Practices Updates and Notices

From time to time, SafeScrypt may update the SafeScrypt CPS and other documents, and may otherwise need or desire to convey other important information. This Practices Updates and Notices Section provides a central location to communicate such information. Depending upon the terms of the agreement that you accepted as part of your enrollment process, you may be bound by the changes in this Updates and Notices Section.

Practices Updates and Notices Entry #1.2-01
Netscape Access Control Class 1 Certificate
Date of Publication:
Effective immediately upon publication

Practices Updates and Notices Entry #1.2-02
Server OnSiteSM Certificates
Date of Publication:
Effective immediately upon publication

Practices Updates and Notices Entry #1.2-03
Certificate Revocation Lists (CRLs)
Date of Publication:
Effective immediately upon publication

Practices Updates and Notices Entry #1.2-04
RSA Secure Server Certification Authority
Date of Publication:
Effective immediately upon publication

Practices Updates and Notices Entry #1.2-05
Key Management
Date of Publication:
Effective immediately upon publication

Netscape Access Control Class 1 Certificate

Practices Updates and Notices Entry #1.2-01
Amends: CPS Version 1.2
Date of Publication:
Effective date: Immediately upon publication (Note: This amendment does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, this amendment is deemed non-material in nature and effective immediately upon publication.)

About this Entry

SafeScrypt's CPS permits it to place amendments to its Certification Practice Statement in the form of an entry in the Practices Updates and Notices section of the SafeScrypt repository. (See CPS) This entry in the Practices Updates and Notices section (this "Entry") is such an amendment. This Entry does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, SafeScrypt has deemed this Entry non-material in nature in accordance with the CPS (See CPS) and effective immediately upon publication. This Entry supersedes any provisions of the CPS that conflict with, or are designated in, this Entry. (See CPS) Although this Entry amends the CPS, if you request, use, or rely upon certificates, you still have an obligation to read the entire CPS.

Amendment

SafeScrypt will be offering a new type of Class 1 certificate for access control. The following features of these certificates are different from the features of SafeScrypt's other Class 1 certificates:

  • These certificates are intended to be used exclusively for access control purposes and shall not be used to send and receive secure E-mail.
  • A unique name appears in these certificates to distinguish them from other types of Class 1 certificates.
  • Revocation at the request of a subscriber is not supported.
  • The operational period of these certificates will be not less than ten (10) years. Other Class 1 certificates are issued with a one-year validity period.

Please take these changes into consideration when you request, use, or rely upon access control Class 1 Certificates. Please see SafeScrypt's CPS for important details and specifically CPS (concerning Class 1 certificates).

Server OnSiteSM Certificates

Practices Updates and Notices Entry #1.2-02
Amends: CPS Version 1.2
Date of Publication:
Effective date: Immediately upon publication (Note: This amendment does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, this amendment is deemed non-material in nature and effective immediately upon publication.)

About this Entry

SafeScrypt's CPS permits it to place amendments to its Certification Practice Statement in the form of an entry in the Practices Updates and Notices section of the SafeScrypt repository. (See CPS) This entry in the Practices Updates and Notices section (this "Entry") is such an amendment. This Entry does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, SafeScrypt has deemed this Entry non-material in nature in accordance with the CPS (See CPS) and effective immediately upon publication. This Entry supersedes any provisions of the CPS that conflict with, or are designated in, this Entry. (See CPS) Although this Entry amends the CPS, if you request, use, or rely upon certificates, you are also bound by the CPS provisions unaffected by this amendment.

Amendment

SafeScrypt will be offering a new service to assist organizations with more than one server to obtain Class 3 certificates. Currently, SafeScrypt only permits non-SafeScrypt organizational LRAs ("OnSite Customers") to assist affiliated individuals in applying for certificates, approving certificate applications, and (where necessary) revoking their certificates ("OnSite Customer Functions") relating to Class 2 certificates. This amendment will permit certain OnSite Customers to perform OnSite Customer Functions for Class 3 organization certificates, subject to SafeScrypt's Class 3 OnSite Agreement, CPS, and the requirements below.

OnSite Customers may only approve Class 3 organization certificate applications if the application is submitted by an individual or entity whose affiliation with the OnSite Customer is ascertainable by the OnSite Customer via appropriate internal documentation (such as human resources employee, independent contractor, and other appropriate business records) and the domain name and organizational name listed in the certificate application are the same as the domain name and organizational name of the OnSite Customer. The domain name listed in the certificate application may also contain additional domain levels (for example, the domain name xxx.company.com listed in a certificate application would be considered the same as the domain name company.com of the corresponding OnSite Customer).

