TrustAsia Certificate Policy and Certification Practice Statement for Global Trusted Service (CP&CPS)

TrustAsia Technologies, Inc. (abbreviated as "TrustAsia") was established in April 2013. In December 2020, TrustAsia CA passed the qualification review by the State Cryptography Administration Office of Security Commercial Code Administration (abbreviated as OSCCA) and was granted the "Electronic Authentication Service License" by OSCCA (License number: 0060). In November 2021, TrustAsia CA obtained the "License for Electronic Certification Service Provider" issued by the Ministry of Industry and Information Technology (License number: ECP31010421056).

TrustAsia CA was granted "ISO9001 quality management system certification", "ISO 27001 information security management system certification", and "ISO22301 business continuity management system certification" by China Quality Certification Centre (CQC), all of which were accredited by China National Accreditation Service for Conformity Assessment (CNAS) and the International Accreditation Forum (IAF).

TrustAsia CA is an outstanding domestic cyber security digital certificate and security monitoring solution provider. Its brand, TrustAsia, located in the field of information security, specializes in providing internationally renowned brand digital certificates and cyber security management solutions, which is recognized and trusted by the field of cyber security.

With the internationally standardized operational management and service level capability, we will provide globalized electronic authentication services for users with requirements on telecommunication and information security aspects in a variety of industries.

Under different application scenarios and algorithms, TrustAsia CA sets up the following root certificates:

This Certificate Policy and Certification Practice Statement (CP&CPS) is compiled with the "Measures for the Administration of Electronic Certification Services" and "Rules for electronic authentication business (for trial implementation)" issued by the Ministry of Industry and Information Technology of the People’s Republic of China.

This CP&CPS describes how TrustAsia CA carries out electronic certification business, including the business methods and processes of applying, approving, issuing, managing, revoking and updating certificates, as well as the corresponding service, legal and technical measures and safeguards for electronic certification participants to understand and follow.

The contents described in this CP&CPS follow these policies, guidelines and requirements:

TrustAsia CA will periodically review its updates and will continue to revise the CP&CPS. If there is any inconsistency between this CP&CPS and the relevant standard specifications, then the above officially issued specifications shall be prevailed. TrustAsia CA will notify the CA/Browser Forum if any of the provisions in the EV Guidelines is determined to be illegal by Chinese laws, regulations or government agencies.

CA/B Forum OID ({joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1)}):

TrustAsia OID ({iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) 44494}):

Certification Authority (CA) refers to all entities authorized to issue public key certificates.

TrustAsia CA is a Certification Service Organization established according to law. It has become the main body of Certification activities by issuing digital certificates to all parties engaged in electronic transactions and providing digital certificate verification services.

As an agent of multiple CAs, TrustAsia CA executes functions related to public key operations, including receiving certificate requests, issuing, revoking and updating digital certificates, maintaining, issuing and publishing CRL and OCSP responses. For general information about TrustAsia CA’s products and services, please visit www.trustasia.com.

On behalf of CA, the Registration Authority (RA) establishes the certificate application process, including confirming the identity of the certificate applicant (Subscriber), approving or refusing the certificate application, approving the Subscriber’s certificate revocation request or directly revoking the certificate, and approving the Subscriber’s certificate update request.

In addition to assuming the role of CA, TrustAsia CA will act as RA, and no longer set up a separate RA.

Subscribers are all end-users who obtain certificates from TrustAsia CA, either individuals, institutions, or equipment. Contracts are usually signed between TrustAsia CA and Subscribers to obtain certificates and assume responsibility as certificate subscribers by subscribers.

Subscribers are not always identified in the certificate, such as when the certificate is issued to the employee of the organization. The subject of the certificate is the party specified in the certificate. As used in this article, Subscribers may refer to the subject of the certificate and the entity that signed the certificate contract with TrustAsia CA. Before verifying the identity and issuing the certificate, the Subscriber is the applicant. In the application of electronic signature, the electronic signer and the certificate holder are the same object (Subscriber).

Relying parties are entities engaged in related activities based on trust in certificates and/or digital signatures issued by TrustAsia CA. The relying party can or may not be a Subscriber.

Other participants refer to other entities that provide related services for TrustAsia CA certification activities.

The certificate issued in accordance with this CP&CPS can be used for all identity authentication, encryption, access control, and digital signatures, specified by the key usage and extension key usage fields in the certificate.

The digital certificate issued by TrustAsia CA is functionally limited and can only be used for the appropriate purpose of the principal identity represented by the certificate. For the utilization of certificates exceed the scope of this CP&CPS, it will not be protected by this CP&CPS.

The certificates issued by TrustAsia CA are prohibited from being used in any case of a violation of national laws, regulations or the destruction of national security, from being used for man-in-the-middle (MITM) attack, and from being used under any criminal activity or any related business prohibited by law, otherwise the legal consequences arising therefrom shall be borne by the Subscriber.

TrustAsia CA certification system can provide formal certificates and test certificates. The formal certificate is issued by TrustAsia CA formal certification system and must be strictly authenticated in accordance with the provisions of CP&CPS.

The test certificate is issued by TrustAsia CA Test Certification system, and the certificate is untrustworthy. It is generally used to test the certificate application process, system applicability and technical feasibility, and cannot be used for any official purpose. Because the application scenarios in which digital certificates are used to process or protect information are very wide and different, relying parties must evaluate the applicability of their own application scenarios and the related risks in determining whether or not to issue certificates according to this CP&CPS. It covers different types of subscriber certificates and has different levels of protection. The following table describes the application scenarios for each certificate.

The governing body of this CP&CPS is the TrustAsia CA Security PolicyCommittee, which is responsible for formulating, approving, issuing, implementing, updating and revoking this CP&CPS. The TrustAsia CA Security PolicyCommittee is composed of appropriate representatives from the management of the company who are responsible for operational security, technical security, customer service and talent security. The Committee is responsible for the daily work of the external consulting service of this policy document.

TrustAsia CA Security Policy Committee is the main body of the policy formulation, and is also the highest authority to review and approve the CP&CPS.

This CP&CPS is compiled by the CP&CPS compilation team which is organized by Security Policy Committee of TrustAsia CA. When the compilation of this CP&CPS is finished, it will be submitted to Security Policy Committee for audit. After the approval by Security Policy Committee, it is published on the official website of TrustAsia CA.

This CP&CPS is revised annually in accordance with the country’s policies and regulations, technical requirements, business development and the latest requirements of BR and EVG issued by CA/Browser Forum. The CP&CPS compilation team will prepare the CP&CPS revision contents according to the relevant conditions and submit to the Security Policy Committee for review. After the approval of the Committee, the version number is incremented, the release time, the effective time and the revision record are updated, and it is officially released on the website of TrustAsia CA.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this CP&CPS shall be interpreted in accordance with RFC 2119.

