PKI Disclosure Statement

1. Contact Info:

Policy Authority:
Trustis FPS Policy Authority
Trustis Limited
Building 273
New Greenham Park
Greenham Common
Thatcham
Newbury
RG19 6HN
UK
Tel: +44 (0)870 429 4724
Fax: +44 (0)1635 231366
email: policy.authority@trustis.com

Issuing Authority:
Trustis FPS Issuing Authority
Trustis Limited
Building 273
New Greenham Park
Greenham Common
Thatcham
Newbury
RG19 6HN
UK
Tel: +44 (0)870 429 4724
Fax: +44 (0)1635 231366
email: issuing.authority@trustis.com

Registration Authority:
Trustis FPS Issuing Authority Registration Services
Trustis Limited
Building 273
New Greenham Park
Greenham Common
Thatcham
Newbury
RG19 6HN
UK
Tel: +44 (0)870 429 4724
Fax: +44 (0)1635 231366
email: registrar@trustis.com

2. Certificate Type, validation procedures and usage:

The Digital Certification Services provided by Trustis FPS implement a closed public key infrastructure in the sense that access and participation is only open to those who both satisfy eligibility criteria and are approved by Trustis FPS. The only trust service providers and end entities authorised and approved to issue, obtain, use and/or rely upon certificates that reference this Policy are clearly defined, conditional upon their agreement to be bound by the terms of this Policy.

The Digital Certification Services provided by Trustis FPS under this Certificate Policy support Trustis' customers' secure operations in their interactions with the general public, agent organisations and external contractors, in the direct pursuit of their business or in the authorised usage of services they provide. Certificates provided by this service are supported by the use of strong cryptography and highly robust registration mechanisms to support a level of trust and security comparable with the highest level of certificate available from other commonly available schemes.

Certificates issued under this policy may only be used for the support of business applications and services approved by Trustis FPS, requiring digital signatures, authentication of identities and the encrypting/decrypting of information, in the direct pursuit of Trustis' customers' business.

Details of documentary evidence that is required to support an application for a certificate is available from your sponsoring organisation or the Trustis FPS Registrar registrar@trustis.com.

3. Reliance Limits:

Trustis FPS does not set reliance limits for certificates issued under this policy. Reliance limits may be set by other policies, application controls, applicable law or by agreement. See Limitation of Liability, below.

4. Obligations of Subscribers:

It is the responsibility of the Subscriber to:

Review his/her issued certificate to confirm the accuracy of the subscriber information contained within it before first use
Use a trustworthy system for generating or obtaining a key pair and to prevent any loss, disclosure, or unauthorised use of the private key
Keep private keys confidential
Keep confidential any passwords, pass-phrases, PINs or other personal secrets used in obtaining authenticated access to PKI facilities
Make only true and accurate representations to the Registration Authority and/or Issuing Authority as to the information required to determine eligibility for a certificate and for information contained within the certificate
In accordance with the Trustis FPS Certificate Policy, exclusively use their certificate for legal purposes and restricted to those authorised purposes detailed by the Trustis FPS Certificate Policy
Immediately notify the Registration Authority of a suspected or known key compromise in accordance with the procedures laid down in the Trustis FPS Certificate Policy

5. Certificate Status checking obligations of Relying Parties:

A relying party may justifiably rely upon a certificate only after:

Ensuring that reliance on certificates issued under this policy is restricted to appropriate uses (see "Certificate Type, validation procedures and usage", above for a summary of approved usages).
Ensuring that the certificate remains valid and has not been revoked or suspended by accessing any and all relevant certificate status information
Determining that such certificate provides adequate assurances for its intended use.

6. Limited Warranty & Disclaimer/Limitation of Liability:

By signing a certificate containing a policy identifier which indicates the use of this policy, the Issuing Authority certifies to all who reasonably rely on the information contained in the certificate, that the information in the certificate has been checked according to the procedures laid down in this policy.

The Issuing Authority assumes no liability whatsoever in relation to the use of certificates or associated public/private key pairs issued under this policy for any use other than in accordance with this policy and any other agreements. Subscribers will immediately indemnify the Issuing Authority from and against any such liability and costs and claims arising therefrom.