All Class 3 organization certificates issued by SafeScrypt following an OnSite Customer's approval of a certificate application shall contain a distinguished name that conforms to SafeScrypt's naming conventions and states the affiliation of its subject. OnSite Customers, and not SafeScrypt, are responsible for approving or not approving certificate applications and requesting revocation of the corresponding certificates. Consequently, SafeScrypt and IAs disclaim all such responsibility.

Please take these changes into consideration when you request, use, or rely upon Class 3 organization certificates. Please see SafeScrypt's CPS for important details and specifically CPS (Class 3 Certificates), CPS (Local Registration Authorities (LRAs) and LRA Administrators (LRAAs)), and CPS (Local Registration Authority Administrator (LRAA) Requirements).

Certificate Revocation Lists (CRLs)

Practices Updates and Notices Entry #1.2-03
Amends: CPS Version 1.2
Date of Publication:
Effective date: Immediately upon publication (Note: This amendment does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, this amendment is deemed non-material in nature and effective immediately upon publication.)

About this Entry

SafeScrypt's CPS permits it to place amendments to its Certification Practice Statement in the form of an entry in the Practices Updates and Notices section of the SafeScrypt repository. (See CPS) This entry in the Practices Updates and Notices section (this "Entry") is such an amendment. This Entry does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, SafeScrypt has deemed this Entry non-material in nature in accordance with the CPS (See CPS) and effective immediately upon publication. This Entry supersedes any provisions of the CPS that conflict with, or are designated in, this Entry. (See CPS) Although this Entry amends the CPS, if you request, use, or rely upon certificates, you are also bound by the CPS provisions unaffected by this amendment.

Amendment

This Entry clarifies that certificate revocation lists ("CRLs") are copyrighted by SafeScrypt and, like certificates, are considered the property of SafeScrypt. Specifically, this Entry adds CRLs to a portion of CPS as follows.

Certificates and CRLs issued by SafeScrypt CAs and SafeScrypt subordinate CAs contain a copyright notice: "Copyright ©2000 SafeScrypt, All Rights Reserved" or "©00" in connection with SafeScrypt. Permission is hereby granted to reproduce and distribute certificates and CRLs on a nonexclusive, royalty-free basis, provided that they are reproduced and distributed in full, except that certificates and CRLs shall not be published in any publicly accessible repository or directory without the express written permission of SafeScrypt.

Please take these changes into consideration when you request, use, or rely upon CRLs. Please see SafeScrypt's CPS for important details and specifically CPS (Property Interests in Security Materials).

RSA Secure Server Certification Authority

Practices Updates and Notices Entry #1.2-04
Amends: CPS Version 1.2
Date of Publication:
Effective date: Immediately upon publication (Note: This amendment does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, this amendment is deemed non-material in nature and effective immediately upon publication.)

About this Entry

SafeScrypt's CPS permits it to place amendments to its Certification Practice Statement in the form of an entry in the Practices Updates and Notices section of the SafeScrypt repository. (See CPS) This entry in the Practices Updates and Notices section (this "Entry") is such an amendment. This Entry does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, SafeScrypt has deemed this Entry non-material in nature in accordance with the CPS (See CPS) and effective immediately upon publication. This Entry supersedes any provisions of the CPS that conflict with, or are designated in, this Entry. (See CPS) Although this Entry amends the CPS, if you request, use, or rely upon certificates, you are also bound by the CPS provisions unaffected by this amendment.

Amendment

SafeScrypt approves and designates the RSA Secure Server Certification Authority (the "RSA CA") as an issuing authority within SafeScrypt's Public Certification Services ("PCS"). The RSA CA employs certificate issuance, management, revocation, and renewal practices that are materially consistent with those of Class 3 issuing authorities ("IAs") within SafeScrypt's PCS, and RSA CA-issued certificates shall therefore be considered to provide assurances of trustworthiness comparable to Class 3 certificates issued to organizations.

The RSA CA is a root IA (and therefore shall not be certified under any other IA) and shall issue certificates to end-user Subscribers.