This document omits time and time zones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC+8 (Beijing Time).

TrustAsia CA repositories will be posted on the official website (https://www.trustasia.com/cps) in a timely manner or in other possible forms as needed. The contents of the release include CA certificates, CP&CPS amendments and other materials, which must be consistent with CP&CPS and related laws and regulations.

TrustAsia CA issues a Subscriber’s certificate and certificate revocation list (CRL) through HTTP. The Subscriber or relying party may obtain the CRL information from the CRL distribution point address in the certificate issued by TrustAsia CA. Each CRL issued by TrustAsia CA contains an incremental serial number.

TrustAsia CA provides Online Certificate Status Protocol (OCSP). Subscribers or relying parties can query the status information of certificates in real time.

TrustAsia CA CP&CPS can be obtained through repositories by 7d*24h. The release of CP&CPS is at least once every 365 days.

TrustAsia CA will follow the changes of the CA/Browser Forum standard on a regular basis and adjust the CP&CPS in a timely manner to meet the standard.

TrustAsia CA publishes CRL for Subscriber certificates on a daily basis; CRL for child CA certificates at least once every12 months. If the condition is that the child CA certificate being revoked occurs, the CRL for CA certificate must be updated within 24 hours.

The digital certificate issued by TrustAsia CA complies with the X.509 standard and is assigned to the unique distinguished name of the certificate holder and is named in the X.500 standard. Its naming practices are compliant with RFC 5280, the Baseline Requirements, and the EVG. The certificate of TrustAsia CA contains the identification of the issuer and the certificate Subscriber’s principal, identifies the identity and other attributes of the certificate applicant, and records its information in a different identification. The identity of the certificate holder is named and is included in the certificate subject in the form of a distinguished name and is the only distinguished name of the certificate holder.

For SSL/TLS server certificates, all domain names or IP addresses are added to the subject alias, while the Common Name is the primary or IP address and must be a domain name or IP address that appears in the subject alias. For Internationalized Domain Names (IDNs), TrustAsia CA may include the punycode version of the IDN as a subject name or subject alternative name.

In the subjectAltName extension or subject:commonName field of SSL/TLS server certificates, the reserved private IP addresses or internal names will not be included in them. In the dNSName entries of the certificate, the underscore ("_") characters will not be included in them.

For OV SSL/TLS server certificates, all domain names or IP addresses are added to the subject alias, while the Common Name is the primary or IP address and must be a domain name or IP address that appears in the subject alias.

In the subjectAltName extension or subject:commonName field of DV and EV SSL/TLS server certificates, IP addresses will not be included. EV SSL/TLS server certificates do not contain wildcard.

The naming rules and requirements of all types of certificates are documented in this CP&CPS and comply with the requirements of CA/Browser Forum.

Naming rules of issuer’s DN are as follows:

Naming rules of Subscriber’s DN are as follows:

Naming rules of EV certificate Subscriber’s DN are as follows:

TrustAsia CA uses the DN (Distinguished Name) to identify the entity that is the subject of the certificate and the entity is the issuer of the certificate, The names in the DN have representative meanings and can be related to the identities and specific properties of the final entities that use the certificates. The common name identifies the end entity’s particular name mentioned by this certificate. Identifier describes information of the specified entity with bound public key.

The name contained in Subscriber certificate has certain representative significance, and the principal identification name contained in it should be able to clearly determine the certificate holder and the network host server to be identified, or the Internet domain name, and can be identified by the relying party. The Distinguished Name of the subject shall comply with the requirements of laws and regulations and other relevant provisions.

Subscribers of certificates described in this CP&CPS must use real names when applying for certificates. However, for Sponsor-validated S/MIME certificates, the value of DN can use assumed name for organization name, pseudonym for individual information; for Organization-validated S/MIME certificates, the value of DN can use assumed name for organization name. Both organization’s assumed name and individual’s pseudonym must be authenticated and validated by TrustAsia CA.

A certificate issued by TrustAsia CA conforms to X.509 V3. The format of DN conforms to X.500, and naming rules of DN are defined by TrustAsia CA.

DN of certificate must be unique for different subscribers in TrustAsia CA trust domain, and same DNs cannot be allowed as the subject name of the certificates of different Subscribers. TrustAsia CA can issue more than one certificates using the unique DN for one Subscriber. When DN is not unique to different subscribers, the first applicant has the priority to use the DN, and the latter could add more additional information to distinguish from others.

The uniqueness of each subject name in the certificate is as follows:

The certificate applicant shall not use names that may infringe upon others' intellectual property rights in their certificate application. The certificate issued by TrustAsia CA does not verify the Subscriber’s right to use the trademark, nor responsible for resolving any trademark related disputes. TrustAsia CA can reject or revoke the relevant certificate in dispute with the trademark.

The certificate applicant must prove that he or she properly holds the private key corresponding to the public key contained in the certificate by submitting the digitally signed PKCS#10 format Certificate Signature Request (CSR), or by signing the CSR provided to the Finalize method of the ACME Protocol defined in RFC 8555, Section 7.4.

If the Applicant’s identity is a natural person, TrustAsia CA will review the Applicant’s name, address, and the authenticity of the certificate application. In the case of a personal identification certificate, TrustAsia CA will perform different identity authentication methods based on the different types of certificates applied by the individual. In general, the higher the certificate category, the higher the security level, the stricter the authentication method, and the more comprehensive the authentication content.

The Applicant needs to prove that he or she has control over some of the identity properties contained in the request, such as the e-mail address or domain name involved in the certificate in the certificate request. Applicants may also be required to submit clear copies of valid government-issued documents with photographs (such as identity cards, passports, driver’s permits, military officers' certificates or other equivalent documents). TrustAsia CA verifies that copies of the documents match the requested names and that other relevant information is correct.

TrustAsia CA identifies and validates in one or more of the following ways:

In addition, if necessary, TrustAsia CA can also set up other required authentication methods and data. The Applicant has an obligation to ensure the authenticity and validity of the application materials and to bear the relevant legal liability.

For Subscriber certificates issued by TrustAsia CA, TrustAsia CA establishes evaluation criteria to identify potentially high-risk fraud certificate requests. TrustAsia CA can directly reject certificate requests identified as "high risk".

In general, in addition to the need for explicit and reliable authentication of the identity information required by the type of certificate. For the Subscriber information that is not required to be verified, TrustAsia CA does not commit to the authenticity of the relevant information and does not assume the relevant legal responsibility.

The information in the certificate must be verified with a trusted third-party source of information, and the unverified information must not be written to the certificate.

