Certificate Policy for
 
Certification Services

Version 1.0

January 2000

Copyright © 2000,2001 VillageMall Pty Ltd.
ALL RIGHTS RESERVED
1. Introduction

This document outlines the policies for VillageMall Pty Ltd ( "VillageMall") Certificate Services. It assumes the reader has a basic understanding of digital certificates and signatures. It covers certificate application, validation of applicants, certificate issuance,  use, and revocation.

1.1 Definitions

Certificate Revocation List ("CRL") means the register from time to time of information regarding the status of Digital Certificates or a facility which enables the revocation status of a Digital Certificate to be checked.

Certification Authority ("CA") means VillageMall or any other entity expressly authorised by VillageMall to issue Digital Certificates to VillageMall network members.

Token mans a VillageMall supplied token or other VillageMall approved token that VillageMall issues a certificate for use with.

2. General Disclaimer

As a Certification Authority, VillageMall  binds the name and any other required information to a subscriber's public key and signs this information with VillageMall's Certification Authority private key. By issuing a certificate to a particular certificate policy, VillageMall is confirming that it has followed the rules associated with the certificate policy  (please see signing procedures for details of minimum checks).

It must be noted that VillageMall makes no acknowledgment of the merchantability or credibility of products or services provided by an organisation or individual for whom it signs a digital certificate. Issuance of a certificate does not guarantee the authority of the person who has the associated private key to act on behalf of the subscriber.

3. Certification Infrastructure

3.1 Certificate Policy(ies)

VillageMall issues certificates with different certificate policies. Each certificate policy has been designed for a specific use. VillageMall certificate policies have a global unique Object Identifier (OID) allocated under the ISO registration authority, this certificate policy (OID)  is included within the certificate policy extension of the VillageMall Certification Authority certificate.

VillageMall network certificates are issued to individuals and organisations and provide assurance about the identity of the certificate holder, to the level identified within the Identification section of the Certificate Practice Statement. VillageMall Certificates have a limited use,  and may only be used within the VillageMall network, and in conjunction with a VillageMall service.
This certificate policy is identified as:
 {iso(1) member-body(2) Australia (36) VillageMall (88024560) info(1) pki(1) certificate-policy (0) VillageMall-network (1) } 
also shown within a certificate viewer  in dot notation as {1.2.36.88024560.1.1.0.1}

4. Certificate Management

4.1 Generation

The generation of certificates by VillageMall are assessed and processed on an individual basis. VillageMall reserves the right not to proceed with the generation of a certificate for any individual or organisation which does not fulfil the requirements for the required certificate policy.  VillageMall also reserves the right to withhold the reason for non-provision of certificates. Certificates generated by VillageMall are valid for the period as determined by VillageMall.

4.2 Distribution, Storage and Retrieval

Once generated, certificates are available to VillageMall subscribers. VillageMall does not make certificates available to the public.

4.3 Certificate Status

VillageMall also provides up to date information concerning the status of digital certificates issued by VillageMall, i.e. whether they are on a Certificate Revocation List (CRL). This CRL may be accessed by relying parties, however, before relying on a certificate issued by VillageMall, users must read and agree to the terms of VillageMall's Relying Party  Agreement.

4.4 Revocation

Certificates may be revoked for a variety of reasons such as, but not limited to, the corresponding private key being compromised or the original subscriber no longer requiring it. It is the responsibility of a subscriber to notify VillageMall if, for any reason, a certificate requires revoking. A certificate can be revoked without reason, to meet VillageMall's commercial operations such as, but not limited to, the non payment of outstanding accounts, or leaving the VillageMall Network.. 

4.5 Renewal

As VillageMall certificates are valid for a fixed period, each certificate will need to be renewed prior to its expiration. The subscriber is responsible for renewing their certificate.

5. Legal Aspects

5.1 Warranty

VillageMall warrants that, in relation to a particular certificate, it will have carried out the validation procedures appropriate to that certificate policy. 

Except as stated above, VillageMall does not warrant the accuracy, authenticity, reliability or competence of the information contained in certificates or otherwise held by VillageMall.

The attention of subscribers and relying parties is drawn to the terms of the Relying Party Agreement as appropriate.

5.2 Agency

VillageMall is not the agent or representative of any subscriber or relying party and no subscriber or relying party shall make any representations to the contrary.

