Rootca Cps

Huawei Equipment CA Certification Practice Statement
Confidentialitylevel:public
Huawei Equipment CA Certification Practice Statement Release v1.0.0
Huawei Technologies Co., Ltd.

Copyright reserved
Copyright 2011 Huawei Technologies Co., Ltd.
All rights reserved.
1 of 58
Contents
1 Introduction .......................................................................................................................................................... 7 1.1 Overview ........................................................................................................................................................ 7 1.2 Document Name and Identification ................................................................................................................ 8 1.3 PKI Participants .............................................................................................................................................. 8 1.3.1 Certification authorities ............................................................................................................................ 8 1.3.2 Registration authorities ............................................................................................................................ 9 1.3.3 Subscribers ............................................................................................................................................... 9 1.3.4 Relying parties ......................................................................................................................................... 9 1.3.5 Certificates Applicant............................................................................................................................... 9 1.3.6 Sponsor................................................................................................................................................... 10 1.3.7 Other Participants ................................................................................................................................... 10 1.4 Certificate Usage .......................................................................................................................................... 10 1.4.1 Appropriate certificate uses .................................................................................................................... 10 1.4.2 Prohibited certificate uses ...................................................................................................................... 10 1.5 Policy Administration ................................................................................................................................... 11 1.6 Definitions and Acronyms ............................................................................................................................ 11 2 Information publication and management .......................................................................................................... 13 2.1 Repositories .................................................................................................................................................. 13 2.2 Publication of certification information ........................................................................................................ 13 2.3 Time or frequency of publication ................................................................................................................. 13 2.3.1 Time or frequency of publication of electronic certification service rule .............................................. 13 2.3.2 Time or frequency of publication of certificate and CRL ...................................................................... 13 2.3.3 Time or frequency of publication of HWCA public information ........................................................... 13 2.4 Access controls on repositories..................................................................................................................... 13 3 Identification and Authentication ....................................................................................................................... 15 3.1 Naming ......................................................................................................................................................... 15 3.1.1 Types of names ...................................................................................................................................... 15 3.1.2 Need for names to be meaningful........................................................................................................... 15 3.1.3 Anonymity or pseudonymity of subscribers........................................................................................... 15 3.1.4 Rules for interpreting various name forms ............................................................................................. 15 3.1.5 Uniqueness of names.............................................................................................................................. 15 3.1.6 Recognition, authentication, and role of trademarks .............................................................................. 15 3.2 Initial Identity Validation ............................................................................................................................. 16 3.2.1 Method to prove possession of private key ............................................................................................ 16 3.2.2 Authentication of organization identity.................................................................................................. 16 3.2.3 Authentication of individual identity ..................................................................................................... 17 3.2.4 Identification and authentication of domain name (or IP address) ......................................................... 17 3.2.5 Validation of authority ........................................................................................................................... 18 3.3 Identification and Authentication for Re-key Requests ................................................................................ 18 3.3.1 Identification and authentication for routine re-key ............................................................................... 18 3.3.2 Identification and authentication for re-key after revocation ................................................................. 18
Copyright 2011 Huawei Technologies Co., Ltd. All rights reserved.
2 of 58
3.4 Identification and authentication for Revocation Requests .......................................................................... 18 4 Certificate Life-Cycle Operational Requirements .............................................................................................. 20 4.1 Certificate Application.................................................................................................................................. 20 4.1.1 Who can submit a certificate application ............................................................................................... 20 4.1.2 Enrollment process and responsibilities ................................................................................................. 20 4.2 Certificate Application Processing ............................................................................................................... 20 4.2.1 Performing identification and authentication ......................................................................................... 20 4.2.2 Approval or rejection of certificate applications .................................................................................... 20 4.2.3 Time to process certificate applications ................................................................................................. 21 4.3 Certificate Issuance ....................................................................................................................................... 21 4.3.1 CA actions during certificate issuance ................................................................................................... 21 4.3.2 Notification to subscriber by the CA of issuance of certificate .............................................................. 21 4.4 Certificate Acceptance .................................................................................................................................. 21 4.4.1 Conduct constituting certificate acceptance ........................................................................................... 21 4.4.2 Publication of the certificate by the CA ................................................................................................. 21 4.4.3 Notification of certificate issuance by the CA to other entities .............................................................. 22 4.5 Key Pair and Certificate Usage..................................................................................................................... 22 4.5.1 Subscriber private key and certificate usage .......................................................................................... 22 4.5.2 Signature and validation ......................................................................................................................... 23 4.5.3 Relying party public key and certificate usage....................................................................................... 23 4.6 Certificate Renewal ...................................................................................................................................... 23 4.7 Certificate key renewal ................................................................................................................................. 23 4.8 Certificate change ......................................................................................................................................... 24 4.9 Certificate revocation and hang up ............................................................................................................... 24 4.9.1 Circumstance for certificate renewal ...................................................................................................... 24 4.9.2 Who may request renewal ...................................................................................................................... 24 4.9.3 Processing certificate renewal requests .................................................................................................. 24 4.10 Certificate state service .......................................................................................................................... 25 4.11 End of Subscription ................................................................................................................................ 25 4.12 Key Escrow and Recovery ..................................................................................................................... 25 5 Facility, Management, and Operational Controls ............................................................................................... 27 5.1 Physical Security Controls ............................................................................................................................ 27 5.1.1 Site location and construction ................................................................................................................ 27 5.1.2 Physical access ....................................................................................................................................... 27 5.1.3 Power and air conditioning .................................................................................................................... 27 5.1.4 Water exposures ..................................................................................................................................... 27 5.1.5 Fire prevention and protection ............................................................................................................... 27 5.1.6 Media storage ......................................................................................................................................... 28 5.1.7 Waste disposal........................................................................................................................................ 28 5.2 Procedural Controls ...................................................................................................................................... 28 5.2.1 Trusted roles ........................................................................................................................................... 28 5.2.2 Number of persons required per task ..................................................................................................... 29 5.2.3 Identification and authentication for each role ....................................................................................... 29
3 of 58
5.2.4 Roles requiring separation of duties ....................................................................................................... 29 5.3 Personnel Controls ........................................................................................................................................ 29 5.3.1 Qualifications, experience, and clearance requirements ........................................................................ 29 5.3.2 Background check procedures................................................................................................................ 30 5.3.3 Training requirements ............................................................................................................................ 30 5.3.4 Retraining frequency and requirements ................................................................................................. 30 5.3.5 Job rotation frequency and sequence...................................................................................................... 30 5.3.6 Sanctions for unauthorized actions......................................................................................................... 31 5.3.7 Independent contractor requirements ..................................................................................................... 31 5.3.8 Documentation supplied to personnel .................................................................................................... 31 5.4 Audit Logging Procedures ............................................................................................................................ 31 5.4.1 Types of events recorded........................................................................................................................ 31 5.4.2 Frequency of processing log .................................................................................................................. 32 5.4.3 Retention period for audit log ................................................................................................................ 32 5.4.4 Protection of audit log ............................................................................................................................ 32 5.4.5 Audit log backup procedures.................................................................................................................. 32 5.4.6 Audit collection system .......................................................................................................................... 32 5.4.7 Notification to event-causing subject ..................................................................................................... 32 5.5 Records Archival .......................................................................................................................................... 33 5.5.1 Types of records archived ...................................................................................................................... 33 5.5.2 Retention period for archive ................................................................................................................... 33 5.5.3 Protection of archive .............................................................................................................................. 33 5.5.4 Archive backup procedures .................................................................................................................... 33 5.5.5 Requirements for time-stamping of records ........................................................................................... 33 5.5.6 Archive collection system ...................................................................................................................... 33 5.5.7 Procedures to obtain and verify archive information ............................................................................. 33 5.6 Key Changeover ........................................................................................................................................... 33 5.7 Compromise and Disaster Recovery............................................................................................................. 34 5.7.1 Compromise handling procedures .......................................................................................................... 34 5.7.2 Computing resources, software, and/or data are corrupted .................................................................... 34 5.7.3 Entity private key compromise procedures ............................................................................................ 34 5.7.4 Business continuity capabilities after a disaster ..................................................................................... 34 5.8 CA or RA Termination ................................................................................................................................. 34 6 Technical Security Controls ............................................................................................................................... 36 6.1 Key Pair Generation and Installation ............................................................................................................ 36 6.1.1 Key pair generation ................................................................................................................................ 36 6.1.2 Private key delivery to subscriber .......................................................................................................... 36 6.1.3 Public key delivery to subscriber ........................................................................................................... 36 6.1.4 Key sizes ................................................................................................................................................ 36 6.1.5 Public key parameters generation and quality checking ........................................................................ 36 6.1.6 Key usage purposes ................................................................................................................................ 36 6.2 Private Key Protection and Cryptographic Module Engineering Controls ................................................... 37 6.2.1 Private key escrow ................................................................................................................................. 37
4 of 58
6.2.2 Private key backup ................................................................................................................................. 37 6.2.3 Private key transfer into or from a cryptographic module...................................................................... 37 6.2.4 Private key storage on cryptographic module ........................................................................................ 37 6.2.5 Method of destroying private key .......................................................................................................... 37 6.3 Other Aspects of Key Pair Management ...................................................................................................... 38 6.3.1 Public key archival ................................................................................................................................. 38 6.3.2 Certificate operational periods and key pair usage periods .................................................................... 38 6.4 Activation Data ............................................................................................................................................. 38 6.4.1 Activation data generation and installation ............................................................................................ 38 6.4.2 Activation data protection ...................................................................................................................... 38 6.4.3 Other aspects of activation data.............................................................................................................. 38 6.5 Computer Security Controls ......................................................................................................................... 38 6.5.1 Specific computer security technical requirements ................................................................................ 38 6.5.2 Life Cycle Security Controls .................................................................................................................. 39 6.5.3 System development controls................................................................................................................. 39 6.5.4 Security management controls ............................................................................................................... 39 6.5.5 Life cycle security controls .................................................................................................................... 39 6.6 Network Security Controls ........................................................................................................................... 39 7 Certificate, CRL, and OCSP Profiles ................................................................................................................. 40 7.1 Certificate Profile.......................................................................................................................................... 40 7.1.1 Huawei Root CA Certificate Profile ...................................................................................................... 40 7.1.2 Huawei Issuing CA Certificate Profile ................................................................................................... 40 7.1.3 Equipment Certificate Profile................................................................................................................. 41 7.2 CRLCertificate revocation list .............................................................................................................. 42 7.3 OCSP ............................................................................................................................................................ 42 8 Compliance Audit and Other Assessment .......................................................................................................... 43 8.1 Assessment frequency and conditions .......................................................................................................... 43 8.2 Assessor qualification ................................................................................................................................... 43 8.3 Relation between assessor and assessed object ............................................................................................ 43 8.4 Assessment contents ..................................................................................................................................... 43 8.5 Measures taken for problems and weaknesses.............................................................................................. 44 8.6 Assessment result notification and publication............................................................................................. 44 9 Other Business and Legal Matters ...................................................................................................................... 45 9.1 Fees ............................................................................................................................................................... 45 9.1.1 Certificate issuance or renewal fees ....................................................................................................... 45 9.1.2 Certificate access fees ............................................................................................................................ 45 9.1.3 Revocation or status information access fees ......................................................................................... 45 9.1.4 Fees for other services ............................................................................................................................ 45 9.1.5 Refund policy ......................................................................................................................................... 45 9.2 Financial Responsibility ............................................................................................................................... 45 9.2.1 Insurance coverage ................................................................................................................................. 45 9.2.2 Insurance or warranty coverage for end-entities .................................................................................... 45 9.3 Confidentiality of Business Information....................................................................................................... 46
5 of 58
9.3.1 Scope of confidential information .......................................................................................................... 46 9.3.2 Information not within the scope of confidential information ............................................................... 46 9.3.3 Responsibility to protect confidential information ................................................................................. 46 9.4 Privacy of Personal Information ................................................................................................................... 47 9.4.1 Privacy plan ............................................................................................................................................ 47 9.4.2 Information treated as privacy................................................................................................................ 47 9.4.3 Information not deemed privacy ............................................................................................................ 47 9.4.4 Responsibility to protect private information ......................................................................................... 47 9.4.5 Notice and consent to use private information ....................................................................................... 48 9.4.6 Disclosure pursuant to judicial or administrative process ...................................................................... 48 9.4.7 Other information disclosure circumstances .......................................................................................... 48 9.5 Intellectual Property Rights .......................................................................................................................... 48 9.6 Representations and Warranties.................................................................................................................... 49 9.6.1 CA representations and warranties ......................................................................................................... 49 9.6.2 RA representations and warranties ......................................................................................................... 51 9.6.3 Subscriber representations and warranties ............................................................................................. 51 9.6.4 Relying party representations and warranties......................................................................................... 53 9.6.5 Representations and warranties of other participants ............................................................................. 53 9.7 Disclaimers of Warranties ............................................................................................................................ 53 9.8 Limitations of Liability ................................................................................................................................. 54 9.9 Indemnities ................................................................................................................................................... 54 9.10 Term and Termination ............................................................................................................................ 55 9.10.1 Term................................................................................................................................................. 55 9.10.2 Termination...................................................................................................................................... 55 9.10.3 Effect of termination and survival ................................................................................................... 55 9.11 Individual notices and communications with participants ..................................................................... 55 9.12 Amendments .......................................................................................................................................... 55 9.12.1 Procedure for amendment ................................................................................................................ 55 9.12.2 Notification mechanism and period ................................................................................................. 55 9.12.3 Amendment agreement .................................................................................................................... 56 9.12.4 Circumstances under which OID must be changed ......................................................................... 56 9.13 Dispute Resolution Procedures .............................................................................................................. 56 9.14 Governing Law....................................................................................................................................... 57 9.15 Compliance with Applicable Law .......................................................................................................... 57 9.16 Miscellaneous Provisions ....................................................................................................................... 57 9.16.1 Entire agreement .............................................................................................................................. 57 9.16.2 Assignment ...................................................................................................................................... 57 9.16.3 Severability ...................................................................................................................................... 58 9.16.4 Enforcement (attorneys' fees and waiver of rights) ......................................................................... 58 9.16.5 Force Majeure .................................................................................................................................. 58 9.17 Other Provisions ..................................................................................................................................... 58
6 of 58
1 Introduction
This Certification Practice Statement (hereinafter, CPS) describes the practices of Huawei Equipment Certification Authority (hereinafter called as HWCA) and the activities in HWCA issuance, and certificate management, operation and maintenance service, provides the regulations on actual operation for supervision and implementation. This CPS provides the lawful constraints for the related parties and reminders the related parties to produce and use a digital certificate within the range regulated in this CPS and validate the digital certificate. This CPS document will be updated and revised with CA change and will be published at the Web site http://support.huawei.com/support/pki. The document structure and content requirement of this CPS should comply with the format in the chapter 4 of RFC 3647.
1.1
Overview
This CPS publishes the basic standpoint and view of the HWCA on the electronic certification service, which is basis for actual application and operation document and applies to all entities with relationships with the HWCA, including Certification Authorities (CAs), Registration Authorities (RAs), Staff, Subscribers, and Relying Parties. All participants must completely understand and perform the articles in the CPS to enjoy rights and assume liabilities. The Huawei Equipment CA is divided into root CA and issuing CA. the CA hierarchy is shown as follows:
Huawei Equipment CA
Self-signed
Huawei Issuing CA
Huawei Issuing CA
Currently, the HWCA hierarchy consists of the following CAs:

CA type Root CA CA name Huawei Equipment CA Description of Function Serves as the trust anchor
7 of 58
for the HWCA hierarchy. Issuing CA Huawei Product CA Wireless Network Issues certificates to Huawei wireless network products.
1.2
Document Name and Identification
The name of this document is HWCA Certification Practice Statement and gives comprehensive description of the digital certificate and related services provided by the Huawei. HWCACPS, Huawei CA HWCA Certification Practice Statement, Huawei CACPS, Huawei CA center CPS and Huawei CA center electronic certification service rule and other similar expressions should be regarded as this document and reference to this document at any site.
1.3
1.3.1
PKI Participants
Certification authorities
All CAs within the HWCA hierarchy are called as the certification authority. The CA is an organization to issue the digital certificate and provides the digital certificate to the electronic certification service. HWCA is the first CA of the Huawei and provided the electronic digital certificate service to the Huawei devices. HWCA will deploy CA by the product family. The root CA is the self-signed digital certificate generated by Huawei. This root CA can be only used by Huawei to sign and issue sub-CA certificate to all Huawei products. the sub-CA of the product family signs and issues digital certificates for different products. Now the Huawei CA will not sign and issue CA certificate to outside temporarily and only provides the digital certificate service to the equipment provided and delivered by Huawei to customers and copartners. HWCA provides the following digital certificate lifecycle management. Digital certificate registration application Digital certificate revocation Digital certificate hang-up Digital certificate update Digital certificate state query service Distribute certificate status information in the form of Certificate Revocation Lists (CRLs)
8 of 58
Huawei Equipment CA Certification Practice Statement periodically.
Provide a repository to store and certificates and certificate status information. Directory service
1.3.2
Registration authorities
The registration authority of HWCA (hereinafter called as RA) is the business branch formally authorized by HWCA. It can identify and authenticate the entity identity of the certificate applicant and either approve or reject certificate application, certificate revocation and certificate renewal service. the certificate application, certificate revocation and certificate suspension can be originated by RA and forwarded to CA if audited successfully. The auditing policy of the Huawei RA system is divided into automatic system auditing and manual auditing. For the Huawei Issuing CAs, the RA function is performed by Huawei using a combination of automated and manual processes. The automatic system auditing should be permitted by RA administrator and the auditing policy should be made. It is used for automated or real-time system. After the corresponding policies are met, the system automatically audits the certificate request. For other non-automated or real-time system, the manual auditing must be adopted. 1.3.3 Subscribers
The subscriber is the lawful holder of the certificate and is the entity of HWCA. The subscribers are the legal end-entities to receive the certificates issued by HWCA. The subscriber in this document mainly includes the entities such as the hosts, servers and network devices which have applied and legally held the digital certificates issued by the CA within the HWCA domain The subscriber is the legal holder of a digital certificate and has the corresponding private key of the public key in the digital certificate. The subscriber is responsible for security protection, storage and use of the private key. 1.3.4 Relying parties
Relying Parties include any entity, individual and organization that may rely upon certificates issued by HWCA and uses a Subscribers Certificate to verify the integrity of a digitally signed message, to identify the creator of a message, to authenticate a Subscriber, or to establish confidential communications with the Subscriber. such as the customers who purchase Huawei equipment. 1.3.5 Certificates Applicant
Applicant can be any natural person or corporate who expects to become the subscriber of HWCA or sub-CA. the certificate applicant can complete application according to the necessary information regulated in this CPS by the
9 of 58
type of the certificate to acquire. After a certificate applicant submits its application, it indicates that the HWCA is authorized for identity identification and the applicant agrees to assist HWCA and its authorized authority to identify all facts, occurrence environment and other related information in a proper manner at this discretion. Here the proper manner is consistent with the requirements in this CPS and related laws and regulations. 1.3.6 Sponsor
Sponsor can be any group or organization which can pay all certificate service costs for the affiliated or serving subscribers or potential subscriber group and is a special certificate service transaction point. The certificate sponsor has a right to cancel all or partial certificate services of the holder which certificate cost is paid by the sponsor according to the regulations in this CPS, other regulations published by HWCA, laws and policies. It includes, but not limited to, revocation of the certificate of the holder. 1.3.7 Other Participants
It indicates other non-mentioned entities which affiliate to HWCA certificate system such as third-party identity authentication organization selected by HWCA, directory service provider and PKI service-related participants.
1.4
1.4.1
Certificate Usage
Appropriate certificate uses
The HWCA digital certificate is applicable to the applications in the areas such as electronic government public service, E-business, enterprise informationize and network information transfer and provides foundational credit service in construction of the trusted network environment. The HWCA digital certificate can be also used for other purposes, but it cannot breach the local laws and regulations, this CPS (complied in certificate issuing) and subscriber agreement and can be trusted by the relying parties .the certificate applicant can check and decide to use a proper certificate type at discretion on demand. 1.4.2 Prohibited certificate uses
The certificate issued by the HWCA cannot be used for the following purposes: 1Certificate application scope not agreed by HWCA and subscriber 2The certificate use cannot breach any state law, regulation or destruct the state security. Otherwise, the incurred legal aftermath is undertaken by the user. In addition, the certificate is not designed for, is not intended for and is not authorized for control equipment under the dangerous environment or failure-prevention occasion such as nuclear device operation, space shuttle pilot, air
10 of 58
traffic control system or weapon control system because its any failure will lead to death, personnel injury or severe environment damage.
1.5
Policy Administration
According to the regulations in the related laws, the HWCA specifies HWCA-CPS policy development team to draft, register, maintain and update the CPS. The contents of Huawei CPS will be subjective to update and revisal with CA change and will be published at the website http://support.huawei.com/support/pki.
1.6
Definitions and Acronyms
Table 1.1- Definitions and abbreviations Abbreviations/nouns HWCA Certificate Authority Definition Abbreviation of Huawei Certification Authority Huawei Root CA and service organization or group. Registration authority The CA registration authority is called as RA. It is an agent which signs the registration authority agreement and is authorized by HWCA to issue the HWCA certificate. The RA processes the certificate application from the certificate applicants and submits it to CA. Certificate issuing authority It includes HWCA-authorized registration authority, registration branch authority and transaction point certificate issuing authority. The certificate issuing authority will issue HWCA certificate to the certificate applicants Relying party It indicates a person who is engaged in related activities based on the trust for the digital certificate and/or electronic signature Subscriber Individual, collection, unit, organization, server or other individual or entities which own any HWCA certificate Certificate applicant It indicates individual, enterprise and organization which request HWCA to issue certificate Subscriber OCSP It indicates the holder of different certificates which are signed and issued by CA It indicates Online Certificate Status Protocol and can support to real time search the
11 of 58
CAs are Huaweis electronic certification
Huawei Equipment CA Certification Practice Statement state of digital certificate LDAP
It indicates Lightweight Directory Access Protocol and is used to search and download digital certificate and digital certificate revocation list (CRL)
PKI CRL
It indicates Public Key Infrastructure It indicates Certificate Revocation List. CRL records all user digital certificate SN of the revoked digital certificates before the old invalid date expires and can be searched when the digital certificate users authenticate peer digital certificate. Generally CRL is called as the digital certificate blacklist. Generally it includes the CA name, issuing date, scheduled issuing date for next revocation list, changed or revoked digital certificate SN and time and reason for change or revocation.
Certificate
The certification indicates that different entities review the identity via the trusted and neutral third party (such as HWCA) prior to network trade and the third-party proves the identity reliability and legality.
Priate key
It is the digital key which can not be open and be kept by the holder and is used to create electronic signature, decrypt packet or encrypt the profile with the corresponding public key
Public key
It is the digital key which can be open, can be used to validate corresponding packet with private key signature, can be used to encrypt packet and files and can be decrypted by the corresponding private key
PKCS
It is Public Key Cryptography Standard
12 of 58
2 Information publication and management