Please take these changes into consideration when you request, use, or rely upon certificates issued by the RSA CA. If you have further questions, E-mail to support@safescrypt.com or contact customer service at:

SafeScrypt Ltd, No. 667-668, Keshava Towers,
11th Main, 4th Block, Jayanagar
Bangalore-560011

Board: 91-80-26555104 | Direct: 91-80-26555093

Fax: 91-80-6555300

Key Management

Practices Updates and Notices Entry #1.2-05
Amends: CPS Version 1.2
Date of Publication:
Effective date: Immediately upon publication (Note: This amendment does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's certificates are not available until that time. Therefore, this amendment is deemed non-material in nature and effective immediately upon publication.)

About this Entry

SafeScrypt's CPS permits it to place amendments to its Certification Practice Statement in the form of an entry in the Practices Updates and Notices section of the SafeScrypt repository. (See CPS) This entry in the Practices Updates and Notices section (this "Entry") is such an amendment. This Entry does not affect the rights or obligations of any subscriber or other party within SafeScrypt's PCS on the date of publication because SafeScrypt's PCS are not available until that time. Therefore, SafeScrypt has deemed this Entry non-material in nature in accordance with the CPS (See CPS) and effective immediately upon publication. This Entry supersedes any provisions of the CPS that conflict with, or are designated in, this Entry. (See CPS) Although this Entry amends the CPS, if you request, use, or rely upon certificates, you are also bound by the CPS provisions unaffected by this amendment.

Amendment

I. Introduction

The "SafeScrypt Key Recovery Service" is a SafeScrypt service used in conjunction with special hardware and software offered through SafeScrypt that can provide customers using SafeScrypt's OnSiteSM service with the ability to generate, back up, and recover end-user subscribers' private keys used for encryption purposes and to securely transfer a copy of such keys to the end-user subscribers. (For customers choosing to use single key systems, these private keys may also be used for authentication purposes.) SafeScrypt and the SafeScrypt Key Recovery Service do not have access to, control over, or possession of subscribers' private keys. Rather, subscribers' private keys are stored in a database at the customer's site.

OnSiteSM customers ("OnSite Customers") are referred to in the CPS as non-SafeScrypt organizational Local Registration Authorities ("LRAs"). SafeScrypt provides the SafeScrypt Key Recovery Service and accompanying hardware and software ("OnSite Key Manager Software") to OnSite Customers under agreement with SafeScrypt.

Key management is a solution to the problem of subscribers misplacing or losing access to their private keys. SafeScrypt's Key Recovery Service permits OnSite Customers to recover a subscriber's private key after such a loss. Without this capability, valuable information may not be recoverable when a private key is misplaced or lost. Key management also gives OnSite Customers the ability to recover subscribers' private keys in other circumstances for the OnSite Customers' business purposes, for example in the event of the death or incapacitation of the subscriber.

The private keys themselves are stored in an encrypted database at the OnSite Customer's site. The OnSite Customer can recover a subscriber's private key by contacting the SafeScrypt Key Recovery Service at SafeScrypt's secure data center and completing an established set of security procedures. The SafeScrypt Key Recovery Service then provides a key that can decrypt the subscriber's encrypted private key.

Relying parties can determine that such a private key may be subject to recovery where the certificate's subject name contains a reference to a special relying party agreement ("Key Management Relying Party Agreement"), namely the string "RPA1 STRING," or a similar string referring to http://www.safescrypt.com/repository/updates/underconstruction.html. The Key Management Relying Party Agreement includes notice that the private key corresponding to the public key in the certificate is subject to key recovery.

AS A CONDITION TO THE RELIANCE UPON OR OTHER USE OF ANY CERTIFICATE SUBJECT TO KEY MANAGEMENT, THE RELYING PARTY SHALL AGREE TO THE TERMS OF THE KEY MANAGEMENT RELYING PARTY AGREEMENT.

RELYING PARTIES SHOULD RECOGNIZE THAT AN ONSITE CUSTOMER IS CAPABLE OF RECOVERING THE PRIVATE KEY OF A SUBSCRIBER TO WHICH IT HAS ISSUED A CERTIFICATE. THE ONSITE CUSTOMER MAY HAVE LEGITIMATE BUSINESS REASONS FOR RECOVERING A SUBSCRIBER'S PUBLIC KEY, EVEN WITHOUT THE CONSENT OF THE SUBSCRIBER. THEREFORE, THE ONSITE CUSTOMER MAY BE CAPABLE OF DECRYPTING ENCRYPTED MESSAGES THAT RELYING PARTIES SEND TO THAT SUBSCRIBER WHEN IT GAINS ACCESS TO SUCH MESSAGES. RELYING PARTIES SHOULD KEEP THIS IN MIND WHEN CONSIDERING THEIR EXPECTATIONS OF PRIVACY WHEN SENDING ENCRYPTED MESSAGES TO THESE SUBSCRIBERS.