5.3 Subscribing party's obligations

The subscribing party must ensure that the certificate is not used for any purpose which is fraudulent or in any other way illegal. If a certificate is used for such a purpose then VillageMall may revoke the certificate without notice.

5.4 Protection of Privacy and Personal Data

VillageMall and third parties may make use of information supplied by a subscriber for the purposes issuing and using the subscriber's certificate. VillageMall may also use the information supplied by a subscriber for the purposes, as outlined within our Privacy Statement.

6. Application

6.1 Procedure

Every prospective subscriber must complete the application form appropriate to the certificate policy for which they wish to apply. Failure to complete the application completely and accurately may lead to that application being delayed or rejected.

6.2 Key Pairs

The prospective subscriber key pairs must be generated within their VillageMall Token.

6.3 Subscribers Agreement

Before submitting an application, every prospective subscriber must familiarise themselves with the terms of VillageMall's  Subscribers Agreement. Submission of an application form indicates that the prospective subscriber has agreed to be bound by that Agreement.

6.4 Further Information

VillageMall reserves the right to request further background information from a prospective subscriber where it, at its discretion, feels such additional information is appropriate or desirable in relation to the certificate policy for which the prospective subscriber has applied.

6.5 VillageMall Procedures

VillageMall retrieves certificate requests and conducts the following verification checks on each application according to the certificate policy.

VillageMall will only issue a Certificate to an Australian resident under this policy, this is indicated, and attested to by the Subscriber  on the application form.

6.6 Privacy

Before submitting an application, every prospective subscriber must familiarise themselves with the contents of VillageMall's Privacy Policy. This Privacy policy is also incorporated by reference into the VillageMall Certification Practice Statement.

6.7 Private Key Storage

Prospective subscribers are responsible for ensuring that their private key only on the VillageMall token and keep the token a secure fashion so are to ensure it is not subject to loss, disclosure, corruption, modification or unauthorised use.

7. Issuance

If VillageMall agrees to issue a certificate, it will sign the subscriber's certificate and return the certificate to the users token for storage.

8. Acceptance

Once a subscriber has downloaded and installed their certificate, or upon first use of their private key associated with the certificate,  they are bound by the terms and conditions of the Subscribers Agreement.

9. Use

Use of any digital certificate issued by VillageMall must be in accordance with the Subscribers Agreement.

10. Revocation

VillageMall reserves the right to revoke any certificate which use contravenes the terms and conditions of the Subscribers Agreement.

11 Obligations

11.1 The following are the Certification Authority obligations:

  • Practice and Procedures- To follow the procedures within the Certification Practice Statement.
  • Accuracy of representations – The CA is obligated to all who reasonably rely on the information contained in the certificate that it has issued the certificate to the named subscriber.
  • Notification of certificate issuance - The CA is obligated to ensure that the subscriber who is the subject of the certificate is  notified of the certificate issuance.
  • Notification of revocation of a certificate – The CA is obligated to ensure that the subscriber who is the subject of the certificate and others who reasonably rely on that certificate are notified of the certificate revocation.
  • Accurately represent the information provided as part of the registration request.

11.2 The following are subscriber’s obligations:

  • Accuracy of representations in certificate applications – Subscribers are obligated to accurately represent the information required of them on the certificate application.
  • Protection of subscriber private key – Subscribers are obligated to protect their private keys, and Token PINs at all times.
  • Notification of CA upon private key compromise – Subscribers are obligated to notify the CA that issued their certificate upon realisation that their private key is compromised.
  • Proper use of certificate – Subscribers are obligated to abide by all restrictions levied upon the use of their private key and certificate.

11.3 The following are the relying parties’ obligations:

  • Proper use of certificates – Relying parties are obligated to rely upon the certificate, only for the purpose for which it was issued.
  • Digital signature verification responsibilities – Relying parties are obligated to verify the digital signature of the CA who issued the certificate they are about to use. 
  • Checking  CRL's– Relying parties are obligated to check that no certificates within the certification path are included within any VillageMall CA CRL(s).
  • Establishing trust in CA – Relying parties are obligated to establish trust in the CA who issued the certificate they are about to use by verifying the chain of certificates at root of which a trusted CA exist. The path processing should be based on the guidelines set by the  X.509 for version 3 certificates.
  • Identifying  the certificate policy under which the certificate was issued, and determination of appropriateness for the intended use.