When an institutional Subscriber authorizes the Applicant’s representative to handle the certificate business, TrustAsia CA will use the sources listed in Section 3.2.3 to obtain reliable means of communication to verify the authenticity of the Applicant’s application. TrustAsia CA can confirm the authenticity of the certificate application directly with the Applicant’s representative, or with the department with authority within the Applicant’s organization, such as the Applicant’s main business office, the company’s office, Human Resources Office, Information Technology Office or such other department as TrustAsia CA thinks fit.

TrustAsia CA also allows the Applicant to provide authorization letters, employment certificates or any equivalent means to verify that it belongs to the above-mentioned institution and that its representative conduct is authorized by the agency.

In addition, TrustAsia CA allows Applicants to designate independent individuals to apply for certificates. TrustAsia CA does not accept any request for a certificate beyond that authorization if the Applicant specifies in writing an independent individual who can apply for a certificate. Upon receipt of a verified written request from the Applicant, TrustAsia CA will provide the Applicant with a list of its authorized personnel.

For other electronic certification services, they can interoperate with TrustAsia CA, but the CP&CPS of the electronic certification service must meet the TrustAsia CA CP&CPS requirements and a corresponding agreement must be signed with TrustAsia CA.

If there are relevant provisions in national laws and regulations, TrustAsia CA will strictly implement the provisions.

So far, TrustAsia CA has not issued any cross-certificate.

TrustAsia CA supports certificate Subscribers to make key update requests during the validity period, and Subscribers can choose to generate a new key pair to replace the key pair in use or the key pair that is about to expire.

There are two types of certificate key update: the reissue and the replacement.

TrustAsia CA does not provide Re-key/renewal after revocation.

An Applicant or an individual authorized to apply for a certificate on behalf of an Applicant may file a certificate application. The Applicant is responsible for any data provided to TrustAsia CA by it or the authorized representative.

The EV certificate request must be submitted by an authorized certificate applicant and approved by the certificate approver. The certificate application must be accompanied by a (written or electronic) Subscriber Agreement signed by the Contract Signer.

When TrustAsia CA receives a Subscriber’s certificate request, the TrustAsia CA Verification Team will identify and authenticate the Subscriber’s identity as required in Section 3.2 of the CP&CPS. TrustAsia CA maintains systems and processes to fully verify the identity of the Applicant in accordance with CP&CPS. The content of communication through telephone, fax or email will be stored securely together with the information provided by the Applicant directly through TrustAsia CA web interface or the API.

TrustAsia CA will establish and maintain a high-risk database list of SSL certificates based on certificates that have been denied or revoked for suspected or identified phishing or other fraudulent purposes, and will query the list information when accepting certificate applications. For Subscribers that appear in the list, TrustAsia CA has the right to reject the certificate request or perform additional authentication.

TrustAsia CA performs an CAA record check on each DNS Name in the issued certificate subject alias extension and determines whether the certificate application is approved according to the inspection method and results in Section 4.2.4 of the CP&CPS.

When conducting identity identification and authentication, the TrustAsia CA Verification Team will enforce rigorous control procedures for the separation of validation duties to ensure that no one person can single-handedly validate and authorize the issuance of an Individual-validated, Organization Validation or Extended Validation Certificate. One validation specialist will strictly follow the regulations as outlined in Section 3.2, and complete the initial validation of the certificate request. The validation content includes but is not limited to: utilizing a trusted database to examine information; completing the validation of the Applicant, Contract Signer, Certificate Requester and Certificate Approver; collecting and verifying all related information and documents. A second validation specialist will review the collected materials and check all of the validation items and validation procedures. The second specialist shall not participate in the information collection procedure. Only if the information is reviewed and approved by the second specialist can the certificate be issued. The entire procedure of identity identification and authentication conducted by the TrustAsia CA Verification Team will be recorded and be audited.

If some or all of the identity authentication data is not in the official language of TrustAsia CA, TrustAsia CA will use properly trained personnel with sufficient experience and judgment ability to complete the final cross-audit and due diligence.

After the verification is completed, the TrustAsia CA Verification Team will decide to accept, refuse the application or request the applicant to submit additional relevant materials based on the verification results.

For the purpose of authenticating the information contained in the Individual-validated, Organization Validation and Extended Validation Certificates, if the previous validation data or documentation obtained by TrustAsia CA from a source specified under Section 3.2 of this CP&CPS is no more than 398 days and has not changed, TrustAsia CA may use such data or documentation. For validation of domain names and IP addresses according to Section 3.2.2.4 and Section 3.2.2.5 of this CP&CPS, the prior validation can be reused in accordance with the stipulation in the following table.

TrustAsia CA does not issue certificates containing internal names or reserved IP addresses.

Effective September 15, 2025, TrustAsia CA does not issue certificates containing a domain name whose Top-Level Domain is arpa.

Under normal circumstances, TrustAsia CA validates Subscriber information and issues certificates within a reasonable time frame. Unless otherwise stated in an agreement or other agreement with the Subscriber concerned, the processing time for the completion of the certificate application is not specified.

The time of certificate processing depends to a large extent on when the Subscriber provides the details and documents needed to complete the verification and whether to respond to the management requirements of TrustAsia CA in a timely manner. The application for a certificate will remain valid until it is rejected.

For SSL/TLS Server Certificates, TrustAsia CA conforms to the requirements specified in Section 3.2.2.8 of CA/Browser Forum BR. TrustAsia CA checks for DNS CAA records for each domain name in the Subject Name and Subject Alternative Name of the Certificate before issuance.

TrustAsia CA processes the "issue", "issuewild", "issuemail", "iodef" property tags in accordance with RFC 8659 when processing CAA records.

When using ACME client for certificate request, CAA supports "accounturi" and "validationmethods" confirguration. "accounturi" managed by TrustAsia CA can be used to request certificate issuance and used as an object identification representing specific entity or relevant entity organization. "validationmethods" supports http-01 and dns-01.

When processing the property tags in CAA records, TrustAsia CA does not act on the contents of the "iodef" property tag. TrustAsia CA respects the critical flag and does not issue a certificate if an unrecognized property tag with this flag set is encountered.

TrustAsia CA does not issue a certificate if there is a "issue", "issuewild" or "issuemail" tag in CAA records and "issue", "issuewild" tags do not contain "trustasia.com".

For S/MIME Certificates, starting on September 15, 2024, TrustAsia CA processes the "issuemail" property tag in CAA records, as specified in RFC 9495, prior to issuing a certificate that includes an email address. The "issuemail" property tag does not conflict with "issue" and "issuewild" in SSL/TLS Server Certificates.

If there is the "issuemail" tag in CAA records, TrustAsia CA does not issue a certificate to an email address beyond domain names included in "issuemail".

