Certificate Policy for "villagemall.net.au" Domain Certification Services

Version 1.0

July 2001

Copyright © 2000,2001 VillageMall Pty Ltd.
ALL RIGHTS RESERVED


1. Introduction

This document outlines the policies for certificates that contain the domain suffix "villagemall.net.au", issued by the "villagemall.net.au" ("VillageNet") Certificate Services. It assumes the reader has a basic understanding of digital certificates and signatures. It covers certificate application, validation of applicants, certificate issuance, use, and revocation.
VillageMall maintains a number of Certification Authorities and Certificate Policies for use by its subscribers. This VillageNet Certificate Authority provides certificate services to subscribers that will create and store their associated private keys on a commercial computer platform without hardware (smartcard, token) protection.

1.1 Definitions

Certificate Revocation List ("CRL") means the register from time to time of information regarding the status of Digital Certificates or a facility which enables the revocation status of a Digital Certificate to be checked.

Certification Authority ("CA") means VillageNet or any other entity expressly authorised by VillageNet to issue Digital Certificates to VillageNet network members.

2. General Disclaimer

As a Certification Authority, VillageNet binds the name and any other required information to a subscriber's public key and signs this information with VillageNet's Certification Authority private key. By issuing a certificate to a particular certificate policy, VillageNet is confirming that it has followed the rules associated with the certificate policy (please see signing procedures for details of minimum checks).

It must be noted that VillageNet makes no acknowledgment of the merchantability or credibility of products or services provided by an organisation or individual for whom it signs a digital certificate. Issuance of a certificate does not guarantee the authority of the person who has the associated private key to act on behalf of the named entity within the certificate.

3. Certification Infrastructure

3.1 Certificate Policy(ies)

VillageNet issues certificates with different certificate policies. Each certificate policy has been designed for a specific use. VillageNet certificate policies have a globally unique Object Identifier (OID) allocated under the ISO registration authority; this certificate policy OID is included within the certificate policy extension of the VillageNet Certification Authority certificate.

VillageNet network certificates are issued to individuals and organisations and provide assurance about the identity of the certificate holder, to the level identified within the Identification section of the Certificate Practice Statement. VillageNet Certificates have a limited use, and may only be used within the VillageNet network, and in conjunction with a VillageNet service.

This certificate policy is identified as:
 {iso(1) member-body(2) Australia(36) VillageMall(88024560) info(1) pki(1) certificate-policy(0) VillageNet-network(2)}
also shown within a certificate viewer in dot notation as {1.2.36.88024560.1.1.0.2}

4. Certificate Management

4.1 Generation

The generation of certificates by VillageNet is assessed and processed on an individual basis. VillageNet reserves the right not to proceed with the generation of a certificate for any individual or organisation which does not fulfil the requirements for the required certificate policy. VillageNet also reserves the right to withhold the reason for non-provision of certificates. Certificates generated by VillageNet are valid for the period as determined by VillageMall.

4.2 Distribution, Storage and Retrieval

Once generated, certificates are available to VillageNet subscribers. VillageNet does not make certificates available to the public.

4.3 Certificate Status

VillageNet also provides up-to-date information concerning the status of digital certificates issued by VillageNet CA, i.e. whether they are on a Certificate Revocation List (CRL). This CRL may be accessed by relying parties; however, before relying on a certificate issued by VillageMall, users must read and agree to the terms of VillageMall's Relying Party Agreement.

4.4 Revocation

Certificates may be revoked for a variety of reasons such as, but not limited to, the corresponding private key being compromised or the original subscriber no longer requiring it. It is the responsibility of a subscriber to notify VillageNet if, for any reason, a certificate requires revoking. A certificate can be revoked without reason, to meet VillageMall's commercial operations such as, but not limited to, the non-payment of outstanding accounts, or leaving the VillageNet Network.

4.5 Renewal

As VillageNet certificates are valid for a fixed period, each certificate will need to be renewed prior to its expiration. The subscriber is responsible for renewing their certificate.

5. Legal Aspects

5.1 Warranty

VillageNet warrants that, in relation to a particular certificate, it will have carried out the validation procedures appropriate to that certificate policy. 

Except as stated above, VillageNet does not warrant the accuracy, authenticity, reliability or competence of the information contained in certificates or otherwise held by VillageMall.

The attention of subscribers and relying parties is drawn to the terms of the Relying Party Agreement as appropriate.

5.2 Agency

VillageNet is not the agent or representative of any subscriber or relying party and no subscriber or relying party shall make any representations to the contrary.

5.3 Subscribing party's obligations

The subscribing party must ensure that the certificate is not used for any purpose which is fraudulent or in any other way illegal. If a certificate is used for such a purpose then VillageNet may revoke the certificate without notice.

5.4 Protection of Privacy and Personal Data

VillageNet and third parties may make use of information supplied by a subscriber for the purposes of issuing and using the subscriber's certificate. VillageNet may also use the information supplied by a subscriber for the purposes outlined within our Privacy Statement.

6. Application

6.1 Procedure

Every prospective subscriber must complete the application form appropriate to the certificate policy for which they wish to apply. Failure to complete the application completely and accurately may lead to that application being delayed or rejected.

6.2 Key Pairs

The prospective subscriber's key pairs may be generated using industry-standard key generation such as that contained within an Internet browser.

6.3 Subscribers Agreement

Before submitting an application, every prospective subscriber must familiarise themselves with the terms of VillageMall's Subscribers Agreement. Submission of an application form indicates that the prospective subscriber has agreed to be bound by that Agreement.

6.4 Further Information

VillageNet reserves the right to request further background information from a prospective subscriber where it, at its discretion, feels such additional information is appropriate or desirable in relation to the certificate policy for which the prospective subscriber has applied.

6.5 VillageNet Procedures

VillageNet retrieves certificate requests and conducts the following verification checks on each application according to the certificate policy.

VillageNet will only issue a Certificate to an Australian resident under this policy; this is indicated and attested to by the Subscriber on the application form.

6.6 Privacy

Before submitting an application, every prospective subscriber must familiarise themselves with the contents of VillageMall's Privacy Policy. This Privacy policy is also incorporated by reference into the VillageNet Certification Practice Statement.

6.7 Private Key Storage

Prospective subscribers are responsible for ensuring that their private key is kept private. This means any associated password or access control authentication information is NOT shared with anyone other than the named entity within the certificate, and that the key is kept in a manner that ensures it is not subject to loss, disclosure, corruption, modification or unauthorised use.

7. Issuance

If VillageNet agrees to issue a certificate, it will sign the subscriber's certificate and return the certificate to the user's token for storage.

8. Acceptance

Once a subscriber has downloaded and installed their certificate, or upon first use of their private key associated with the certificate, they are bound by the terms and conditions of the Subscribers Agreement.

9. Use

Use of any digital certificate issued by VillageNet must be in accordance with the Subscribers Agreement.

10. Revocation

VillageNet reserves the right to revoke any certificate whose use contravenes the terms and conditions of the Subscribers Agreement.

11. Obligations

11.1 The following are the Certification Authority obligations:

  • Practice and Procedures – To follow the procedures within the Certification Practice Statement.
  • Accuracy of representations – The CA is obligated to all who reasonably rely on the information contained in the certificate that it has issued the certificate to the named subscriber.
  • Notification of certificate issuance – The CA is obligated to ensure that the subscriber who is the subject of the certificate is notified of the certificate issuance.
  • Notification of revocation of a certificate – The CA is obligated to ensure that the subscriber who is the subject of the certificate and others who reasonably rely on that certificate are notified of the certificate revocation.
  • Accurately represent the information provided as part of the registration request.

11.2 The following are subscriber’s obligations:

  • Accuracy of representations in certificate applications – Subscribers are obligated to accurately represent the information required of them on the certificate application.
  • Protection of subscriber private key – Subscribers are obligated to protect their private keys, and any associated PINs, at all times.
  • Notification of CA upon private key compromise – Subscribers are obligated to notify the CA that issued their certificate upon realisation that their private key is compromised.
  • Proper use of certificate – Subscribers are obligated to abide by all restrictions levied upon the use of their private key and certificate.

11.3 The following are the relying parties’ obligations:

  • Proper use of certificates – Relying parties are obligated to rely upon the certificate only for the purpose for which it was issued.
  • Digital signature verification responsibilities – Relying parties are obligated to verify the digital signature of the CA who issued the certificate they are about to use.
  • Checking CRLs – Relying parties are obligated to check that no certificates within the certification path are included within any VillageNet CA CRL(s).
  • Establishing trust in CA – Relying parties are obligated to establish trust in the CA who issued the certificate they are about to use by verifying the chain of certificates at the root of which a trusted CA exists. The path processing should be based on the guidelines set by X.509 for version 3 certificates.
  • Identifying the certificate policy under which the certificate was issued, and determining its appropriateness for the intended use.
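
The policy OID from section 3.1 and the last relying-party obligation above (identifying the policy a certificate was issued under) can be illustrated together. This is an added example, not part of the VillageNet policy or any VillageMall software: it DER-encodes the dot-notation OID and lists the policy identifiers found in a certificatePolicies extension value. All function names are hypothetical, and the sample extension value and the 2.999.1 OID are constructed for the demonstration.

```python
# Added example; helper names are hypothetical, sample data is constructed.
POLICY_OID = "1.2.36.88024560.1.1.0.2"  # dot notation given in section 3.1

def _base128(n):
    """Base-128 big-endian encoding; high bit set on all but the last octet."""
    out = [n & 0x7F]
    while n := n >> 7:
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted):
    """DER-encode a dotted OID as tag 0x06 (short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([0x06, len(body)]) + body

def decode_oid(body):
    """Turn OID content octets back into dot notation."""
    subids, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # the first two arcs share one subidentifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def policy_oids(ext_value):
    """List policyIdentifier OIDs in a DER certificatePolicies value."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)   # one PolicyInformation
        oid_tag, oid, _ = read_tlv(info, 0)   # its policyIdentifier
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        found.append(decode_oid(oid))
    return found

def _seq(content):
    return bytes([0x30, len(content)]) + content

# Constructed sample: the page's policy OID plus an OID from the 2.999 example arc.
SAMPLE = _seq(_seq(encode_oid(POLICY_OID)) + _seq(encode_oid("2.999.1")))

def issued_under(ext_value, wanted=POLICY_OID):
    return wanted in policy_oids(ext_value)
```

The check covers only the policy identifier; signature verification, path validation and CRL checks listed in 11.3 are separate steps.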