2.1
Repositories
HWCA provides repositories to support certificate services and try the best effort to keep access to its public repository and its policy information so that Relying Parties may obtain certificates and CRLs from or through that public repository. The repository shall be available as required by the certificate information posting and retrieval stipulations of this CPS.
2.2
Publication of certification information
Huawei CA will publish CPS, root CA certificate, CA certificates chain and CRLs. The subscribers can get them at the HWCA website http://support.huawei.com/support/pki .
2.3
Time or frequency of publication
This CPS and any subsequent changes are made publicly available within one week of approval. The CRLs are updated at least daily. The certificate database is updated every time a certificate is published. 2.3.1 Time or frequency of publication of electronic certification service rule
The HWCA will publish the latest CPS version in time. if the rule changed and supplement is approved, without a special case, the HWCA will publish the CPS at the website http://support.huawei.com/support/pki within five business days. 2.3.2 Time or frequency of publication of certificate and CRL
For all revoked or suspended certificates, the list CRL will be automatically published via HWCA directory server. The latest CRL can be manually published on demand. The users can search or download latest CRL at the HWCA website http://support.huawei.com/support/pki . For the issuing CA, CRL is issued at least within 24 hours, and a Root CRL is issued at least every year The CRL list can be manually updated in case of an emergency. 2.3.3 Time or frequency of publication of HWCA public information
Once HWCA will publish the related notifications, notices and other public information due to some reasons, it will quickly publish it at the website http://support.huawei.com/support/pki .
2.4
Access controls on repositories
URLs of each HWCA can use SSL-based HTTP for secure access to records. Other URLs for issuing important information should be based on https. HWCA is configured with the information access control and security auditing measures to guarantee that only authorized HWCA persons can write and modify the HWCA online notice version
13 of 58
and published information. The authorized operations will be recorded. If necessary, HWCA can independently select and manage information privilege to guarantee that only qualified parties can read the information with certain privilege.
14 of 58
3 Identification and Authentication

3.1
3.1.1
Naming
Types of names
The HWCA-published certificate contains a distinguished name of the issuing organization and subscribers as Issuer and Subject fields. The distinguish name assigned to the subject of a certificate are unique within a CA and can be used to identify the owner of certificate. All names specified in X.509 certificates must be expressed as non-null subject Distinguished Names (DNs) complying with the X.500 standard. 3.1.2 Need for names to be meaningful
The user identification information used by the identifier name must include the specific, traceable and affirmative representation meaning. The anonymity or pseudo name is forbidden. For the digital certificate provisioned to the device in during manufacturing, the distinguish name assigned to the subject of a certificate is provided by HWCA. The common name in the subject field contains the equipment information such as equipment serial number which identifies relationship between equipment and certificate. For this type of equipment digital certificate, the subject alternative name includes a DSN name that contains the equipment serial number. 3.1.3 Anonymity or pseudonymity of subscribers
HWCA does not accept or allow any anonymous or pseudo name and only accept the name with specific meaning as the unique identifier. The certificate which is applied with the pseudo or counterfeited name is invalid. If the fact is proven, the certificate will be revoked. 3.1.4 Rules for interpreting various name forms
No applicable 3.1.5 Uniqueness of names
The distinguish name assigned to the subject of a certificate are unique within HWCA. When DN is same, the first applicants will use this DN. The followed applicants should add other identification information into DN item for distinguishing. 3.1.6 Recognition, authentication, and role of trademarks
Applicants must not use the names in the certification application which will infringe the intellectual property or proprietary trademark of others, however, HWCA will not check whether the certification applicants of the names in
15 of 58
the certification applications own this intellectual property or proprietary trademark and will not arbitrate, mediate or solve the dispute caused by the domain name, trademark name and service regulations. When this dispute occurs, HWCA has a right to reject or suspend the certificate application till the dispute is solved (if necessary) according to the rule of first application and first use and will not be liable to any certificate applicant.
3.2
3.2.1
Initial Identity Validation

Method to prove possession of private key
When HWCA signs the certificate, HWCA will first compute by using the data digest algorithm according to the information in the certificate applicant, then decrypt the private key in the applicant by using the public key in the application and finally compare them. if they are equal, it indicates that the digital certificate applicant owns the corresponding signature private key of the signature public key. 3.2.2 Authentication of organization identity
When applying certificates for organizations, the applicant should appoint the legally authorized certificate application representative, sign on Certificate Applicant to accept the articles in the certificate application and undertake corresponding liabilities. HWCA and the certificate authority should review whether the certificate applicant is qualified in face-to-face manner. The identity of an organization should be identified in the following manners: 1. The authorized organization dealer should go to the application site with self original ID card, business license registration certificate, original organization code certificate (original or copy) and duplicates. 2. Check consistency of the ID card, business license registration certificate, original organization code certificate (original or copy) and duplicates. 3. Check whether the information in ID card, business license registration certificate, original organization code certificate is consistent with the information in the application form. 4. Check whether the organization accepts the articles in HWCA digital certificate user responsibility statement. 5. Check integrity of the application materials submitted by the subscriber. 6. HWCA can identify by inquiring third-party database or corresponding authority and using the reasonable methods to HWCA such as telephone and post address survey. 7. If HWCA cannot get the required information from third-party, it can request third-party to survey or request the certificate applicant to guarantee truth of the provided additional information and proof materials. HWCA and
16 of 58
authorized authority should review legality of the applicant materials. The review contents include, not limited to, the above statement. 3.2.3 Authentication of individual identity
The checkers of the HWCA-authorized certificate issuing authority should reasonably and carefully check the originals and copies of the application materials according to the procedure, review truth of the applicant materials according to the management regulations and can reject or approve the application. After HWCA receives the certificate application from the individual subscriber, before issuing the certificate to this subscriber, HWCW should check and identify the individual identity of this certificate applicant. The identification procedure is shown as follows: 1. The individual certificate applicant should go to the certificate application site wit hthe self ID card or password original and duplicates and check true of the subscriber identity in face-to-face manner. 2. Check whether the applicant ID card or the passport original and copy are consistent with the duplicates. 3. Check whether the information in the applicant ID original or passport is consistent with the information in the application form. 4. Check whether this applicant can accept the articles in HWCA digital certificate user responsibility statement. 5. Check integrity of the application materials submitted by this subscriber. 6. The review contents include, not limited to, the above statement. The applicant must be liable to truth of the application materials. After HWCA and authorized certificate authority review compliance to the laws and regulations, they will not be liable for applicant identity proving such as ID card legality identification. The HWCA and its authorized certificate authority should store the detailed information 3.2.4 Identification and authentication of domain name (or IP address)
The applicant fills the written application form. After signed by the authorized representative of the organization and sealed by the organization (for individual application, individual signature is required), the applicant should go to the HWCA-authorized certificate issuing authority to for identity check and fee payment with related materials. If the certificates DN is the domain name (RDN), besides the written materials submitted by the applicant which will be reviewed, the applicant, should also provide additional proof for domain name use right or inquire it for the corresponding domain name registration authority to check whether the subscriber can use the corresponding domain name. The auditors of the HWCA-authorized certificate issuing authority will carefully and reasonably check truth of the applicant material original and copies according to the related regulations.
17 of 58
Huawei Equipment CA Certification Practice Statement 3.2.5 Validation of authority
When a natural person or corporate applies for a certificate via the authorized third-party agent, the HWCA and its authorized certificate authority should audit the identity and qualification of the authorized person, including his identity information and authorization proof, and can check information via a call, letter or other methods for legality. HWCA has a right to confirm information on the authorized persons via third-party or other modes and request the authorized person to provide additional proof such as trust letter.
3.3
Identification and Authentication for Re-key Requests
HWCA has a right to decide the valid period of a certificate on demand. Before the valid period expires, to keep old certificate name, the subscriber should generate a new key pair and obtain the certificate again to guarantee certificate use continuity. This process is called as key update. When the information related to the certificate changes or the subscriber has doubt on the key security, he must register again to generate a new key pair and apply the certificate authority for signing and issuing certificate. 3.3.1 Identification and authentication for routine re-key
If the routine key is updated due to expired certificate, the certificate owner can sign the update request message by using the old private key and request to sign the certificate again. The certificate issuing authority will validate and identify correctness, legality and uniqueness of the update request message. The certificate owner can fill change application form and submit related documents according to the initial identity validation steps in case of certificate or key change application, HWCA-authorized certificate issuing authority will check it. The auditor should reasonably and carefully check the application document originals and copies according to the regulated procedure, review truth of the applicant information and approve or reject it. 3.3.2 Identification and authentication for re-key after revocation
HWCA does not update key for the revoked certificate. The certificate user must register identity and apply for a new certificate.
3.4
Identification and authentication for Revocation Requests
When the certificate subscriber or his legal agent applies to revoke a certificate, he should go to HWCA certificate authority for transaction, including fill certificate revocation application form, and submit related documents according to the initial identity validation steps. The HWCA-authorized certificate issuing authority will check it. The auditors of HWCA-authorized certificate issuing authority will reasonably and carefully check the application
18 of 58
document originals and copies according to the regulated procedure, review truth of the applicant information and approve or reject it.
19 of 58
4 Certificate Life-Cycle Operational Requirements

4.1
Certificate Application
HWCA provides online digital certificate application Website interface for 24-hour online application service. For the digital certificate application service, a Huawei RA system has responsibility to identify and authenticate the identity and audit the certificate application request. Only the approved certificate request will be submitted to the CA system and then the CA system signs and issues digital certificate to the applicant. 4.1.1 Who can submit a certificate application
Generally, there is no restriction on a certificate application, but currently the certificate application interface of the HWCA only accepts the certificate application from the staff, authorized CA, RA authority, organization or entities. For the equipments delivered by Huawei, the Huawei CA system do not provide online certificate application interface to these equipments. The staff work for Huawei technical support service has duty to apply certificate for these equipment if necessary. 4.1.2 Enrollment process and responsibilities
When applying for a certificate the applicants are responsible for providing accurate information and fill out an application form required for the digital certificate. After receiving the application, the RA system authenticates the applicant identity and validates the contents of the certificate application request. After successful auditing, the RA approve the digital certificate request. Otherwise, it will reject the request.
4.2
4.2.1
Certificate Application Processing

Performing identification and authentication
The HWCA or authorized certificate issuing organization should audit the materials submitted by the certificate applicant according to the regulations and related flow regulations in the chapter 3 of CPS and approve or reject it. 4.2.2 Approval or rejection of certificate applications
Certificate application approval
HWCA will approve the application and issue a certificate upon successful completion of the identity-proofing process and validation process of the certificate request. Certificate application rejection
The HWCA can reject to sign certificate at its discretion and will not be liable for any incurred loss or cost. If the
20 of 58
application fails during the identity identification and authentication, HWCA will reject the certificate application. Generally HWCA will inform the applicant about any problems. However HWCA has a right to reject to inform the applicants or explain failure reason and will not be liable for any compensation. The rejected certificate applicant can apply again after providing accurate information. 4.2.3 Time to process certificate applications
Huawei will make an effort to process the certificate applications within a reasonable time upon receiving the request. There is no maximum process time for an application unless otherwise indicated in other relevant agreement. If the processing period is extended, the application will remain active until it is approved or rejected.
4.3
4.3.1
Certificate Issuance
CA actions during certificate issuance
Once receiving the certificate request to issue a certificate from Huawei RA for applicant, HWCA creates and signs the certificate based on the information in certificate request that contains subscribers data. At the same time, HWCA will publish the certificate to repository and send the certificate to applicant via Huawei RA. 4.3.2 Notification to subscriber by the CA of issuance of certificate
After a certificate has been issued, HWCA directly informs subscribers or through an authorized agent by means of face-to-face notification, Email notification, post letter notification and other methods recognized by HWCA.
4.4
4.4.1
Certificate Acceptance
Conduct constituting certificate acceptance
After HWCA digital certificate is signed and issued, the certificate applicant downloads the certificate and verifies its content. A Subscribers receipt of a certificate and subsequent use of the certificate and private key corresponding to the public key in the certificate constitute certificate acceptance. After the certificate applicant accepts the digital certificate, he should properly save the corresponding private key securely (stored into the storage medium). If the subscriber is object to accepting the certificate, the applicant must explicitly inform Huawei with the reasons
and details.
4.4.2
Publication of the certificate by the CA