WHEN PROPERLY IMPLEMENTED AND WITH PROPER USE, THE SAFESCRYPT KEY RECOVERY SERVICE CAN ENHANCE THE RELIABILITY OF AN ONSITE CUSTOMER'S KEY MANAGEMENT IMPLEMENTATION. IN THE UNLIKELY EVENT OF MISUSE BY THE ONSITE CUSTOMER OR UNAUTHORIZED PERSONS, HOWEVER, AN ONSITE CUSTOMER COULD DECRYPT MESSAGES IN ITS POSSESSION. ALSO, WHERE AN ONSITE CUSTOMER HAS NOT ENABLED THE GENERATION OF SEPARATE KEYS FOR CREATING DIGITAL SIGNATURES AND ENCRYPTION, THE ONSITE CUSTOMER MAY BE ABLE TO USE A RECOVERED PRIVATE KEY TO SEND DIGITALLY SIGNED MESSAGES APPEARING TO BE FROM THE SUBSCRIBER.

II. Implications for SafeScrypt's Certification Infrastructure

Certificates issued by OnSite Customers to individuals are Class 2 Certificates. OnSite Customers validate identity and approve the certificate applications of their subscribers based on the business records and other credentials in the possession of the OnSite Customer. When an OnSite Customer wishes to obtain key management services from SafeScrypt, it must become a non-SafeScrypt issuing authority within the SafeScrypt Public Certification Services.

OnSite Customers obtaining key management services from SafeScrypt ("Key Management Customers") generate, back up, and can recover the private keys of their end-user subscribers. Therefore, such key management is an exception to the otherwise general rule that subscribers must generate their own private keys, and exclusively maintain the secrecy of their private keys, and prevent their disclosure to any other party as set forth in CPS and as implied elsewhere in the CPS.

Key Management Customers must issue certificates with an "enhanced" organizational unit field containing a string referring to the Key Management Relying Party Agreement, which is set forth in Section I above. They also must issue certificates containing appropriate notifications in X.509 v3 extensions, such as a CPS Pointer Qualifier containing the URL of the Key Management Relying Party Agreement or an alternative extension acceptable to the SafeScrypt naming authority. In addition, the User Notice Qualifier contains text that provides notice to potential relying parties about key recovery.

III. Implications for Certification Operations

SafeScrypt's right to investigate compromises in CPS includes the right to investigate any compromise of subscribers' private keys, key recovery information, and systems that generate, back up, or recover private keys, or transfer copies of such keys to the applicable subscribers. Circumstances indicating compromise include, but are not limited to, compromises in the security of a Key Management Customer's key management database, systems, or private keys. OnSite Customers must implement and maintain trustworthy systems under CPS and preserve an audit trail under CPS. OnSite Customers' contingency planning and disaster recovery pursuant to CPS shall include Customer's key management systems and the database of encrypted private keys. Administrators performing key management functions ("Key Manager Administrators") are considered as serving in a trusted position pursuant to CPS § 3.14.1. Facilities security under CPS is described in more detail in the Key Manager Administrator's Handbook (available at www.safescrypt.com/repository).

Key Management Customers should be aware that law enforcement officials, litigants in civil cases, and others may seek information from SafeScrypt in an effort to obtain key recovery information by way of a search warrant, subpoena, request for production of tangible things, or other similar procedure. Although the SafeScrypt Key Recovery Service is never in possession of any subscriber's private key, SafeScrypt shall be entitled to comply appropriately with requests or demands for key recovery information pursuant to such judicial or administrative processes.

IV. Implications for Revocation

Key Management Customers shall revoke the certificates of subscribers to whom they have issued a certificate if there has been a loss, theft, modification, unauthorized disclosure, or other compromise of the private key of the subscribers. SafeScrypt shall be entitled to revoke such certificates, or the certificates of the Key Management Customer, if it reasonably believes that a loss, theft, modification, unauthorized disclosure, or other compromise of the private keys of such subscribers has occurred. Circumstances indicating compromise include, but are not limited to, compromises in the security of a Key Management Customer's key management database, systems, or private keys.