TrustAsia CA treats a record lookup failure as permission to issue a certificate if:

TrustAsia CA issues a certificate within the validity period of the CAA record (the TTL of the CAA record, or 8 hours, whichever is greater). TrustAsia CA documents potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CA/Browser Forum on the circumstances.

CAA record is not applicable for Code Signing Certificates, Document Signing Certificates and Timestamp Certificates.

For Subscriber Certificates, TrustAsia CA confirms the source of the certificate request before issuing it.

In the process of issuing, the RA administrator is responsible for the examination and approval of the certificate application, and sends the request for issuing the certificate to the certificate issuing system of CA through the operation of the RA system. The certificate issuance request information sent by the RA to the CA must include the authentication and information confidentiality measures of RA, and it must be ensured that the request is sent to the correct CA certificate issuing system. After obtaining the certificate issuance request, the CA certificate issuing system authenticates and decrypts the information from the RA.

TrustAsia CA does not issue the end-entity certificate directly from its root certificates. The SSL/TLS Server Certificate to be trusted in Chrome is recorded in two or more certificate transparency databases.

Database storage and CA processes that occur during certificate issuance are protected against unauthorized modifications.

For valid certificate issuance requests, the CA certificate issuing system will send a notification to the Subscriber/Applicant after issuance.

TrustAsia CA has deployed Multi-Factor Authentication (MFA) for all the accounts that can directly issue certificates.

TrustAsia CA provides certificates in any secure manner within a reasonable time after release. Typically, TrustAsia CA will email the certificate to the e-mail address specified by the Subscriber during the certificate application process.

The Subscriber is solely responsible for installing the issued certificate on the Subscriber’s computer or hardware security module.

Subscribers are deemed to accept issued certificates, including, but not limited to:

TrustAsia CA delivers the certificate to the Subscriber as a release of the certificate. TrustAsia CA will choose to publish the certificate on multiple Certificate Transparency Log servers, as required by Google and Apple, in accordance with different utilization scenarios of Subscribers' certificates.

TrustAsia CA follows the regulations on the information base mechanism in Section 2.4 and 2.5 of this CP&CPS to issue certificates to Subscribers. Only personnel in roles authorized by CA can monitor and manage the high-risk database or alternate issuance mechanism of the information database. At the same time, the personnel in roles are authorized to maintain and manage its integrity. If required by relevant laws and regulations such as confidentiality laws, TrustAsia CA will comply with relevant requirements and make its certificate in a searchable state after obtaining the Subscriber’s consent.

TrustAsia CA does not notify other entities.

After receiving the certificate issued by TrustAsia CA, the Subscriber shall take reasonable measures to properly keep the key pair and control its use authorization.

The Subscriber shall use the key pair within the scope of the protocol, laws and regulations, CP&CPS.

The relying party shall consider the overall situation and the risk of loss before relying on the certificate.

When the relying party has received the message with digital signature, the party has the obligation to carry out the following operations to confirm:

If the above conditions are not met, it is the duty of the relying party to refuse the signature information.

For a Subscriber certificate issued by TrustAsia CA, a certificate update may be made from 30 days (inclusive) prior to the expiration of the certificate. If the Subscriber chooses to keep using the original key pair to re-issue the certificate, the Subscriber needs to ensure that the security of its key pair is not compromised. As of 30 days (inclusive) prior to the expiration of the certificate, TrustAsia CA will notify the Subscriber of the renewal of the certificate by way of a mail notification.

If the Subscriber does not change the certificate subject alias name and the related identity information when the certificate renewal request is submitted, and the verification time of the original certificate does not exceed the period specified in Section 4.2.1 of this CP&CPS, then TrustAsia CA verifies the information of the update certificate with reference to the data and the supporting documents verified by the original certificate.

Where the Subscriber needs to change some of the certificate information when submitting the certificate renewal request or the validation limitation of the original certificate has exceeded the time limit specified in Section 4.2.1 of this CP&CPS, the certificate renewal request will be verified in accordance with the process and requirements of the certificate initial application by TrustAsia CA.

If the original certificate of the Subscriber has expired, verification in accordance with the process and requirements of the initial application of the certificate is required when applying for the certificate again.

The entity requesting the renewal of the certificate is a Subscriber or other authorized representative who has applied for a TrustAsia CA certificate, and the remaining validity of the certificate is less than 30 days (inclusive).

For certificate update, the processing procedure includes application identification and authentication, certificate information verification and certificate issuance.

See CP&CPS Section 4.3.2

See CP&CPS Section 4.4.1.

See CP&CPS Section 4.4.2.

See CP&CPS Section 4.4.3.

The Subscriber can choose the certificate rekey service when the Subscriber’s certificate is as follows:

The entity requesting a certificate update is a Subscriber or its authorized representative who has applied for a TrustAsia CA certificate and whose certificate has not expired.

The processing of certificate key update request is completed by the process of certificate update request in TrustAsia CA. See CP&CPS Section 4.6.3.

See CP&CPS Section 4.3.2.

See CP&CPS Section 4.4.1.

See CP&CPS Section 4.4.2.

See CP&CPS Section 4.4.3.

Certificate change means that the Subscriber’s certificate is within its validity period, the alternate name of the certificate extension information is changed with nonupdated key, but the certificate is reissued.

The Subscriber’s request to change the name of the certificate authority is not accepted by TrustAsia CA. If the name of the authority needs to be changed, the Subscriber needs to apply for a new certificate.

The entity requesting certificate modification is a Subscriber or its authorized representative who has applied for a TrustAsia CA certificate and whose certificate has not expired.

When the Subscriber submits the application for modification of certificate information, TrustAsia CA will re-verify the certificate information. If the application data of the original certificate are available and not expired (the application data of Individual-validated, OV and EV certificate is valid for 398 days, the application data of DV certificate needs to be verified every time), the original information can be examined and verified by reference to the original data. If the above information is unavailable or overdue, then TrustAsia CA will perform validation in accordance with the initial application process and requirements before reissuing a new certificate.

See CP&CPS Section 4.3.2.

See CP&CPS Section 4.4.1.

See CP&CPS Section 4.4.2.

See CP&CPS Section 4.4.3.

The Subscribers, TrustAsia CA, or judicial officials authorized by judicial institutions can initiate revocation. Additionally, relying parties, application software suppliers, anti-virus organizations and other third parties may submit certificate problem reports informing TrustAsia CA of reasonable reasons to revoke the certificates.

For incidents involving malware, TrustAsia CA takes the following measures:

TrustAsia CA does not support a revocation request grace period.

TrustAsia CA will investigate within 24 hours of receipt of the revocation request or certificate issue report to determine whether to revoke the certificate or take other reasonable measures. If the circumstances described in Section 4.9.1.1 (1) occur, TrustAsia CA will revoke the certificate within 24 hours.