21 of 58
Once the certificate applicant accepts the certificate, HWCA will publish the certificate duplicate on the directory
server and in one or more manners decided by the HWCA. The certificate applicant can publish the digital certificate signed and issued by HWCA in other information database. 4.4.3 Notification of certificate issuance by the CA to other entities
For the certificate signing and issuing of HWCA, HWCA and its authorized registration authority will not inform other entity. The subscriber and relying parties can search on the information repository.
4.5
4.5.1
Key Pair and Certificate Usage

Subscriber private key and certificate usage
The subscriber must have knowledge on PKI business. When applying a digital certificate, he must guarantee correctness and truth of the provided registration information. The subscribers must use the trusted system or secure agent to generate key pair, securely and properly store the private key and guarantee that the private key holder is the actual entity corresponding to the certificate subject name. The subscribers must also prevent the compromise, loss, disclosure, modification, or otherwise unauthorized use of their private keys. After the subscriber accepts the digital certificate, he must properly store the corresponding private key of the certificate (stored into the storage medium) to avoid loss, leakage, tempering or theft. When any user is using a certificate, he must validate the certificate, including check whether the certificate is revoked, is within the valid period and is signed and issued by HWCA. When using the signature related to the certificate signed and issued by HWCA and signed information, all involving parties (HWCA and certificate authority, certificate subscriber and relying parties) should enjoy the corresponding liabilities and fulfill corresponding obligations according to the regulations in CPS. All parties are deemed to be informed and agree with the articles in this CPS and agreement and specification between HWCA and all parties. For any use of certificate and private key beyond the regulations in this CPS, HWCA will not assume any liability. The certificates signed and issued by HWCA can be used to indicate the certificate holders identity in case of certificate application and validate the signature made by the certificate holder by using the private key corresponding to the public key in the certificate, so the signature and signature validation can guarantee truthful identity of the certificate holder, information integrity, information non-repudiation, key agreement. If the certificate holder uses this certificate for other purposes, HWCA will not assume any liability and obligation. If some fields of this certificate indicate the use scope and purpose of the certificate, this certificate can be used
22 of 58
within this scope. For any action beyond the application marked in the certificate, the actor should be liable for it. HWCA will not assume any liability and obligation for any action beyond the application scope. 4.5.2 Signature and validation
The signature is created in the following cases: Created in valid use period of a certificate; The signature is correctly validated via certificate path validation. The trusted parties do not discover or notice that the signature violates the actions regulated in CPS. The relying parties should comply with all regulations in this CPS.
The certificate use does not indicate that the subscriber can act or take any special action for any individual interest. The signature validation aims to guarantee that the signature is created by using the private key corresponding to the public key in the issuer certificate and the signature is not change after created. 4.5.3 Relying party public key and certificate usage
After the certificate from the peer is obtained, the user can know its identity by viewing the certificate, validate truth of the electronic signature via the public key, realize communication non-repudiation and keep confidentiality and integrity of data transfer between two parties. Before the certificate and signature is trusted, the relying parties should independently do reasonable endeavor and make reasonable judgment. Except additional regulation in this CPS, the certificate is not a commitment from the certificate issuing authority to any power or privilege. The relying party can only trust the certificate and its public key within the scope regulated in this CPS and make decision. Validate a certificate by using a CRL and OCSP and trust a certificate only if it has not been suspended or revoked. If some fields of a certificate indicate use scope and purpose, this certificate can only be used in this scope. The relying parties must make a reasonable judgment. The relying party will be liable for any trust to the action beyond the application scope in this certificate. HWCA will not assume any liability and obligation.
4.6
Certificate Renewal
Not applicable.
4.7
Certificate key renewal

23 of 58
Huawei Equipment CA Certification Practice Statement Not applicable.
4.8
Certificate change
Not applicable.
4.9
Certificate revocation and hang up
The certificate revocation is permanent and cannot be recovered. 4.9.1 1. 2. Circumstance for certificate renewal
The new key pair replaces the old key pair. Key disclose: the corresponding key of the public key in the certificate is disclosed or the user is doubtful for the key.
3. 4.
Affiliation relation change: when the subject related to the key-related subscriber is changed. Operation termination: the certificate is not used for old purpose, but the key is not disclosed, but termination is required (E.g. a subscriber leaves from an organization);
5. 6. 7.
The certificate update fee is not received. The subscriber main body does not exist; The subscriber does not comply with liabilities and obligations regulated in this CPS or other agreement, laws and regulations.
8. 9.
When a subscriber applies for initial registration, he does not provide true materials. The private key corresponding to the public key in certificate is stolen, faked, counterfeited or tempered.
10. The subscriber application is revoked. 4.9.2 Who may request renewal
When the case 1-9 of the chapter CPS4.9.1 is met, the entity requesting certificate revocation can be HWCA or other authorized agent and the revocation is mandatory. After revocation, the subscriber must be instantly informed. If the case 10 of the chapter CPS4.9.1 is met, the entity requesting certificate revocation will be consistent with the statement in CPS4.1.2. Other cases will depend on actual condition. HWCA can determine it. 4.9.3 Processing certificate renewal requests
The subscriber application revocation flow is described as follows: Before the subscriber revokes a certificate, he should decrypt the encrypted data such as encrypted Email, back
24 of 58
up it (E.g. The mail contents are copied and are stored as plaintext or the mail attach is stored) and delete the certificate. The applicant fills out revocation application form and the revocation reason. Then submit the revocation request to HWCA. The HWCA or authorized registration authority should check the certificate revocation application submitted by the subscriber according to the regulations in CPS3.4; HWCA or authorized registration authority checks the revocation application and then revokes the certificate. HWCA publishes the information into the public repository in time for subscriber and relaying parties downloading the revocation informant.
4.10
Certificate state service

CRL
HWCA makes available certificate status checking services including CRLs, OCSP and appropriate web interfaces. .
HWCA will sign and publish the CRL to public repository and make it available from http://support.huawei.com/support/pki. OCSP
Currently HWCA only makes OCSP responses available for internal use.
4.11
End of Subscription
The service termination indicates that the certificate user terminates the service with HWCA, including the following two cases: When the certificate expired or revoked, the system terminates the service with HWCA. When the certificate expired, if the certificate does not extend certificate use or does not apply for a certificate again, the certificate user can terminate the service. When the certificate is not expired, the system terminates the service with HWCA. If the certificate service is terminated by the certificate users due to certain reason in the valid period of the certificate, HWCA will hang up or revoke the certificate according to the requirements of the certificate user. The service between the certificate user and HWCA will terminate.
4.12
Key Escrow and Recovery

25 of 58
Huawei Equipment CA Certification Practice Statement Not applicable
26 of 58
5 Facility, Management, and Operational Controls

5.1
Physical Security Controls
The HWCA certification service system is located in high security and stable building and has independent software and hardware OS. Only the authorized operator can access the management area for operation according to the related safety operation regulation. The root key of HWCA is located under the highly secure environment to prevent against damage or unauthorized operation. 5.1.1 Site location and construction
To guarantee security and reliability of the physical environment, HWCA fully considers the threats such as water disaster, fire, earthquake, electromagnetic disturbance and emission, crime and job accidents and can provide the functions such as vibration resistance, fire prevention, water prevention, constant humidity and control, spare power generation, gate access control and video monitoring to guarantee continuous and reliable certification service. 5.1.2 Physical access
When an operator wants to enter the device room, he must pass the strict approval, safety check and identity check based on IC card gate control system. The measures such as material access registration, personnel access registration and 24-hour video monitoring and guarding and walking inspection are taken. Without permission, it is forbidden to bring any prohibited objects into the device room such as metal objects, electronic camera, vidicon and USB memory. 5.1.3 Power and air conditioning
HWCA system is powered by double power supplied. When one power breaks, the system can normally operate. The UPS is used to avoid power fluctuation and guarantee emergency power supply. The central air conditioner is used for adjustment and control of the temperature and humidity inside the system device room, which can guarantee that the air quality, temperature and humidity, fresh air and air cleanness reach the state regulations inside the device room. 5.1.4 Water exposures
HWCA device room is located in F3. The certificate service system is located in a closed building and the waterproof and erosion-resisting measures are taken to guarantee system safety. 5.1.5 Fire prevention and protection
The HWCA device room is installed with the fire automated alarm system and gas automatic fire extinguishing system. This system can be started in an automated, manual or mechanical emergency operation mode. under
27 of 58
automated state, when the protection area catches a fire, after the fire alarm controller receives two independent fire alarm signals from the protection zone, it will instantly give out joint signals. After 30 s delay, the fire alarm controls output signals and starts fire extinguishing system. The alarm controller receives the feedback signals from the pressure signal device, the indicator will be on in the protection zone to prevent any person from entering. When
some persons are working the protection zone, the system can switch from automated state to the manual state via manual/automated switch outside the protection zone door. When a fire alarm occurs in the protection zone, the alarm controller only gives out alarm signals and will not output action signals. The on-duty person confirms the fire alarm and can press the control panel or crash the emergency start button outside the protection zone, he can instantly start the system and spray the gas fire extinguishing agent. When the automated and manual emergency start fails, the person can start via the mechanical emergency operation in the bottle storage room. 5.1.6 Media storage
HWCA should store and use the physical mediums according to the waterproof, fireproof, vibration-proof, damp-proof, erosion-proof, anti-insect, anti-static and anti-electromagnetic emission. The measures such as medium use registration, medium duplication prevention and information encryption are taken to protect medium safety. 5.1.7 Waste disposal
When the hardware equipment, storage equipment and encryption equipment used by the HWCA certification service system is abandoned, the sensitive and confidential information should be securely and utterly deleted. When the files and storage medium include sensitive and confidential information, special destruction measures should be taken to guarantee that the information cannot be recovered and read. All processing actions should be recorded for review. All destruction actions should comply with the related laws and regulations.
5.2
5.2.1
Procedural Controls
Trusted roles
In order to reduce opportunities for unauthorized modification or misuse of information or services, HWCA segregate duties and areas of responsibility by different roles, key functions and posts for CA system execution, including but not limited to Operation security management team, Super administrator, System administrator, System auditor, Key administrator, Security administrator, Network administrator, Monitoring administrator, Gate control administrator, Input person, Auditor, Certificate maker. These posts are assigned to guarantee clear responsibility, establish effective
28 of 58
Huawei Equipment CA Certification Practice Statement security mechanism and guarantee internal management and operation security. 5.2.2 Number of persons required per task
Table 5.1minimum staff for trusted roles SN 1 2 3 4 5 6 7 8 9 10 11 5.2.3 Trusted roles Operation security management team Super administrator System administrator System auditor Security administrator Network administrator Monitoring administrator Gate control administrator Operator Auditor Certificate maker Identification and authentication for each role Persons 3-5 2 2 1 1 1 1 1 Several Several Several
After all HWCA employees must be certified, they will be allocated with the security tokens such as required system operation card, gate control card, login password and operation certificate by job nature and title privilege. For the employees who use the security token, HWCA system will independently record and supervise all operation actions. The security tokens only belong to the token holder or organization and cannot be shared according to the security specification. HWCA system and procedure can control the operator privileges by token. 5.2.4 Roles requiring separation of duties
The HWCA defines the trusted roles according to the rule of trusted role separation and operation and management separation. The security administrator and network administrator cannot be appointed as one person. The system administrator and system auditor cannot be appointed as one person. The monitoring administrator and gate control administrator cannot be appointed as a person. The input person and auditor cannot be appointed as one person.
5.3
5.3.1
Personnel Controls
Qualifications, experience, and clearance requirements
29 of 58
The staff who is assigned by HWCA as the trusted roles should meet the following conditions: 1. Have good social and work background 2. Comply with state laws and regulations and obey uniform schedule and management of HWCA 3. Comply with the security management specifications, regulations and systems of HWCA 4. Have good individual quality, culture and careful and responsible attitude 5. Have good team cooperation spirit 5.3.2 Background check procedures
HWCA staff is employed according to the strict employment procedure. The background of the trusted staff will be survey according to the post requirement. HWCA performs strict background survey on the key CA staff. The survey includes, not limited to, validation of previous work record, validation of identity proof truth, validation of truth of the diploma and other certificate and validation of cheat behaviors. The registration authority, registration branch authority and operators at the transaction site should be surveyed by referring to the HWCA survey for the trusted staff. The responsible organization of the transaction site can supplement survey, probation and training based on it, but it can not violate the HWCA certificate transaction regulation and HWCA electronic certificate service rule. HWCA identifies the flow management rule. The CA staff is restricted by the contract and regulations and can not disclose sensitive information of the HWCA certification service system. All staff sign secrete agreement with HWCA. 5.3.3 Training requirements
HWCA will hold staff training on responsibilities, posts, technology, policies, laws and security on demand. HWCA provides the following comprehensive training to HWCA staff, including but not limited to: Information security knowledge training and examination Post responsibility and post skill training Fire control knowledge training and drilling Professional knowledge and skill training on PKI system business Retraining frequency and requirements
5.3.4
HWCA will hold periodical staff training according to the internal environment change and staff conditions to adapt to the new change and continuously improve the professional quality of the staff. 5.3.5 Job rotation frequency and sequence
30 of 58
Huawei Equipment CA Certification Practice Statement Not involved 5.3.6 Sanctions for unauthorized actions
When the HWCA staff make unauthorized or over-limit operation, HWCA should take some appropriate administrative and disciplinary actions against personnel who perform unauthorized actions, such as instantly abandon or terminate security certificate and IC card of this employee. 5.3.7 Independent contractor requirements
The independent contractors can be employed as the trusted persons in some limited cases. Generally after these contractors or consulters pass the background survey and sign the secrete agreement according to the regulations in CPS 5.3.2, they can have the power like it of the HWCA staff at similar posts and must comply with all security control specifications. If the independent contractors do no pass the background survey and sign the secrete agreement according to the regulations in CPS 5.3.2, they cannot fulfill their responsibilities together with the accompanying the trusted role . 5.3.8 Documentation supplied to personnel
HWCA provides the following training documents to the staff during training and re-training period, including but not limited to: 1HWCA system operation manual 2HWCA electronic certification service rule 3HWCA technical system document 4HWCA security management system
5.4
5.4.1
Audit Logging Procedures

