V.03-06-30.01
Service Policy Disclosure Statement
Contact Information
SecureMark Help Desk
Hours of Operation:
9 am (GMT) to 5 pm (GMT) Monday through Friday excluding public
holidays (UK). In the event that any of the service sites are not
functioning properly or appear not to be operating, please contact
our service centre.
Certificate Characteristics, Authentication procedures, and Uses:
SecureMark
certificates are for use by individuals and businesses within
the community of the United Kingdom. Applications include
digitally signing and authenticating identities and other
attributes for e-mail, web forms, web sites, and
encrypting/decrypting information.
SecureMark
Certificates provide validation and verification of the
individual and the business listed in the certificate using
online authentication tools and other enhanced procedures.
Current examples of
how these certificates are used: Access and Registration for
government services, signing tax and other reporting forms,
secure email.
See
http://www.equifaxsecure.co.uk/policies/cps for more
information.
Obligations of the subscribers: Subscribers must provide accurate
information on their certificate applications, review the
certificate to establish its accuracy before using it,
reasonably protect their private keys from theft and
unauthorized use by or disclosure to others, and notify
Equifax upon suspected private key compromise. If a
subscriber's private key is compromised, unauthorized persons
could decrypt or sign messages with the key and commit the
subscriber to unauthorized obligations.
Management of the Certificate and Protection of the Private Key:
It is important to
protect your private key because it is what authenticates your
identity on the Internet. You can make a copy of the private
key on a disk. It should be kept in a safe place. Protect
your private key as if it were a PIN for your debit or credit
card. Use of the private key is restricted to the Subscriber
named in the certificate and expressly authorised users. Do
not leave your computer unattended without securing it with a
password.
If you lose your
private key or otherwise feel that it was compromised, contact
Equifax immediately so the certificate can be revoked. For
more information about using and managing your SecureMark
Certificate, please visit:
www.equifaxsecure.co.uk.
Obligations of Relying Parties: A relying party may justifiably rely
upon a certificate only after confirming that the certificate
has not been revoked or expired by using the URL listed in the
Certificate Distribution Point contained within the
subscriber’s certificate and determining that such certificate
provides adequate assurances for its intended use. The
following URLs hold complete Certificate Revocation Lists for
SecureMark Certificates:
http://crl.geotrust.com/crls/gttc64b.crl
Equifax refreshes the Certificate Revocation Lists at these sites
approximately every 24 hours. In the event that the Certificate
Revocation List posted to a given site is out of date or expired,
please contact our help desk during its hours of operation.
Liability:
You agree that we shall not in any circumstances be liable for any
loss or damage at all arising from any inaccuracies, faults or
omissions in, or in the provision of, the Service unless
caused by our negligence or willful default.
Except to the extent caused by Equifax’s or GeoTrust’s
negligence, in no event shall the
aggregate liability of Equifax and GeoTrust to applicants,
subscriber and any relying party for all claims related to the
use of or reliance on an Equifax SecureMark certificate or for
the services provided hereunder including without limitation
any cause of action sounding in contract, tort (including
negligence), strict liability, for breach of a statutory duty
or in any other way exceed one thousand pounds sterling
(£1,000.00).
You acknowledge that Equifax and GeoTrust
provide the Services at a price that does not reflect any
benefit you may obtain from them, including any profit that
you may make or the amount of any credit that you may give.
You agree that we shall not in any circumstances (including if
we have been negligent) be liable for:
(I) any indirect or consequential loss or damage at all; or
(II) any loss of business, capital, profit, reputation or goodwill,
arising out of or in connection with this Agreement or its subject
matter, in
any case whether or not such losses or damages were within the
contemplation of the parties at the time of the application
for use of or reliance on the Equifax SecureMark Certificate,
or arose out of any other matter under this Certificate Policy
Statement or with regard to the use of or reliance on the
Equifax SecureMark Certificate.
To the extent that some
jurisdictions do not allow the exclusion or limitation of
incidental or consequential damages, the above exclusions of
incidental and consequential damages may not apply to an
applicant, subscriber and/or a relying party but shall be
given effect to the full extent permitted by law.
The foregoing
limitations of liability shall apply on a
certificate-by-certificate basis, regardless of the number of
transactions or claims related to each Equifax SecureMark
Certificate, and shall be apportioned first to the earlier
claims to achieve final resolution.