Within 24 hours after receiving a revocation request, TrustAsia CA will investigate the facts and circumstances related to the revocation request and provide a preliminary report on the findings to both the Subscriber and the entity who initiated the revocation request.

After reviewing the facts and circumstances, TrustAsia CA will work with the Subscriber and any entity reporting the revocation request to establish whether or not the certificate will be revoked or other appropriate processing measures will be taken. If the certificate is determined to be revoked, the period from receipt of the revocation request or revocation-related notice to published revocation will not exceed the time frame set forth in Section 4.9.1.1.

The date which TrustAsia CA will revoke the certificate considers the following criteria:

Certificate Revocation List CRL, as public information, does not have the security setting of reading permission, and the relying party is free to query according to the needs, including querying the Certificate Revocation List, querying the certificate status through the TrustAsia CA designated website, querying the online certificate status protocol (OCSP), and so on.

Before trusting this certificate, the relying party should actively check the status of the certificate according to the latest published CRL of TrustAsia CA, and also need to verify the reliability and integrity of the CRL to confirm the validity of the certificate.

CRL is available via a publicly-accessible HTTP URL. Within twenty-four hours of issuing the first certificate, the CA will generate and publish either:

CA issuing Subscriber Certificates will:

CA issuing CA Certificates will:

CA will continue issuing CRLs until one of the following is true:

TrustAsia CA CRL is automatically released to the public network after it is generated. The validity is usually within 1 hour and does not exceed 24 hours.

The validity interval of an OCSP response is the difference in time between the thisUpdate and nextUpdate field, inclusive. For purposes of computing differences, a difference of 3,600 seconds is equal to one hour, and a difference of 86,400 seconds is equal to one day, ignoring leap-seconds.

In the case of the following certificate serial numbers, a certificate serial is marked as "assigned":

A certificate serial is marked as "unassigned" if it is not "assigned".

The following applies for communicating the status of Certificates and Precertificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod.

OCSP responders operated by TrustAsia CA support the HTTP GET and POST method. TrustAsia CA processes the Nonce extension (1.3.6.1.5.5.7.48.1.2) in accordance with RFC 8954.

For the status of a Subscriber Certificate or its corresponding Precertificate:

For the status of a Subordinate CA Certificate, TrustAsia CA provides an updated OCSP response at least every twelve months, and within 24 hours after revoking the Certificate.

The following applies for communicating the status of certificates for which an OCSP responder is required to respond.

The OCSP response provided by TrustAsia CA complies with RFC 6960 and/or RFC 5019, and the OCSP response meets either of the following requirements:

OCSP responses for Subscriber Certificates have a validity interval greater than or equal to eight hours and less than or equal to ten days.

If the OCSP responder receives a request for the status of a certificate serial number that is "unassigned", then the responder will not respond with a "good" status. If the OCSP responder is for a CA that is not Technically Constrained in line with Section 7.1.2.3 or Section 7.1.2.5, the responder will not respond with a "good" status for such requests.

Consistent with RFC 6960.

Not applicable.

If the Subscriber or TrustAsia CA discovers or suspects the compromise of the private key, immediate measures should be taken to revoke the compromised key certificate and reissue the certificate in accordance with CP&CPS requirements.

Any relying party discovers a private key compromise can report to TrustAsia CA via an email (revoke@trustasia.com) and the email needs to provide evidence of a private key compromise:

TrustAsia CA does not support Suspension.

Not applicable.

Not applicable.

Not applicable.

Certificate status information can be obtained through CRL and OCSP responses.

For revoked certificates, TrustAsia CA does not delete its revocation records in CRL and OCSP until the certificate expires.

The round-the-clock Status Service of Certificates is provided. TrustAsia CA runs and maintains its CRL and OCSP capabilities with sufficient resources to provide 10 seconds or less response time under normal working conditions.

Under normal network conditions, the CRL of the EV CS, EV SSL certificate chain can be downloaded in no more than 3 seconds through an analogue telephone line.

TrustAsia CA maintains a continuous 7*24 ability to respond internally to a high-priority certificate problem, and where appropriate, forwards such a complaint to law enforcement authorities, and/or revoke a certificate that is the subject of such a complaint.

The OCSP responder may not apply to all of the types of certificates.

Not applicable.

Not applicable.

The TrustAsia CA’s data center and system are constructed in accordance with the following standard:

TrustAsia CA data center installs electronic access system with the following functions:

The whole area also has a video surveillance system, no blind spot monitoring, the important channels inside and outside the site to implement 7*24 hours of uninterrupted video recording. All video information is retained for at least 3 months, and videos of major events are archived separately for inquiries. Set illegal intrusion detection alarm, environmental control detection alarm, sound and light alarm, while notifying operation and maintenance personnel.

TrustAsia CA has a safe and reliable power supply system and an electric power reserve system to ensure the normal power supply for 7*24 hours and to provide normal services in the case of power supply interruptions in the power supply system. In addition, TrustAsia CA also has a diesel engine which can meet the requirement of all racks lasting for more than 12 hours under full load. The data center is equipped with air conditioning system to control the temperature and humidity in the operation facilities, and the power is configured according to the number of cabinets in each room and the full load of the equipment.

The water leakage alarm system is deployed at 1.45M above the ground in TrustAsia CA’s data center and equipped with a leakage alarm system. Once flood occurs, the system will immediately give an alarm to notify the relevant personnel to take emergency measures.

TrustAsia CA date center adopts the cabinet type heptafluoropropane automatic fire extinguishing device. The system collects fire-fighting data through the temperature and smoke fire detectors in the data center, meanwhile it provides the system with real-time processing of the alarm data of the user’s automatic fire alarm terminal and the system operation status data.

The system has two starting modes, automatic and manual operation, realizing the real-time detection and monitoring of network system and the setting of manual and automatic control mode of the system. It completes various linkage actions related to the system.

TrustAsia CA keeps the media storing software and data, archiving, auditing, or backup information in security facilities. These facilities are protected by appropriate physical and logical access control, allowing only the access of two authorized personnel and preventing these media from accidental compromise.

TrustAsia CA shreds sensitive files and materials out of use before processing to make the information unrecoverable. Before the disposal, cryptographic devices shall be initialized first and then be destroyed physically as per the method provided by the manufacturer.

At least 2 trusted personnel are present when processing the invalid content.

TrustAsia CA backups the coresystem data, audit log data at off-site location by offline media. The storage facilities fulfill the description of Section 5.1.7 media storage.

In the process of providing certification service, roles that essentially affect key operations, such as certificate issuance, use, administration, revocation, etc. will be regarded as trusted roles by TrustAsia CA. These roles include but are not limited to:

Trusted personnel are nominated by management position. The list of trusted personnel will be maintained and supervised every year.

