficiently verified, then Equifax will notify GeoTrust and GeoTrust will sign the Applicant’s Equifax SecureMark Certificate.  Upon signing the Applicant’s Equifax SecureMark Certificate, GeoTrust will return the signed Equifax SecureMark Certificate to Equifax.  Equifax will notify the Applicant via email and send such email to the appropriate contact.  The email will include the date the Equifax SecureMark Certificate was issued, the date the Equifax SecureMark Certificate will expire and the relevant URL for the Applicant’s use in retrieving the Equifax SecureMark Certificate.  In certain circumstances the email may include an Equifax customer service representative telephone number and email address for any technical or customer service problems.

F. Certificate Acceptance

The Applicant expressly indicates acceptance of an Equifax SecureMark Certificate by using such Equifax SecureMark Certificate.

G. Certificate Renewal

The Subscriber is required to generate a new Public Key and complete a new Equifax SecureMark Certificate request before the Subscriber will be able to obtain a renewal Equifax SecureMark Certificate.

H. Certificate Expiration

Equifax will attempt to notify all Subscribers of the expiration date of their Equifax SecureMark Certificate.

I. Certificate Revocation

1. Circumstances For Revocation

Equifax SecureMark Certificate revocation is the process by which the Operational Period of an Equifax SecureMark Certificate is prematurely ended.

 

a. Permissive Revocation

A Subscriber may request revocation of its Equifax SecureMark Certificate at any time for any reason.

b. Required Revocation

A Subscriber shall inform Equifax and promptly request revocation of an Equifax SecureMark Certificate:

• whenever any of the information on an Equifax SecureMark Certificate changes or becomes obsolete; or

• whenever the Private Key, or the media holding the Private Key, associated with the Equifax SecureMark Certificate is Compromised; or

Equifax shall revoke a Certificate:

• upon request of a Subscriber;

• if the Private Key used to sign an Equifax SecureMark Certificate has been compromised;

• upon the Subscriber’s breach of either this CPS or Subscriber Agreement;

• if Equifax determines that the Equifax SecureMark Certificate was not properly issued or the Subscriber’s Private Key has been compromised.

In the event that Equifax ceases operations, all Equifax SecureMark Certificates issued by Equifax shall be revoked prior to the date that Equifax ceases operations.

2. Who Can Request Revocation

The only persons permitted to request revocation of or revoke an Equifax SecureMark Certificate issued by Equifax are the Subscribers and Equifax.

3. Procedure For Revocation Request

The Subscriber must contact Equifax, either by a national/regional postal service, facsimile or overnight courier, and request revocation of an Equifax SecureMark Certificate.  Equifax may also accept email requests to request revocation from Subscribers but is not required to do so without supporting verification.  Equifax shall revoke such Equifax SecureMark Certificate within the next business day by notifying GeoTrust, who will then update the Certificate Revocation List.

J. Records Archival

Equifax shall maintain and archive records relating to the issuance of the Equifax SecureMark Certificates for seven (7) years following the issuance of the applicable Equifax SecureMark Certificate.


IV. SECURITY CONTROLS

A. Equifax Secure Physical Security Controls

Equifax and GeoTrust currently utilize one of the largest secure data centers in the world, in order to accommodate the special needs of operating a public key infrastructure.

B. Features of Equifax Electronic Commerce Solutions Operations Center

  • Slab to slab barriers

  • Electronic control access systems

  • Alarmed doors and video monitoring

  • Security logging and audits

  • Card key access for specially approved employees with defined levels of management approval required

  • Quarterly reviews for continued need of access

  • Annual re-certification of access privileges

  • Annual formal audit of all management processes and control processes

  • Conditions of employment guidelines for all employees



V. TECHNICAL SECURITY CONTROLS

A. Root Key Generation

Key Pair generation is performed on a highly secure hardware device (either nCipher or IBM 4758 cryptographic processor).

B. Root Key Management

The Root Keys are maintained in a trusted and highly secured environment with backup and key recovery procedures.  In the event of the Compromise of the Root Key(s), Equifax shall promptly notify the Subscribers and revoke all Equifax SecureMark Certificates issued with such Root Key(s).

VI. CPS ADMINISTRATION

A. CPS Change Procedures

From time to time it may be necessary to make changes to the Certificate Practice Statement. Certificates are subject to the Certificate Practice Statement in effect at the time the Certificate was issued. All active Certificate Practice Statements will be published on the Equifax web site under the related dates of applicability. In the event a change in the Certificate Practice Statement would be retroactively applicable, a notice will be sent to the affected subscribers and a notice published to relying parties at the Equifax web site.


VII. GENERAL PROVISIONS

A. Conflict of Provisions

This CPS represents the entire agreement between any Subscriber (including the Subscriber Agreement, if any) or Relying Party and us and supersedes any and all prior understandings and representations pertaining to its subject matter.  In the event, however, of a conflict between this CPS and any other express agreement a Subscriber has with Equifax with respect to an Equifax SecureMark Certificate, including but not limited to a Subscriber Agreement, such other agreement shall take precedence.

