Certificate Code Signing

Code signing   Date: 2021-04-30
Global Digital Cybersecurity Authority CO., LTD.
SM2 Certificate Policy (CP)
Version: 1.0
Release Date: December 22, 2020

Contents

1. Introduction
1.1. Overview
1.1.1. Company Profile
1.1.2. SM2 Certificate Policy (CP)
1.1.3. GDCA Architecture
1.1.4. Hierarchical Architecture of GDCA Certificates
1.2. Document Name and Identification
1.3. PKI Participants
1.3.1. Certification Authorities
1.3.2. Registration Authorities
1.3.3. Subscribers
1.3.4. Relying Parties
1.3.5. Other Participants
1.4. Certificate Usage
1.4.1. Appropriate Certificate Uses
1.4.2. Prohibited Certificate Uses
1.5. Policy Administration
1.5.1. Organization Administering the Document
1.5.2. Contact Person
1.5.3. Committees Determining CP Suitability for the Policy
1.5.4. CP Approval Procedures
1.5.5. CP Revision
1.6. Definitions and Acronyms
1.6.1. List of Term Definitions
1.6.2. List of Abbreviations and their Meaning
2. Publication and Repository Responsibilities
2.1. Repositories
2.2. Publication of Information
2.3. Time or Frequency of Publication
2.4. Access Controls on Repositories
3. Identification and Authentication
3.1. Naming
3.1.1. Type of Names
3.1.2. Need for Names to be Meaningful
3.1.3. Anonymity or Pseudonymity of Subscribers
3.1.4. Rules for Interpreting Various Name Forms
3.1.5. Uniqueness of Names
3.1.6. Recognition, Authentication, and Role of Trademarks
3.2. Initial Identity Validation
3.2.1. Method to Prove Possession of Private Key
3.2.2. Authentication of Individual Identity
3.2.3. Authentication of Organization Identity
3.2.4. Authentication of Equipment Identity
3.2.5. Authentication of SSL Server Identity
3.2.6. Authentication of Code Signing Identity
3.2.7. Authentication of Document Signing Certificates Identity
3.2.8. Authentication of E-mail Certificates Identity
3.2.9. Authentication of Timestamp Identity
3.2.10. Domain Name Recognition and Validation
3.2.11. Verification of DBA/Tradename
3.2.12. Verification of Country
3.2.13. Authentication of an IP Address
3.2.14. Data Source Accuracy
3.2.15. Non-Verified Subscriber Information
3.2.16. Validation of Authority
3.2.17. Criteria for Interoperation
3.3. Identification and Authentication for Rekey Requests
3.3.1. Identification and Authentication for Routine Rekey
3.3.2. Identification and Authentication for Rekey After Revocation
3.4. Identification and Authentication for Revocation Request
4. Certificate Life Cycle Operational Requirements
4.1. Certificate Application
4.1.1. Who Can Submit a Certificate Application
4.1.2. Enrollment Process and Responsibilities
4.2. Certificate Application Processing
4.2.1. Performing Identification and Authentication Functions
4.2.2. Approval or Rejection of Certificate Applications
4.2.3. Time to Process Certificate Applications
4.2.4. Certification Authority Authorization (CAA)
4.3. Certificate Issuance
4.3.1. RA and CA Actions During Certificate Issuance
4.3.2. Notifications to Subscriber by the CA of Issuance of Certificate
4.4. Certificate Acceptance
4.4.1. Conduct Constituting Certificate Acceptance
4.4.2. Publication of the Certificate by the CA
4.4.3. Notification of Certificate Issuance by the CA to Other Entities
4.5. Key Pair and Certificate Usage
4.5.1. Subscriber Private Key and Certificate Usage
4.5.2. Relying Party Public Key and Certificate Usage
4.6. Certificate Renewal
4.6.1. Circumstances for Certificate Renewal
4.6.2. Who May Request Renewal
4.6.3. Processing Certificate Renewal Requests
4.6.4. Notification of New Certificate Issuance to Subscriber
4.6.5. Conduct Constituting Acceptance of a Renewal Certificate
4.6.6. Publication of the Renewal Certificate by the CA
4.6.7. Notification of Certificate Issuance by the CA to Other Entities
4.7. Certificate Rekey
4.7.1. Circumstances for Certificate Rekey
4.7.2. Who May Request Certification of a New Public Key
4.7.3. Processing Certificate Rekeying Requests
4.7.4. Notification of New Certificate Issuance to Subscriber
4.7.5. Conduct Constituting Acceptance of a Rekeyed Certificate
4.7.6. Publication of the Rekeyed Certificate by the CA
4.7.7. Notification of Certificate Issuance by the CA to Other Entities
4.8. Certificate Modification
4.8.1. Circumstances for Certificate Modification
4.8.2. Who May Request Certificate Modification
4.8.3. Processing Certificate Modification Requests
4.8.4. Notification of New Certificate Issuance to Subscriber
4.8.5. Conduct Constituting Acceptance of Modified Certificate
4.8.6. Publication of the Modified Certificate by the CA
4.8.7. Notification of Certificate Issuance by the CA to Other Entities
4.9. Certificate Revocation and Suspension
4.9.1. Circumstances for Revocation
4.9.2. Who Can Request Revocation
4.9.3. Procedure for Revocation Request
4.9.4. Revocation Request Grace Period
4.9.5. Time Within Which CA Must Process the Revocation Request
4.9.6. Revocation Checking Requirements for Relying Parties
4.9.7. CRL Issuance Frequency
4.9.8. Maximum Latency for CRLs
4.9.9. Online Revocation/Status Checking Availability
4.9.10. Online Revocation Checking Requirements
4.9.11. Other Forms of Revocation Advertisements Available
4.9.12. Special Requirements Related to Key Compromise
4.9.13. Circumstances for Suspension
4.9.14. Who Can Request Suspension
4.9.15. Procedure for Suspension Request
4.9.16. Limits on Suspension Period
4.10. Certificate Status Services
4.10.1. Operational Characteristics
4.10.2. Service Availability
4.10.3. Optional Features
4.11. End of Subscription
4.12. Key Escrow and Recovery
4.12.1. Key Escrow and Recovery Policy and Practices
4.12.2. Session Key Encapsulation and Recovery Policy and Practices
5. Facility, Management, and Operational Controls
5.1. Physical Controls
5.1.1. Site Location and Construction
5.1.2. Physical Access
5.1.3. Power and Air Conditioning
5.1.4. Water Exposures
5.1.5. Fire Prevention and Protection
5.1.6. Media Storage
5.1.7. Waste Disposal
5.1.8. Off-Site Backup
5.2. Procedural Controls
5.2.1. Trusted Roles
5.2.2. Number of Persons Required per Task
5.2.3. Identification and Authentication for Each Role
5.2.4. Roles Requiring Separation of Duties
5.3. Personnel Controls
5.3.1. Qualifications, Experience, and Clearance Requirements
5.3.2. Background Check Procedures
5.3.3. Training Requirements
5.3.4. Retraining Frequency and Requirements
5.3.5. Job Rotation Frequency and Sequence
5.3.6. Sanctions for Unauthorized Actions
5.3.7. Independent Contractor Requirements
5.3.8. Documentation Supplied to Personnel
5.4. Audit Logging Procedures
5.4.1. Types of Events Recorded
5.4.2. Frequency of Processing Log
5.4.3. Retention Period for Audit Log
5.4.4. Protection of Audit Log
5.4.5. Audit Log Backup Procedures
5.4.6. Audit Collection System (Internal vs. External)
5.4.7. Notification to Event-Causing Subject
5.4.8. Vulnerability Assessments
5.5. Records Archival
5.5.1. Types of Records Archived
5.5.2. Retention Period for Archive
5.5.3. Protection of Archive
5.5.4. Archive Backup Procedures
5.5.5. Requirements for Time-Stamping of Records
5.5.6. Archive Collection System (Internal or External)
5.5.7. Procedures to Obtain and Verify Archive Information
5.6. Key Changeover
5.7. Compromise and Disaster Recovery
5.7.1. Incident and Compromise Handling Procedures
5.7.2. Computing Resources, Software, and/or Data Are Corrupted
5.7.3. Entity Private Key Compromise Procedures
5.7.4. Business Continuity Capabilities After a Disaster
5.8. CA or RA Termination
6. Technical Security Controls
6.1. Key Pair Generation and Installation
6.1.1. Key Pair Generation
6.1.2. Private Key Delivery to Subscriber
6.1.3. Public Key Delivery to Certificate Issuer
6.1.4. CA Public Key Delivery to Relying Parties
6.1.5. Key Sizes
6.1.6. Public Key Parameters Generation and Quality Checking
6.1.7. Key Usage Purposes (as per X.509 v3 Key Usage Field)
6.2. Private Key Protection and Cryptographic Module Engineering Controls
6.2.1. Cryptographic Module Standards and Controls
6.2.2. Private Key (n out of m) Multi-Person Control
6.2.3. Private Key Escrow
6.2.4. Private Key Backup
6.2.5. Private Key Archival
6.2.6. Private Key Transfer Into or From a Cryptographic Module
6.2.7. Private Key Storage on Cryptographic Module
6.2.8. Method of Activating Private Key
6.2.9. Method of Deactivating Private Key
6.2.10. Method of Destroying Private Key
6.2.11. Cryptographic Module Capabilities
6.3. Other Aspects of Key Pair Management
6.3.1. Public Key Archival
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
6.4. Activation Data
6.4.1. Activation Data Generation and Installation
6.4.2. Activation Data Protection
6.4.3. Other Aspects of Activation Data
6.5. Computer Security Controls
6.5.1. Specific Computer Security Technical Requirements
6.5.2. Computer Security Rating
6.6. Life Cycle Technical Controls
6.6.1. System Development Controls
6.6.2. Security Management Controls
6.6.3. Life Cycle Security Controls
6.7. Network Security Controls
6.8. Time-Stamping
7. Certificate, CRL, and OCSP Profiles
7.1. Certificate Profile
7.1.1. Version Number(s)
7.1.2. Certificate Extensions
7.1.3. Algorithm Object Identifiers
7.1.4. Name Forms
7.1.5. Name Constraints
7.1.6. Certificate Policy Object Identifier
7.1.7. Usage of Policy Constraints Extension
7.1.8. Policy Qualifiers Syntax and Semantics
7.1.9. Processing Semantics for the Critical Certificate Policies Extension
7.2. CRL Profile
7.2.1. Version Number(s)
7.2.2. CRL and CRL Entry Extensions
7.3. OCSP Profile
7.3.1. Version Number(s)
7.3.2. OCSP Extensions
8. Compliance Audit and Other Assessments
8.1. Frequency and Circumstances of Assessment
8.2. Identity/Qualifications of Assessor
8.3. Assessor's Relationship to Assessed Entity
8.4. Topics Covered by Assessment
8.5. Actions Taken as a Result of Deficiency
8.6. Communications of Results
8.7. Self-Audits
9. Other Business and Legal Matters
9.1. Fees
9.1.1. Certificate Issuance or Renewal Fees
9.1.2. Certificate Access Fees
9.1.3. Revocation or Status Information Access Fees
9.1.4. Fees for Other Services
9.1.5. Refund Policy
9.2. Financial Responsibility
9.2.1. Insurance Coverage
9.2.2. Other Assets
9.2.3. Insurance or Warranty Coverage for End-Entities
9.3. Confidentiality of Business Information
9.3.1. Scope of Confidential Information
9.3.2. Information Not Within the Scope of Confidential Information
9.3.3. Responsibility to Protect Confidential Information
9.4. Privacy of Personal Information
9.4.1. Privacy Plan
9.4.2. Information Treated as Private
9.4.3. Information Not Deemed Private
9.4.4. Responsibility to Protect Private Information
9.4.5. Notice and Consent to Use Private Information
9.4.6. Disclosure Pursuant to Judicial or Administrative Process
9.4.7. Other Information Disclosure Circumstances
9.5. Intellectual Property Rights
9.6. Representations and Warranties
9.6.1. CA Representations and Warranties
9.6.2. RA Representations and Warranties
9.6.3. Subscriber Representations and Warranties
9.6.4. Relying Party Representations and Warranties
9.6.5. Representations and Warranties of Other Participants
9.7. Disclaimers of Warranties
9.8. Limitations of Liability
9.9. Indemnities
9.9.1. Indemnification by GDCA
9.9.2. Indemnification by Subscribers
9.9.3. Indemnification by Relying Parties
9.10. Term and Termination
9.10.1. Term
9.10.2. Termination
9.10.3. Effect of Termination and Survival
9.11. Individual Notices and Communications with Participants
9.12. Amendments
9.12.1. Procedure for Amendment
9.12.2. Notification Mechanism and Period
9.12.3. Circumstances Under Which CP Must be Changed
9.13. Dispute Resolution Provisions
9.14. Governing Law
9.15. Compliance with Applicable Law
9.16. Miscellaneous Provisions
9.16.1. Entire Agreement
9.16.2. Assignment
9.16.3. Severability
9.16.4. Enforcement
9.16.5. Force Majeure
9.17. Other Provisions
Appendix: GDCA CP Revision Records

1. Introduction

1.1. Overview

1.1.1. Company Profile

Global Digital Cybersecurity Authority CO., LTD. (abbreviated as GDCA, or "数安时代"), formerly Guangdong Digital Certificate Authority CO., LTD., was founded on March 6, 2003. In September 2005, GDCA passed the qualification review of the State Cryptography Administration (SCA) and the former Ministry of Information Industry in accordance with the law, becoming one of the first eight electronic authentication service authorities in China to obtain the "Electronic Authentication Service License" (license number: ECP44010215007). In December 2008, GDCA obtained the "Commercial Cryptography Products Sales License" issued by the SCA. In April 2011, GDCA passed the SCA's assessment of e-government electronic authentication service capability and obtained the qualification of "E-government Electronic Authentication Service Authority" (number: A021). In 2013, GDCA upgraded its electronic authentication service system to the SM2 algorithm and passed the security review organized by the SCA. In early 2015, GDCA passed the WebTrust international security audit, attaining an internationally standardized level of operational management and service, so that it can provide electronic authentication services globally. To meet business development needs, "Guangdong Digital Certificate Authority CO., LTD." was renamed "Global Digital Cybersecurity Authority CO., LTD." in May 2016. On August 11, 2017, GDCA was listed on the National Equities Exchange and Quotations (NEEQ) of China, with the stock abbreviation "数安时代" and stock code 871932.

After the renaming, all assets, debts, rights and business of the former "Guangdong Digital Certificate Authority CO., LTD." were inherited by "Global Digital Cybersecurity Authority CO., LTD.". The rights and obligations under contracts and agreements signed with GDCA under the name "Guangdong Digital Certificate Authority CO., LTD." before the renaming are likewise inherited by "Global Digital Cybersecurity Authority CO., LTD.".

GDCA upholds the corporate values of "Authority, Credibility, Professionalism and Innovation", fulfils the corporate mission of "Trust Connects the World", and is committed to becoming a "first-class online trust service provider".
1.1.2. SM2 Certificate Policy (CP)

This document describes the Certificate Policy (SM2 CP) of GDCA. It is the policy statement for GDCA's digital certificate services and applies to all digital certificates issued and managed by GDCA and to the related participants. It sets out the business, legal and technical requirements and specifications for approving, issuing, managing, using, renewing and revoking certificates and for the related trusted services. These requirements and specifications protect the security and integrity of GDCA's digital certificate services and form a single set of rules applied consistently across GDCA, so that the same trust assurance is provided throughout the GDCA architecture. This CP is not a legal agreement between GDCA and the participants; the rights and obligations between GDCA and each participant are established by the agreements signed between them.

This CP complies with the structure and content requirements of the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, i.e. RFC 3647 defined by the Internet Engineering Task Force (IETF), and with those of GB 26855-2011-T Information Security Technology Public Key Infrastructure Certificate Policies and Certification Practice Statement Framework, with appropriate adaptations to Chinese laws and regulations and to GDCA's operational requirements.

As a Certification Authority (CA), GDCA generates root certificates and CA certificates and issues subscriber certificates under the constraints of this CP. Depending on certificate type and scope of application, subscribers holding certificates may use them for website security (SSL/TLS), code signing, e-mail signing, document signing, identity authentication and other applications. Relying parties decide whether to trust a certificate in accordance with the relying-party obligations set out in this CP. GDCA's SM2 Certification Practice Statement (CPS) is bound by this CP and elaborates the certificates that GDCA provides as an electronic authentication service authority, how it provides them, and the corresponding management, operational and security measures. All subscribers and relying parties of GDCA certificates must refer to the provisions of this CP and the relevant CPS to determine their use of and reliance on certificates.
1.1.3. GDCA Architecture

This CP is the highest policy of GDCA. GDCA's certification authority (CA) formulates its CPS in accordance with this CP; the RA authenticates certificate service applications according to this CP and the related CPS; and subscribers, relying parties and other related entities decide on the use of and trust in certificates, and perform the corresponding obligations, according to this CP and the related CPS. GDCA comprises the root CA, subordinate CAs, the related registration authorities, branch centers and business acceptance points; these entities are service bodies at different levels within the GDCA certification system.
1.1.4. Hierarchical Architecture of GDCA Certificates

1) ROOT CA (SM2)

The ROOT CA (SM2) certificate is the root certificate of the State Cryptography Administration (SCA). It uses the SM2 algorithm with a 256-bit root key. Under it is the Guangdong Certificate Authority (GDCA TrustAUTH E1 CA) certificate, with a 256-bit key and the SM2 signing algorithm, which issues SSL certificates with 256-bit keys. For the certificate policy of the other types of certificates issued by Guangdong Certificate Authority (GDCA TrustAUTH E1 CA SM2), see the Global Digital Cybersecurity Authority CO., LTD. Certificate Policy (https://www.gdca.com.cn/cp/cp).

All SM2 certificates of GDCA are issued by Guangdong Certificate Authority (GDCA TrustAUTH E1 CA) under ROOT CA (SM2).

ROOT CA (SM2) will expire on July 7, 2042. The Guangdong Certificate Authority (GDCA TrustAUTH E1 CA) certificate will expire on June 21, 2034; from January 1, 2030, GDCA will no longer use this CA certificate to issue SSL certificates.

2) GDCA GM SM2 ROOT

The GDCA GM SM2 ROOT certificate uses the SM2 algorithm with a 256-bit root key. Eight subordinate CA certificates are issued under it:
(1) GDCA EV SSL SM2 CA, 256-bit key, issues 256-bit EV SSL server certificates;
(2) GDCA OV SSL SM2 CA, 256-bit key, issues 256-bit OV SSL certificates;
(3) GDCA SSL SM2 CA, 256-bit key, issues 256-bit IV SSL and DV SSL server certificates;
(4) GDCA EV CodeSigning SM2 CA, 256-bit key, issues 256-bit EV code signing certificates;
(5) GDCA CodeSigning SM2 CA, 256-bit key, issues 256-bit code signing certificates;
(6) GDCA TimeStamp SM2 CA, 256-bit key, issues 256-bit timestamp certificates;
(7) GDCA DocSign SM2 CA, 256-bit key, issues 256-bit organization and individual document signing certificates;
(8) GDCA Generic SM2 CA, 256-bit key, issues 256-bit e-mail certificates and equipment certificates.

The GDCA GM SM2 ROOT certificate will expire on November 20, 2045.

Each of the eight subordinate CA certificates (GDCA EV SSL SM2 CA, GDCA OV SSL SM2 CA, GDCA SSL SM2 CA, GDCA EV CodeSigning SM2 CA, GDCA CodeSigning SM2 CA, GDCA TimeStamp SM2 CA, GDCA DocSign SM2 CA and GDCA Generic SM2 CA) will expire on November 23, 2035, and from January 1, 2032 GDCA will no longer use any of them to issue subscriber certificates.
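As an added example (not code from the GDCA policy), the following Python encodes the hierarchy, expiry dates and issuance cut-offs stated above and audits a subscriber certificate's validity window and key against them, so a relying party or auditor can flag a certificate issued after its CA's cut-off, outliving any CA in its chain, or not using a 256-bit SM2 key. CA names are as written in the policy with spacing restored ("GDCA TrustAUTH E1 CA" stands for the Guangdong Certificate Authority certificate); the certificates checked are constructed inputs.

```python
"""Policy-date checks over the GDCA SM2 hierarchy described in section 1.1.4.

Added example, not GDCA's own code. CA names (spacing restored), expiry
dates and issuance cut-off dates are those stated in the policy text;
the certificates checked below are constructed test inputs.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class CaEntry:
    parent: Optional[str]         # issuing CA; None for a root
    expires: date                 # CA certificate notAfter, per the policy
    stop_issuing: Optional[date]  # first day the CA no longer issues; None if none stated
    issues: str                   # what the CA issues, per the policy


HIERARCHY: Dict[str, CaEntry] = {
    "ROOT CA (SM2)": CaEntry(None, date(2042, 7, 7), None, "subordinate CA"),
    # Guangdong Certificate Authority (GDCA TrustAUTH E1 CA) under the SCA root
    "GDCA TrustAUTH E1 CA": CaEntry("ROOT CA (SM2)", date(2034, 6, 21),
                                    date(2030, 1, 1), "SSL"),
    "GDCA GM SM2 ROOT": CaEntry(None, date(2045, 11, 20), None, "subordinate CA"),
}
# The eight subordinate CAs under GDCA GM SM2 ROOT share one expiry and cut-off.
for _name, _issues in [
    ("GDCA EV SSL SM2 CA", "EV SSL"),
    ("GDCA OV SSL SM2 CA", "OV SSL"),
    ("GDCA SSL SM2 CA", "IV SSL / DV SSL"),
    ("GDCA EV CodeSigning SM2 CA", "EV code signing"),
    ("GDCA CodeSigning SM2 CA", "code signing"),
    ("GDCA TimeStamp SM2 CA", "timestamp"),
    ("GDCA DocSign SM2 CA", "document signing"),
    ("GDCA Generic SM2 CA", "e-mail / equipment"),
]:
    HIERARCHY[_name] = CaEntry("GDCA GM SM2 ROOT", date(2035, 11, 23),
                               date(2032, 1, 1), _issues)


def _as_date(value: Union[date, str]) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string (as dumped from a certificate)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def chain(issuer: str) -> List[str]:
    """Walk from the issuing CA up to its root (issuer first); KeyError if unknown."""
    path: List[str] = []
    cur: Optional[str] = issuer
    while cur is not None:
        path.append(cur)
        cur = HIERARCHY[cur].parent
    return path


def audit(issuer: str, not_before: Union[date, str], not_after: Union[date, str],
          key_bits: int = 256, algorithm: str = "SM2") -> List[str]:
    """Return policy findings for a subscriber certificate; [] means consistent.

    Consistent means: the issuer is a known GDCA SM2 CA, it was still issuing
    on notBefore, the validity window does not outlive any CA in its chain,
    and the key is 256-bit SM2 as section 1.1.4 states for every CA.
    """
    if issuer not in HIERARCHY:
        return [f"unknown issuer: {issuer!r}"]
    nb, na = _as_date(not_before), _as_date(not_after)
    findings: List[str] = []
    if nb > na:
        findings.append("notBefore is later than notAfter")
    if algorithm != "SM2" or key_bits != 256:
        findings.append(f"key is {key_bits}-bit {algorithm}; policy states 256-bit SM2")
    entry = HIERARCHY[issuer]
    if entry.stop_issuing is not None and nb >= entry.stop_issuing:
        findings.append(f"{issuer} stopped issuing on {entry.stop_issuing}")
    # A subscriber certificate must not outlive its issuer or any ancestor CA.
    for ca in chain(issuer):
        ca_exp = HIERARCHY[ca].expires
        if na > ca_exp:
            findings.append(f"validity ends {na}, after {ca} expires on {ca_exp}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: one code signing certificate inside the window, and
    # one issued after the 2032-01-01 cut-off that also outlives its issuing CA.
    print(audit("GDCA CodeSigning SM2 CA", "2021-05-01", "2024-05-01"))
    print(audit("GDCA CodeSigning SM2 CA", "2032-03-01", "2036-03-01"))
```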
Pursuant to the IETF PKIX RFC 3647 CP/CPS framework, this CP is divided into nine sections covering the security controls, business rules and procedures of GDCA's certificate services. To preserve the overall outline and format of RFC 3647, a section marked "Not applicable" means that the section does not apply.
1.2. Document Name and Identification

This document is called the "Global Digital Cybersecurity Authority CO., LTD. SM2 Certificate Policy" (abbreviated as "GDCA SM2 CP" or "this CP"). For the revision history of this version, see the Appendix. This CP assigns a unique object identifier to the certificate policy of each type of certificate; see section 1.4.1 of this CP for details.

This CP is published as a Chinese-English bilingual edition. In case of any inconsistency or conflict between the Chinese and English versions, the Chinese version shall prevail for all purposes.
1.3. PKI Participants

1.3.1. Certification Authorities

A Certification Authority (CA) is an entity that issues certificates. GDCA is a trusted third-party electronic authentication service authority established in accordance with the Electronic Signature Law of the People's Republic of China and the Measures for the Administration of Electronic Certification Services. GDCA participates in electronic authentication activities by issuing digital certificates to the parties engaged in electronic transactions and by providing certificate verification services. "CA" also denotes any entity in the certificate hierarchy that issues certificates to end subscribers or to subordinate CAs; a special case is the root CA, which sits at the top of a certificate hierarchy.
1.3.2. Registration Authorities

A Registration Authority (RA) establishes the registration process on behalf of the CA, confirms the identity of certificate applicants, and approves or rejects their applications. Before a subscriber obtains a certificate, it must register for the certificate as an applicant. Applicants must complete the registration process established by the CA or RA and submit their registration information to the CA or RA. The CA or RA verifies the applicant's identity and other attributes and then decides whether to issue the certificate or reject the request. If the certificate is issued, it is sent to the applicant. An RA may also initiate revocation of a certificate at the subscriber's request, although the CA performs the final revocation and adds the certificate to the certificate revocation list (CRL).
1.3.3. Subscribers

Subscribers are the entities that receive certificates from the CA, including all individuals and organizations that accept GDCA certificates. Subscribers and applicants are often not the same; where they differ, the applicant must ensure that it has obtained explicit and appropriate authorization. Individuals are divided into natural persons and persons affiliated with an organization. Organizations include all kinds of government bodies, enterprises, institutions and other social groups; in general, an organization should have legal personality or an organization code number. For equipment certificates, because of the particular nature of the subject contained in the certificate, the subscriber is normally understood to be the organization or individual that owns the equipment, which bears the corresponding obligations.

The subscriber is the unique entity bound to the public key in the certificate and has ultimate control over the private key uniquely corresponding to that certificate. Subscribers use certificates within the scope of this CP and assume the obligations agreed in this CP.
1.3.4. Relying Parties

Relying parties are the individuals and organizations that trust and use certificates. A relying party may or may not be a certificate subscriber.

To trust or use a certificate, a relying party must verify the certificate's revocation information by querying the certificate revocation list (CRL) or checking the certificate status via OCSP. A relying party may trust a certificate only after a proper review.
1.3.5. Other Participants

Other participants are the other entities that provide related services for GDCA's electronic authentication activities.
1.4. Certificate Usage

1.4.1. Appropriate Certificate Uses

GDCA subscriber certificates can be widely used in e-government, e-commerce and other applications to achieve identity authentication, electronic signature, encryption of key data and similar purposes. They can also be used to ensure the validity and authenticity of the identities of communicating peers over the Internet, as well as the integrity and confidentiality of information.

Functionally, GDCA subscriber certificates can meet the following security needs:

Authenticity of identity: ensures the legitimacy of the identity of the certificate holder using GDCA's trust services.
Verification of integrity: when GDCA digital certificates and digital signatures are used, it can be verified whether information was tampered with in transit and whether the information sent and received is consistent.
Confidentiality: ensures the confidentiality of information between sender and receiver, so that it is not disclosed to unauthorized parties.
Non-repudiation: verifies the digital signature, which is the basis for non-repudiation of transactions by the trusting entities.

By type, the certificates issued by GDCA include SSL/TLS server certificates, code signing certificates, document signing certificates, e-mail certificates, equipment certificates and timestamp certificates. Subscribers may judge and choose the appropriate certificate type according to their actual needs; different certificates have different scopes of application.
1.4.1.1. SSL Server Certificates

SSL/TLS server certificates identify a website or web server. They may be used to prove the identity or qualifications of the website and to provide an SSL/TLS encrypted channel; they must not be used for signing or verifying transactions or payments.

The SSL server certificates issued by GDCA are of the following four kinds:

EV SSL certificates (Extended Validation SSL Certificates): extended validation server certificates.
OV SSL certificates (Organization Validation Certificates): standard SSL certificates that require verification of the real identity of the organization owning the website.
IV SSL certificates (Individual Validation SSL Certificates): standard SSL certificates that require verification of the personal identity of the website operator.
DV SSL certificates (Domain Validation SSL Certificates): basic SSL certificates that verify only ownership of the website's domain name.

Among these, EV SSL certificates are extended server certificates issued after rigorous identity validation; the validation process complies with the Extended Validation requirements published by the CA/Browser Forum. OV SSL and IV SSL certificates provide encryption of confidential website information and verification of website identity; DV SSL certificates provide only encryption of confidential website information.

SSL server certificates do not restrict the type of domain name, e.g. commercial domains such as .com or government domains such as .gov.
1.4.1.2. Code Signing Certificates

Code signing certificates identify the source or owner of software code. They may only be used for the digital signing of code of all kinds and must not be used for transactions, payments, encryption or other applications.

Subscribers of code signing certificates must undertake not to use the certificate to sign malicious software, virus code, infringing software, hacking software or the like.
1.4.1.3. Document Signing Certificates

Document signing certificates apply to scenarios where the authenticity, integrity and confidentiality of a document must be ensured. GDCA issues document signing certificates to organizations and to individuals, as OV document signing certificates and IV document signing certificates respectively. OV document signing certificates require validation of the authenticity of the organization's identity; IV document signing certificates require validation of the authenticity of the individual's identity.
1.4.1.4. E-mail Certificates

The e-mail certificates issued by GDCA include Primary E-mail certificates, IV E-mail certificates and OV E-mail certificates.

For Primary E-mail certificates, only ownership or control of the e-mail address is validated; the identity of the e-mail address owner is not validated. Such certificates ensure that e-mail cannot be read or tampered with by anyone other than the intended recipient in transit, and ensure the integrity of e-mail content.

For IV E-mail certificates, in addition to ownership or control of the e-mail address, GDCA validates the authenticity of the identity of the individual user to whom the address belongs.

For OV E-mail certificates, in addition to ownership or control of the e-mail address, GDCA validates the authenticity of the identity of the organization to which the address belongs.
1.4.1.5. Equipment Certificates

Equipment certificates are digital certificates issued to equipment, including servers, firewalls, routers and the like. They are usually used for identity authentication of networked equipment and for the secure transfer of information between devices. For example, a certificate issued to a server allows a browser to authenticate the identity of the website server and to create an SSL/TLS encrypted channel for an encrypted session between the two parties.
1.4.1.6. Timestamp Certificates

GDCA currently issues only OV timestamp certificates, mainly for timestamp servers, to provide digital signature services. OV timestamp certificates require validation of the authenticity of the applying organization's identity.
1.4.1.7. CP Object Identifiers of Certificates

This CP assigns a unique object identifier to the certificate policy of each type of certificate, as follows:

OV SSL server certificate policy: 1.2.156.112559.1.3.1.1
DV SSL server certificate policy: 1.2.156.112559.1.3.1.2
IV SSL server certificate policy: 1.2.156.112559.1.3.1.3
EV SSL server certificate policy: 1.2.156.112559.1.3.2.1
General code signing certificate policy: 1.2.156.112559.1.3.4.1
EV code signing certificate policy: 1.2.156.112559.1.3.3.1
OV document signing certificate policy: 1.2.156.112559.1.3.5.1
IV document signing certificate policy: 1.2.156.112559.1.3.5.2
OV e-mail certificate policy: 1.2.156.112559.1.3.6.1
IV e-mail certificate policy: 1.2.156.112559.1.3.6.2
Primary e-mail certificate policy: 1.2.156.112559.1.3.6.3
Equipment certificate policy: 1.2.156.112559.1.3.7.1
Timestamp certificate policy: 1.2.156.112559.1.3.8.1

1.4.2. Prohibited Certificate Uses

In general, GDCA certificates are general-purpose certificates and can interoperate among different relying parties. Nevertheless, GDCA certificates are functionally restricted: for example, an individual certificate can only be used in applications for individual users and cannot be used as a server or organization certificate. A certificate used in a manner inconsistent with its application type shall not be deemed trusted under this CP.

Certificates are not designed for, not intended for, and not authorized for use in control equipment in hazardous environments or in applications that require fail-safe performance, such as the operation of nuclear facilities, navigation or communication systems of spacecraft, air traffic control systems or weapons control systems, where any failure could lead to death, personal injury or severe environmental damage.

Certificates are prohibited from being used in any circumstance that violates national laws or regulations or endangers national security, and from being used in any criminal activity or in business prohibited by law; the legal consequences arising from such use are borne by the user.
1.5. Policy Administration

1.5.1. Organization Administering the Document

The GDCA Security Policy Committee is the highest management authority for all policies of GDCA's electronic certification services and is responsible for establishing, maintaining and interpreting this CP. It is the highest authority for the review and approval of electronic certification services and the highest decision-making body for the inspection and supervision of the CP.

The GDCA Security Policy Committee is the document management authority responsible for establishing, publishing and updating this CP. It consists of appropriate representatives with decision-making power from GDCA's management, administrative center, marketing center, technology center, customer service center and other departments.

Every member of the GDCA Security Policy Committee has one vote when managing and approving certificate policy; in the case of a tie, the chairman of the committee may cast a deciding second vote.

Routine work such as external consultation on this policy document is handled by the administrative department.
1.5.2. Contact Person

1.5.2.1. Certificate Problem Report

Certificate problem reports and certificate revocation requests shall be submitted through the following channel, and certificate revocation requests must be submitted in writing:

E-mail to: capoc@gdca.com.cn

1.5.2.2. CPS Related Issues

Contact Department: GDCA Administrative Department
Contact: Ms. Wang
E-mail: gdca@gdca.com.cn
Tel: +86 20-83487228
Fax: +86 20-83486610
Address: 23F, 成悦大厦, 448 Dongfeng Zhong Road, Yuexiu District, Guangzhou, Guangdong, the People's Republic of China
Postal Code: 510030
1.5.3. Committees Determining CP Suitability for the Policy

This CP, including its revisions and version changes, is approved by the GDCA Security Policy Committee.

The GDCA Security Policy Committee is responsible for assessing whether GDCA's CPS conforms to this CP, and is the body that approves and decides whether GDCA's CPS is consistent with this CP.
1.5.4. CP Approval Procedures

This CP is drafted by personnel organized by the chairman of the GDCA Security Policy Committee and is submitted to the GDCA Security Policy Committee for review and approval.
1.5.5. CP Revision

GDCA applies strict version control to this CP, and the Security Policy Committee is responsible for related matters. GDCA revises this CP in a timely manner in response to changes in national policies and regulations, technical requirements, standards and business development. The CP drafting team prepares revision proposals according to the relevant circumstances and submits them to the GDCA Security Policy Committee for review; after approval by the committee, the revised CP is formally published on GDCA's official website.

This CP is revised at least once a year. Even if no content changes are made, GDCA increments the version number and updates the release date, effective date and revision records.
1.6. Definitions and Acronyms

1.6.1. List of Term Definitions

Term: Definition

GDCA Security Policy Committee: The highest policy management and supervisory body within the GDCA certification services system, and the body that determines conformity with the CP.

Certification Authority: An organization that is responsible for the creation, issuance, revocation and management of certificates. The term applies equally to both Root CAs and Subordinate CAs.

Registration Authority: A Registration Authority (RA) is responsible for processing service requests from certificate applicants and certificate subscribers and submitting them to the certification authority; it is the entity that establishes the registration process for end certificate applicants. The RA is also responsible for identifying and authenticating certificate applicants, initiating or forwarding certificate revocation requests, and approving certificate renewal or re-key requests on behalf of the certification authority.

Certificate: An electronic document that uses a digital signature to bind a public key to an identity.

Certificate Revocation List: A regularly updated, time-stamped list of revoked certificates that is created and digitally signed by the CA that issued the certificates.

Certification Practice Statement: One of several documents forming the governance framework in which certificates are created, issued, managed and used.

Domain Name: The label assigned to a node in the Domain Name System.

Fully Qualified Domain Name: A domain name that includes the labels of all superior nodes in the Internet Domain Name System.

Online Certificate Status Protocol: An online certificate-checking protocol that enables relying-party application software to determine the status of an identified certificate.

Private Key: The key of a key pair that is kept secret by the holder of the key pair, and that is used to create digital signatures and/or to decrypt electronic records or files that were encrypted with the corresponding public key.

Public Key: The key of a key pair that may be publicly disclosed by the holder of the corresponding private key and that is used by a relying party to verify digital signatures created with the holder's corresponding private key and/or to encrypt messages so that they can be decrypted only with the holder's corresponding private key.

Public Key Infrastructure: A set of hardware, software, people, procedures, rules, policies and obligations used to facilitate the trustworthy creation, issuance, management and use of certificates and keys based on public key cryptography.

Publicly Trusted Certificate: A certificate that is trusted by virtue of the fact that its corresponding root certificate is distributed as a trust anchor in widely available application software.

Qualified Auditor: A natural person or legal entity that meets the requirements of section 8.3 of this CP.

Relying Party: Any natural person or legal entity that relies on a valid certificate.

Subscriber: A natural person or legal entity to whom a certificate is issued and who is legally bound by a subscriber agreement or terms of use.

Subscriber Agreement: An agreement between the CA and the Applicant/Subscriber that specifies the rights and responsibilities of the parties.

WebTrust: The current version of CPA Canada's WebTrust Program for Certification Authorities.

1.6.2. List of Abbreviations and their Meaning

CA: Certification/Certificate Authority
CAA: Certification Authority Authorization
CP: Certificate Policy
CPS: Certification Practice Statement
CRL: Certificate Revocation List
CSR: Certificate Signing Request
DBA: Doing Business As (trade name)
DNS: Domain Name System
EV: Extended Validation
FIPS: (US Government) Federal Information Processing Standard
FQDN: Fully Qualified Domain Name
GDCA: Global Digital Cybersecurity Authority CO., LTD. (数安时代科技股份有限公司)
gTLD: Generic Top-Level Domain
IANA: Internet Assigned Numbers Authority
ICANN: Internet Corporation for Assigned Names and Numbers
ISO: International Organization for Standardization
KM: Key Management
LDAP: Lightweight Directory Access Protocol
LRA: Local Registration Authority
OCSP: Online Certificate Status Protocol
SCA: State Cryptography Administration
PIN: Personal Identification Number
PKCS: Public Key Cryptography Standards
PKI: Public Key Infrastructure
RA: Registration Authority
RFC: Request For Comments
SSL: Secure Sockets Layer
TLS: Transport Layer Security
2. Publication and Repository Responsibilities

2.1. Repositories

The GDCA repository is a publicly accessible repository that stores and retrieves certificates and certificate-related information. Its contents include, but are not limited to, current and historical versions of the CP and CPS, certificates, CRLs, subscriber agreements, and other information published by GDCA when necessary. GDCA publishes certificates, CP and CPS revisions and other materials in a timely manner, consistent with the CPS and the relevant laws and regulations. The GDCA repository can be accessed at https://www.gdca.com.cn or through any other communication method designated by GDCA from time to time.
2.2. Publication of Information

GDCA publishes its repository on its official website, https://www.gdca.com.cn, which is the primary, most prompt and most authoritative channel for publishing all information about GDCA.

GDCA publishes subscriber certificates and CRLs through a directory server (LDAP); subscribers and relying parties can obtain certificate information and the certificate revocation list through GDCA's official website. GDCA also provides an online certificate status (OCSP) service through which subscribers and relying parties can query the status of a certificate in real time.

GDCA may also release information in other possible forms as needed.
2.3. Time or Frequency of Publication

When a subscriber certificate is issued or revoked, GDCA automatically publishes the certificate and the CRL through its official website. For subscriber certificates issued by the subordinate CAs of ROOTCA (SM2), the CRL publication interval is 8 hours and the CRL validity period is at most 24 hours. For subscriber certificates issued by the subordinate CAs of GDCA GM SM2 ROOT, the CRL publication interval is 24 hours and the CRL validity period is at most 48 hours. In an emergency, GDCA may determine the publication time of certificates and CRLs at its own discretion. GDCA publishes the CA certificate revocation list (ARL) of its certification authorities once a year.

The time and frequency of publication of other repository contents are determined independently by GDCA; such publication shall be timely and efficient and shall comply with the requirements of national law.
2.4. Access Controls on Repositories

The information in the GDCA repository is published openly; anyone can read it, and read-only access to this information is not restricted. Through network security protection, secure system design and security management procedures, GDCA ensures that only authorized personnel can add, delete, modify or publish repository contents.
3. Identification and Authentication

3.1. Naming

3.1.1. Type of Names

Digital certificates issued by GDCA conform to the X.509 standard, and the subject distinguished name (DN) assigned to the certificate holder follows X.500 naming.

For SSL/TLS server certificates, all domain names or IP addresses are added to the Subject Alternative Name extension, and the subject common name is the primary domain name, which must be one of the FQDNs or IP addresses present in the Subject Alternative Name.
3.1.2. Need for Names to be Meaningful

The names contained in subscriber certificates must be meaningful and representative, so that the identity of the individual, organization or equipment in the certificate subject can be determined.
3.1.3. Anonymity or Pseudonymity of Subscribers

Subscribers may not apply for certificates anonymously or under a pseudonym, and anonymous names or pseudonyms may not be used in certificates.
3.1.4. Rules for Interpreting Various Name Forms

Names are interpreted according to the X.500 distinguished name rules.
3.1.5. Uniqueness of Names

GDCA shall ensure that the subject DN of a certificate issued to a subscriber is unique within the GDCA trust domain. When the same name is requested by different subscribers, the earlier applicant has priority in using it.
3.1.6. Recognition, Authentication, and Role of Trademarks

The subject DN of certificates issued by GDCA does not contain trademark names.
3.2. Initial Identity Validation

3.2.1. Method to Prove Possession of Private Key

Certificate applicants must prove that they hold the private key corresponding to the public key being registered. Acceptable methods include a digital signature contained in the certificate request message (PKCS#10), other equivalent key-identification methods, or other methods of proof required by GDCA.
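The proof-of-possession check of section 3.2.1 together with the CN/SAN rule of section 3.1.1, as an added Go example that is not GDCA's code: the RA verifies the PKCS#10 self-signature before trusting the public key in the request, then checks that a server request's common name appears among its SAN entries. Assumptions: P-256 stands in for SM2 (which the Go standard library does not implement), and the names and the signature-tampering helper are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net"
	"strings"
)

// NewCSR generates a key pair and a PKCS#10 request naming the given CN and
// SANs, as a subscriber's software would. P-256 is used in place of SM2
// (assumption: the Go standard library has no SM2 implementation).
func NewCSR(commonName string, dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: commonName},
		DNSNames:    dnsNames,
		IPAddresses: ips,
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// TamperSignature returns a copy of the request with its last signature byte
// flipped (constructed negative case: a request whose signature was not made
// by the holder of the embedded public key).
func TamperSignature(csrDER []byte) []byte {
	out := append([]byte(nil), csrDER...)
	out[len(out)-1] ^= 0xff
	return out
}

// CheckProofOfPossession is the RA-side check of section 3.2.1: the request
// signature must verify under the public key carried in the same request,
// which shows the applicant holds the matching private key.
func CheckProofOfPossession(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS#10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// CheckServerNames applies section 3.1.1 to a TLS server request: the common
// name must be one of the FQDNs or IP addresses listed in the SAN extension.
func CheckServerNames(csr *x509.CertificateRequest) error {
	cn := strings.ToLower(strings.TrimSuffix(csr.Subject.CommonName, "."))
	if cn == "" {
		return errors.New("empty common name")
	}
	if len(csr.DNSNames)+len(csr.IPAddresses) == 0 {
		return errors.New("server certificate request has no SAN entries")
	}
	for _, name := range csr.DNSNames {
		if strings.ToLower(strings.TrimSuffix(name, ".")) == cn {
			return nil
		}
	}
	if ip := net.ParseIP(cn); ip != nil {
		for _, sanIP := range csr.IPAddresses {
			if sanIP.Equal(ip) {
				return nil
			}
		}
	}
	return fmt.Errorf("common name %q is not among the SAN entries", csr.Subject.CommonName)
}

func main() {
	der, err := NewCSR("www.example.com", []string{"www.example.com", "example.com"}, nil)
	if err != nil {
		panic(err)
	}
	csr, err := CheckProofOfPossession(der)
	if err != nil {
		panic(err)
	}
	fmt.Println("PoP ok, name check:", CheckServerNames(csr)) // PoP ok, name check: <nil>
	_, err = CheckProofOfPossession(TamperSignature(der))
	fmt.Println("tampered request:", err) // tampered request: proof of possession failed: ...
}
```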
3.2.2. Authentication of Individual Identity

Authentication of individual identity includes the following:

1) Confirming the authenticity and validity of the applicant's identity. This must be done by obtaining at least one currently valid government-issued photo identification document (such as a resident ID card, passport, military officer's ID or an equivalent document). GDCA inspects the document for any sign of alteration or forgery and, where necessary, cross-checks the applicant's identity against the authoritative third-party database that issues such identification documents.

2) Confirming the identity and application information with the individual applicant by voice call, video, e-mail or similar means, to verify the authenticity of the certificate application.

3) Confirming the applicant's address (if the certificate subject contains an address). GDCA may verify the applicant's address using a utility bill, bank statement, credit card statement or similar, or rely directly on the address on the government-issued identification document.

4) When the application information contains organization information, confirming that the organization exists and that the applicant is a member of it, for example by requiring a certificate of employment, querying a third-party database, telephone confirmation or sending a confirmation e-mail.

5) When a domain name, equipment name or e-mail address is requested as certificate subject content, verifying that the individual applicant owns or controls that domain name, equipment or e-mail address.

If deemed necessary, GDCA may also verify the individual applicant's identity using information obtained from third parties. If GDCA cannot obtain all the required information from a third party, it may commission a third party to conduct an investigation, or require the applicant to provide additional information and supporting material.

In addition, where necessary, GDCA may stipulate other required authentication methods and materials.

The applicant is obliged to ensure that the application materials are authentic and valid, and bears the corresponding legal responsibility.
3.2.3. Authentication of Organization Identity

Any organization (government agency, enterprise, public institution, etc.) that applies in its own name for an organization certificate, equipment certificate or any other type of certificate shall be strictly authenticated, including the following:

1. Confirming that the organization is a real, legally existing entity. This may be done by means of valid documents issued by a government agency, including but not limited to a business license or organization code certificate, or by confirmation through the authoritative third-party database that issues such documents.

2. Checking that the key information in the certificate application matches the valid documents or the third-party database records, to avoid errors in the submitted information; the registered information is nevertheless subject to final confirmation by the applicant.

3. Confirming the authenticity of the organization's information, whether the applicant has sufficient authorization, and any other information requiring verification, by telephone, postal mail, the required supporting documents or other similar means.

4. Subscribers may submit valid government-issued documents face to face, by postal mail or by similar means.

5. Confirming that the representative handling the application has sufficient authorization, by means of an authorization document from the organization delegating the certificate application to the representative, together with the original or a copy of the representative's valid identification document.

In addition, where necessary, GDCA may stipulate other required authentication methods and materials.
3.2.4. Authentication of Equipment Identity

Authentication of equipment identity varies according to the owner of the equipment. GDCA must authenticate the identity of the subscriber, including the following:

The identity of the equipment owner is authenticated according to the owner's type: if the subscriber is an individual, authentication follows the individual certificate process in section 3.2.2 of this CP; if the subscriber is an organization, authentication follows the organization certificate process in section 3.2.3 of this CP.

When an equipment name is requested as certificate subject content, GDCA must also verify that the applicant has the right to use that name. This may be confirmed by a certificate of ownership, or by a written commitment from the organization regarding its ownership or right of use of the equipment, bearing the organization's official seal.

If deemed necessary, GDCA may also verify the applicant's identity using information obtained from third parties. If GDCA cannot obtain all the required information from a third party, it may commission a third party to conduct an investigation, or require the applicant to provide additional information and supporting material.

In addition, where necessary, GDCA may stipulate other required authentication methods and materials.
3.2.5. Authentication of SSL Server Identity

Different authentication methods are performed depending on the type of SSL certificate applied for; the validation methods for the different types of SSL certificate must be disclosed in the GDCA SM2 Certification Practice Statement.

3.2.6. Authentication of Code Signing Identity

For general code signing certificates, authentication of identity depends on the owner of the code: if the subscriber is an organization, GDCA follows the organization certificate authentication process in section 3.2.3 of this CP; if the subscriber is an individual, GDCA follows the individual certificate authentication process in section 3.2.2 of this CP. EV code signing certificates are issued only to organizations, and their identity authentication process must be disclosed in the GDCA SM2 Certification Practice Statement.

Subscribers applying for a code signing certificate, whether organizations or individuals, must make a statement of the intended scope of use of the certificate and provide supporting documents, and must undertake not to use the certificate to sign malicious software, virus code, infringing software, hacking software or the like.
3.2.7. Authentication of Document Signing Certificate Identity

Different validation is performed depending on the type of document signing certificate issued: for IV document signing certificate subscribers, GDCA validates the identity of the individual in accordance with section 3.2.2 of this CP; for OV document signing certificate subscribers, GDCA validates the identity of the organization in accordance with section 3.2.3 of this CP.
3.2.8. Authentication of E-mail Certificate Identity

Different validation is performed depending on the type of e-mail certificate issued. For Primary E-mail certificate subscribers, GDCA sends a random value to the requested e-mail address and, upon receiving a confirming response that uses the random value, validates the applicant's ownership or control of the e-mail address. For IV E-mail certificate subscribers, in addition to the validation procedure for Primary E-mail certificates, GDCA validates the identity of the individual in accordance with section 3.2.2 of this CP. For OV E-mail certificate subscribers, in addition to the validation procedure for Primary E-mail certificates, GDCA validates the identity of the organization in accordance with section 3.2.3 of this CP.
3.2.9. Authentication of Timestamp Identity

Identity for timestamp certificates is authenticated in accordance with section 3.2.3 of this CP.
3.
2.
10.
域名的确认和鉴别DomainnamerecognitionandValidation对于域名的验证,被验证的实体还可以是申请者的母公司,子公司或附属机构,GDCA可采用以下鉴别方式中的一种:1.
通过该域名注册服务机构或权威第三方数据库中查询到的该域名持有者登记的电子邮件,通过邮件的方式发送随机值,并收到使用该随机值的确认回复,确认其对域名的所有权或控制权.
鉴别方式遵循BaselineRequirmentsv1.
7.
0第3.
2.
2.
4.
2节.
2.
向域名联系人发送构建邮件,通过将一封包含随机值的邮件发送给由'admin','administrator','webmaster','hostmaster'或'postmaster'作为前缀加上符号@,以授权域名为尾缀的邮箱,并收到使用该随机值的确认回复,确认其对域名的所有权或控制权.
鉴别方式遵循BaselineRequirmentsv1.
7.
0第3.
2.
2.
4.
4节.
3.
在包含FQDN(完全限定域名)的URI(统一资源标识符)的在线网页上对约定的信息进行改动,通过此方式以确认申请者对FQDN的实际控制权.
鉴别方式遵循BaselineRequirmentsv1.
7.
0第3.
2.
2.
4.
6节.
【该方法已于2020年6月3日起被禁止使用,因此GDCA不再使用该方法】GDCASM2证书策略(V1.
0版)394.
通过确认申请域名在DNSCNAME、TXT或CAA记录中的任意值或请求令牌的存在来确认申请人对FQDN(完全限定域名)的控制.
鉴别方式遵循BaselineRequirmentsv1.
7.
0第3.
2.
2.
4.
7节.
5.
通过确认请求值或随机值出现于某个文件的内容中(例如,某个请求值或随机值不出现于用于收取该文件的请求中,并收从请求中收到成功的HTTP2xx状态代码回复),以确认申请者对FQDN的实际控制权.
该鉴别方式遵循BaselineRequirmentsv1.
7.
0第3.
2.
2.
4.
18节.
Forthepurposeofdomainnamevalidation,entitiestobevalidatedmayalsobetheapplicant'sparentcompany,subsidiarycompany,oraffiliate.
GDCAmayuseoneofthefollowingwaysforthevalidationofdomainnames:1.
Obtainthee-mailaddressofthedomainnameownerlistedbythedomainnameregistrarorotherauthoritativethirdpartydatabase,andcontacttheownerbysendingaRandomValueviaemail,andthenreceivingaconfirmingresponseutilizingtheRandomValuetoconfirmitsownershipandcontrolofthedomainname;Thiswayofvalidationconformstosection3.
2.
2.
4.
2oftheBaselineRequirementsv1.
7.
0.
2.
Sendinganconstructedemailtodomaincontacttoconfirmtheownershipandcontrolofthedomainname,bysendinganemailincludingaRandomValuetooneormoreaddressescreatedbyusing'admin','administrator','webmaster','hostmaster',or'postmaster'asthelocalpart,followedbytheat-sign("@"),followedbyanauthorizedDomainName,andreceivingaconfirmingresponseutilizingtheRandomValue.
Thiswayofvalidationconformstosection3.
2.
2.
4.
4oftheBaselineRequirementsv1.
7.
0.
3.
Bymakingachangetotheagreed-uponinformationfoundonanonlineWebpageidentifiedbyauniformresourceidentifiercontainingtheFQDN,toconfirmtheapplicant'spracticalcontrolovertheFQDN.
Thiswayofvalidationconformstosection3.
2.
2.
4.
6oftheBaselineRequirementsv1.
7.
0.
[Thismethodisnolongerusedbecauseitisdeprecatedasof3June2020].
4.
ByconfirmingthepresenceofaRandomValueorRequestTokeninaDNSCNAME,TXT,orCAArecordtoconfirmtheapplicant'spracticalcontrolovertheFQDN.
Thiswayofvalidationconformstosection3.
2.
2.
4.
7oftheBaselineRequirementsv1.
7.
0.
5.
Confirmingtheapplicant'scontrolovertheFQDNbyverifyingthattheRequestTokenorRandomValueiscontainedinthecontentsofafile(suchasaRequestToken,RandomNumberthatdoesnotappearintherequestusedtoretrievethefileandreceiptofasuccessfulHTTP2xxstatuscoderesponsefromtherequest).
Thiswayofvalidationconformstosection3.
2.
2.
4.
18oftheBaselineRequirementsv1.
7.
0.
For the validation of a wildcard domain name, GDCA verifies the domain name to the right of the wildcard (*) to ensure that it was obtained through registration and is explicitly owned or controlled by a business entity, a social organization, a government authority or a similar organization. GDCA rejects any certificate request in which the domain name to the right of the wildcard (*) is a gTLD, a public suffix, or a registry-controlled domain name, unless the applicant proves its rightful control of the entire domain namespace. If necessary, GDCA may also perform an independent investigation to confirm the ownership of the domain name; the applicant shall not refuse such a request when corresponding assistance is needed from GDCA.
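As an added example (not GDCA's own code), a checker that applies the wildcard rule above to a requested name: it rejects a wildcard whose right-hand side is a TLD or public suffix and accepts only a registered domain, or a subdomain of one, below a public suffix. The public-suffix entries it uses are a constructed excerpt; a real check would load the full Public Suffix List.

```python
from typing import FrozenSet, Tuple

# Constructed excerpt of public suffixes (assumption: not GDCA's data source).
PUBLIC_SUFFIXES: FrozenSet[str] = frozenset({
    "cn", "com.cn", "edu.cn", "com", "net", "org", "uk", "co.uk",
})


def split_labels(name: str) -> Tuple[str, ...]:
    """Lower-case a DNS name, drop a trailing dot and split it into labels."""
    name = name.strip().lower().rstrip(".")
    return tuple(name.split(".")) if name else ()


def public_suffix(name: str, suffixes: FrozenSet[str] = PUBLIC_SUFFIXES) -> str:
    """Longest listed suffix matching the end of `name`; an unlisted TLD counts
    as a public suffix on its own (the Public Suffix List's default rule)."""
    labels = split_labels(name)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return labels[-1] if labels else ""


def check_wildcard_name(name: str, suffixes: FrozenSet[str] = PUBLIC_SUFFIXES) -> Tuple[bool, str]:
    """Apply the CP's wildcard rule to a requested dNSName.

    Accepted only when the single '*' is the entire leftmost label and the name to
    its right is a registered domain (or a subdomain of one), i.e. it has at least
    one label below its public suffix. The CP's exception for an applicant who
    proves control of a whole namespace is a manual decision and is not modelled.
    """
    labels = split_labels(name)
    if not labels:
        return False, "empty name"
    if "*" not in name:
        return False, "not a wildcard name"
    if name.count("*") != 1 or labels[0] != "*":
        return False, "the wildcard must appear once, as the entire leftmost label"
    right = labels[1:]
    if not right:
        return False, "nothing to the right of the wildcard"
    right_name = ".".join(right)
    suffix = public_suffix(right_name, suffixes)
    # A TLD or public suffix to the right of '*' ("*.com", "*.com.cn", "*.co.uk") is rejected.
    if len(right) <= len(suffix.split(".")):
        return False, f"'{right_name}' is a TLD or public suffix"
    return True, f"'{right_name}' is a registered domain under public suffix '{suffix}'"
```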
3.2.11. Verification of DBA/Tradename
If the subject identity information is to include a DBA or tradename, GDCA verifies that the applicant has the right to use the DBA/tradename using at least one of the following:
1. Documentation provided by, or communication with, a government agency in the jurisdiction of the applicant's legal creation, existence, or recognition;
2. A reliable data source;
3. Communication with a government agency responsible for the management of such DBAs or tradenames;
4. An attestation letter accompanied by documentary support; or
5. A utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that GDCA determines to be reliable.
3.2.12. Verification of Country
If the "countryName" field is present in the subject, GDCA verifies the country associated with the subject by checking, in an authoritative third-party database, the IP address shown in the website's DNS record or the applicant's IP address, to ensure that the country of the applicant's IP address is consistent with the country where the applicant is actually located.
3.2.13. Authentication of an IP Address
GDCA adopts the following way of authentication to confirm that the applicant owns or practically controls the IP address:
1. By making a change to the agreed-upon information found on an online Web page identified by a uniform resource identifier containing the IP address, to confirm the applicant's practical control over the IP address. This way of validation conforms to section 3.2.2.5.1 of the Baseline Requirements v1.6.6.
GDCA must not issue EV SSL certificates for an IP address.
3.2.14. Data Source Accuracy
Prior to using any data source as a reliable data source, GDCA evaluates the source for its reliability, accuracy, and resistance to alteration or falsification, and considers the following during its evaluation:
1. The age of the information provided;
2. The frequency of updates to the information source;
3. The data provider and the purpose of the data collection;
4. The public availability and accessibility of the data; and
5. The relative difficulty in falsifying or altering the data.
GDCA may use the documents and data to verify certificate information, provided that it obtained the data or document no more than thirteen months prior to issuing the certificate. For SSL certificates, GDCA may use the documents and data to verify certificate information, provided that it obtained the data or document no more than 825 days prior to issuing the certificate. For non-SSL certificates, GDCA may use the documents and data to verify certificate information, provided that it obtained the data or document within the maximum certificate validity period stipulated in this CP prior to issuing the certificate.
3.2.15. Non-Verified Subscriber Information
The information contained in the certificate must be validated; information that has not been validated shall not be written into the certificate.
3.2.16. Validation of Authority
When the representative of an organizational subscriber applies for a certificate, GDCA performs the following verification:
1. Confirming the existence of the organization through a third-party identity verification service or database, documents issued by a competent government department, or similar means;
2. Using an organizational authorization document, telephone, postal letter with return receipt, employment proof document, or any equivalent way to confirm that the person belongs to the above organization and that his/her representative actions are authorized by the organization.
GDCA should allow an applicant to specify the individuals who may request certificates. If an applicant specifies, in writing, the individuals who may request a certificate, then GDCA shall not accept any certificate requests that are outside this specification. GDCA should provide an applicant with a list of its authorized certificate requesters upon the applicant's verified written request.
3.2.17. Criteria for Interoperation
Other certification authorities may interoperate with GDCA, provided that their CPS complies with the requirements of GDCA's CP and they sign the corresponding agreement with GDCA. In accordance with the agreement, GDCA accepts information authenticated by such non-GDCA issuing authorities and issues the corresponding certificates. If national laws and regulations contain provisions on the interoperation of certificate issuance, GDCA will strictly comply with them. To date, GDCA has not issued any cross certificates.
3.3. Identification and Authentication for Rekey Requests
Before the certificate rekey operation described in section 4.7 of this CP, GDCA shall authenticate the rekey request to confirm that it comes from the original certificate key owner.
3.3.1. Identification and Authentication for Routine Rekey
For routine rekey, the subscriber can apply via the GDCA certificate service website. The system automatically retrieves the subscriber's original certificate information, such as the DN and the certificate serial number, to form the rekey application, and GDCA's certification system authenticates the identity behind the rekey application. The subscriber can also apply for rekey at a GDCA registration authority; the RA must authenticate the valid documents of the subscriber and the agent.
Rekey makes files or data encrypted with the original key pair impossible to decrypt. Therefore, before applying for rekey, the subscriber must make sure that documents or data encrypted with the original key pair have been decrypted. GDCA shall not assume any responsibility for losses caused by such failures of decryption.
3.3.2. Identification and Authentication for Rekey After Revocation
Rekey or renewal after revocation is not permitted.
3.4. Identification and Authentication for Revocation Request
Revocation requests can be made by the subscriber, GDCA or an RA. When GDCA or an RA revokes a subscriber certificate for the reasons stated in section 4.9.1.1 of this CP, it has the right to revoke the certificate in accordance with the law, and no authentication is required in this case. Revocation requests of GDCA or an RA must be approved by its management or supervision authority before being carried out. If the subscriber requests revocation, identity authentication is performed as described in section 3.2 of this CP. If the revocation request comes from a judicial authority acting by law, the CA or RA will use the judicial authority's written revocation request document as authentication evidence and will not use any other method of authentication.
4. Certificate Life Cycle Operational Requirements
4.1. Certificate Application
4.1.1. Who Can Submit a Certificate Application
Certificate applicants may be individuals and organizations with independent legal personality (such as administrative organs, public institutions, social organizations, people's organizations and other organizations).
4.1.2. Enrollment Process and Responsibilities
1. Registration Process
The applicant sends the certificate request to the RA. The RA verifies and signs the request, then sends it to the CA. The CA validates the RA's signature after receiving the request and issues the end-user subscriber certificate. Throughout the registration process, measures must be taken to ensure that:
- the RA verifies the application information and the identity of the applicant;
- the RA ensures the security, confidentiality and integrity of the information transmitted when sending the certificate request to the CA.
2. Responsibilities
- GDCA and the registration authority have the responsibility to inform subscribers about the usage conditions of digital certificates and electronic signatures;
- GDCA and the registration authority have the responsibility to inform subscribers about the service charging items and standards;
- GDCA and the registration authority have the responsibility to inform subscribers about the rights and responsibilities of preserving and using subscriber information;
- GDCA and the registration authority have the responsibility to inform subscribers about the scope of GDCA's responsibility;
- GDCA and the registration authority have the responsibility to inform subscribers about the scope of the subscriber's responsibility;
- the subscriber should learn in advance about the matters stipulated in the subscriber agreement, the CP and the CPS, particularly those relating to certificate usage, rights, obligations and warranties;
- the subscriber has the responsibility to provide accurate information in its certificate application;
- the registration authority shall check the consistency between the certificate application information and the identification materials provided by the subscriber, and bears the corresponding responsibility of review.
4.2. Certificate Application Processing
4.2.1. Performing Identification and Authentication Functions
After GDCA or its registration authorities receive the subscriber's certificate application, they perform identification and authentication of the subscriber according to the requirements of section 3.2 of this CP. Prior to issuing a certificate, GDCA confirms whether or not to re-use previously validated information according to the rules of section 3.2.14 of this CP.
4.2.2. Approval or Rejection of Certificate Applications
GDCA and the RA approve or reject applications on the basis of authentication. If an application is rejected, the applicant should be notified by appropriate means within a reasonable time.
4.2.2.1. Approval of Certificate Applications
The RA may approve a certificate application if the following conditions are met:
1. The application completely meets the requirements of section 3.2 of this CP regarding the identification and authentication of the subscriber's identity;
2. The applicant accepts or has no objection to the content and requirements of the subscriber agreement;
3. The applicant has paid the corresponding fees in accordance with the provisions.
4.2.2.2. Rejection of Certificate Applications
The RA shall reject a certificate application in any of the following situations:
1. The application does not meet the requirements of section 3.2 of this CP regarding the identification and authentication of the subscriber's identity;
2. The applicant cannot provide the required identity documents;
3. The applicant objects to or cannot accept the relevant content and requirements of the subscriber agreement;
4. The applicant has not paid or cannot pay the corresponding fees;
5. The requested certificate contains a new gTLD under consideration by ICANN (The Internet Corporation for Assigned Names and Numbers);
6. GDCA or the RA considers that approving the application would bring controversies, legal disputes or losses to GDCA.
If an application is explicitly prohibited by laws and regulations, or GDCA considers that approving it carries high risk, GDCA shall reject it. GDCA establishes and maintains a list of high-risk certificate applicants based on lists published by anti-phishing alliances, antivirus vendors or related alliances, government agencies responsible for network security affairs and other third parties, on information disclosed in public media reports, and on certificate requests previously rejected or certificates previously revoked by GDCA due to suspected phishing or other fraudulent use or concerns. GDCA queries this list when accepting certificate applications and directly rejects applications from applicants who appear on it. For rejected certificate applications, GDCA notifies the applicant that the application has failed.
4.2.3. Time to Process Certificate Applications
GDCA's Certification Practice Statement (CPS) shall specify a reasonable processing period for certificate applications. GDCA and the RA shall process certificate applications, whether approving or rejecting them, within the period specified by the CPS. The period is generally 2 working days.
4.2.4. Certification Authority Authorization (CAA)
For the SSL/TLS certificates it issues, GDCA checks the CAA records for each dNSName in the subjectAltName extension of the certificate to be issued and follows the processing instructions found. GDCA processes the "issue", "issuewild" and "iodef" property tags according to RFC 6844 as amended by Errata 5065: if the "issue" or "issuewild" property tags do not contain "gdca.com.cn", GDCA does not issue the corresponding certificate; if the "iodef" property tag is present in the CAA records, GDCA decides whether or not to issue the certificate after communicating with the applicant. GDCA treats a CAA record lookup failure as permission to issue certificates if: 1) the failure is outside GDCA's infrastructure; 2) the lookup has been retried at least once; and 3) the domain's zone does not have a DNSSEC validation chain to the ICANN root.
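As an added example (not GDCA's own implementation), the following Python evaluates the section 4.2.4 rules for one dNSName against a simulated resolver: the RFC 6844 climb to the relevant CAA RRset, issue versus issuewild for wildcard names, the iodef case, unknown critical properties, and the three lookup-failure conditions. The resolver, the zone data and the names in it are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CA_IDENTIFIER = "gdca.com.cn"  # issuer domain the CP requires in issue/issuewild


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) is the RFC 6844 "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef" or an unknown tag
    value: str   # e.g. "gdca.com.cn", "gdca.com.cn; account=42", ";" (no CA at all)


class LookupFailure(Exception):
    """Simulated resolver could not complete a CAA query (SERVFAIL, timeout)."""


@dataclass
class FakeResolver:
    """Constructed stand-in for DNS (assumption, not GDCA's resolver).
    zones: name -> CAA RRset ([] or absent = no CAA records at that name).
    failing: name -> number of consecutive queries that fail before one succeeds."""
    zones: Dict[str, List[CAARecord]]
    dnssec_signed: Dict[str, bool] = field(default_factory=dict)
    failing: Dict[str, int] = field(default_factory=dict)

    def caa(self, name: str) -> List[CAARecord]:
        if self.failing.get(name, 0) > 0:
            self.failing[name] -= 1
            raise LookupFailure(name)
        return self.zones.get(name, [])

    def has_dnssec_chain(self, name: str) -> bool:
        return self.dnssec_signed.get(name, False)


def relevant_rrset(resolver: FakeResolver, fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 s.4 (as amended by Errata 5065): the relevant RRset is the CAA RRset
    of the closest ancestor-or-self that has one; for a wildcard name the search
    starts at the parent of the '*' label. Returns (name where found, records)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = resolver.caa(name)  # may raise LookupFailure
        if rrset:
            return name, rrset
    return None, []


def caa_permits(resolver: FakeResolver, fqdn: str, retries: int = 1,
                failure_outside_infra: bool = True) -> Tuple[bool, str]:
    """Apply section 4.2.4 to one dNSName. Returns (permitted, reason); a reason that
    starts with 'iodef:' means issuance is allowed only after contacting the applicant."""
    wildcard = fqdn.startswith("*.")
    attempts = 0
    while True:  # lookup with at least one retry, as the lookup-failure rule requires
        try:
            name, rrset = relevant_rrset(resolver, fqdn)
            break
        except LookupFailure as exc:
            attempts += 1
            if attempts <= retries:
                continue
            failed = str(exc)
            if failure_outside_infra and not resolver.has_dnssec_chain(failed):
                return True, f"{failed}: lookup failed {attempts} times, no DNSSEC chain: treated as permission"
            return False, f"{failed}: lookup failed and the failure may not be treated as permission"
    if not rrset:
        return True, "no CAA records at the name or any ancestor: issuance permitted"
    known = {"issue", "issuewild", "iodef"}
    for rec in rrset:  # RFC 6844 s.5.1: an unknown property marked critical blocks issuance
        if rec.flags & 0x80 and rec.tag.lower() not in known:
            return False, f"unknown critical property '{rec.tag}' at {name}: must not issue"
    by_tag = {t: [r for r in rrset if r.tag.lower() == t] for t in known}
    # issuewild governs wildcard names when present; otherwise issue applies to both kinds.
    tag = "issuewild" if wildcard and by_tag["issuewild"] else "issue"
    if by_tag[tag]:
        issuers = {r.value.split(";", 1)[0].strip().lower() for r in by_tag[tag]}
        if CA_IDENTIFIER not in issuers:  # an "issue ;" record yields the empty issuer
            return False, f"'{CA_IDENTIFIER}' not listed in {tag} at {name}: must not issue"
    if by_tag["iodef"]:
        return True, f"iodef:{by_tag['iodef'][0].value} at {name}; contact the applicant before issuing"
    return True, f"issuance permitted by the CAA policy at {name}"


def demo_resolver() -> FakeResolver:
    """Constructed sample DNS data used to exercise the evaluator."""
    return FakeResolver(
        zones={
            "example.com.cn": [CAARecord(0, "issue", CA_IDENTIFIER),
                               CAARecord(0, "iodef", "mailto:pki@example.com.cn")],
            "other.example": [CAARecord(0, "issue", "some-other-ca.example")],
            "nowild.example": [CAARecord(0, "issue", CA_IDENTIFIER),
                               CAARecord(0, "issuewild", ";")],
            "strict.example": [CAARecord(128, "tbs", "Unknown")],
        },
        dnssec_signed={"signed.example": True},
        failing={"flaky.example": 1, "broken.example": 5, "signed.example": 5},
    )
```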
4.3. Certificate Issuance
4.3.1. CA Actions During Certificate Issuance
Certificate issuance by the root CA shall be carried out by a trusted person authorized by GDCA, who deliberately issues a direct command for the root CA to perform the certificate signing operation.
During certificate issuance, the RA administrator is responsible for approving the certificate application and, through the RA system, sending the certificate issuance request to the CA's certificate issuance system. The issuance request sent by the RA to the CA must carry RA identity authentication and information confidentiality measures, and the RA must ensure that the request is sent to the correct CA certificate issuance system.
After receiving the RA's issuance request, the CA's certificate issuance system authenticates and decrypts the information from the RA; for a valid issuance request, the certificate issuance system issues the subscriber certificate.
4.3.2. Notifications to Subscriber by the CA of Issuance of Certificate
After GDCA's certificate issuance system issues a certificate, the subscriber is notified, directly or via the RA, that the certificate has been issued and how to obtain it, including face-to-face delivery, online download, or other methods agreed with the subscriber.
4.4. Certificate Acceptance
4.4.1. Conduct Constituting Certificate Acceptance
1. The subscriber accesses the dedicated GDCA certificate service website and downloads the certificate; once the download is complete, the subscriber is deemed to have accepted the certificate.
2. With the subscriber's permission, the GDCA registration authority downloads the certificate on behalf of the subscriber and sends it to the subscriber by e-mail or another means GDCA considers reliable; this is deemed acceptance of the certificate by the subscriber.
3. The subscriber has accepted the way of obtaining the certificate and has raised no objection to the certificate or its contents.
4.4.2. Publication of the Certificate by the CA
After the subscriber accepts the certificate, GDCA publishes the subscriber certificate to GDCA's directory service system.
4.4.3. Notification of Certificate Issuance by the CA to Other Entities
Except for the certificate subscriber, GDCA and the registration authority do not need to notify other entities of certificate issuance.
4.5. Key Pair and Certificate Usage
4.5.1. Subscriber Private Key and Certificate Usage
Once a subscriber has submitted a certificate application and accepted the certificate issued by GDCA, the subscriber is deemed to have agreed to comply with the terms on rights and obligations relating to GDCA and relying parties. On receiving the certificate, the subscriber shall take reasonable measures to properly safeguard the private key corresponding to the certificate against unauthorized use. The subscriber may only use the private key and certificate within the scope permitted by applicable law, this CP and the subscriber agreement. For a signature certificate, the private key may be used to sign information, and the subscriber should know and confirm the content being signed. For an encryption certificate, the private key may be used to decrypt information encrypted with the corresponding public key. After the certificate expires or is revoked, the subscriber must stop using the private key corresponding to the certificate. For SSL/TLS certificates, the subscriber has the obligation and warranty to install the certificate only on servers that are accessible at the subjectAltName(s) listed in the certificate.
4.5.2. Relying Party Public Key and Certificate Usage
When a relying party receives a digitally signed message, it has the obligation to carry out the following checks:
1. Obtain the certificate corresponding to the digital signature and its trust chain;
2. Confirm that the certificate corresponding to the signature was issued by GDCA and is one trusted by the relying party;
3. Confirm whether the certificate corresponding to the signature has been revoked by querying the CRL or OCSP;
4. Confirm that the certificate's usage is suitable for the corresponding signature;
5. Use the public key in the certificate to verify the signature;
6. Check the validity period of the certificate.
If any of the above steps fails, the relying party is responsible for rejecting the signed message.
When a relying party needs to send an encrypted message to a recipient, it must first obtain the recipient's encryption certificate through an appropriate channel and then encrypt the message with the public key in the certificate. The relying party should send the encryption certificate together with the encrypted message to the recipient.
4.6. Certificate Renewal
Certificate renewal is the issuance of a new certificate to the subscriber without changing the public key or any other information in the certificate.
4.6.1. Circumstances for Certificate Renewal
For subscriber certificates issued by GDCA, the subscriber needs to request certificate renewal before the certificate expires. GDCA confirms whether or not to re-use previously validated information according to the rules of section 3.2.14 of this CP. If the certificate has expired, the subscriber must apply for a new certificate. For SSL/TLS certificates, GDCA accepts renewal requests from the subscriber without a key update. When a subscriber requests renewal, GDCA checks whether the submitted key is a weak key, and requires the subscriber to submit a compliant key pair if the submitted key proves to be weak.
4.6.2. Who May Request Renewal
The entity that may request certificate renewal is the certificate subscriber.
4.6.3. Processing Certificate Renewal Requests
The certificate renewal process includes verification of the application, authentication, and issuance of the certificate. Verification and authentication of the application shall be based on the following:
1. The subscriber's original certificate exists and was issued by GDCA;
2. The certificate renewal request is within the permitted period;
3. Identity authentication is performed based on the original registration information.
GDCA may approve and issue the certificate only after all of the above verification and authentication steps have passed.
The subscriber may also choose to renew through the ordinary initial certificate application process, submitting the corresponding certificate application and identity materials as required; GDCA may in any case use the authentication method of an initial application as the authentication method for renewal. When the certificate is renewed, the subscriber may sign the renewal request with the original private key, and GDCA verifies the validity, legality and uniqueness of the subscriber's signature, public key and user information in the renewal request.
4.6.4. Notification of New Certificate Issuance to Subscriber
See section 4.3.2 of this CP.
4.6.5. Conduct Constituting Acceptance of a Renewal Certificate
See section 4.4.1 of this CP.
4.6.6. Publication of the Renewal Certificate by the CA
See section 4.4.2 of this CP.
4.6.7. Notification of Certificate Issuance by the CA to Other Entities
See section 4.4.3 of this CP.
4.7. Certificate Rekey
Certificate rekey means that the subscriber or another participant generates a new key pair and requests that a new certificate be issued for the new public key.
4.7.1. Circumstances for Certificate Rekey
GDCA certificate rekey includes but is not limited to the following circumstances:
1. The certificate was revoked because its private key was compromised;
2. The certificate has expired;
3. GDCA requires certificate rekey for technical or policy security reasons.
4.7.2. Who May Request Certification of a New Public Key
The entity that may request rekey is the certificate subscriber.
4.7.3. Processing Certificate Rekeying Requests
See section 4.6.3 of this CP.
4.7.4. Notification of New Certificate Issuance to Subscriber
See section 4.3.2 of this CP.
4.7.5. Conduct Constituting Acceptance of a Rekeyed Certificate
See section 4.4.1 of this CP.
4.7.6. Publication of the Rekeyed Certificate by the CA
See section 4.4.2 of this CP. A rekeyed certificate must be published within 24 hours.
4.7.7. Notification of Certificate Issuance by the CA to Other Entities
See section 4.4.3 of this CP.
4.8. Certificate Modification
4.8.1. Circumstances for Certificate Modification
If the registration information provided by the subscriber changes, the subscriber must request certificate modification from GDCA. If the change to information contained in the certificate may affect the rights and obligations of the subscriber, the subscriber cannot apply for certificate modification; the certificate must be revoked and a new certificate applied for. The procedure and conditions for certificate modification are the same as those for a certificate application.
4.8.2. Who May Request Certificate Modification
The entity that may request certificate modification is the certificate subscriber.
4.8.3. Processing Certificate Modification Requests
Certificate modification is processed following the registration procedure for an initial certificate application; see section 3.2 of this CP.
4.8.4. Notification of New Certificate Issuance to Subscriber
See section 4.3.2 of this CP.
4.8.5. Conduct Constituting Acceptance of Modified Certificate
See section 4.4.1 of this CP.
4.8.6. Publication of the Modified Certificate by the CA
See section 4.4.2 of this CP.
4.8.7. Notification of Certificate Issuance by the CA to Other Entities
See section 4.4.3 of this CP.
4.9. Certificate Revocation and Suspension
4.9.1. Circumstances for Revocation
4.9.1.1. Reasons for Revoking a Subscriber Certificate
GDCA shall revoke a certificate within 24 hours if one or more of the following occurs:
1. The subscriber requests in writing that GDCA revoke the certificate;
2. The subscriber notifies GDCA that the original certificate request was not authorized and does not retroactively grant authorization;
3. GDCA obtains evidence that the subscriber's private key corresponding to the public key in the certificate suffered a key compromise; or
4. GDCA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name or IP address in the certificate should not be relied upon.
GDCA should revoke a certificate within 24 hours and must revoke a certificate within 5 days if one or more of the following occurs:
1. The certificate no longer complies with sections 6.1.5 and 6.1.6 of this CP;
2. GDCA obtains evidence that the certificate was misused;
3. GDCA is made aware that a subscriber has violated one or more of its material obligations under the subscriber agreement or the CP/CPS;
4. GDCA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a domain name registrant's right to use the domain name, a relevant licensing or services agreement between the domain name registrant and the applicant has terminated, or the domain name registrant has failed to renew the domain name);
5. GDCA is made aware that a wildcard certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;
6. GDCA is made aware of a material change in the information contained in the certificate;
7. GDCA is made aware that the certificate was not issued in accordance with GDCA's CP or CPS;
8. GDCA determines or is made aware that any of the information appearing in the certificate is inaccurate;
9. GDCA's right to issue certificates under this CP expires or is revoked or terminated, unless it has made arrangements to continue maintaining the CRL/OCSP repository;
10. The fulfilment of the obligations in the CPS is delayed or hindered by force majeure, such as natural disasters, computer or communications failures, changes of laws and regulations, government actions or other causes beyond reasonable control, causing threats to the information of others;
11. The subscriber fails to pay the service fees after GDCA has performed its obligation to notify the subscriber to pay;
12. GDCA is made aware of a demonstrated or proven method that exposes the subscriber's private key to compromise, such that the private key can easily be computed from the public key (for example a Debian weak key, see http://wiki.debian.org/SSLkeys), or there is clear evidence that the specific method used to generate the private key was flawed.
For certificates used in GDCA's certificate service system, such as certificates used by the CA, RA, LRA or other service entities (including certificates used by equipment in the service system), GDCA may revoke the certificate in the following circumstances:
1. The agreement between the CA and the RA, LRA or similar entity is terminated or changed;
2. The private key of the certificate is compromised or suspected of being compromised;
3. For management needs.
If a certificate subscriber discovers or suspects that the private key of the certificate has been compromised, the subscriber shall immediately notify the CA to revoke the certificate.
For SSL/TLS server certificates, the certificate shall also be revoked if one or more of the following occurs:
1. The CA learns that the domain name is no longer legally valid, for example a court has ruled the domain name unlawful or the contract with the domain name registrar has terminated;
2. The CA learns that a wildcard certificate has been used to authenticate a fraudulently misleading subdomain;
3. The CA ceases operations for some reason and has not arranged for another CA to provide revocation support for the certificate;
4. The CA's right to issue certificates has expired or been revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP;
5. The technical content or format of the certificate presents an unacceptable risk to application software vendors or relying parties.
4.9.1.2. Reasons for Revoking a Subordinate CA Certificate
GDCA shall revoke a subordinate CA certificate within 7 days if one or more of the following occurs:
1. GDCA obtains evidence that the subordinate CA's private key corresponding to the public key in the certificate suffered a key compromise, or no longer complies with the requirements of sections 6.1.5 and 6.1.6 of this CP;
2. GDCA obtains evidence that the certificate was misused;
3. GDCA is made aware that the certificate was not issued in compliance with the CP/CPS;
4. GDCA determines that any of the information appearing in the subordinate CA certificate is inaccurate, untrue or misleading;
5. GDCA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the certificate;
6. GDCA's qualification to provide electronic certification services expires or is revoked or terminated, unless GDCA has made arrangements to continue maintaining the CRL/OCSP repository.
4.9.2. Who Can Request Revocation
The following entities may request revocation of a subscriber certificate:
1. GDCA or a registration authority may revoke a subscriber certificate according to the requirements of section 4.9.1 of this CP;
2. For individual certificates, the certificate subscriber may request revocation of their own individual certificate;
3. For organization certificates, only a representative authorized by the organization is entitled to request revocation of a certificate issued to that organization;
4. For equipment certificates, only a representative authorized by the organization that owns the equipment is entitled to request revocation of the issued certificate;
5. Courts, competent government departments and other public authorities may revoke subscriber certificates in accordance with the law;
6. Relying parties, application software suppliers, anti-virus organizations and other third parties may submit certificate problem reports informing GDCA of reasonable grounds to revoke a certificate.
Only GDCA can revoke a root certificate or a subordinate CA certificate.
4.9.3. Procedure for Revocation Request
4.9.3.1. The subscriber requests revocation
1. The subscriber submits a revocation application, together with identification material, to the registration authority and states the reason for revocation;
2. The registration authority verifies the identity of the entity applying for revocation and the legitimacy of the revocation reason;
3. The registration authority submits the revocation application form to GDCA, and GDCA completes the revocation;
4. GDCA offers a 24x7 certificate revocation request service.
4.9.3.2. The subscriber's certificate is revoked involuntarily
1. When GDCA or a registration authority has sufficient reason to believe that a circumstance described in Section 4.9.1.1 of this CP has occurred, it may revoke the certificate through its determined internal process;
2. GDCA maintains a 24x7 certificate problem reporting and processing procedure;
3. When a relying party, judicial institution, application software provider, anti-virus organization or other third party submits a certificate problem report, GDCA shall investigate and decide, based on the results of the investigation, whether to revoke the certificate;
4. After revoking a subscriber certificate, GDCA or the RA notifies the subscriber by appropriate means, including e-mail, telephone and fax, that the certificate has been revoked and of the reason for revocation.
4.9.4. Revocation Request Grace Period
In the event of a key compromise or suspected key compromise, the revocation request must be submitted within 8 hours after the compromise or suspected compromise is discovered. Revocation requests for other reasons must be submitted within 48 hours of the change.
4.9.5. Time Within Which CA Must Process the Revocation Request
The interval between GDCA receiving a revocation request and completing the revocation shall not exceed 24 hours.
4.9.6. Revocation Checking Requirements for Relying Parties
Before relying on a certificate, relying parties must check the CRL published by GDCA to confirm whether the certificate they intend to trust has been revoked.
4.9.7. CRL Issuance Frequency
For subscriber certificates issued by the subordinate CAs of ROOT CA (SM2), CRLs are issued every 8 hours and are valid for no more than 24 hours.
For subscriber certificates issued by the subordinate CAs of GDCA GM SM2 ROOT, CRLs are issued every 24 hours and are valid for no more than 48 hours, and the value of the nextUpdate field is not more than ten days beyond the value of the thisUpdate field.
For subordinate CA certificates, GDCA shall update and publish the CRL every 12 months. If a subordinate CA certificate is revoked, GDCA shall update and publish the CRL within 24 hours after the revocation, and the value of the nextUpdate field shall be no more than twelve months beyond the value of the thisUpdate field.
In special emergency circumstances a CRL can take effect immediately (provided the network transmission conditions allow), as determined by the publication strategy made by GDCA.
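As an added illustration of the relying-party check in Section 4.9.6 and the timing limits in this section (example code written for this edition, not GDCA's own software), the following Python models a CRL's thisUpdate/nextUpdate fields and revoked-serial list and applies the limits stated above. The profile names, serial numbers and timestamps are constructed for the example; a real CRL is DER-encoded X.509 and would be parsed with an X.509 library before these checks are applied.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


# Constructed view of the CRL fields a relying party needs for these checks.
# A real CRL is DER-encoded X.509; parse it first, then apply the same logic.
@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: set = field(default_factory=set)


# Maximum allowed distance between nextUpdate and thisUpdate, from Section 4.9.7.
# The profile names are hypothetical labels for the hierarchies the CP describes.
CRL_MAX_SPAN = {
    "ROOT CA (SM2) subscriber CRL": timedelta(hours=24),    # valid no more than 24 hours
    "GDCA GM SM2 ROOT subscriber CRL": timedelta(days=10),  # nextUpdate <= thisUpdate + 10 days
    "subordinate CA CRL": timedelta(days=366),              # twelve months, taken as 366 days
}


def check_crl_timing(crl, profile, now):
    """Return the list of policy problems with a CRL's timing (empty = acceptable)."""
    problems = []
    span = crl.next_update - crl.this_update
    if span <= timedelta(0):
        problems.append("nextUpdate must be later than thisUpdate")
    elif span > CRL_MAX_SPAN[profile]:
        problems.append(f"nextUpdate is {span} after thisUpdate; limit is {CRL_MAX_SPAN[profile]}")
    if now < crl.this_update:
        problems.append("thisUpdate lies in the future")
    if now > crl.next_update:
        problems.append("CRL has expired (nextUpdate has passed)")
    return problems


def certificate_status(crl, profile, serial, now):
    """Relying-party decision required by Section 4.9.6.
    A stale or malformed CRL yields 'undetermined', never 'not revoked'."""
    if check_crl_timing(crl, profile, now):
        return "undetermined"
    return "revoked" if serial in crl.revoked_serials else "not revoked"


# Constructed sample: a CRL issued at T0 for 24 hours, listing two revoked serials.
T0 = datetime(2021, 4, 30, 0, 0, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(issuer="example subordinate CA (constructed)",
                 this_update=T0, next_update=T0 + timedelta(hours=24),
                 revoked_serials={0x1A2B, 0x0C0D})
# Constructed CRL whose nextUpdate is three days out: too long for the 24-hour
# profile, acceptable under the ten-day profile.
LONG_CRL = Crl(issuer="example subordinate CA (constructed)",
               this_update=T0, next_update=T0 + timedelta(days=3))
NOW_WITHIN = T0 + timedelta(hours=8)   # inside SAMPLE_CRL's validity window
NOW_AFTER = T0 + timedelta(hours=25)   # SAMPLE_CRL's window has passed

if __name__ == "__main__":
    profile = "ROOT CA (SM2) subscriber CRL"
    for serial in (0x1A2B, 0x9999):
        print(hex(serial), certificate_status(SAMPLE_CRL, profile, serial, NOW_WITHIN))
    print(check_crl_timing(SAMPLE_CRL, profile, NOW_AFTER))
    print(check_crl_timing(LONG_CRL, profile, NOW_WITHIN))
```

The design point is that an expired or over-long CRL must not be silently treated as "nothing revoked": the relying party returns an undetermined status and should fetch a fresh CRL (or use OCSP, Section 4.9.9) before trusting the certificate.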
4.9.8. Maximum Latency for CRLs
The latency between a certificate being revoked and its publication on the CRL shall not exceed 24 hours.
4.9.9. Online Revocation/Status Checking Availability
GDCA shall provide an online certificate status service to certificate subscribers and relying parties. OCSP responses shall conform to RFC 6960 and be signed by an OCSP responder whose certificate is signed by the CA that issued the certificate whose revocation status is being checked. The OCSP signing certificate shall contain an extension of type id-pkix-ocsp-nocheck, as defined in RFC 6960.
4.9.10. Online Revocation Checking Requirements
Users may query certificate status online freely; GDCA must not impose any access restrictions. GDCA offers the OCSP service using both the GET and POST methods.
For subscriber certificates, GDCA shall update the OCSP information at least every four days. OCSP responses have a maximum validity period of ten days. For revoked certificates, the OCSP status is updated immediately.
For subordinate CA certificates, GDCA shall update the OCSP information at least every 12 months, and within 24 hours after revoking a subordinate CA certificate.
GDCA must not respond with a "good" status to a status request for a certificate that has not been issued.
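The last requirement above is the one most often got wrong in practice: a responder that answers "good" for any serial it has no record of lets a forged or mis-issued certificate pass a status check. As an added example (written for this edition, not GDCA's responder software), the following Python shows the status decision of RFC 6960 applied to a constructed set of issued and revoked serials, immediate effect of a revocation, and the relying-party freshness check implied by the ten-day and four-day limits in this section. Serial numbers, timestamps and the reason strings are constructed; the real response is a DER structure, modelled here as a dict.

```python
from datetime import datetime, timedelta, timezone

OCSP_MAX_VALIDITY = timedelta(days=10)  # 4.9.10: responses valid for at most ten days
OCSP_REFRESH_LIMIT = timedelta(days=4)  # 4.9.10: subscriber status refreshed at least every four days

# Constructed issuance records of one hypothetical issuing CA.
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003}
REVOKED = {0x1002: (datetime(2021, 4, 20, tzinfo=timezone.utc), "keyCompromise")}


def revoke(serial, when, reason):
    """A revocation takes effect in OCSP immediately (4.9.10)."""
    if serial not in ISSUED_SERIALS:
        raise ValueError("cannot revoke a serial this CA never issued")
    REVOKED[serial] = (when, reason)


def cert_status(serial):
    """RFC 6960 CertStatus for a serial: 'good', 'revoked' or 'unknown'.
    A serial the CA never issued is 'unknown', never 'good'."""
    if serial not in ISSUED_SERIALS:
        return "unknown", None
    if serial in REVOKED:
        return "revoked", REVOKED[serial]
    return "good", None


def build_single_response(serial, produced_at):
    """Shape of one SingleResponse (as a dict; the real structure is DER)."""
    status, details = cert_status(serial)
    resp = {"serial": serial, "status": status,
            "thisUpdate": produced_at,
            "nextUpdate": produced_at + OCSP_MAX_VALIDITY}
    if status == "revoked":
        resp["revocationTime"], resp["revocationReason"] = details
    return resp


def relying_party_accepts(resp, now):
    """Accept only responses inside their window, and only windows the CP allows."""
    if resp["nextUpdate"] - resp["thisUpdate"] > OCSP_MAX_VALIDITY:
        return False
    return resp["thisUpdate"] <= now <= resp["nextUpdate"]


def responder_data_is_fresh(last_refresh, now):
    """Operational check on the responder side: refresh at least every four days."""
    return now - last_refresh <= OCSP_REFRESH_LIMIT


# Constructed timestamps for the demonstration.
PRODUCED_AT = datetime(2021, 4, 30, 9, 0, tzinfo=timezone.utc)
NOW_FRESH = PRODUCED_AT + timedelta(days=3)
NOW_STALE = PRODUCED_AT + timedelta(days=11)

if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x9999):
        print(hex(serial), build_single_response(serial, PRODUCED_AT)["status"])
    revoke(0x1003, PRODUCED_AT, "cessationOfOperation")
    print(hex(0x1003), cert_status(0x1003)[0])
```

Note that the signature checks required by Section 4.9.9 (response signed by a responder whose certificate was issued by the same CA, carrying id-pkix-ocsp-nocheck) are not modelled here; they belong in the X.509 layer that wraps this status logic.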
4.9.11. Other Forms of Revocation Advertisements Available
In addition to CRL and OCSP, GDCA may provide other forms of publication of revocation information, but such forms are not mandatory.
4.9.12. Special Requirements related to Key Compromise
Except for the circumstances specified in Section 4.9.1 of this CP, when the certificate key of a subscriber or registration authority is compromised, a certificate revocation request shall be submitted to GDCA immediately. If a CA key (root CA or subordinate CA key) is compromised or suspected of being compromised, subscribers and relying parties shall be notified by appropriate means within a reasonable time.
4.9.13. Circumstances for Suspension
GDCA does not support certificate suspension.
4.9.14. Who Can Request Suspension
GDCA does not support certificate suspension.
4.9.15. Procedure for Suspension Request
GDCA does not support certificate suspension.
4.9.16. Limits on Suspension Period
GDCA does not support certificate suspension.
4.10. Certificate Status Services
4.10.1. Operational Characteristics
Subscribers can query certificate status through the CRL, the LDAP directory service and OCSP. The certificate status services described above shall have reasonable response times and concurrent processing capacity for query requests.
For revoked certificates, GDCA shall not remove their revocation records from the CRL prior to the expiration of those certificates. GDCA does not remove the revocation records of Code Signing certificates from the CRL. GDCA does not remove revocation records from OCSP.
4.10.2. Service Availability
Certificate status services must be available 24x7, and the response time must not exceed 10 seconds.
4.10.3. Optional Features
Not applicable.
4.11. End of Subscription
The subscriber's subscription formally ends when either of the following occurs to the subscriber certificate:
1. The certificate is not renewed after expiration;
2. The certificate is revoked before expiration.
4.12. Key Escrow and Recovery
4.12.1. Key Escrow and Recovery Policy and Practices
Subscribers' key pairs shall be generated by the subscribers themselves. Losses caused by the loss or disclosure of a private key shall be borne by the subscriber, and GDCA assumes no responsibility for them. GDCA does not provide escrow and recovery services for subscribers' private keys.
4.12.2. Session Key Encapsulation and Recovery Policy and Practices
Not applicable.
5. Facility, Management, and Operational Controls
5.1. Physical Controls
5.1.1. Site Location and Construction
The GDCA central computer room is divided by function into five areas: core area, service area, management area, operation area and public area.
The core area is a high-performance electromagnetic shielding room. Its shell consists of six sides of high-quality cold-rolled steel plate: the roof and wall panels are 2 mm cold-rolled steel plate and the floor is 3 mm cold-rolled steel plate. The welding process is CO2 shielded welding. The glass is thickened bulletproof glass with embedded metal mesh. The shielding door is a manually locked shielding door. The vents are fitted with honeycomb waveguide ventilation windows matching the specification of the shielding room. The power filter is a single-phase, high-performance, low-leakage filter. Safes holding confidential material must be placed in the core area.
5.1.2. Physical Access
Entry to and exit from every physical security layer shall be recorded, audited and controlled, so as to ensure that everyone entering or leaving each physical security layer is authorized. The GDCA CPS must define detailed rules for physical access control.
5.1.3. Power and Air Conditioning
The GDCA computer room shall be equipped with a secure and reliable electric power supply system and a backup power system to ensure continuous, uninterrupted power. In addition, it shall have a dedicated computer-room air conditioning system and a fresh-air system to control the temperature and humidity of the operational facilities.
5.1.4. Water Exposures
The GDCA computer room shall have dedicated technical measures to prevent and detect water leakage, and be able to minimize the impact of any leakage on the certification system.
5.1.5. Fire Prevention and Protection
The GDCA computer room shall take preventive measures and establish corresponding procedures to eliminate and prevent fires. These fire protection measures shall meet the safety requirements of the local fire authorities.
5.1.6. Media Storage
The storage and use of physical media shall meet security requirements for protection against fire, water, earthquake, moisture, corrosion, pests, static electricity, electromagnetic radiation and similar hazards, and strict protective measures shall be established to prevent unauthorized use of and access to the media.
5.1.7. Waste Disposal
When paper documents and materials archived by GDCA are no longer needed or their retention period has expired, measures must be taken to destroy them so that the information cannot be recovered. Cryptographic devices and storage media holding sensitive information shall, before disposal, be initialized according to the manufacturer's method and then physically destroyed.
5.1.8. Off-Site Backup
GDCA has established an off-site data backup center and uses dedicated software to back up critical system data, audit log data and other sensitive information off-site on a daily basis.
5.2. Procedural Controls
5.2.1. Trusted Roles
In the electronic certification services provided by GDCA, any position that can substantively affect the issuance, usage, management and revocation of certificates, or that is involved in key operations, is regarded by GDCA as a trusted role. These roles include:
1. Administrators of keys and cryptographic devices;
2. System administrators;
3. Security auditors;
4. Business administrators and business operators.
5.2.2. Number of Persons Required per Task
GDCA shall strictly control key tasks in its specific business specifications to ensure that several trusted roles jointly participate in completing sensitive tasks:
1. Operation and storage of keys and cryptographic devices: requires 3 of 5 trusted persons acting jointly;
2. Back-end operation of the certificate issuance system: requires 2 trusted persons out of 3 system administrators acting jointly;
3. Review and issuance of certificates: requires 2 trusted persons acting jointly.
5.2.3. Identification and Authentication for Each Role
All persons undertaking trusted roles must be strictly identified and authenticated to ensure that they can meet the requirements of their job responsibilities. The authentication procedure is specified in GDCA's personnel employment management regulations.
5.2.4. Roles Requiring Separation of Duties
Separation of duties means that a person holding a role with one specific function cannot also hold a role with another specific function. Roles requiring separation of duties include but are not limited to:
1. Acceptance of certificate business;
2. Issuance of certificates or CRLs;
3. System engineering and maintenance;
4. CA key management;
5. Security auditing.
5.3. Personnel Controls
5.3.1. Qualifications, Experience, and Clearance Requirements
GDCA's qualification requirements for staff undertaking trusted roles are as follows:
1. A good social and working background;
2. Compliance with national laws and regulations, and acceptance of GDCA's unified arrangements and management;
3. Compliance with GDCA's security management norms, regulations and rules;
4. Good personal qualities and conduct, and a conscientious and responsible working attitude;
5. A good team spirit;
6. No criminal record.
GDCA requires that persons serving in trusted roles must at least be loyal, trustworthy and dedicated to their work, hold no other part-time job that affects CA operations, and have no record of major errors in this industry.
5.3.2. Background Check Procedures
GDCA cooperates with the relevant government departments and investigation agencies to complete background checks on trusted staff.
All trusted staff and staff applying for transfer into trusted roles must consent in writing to a background check. Background checks are divided into basic checks and full checks.
A basic check covers work experience, professional references, education and social relations.
A full check covers, in addition to the items of a basic check, criminal records, social relations and social security. A full check must be carried out for key positions involved in the publicly trusted certificate business.
The check procedure consists of:
a) The HR department is responsible for confirming the candidate's personal information. The candidate provides the following materials: resume, graduation certificate of the highest degree, degree certificate, qualification certificates, identity card and other related valid documents.
b) The HR department verifies the authenticity of the materials provided by telephone, correspondence, online inquiry, visits and other means.
c) The hiring department assesses the candidate through on-site assessment, daily observation, situational tests and other methods.
d) After the assessment, GDCA signs a confidentiality agreement with the employee, binding the employee not to disclose any confidential or sensitive information of the CA certificate services.
At the same time, in accordance with its personnel management regulations, GDCA also conducts position reviews of all serving staff in trusted roles, so as to continuously verify their trustworthiness and working ability.
5.3.3. Training Requirements
To make employees competent in their work, necessary pre-job training and in-service retraining shall be provided to better meet the requirements of each position. Training shall include but not be limited to:
1. The certificate policy and certification practice statement issued by GDCA;
2. Basic PKI knowledge;
3. The Electronic Signature Law of the People's Republic of China and related laws and regulations;
4. GDCA's operational system, technical system and security management system;
5. Job responsibilities and position descriptions.
5.3.4. Retraining Frequency and Requirements
GDCA shall arrange retraining as needed to ensure that employees in important positions continue to meet the requirements of their positions and can fulfil their responsibilities smoothly.
5.3.5. Job Rotation Frequency and Sequence
GDCA shall define the job rotation cycle and sequence for serving staff in accordance with its security management strategy.
5.3.6. Sanctions for Unauthorized Actions
GDCA shall establish and maintain a set of administrative measures to appropriately sanction unauthorized actions, including termination of the labor contract, removal from the position, fines, criticism and education, and referral to the judicial authorities. These sanctions shall comply with the requirements of laws and regulations.
5.3.7. Independent Contractor Requirements
For independent contractors who are not GDCA internal staff but are engaged in work related to GDCA's business, such as business personnel and management personnel of business branches, GDCA's uniform requirements are as follows:
1. Personnel records are filed and managed;
2. GDCA provides uniform pre-job training and in-service retraining, covering but not limited to GDCA's certificate acceptance rules and certification practice rules.
5.3.8. Documentation Supplied to Personnel
Documents provided by GDCA to internal employees shall include training materials and documents related to the employee's work.
5.4. Audit Logging Procedures
5.4.1. Types of Events Recorded
The CA and RA must record events related to the operation of the system, and all major security incidents occurring at GDCA are logged in the audit trail. Whether generated manually or automatically by the system, these records shall contain the following information:
1. The date and time of the event;
2. The sequence number of the record;
3. The type of record;
4. The source of the record;
5. The entity that recorded the event.
The events GDCA shall record include but are not limited to:
1. Management events in the CA key life cycle, including CA key generation, backup, storage, recovery, usage, revocation, archiving, destruction, private key compromise, etc.;
2. Management events in the certificate life cycle, including certificate application, approval, renewal, revocation, etc.;
3. System and network security events, including successful and unsuccessful attempts to access the CA system, log files generated by daily system operation, system changes, etc.;
4. Security events recorded by information security devices;
5. System operation events, including creation and deletion of system privileges, and setting or modification of passwords;
6. Access to CA facilities, including records of authorized and unauthorized personnel entering and leaving the facilities;
7. Management records of trusted personnel, including creation, deletion and modification of system privileges.
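As an added example of how the five mandatory record fields and the log-issued sequence number work together (example code written for this edition, not GDCA's audit system), the following Python produces records in the shape Section 5.4.1 requires and includes a verifier of the kind a security auditor would run over an exported log (Sections 5.4.2 and 5.4.4): it reports missing fields, gaps or reordering in the sequence numbers, and timestamps that go backwards, which is how a deleted or re-inserted record becomes visible. The event-type codes, sources, entities and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from itertools import count


class AuditLog:
    """Append-only audit trail whose records carry the five fields required by
    Section 5.4.1: time, sequence number, record type, source, recording entity.
    The log issues sequence numbers itself, so a verifier can later detect
    records that were deleted or reordered."""

    # Constructed short codes for the event categories listed in 5.4.1.
    EVENT_TYPES = {"ca_key", "certificate", "system_security", "security_device",
                   "system_operation", "facility_access", "trusted_personnel"}

    def __init__(self):
        self._seq = count(1)
        self.records = []

    def record(self, event_type, source, entity, detail, when=None):
        if event_type not in self.EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type}")
        when = when or datetime.now(timezone.utc)
        rec = {"time": when.isoformat(), "seq": next(self._seq), "type": event_type,
               "source": source, "entity": entity, "detail": detail}
        self.records.append(rec)
        return rec

    def export(self):
        """One JSON object per line, suitable for the backups of 5.1.8 and 5.4.5."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_export(text):
    """Re-check an exported log: required fields present, sequence numbers
    contiguous from 1, timestamps never going backwards. Returns the list of
    findings (an empty list means the log is consistent)."""
    required = {"time", "seq", "type", "source", "entity"}
    findings, expected_seq, last_time = [], 1, None
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = json.loads(line)
        missing = required - set(rec)
        if missing:
            findings.append(f"line {lineno}: missing fields {sorted(missing)}")
            continue
        if rec["seq"] != expected_seq:
            findings.append(f"line {lineno}: expected seq {expected_seq}, found {rec['seq']}")
            expected_seq = rec["seq"]
        expected_seq += 1
        t = datetime.fromisoformat(rec["time"])
        if last_time is not None and t < last_time:
            findings.append(f"line {lineno}: time goes backwards")
        last_time = t
    return findings


def example_log():
    """Constructed sample: three events of the kinds 5.4.1 requires, as export text."""
    t0 = datetime(2021, 4, 30, 8, 0, tzinfo=timezone.utc)
    log = AuditLog()
    log.record("facility_access", "door-controller-core", "badge 0417",
               "authorized entry to core area", when=t0)
    log.record("ca_key", "hsm-console", "key administrators A,B,C",
               "CA key backup under 3-of-5 control", when=t0 + timedelta(minutes=12))
    log.record("certificate", "ra-portal", "RA operator D",
               "revocation request approved, reason keyCompromise",
               when=t0 + timedelta(minutes=40))
    return log.export()


def drop_line(text, index):
    """Simulate an unauthorized deletion of one record, for the verifier demo."""
    lines = text.splitlines()
    del lines[index]
    return "\n".join(lines)


if __name__ == "__main__":
    text = example_log()
    print("intact:", verify_export(text))
    print("one record removed:", verify_export(drop_line(text, 1)))
```

Sequence numbers only make deletion detectable, not impossible; the physical and logical access controls of Section 5.4.4 and the off-site copies of Section 5.4.5 are what let the auditor compare the live log against a copy the operator could not reach.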
5.4.2. Frequency of Processing Log
GDCA shall review the audit logs regularly in order to discover significant security and operational events, and take corresponding measures for any security events discovered.
5.4.3. Retention Period for Audit Log
GDCA must properly retain the audit logs of its electronic certification services for a period of ten years after the electronic signature certification ceases to be valid.
5.4.4. Protection of Audit Log
All audit logs shall be protected by strict physical and logical access controls to prevent unauthorized viewing, modification, deletion, etc.
5.4.5. Audit Log Backup Procedures
A reliable system for backing up audit logs shall be established and followed, with backups performed regularly.
5.4.6. Audit Collection System (Internal vs. External)
Not applicable.
5.4.7. Notification to Event-Causing Subject
When an audit record reports an event, the individual or organization that caused the event shall be notified.
5.4.8. Vulnerability Assessments
Based on the audit records, GDCA shall conduct security vulnerability assessments regularly and take remedial measures according to the assessment reports.
5.5. Records Archival
5.5.1. Types of Records Archived
In addition to the records specified in Section 5.4.1 of this CP, the following records shall be archived:
1. Certificate application information;
2. Supporting documents for the certificate issuance process.
5.5.2. Retention Period for Archive
GDCA's Certification Practice Statement (CPS) shall specify a reasonable retention period for archived records.
5.5.3. Protection of Archive
Archived data shall be protected by appropriate physical and logical access controls so that only authorized trusted personnel can access it, preventing unauthorized viewing, modification, deletion or other tampering.
5.5.4. Archive Backup Procedures
Electronic archive records generated by the systems shall be backed up regularly (weekly), and the backup files stored off-site. Written archive materials do not need to be backed up, but strict measures shall be taken to ensure their security.
5.5.5. Requirements for Time-Stamping of Records
All GDCA records are labelled with a time, added either manually by the operator or automatically by the system.
5.5.6. Archive Collection System (Internal or External)
Each entity, including GDCA and the registration authorities, shall build an internal archive collection system.
5.5.7. Procedures to Obtain and Verify Archive Information
GDCA's security auditors and its operation and maintenance staff each retain one of the 2 copies of the archived information. When complete archived information is obtained, the 2 copies shall be compared to confirm integrity.
5.6. Key Changeover
When a CA certificate expires, GDCA will renew the CA certificate. As long as the cumulative lifetime of the CA key pair does not exceed the maximum lifetime specified in Section 6.3.2 of this CP, the CA certificate may be renewed using the original key; otherwise a new key pair shall be generated to replace the expired CA key pair. Even within the lifetime of a key pair, GDCA may also produce a new CA certificate by generating a new key pair. Before a CA certificate expires, the key changeover process is started to ensure a smooth transition of the entities in the CA hierarchy from the old CA key pair to the new one.
When generating a new CA key pair, GDCA's key management rules must be strictly followed. When a new key pair is generated, GDCA will issue the new CA certificate and publish it promptly, so that subscribers and relying parties can obtain the new CA certificate in time.
During CA key changeover, a smooth transition of the entire certificate chain must be ensured.
5.7. Compromise and Disaster Recovery
5.7.1. Incident and Compromise Handling Procedures
GDCA shall formulate handling plans for various incidents and emergency response plans, specifying the corresponding incident and compromise handling procedures.
5.7.2. Computing Resources, Software, and/or Data Are Corrupted
If computing resources, software and/or data are corrupted, GDCA shall immediately start the incident handling procedures and, if necessary, carry out recovery according to the disaster recovery plan.
5.7.3. Entity Private Key Compromise Procedures
In the case of intentional, man-made or natural disasters, GDCA will take the following steps to restore a secure environment:
1. The passwords of the GDCA certification system are changed by the business administrators, business operators and system administrators;
2. Depending on the nature of the disaster, some or all certificates are revoked or re-certified later;
3. If the directory is unavailable or suspected of being corrupted, the directory data, encryption certificates and CRLs are recovered;
4. The secure site is accessed promptly to restore operations as reasonably as possible;
5. If the business administrator's configuration file needs to be restored, the restoration is performed by a system administrator;
6. If a GDCA business operator's configuration file needs to be restored, the restoration is performed by another GDCA security business operator or a business administrator.
When a CA root private key is compromised or leaked, GDCA starts its major incident emergency handling procedure, in which the Security Policy Committee and relevant experts assess the situation and formulate an action plan. If the CA certificate must be revoked, the following measures will be taken:
1. Notify relying parties and the competent national authorities;
2. Publish the certificate revocation status to the repositories;
3. Publish a notice on the handling of the revoked CA certificate on the GDCA website or through other communication channels;
4. Generate a new root private key and re-issue certificates to subscribers.
5.7.4. Business Continuity Capabilities After a Disaster
After a disaster, GDCA shall have the following business continuity capabilities:
1. Restore the business systems in the shortest possible time, not exceeding 48 hours;
2. Recover customer information;
3. Ensure that the operating site after recovery meets the security requirements;
4. Have sufficient personnel to continue operating without violating the separation-of-duties requirements.
5.8. CA or RA Termination
When GDCA or its registration authorities need to cease business, the work must be carried out strictly in accordance with the provisions on termination of electronic certification services in the Electronic Signature Law of the People's Republic of China, the Measures for the Administration of Electronic Certification Services and related regulations.
Before termination, GDCA must:
1. Appoint a unit to take over the business;
2. Draft the GDCA termination statement;
3. Notify the entities related to the GDCA termination;
4. Shut down the subordinate directory servers;
5. Revoke certificates;
6. Process the archived file records;
7. Stop the certification authority services;
8. Archive the main directory server;
9. Shut down the main directory server;
10. Dispose of the access rights of GDCA business administrators and GDCA business operators;
11. Process the encryption keys;
12. Process and store sensitive documents;
13. Clear the GDCA host hardware.
When an RA terminates its services for any reason, GDCA handles the business transfer and other matters in accordance with the agreements signed with the RA.
6. Technical Security Controls
6.1. Key Pair Generation and Installation
6.1.1. Key Pair Generation
6.1.1.1. Generation of CA Key Pair
CA key pairs must be generated in a physically secure environment, by multiple trusted persons, within cryptographic devices approved and licensed by the State Cryptography Administration (SCA) of China. The generation, management, storage, backup and recovery of keys shall comply with the relevant regulations of the SCA. The cryptographic modules used for such key generation must be evaluated and certified by the SCA. The generation of CA key pairs shall be video recorded or witnessed by a qualified auditor to ensure that the process complies with this CP and with the separation-of-roles requirements. The key pair generation procedures and operations shall be recorded and archived.
6.1.1.2. Generation of Subscriber Key Pair
The generation of subscriber key pairs must comply with national laws and policies. GDCA supports multiple ways of generating signing key pairs: a hardware cryptographic module (such as a USB Key), a software cryptographic module approved by the State Cryptography Administration, or a standard software cryptographic module (such as the key generation function provided by web server software); certificate applicants may choose according to their needs. In any case, the security of key pair generation shall be guaranteed, and GDCA has implemented security and confidentiality measures in technology, business processes and management.
For SSL/TLS certificates, timestamp certificates and equipment certificates, subscribers' key pairs are generated and kept by the subscribers themselves. For e-mail certificates, GDCA allows subscribers to generate key pairs online, in which case the private key is encrypted and delivered to the subscriber through a secure channel, or subscribers may submit a CSR for issuance of the certificate. For Code Signing certificates and document signing certificates, subscribers shall generate key pairs using hardware equipment that meets the relevant requirements (such as a USB Key or cryptographic machine) or by other secure means under the signer's control. If the key pair is generated in hardware equipment, the private key shall not be duplicated or exported, and its activation must require a password; GDCA delivers the activation password to the subscriber through a secure channel. Certificate subscribers have the responsibility and obligation to protect the security of their private keys and assume the legal liability arising from it.
GDCASM2证书策略(V1.
0版)866.
1.
2.
私钥传送给订户PrivateKeyDeliverytoSubscriber除邮件证书外,GDCA不需要将私钥传递给订户.
对于需要传递私钥的邮件证书,私钥加密保护后通过安全通道传送给订户.
GDCAdoesnotneedtosendprivatekeystosubscribers.
Forthee-mailcertificatesthatrequirethedeliveryofprivatekeys,theprivatekeysshallbedeliveredencryptedandprotectedviasecurechannelstothesubscribers.
6.1.3. Public Key Delivery to Certificate Issuer

In order to obtain a digital certificate, the end subscriber and the RA submit the public key to GDCA electronically, as a certificate signing request in PKCS#10 format or in another digitally signed package format. The transmission of these requests or packages must be protected by a security protocol such as Secure Sockets Layer (SSL). GDCA verifies the subscriber's signature on the submitted request before issuing the certificate.
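As an added illustration of the check described above (example code, not GDCA's software), the following Go program parses a PKCS#10 request and verifies its self-signature before anything is issued, then shows that a request whose signature has been altered in transit is rejected. ECDSA P-256 stands in for SM2, which Go's standard library does not implement; the subject name is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// verifyRequest parses a PKCS#10 request and checks its self-signature, which
// proves that whoever produced the request holds the private key matching the
// enclosed public key. It also rejects an empty subject common name as a
// minimal sanity check on the requested name.
func verifyRequest(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName == "" {
		return nil, errors.New("subject must carry a non-empty common name")
	}
	return csr, nil
}

// makeRequest builds a constructed request the way a subscriber would.
// ECDSA P-256 is a stand-in for SM2 (not in the Go standard library).
func makeRequest(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tpl, key)
}

func main() {
	der, err := makeRequest("www.example.invalid") // placeholder name
	if err != nil {
		panic(err)
	}
	_, err = verifyRequest(der)
	fmt.Println("genuine request:", err)
	// Flip one bit in the trailing byte of the DER, which lies inside the
	// signature: the request still parses but no longer proves possession.
	der[len(der)-1] ^= 0x01
	_, err = verifyRequest(der)
	fmt.Println("altered request:", err)
}
```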
6.1.4. CA Public Key Delivery to Relying Parties

GDCA shall deliver the CA public key to relying parties through secure and reliable means, including download from a secure site and face-to-face submission. GDCA also publishes its CA certificates through a directory.
6.1.5. Key Sizes

The SM2 key size supported by GDCA is at least 256 bits.
6.1.6. Public Key Parameters Generation and Quality Checking

For GDCA subscribers who use hardware cryptographic modules, public key parameters must be generated and selected in encryption equipment and hardware media approved and licensed by the national cryptographic authority (SCA), such as cryptographic servers, cryptographic cards, USB Keys and IC cards, following the generation specifications and standards of these devices. GDCA considers that the built-in protocols and algorithms of these devices and media already meet a sufficient level of security.

Quality checking of the parameters is likewise performed by encryption equipment and hardware media approved and licensed by SCA, such as cryptographic servers, cryptographic cards, USB Keys and IC cards. As noted, GDCA considers that the built-in protocols and algorithms of these devices and media already meet a sufficient level of security.
6.1.7. Key Usage Purposes (as per X.509 v3 Key Usage Field)

X.509 v3 certificates issued by GDCA contain the key usage extension, used in accordance with RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile, May 2008). If GDCA specifies a purpose in the key usage extension of a certificate it issues, the certificate subscriber must use the key according to that specified purpose. See CP section 7.1.2.
6.2. Private Key Protection and Cryptographic Module Engineering Controls

The certification authority must ensure the security of CA private keys through a combination of physical, logical and procedural controls. The subscriber agreement requires certificate subscribers to take the necessary precautions to prevent the loss, disclosure, modification or unauthorized use of their private keys.
6.2.1. Cryptographic Module Standards and Controls

GDCA must use hardware cryptographic modules recognized and approved by the national cryptographic authority to generate the key pairs of the root CA, the issuing CAs and other CAs, and to store the corresponding CA private keys.
6.2.2. Private Key (n out of m) Multi-Person Control

The certification authority must use technical and procedural control mechanisms so that multiple trusted persons jointly participate in the operation of the CA cryptographic equipment. The technical control may use "secret sharing": the activation data required to use a CA private key is split into several parts, each held by a different trusted person. If the total number of sec
ret shares for a hardware cryptographic module is m, then at least n trusted persons are required to activate the CA private key stored in that module. Here m is not less than 5 and n is not less than 3.
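An added example, not GDCA's implementation, of the secret-sharing control described above: the activation data is split into m = 5 shares of which any n = 3 recover it, using Shamir's scheme over a prime field. The field size and the sample secret are constructed for this example; the m >= 5 and n >= 3 bounds of this section are enforced by the split function.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Arithmetic is done modulo the Mersenne prime 2^127-1, which is large enough
// to hold a 128-bit activation secret (constructed choice for this example).
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

// Share is one custodian's part: the secret polynomial evaluated at x.
type Share struct {
	X, Y *big.Int
}

// SplitActivationData splits secret into m shares of which any n reconstruct
// it (Shamir's scheme). Section 6.2.2 requires m >= 5 and n >= 3.
func SplitActivationData(secret *big.Int, n, m int) ([]Share, error) {
	if m < 5 || n < 3 || n > m {
		return nil, errors.New("CP section 6.2.2 requires m >= 5 and 3 <= n <= m")
	}
	if secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, errors.New("secret must lie in [0, prime)")
	}
	// Random polynomial of degree n-1 whose constant term is the secret.
	coeffs := make([]*big.Int, n)
	coeffs[0] = new(big.Int).Set(secret)
	for i := 1; i < n; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, m)
	for i := range shares {
		x := big.NewInt(int64(i + 1)) // x = 0 would be the secret itself, never issued
		y := new(big.Int)
		for j := n - 1; j >= 0; j-- { // Horner evaluation modulo prime
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: x, Y: y}
	}
	return shares, nil
}

// RecoverActivationData reconstructs the secret from any n distinct shares by
// Lagrange interpolation at x = 0. With fewer than n shares the result is a
// value unrelated to the secret, which is the property the control relies on.
func RecoverActivationData(shares []Share) (*big.Int, error) {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if si.X.Cmp(sj.X) == 0 {
				return nil, errors.New("duplicate share")
			}
			num.Mul(num, new(big.Int).Neg(sj.X)).Mod(num, prime)       // (0 - x_j)
			den.Mul(den, new(big.Int).Sub(si.X, sj.X)).Mod(den, prime) // (x_i - x_j)
		}
		term := new(big.Int).Mul(num, new(big.Int).ModInverse(den, prime))
		term.Mul(term, si.Y)
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret, nil
}

func main() {
	secret, _ := rand.Int(rand.Reader, prime) // constructed stand-in for activation data
	shares, err := SplitActivationData(secret, 3, 5)
	if err != nil {
		panic(err)
	}
	got, _ := RecoverActivationData(shares[:3])
	fmt.Println("3 of 5 shares recover the secret:", got.Cmp(secret) == 0)
	got, _ = RecoverActivationData(shares[:2])
	fmt.Println("2 of 5 shares recover the secret:", got.Cmp(secret) == 0)
}
```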
6.2.3. Private Key Escrow

Not applicable.
6.2.4. Private Key Backup

In order to ensure business continuity, GDCA must create backups of CA private keys for disaster recovery. Backup private keys are stored in encrypted form in hardware cryptographic modules. The cryptographic modules used for CA private key storage shall meet the requirements of CP section 6.2.1 and be kept in a safe. Copying a CA private key into a backup hardware cryptographic module shall meet the requirements of CP section 6.2.6.

For subscriber signing certificates whose private key is stored in a software cryptographic module, it is recommended that the subscriber back up the private key; the backup must be protected by authorized access controls such as a password, to prevent unauthorized modification or disclosure.

For subscriber encryption certificates, the encryption private key is backed up by the Guangdong Electronic Key Management Center, and the backup private key is stored in ciphertext form.
6.2.5. Private Key Archival

After a CA private key expires, it must be archived for at least 7 years in a hardware cryptographic module that meets the requirements of CP section 6.2.1. At the end of the archival period, the CA private key shall be destroyed in accordance with CP section 6.2.10.
6.2.6. Private Key Transfer Into or From a Cryptographic Module

CA private keys are backed up strictly in accordance with GDCA's root key management specification; any other import or export operation is not allowed. When a CA key pair is backed up to another hardware cryptographic module, it is transferred between the modules in encrypted form, and authentication is performed before the transfer, to prevent the CA private key from being lost, stolen, modified, disclosed without authorization or used without authorization.

GDCA does not provide a way to export subscriber private keys from hardware cryptographic modules, and does not allow such operations. For private keys stored in software cryptographic modules, subscribers may choose their own means of import and export if they are willing to bear the associated risks; the operation must be protected by authorized access controls such as a password.
6.2.7. Private Key Storage on Cryptographic Module

The private keys of CA systems must be stored in ciphertext form in hardware cryptographic modules approved and licensed by the national cryptographic authority.

Subscriber private keys are stored in USB Key media or file certificates that meet the national cryptographic regulations; all private keys stored in a USB Key are kept in ciphertext form. Private keys generated by a software cryptographic module are preferably stored and used in a hardware cryptographic module; subscribers may also choose to use a specific software cryptographic module that has security protection measures.
6.2.8. Method of Activating Private Key

CA private keys are stored in hardware cryptographic modules. Their activation data is split in accordance with CP section 6.2.2 and kept in hardware media such as IC cards; the private key can only be activated by entering the activation data in the n-out-of-m manner.

Subscriber private keys stored in hardware cryptographic modules such as a USB Key, cryptographic card, cryptographic server or other form of hardware module can be further protected by the subscriber with a password, IC card, etc. Once the corresponding driver is installed on the subscriber's computer, the private key is activated by inserting the USB Key or IC card into the corresponding device and entering the protection password.

For private keys stored in a software cryptographic module on the subscriber's computer, the subscriber should take reasonable measures to protect the computer physically, to prevent other persons from using the subscriber's computer and the associated private key without the subscriber's authorization. If a private key stored in a software cryptographic module is not protected by a password, loading the software cryptographic module activates the private key. If the private key is protected by a password, the password must also be entered after the module is loaded before the private key is activated.
6.2.9. Method of Deactivating Private Key

Once a private key is activated, it remains active unless that state is deactivated. In some uses of a private key, each activation permits only one operation, and the key must be activated again for a second operation.

Ways of deactivating a private key include logging out, cutting the power, removing the hardware cryptographic module, and logging off the user or system. No unauthorized person may perform these operations.

A CA private key is deactivated when the device storing it is powered off. Subscribers decide for themselves how to deactivate their private keys: the private key is deactivated when the subscriber logs off the computer after each operation, removes the hardware cryptographic module from the card reader, or cuts the power.
6.2.10. Method of Destroying Private Key

When a private key is no longer used and does not need to be kept, it shall be destroyed to avoid loss, theft, disclosure or unauthorized use.

For the private key of an end subscriber's encryption certificate, after the end of its lifetime it should be kept properly for a certain period so that encrypted information can still be decrypted. For the private key of an end subscriber's signing certificate, after the end of its lifetime, if it no longer needs to be kept, the subscriber decides the method of destruction, which may include deleting the private key, initializing the system or cryptographic module, or physically destroying the private key storage module.

For CA private keys, after the end of the lifetime one or more backups of the CA private key are archived and the other backups are securely destroyed. The archived CA private key is securely destroyed at the end of its archival period with the participation of multiple trusted persons. CA private keys are stored in hardware encryption cards, so a CA private key must be destroyed by deleting it completely from the encryption card or by initializing the encryption card.
6.2.11. Cryptographic Module Capabilities

GDCA uses cryptographic products approved and licensed by the national cryptographic authority and accepts the standards, specifications, assessment results, evaluation certificates and other requirements it issues. GDCA may select the modules it needs according to product performance, operating efficiency, supplier qualifications and other conditions.
6.3. Other Aspects of Key Pair Management

6.3.1. Public Key Archival

GDCA must archive CA and end subscriber certificates; archived certificates may be stored in a database.
6.3.2. Certificate Operational Periods and Key Pair Usage Periods

The usage periods of the public key and the private key are related to the validity period of the certificate, but are not entirely the same.

For signing certificates, the private key may only be used for digital signatures within the validity period of the certificate, so the usage period of the private key does not exceed the certificate's validity period. However, to ensure that information signed within the validity period can still be verified, the public key may be used beyond the certificate's validity period.

For encryption certificates, the public key may only be used to encrypt information within the validity period of the certificate, so the usage period of the public key does not exceed the certificate's validity period. However, to ensure that information encrypted within the validity period can still be decrypted, the private key may be used beyond the certificate's validity period.

For certificates used for identity authentication, the private key and the public key may only be used within the validity period of the certificate.

When a certificate has multiple usages, the usage periods of the public key and the private key are a combination of the cases above.

Note also that for both subscriber certificates and CA certificates, after the certificate expires the original key pair may be used to renew the certificate, provided security is ensured. However, a key pair cannot be used indefinitely. For the different certificate types, the maximum usage period of a key pair across certificate renewals is as follows:

1. For CA certificates issued by ROOTCA (SM2), the key pair may be used for at most 20 years, and may be used for less.
2. For CA certificates issued by GDCA GM SM2 ROOT, the key pair may be used for at most 25 years, and may be used for less.
3. For SSL/TLS server certificates, the key pair may be used for at most 397 days, and may be used for less.
4. For code signing certificates, the key pair may be used for at most 39 months, and may be used for less.
5. For timestamp certificates, the key pair may be used for at most 10 years, and may be used for less.
6. For document signing certificates, the key pair may be used for at most 3 years, and may be used for less.
7. For client e-mail certificates, the key pair may be used for at most 3 years, and may be used for less.
8. For client equipment certificates, the key pair may be used for at most 10 years, and may be used for less.
6.4. Activation Data

6.4.1. Activation Data Generation and Installation

Activation data for CA private keys must be generated, distributed and used strictly in accordance with the requirements on the splitting of key activation data and the key management measures.

Activation data for subscriber private keys, including the password used to download the certificate (provided in the form of a password envelope) and the PIN of the USB Key, must be generated randomly in a secure and reliable environment.
6.4.2. Activation Data Protection

Activation data for CA private keys must be split by secret sharing, with the resulting shares held by different trusted persons. The holders must satisfy the separation-of-duties requirements and sign an agreement confirming that they understand their responsibilities as holders of secret shares.

Activation data for subscriber private keys, including passwords and PINs, must be generated in a secure and reliable environment. Subscribers should keep their passwords and PINs safe to prevent disclosure or theft. To meet the security requirements of business systems, activation data should also be changed regularly.
6.4.3. Other Aspects of Activation Data

When private key activation data is transmitted, it shall be protected against loss, theft, modification, unauthorized disclosure and unauthorized use during transmission.

Private key activation data that is no longer needed shall be destroyed, and protected against theft, disclosure and unauthorized use during destruction. Destruction must leave no residual information or media from which any part of the activation data could be obtained directly or indirectly; for example, paper on which a password is recorded must be shredded.
6.5. Computer Security Controls

6.5.1. Specific Computer Security Technical Requirements

Information security management of GDCA's systems follows the national standard "Information security technology - Specifications of cryptography and related security technology for certificate authentication systems", the "Measures for the Administration of Electronic Certification Services" published by the Ministry of Industry and Information Technology, the ISO 27001 information security standard and other relevant information security standards. On this basis GDCA has drawn up comprehensive security management strategies and rules, which are implemented, reviewed and recorded during operation. The main security technologies and control measures include identification and authentication, logical access control, physical access control, separation of personnel duties, and network access control.

Strict security controls ensure that the systems holding CA software and data files are secure and trusted and are not subject to unauthorized access.

The core systems must be physically separated from other systems, and the production systems logically isolated from other systems. This separation blocks network access except by designated applications. Firewalls are used to block intrusion into the production network from the internal and external networks and to restrict activity that accesses the production systems. Only trusted persons in the CA system operation and management group who need access for their work may access the CA database, using a password.
6.5.2. Computer Security Rating

GDCA's certification system has passed the security review of the State Cryptography Administration (SCA).
6.6. Life Cycle Technical Controls

6.6.1. System Development Controls

GDCA's software design and development process follows these principles:
1. Third-party verification and review;
2. Security risk analysis and reliability design.

In addition, GDCA's software development operating specifications refer to the ISO 15408 standard and implement the relevant planning and development controls.
6.6.2. Security Management Controls

Information security management of the GDCA certification system strictly follows the relevant operation management specifications of the national cryptographic authority.

Use of the GDCA certification system is subject to strict control measures: every system is rigorously tested and verified before it is put into secure operation, and any modification or upgrade is recorded, placed under version control, functionally tested and documented. GDCA also carries out regular and ad hoc inspections and tests of the certification system.

GDCA uses a flexible management system to control and monitor the system configuration and to prevent unauthorized modification.

Hardware devices are checked for security when they are received from procurement, to identify whether a device has been tampered with or has security vulnerabilities. The procurement and installation of cryptographic devices are subject to even stricter security controls for inspection, installation and acceptance.

When hardware or software of the GDCA certification system is upgraded, GDCA must first confirm whether any security-relevant information remains on the retired equipment before it is disposed of.
6.6.3. Life Cycle Security Controls

The software and hardware of the GDCA certification system have a sustainable upgrade plan, which includes arrangements for the software and hardware life cycle.
6.7. Network Security Controls

The GDCA certification system is protected by multi-level firewalls and a network resource security control system, and implements comprehensive access control technology.

To ensure network security, the GDCA certification system has deployed intrusion detection, security auditing, anti-virus and network management systems, and promptly updates the versions of the firewall, intrusion detection, security auditing, anti-virus and network management systems, so as to reduce the risks from the network as far as possible.
6.8. Time-Stamping

GDCA provides a timestamp service in accordance with the RFC 3161 time-stamp protocol, using the standard timestamp request, timestamp response and timestamp encoding formats, with the standard time provided by the National Time Service Center as the time source.
7. Certificate, CRL, and OCSP Profiles

7.1. Certificate Profile

GDCA certificates conform to ITU-T X.509 v3 (1997): Information Technology - Open Systems Interconnection - The Directory: Authentication Framework (June 1997) and RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (May 2008).

GDCA generates non-sequential certificate serial numbers greater than zero that contain 64 bits of output from a CSPRNG.

A certificate contains at least the basic X.509 v1 fields, whose specified values or value limitations are described in the following table.

Table - Basic fields of the certificate structure

Field | Value or value limitation
Version | Format version of the X.509 certificate; the value is V3
Serial number | Unique identifier of the certificate
Signature algorithm | Signature algorithm used to issue the certificate (see CP section 7.1.3)
Issuer DN | Distinguished name of the issuer
Valid from | Based on Coordinated Universal Time (UTC), synchronized with Beijing time, encoded as required by RFC 5280
Valid to | Based on Coordinated Universal Time (UTC), synchronized with Beijing time, encoded as required by RFC 5280; the validity period follows the limits of CP section 6.3.2
Subject DN | Distinguished name of the certificate holder or entity
Public key | Encoded according to RFC 5280, using the algorithm specified in CP section 7.1.3, with a key length meeting the requirements of CP section 6.1.5
7.1.1. Version Number(s)

GDCA subscriber certificates conform to the X.509 V3 certificate format; the version information is stored in the certificate's version field.
7.1.2. Certificate Extensions

In addition to the X.509 V3 standard certificate extensions, GDCA also uses custom extensions. The use of custom extensions is permitted, but unless a particular application requires an extension to be included, its use is not guaranteed.
7.1.2.1. Standard Extensions

Key usage (keyUsage)
The key usage extension specifies the purpose of the certificate's key pair: digital signature, non-repudiation, key encipherment, data encipherment, key agreement, certificate signature verification, CRL signature verification, encipher only, decipher only, sign only.

Authority key identifier (authorityKeyIdentifier)
The authority key identifier extension is added to end subscriber certificates and intermediate CA certificates. If the issuer's certificate contains the subject key identifier extension, the authority key identifier is the 160-bit SHA-1 hash of the issuing CA's public key; otherwise it contains the subject DN of the issuing CA. The criticality field of this extension is set to FALSE.

Subject key identifier (subjectKeyIdentifier)
When the subject key identifier extension is populated, a key identifier is generated from the public key of the certificate subject. When this extension is used, its criticality field is set to FALSE.

CRL distribution points (CRLDistributionPoints)
The CRL distribution points extension in a certificate contains a local link that provides relying parties with CRL information for checking certificate status. The criticality field of this extension is set to FALSE.

Certificate policies (certificatePolicies)
The certificate policies extension contains the CP object identifier and policy qualifier of this CP for the corresponding certificate class. The criticality field of this extension is set to FALSE.
Basic constraints (basicConstraints)
The subject type in the basic constraints extension of a CA certificate is set to CA; for end subscriber certificates it is set to End-Entity. The criticality field of this extension is set to FALSE; in the future, for other certificates, it may be set to TRUE.

The path length in the basic constraints extension of a CA certificate gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. For a CA that issues end subscriber certificates, the pathLenConstraint field of its CA certificate is set to 0, indicating that only one end subscriber certificate may follow this CA certificate in the certification path.
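As an added example (not GDCA's software) covering the serial number rule of section 7.1, the validity caps of section 6.3.2 and the extension rules of 7.1.2.1 above: a Go checker that lists a certificate's deviations from this profile, plus a builder for a constructed issuing-CA/subscriber pair to run it against. ECDSA P-256 stands in for SM2, which the Go standard library lacks; the names, the CRL URL and the policy OID are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Extensions named in section 7.1.2.1, keyed by OID.
var profileExts = map[string]string{
	"2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
	"2.5.29.19": "basicConstraints", "2.5.29.31": "cRLDistributionPoints",
	"2.5.29.32": "certificatePolicies", "2.5.29.35": "authorityKeyIdentifier",
}

// checkProfile lists deviations of a subscriber or intermediate CA certificate
// from sections 7.1 and 7.1.2.1; maxValidity is the cap of section 6.3.2 for
// the certificate type (397 days for SSL/TLS, 39 months for code signing).
// An empty result means compliant. basicConstraints is exempt from the
// criticality check because Go, following RFC 5280, marks it critical,
// whereas this CP currently sets it to FALSE.
func checkProfile(cert *x509.Certificate, maxValidity time.Duration) []string {
	var f []string
	// Serial number: greater than zero, 64 bits of CSPRNG output (section 7.1).
	if cert.SerialNumber.Sign() <= 0 || cert.SerialNumber.BitLen() > 64 {
		f = append(f, "serial number must be >0 and at most 64 bits")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidity {
		f = append(f, "validity period exceeds the cap for this certificate type")
	}
	if cert.IsCA && cert.MaxPathLen < 0 { // Go reports -1 when pathLen is absent
		f = append(f, "CA certificate lacks pathLenConstraint")
	}
	seen := map[string]bool{}
	for _, e := range cert.Extensions {
		oid := e.Id.String()
		seen[oid] = true
		name, ok := profileExts[oid]
		if ok && e.Critical && oid != "2.5.29.15" && oid != "2.5.29.19" {
			f = append(f, name+" must not be critical")
		}
	}
	for oid, name := range profileExts {
		if !seen[oid] && oid != "2.5.29.14" { // SKI is optional in subscriber certs
			f = append(f, name+" extension missing")
		}
	}
	return f
}

// randomSerial returns a uniformly random serial in [1, 2^64-1] (section 7.1).
func randomSerial() *big.Int {
	upper := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 64), big.NewInt(1))
	s, _ := rand.Int(rand.Reader, upper) // [0, 2^64-2]
	return s.Add(s, big.NewInt(1))
}

// buildSample issues a constructed issuing CA (pathLenConstraint 0) and a
// subscriber certificate valid for validDays, signed by that CA. Go derives the
// CA's subjectKeyIdentifier as the SHA-1 of its public key and copies it into
// the subscriber certificate's authorityKeyIdentifier, as 7.1.2.1 describes.
func buildSample(validDays int) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for SM2
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().UTC() // UTC so that AddDate yields exact 24h multiples
	caTpl := &x509.Certificate{
		SerialNumber: randomSerial(), Subject: pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	// certificatePolicies is DER-encoded by hand (placeholder OID 1.2.3.4) so the
	// example does not depend on which policy field a given Go version marshals.
	policies, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{asn1.ObjectIdentifier{1, 2, 3, 4}}})
	leafTpl := &x509.Certificate{
		SerialNumber: randomSerial(), Subject: pkix.Name{CommonName: "www.example.invalid"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, validDays),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		CRLDistributionPoints: []string{"http://crl.example.invalid/placeholder.crl"},
		ExtraExtensions:       []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

func main() {
	_, leaf, err := buildSample(400) // three days over the 397-day SSL/TLS cap
	if err != nil { panic(err) }
	fmt.Println(checkProfile(leaf, 397*24*time.Hour))
}
```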
7.1.2.2. Custom Extensions

To meet the requirements of different certificate application services, GDCA may flexibly define extensions, including but not limited to the following:
1. Social insurance number: indicates the subscriber's social insurance number.
2. Organization code: indicates the enterprise's organization code.
3. Business registration number: indicates the enterprise's industry and commerce registration number.
4. National tax registration certificate number: indicates the enterprise's national tax number.
5. Trusted service number: a unique number generated by the certification authority to identify the subscriber.
6. Local tax registration certificate number: indicates the enterprise's local tax number.
7. Resident identity card number: indicates the unique number of the resident identity card.
7.1.3. Algorithm Object Identifiers

For certificates issued by GDCA, the cryptographic algorithm identifier is SM3WithSM2.
7.1.4. Name Forms

The name forms of certificates issued by GDCA conform to the X.501 Distinguished Name (DN) format. The subject fields of SSL/TLS certificates must not contain only metadata such as ".", "-" and " " (space) characters, and/or any other indication that the field is absent, incomplete or not applicable.
7.1.5. Name Constraints

Not applicable.
7.1.6. Certificate Policy Object Identifier

When the certificate policies extension is used, the certificate contains the object identifier of the certificate policy, which corresponds to the certificate category.
7.1.7. Usage of Policy Constraints Extension

Not applicable.
7.1.8. Policy Qualifiers Syntax and Semantics

Not applicable.
7.1.9. Processing Semantics for the Critical Certificate Policies Extension

Consistent with the X.509 and PKIX provisions.
7.2. CRL Profile

GDCA issues CRLs periodically for users to query. CRLs issued under this CP conform to RFC 5280. A CRL contains at least the basic fields and content described in the following table.

Field | Value or value limitation
Version | V2
Issuer | The entity issuing the CRL, identified by the issuer's distinguished name
This update | Issuance date of the CRL
Next update | Date of the next CRL issuance; the CRL is updated every 24 hours
Signature algorithm | Signature algorithm used to issue the CRL
Authority key identifier | The 160-bit hash of the issuing CA's public key
Revoked certificates | List of revoked certificates, including the serial number and revocation date of each revoked certificate
7.2.1. Version Number(s)

GDCA currently issues X.509 V2 CRLs; the version number is stored in the CRL's version field.
7.2.2. CRL and CRL Entry Extensions

Not applicable.
7.3. OCSP Profile

GDCA provides users with OCSP (Online Certificate Status Protocol) service. As an effective supplement to CRLs, OCSP allows certificate users to query certificate status information promptly.
7.3.1. Version Number(s)

The OCSP version defined in RFC 6960.
7.3.2. OCSP Extensions

Not applicable.
8. Compliance Audit and Other Assessments

8.1. Frequency and Circumstances of Assessment

GDCA conducts compliance audits and operational assessments of its operations regularly and on an ad hoc basis to ensure the reliability, security and controllability of its certification services:
1. An internal audit is performed every quarter.
2. In accordance with the requirements of the national competent authorities, the relevant national standards, this CPS and the company's security management policy, an internal assessment and audit is performed at least once a year, covering GDCA itself and the other entities involved (RAs, LRAs, etc.).
3. A risk assessment is performed once a year to identify internal and external threats, assess the likelihood of threat events and the damage they would cause, and evaluate whether the current response strategies, technologies, systems and related measures are sufficient to address the risks; based on the risk assessment, a security plan covering security processes, measures and products is created, implemented and maintained.

In addition to internal audits and assessments, GDCA also accepts external audits and assessments: for example, GDCA is assessed and inspected by the competent authorities once a year in accordance with the "Electronic Signature Law of the People's Republic of China", the "Measures for the Administration of Electronic Certification Services" and other requirements.
8.2. Identity/Qualifications of Assessor

GDCA's internal audit is performed by a cross-departmental audit and assessment group organized by the GDCA Security Policy Committee.
8.3. Assessor's Relationship to Assessed Entity

The duties of GDCA auditors must not overlap with those of GDCA's system administrators, business administrators and business operators.
8.4. Topics Covered by Assessment

GDCA's internal audit covers:
1. Whether the security policy has been fully implemented;
2. Whether operational workflows and rules are strictly followed;
3. Whether certification services are conducted strictly in accordance with the CP, the business specifications and the security requirements;
4. Whether all logs and records are complete and whether they reveal any problems;
5. Whether any other potential security risks exist.

8.5. Actions Taken as a Result of Deficiency

For problems identified in GDCA's internal audit results, the audit and assessment group supervises the improvement and remediation work of the responsible functional departments. After completing the improvements, each functional department must submit a summary report on the improvement work to the audit and assessment group.

For the audit results of an RA authorized by GDCA, if the RA is found to be acting in violation of this CP or of other business specifications established by GDCA, GDCA will stop the violation, has the right to order the RA to cease such conduct immediately, and will require rectification in accordance with GDCA's requirements. For an RA whose violations are serious, GDCA will terminate the relevant authorization for electronic certification services.
8.
6.
评估结果的传达与发布CommunicationsofResultsGDCA的内部审计结果应向本机构各职能部门以及审计涉及的注册机构进行正式通报,对可能造成订户安全隐患,GDCA必须及时向订户通报.
AuditresultsareformallyinformedtorelevantdepartmentsofGDCAandrelatedRA.
GDCAwillnotifythesubscribersofanypotentialsecurityriskstimely.
8.
7.
自评估Self-Audits见章节8.
1.
Seesection8.
1.
9. Other Business and Legal Matters

9.1. Fees
GDCA may charge its certificate subscribers fees for the electronic certification services it provides. The specific fees depend on market rules and the regulations of the relevant administrative departments.

9.1.1. Certificate Issuance or Renewal Fees
The fees for certificate issuance and renewal are published on the GDCA website, www.gdca.com.cn, for subscribers to consult. If the price specified in an agreement signed by GDCA differs from the published price, the price in the agreement prevails.

9.1.2. Certificate Access Fees
Currently GDCA does not charge any fee for certificate inquiries. Where a subscriber makes a special request that causes GDCA to incur extra cost, GDCA will negotiate an appropriate fee with the subscriber. Any change to the charging policy for certificate inquiries will be published promptly on the GDCA website (www.gdca.com.cn).

9.1.3. Revocation or Status Information Access Fees
Currently GDCA does not charge any fee for certificate revocation and status information inquiries. Where a subscriber makes a special request that causes GDCA to incur extra cost, GDCA will negotiate an appropriate fee with the subscriber. Any change to the charging policy for revocation and status information inquiries will be published promptly on the GDCA website (www.gdca.com.cn).

9.1.4. Fees for Other Services
1. If a subscriber requests a paper copy of the CP or other related operational documents from GDCA, GDCA will charge the resulting postage and processing fees.
2. GDCA provides certificate storage media and related services to subscribers; GDCA states the prices of these items in the agreements signed with subscribers or other entities.
3. The fees for other services that GDCA will or may provide will be published promptly for subscribers to consult.

9.1.5. Refund Policy
GDCA does not refund any fees paid by subscribers, except that certificate application and renewal fees may be refunded for the specific reasons described below.

In performing certificate operations and issuing certificates, GDCA complies with strict operating procedures and policies. If GDCA violates its responsibilities under this CP or other material obligations, the subscriber may request GDCA to revoke the certificate and refund the fees. After GDCA has revoked the subscriber's certificate, GDCA will immediately refund the full amount the subscriber paid for the application of that certificate.

This refund policy does not limit the subscriber from obtaining other compensation. If a subscriber continues to use the certificate after the refund has been completed, GDCA will pursue his or her legal liability.
9.2. Financial Responsibility

9.2.1. Insurance Coverage
Insurance coverage mainly addresses the compensation specified in Section 9.9 of this CP.

9.2.2. Other Assets
Not applicable.

9.2.3. Insurance or Warranty Coverage for End-Entities
Once a subscriber accepts a GDCA certificate, or accepts the certificate services through an agreement, the subscriber is deemed to have accepted the provisions and constraints of this CP regarding insurance and warranty coverage.

9.3. Confidentiality of Business Information

9.3.1. Scope of Confidential Information
In the electronic certification services provided by GDCA, the following information is treated as confidential:
1. GDCA subscribers' digital signature keys and decryption keys;
2. Audit records, including local logs, server logs and archive logs. GDCA treats these as confidential; only security auditors and business administrators may view them, and they may not be released outside the company except as required by law;
3. Other personal and company information kept by GDCA and the RAs, which shall be treated as confidential and may not be published except as required by law.

9.3.2. Information Not Within the Scope of Confidential Information
1. Certificates issued by GDCA and the public keys contained in them;
2. The subscriber information contained in certificates;
3. Certificate revocation lists (CRLs);
4. The Certificate Policy (CP) and the Certification Practice Statement (CPS).

9.3.3. Responsibility to Protect Confidential Information
GDCA, the registration authorities, subscribers and the other parties involved in the certification business are obliged, in accordance with this CP, to assume the corresponding responsibility for protecting confidential information, and must protect it through effective technical means and management procedures.

When the owner of confidential information, for whatever reason, asks GDCA to publish or disclose confidential information that he, she or it owns, GDCA shall satisfy the request; at the same time, GDCA will require the owner to authorize the request in writing, expressing his, her or its own intention to publish or disclose it. If such disclosure involves any obligation of compensation towards any other party, GDCA shall not bear any loss related to it or caused by the disclosure of the confidential information; the owner of the confidential information shall bear all compensation liability related to or arising from the disclosure.

When GDCA is required, through lawful procedures, by any law, regulation, court or other public authority to provide confidential information defined in this CP, GDCA shall disclose the relevant confidential information to the law enforcement department in accordance with the requirements of the laws, regulations or court judgment, and GDCA need not bear any liability for doing so. Such disclosure is not regarded as a breach of the confidentiality requirements and obligations.
9.4. Privacy of Personal Information

9.4.1. Privacy Plan
GDCA shall establish a privacy plan to keep subscribers' personal information confidential.

9.4.2. Information Treated as Private
Except for the information already included in the subscriber's certificate and the certificate status information, the other basic information provided by the subscriber is treated as private. Information treated as private includes:
1. The subscriber's valid identity document number, such as the ID card number;
2. The subscriber's telephone number;
3. The subscriber's address (mailing and residential);
4. The subscriber's bank account number.

9.4.3. Information Not Deemed Private
The information contained in a subscriber's certificate and the status of that certificate, etc., may be made public and are not regarded as private information.

9.4.4. Responsibility to Protect Private Information
GDCA and the registration authorities have the responsibility and obligation to properly keep and protect the subscriber private information specified in Section 9.4.2 of this CP.

9.4.5. Notice and Consent to Use Private Information
Any subscriber information that GDCA obtains within the scope of its certification business is used only for the purposes of identifying, managing and serving subscribers. When using this information, whether or not privacy is involved, GDCA has no obligation to notify the subscriber and does not need to obtain the subscriber's consent.

When GDCA discloses private information to a specific party under the requirements of any law or regulation, of a court or other public authority acting through lawful procedures, or with the written authorization of the information owner, GDCA likewise has no obligation to notify the subscriber and does not need the subscriber's consent.

If GDCA or a registration authority needs to use a subscriber's private information for a purpose other than those agreed between the two parties, it must notify the subscriber in advance and obtain the subscriber's consent and authorization, and that consent and authorization must be given in a form that can be archived (such as fax or letter).

9.4.6. Disclosure Pursuant to Judicial or Administrative Process
Where required for law enforcement or for administrative enforcement authorized by law, GDCA is permitted to provide subscribers' private information to the relevant law enforcement agencies and administrative enforcement authorities. This includes:
1. Applications submitted by the relevant agencies through lawful procedures pursuant to the provisions of laws and regulations;
2. Lawful applications by courts and other public authorities when handling disputes arising from the use of certificates;
3. Formal applications by arbitration institutions with legal jurisdiction.

9.4.7. Other Information Disclosure Circumstances
If a subscriber asks GDCA to provide a particular customer support service, such as mailing materials, GDCA needs to provide the subscriber's contact telephone number, mailing address and other related information to a third party such as a courier company.
9.5. Intellectual Property Rights
1. GDCA holds and reserves all intellectual property rights in the certificates and in all software provided by GDCA;
2. GDCA holds the ownership, the right of name and the right to share the benefits of the digital certificate system software;
3. All information published on the GDCA website is GDCA property; without GDCA's written permission, others may not reproduce it for commercial purposes;
4. Certificates and CRLs issued by GDCA are property controlled by GDCA;
5. The external operation management policies and specifications are GDCA property;
6. The distinguished names (hereinafter DNs) used to represent entities in the GDCA domain of the directory, and the certificates issued to end entities in that domain, are GDCA property.
9.6. Representations and Warranties

9.6.1. CA Representations and Warranties
GDCA must make the following warranties to subscribers:
1. Certificates issued to subscribers by GDCA comply with all substantive requirements of this CP;
2. GDCA verifies the accuracy of all information contained in the certificate (with the exception of the organizationalUnitName information);
3. GDCA ensures that its private key is stored and protected securely, and the security mechanisms GDCA establishes and implements comply with the relevant national policies;
4. GDCA revokes certificates promptly in accordance with this CP;
5. GDCA informs subscribers of any known event that will materially affect the validity and reliability of the subscriber's certificate;
6. GDCA verifies that the applicant either had the right to use, or had control of, the domain name(s) and IP address(es) listed in the certificate's subject field and subjectAltName extension (or, only in the case of domain names, was delegated such right or control by someone who had such right to use or control);
7. GDCA verifies that the applicant authorized the issuance of the certificate and that the applicant representative is authorized to request the certificate on behalf of the applicant;
8. GDCA implements a procedure for reducing the likelihood that the information contained in the certificate's subject:organizationalUnitName attribute would be misleading;
9. GDCA verifies the identity of the applicant according to Section 3.2 of this CP;
10. If GDCA and the subscriber are not affiliated, the subscriber and GDCA are parties to a legally valid and enforceable subscriber agreement; if GDCA and the subscriber are the same entity or are affiliated, the applicant representative has acknowledged the terms of use;
11. GDCA maintains a 24x7 publicly accessible repository with current status information (valid or revoked) for all unexpired certificates.

GDCA must make the following warranties to relying parties:
1. The subscriber information in the certificate is accurate, except for unverified subscriber information;
2. GDCA issues certificates in full compliance with this CP and the relevant CPS;
3. Certificates published in the GDCA repository have been issued to subscribers and have been accepted by those subscribers in accordance with this CP.
9.6.2. RA Representations and Warranties
1. The registration process provided to certificate subscribers fully complies with all substantive requirements of this CP;
2. When GDCA generates a certificate, no error of the registration authority will cause the information in the certificate to be inconsistent with the applicant's information;
3. The registration authority will submit certificate application, revocation, renewal and other service requests to GDCA promptly in accordance with this CP.
9.6.3. Subscriber Representations and Warranties
Once a subscriber accepts a certificate issued by GDCA, the subscriber is deemed to make the following commitments to GDCA, the registration authorities and relying parties:
1. Digital signatures are made only within the certificate's validity period;
2. All information the subscriber provides to the registration authority when applying for the certificate is true, complete and accurate, and the subscriber is willing to bear legal liability for providing any false or forged information;
3. If there is an agent, the subscriber and the agent are jointly and severally liable. The subscriber is responsible for notifying GDCA or its authorized certification service agencies of any misrepresentation or omission made by the agent;
4. Every signature made with the private key corresponding to the public key in the subscriber's certificate is the subscriber's own signature; at the time of signing the certificate is valid (neither expired nor revoked), and the private key is accessed and used by the subscriber alone;
5. Unless expressly provided in a written agreement between the subscriber and the issuing authority, the subscriber undertakes not to engage in the business of an issuing authority (or similar institution);
6. By accepting the certificate, the subscriber acknowledges and accepts all terms and conditions of this CP and the corresponding subscriber agreement;
7. By accepting the certificate, the subscriber assumes the following responsibilities: to maintain control of the private key at all times, to use trustworthy systems, and to take reasonable precautions to prevent the loss, disclosure, alteration or unauthorized use of the private key;
8. The subscriber shall not refuse any statement, change, update or upgrade published by GDCA, including but not limited to modifications of policies and specifications and the addition or removal of certificate services;
9. The certificate is used lawfully within the scope of use defined in this CP, and only for authorized or otherwise lawful purposes;
10. The subscriber takes secure and reasonable measures to prevent the loss, disclosure, alteration or similar compromise of the certificate's private key;
11. For SSL/TLS certificates, the subscriber is responsible for installing the certificate only on servers that are accessible at the subjectAltName(s) listed in the certificate;
12. For code signing certificates, the subscriber must not use the certificate to sign suspicious code or other illegal or malicious software.
9.6.4. Relying Party Representations and Warranties
1. Abide by all provisions of this CP;
2. Before relying on a certificate, confirm that it is being used within its prescribed scope and validity period;
3. Before relying on a certificate, verify the certificate's trust chain;
4. Before relying on a certificate, confirm by querying the CRL or OCSP whether the certificate has been revoked;
5. If, through negligence or for other reasons, the relying party breaches the terms of reasonable checking, the relying party is willing to compensate GDCA for the resulting losses and to bear the resulting losses of itself or others;
6. The relying party shall not refuse any statement, change, update or upgrade published by GDCA, including but not limited to modifications of policies and specifications and the addition or removal of certificate services.
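The checks in items 2 to 4 of Section 9.6.4 (scope and validity period, trust chain, revocation status), which Section 9.9.3 makes a relying party liable for skipping, carried out in code. This is an added example, not GDCA's code or policy text: the CA, the end-entity certificates and the CRL are constructed inline, and ECDSA P-256 stands in for SM2 because the Python `cryptography` library does not support SM2.

```python
# Added example (not GDCA code): the checks a relying party owes under CP 9.6.4
# items 2-4 and is liable for skipping under CP 9.9.3. The test PKI is constructed
# inline; ECDSA P-256 stands in for SM2, which the Python `cryptography` library lacks.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DAY = dt.timedelta(days=1)
NOW = dt.datetime(2021, 6, 1, tzinfo=dt.timezone.utc)  # constructed "current time"
CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _utc(obj, attr):
    """Validity timestamp as aware UTC, whichever property this library version has."""
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return value.replace(tzinfo=dt.timezone.utc) if value and value.tzinfo is None else value


def make_ca(cn="Constructed Test CA"):
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW - 365 * DAY).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cn, serial, start_days, end_days, eku):
    """Issue an end-entity certificate valid from NOW+start_days to NOW+end_days."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW + start_days * DAY).not_valid_after(NOW + end_days * DAY)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials, next_update_days=7):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - 30 * DAY).next_update(NOW + next_update_days * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW - DAY).build())
    return builder.sign(ca_key, hashes.SHA256())


def relying_party_check(cert, trusted_ca, crl, required_eku, now=NOW):
    """Return the reasons the certificate must not be relied upon ([] means OK)."""
    problems = []
    # 9.6.4 item 2: used within its validity period ...
    if not (_utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after")):
        problems.append("outside validity period")
    # ... and within its prescribed scope (here: the extended key usage)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if required_eku not in eku:
            problems.append("extended key usage does not permit this purpose")
    except x509.ExtensionNotFound:
        problems.append("no extended key usage extension")
    # 9.6.4 item 3: the trust chain (a single level here) ends at the trusted CA
    if cert.issuer != trusted_ca.subject:
        problems.append("issuer is not the trusted CA")
    else:
        try:
            trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                           ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            problems.append("signature does not verify under the CA key")
    # 9.6.4 item 4: revocation status, from a CRL that is itself CA-signed and fresh
    next_update = _utc(crl, "next_update")
    if crl.issuer != trusted_ca.subject or not crl.is_signature_valid(trusted_ca.public_key()):
        problems.append("CRL not issued and signed by the trusted CA")
    elif next_update is not None and next_update < now:
        problems.append("CRL is stale")
    elif crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        problems.append("certificate is revoked")
    return problems


# Constructed scenario: one CA; a good code-signing certificate, a revoked one,
# an expired one, and one scoped to TLS server authentication instead.
CA_KEY, CA_CERT = make_ca()
GOOD = issue_leaf(CA_KEY, CA_CERT, "Good Signer", 100, -1, 30, CODE_SIGNING)
REVOKED = issue_leaf(CA_KEY, CA_CERT, "Revoked Signer", 101, -1, 30, CODE_SIGNING)
EXPIRED = issue_leaf(CA_KEY, CA_CERT, "Expired Signer", 102, -60, -30, CODE_SIGNING)
WRONG_USE = issue_leaf(CA_KEY, CA_CERT, "Web Server", 103, -1, 30, ExtendedKeyUsageOID.SERVER_AUTH)
CRL = make_crl(CA_KEY, CA_CERT, [REVOKED.serial_number])
```

Calling `relying_party_check(GOOD, CA_CERT, CRL, CODE_SIGNING)` returns an empty list, while the revoked, expired and wrongly scoped certificates each return the single reason a relying party must not accept them; a CRL whose nextUpdate has passed is reported as stale rather than trusted.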
9.6.5. Representations and Warranties of Other Participants
Abide by all provisions of this CP.

9.7. Disclaimers of Warranties
Except for the commitments expressly made in Section 9.6.1 of this CP, GDCA assumes no other guarantees or obligations of any kind:
1. GDCA does not guarantee the statements of certificate subscribers, relying parties or other participants;
2. GDCA does not guarantee any software used in electronic certification activities;
3. GDCA assumes no liability for the use of certificates beyond their prescribed purposes;
4. GDCA assumes no responsibility for service interruptions caused by force majeure, such as war or natural disasters, or for customer losses resulting from them;
5. When a subscriber breaches the commitments in Section 9.6.3 of this CP, or a relying party breaches the commitments in Section 9.6.4 of this CP, GDCA is exempt from liability.
9.8. Limitations of Liability
Where a certificate subscriber or relying party suffers loss in civil activities conducted on the basis of the electronic certification services provided by GDCA, GDCA assumes only the limited liability stipulated in Section 9.9.1 of this CP.

9.9. Indemnities

9.9.1. Indemnification by GDCA
If GDCA violates the representations in Section 9.6.1 of this CP, subscribers, relying parties and other entities may request that GDCA assume compensation liability (except where exempted by law or by agreement). GDCA will assume limited compensation liability in the following circumstances, among others:
1. GDCA mistakenly issues a certificate to a third party other than the subscriber, causing loss to the subscriber or a relying party;
2. Although the subscriber submitted accurate and true information, the certificate issued by GDCA contains erroneous information, causing loss to the subscriber or a relying party;
3. GDCA issues a certificate to a subscriber even though it knows that the information submitted by the subscriber is false, causing loss to a relying party;
4. The CA private key is compromised due to GDCA's fault;
5. GDCA fails to revoke a certificate in time, causing loss to a relying party.
9.9.2. Indemnification by Subscribers
In the following circumstances, a subscriber shall be liable to compensate for losses suffered by GDCA or relying parties that are caused by the subscriber:
1. When applying for certificate registration, the subscriber deliberately, negligently or maliciously provides untrue information, causing loss to GDCA, its authorized certification service agencies or a third party;
2. The subscriber, deliberately or negligently, causes the private key to be disclosed or lost; knows that the private key has been disclosed or lost but fails to inform GDCA and its authorized certification service agencies; or improperly hands the key to others for use, causing loss to GDCA, its authorized certification service agencies or a third party;
3. The subscriber's use of the certificate violates this CP and the related operating specifications, or the certificate is used for business outside the scope defined in this CP;
4. After the subscriber, or another entity entitled to request revocation, has submitted a revocation request, and before GDCA publishes the revocation information for the certificate, the certificate is used for an illegal transaction or a transaction gives rise to a dispute; provided that GDCA carried out the relevant operations in accordance with this CP, the subscriber bears all liability for the resulting damages;
5. The information in the certificate has changed, but the subscriber has neither stopped using the certificate nor promptly notified GDCA and the relying parties;
6. The subscriber has not taken effective measures to protect the private key, leading to its loss, damage, theft, disclosure or similar compromise;
7. On learning that the private key is lost or at risk, the subscriber has neither stopped using the certificate nor promptly notified GDCA and the relying parties;
8. The certificate has expired but is still in use;
9. The subscriber's certificate information infringes the intellectual property rights of a third party;
10. The certificate is used outside the prescribed scope of application, for example for illegal or criminal activities.

9.9.3. Indemnification by Relying Parties
In the following circumstances, a relying party shall be liable to compensate for losses suffered by GDCA or subscribers that are caused by the relying party:
1. The relying party has not fulfilled the obligations set out in the agreement between GDCA and the relying party and in this CP;
2. The relying party fails to perform reasonable verification in accordance with this CP, causing loss to GDCA, its authorized certification service agencies or a third party;
3. The relying party relies on a certificate in unreasonable circumstances, for example knowing that the certificate is being used beyond its scope or validity period, or that it has been or may have been stolen, but still relying on it;
4. The relying party has not verified the certificate's trust chain;
5. The relying party has not checked, by querying the CRL or OCSP, whether the certificate has been revoked.
9.10. Term and Termination

9.10.1. Term
This CP enters into force at 00:00 on its release date, at which time the previous version of the CP ceases to be effective. This CP ceases to be effective on the date the next version of the CP enters into force, or when GDCA terminates its electronic certification services.

9.10.2. Termination
When GDCA terminates its electronic certification services, this CP is terminated.

9.10.3. Effect of Termination and Survival
Termination of this CP means termination of the certification authority's certification business, but termination of the certification business does not mean termination of the certification authority's responsibilities. After terminating its business, the certification authority shall take reasonable measures to transfer the certification services to another certification authority so as to protect the interests of subscribers.

9.11. Individual Notices and Communications with Participants
Where necessary, for example when the certification authority revokes a subscriber's certificate on its own initiative, finds that a subscriber is using a certificate for purposes outside those specified, or detects other subscriber behaviour that violates the subscriber agreement, the certification authority may notify the subscriber and relying parties individually by appropriate means, such as telephone, e-mail, letter or fax.

9.12. Amendments

9.12.1. Procedure for Amendment
Under the authorization of the GDCA Security Policy Committee, the CP drafting team reviews this CP at least once a year to ensure that it complies with national laws and regulations, the requirements of the competent authorities and the relevant international standards (including the latest SSL Baseline Requirements and specifications), and that it meets the actual needs of the certification business.

To amend this CP, the CP drafting team submits an amendment report; once the GDCA Security Policy Committee has approved it, the CP drafting team organizes the revision, and the revised CP is officially released after approval by the GDCA Security Policy Committee.
9.12.2. Notification Mechanism and Period
Once approved, the revised CP is published immediately on the GDCA website, www.gdca.com.cn. For modifications that need to be notified by e-mail, letter, media or other means, GDCA will notify the relevant parties within a reasonable time, chosen so that the impact on the parties concerned is minimal.

9.12.3. Circumstances Under Which the CP Must Be Changed
GDCA must amend this CP if any of the following occurs:
1. A major development in cryptographic technology that is sufficient to affect the effectiveness of the existing CP;
2. The relevant standards for the certification business are updated;
3. A major upgrade or change of the certification system and the related management specifications;
4. Laws, regulations or the competent authorities require it;
5. A significant defect is found in the existing CP.
9.13. Dispute Resolution Provisions
Disputes between GDCA, subscribers and relying parties shall be resolved by the parties concerned through negotiation in accordance with their agreements; disputes that cannot be settled by negotiation may be resolved through legal means.

9.14. Governing Law
GDCA's CP is governed by the "Electronic Signature Law of the People's Republic of China", the "Measures for the Administration of Electronic Certification Services", the "Measures for the Administration of Cipher Codes for Electronic Certification Services" and the other laws and regulations promulgated by the state.

9.15. Compliance with Applicable Law
All business, activities, contracts and agreements of the certification authority must comply with the "Electronic Signature Law of the People's Republic of China", the "Measures for the Administration of Electronic Certification Services", the "Measures for the Administration of Cipher Codes for Electronic Certification Services" and the other laws and regulations of the People's Republic of China.

9.16. Miscellaneous Provisions

9.16.1. Entire Agreement
The CP, the CPS, the Subscriber Agreement, the Relying Party Agreement and their supplementary agreements constitute the entire agreement between the PKI participants.

9.16.2. Assignment
In accordance with the rights and obligations of the certification entities detailed in this CP, each party may transfer its rights and obligations as permitted by the relevant provisions of law. Such a transfer does not affect the novation of any debts and liabilities owed by the transferring party to the other party.

9.16.3. Severability
If any clause of this CP, or its application, is held invalid or unenforceable because it conflicts with the law of the jurisdiction in which GDCA operates, GDCA shall amend that clause to the minimum extent necessary to keep it effective; the remaining clauses are unaffected, and GDCA shall disclose the amended content in this section.

9.16.4. Enforcement
Not applicable.

9.16.5. Force Majeure
A CPS formulated in accordance with this CP shall include a force majeure clause to protect the interests of all parties.

9.17. Other Provisions
GDCA has the final right of interpretation of this CP.
Appendix: GDCA CP Revision Records

Version  Description                        Release Date       Revision by
1.0      Creation of the initial document.  December 22, 2020  Security Policy Committee