TrustAsia CA strictly defines the controls of core missions in specific standards. Multiple trusted roles are required to jointly complete the sensitive operation. For example:

TrustAsia CA authenticates CA and RA systems before allowing the trusted roles access and executing the system, such as:

In order to ensure security of the systems, TrustAsia CA follows the trusted role segregation principle that the trusted role must be assumed by different personnel in TrustAsia CA. For EV Certificates, TrustAsia CA ensures that no one person can single-handedly validate and authorize the issuance of an EV Certificate. Such controls are auditable.

The qualification requirements of person who undertakes trusted role in TrustAsia CA are as follows:

TrustAsia CA may work with relevant government departments and investigation agencies to complete background checks on trusted employees. All trusted employees and those applying for transfer in must agree in writing to carry out background investigation. The background investigation must meet the requirements of laws and regulations, and the investigation contents, methods and personnel engaged in the investigation shall not violate laws and regulations. Background investigation shall use legal means to verify the background information of personnel through relevant organizations and departments as far as possible.

The background investigation is divided into basic investigation and comprehensive investigation. The basic survey includes work experience, career recommendation, education and social relations. In addition to the basic investigation items, the comprehensive investigation includes the investigation of criminal records, social relations and social security. It is necessary to conduct a comprehensive investigation on the key positions of the public trust certificate business.

HR review procedure includes:

In order to make the relevant personnel competent for their work, TrustAsia CA has a special training program for all the personnel of the trusted roles. The training contents include:

Each Validation Specialist must complete all the trainings above to ensure that his or her performs validation duties satisfactorily. All Validation Specialists must pass the periodic examinations arranged by TrustAsia CA to ensure that he or she has the necessary skills and abilities to fulfill their obligations.

For persons acting as trusted roles or other important roles, they shall be trained at least once a year by TrustAsia CA. Related personnel for operating authentication system should have the training of relevant skills and knowledge at least once a year. In addition, TrustAsia CA will provide ongoing training for employees irregularly according to system upgrade, strategy adjustment and other requirements.

TrustAsia CA will define and change the Job rotation cycle and the sequence based on the organization security management strategy.

When the circumstances that in-service staff use TrustAsia CA systems, perform authorization businesses without or beyond the permission, once the above circumstances are confirmed by TrustAsia CA, TrustAsia CA will immediately revoke the login certificates and simultaneously terminate the system access authorization. TrustAsia CA makes the implementation of the official notice criticism, fine, dismissal and submit judicial institutions and other measures depend on the seriousness of unauthorized behavior.

TrustAsia CA doesn’t hire external personnel engaged in the work related to certificate validation for now.

During the training or retraining, TrustAsia CA provides materials including but not limited to the following categories:

TrustAsia CA records details of the actions taken to process a certificate request and to issue a certificate, including all information generated, the documents received in relation with the certificate request, the time and date, and the personnel involved.

TrustAsia CA will record manually if the application does not record automatically.

These events include but not limited to:

Generally, the log records shall include:

TrustAsia CA checks and summarizes the system’s automatic log and operators' manual records once a month.

TrustAsia CA tracks and handles the system security log once a month to check violations of policies and other major events.

TrustAsia CA and its Timestamp Authority retain the following logs for at least two years:

Note: While these requirements set the minimum retention period, TrustAsia and the Timestamp Authority will choose a greater value as more appropriate in order to be able to investigate possible security or other types of incidents that will require retrospection and examination of past events.

TrustAsia CA audit logs are stored in the database with backup, including audit information and event records in related documents.

TrustAsia CA carries out strictly the measures of physical and logical access control to ensure that only personnel authorized by TrustAsia can be access to the records being reviewed. These records are strictly protected from unauthorized access, reading, modification and deletion.

TrustAsia CA’s system log is backed up to the log server in real time, and to the different places weekly. The manual paper records are archived periodically and saved in a special filing cabinet.

Regarding the electronic audit information, TrustAsia CA’s log server can collect and archive the following logs:

Regarding paper audit information, there is a special filing cabinet for collection and archival.

When TrustAsia CA detects the attack, it will record the attacker’s behaviors, trace the attacker to the extent permitted by the law, and retain the right to take the corresponding countermeasures. TrustAsia CA has the right to decide whether to notify subjects related to the event.

TrustAsia CA performs an annual risk assessment that:

TrustAsia CA archives all audit logs as set forth in Section 5.4.1, and additionally retains the following types of records in its archives, including but not limited to:

Archived audit logs (as set forth in Section 5.5.1) will be retained for a period of at least two years from their record creation timestamp, or as long as they are required to be retained per Section 5.4.3, whichever is longer.

TrustAsia CA retains the following for at least two years:

TrustAsia CA has secure physical and logical protection measures and strict management procedures for various electronic and paper filing documents, ensuring that the archived documents will not be compromised and preventing unauthorized access, alteration, deletion or other tampering behaviors.

Backups of electronic archiving records generated by the system will be made regularly and backup files will be stored in different places; the manual electronic records will be archived in SVN.

For written archive materials, backup is not required, yet strict measures are required to protect their security and prevent deletion, alteration, etc. of archives and their backups.

TrustAsia CA will automatically timestamp its records based on the system time as they are created (non-cryptographic time-stamping). The time on TrustAsia CA’s time source server is synchronized to the universal coordinated time (UTC) recognized by National Measurement Institute.

The Timestamp Authority of TrustAsia CA will log the following information and make these records available to its qualified auditor as proof of the Timestamp Authority’s compliance with the Baseline Requirements.

For system-generated electronic records, they are synchronized to the log server in real time and backed up to the off-site every week.

For electronic records, the SVN server completes the collection and backup work.

For written archive materials, they are collected and archived into the management area.

TrustAsia CA takes physical and logical access control methods to ensure that only the authorized personnel can approach the archive information and strictly prohibit unauthorized operations such as access, reading, alteration and deletion, etc.

TrustAsia CA documents a business continuity and disaster recovery procedures designed to notify and reasonably protect Application Software Suppliers, Subscribers, and Relying Parties in the event of a disaster, security compromise, or business failure. TrustAsia CA does not publicly disclose its business continuity plans but its business continuity plan and security plans are available to the auditors upon request. TrustAsia CA annually tests, reviews and updates these procedures.

The business continuity plan includes:

TrustAsia CA has backed up the resources, software and/or data of the service system and other important systems, and has developed the corresponding emergency handling process. In case of network failure, system and software compromise, database failure, etc., or a disaster caused by force majeure, TrustAsia CA will implement the recovery in accordance with the disaster recovery plan.

In the event of a major disaster at the physical site, TrustAsia CA will restore some services within 48 hours in accordance with the business continuity plan.