Types of events recorded
The HWCA CA and RA operation system records all events on the system for review, including but not limited to: Management events in CA key lifecycle, including key generation, backup, recovery, archiving and destruction. Certificate subscriber identity information recorded by the RA system, including enterprise (individual) name, certificate number, address, mailbox and contact information All operations in the certificate cycle, including certificate application, certificate key update and certificate revocation. Person access control record.
31 of 58
Regardless of written or electronic form, these records should include event date, event content, event occurrence interval and event-related entity. Other HWCA-recorded events not related to CA system such as visit record of physical channel and human change 5.4.2 Frequency of processing log
HWCA reviews the records every month and archives the review records. 5.4.3 Retention period for audit log
HWCA should keep the review records for at least one month in the database and keep offline archives for at least 7 months. 5.4.4 Protection of audit log
HWCA performs strict channel management to guarantee that only HWCA-authorized persons can access these review records. These records should be under strict protection and prevent against any unauthorized access, reading, change and deletion. 5.4.5 Audit log backup procedures
HWCA guarantee that all review records and summaries will comply with HWCA backup standard and procedure. The online and offline backup tools and different backup methods are used by record nature and requirements. 5.4.6 Audit collection system
The auditing collection system involves: 1Certificate management system 2Certificate signature and issuing system 3Certificate directory system 4Certificate approval and handling system 5Backup recovery system 6Other necessary systems to review 5.4.7 Notification to event-causing subject
HWCA will record the attack cases discovered in review in detail, track the attacker within the scope permitted by the law, inform the related authorities and reverse the right to take the countermeasures, e,g. cut of the services open to the attackers and submit it to the judicial authority. HWCA can determine whether to inform the attackers or peace breaker discovered in the review.
32 of 58
5.5
5.5.1
Records Archival
Types of records archived
The contents archived by HWCA include the HWCA-issued certificates, CRL, review data records and certificate review and approval documents. 5.5.2 Retention period for archive
The HWCA subscriber certificate and the application document should be kept for 10 years after the certificate is invalid. 5.5.3 Protection of archive
The archived contents are secured via the physical security measures and password technology. Only the authorized trusted personnel can access to the min a specific secure manner. HWCA protects the related documents from environmental threats such as the temperature, humidity and magnetic force. 5.5.4 Archive backup procedures
All archives are stored into the HWCA storage repository. The archive database should be physically or logically isolated and will not interact with the outside. Only the authorized personnel can read the archives under supervision. HWCA guarantee that the archives and backup cannot be deleted and changed via secure mechanism. 5.5.5 Requirements for time-stamping of records
The archives stated in 5.5.1 should be marked with the time. 5.5.6 Archive collection system
The HWCA archive collection system consists of manual operation and automated operation. 5.5.7 Procedures to obtain and verify archive information
HWCA will annually validate integrity of the archives.
5.6
Key Changeover
Here the key conversion indicates the measures taken for the root key replacement when the HWCA root certificate expired. The HWCA root key pair is generated by the HSM. When the certificate expired and the key is replaced, three certificates are signed and issued. The old private key pair is used to sign and generate certificate for the new public key and information; The new private key pair is used to sign and generate certificate for the old public key and information; The new private key pair is used to sign and generate certificate for the new public key and information;
33 of 58
The above three certificates are used for key replacement and make the new and old certificate authentication and trust each other. The valid period of the HWCA root certificate is 10 years. Before the HWCA certificate expires, HWCA will replace the root private key. The key conversion procedure will play a role in transition from the old key pair to new key pair. The HWCA key is converted as follows: HWCA will stop issuing a new certificate within 60 days before the certificate expires. After a old HWCA certificate expires, HWCA will sign an issue a certificate by using a new CA key pair.
5.7
Compromise and Disaster Recovery
When HWCA device room cannot normally provide service due to attack, communication network resource destruction, computer equipment system failure, software damage, database tampering or other force majeure, HWCA will restore according to HWCA disaster recovery plan. 5.7.1 Compromise handling procedures
When HWCA suffers from an attack, communication network resource destruction, computer equipment system failure, software damage, database tampering or other force majeure, HWCA will start the backup system according to HWCA emergency management scheme. 5.7.2 Computing resources, software, and/or data are corrupted
When the software, data or other information is exceptional and is damaged in the certification system, HWCA can process it according to HWCA emergency management scheme. If necessary, HWCA will start backup scheme. HWCA will restore the system according to the internal backup and make the certification system normally run. 5.7.3 Entity private key compromise procedures
When the root private key and low-level sub-CA certificate private key of HWCA suffers from damage, loss, disclosing, cracking, tampering or third-party theft, HWCA will process it according to HWCA root key leakage emergency processing flow. 5.7.4 Business continuity capabilities after a disaster
After HWCA suffers from the disaster described in 5.7.1 and 5.7.2, it should restore all services as quickly as possible via backup.
5.8
CA or RA Termination
When HWCA and its authorized service authority will stop operation, it will strictly comply with the regulations of electronic certification service management. HWCA will make a effort to archive the records of the CA and transfer
34 of 58
Huawei Equipment CA Certification Practice Statement them to a designated organization.
35 of 58
6 Technical Security Controls

Because the key pair is the key in the security mechanism, this CPS gives corresponding regulations to guarantee confidentiality, integrity and non-repudiation of the key pair generation, transfer and installation.
6.1
6.1.1
Key Pair Generation and Installation

Key pair generation
The private key of Huawei CA is generated by the trusted hardware secure module (hereinafter, HSM) and multiple parties participate in it. Huawei stores the HWCA private key by using HSM . Access from multiple administrators is under control via the management card and card access password. The HSM is based on the white list control policy. Only CA system can access the HSM online. Other key-related operations are allowed by multiple management terminals. The HWCA private key is independently backed up in an isolated HSM. 6.1.2 Private key delivery to subscriber
HWCA doesnt provide generate key pair service for subscribers. If the subscriber generates the key pair, there is no need for private key delivery to the end user. 6.1.3 Public key delivery to subscriber
The HWCA public keys are included in the corresponding HWCA certificates. The Subscribers and Relaying parties can download HWCA certificates from HWCA website http://support.huawei.com/support/pki. 6.1.4 Key sizes
The HW Root CA is based on 4096 bits RSA key pair. The sub-CA is based on 2048 bits RSA key pair. Subscribers public keys must be between 1024 and 4096 bits in size, with 2048 bits recommended. 6.1.5 Public key parameters generation and quality checking
The public key parameters are generated by the hardware supported by the HWCA digital certificate signing and issuing system under permission of the state password administration bureau. 6.1.6 Key usage purposes
The key pair is one important part of the digital certificate and can be used for encryption, decryption and digital signature of the sensitive data. HWCA set key usage bits for CA certificates as the value cRLSign and keyCertSign. Certificates issued by HWCA must be conforming to the X.509 v3 key usage field, e.g. digitalSignature,
36 of 58
Huawei Equipment CA Certification Practice Statement nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement.
If subscriber certificates to be used for digital signatures, it must be set to digitalSignature and nonRepudiation. If subscriber Certificates to be used for encryption, they shall be set to keyEncipherment, dataEncipherment, or keyAgreement.
6.2
Private Key Protection and Cryptographic Module Engineering Controls
6.2.1
Private key escrow
HWCAs private keys are not held in any escrow. HWCA will not keep subscribers private keys or any private key material. Subscribers signing keys escrow is strongly discouraged in case of 6.2.2 Private key backup
HWCAs private keys are back up into a separated hardware security module. Huawei keeps the backup copies of CA private keys in encrypted documents controlled by n out of m legal persons with administrator token card. For individual certificate, it is strongly suggested that the key pair is generated and stored on a smart card that cannot be extracted from the smart card and are therefore not backed up. For certificate used by device, it is strongly suggested that the key pair is generated and stored on the device. If the key used to encrypted data, the certificate holder can back up it security to guarantee the data security in case of loss or corruption of the key 6.2.3 Private key transfer into or from a cryptographic module
The private CA key can be imported into the cryptographic module by using the HWCA software in the HWCA certificate service system. The private CA key cannot be exported from the cryptographic module unless the multiple administrators enter the token card at the same physical site. 6.2.4 Private key storage on cryptographic module
The certificate holder can store the private key into the hardware password module or the software password module. HWCA private keys are stored into the hardware secure module. 6.2.5 Method of destroying private key
HWCA signing private keys will be destroyed when they are no longer needed, or when the certificates corresponding to the private keys are expired or are revoked.
37 of 58
The destruction of private CA key is authorized and controlled under n out of m multiple legal persons. The operation will be documented and signed by the operators.
6.3
6.3.1
Other Aspects of Key Pair Management