The Issuing Authority shall not be liable for any consequential, indirect or incidental damages, nor for any loss of business, loss of profit or loss of management time, whether foreseeable or unforeseeable, arising out of breach of any express or implied warranty, breach of contract, tort, misrepresentation, negligence, strict liability however arising, or in any other way arising from or in relation to the use of or reliance on, any Digital Certificate except only in the case of the Issuing Authority's negligence, wilful misconduct, or where otherwise required by applicable law.

Nothing in this Certificate Policy excludes or restricts liability for death or personal injury resulting from negligence or the negligence of its employees, agents or contractors.

The Issuing Authority excludes all liability of any kind in respect of any transaction into which an End-Entity may enter with any third party.

The Issuing Authority is not liable to End Entities either in contract, tort (including negligence) or otherwise for the acts or omissions of other providers of telecommunications or Internet services (including domain name registration authorities) or for faults in or failures of their equipment.

Each provision of this Policy, excluding or limiting liability, operates separately. If any part is held by a court to be unreasonable or inapplicable, the other parts shall continue to apply.

7. Applicable Agreements, Certification Practice Statement, Certificate Policy:

A Subscriber Agreement can be found at:
http://www.trustis.com/pki/fpsia/policy/subscriber-agreement.htm
A Relying Party Charter can be found at:
http://www.trustis.com/pki/fpsia/policy/relying-party-charter.htm
This document (PKI Disclosure Statement) can be found at:
http://www.trustis.com/pki/fpsia/policy/disclosure-v0.1.htm
The Trustis FPS Certificate Policy can be found at:
http://www.trustis.com/pki/fpsia/
The Certification Practice Statement is not normally made generally available, but under special circumstances and at the discretion of the Issuing Authority, may be obtained on application to the Issuing Authority as detailed above.
Guidance in the use of certificates can be found at:
http://www.trustis.com/pki/fpsia/

8. Privacy Policy:

Trustis FPS strongly believes in an individual's rights to privacy, and operates this Digital Certification Service according to an extensive Privacy Charter which can be found at: http://www.trustis.com/pki/fpsia/privacy-charter.htm

9. Refund Policy:

No refunds will be made. All certificate purchases are final.

10. Applicable Law & Dispute Resolution:

Disputes shall be handled in accordance with the Trustis FPS complaints process, documentation of which can be obtained by applying to the Issuing Authority contacts listed in section 1 of this document.

The provision of Trustis FPS Issuing Authority Digital Certification Services shall be governed by English law and all parties shall submit to the exclusive jurisdiction of the courts of England and Wales

11. CA & Repository Licences Trust Marks & Audit:

Certificates are manufactured under this policy through the use of a Trustis Limited service which is both accredited to ISO17799 and has attained tScheme approval.

Audit shall be carried out on an annual basis. The following Auditors have been approved under this policy:

Audit resources of contracted Trust Service Providers
A certified public accountant with demonstrated expertise in computer security or an accredited computer security professional

12. Identification of this Certificate Policy:

This Policy has been registered with Trustis Limited and has been assigned an Object Identifier (OID) of: 1.3.6.1.4.1.5237.1.1.3

13. Approved Registration Authorities

The following Registration Authorities have been approved by the Issuing Authority to register subscribers under this policy:

Trustis FPS Issuing Authority Registration Services

14. Approved Repositories

The following Repositories have been approved by the Issuing Authority under this policy:

Trustis FPS

15. Eligible Subscribers

The following types of subscribers are eligible to be issued with certificates under this policy:

Trustis Customers approved by the Registration Authority

16. Eligible Relying Parties

The following types of Relying Parties are eligible to rely on certificates issued under this policy:

Anyone in their direct interaction with subscribers of certificates issued under this Certificate Policy and only in the direct pursuit of Trustis' Customers' business.

17. Certificate Status Information

Certificate Revocation Lists (CRLs) shall be published at least every 24 hours.

Trustis FPS Issuing Authority PKI Disclosure Statement