B. Waiver

A failure or delay in exercising any right or remedy hereunder shall not operate as a waiver of that right or remedy, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise thereof or the exercise of any other right or remedy.

C. Severance

If any provision of this CPS is or becomes invalid or unenforceable it will be severed from the rest of this CPS so that it is ineffective to the extent that it is invalid or unenforceable and no other provision of this CPS shall be rendered invalid, unenforceable or be otherwise affected.

D. Export

Subscribers and Relying Parties acknowledge and agree to use the Equifax SecureMark Certificates in compliance with all applicable laws and regulations, including without limitation U.S. export laws and regulations.  We may refuse to issue or may revoke an Equifax SecureMark Certificate if in our reasonable opinion such issuance or the continued use of such Equifax SecureMark Certificate would violate applicable laws and regulations.


VIII. DEFINITIONS

Applicant. A person or authorized agent that requests the issuance of an Equifax SecureMark Certificate.

Certificate. A record that, at a minimum: (a) identifies the CA issuing it; (b) names or otherwise identifies its Subscriber; (c) contains a Public Key that corresponds to a Private Key under the control of the Subscriber; (d) identifies its Operational Period; and (e) contains a Certificate serial number and is digitally signed by the CA.

Certificate Revocation List. A time-stamped list of revoked Certificates that has been digitally signed by the CA.

CA/Certification Authority. An entity which issues Certificates and performs all of the functions associated with issuing such Certificates.

Certificate Distribution Point (CDP). Also known as CRL Distribution Point or Certificate Revocation List Distribution Point. This field is within the certificate and contains a URL that provides access to the current published Certificate Revocation List.

Compromise. Suspected or actual unauthorized disclosure, loss, loss of control over, or use of a Private Key associated with a Certificate.

CRL. See Certificate Revocation List.

DER (Distinguished Encoding Rules).  A standard used to format information within the Repository for access by Relying Parties and Subscribers.

Email Ping.  A correspondence sent to the email address to which the recipient of the email must reply as proof of receipt.

Extension. A means to place additional information about a Certificate within a Certificate. The X.509 standard defines a set of Extensions that may be used in Certificates.

Key Pair. Two mathematically related keys, having the following properties: (i) one key can be used to encrypt a message that can only be decrypted using the other key, and (ii) even knowing one key, it is computationally impractical to discover the other key.

Operational Period. A Certificate's period of validity. It would typically begin on the date the Certificate is issued (or such later date as specified in the Certificate), and ends on the date and time it expires as noted in the Certificate or is earlier revoked unless it is suspended.

Private Key. The key of a Key Pair used to create a digital signature. This key must be kept a secret.

Public Key. The key of a Key Pair used to verify a digital signature. The Public Key is made freely available to anyone who will receive digitally signed messages from the holder of the Key Pair. The Public Key is usually provided via a Certificate issued by the CA.  A Public Key is used to verify the digital signature of a message purportedly sent by the holder of the corresponding Private Key.

Relying Party. A recipient of a digitally signed message who relies on a Certificate to verify the digital signature on the message.  Also, a recipient of a Certificate who relies on the information contained in the Certificate.

Repository.   The database where certificates and revocation status information such as CRLs are stored.  The official designation of a database as a repository is intended to signal that the operation of the facility is reliable and trustworthy.

Root CA (Root Certificate Authority).  The authority that the certificate-using application trusts and has securely imported and stored its public key.  These roots are often pre-loaded in browsers and shipped or downloaded to the user as part of installing the browser.

Root Key(s).  The Private Key used by GeoTrust to sign the Equifax SecureMark Certificates.

S/MIME (Secure Multipurpose Internet Mail Exchange).  A set of specifications that provides a way to securely enable multimedia email among many different computer systems that use Internet mail standards.

Shared Secret. Information not in the public domain and known only by the applicant or Subscriber.

Subscriber. A person or entity who (1) is the subject named or identified in a Certificate issued to such person or entity, (2) holds a Private Key that corresponds to a Public Key listed in that Certificate, and (3) the person or entity to whom digitally signed messages verified by reference to such Certificate are to be attributed. For the purpose of this CPS, a person or entity who applies for a Certificate by the submission of an application is also referred to as a Subscriber.

X.509.  An International Telecommunication Union / Telecommunication Standardisation Sector and ISO/International Electro-technical Commission (IEC) certificate format standard with versions published in 1988 (v1), 1993 (v2), and 1996 (v3) to allow additional extension fields.  An X.509v3 certificate encompasses a set of basic, predefined fields and zero or more extension fields.



 

 
©2000 Equifax Secure. All Rights Reserved.
Sales: 0845 603 3000
Support: 0845 745 6000
Email: esecure.vetuk@equifax.com