In no event will either
Equifax or GeoTrust be liable for any damages to Applicants,
Subscribers, Relying Parties or any other party arising out of
or related to the use or misuse of, or reliance on any Equifax
SecureMark Certificate issued under this Certificate Policy
Statement that: (i) has expired or been revoked; (ii) has been
used for any purpose other than as set forth in the
Certificate Practice Statement (See Section I (C) and II (A)
(2) for more detail); (iii) has been tampered with; (iv) with
respect to which the Key Pair underlying such Equifax
SecureMark Certificate or the cryptography algorithm used to
generate such Equifax SecureMark Certificate’s Key Pair, has
been Compromised by the action of any party other than Equifax
or GeoTrust (including without limitation the Subscriber or
Relying Party); or (v) is the subject of misrepresentations or
other misleading acts or omissions of any other party,
including but not limited to Applicants, Subscribers and
Relying Parties.
In no event shall
Equifax or GeoTrust be liable to the Applicant, Subscriber,
Relying Party or other party for damages arising out of any
claim that an Equifax SecureMark Certificate infringes any
patent, trademark, copyright, trade secret or other
intellectual property right of any party.
Equifax shall not be liable for failure to
perform or delay in performing any obligation under this
Certificate Policy if the failure or delay is caused by any
circumstances beyond its control, including but not limited to
acts of God, war, governmental act, fire, flood, explosion,
civil commotion or industrial dispute, or failure of
telecommunications systems.
Nothing in this Certificate Policy
Statement shall exclude or limit the liability of Equifax for
death or personal injury resulting from Equifax's negligence.
Applicable agreements:
Certificate Practice Statement
http://www.equifaxsecure.co.uk/policies/cps.html
Subscriber Agreement:
https://orgcert.equifaxsecure.com/orgcerts/mainukpublic.htm
Privacy Policy: Information
regarding Subscribers that is submitted on applications for
Certificates will be kept confidential by Equifax and Equifax
shall not release such information without the prior consent
of the Subscriber. The foregoing confidentiality obligation
shall not apply, however, to information appearing on
Certificates, or to information regarding Subscribers that is
already in the possession of or separately acquired by
Equifax.
Fee Policy: Issuance, Renewal, Access, Revocation, Other
Refund Policy: Equifax will reissue SecureMark certificates for any
reason within 7 days of original issuance. Equifax will refund the
purchase price of a certificate within 7 days of original issuance.
Dispute Resolution Policy: Equifax
and the Subscriber shall use all reasonable endeavors to
resolve any disputes arising out of this Subscriber
Agreement. If Equifax and the Subscriber fail to resolve the
dispute within [30] working days of one party giving notice of
the dispute to the other party, the parties must submit to
mediation under the supervision of a mutually agreeable
mediator or, failing such agreement, under the supervision of
the Centre for Dispute Resolution.
Such mediation shall be binding on
the parties as to submission to the mediation but not as to
its outcome. All negotiations connected with the dispute
shall be conducted in strict confidence and without prejudice
to the rights of the parties in any further legal proceedings.
Except
for any party's right to seek interlocutory relief in the
courts, no party may commence other legal proceedings under
the jurisdiction of the courts or any other form of
arbitration until 20 Working Days after the parties have
submitted the dispute to mediation.
If, with the assistance
of the mediator, the parties reach a settlement, such
settlement shall be put in writing and once signed by a duly
authorised representative of each of the parties, shall be
binding on the parties.
The parties shall bear
their own legal costs under this provision, except that the
costs and expenses of the mediator shall be equally shared
between the parties.
Revocation Policy:
Subscribers must contact Equifax, either by a
national/regional postal service, facsimile or overnight
courier, and request revocation of a Certificate. Equifax may
also accept email requests for revocation from
Subscribers but is not required to do so without supporting
verification. Equifax will verify order identification number
and full contact details to confirm which certificate the
request relates to, and that the request is from the
subscriber. Equifax shall revoke such Certificate within the
next business day.
In the event that
Equifax determines that the certificate should be revoked
independent of a request from the Subscriber, Equifax will
notify the subscriber that such action has been taken using
the contact information provided in the original application.
Only the subscriber will be notified of revocation of a
certificate.
Suspension of Certificates: Equifax does
not include certificate suspension as a part of the SecureMark
service.
Applicable Law: Applicable
law and dispute resolution shall be governed by and construed
in accordance with English law and Subscribers irrevocably
submit to the non-exclusive jurisdiction of the courts of
England.
CA and repository licenses, trust marks, and audit:
SAS 70
Data Protection Registrations: Z6564696 (25 July 2004), Z4945077 (08 August 2004)
TruSecure Certificate 700500700E
Other Certificate Policies
Applying for and receiving a SecureMark Certificate:
To complete the registration process, you'll need to provide
information showing that you and your company exist. You need to help
us ensure that no one is trying to impersonate you or your company.
Your company needs to authorise you to get a certificate.
For your security, the
online enrolment process is conducted in an SSL web session.