TrustAsia CA does not generate or deliver the key pair on behalf of the Subscriber.

As part of the certificate application process, subscribers generate key pair and submit the public key to TrustAsia CA in CSR.

The public key of TrustAsia CA is included in the root CA certificate and the subordinate CA certificate issued by TrustAsia CA. The Subscriber and relying parties can download the certificates from TrustAsia CA’s certificate service site.

To ensure the security strength of the keys, TrustAsia CA uses a linting tool to perform key size check before certificate issuance, ensuring that TrustAsia CA’s different types of certificate keys meet the following standards:

TrustAsia CA and Subscribers shall generate public keys in accordance with the regulations stipulated in Section 6.1.1 in this CP&CPS. Public key parameters are generated by compliant devices/platforms to ensure parameter quality. Public keys must meet the requirements stipulated in Section 6.1.5.

TrustAsia CA uses linting tools to check public key parameters before the issuance of a certificate to ensure that the public key parameters meet the following requirements:

X.509v3 certificate issued by TrustAsia CA includes key usage extensions, and their usage conforms to RFC5280 Standard. Regarding the purposes specified by TrustAsia CA in key usage extensions of the issued certificate, the certificate Subscriber shall use the key according to specified purposes.

The root CA key is generally used to issue the following certificates and CRL:

The subordinate CA key is generally used to issue the following certificates and CRL:

The Subscriber’s key can be used to provide security services, such as identity authentication, information encryption and signature, non-repudiation and information integrity; the encryption key pair can be used to encrypt and decrypt information.

The combination usage of signature key and encryption key can achieve security mechanisms such as identity authentication, authorization management and responsibility identification.

Cryptographic modules used by TrustAsia CA for CA key pairs and timestamp key pairs meet the FIPS 140-2 Level 3 standards.

Cryptographic modules used for code signing, EV code signing and document signing certificates meet or exceed the following standards:

The generation, update, revocation, backup and restoration of TrustAsia CA private key are controlled by a multi-person mechanism, with the management authority of the private key distributed to 5 key administrators, and only when at least 3 or more of the key administrators are present and permitting, can the private key be operated by inserting the administrators’s IC card or USBKey and entering the PIN code.

TrustAsia CA does not escrow private keys.

TrustAsia CA backups for the root private key and the CA private key，generate backup ciphertext files and backup authority recovery IC cards or USBKey according to the operation specification provided by the encryption equipment manufacturer and save them in the company’s safe box (or bank safe deposit box and other location that security levels are not lower than the local backup).

TrustAsia CA does not archive private keys of Subscriber certificates. The private keys of all CA certificates will not be archived by third parties.

TrustAsia CA’s key pair is generated, saved and used on the hardware cryptographic module. In order to achieve recovery, TrustAsia CA backs up the CA key according to the operation specification provided by the encryption equipment manufacturer. Besides, TrustAsia CA also has strict key management process to control the replication of CA key pair. All these measures have effectively prevented the loss, theft, alteration, unauthorized disclosure, and unauthorized use of CA private key.

The TrustAsia CA private key is stored in the hardware cryptographic module, and activation needs to be achieved using the encrypted device’s operator privileges as per Section 6.2.2 of this CP&CPS, where at least half of the key administrators are present and permitted. When the CA private key is required (online or offline), the key administrators is required to provide the operator IC card or USBKey and enter the PIN to do so.

Regarding private keys of TrustAsia CA, when CA system sends logout instruction to the cryptographic module or when the cryptography management software sends close instruction to the cryptographic module, or when the hardware cryptographic module that stores private keys is power off, private keys enter the inactivated state.

The operation of removing the private key is performed when at least half of the key administrators are present and permitting, and the key administrator logs into the server cryptographic machine using an administrator card containing his or her own PIN.

After the life cycle of TrustAsia CA’s private key ends, TrustAsia CA will continue to keep the CA private key in a backup hardware cryptographic module and archive it, and the other CA private key backups are safely destroyed. Meanwhile, all PIN codes and IC cards or USBKey, etc. for activating the private key must be destroyed.

Before the commercial purpose of the CA private key or its application has lost its value or the legal liability expires, the CA shall not destroy its private key.

An archived CA private key needs to be securely destroyed with the involvement of multiple trusted personnel after its archival period has expired, or when a backup or copy of the CA private key is no longer in use for a valid business purpose. The destruction of the CA private key will ensure that the CA private key is completely removed from the hardware cryptographic module, leaving no residual information.

See Section 6.2.1

For TrustAsia CA public key archiving, please refer to Section 5.5.

The maximum validity period of TrustAsia CA certificates:

Table: Maximum Validity Periods of TLS Subscriber Certificates

Effective April 15, 2025, private keys associated with Timestamp Certificates issued for greater than 15 months will be removed from the hardware cryptographic module protecting the private key within 18 months after issuance of the Timestamp Certificate. For Timestamp Certificates issued on or after June 1, 2024, TrustAsia CA will log the removal of the private key from the hardware cryptographic module through means of a key deletion ceremony performed by TrustAsia CA and witnesses and signed-off by at least two trusted role members.

The TrustAsia CA private key activation data is generated by the encryption device in accordance with the operating specifications provided by the manufacturer of the encryption device and with the permission of at least half of the key managers present.

The activation data of the Subscriber’s private key, including the password used to download the certificate (provided in the form of a password envelope, etc.), the USB key, the login password of the IC card, etc., must be generated in a safe and reliable environment. These activation data are delivered to subscribers in a safe and reliable way, such as offline face-to-face delivery, postal delivery, etc. For non-one-time use activation data, TrustAsia CA recommends that users modify it by themselves.

If Subscriber’s certificate private key is password, then all the protection password should follow the following principles:

Activation data of CA private key (smart IC card and PIN code) is kept in reliable way and by trusted personnel by TrustAsia CA. All the trusted personnel are requested to remember password instead of marking it down or sharing with others.

Subscriber’s activation data must be generated in the safe and reliable environment and be properly safeguarded or destroyed, and cannot be leaked to others. If the certificate Subscriber uses a password or PIN to protect private key, the Subscriber should take good care of password or PIN to prevent the leakage or theft. If the certificate Subscriber uses biological characteristics to protect the private key, the Subscriber should also pay attention to prevent his/her biological characteristics from illegal obtaining.

Activation of private key shall be protected from loss, theft, modification, unauthorized disclosure, or unauthorized usage during the transmission.

The activation data of private key which is no longer used will be destroyed and protected from theft, disclosure or unauthorized use during the destruction. The result of destruction is that some or all of activation data can’t be recovered directly or indirectly from the residual information and medium, papers recorded with passwords must be shredded.