Public key archival
For the public key archive, the operation process, security measure, storage period and storage policy should be consistent with the certificate. 6.3.2 Certificate operational periods and key pair usage periods
The valid period of a public key is same as the corresponding private key and is same as the valid period of the certificate signed and issued by HWCA.
6.4
6.4.1
Activation Data
Activation data generation and installation
The sensitive data includes the certificate private key password and encrypted data provided by HWCA. HWCA provides unique non-guessable certificate private key password. These private key passwords are approved by HWCA according to the authorization and operation permit and are issued to the authorized users. 6.4.2 Activation data protection
HWCA should protect sensitive data by using multiple methods such as encryption and decryption to avoid unauthorized use. When the non-authorized user wants to reach the expected purpose by using the sensitive data, the sensitive data will be automatically locked. 6.4.3 Other aspects of activation data
Considering the security factor, the regulations on the subscriber activated data lifecycle are described as follows: 1. The subscriber applies for the certificate password with the activation data. The activation will be invalid after successful application. 2. The activation data is used to protect private key or IC card and USB Key password. The subscriber is recommended to change it at any time on demand. After three months, it must be changed.
6.5
6.5.1
Computer Security Controls

Specific computer security technical requirements
The data files and equipment of HWCA digital certificate signing and issuing system is maintained by HWCA system
38 of 58
administrator. Without permission of HWCA administrator, other persons cannot operate and control HWCA system. other command users have no system accounts and passwords. HWCA system is deployed inside multi-level firewalls from different manufacturers to guarantee system security. HWCA system password cannot be less than minimum length and meet the complexity requirement. HWCA system administrator should regularly change the system password. 6.5.2 6.5.3 Life Cycle Security Controls System development controls
The HWCA software design and development and deployment are in accordance with Huawei product lifecycle development standards. 6.5.4 Security management controls
HWCA configuration and any change and upgrade will be recorded and be under control. HWCA controls and monitors system configuration by using a flexible management system to avoid unauthorized change. 6.5.5 Life cycle security controls
The software and hardware equipment of the HWCA certification service system can continuously upgrade, including software and hardware cycle control, to guarantee security and reliability.
6.6
Network Security Controls
HWCA provides the firewall and other access control protection mechanism and only allows authorized access to the equipment via configuration. only authorized HWCA staff can log into HWCA signing and issuing system, HWCA registration system, HWCA directory server and HWCA certificate issuing system. All authorized users must have legal security certificate and pass the password validation.
39 of 58
7 Certificate, CRL, and OCSP Profiles

7.1
Certificate Profile
The HWCA certificate format should comply with the international standard ITU-T X.509 and RFC 5280. 7.1.1 Huawei Root CA Certificate Profile
Field Version Serial Number Signature Algorithm Issuer DN
Critical N/A N/A
Description
N/A N/A
Valid From Valid To Subject DN
N/A N/A N/A
Subject Public Key Extensions: Authority Key Identifier Subject Key Identifier Basic Constraints Key Usage
N/A
NO NO NO YES
V3 An integer unique to the certificate among the range of all serial numbers in certificates issued by the same issuer sha256withRSAEncryption CN = Huawei Equipment CA O = Huawei C = CN <creation time> <creation time> + 30 years CN = Huawei Equipment CA O = Huawei C = CN 4096-bit RSA key
SHA1 Hash value of issuers public key SHA1 Hash of the public key in the certificate Subject Type=CA Path Length Constraint=None Certificate Signing CRL Signing
7.1.2
Huawei Issuing CA Certificate Profile
Critical N/A N/A
Description
N/A N/A
Valid From Valid To
N/A N/A
V3 An integer unique to the certificate among the range of all serial numbers in certificates issued by the same issuer sha256withRSAEncryption CN = Huawei Equipment CA O = Huawei C = CN <creation time> <creation time> + 25 years
40 of 58
Subject DN
N/A
Subject Public Key Extensions: Authority Key Identifier Subject Key Identifier Certificate Policies
N/A
NO NO NO
CN = Huawei Wireless Network Product CA OU = Wireless Network Product Line O = Huawei C = CN 2048-bit RSA key SHA1 Hash value of issuers public key SHA1 Hash of the public key in the certificate [1]Certificate Policy: Policy Identifier: [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http:// support.huawei.com/support/pki CA = TRUE Path Length Constraint=0 Certificate Signing CRL Signing
Basic Constraints Key Usage
NO NO
7.1.3
Equipment Certificate Profile
Critical N/A N/A
Description
N/A N/A
Valid From Valid To Subject DN
N/A N/A N/A
Subject Public Key Extensions: Authority Key Identifier Subject Key Identifier Basic Constraints
N/A
NO NO NO
V3 An integer unique to the certificate among the range of all serial numbers in certificates issued by the same issuer sha1withRSAEncryption or sha256withRSAEncryption CA X.500 DN for identifying the issuer. The issuer of the radio network equipment certificate is: CN = Huawei Wireless Network Product CA OU = Wireless Network Product Line O = Huawei C = CN <creation time> <creation time> + 10 to 20 years X.500 unique name of the certificate holder: CN = <Equipment Serial Number>.huawei.com O = Huawei C = CN 2048-bit RSA key
SHA1 Hash value of public key issuer SHA1 Hash of the public key of the certificate holder CA = FALSE
41 of 58
Certificate Policies
NO
Key Usage CRL Distribution Points
YES NO
Subject Alternative Name
NO
Path Length Constraint=None [1]Certificate Policy: Policy Identifier: [1,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http:// support.huawei.com/support/pki Digital Signature, Non-Repudiation, Key Encipherment, Key Agreement, Data Encipherment [1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://support.huawei.com/support/pki/ WNCA_crl.crl DNS=<Equipment Serial Number>.huawei.com
7.2
CRLCertificate revocation list
HWCA regularly signs and issues CRL (certificate revocation list) for users to search. The CRL signed and issued by HWCA should comply with RFC5280 standard.
Field Version signature Publishr thisUpdate nextUpdate
Critical
N/A N/A N/A N/A N/A
Description
V2 sha1withRSAEncryption <subject CA> <creation time> <creation time> + n For Issuing CA, the n is 24 hours and for the Root CA, the n is 1 year.
<serial number of revoked certificate > <revocation time> Revocation reason
revokedCertificates userCertificate revocationDate crlEntryExtensions CRL Reason Code crlExtensions Authority Key Identifier CRL Number
N/A N/A N/A N/A N/A
N/A NO NO < subject key identifier CA>, used to identifying the public key corresponding to the private key used to sign a CRL non-critical <CA assigned unique number>
7.3
OCSP
Not applicable
42 of 58
8 Compliance Audit and Other Assessment

8.1
Assessment frequency and conditions
HWCA will perform the following assessment: Internal assessment: the HWCA operation security management team will irregularly and regularly assess CA center and Registration Authority according to the regulated assessment methods and process annually except special cases. External assessment: the administration authority assesses and inspects according to <the regulations in electronic signature regulation of PRC> and <electronic certification service management regulation>. The frequency is identified by the administration authority according to the related laws and regulations.
8.2
Assessor qualification
The internal review of HWC is organized by the HWCA operation security management team which consists of experienced senior managers and core technicians. If HWCA thinks it necessary to invite external auditors to perform internal auditing, HWCA checks whether the auditors must be qualified and experienced and meet the requirements in the supervision laws and industrial regulations, including: Auditor or auditing assessment organization which must be permitted, have business license, have professional computer security knowledge and be prestigious in the industry. Know the computer information security system, communication network security requirement and PKI technical standard and operation. Have professional technologies and tools to check the system operation performance.
8.3
Relation between assessor and assessed object
The external assessors (information industry administration authority or trusted organization) should be independent of HWCA, has no business and finance relation with HWCA or other interests which affect assessment objectivity. The assessor should assess HWCA in an independent, fair and object attitude. HWCA internal assessors should be independent of the assessed objects and have no interests which affect assessment objectivity. The assessor should assess HWCA in an independent, fair and object attitude. HWCA can select a professional, fair and objective professional auditing assessment organization on demand to assist internal assessment.
8.4
Assessment contents
43 of 58
Huawei Equipment CA Certification Practice Statement The HWCA assessment contents include, not limited to: Whether to make and publish CPS and related operation specifications.
Whether the HWCA certificate operation regulation is consistent with this certification service rule? Whether the related operation specifications and operation agreement are made according to CPS? Whether the certificate application registration service is carried out according to related CPS operation specification and operation agreement? Whether HWCA implements related technology, management, polices and service rules. Service integrity: key and security management in certificate lifecycle, certificate revocation and suspension, security operation on business system, and standard review on business operation. Physical and environment security control: information security management, personnel security control, building facility security control, software/hardware equipment and storage security control, system and network security control, system development and maintenance security control, disaster recovery and backup system management, auditing and archive security management. Other contents necessary for auditor or HWCA
8.5
Measures taken for problems and weaknesses
After the information industry administration authority completes assessment, HWCA will check defects and weakness according to the assessment results, submit the measure of change and precaution and correction plan, accept review on correction plan and assess the correction again. After HWCA completes internal assessment, the assessor should list the detailed of all problems and notify the HWCA operation security management team and assessed objects of the results for further processing. HWCA will quickly solve problems according to recognized international routine or supervision laws.
8.6
Assessment result notification and publication
HWCA notify the auditing or assessment results to the corresponding objects according to the management or agreement requirement. Without requirements in the laws and regulations, HWCA will not publish the auditing or assessment results. The internal assessment results of HWCA are subjective to HWCA. if the auditing or assessment results is published or disclosed by other person without permission of HWCA,, HWCA will reserve the right to punish.
44 of 58
9 Other Business and Legal Matters

9.1
Fees
The certificate fee is published at HWCA website http://support.huawei.com/support/pki . The price list will take effect at the date specified by HWCA.. Without a specified effect date, the list will take effect after issued. HWCA will notify subscribers or other parties the fee change via other methods. If the price in the agreement negotiated between HWCA and the subscriber or HWCA associated organization is different. The price in the agreement shall take priority.. 9.1.1 Certificate issuance or renewal fees
Refer to CPS9.1 9.1.2 Certificate access fees
For certificate inquiry, now is no charge. Users will pay additional cost for HWCA when user has special requirement, HWCA is entitled to charge additional fees separately. 9.1.3 .
Revocation or status information access fees
Now HWCA will not charge on certificate revocation or state inquiry temporarily. 9.1.4 Fees for other services
Refer to CPS9.1 9.1.5 Refund policy
HWCA should comply with strict operation procedure and refunding policy in the process of certificate signing and issuing. Once a subscriber accepts the digital certificate, HWCA will not transact any refunding procedure. Unless the user proves that HWCA violates the liabilities or other significant obligations in the regulations on subscribers or subscriber certificate in CPS via a legal means, HWCA will not refund the payment. If refunding is required such as certificate revocation, the subscriber should fill the refunding application form and send it to HWCA for refunding. After refunding, if the subscriber continues using this certificate, HWCA will punish it according to the laws.
9.2
9.2.1
Financial Responsibility
Insurance coverage
HWCA decides the insurance policy according to the business development condition. Now it is unavailable temporarily. 9.2.2 Insurance or warranty coverage for end-entities
45 of 58
According to the regulations in PRC electronic signature regulation, the subscribers agree that HWCA only pay subscribers for some direct loss which is caused by HWCA, namely HWCA will commit certain compensation by the type of the certificate, refer to CPS9.8.
9.3
9.3.1
Confidentiality of Business Information