What this means to you is that any information you provide is
strongly encrypted and cannot be understood or altered by
anyone other than Equifax Secure.
Important Notice:
In order to use Equifax SecureMark certificates for retrieval
and submission of forms through the Government Gateway
(www.gateway.gov.uk), the minimum system requirements are:
- Windows 95 or NT 4 (SP3) or higher
- Netscape Navigator v4.7 or higher (v6 not yet supported)
- Internet Explorer version 5.01 or above.
What You Need To Do To Complete The Registration Process:
1. Complete The Online Enrolment Form
You’ll be asked for
information about yourself: Your name, Your Address,
Telephone Number, and so on. You’ll also be asked to complete
information regarding your company such as its Name, Address,
and VAT number. The last part of the form requests payment
information. You may use VISA, MasterCard, Delta, and
Switch. No charges will be made to your account until your
application has been approved and a certificate issued.
2. Complete the Interactive Query
After you’ve submitted
your enrolment form, you’ll be asked to complete a brief
questionnaire, the answers to which only you should know.
These questions are based on credit information held by
Equifax Secure. Before we retrieve your credit file, we
require your consent to use the information. We will only use
this data to help us authenticate you. This dialogue is
conducted within a strongly encrypted session between yourself
and Equifax alone. If you do not consent, no information is
retrieved and we will stop the enrolment process. If you
elect to continue, and you’ve completed the interactive query,
you’re almost finished.
3. Supply Authorisation from your Company
After you’ve completed
the interactive query, you’ll be presented with your order ID
and some guidelines on completing the documents required that
authorise you to obtain a certificate on behalf of your
company.
We will review your
registration and documents of authorisation, usually the same
business day or following business day of receiving your
application. If the registration is complete and validated,
we’ll issue a certificate. It may be necessary for a
representative from Equifax to contact you and clarify details
in your application. For your own protection, please request
the order ID from the operator before providing any
information.
4. Key Generation
You will be prompted for the
generation of a key pair. Your browser will generate a
public/private key-pair and a Certificate Signing Request.
Equifax will use the Certificate Signing Request to produce
your eventual certificate. Your private key and public key will
be placed within your browser’s certificate store. Equifax
never has access to your private key. The certificate key
length will be generated based on the highest length
compatible with your browser cipher strength. This is
commonly a key length of 1024.
5. Import Your Certificate
Once Equifax has
validated your application (Step 3), you will immediately be
issued an invitation to visit our website and retrieve your
certificate. A dedicated link for you to use will be included
in the e-mail. Please retain this e-mail if you require a VAT
receipt. Follow the instructions for importing the
certificate. Most of it happens automatically and the import
takes less than a minute.
6. Use Your Certificate
Once you've imported
your certificate you're ready to use it.
Notification of Issuance:
Subscribers – Upon
import of your certificate, the status of your order will
reflect that the certificate has been issued. You will
receive no further notices.
Relying Parties – No
notification of certificate issuances will be provided to
relying parties, or any other authority.
SecureMark certificates are issued with the
following fields and extensions:

| Field Names and Extensions | Definition |
| --- | --- |
| Public Key | Signature Verification Data |
| Valid From and Valid To dates | Validity Period |
| Serial Number of the Certificate | Part of the Identity Code of the Certificate |
| Identification as an Equifax Secure Level 2 | Identification that the certificate is issued in accordance with Level 2 registration requirements as outlined by the UK government |
| Name of the Certificate Issuer and Country of Origin | The Certificate Authority signing the Subscriber’s Public key |
| Certificate Revocation List Distribution Point | The URL where relying parties can confirm whether a certificate has been revoked |
| Certificate Policies Point | The URL where relying parties and subscribers can review the certificate practice statement under which the certificate was issued |
| Key Usage | The general practices that the certificate can be used for. |
| Certificate Path | The certificate chain that links the subscriber’s certificate to the Trust Root loaded in the browser |
| Certificate Version | The version of the X.509 standard used to generate the certificate |
| Name of the Individual Subscriber | Attribute in the Distinguished Name |
| Validated Email Address | Attribute in the Distinguished Name |
| City of the Subscriber | Attribute in the Distinguished Name |
| Country of the Subscriber | Attribute in the Distinguished Name |
| S/MIME Extension | Extension for use with secure email |

Certificate Revocation List Profile:

| Field Names and Extension | Description |
| --- | --- |
| Version | The version of the X.509 standard used to generate the Certificate Revocation List |
| Issuer | The Certificate Authority publishing the Certificate Revocation List |
| Effective Date | The beginning of the validity period for the list |
| Next Update | The ending of the validity period for the list |

Directories for certificates issued under the SecureMark programme
are not published or made generally available.