Scope of confidential information
The confidential information includes, not limited to, the following contents: 1. Agreement, communication letter and business agreement between HWCA and HWCA-authorized certificate issuing authority, between HWCA and subscribers, between HWCA-authorized certificate issuing authority and subscribers, between HWCA and other certificate service parties and between HWCA-associated parties. 2. Corresponding private key of the certificate public key of the certificate holder 3. Auditing records, auditing report and auditing results of HWCA or HWCA to certificate issuing authority 4. Operation information related to HWCA certification system 5. Internal flow management and control documents such as backup plan, emergency scheme and secure measures. 6. Individual privacy information except the subscriber certificate information Except the information regulated in the laws, required by governments and law-execution departments, or information necessary for HWCA, HWCA has no obligation to disclose or publish the above information. 9.3.2 Information not within the scope of confidential information
1. Certificate application flow, application procedure, application operation guidance and CPS. 2. Related information in certificate holder 3. Certificate state and revocation list 4. Other information which can be obtained via public channel. Although the above attributes are not confidential, it does not indicate that the information can be used by any unauthorized party. The HWCA and information owner reserves the intellectual property. Others: confidentiality of HWCA information depends on the special data item and application. 9.3.3 Responsibility to protect confidential information
HWCA, any subscriber, associated body and certificate service related parties are liable for compliance with the regulations in this CPS and protection on the confidential information. When HWCA is required to disclose the confidential information in this CPS according to the requirements in any
46 of 58
law, regulation or provision or from a court, HWCA can disclose related confidential information to the execution department according to the requirements in any law, regulation or provision or in a court judgment. When the owner of the confidential information requires HWCA to publish or disclose its confidential information, HWCA will meet the requirements under the permission of the laws and regulations. HWCA will require the owner to provide a written authorization for this application to indicate its publication or disclosing willing. If this action involves compensation obligation of any other party, HWCA will not be liable for any related loss or the loss caused by the public information. The owner of the confidential information should be liable for all loss and damage caused by the public information.
9.4
9.4.1
Privacy of Personal Information

Privacy plan
HWCA respect all users and their privacy and comply with the requirements in the laws and protection principle of individual data privacy internationally recognized. If a related specific privacy protection laws is released and takes effect (such as Personal Information Protection), this CPS will automatically refer to and comply with it as the basic principle for privacy protection. When anyone selects any service of HWCA, it indicates that he agrees with and accepts the privacy protection statement of HWCA. 9.4.2 Information treated as privacy
When HWCA manages and uses related information in the subscriber application and registration certificate, except the information in the certificate, it is forbidden to disclose the basic information and identity certification information of this subscriber without permission of the users or the legal requirement in accordance with the laws and authority. 9.4.3 Information not deemed privacy
The information in the certificate held by the certificate subscriber and the certificate state information can be public and cannot be regarded as the privacy information. 9.4.4 Responsibility to protect private information
HWCA, any subscriber, associated body and participants in the certification service should comply with the regulations in this CPS and be liable for protection on the privacy information. With permission in any law and regulation or legal procedure of the court or a written authorization from the
47 of 58
information owner, HWCA can disclose related privacy information to the specific objects. HWCA will not assume any liabilities and will not violate the privacy protection obligation. If privacy disclosing leads to any loss, HWCA should not assume any responsibility. 9.4.5 Notice and consent to use private information
HWCA can only use the obtained subscriber information for subscriber identification, management and subscriber service in the certificate service. When using these information, regardless of privacy or not, HWCA is not liable to inform the subscriber and need not require permission from subscribers. With permission in any law and regulation or legal procedure of the court or a written authorization from the information owner, HWCA can disclose related privacy information to the specific objects inform the subscriber and need not require permission from subscribers. If HWCA and its authorized registration authority will use the customer privacy information for other purposes except the negotiated purposes, HWCA should inform subscribers in advance and get the permission and written signed authorization of users within the legal scope. 9.4.6 Disclosure pursuant to judicial or administrative process and is not obligated to
Except one of the following conditions, HWCA cannot provide the basic registration information and identity information of the subscriber to any object, including court and governmental authority. Legitimate application proposed according to the laws and regulations in the governmental and legal authorization procedure of the authority. Legal application proposed when the court is processing the certificate dispute or arbitration. Formal application proposed in the arbitration authority with legal judicial jurisdiction Written authorization provided by the certificate subscriber 9.4.7 Other information disclosure circumstances
Other information should be disclosed according to the laws and regulations and the requirements in the subscriber agreement.
9.5
Intellectual Property Rights
HWCA enjoys and reserves the exclusive intellectual property to certificate and all software, documents and data provided by HWCA, including integrity right, name right, copyright and interest sharing right of the certificate and software, so HWCA has a right to decide the software system used by the associated entity and select the used style,
48 of 58
method, time, process and model to guarantee system compatibility and intercommunication. HWCA enjoys the ownership of all copyrights, trademarks and other intellectual properties related to the certificates issued by HWCA and the software provided by HWCA are subjective of HWCA according to the regulations in this CPS, including related documents and operation instruction. With permission of HWCA, the HWCA-authorized certification authority can use related documents and manuals and have a liability and obligation to propose comments. Without prior permission of HWCA, any user cannot use or accept any name, trademark and trading mode used by HWCA and confusing name, trademark and trading mode or business name after any certificate expires, is revoked or terminated.
9.6
Representations and Warranties
If the regulation of this CPS conflicts with the regulations and guideline made by other HWCA, except special regulations of HWCA in the agreement, the user must accept the regulations in this CPS. For the agreement signed by HWCA and subscriber which only restricts both parties, if some contents are not regulated in the agreement, it indicates that both parties to agree with the regulations in this CPS. If the regulations are different from them in this CPS, the regulations in the agreement between both parties should be complied with. 9.6.1 CA representations and warranties
General statement of HWCA: Specification and institutional system required for establishing certificate practice statement (CPS) and other certification services Comply with the regulations in this CPS in infrastructure and certification service provision according to the related provisions in this CPS. Establish and execute the security mechanism which meets the regulations in the related state policies to guarantee that the HWCA signature private key is stored and protected security. All activities related to the certification service should meet the laws and the regulations of the authority. HWCA and its authorized certificate authority do not act as the agent, assignee, manager or other representative of the certificate subscriber or replying parties. The relation between HWCA and certificate subscriber and the relation between HWCA and replying parties is not the relation between an agent and consigner. The certificate subscriber and relying parties has no right to make HWCA assume trust liability via the contract or other method. HWCA will
49 of 58
not give any statement conflicting with the above regulations in an indication, implication or other manner. HWCA statements to subscribers: Except additional regulations in this CPS or addition agreement between the certificate issuing authority and subscriber, HWCA commits the following statement to the subscribers in the certificate. The certificate does not include incorrect statements which are known to the certificate issuing authority or are from the certificate issuing authority. When generating a certificate, the data conversion will not be incorrect due to the mistake from the certificate issuing authority, even the mistake from the certificate issuing authority will not make the information in the certificate be inconsistent with the information received by the certificate issuing authority. The certificate signed and issued by the certificate issuing authority to subscribers should comply with all substantial requirements in this CPS. The certificate issuing authority will revoke or suspend a certificate according to the regulations in this CPS. The certificate issuing authority will make reasonable endeavors to inform subscribers of any known event which affect validity and reliability of the certificate signed and issued to the subscribers in essence. The above statement is only to guarantee interests of the subscribers and will not make any other party be benefited or force any other party to execute. If the actions of the certificate issuing authority meet the regulations in this CPS and related laws, it indicates that the certificate issuing authority makes reasonable efforts. Certificate issuing authority statement to relying parties: For issued certificate, the certificate issuing authority commits the following contents to the persons who reasonably trust signature (this signature can be validated according to the public key in the certificate) according to this CPS: Except the non-validated subscriber information, all information in the certificate or referred to in the certificate are accurate. The certificate issuing authority should fully comply with the regulations in this CPS for signing and issuing certificate. HWCA statement to publication: To publish a certificate, the certificate issuing authority should prove to the persons indicated by the information in HWCA information repository and all reasonable relying parties that the certificate issuing authority has signed and issued a certificate to subscribers and the subscriber has accepted this certificate according to the regulations in this CPS.
50 of 58
Huawei Equipment CA Certification Practice Statement 9.6.2 RA representations and warranties
After the registration authority to obtain authorization from HWCA, it should guarantee: Comply with this CPS, HWCA authorization agreement and other HWCA-published standards and flows, accept and process the certificate service request of the certificate service applicant and set and manage the subordinate certificate service authorities according to authorization, including RA and LRA. RA must comply with the service processing specification, system operation specification and management specification made by HWCA and can decide whether to provide certificate service to applicants according to this CPS and HWCA-published specifications. Identify the setting mode, management mode and auditing mode of the subordinate certificate service authorities according to HWCA requirements and specification. These decision should be archived as the written document and cover the related articles published by HWCA, but the contents cannot conflict with or be inconsistent with the HWCA articles. Guarantee a secure physical environment of the operation system and corresponding security management and isolation measures according to the regulations in this CPS. RA must provide all data documents and backup for the certificate service and guarantee secure information transfer with the subordinate certificate authorities according to HWCA requirements. It is important that RA commits to strictly comply with privacy confidentiality liability to all certificate users and assume corresponding legal liabilities. Accept RA management from HWCA according to this CPS and authorization agreement, including service qualification auditing and regulation compliance inspection. Accept that HWCA owns the final processing right to the service requests from all certificate service applicants. Provide necessary technical consulting to users and make users smoothly apply for and use a certificate. 9.6.3 Subscriber representations and warranties
Once the certificate signed and issued by the certificate issuing authority is accepted, if the subscriber is not notified additional since the certificate is accepted till the certificates valid period expires, it indicates that the subscriber provides the following guarantees to HWCA and the persons indicated by the reasonably trusted certificate: All statement and information filled in the certificate application must be complete, precise, truth and correct, can be checked and audited by HWCA. The subscriber should assume legal liabilities caused by the false and counterfeited information. If an agent exists, there are the infinite associated liabilities between the subscriber and the agent. The subscriber is
51 of 58
liable for informing HWCA or subordinate certificate issuing authorities of any false statement and omission made by the agent. All signatures made by the corresponding private key of the public key in this certificate are from the subscriber. The certificate is valid and is accepted by the subscriber in signing (the certificate does not expire and is not suspended or revoked). The unauthorized persons have never accessed to the private key of the subscribers. The information stated by the subscriber to the certificate issuing authority and included in this certificate is true and complete. The information known or noticed by the subscribers in the certificate is true. If the subscriber finds the information error in the certificate and does not inform the certificate issuing authority in time, the certificate issuing authority thinks that the subscriber accepts true of the above information. This certificate is only used for authorized purpose or other legal purposes according to the regulations in this CPS. Without specific approval in the writing agreement between the subscriber and certificate issuing authority, the subscriber guarantees not to be engaged in the business of the certificate issuing authority (or similar authorities). E.g. The corresponding private key of the public key in the certificate is used to sign and issue any certificate (or certification of other public keys) or certificate revocation list. Once the certificate is accepted, it indicates that the subscriber knows and accepts all provisions in this CPS, and accepts the corresponding subscriber agreement. Once the certificate is accepted, the subscriber should be liable for keeping consistent control over the private key, using trusted system and taking reasonable precautions to prevent against loss, disclosing, tampering or unauthorized use of private key. Once the certificate is accepted, the subscriber agrees to make HWCA be exempted from any liability and loss caused by the following causes in a direct or an indirect manner: the subscriber (or authorized agent) states false or incorrect fact, the subscriber can not disclose important facts. The intentional or non-intentional incorrect statement or duty breaching of the subscriber makes HWCA and any persons trusting the certificate be cheated; the subscriber does not use the trusted system or does not take necessary reasonable measures to prevent the private key from damage, loss, disclosing, tampering or unauthorized use. If it leads to any liability, loss, suit or cost to HWCA, the subscriber should compensate it. As the certificate applicant, he is liable to inform the certificate signing and issuing authority of any omission and
52 of 58
Huawei Equipment CA Certification Practice Statement incorrect statement of the applicant agent in time. 9.6.4 Relying party representations and warranties
When the relying parties trust any certificate signed and issued by HWCA, it indicates a guarantee. Be familiar with the provisions in this CPS and certificate policies of the trusted subscriber certificate and know use purpose of a certificate Before the relying parties trust the certificate signed and issued by HWCA, he has reasonably check and audited the certificate, including check the latest CRL published by HWCA to get the state of this certificate. Only when this certificate is not revoked, HWCA can guarantee that this certificate is valid; check reliability of the certificates in the certificate trust path and check the valid period and application of this certificate. Once the relying party violates the reasonable check provision due to mistake or other causes, it will compensate the loss to HWCA and assume the loss to self or others. Trust to a certificate indicates that the relying party has accepted all regulations in CPS, especially provisions on exemption, rejection and restricted obligations. 9.6.5 Representations and warranties of other participants
Statement of sponsor: The sponsor must pay for all certificate costs in a manner regulated by HWCA. The payment action of a sponsor indicates that the sponsor is willing to and can assume the warrant liability for truth of the certificate service applicant identity according to the regulation in this CPS.
9.7
Disclaimers of Warranties
Without specific commitment in CPS 9.6.1, HWCA will not assume other warrants and obligations and will: 1. If the HWCA pauses and terminates partial or all digital certificate services due to force majeure, HWCA will not compensate for it. 2. When the subscribers breaches the commitment in CPS 9.6.3 or the certificate relying party breaches the commitment in CPS 9.6.4, it will exempt HWCA. 3. Any software used in the certification is not guaranteed. 4. If the software and hardware failure, certificate error caused by network break, trade break or other losses are not caused by HWCA, HWCA will not assume any liability. 5. HWCA only compensates for the certificate in the valid period.
53 of 58
6. If this certificate is used for illegal trading or leads to dispute in trade and HWCA originates related operations according to the regulation in this CPS in the period since the certificate subscriber or other persons who have a right to revoke or suspend a certificate requests to suspend or revoke the certificate till HWCA completes revocation or suspendsion, HWCA will not compensate for any damage. 7. HWCA provides electronic signals for non repudiation in electronic government, electronic business or other network business according to the laws and requirements of a casualty within the legal scope, but HWCA will not assume any liability beyond the laws or regulations.
9.8
Limitations of Liability
For the loss to the related parties caused by HWCA (except the loss which cannot be proved via legal means), HWCA will assume corresponding compensation liability, but this liability is limited. HWCA is only liable for direct damage caused by the certificate trust instead of indirect damage, profits loss, mental damage and punishment compensation.
9.9
Indemnities
If the operations breach the regulations in this CPS or the requirements in laws and lead to loss to the certificate subscribers in certificate signing and issuing, HWCA will assume the limited compensation liability stated in CPS9.8. For any of the following cases, the subscriber or relying parties should assume corresponding loss compensation liabilities: Damage to HWCA, registration authority or third party caused when the subscriber provides untrue information due to intention, mistake or malicious intention in certificate registration application Damage to HWCA and third party caused when the subscriber leads to private key leakage and loss due to intention or mistake and does not inform HWCA of leakage and loss and delivers this private key to others for use. The subscribers or relying parties breach the regulations in this CPS in use or trust of the certificate or use this certificate for other businesses beyond this CPS. Damage to HWCA or third party caused when the users do not reasonably audit according to this CPS in use or trust of a certificate. If this certificate is used for illegal trading or leads to dispute in trade and HWCA originates related operations according to the regulation in this CPS in the period since the certificate subscriber or other persons who have a right to revoke or suspend a certificate requests to suspend or revoke the certificate till HWCA completes the action, the certificate subscriber must assume all compensation liabilities.
54 of 58
If the agreement between HWCA and the subscriber includes additional compensation regulations, it should be complied with.
9.10
9.10.1
Term and Termination

Term
This CPS will formally take effect since it is published. The document will include the version number and publication date in detail. For the latest version, visit HWCA website http://support.huawei.com/support/pki . The individuals will not be informed. When a new version is formally released and takes effect, the old version will automatically terminate. 9.10.2 Termination
This CPS and the updated version will be invalid when HWCA terminates the certification service. it should be properly scheduled 60 days ahead of service termination. 9.10.3 Effect of termination and survival
The provisions of this CPS involving auditing, confidential information, privacy protection, archiving, intellectual property as well as HWCA compensation liabilities and limited liabilities will keep valid after this CPS terminates.
9.11
Individual notices and communications with participants
If it is necessary for HWCA and its authorized registration authority to terminate CPS in advance, they should inform subscribers and relying parties via telephone, E-mail, letter and Fax.
9.12
9.12.1
Amendments
Procedure for amendment
HWCA should avoid unnecessary change to this CPS. However, HWCA will irregularly review and assess this CPS to guarantee that it meets the requirements of the state laws, administration authorities and actual requirement in certification. The mentioned amendment is divided into major amendment and minor amendment. On the whole, the major amendment indicates the amendment to the liabilities and obligations of the parties. The minor amendment indicates the amendment to the unimportant contents such as the contact mode. HWCA can properly classify them. 9.12.2 Notification mechanism and period
HWCA can revise and change any term, condition and articles in CPS at a proper time without the need of informing any party in advance.
55 of 58
Huawei Equipment CA Certification Practice Statement HWCA sets and publishes the amendments in the information
Confidentialitylevel:public repository on the website
http://support.huawei.com/support/pki . If the change to the HWCA CPS is placed in the specification update and notification column in HWCA information repository, it is valid for change to HWCACPS. These changes will replace any conflictions and specified provisions in old CPS version. All written CPS amendments are sent to the subscribers via the following modes: If the receiver is a company or other organization, send message to the registration contact address or office. If the receiver is an individual, send the message to the address in the application form. These notifications may be posted via the express post or registered letter. HWCA can send notification via Email or other modes. The Email is marked in the subscriber s application certificate. 9.12.3 Amendment agreement
For minor amendment, without agreement of all parties, the revised CPS takes effect after publication. For the major amendment, if the certificate applicant and subscriber do not request to revoke the certificate within 15 days after the revised CPS is published, it is deemed to agree with amendment. All amendments and changes will take effect instantly. 9.12.4 Circumstances under which OID must be changed
If any of the following cases occur, the CPS must be revised. The necessary amendment to CPS will take effect 15 days after publication except that HWCA publishes an amendment cancellation notification in a same manner within 15 days. There is breakthrough in the password technology which will affect validity of the current CPS. The related standards of the certificate service are updated. The certification system and related specifications experience major upgrade or change Requested by the laws and regulation and administrator authority The current CPS includes important defect. New requirements occur in application
9.13
Dispute Resolution Procedures
As the expert organization for the certificate dispute arbitration, the expert group of the HWCA operation security management team should collect the related evidence to promote the dispute solution, coordinate the mutual relation
56 of 58
between HWCA service system and parties, act as the final writer of the dispute proposal report. No matter whether the expert group completes the proposed reports and transfers the proposal how the expert group makes decision, it does not prevent HWCA, parties and other interested parties taking the measures regulated in the law and this CPS. Except that the parties in the dispute agree to consistently select the dispute solution mechanisms in a written manner (such as arbitration), the suites involved in HWCACPS execution, agreement between HWCA and any party or the suites caused by the related business relation between related parties should be submitted to the court of HWCA industry and commerce registration location. All parties agree to submit the dispute case to the local court of the HWCA industry and commerce registration location.
9.14
Governing Law
This CPS is managed and explained according to PRC Electronic signature regulation, electronic certification service management regulation and other PRC laws. Regardless of selected provisions in the contract or other laws and established business relation in China, HWCACPS execution, explanation, translation and validity are applicable to laws in PRC. The selected laws can guarantee that all subscribers have uniform procedure and interpretation regardless of their residential location and certificate use location.
9.15
Compliance with Applicable Law
All policies of HWCA should comply with the requirements in the PRC laws and regulations and state information administration authority. If the provisions involved in this CPS are regarded as illegal, unenforceable or invalid, HWCA will revise them till these provisions are legal and enforceable. If one provision of this CPS is invalid, it will not affect the legal effect of other articles.
9.16
9.16.1
Miscellaneous Provisions
Entire agreement
This CPS will replace the previous written or oral explanation related to the subjects and compose a complete agreement between HWCA and all parties together with subscriber agreement, relying agreement and complementary agreements. 9.16.2 Assignment
If HWCA stops certification service due to force majeure or other causes, the subscribers of HWCA should accept and take over the certificate service provisions of CA according to the related state regulations.
57 of 58
Except above reasons, the liabilities and obligations between HWCA, subscribers and relying parties can not be transferred in any manner. 9.16.3 Severability
If any provision or application of this CPS is invalid or unenforceable due to certain reason or within any scope, other parts of CPS are still valid. The related parties understand and agree that the liability restrictions, guarantee or exemption provisions or restriction or exclusion of damage compensation regulated by HWCACPS can be enforced independent of individual provisions in other provisions. 9.16.4 Enforcement (attorneys' fees and waiver of rights)
No applicable 9.16.5 Force Majeure
The force majeure mentioned in CPS indicates the object conditions which cannot be predicted, prevented and solved. The force majeure includes, not limited to, the following cases: 1Natural disaster such as typhoon, flood and hailstone 2Governmental behaviors such as expropriation and confiscation 3Social exceptional events such as strike and sturt 4The internet or other infrastructure is unavailable.
9.17
Other Provisions
HWCA has the final right to explain this CPS.
58 of 58

Rootca Cps

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Rootca Cps

Uploaded by

Copyright:

Available Formats

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement Release v1.0.0

Huawei Technologies Co., Ltd.

Copyright 2011 Huawei Technologies Co., Ltd.

All rights reserved.

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement

Copyright 2011 Huawei Technologies Co., Ltd.

All rights reserved.

Huawei Equipment CA Certification Practice Statement

Currently, the HWCA hierarchy consists of the following CAs:

Copyright 2011 Huawei Technologies Co., Ltd.

All rights reserved.

Huawei Equipment CA Certification Practice Statement

Document Name and Identification

Copyright 2011 Huawei Technologies Co., Ltd.

Huawei Equipment CA Certification Practice Statement periodically.

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement

Definitions and Acronyms

CAs are Huaweis electronic certification

Copyright 2011 Huawei Technologies Co., Ltd.

Huawei Equipment CA Certification Practice Statement state of digital certificate LDAP

It is Public Key Cryptography Standard

Copyright 2011 Huawei Technologies Co., Ltd.

All rights reserved.

Huawei Equipment CA Certification Practice Statement

2 Information publication and management

Publication of certification information

Time or frequency of publication

Access controls on repositories

Huawei Equipment CA Certification Practice Statement

Copyright 2011 Huawei Technologies Co., Ltd.

All rights reserved.

Huawei Equipment CA Certification Practice Statement

3 Identification and Authentication

No applicable 3.1.5 Uniqueness of names

Huawei Equipment CA Certification Practice Statement

Initial Identity Validation

Huawei Equipment CA Certification Practice Statement

Huawei Equipment CA Certification Practice Statement 3.2.5 Validation of authority

Identification and Authentication for Re-key Requests

Identification and authentication for Revocation Requests

Huawei Equipment CA Certification Practice Statement

Copyright 2011 Huawei Technologies Co., Ltd.

All rights reserved.

Huawei Equipment CA Certification Practice Statement

4 Certificate Life-Cycle Operational Requirements

Certificate Application Processing

Certificate application approval

Huawei Equipment CA Certification Practice Statement

Publication of the certificate by the CA

Huawei Equipment CA Certification Practice Statement

Key Pair and Certificate Usage

Huawei Equipment CA Certification Practice Statement

Certificate key renewal

Copyright 2011 Huawei Technologies Co., Ltd.

Huawei Equipment CA Certification Practice Statement Not applicable.

Certificate revocation and hang up

Copyright 2011 Huawei Technologies Co., Ltd.

Huawei Equipment CA Certification Practice Statement