For the security reasons, the rules of certificate applicant activate data of lifecycle as below:

Information security management of TrustAsia certification system meets <Specifications Related Security Technology Certificate Authentication System> published by OSCCA, <Measures for the Administration of Electronic Certification Services> published by Ministry of Industry and Information Technology, standards of information security in ISO 27001 and security standards of other relevant information.

TrustAsia draws up comprehensive and perfect security management strategies and standards, which have been implemented, reviewed and recorded within operation. The main security technologies and control measures include: Identification and authentication, logic access control, physical access control, management of personnel’s responsibilities decentralization, network access control, etc.

Multi-Factor Authentication is used for all the accounts capable of certificate issuance.

For the system operation staffs, log in to the system through the bastion machine to ensure that the CA software and data files are safe and reliable, and will not be accessed without authorization.

Core system must be separated physically from other systems and the production system must be separated from other system logically. This separation can prohibit network access except for specific applications. The usage of firewall is to prevent the intrusion from the internal and external network production system and restrict activities of access production system. Only trusted persons in operation and management group of CA system, when necessary to access the system can access the CA database using password.

TrustAsia CA system and its operating environment have passed third-party security assessments and penetration testing, and have received appropriate test reports.

TrustAsia CA maintains and updates Lingting tools to ensure that such tools are updated no later than three months from the release of the update. Whenever the Linting tools are updated, TrustAsia CA uses the updated tools to perform Linting on the corpus of all unexpired, un-revoked TLS/Code Signing/SMIME Subscriber Certificates.

Software design and development of TrustAsia CA process follows principles:

TrustAsia CA has developed a variety of security strategies, management systems and processes for security management of the certification system.

The information security management of the authentication system strictly follows the relevant operation management specifications of OSCCA.

The usage of authentication system has strict control measures. All systems are tested and verified strictly before use. Any modification and upgrade will be recorded.

TrustAsia CA conducts regular security checks on the system to identify whether the equipment has been intruded, whether there are security vulnerabilities, and etc.

TrustAsia CA controls the R&D and online work of certificate certification system through internal change control process to ensure the safety and reliability of the system.

All Certificates are X.509 Version 3 certificate. The version information is listed in the version field of the certificate.

In accordance with the requirements specified in RFC5280, the profiles in the following sections cover all certificates issued by TrustAsia CA.

This section details encoding rules that apply to all Certificates issued by a CA. Further restrictions may be specified within Section 7.1.2, but these restrictions do not supersede these requirements.

No stipulation.

No stipulation.

No stipulation.

No stipulation.

CRL issued by TrustAsia CA is formatted in accordance with X.509 v2.

Table: CRL Extensions

Table: revokedCertificates Component

Table: crlEntryExtensions Component

Table: CRLReasons

OCSP V1 version defined by RFC6960

Consistent with RFC6960. The singleExtensions of an OCSP response do not contain the reasonCode (OID 2.5.29.21) CRL entry extension.

TrustAsia CA will charge Subscriber certification’s fees based on the digital authentication service provided. The price standard depends on the regulations of marketing and management departments.

If the price specified in TrustAsia CA’s agreements with Subscribers is different from the one published, the agreement price shall prevail.

During the validity of the certificates, TrustAsia CA does not charge for certificate inquiries. If the Subscriber has special requests, which may charge extra fees, TrustAsia CA will negotiate with the Subscriber for proper charges.

TrustAsia CA does not charge any fees for the acquirement of Certificate Revocation List (CRL).

If TrustAsia CA provides certificate storage media and related services to Subscribers, the price will be specified in agreements with Subscribers or other entities. Other services fees that TrustAsia CA may or will charge, will inform the Subscribers timely.

In the event that TrustAsia CA is unable to perform the Subscriber Contract or the usage of Subscriber Certificate is disabled due to TrustAsia CA’s fault, TrustAsia CA will refund fees to the Subscriber. If the fault does not lead by TrustAsia CA and the Subscriber wants to require a refund, the terms of the Subscriber Agreement shall prevail.

TrustAsia CA maintains Commercial General Liability insurance with a policy limit of at least two million US dollars in coverage and Errors and Omissions/Professional Liability insurance with a policy limit of at least five million US dollars in coverage.

No stipulation.

If TrustAsia CA violates the provisions of this CP&CPS, certificate Subscribers can request let TrustAsia CA to bear the accountability for compensation (except for statutory or contractual exemption). After confirmation, TrustAsia CA will compensate for the entity. Limitations of compensation are as follows:

For the electronic certification services provided by TrustAsia CA, the following information is treated as confidential information:

TrustAsia CA treats the following information as non-confidential:

TrustAsia CA has the responsibility and obligation to protect the confidential information described in Section 9.3.1.

TrustAsia CA respects the privacy of certificate Subscriber’s personal data and guarantees to fully comply with the relevant national laws and regulations. In the meantime, TrustAsia CA requires all employees to strictly comply with security and confidentiality standards for personal privacy.

TrustAsia CA will consider all personal information which is undisclosed in the relevant certificate or CRL content as private. TrustAsia CA uses appropriate safeguards and reasonable degree of cautious to protect private information.

Certificate information held by Subscribers and certificate status information is not considered as privacy information.

TrustAsia CA has the responsibility and obligation for proper custody and protection of the certificate applicant’s privacy described in Section 9.4.2.

TrustAsia CA takes appropriate steps to protect the certificate Subscriber’s personal privacy, and takes reliable security measures to protect stored personal privacy information. TrustAsia CA guarantees not to provide the certificate Subscriber’s personal information, except personal information written in the certificate, to unrelated third parties (including companies and individuals) without the permission of certificate Subscribers, unless based on provisions of the law or government.

TrustAsia CA may need to provide relevant information to law-enforcement officials and administrative-enforcement officials without subscribers' knowledge, in accordance with the administrative regulations, rules, decisions, orders, and etc. due to the law requirements.

If certificate Subscriber requires TrustAsia CA to provide some particular customer support services such as mailing materials. TrustAsia CA may need to send the Subscriber’s name, mailing address and other related information to a third-party such as express company.

During the process of providing electronic certification service activities, TrustAsia CA makes following commitments:

After the certificate has issued to the public, TrustAsia CA guarantees that the Subscriber information in the certificate is accurate except the unverified Subscriber information.

TrustAsia CA is not responsible for the assessment of whether a certificate is used within an appropriate scope. Subscriber and relying party shall ensure the certificate is used for appropriate purposes based on Subscriber agreements and relying party agreements.

During participation in the process of electronic certification services, registration authority of TrustAsia CA makes following commitments:

Once Subscribers accept a certificate issued by TrustAsia CA, the Subscriber is considered to make the following commitments to TrustAsia CA, registration authority and related parties who trust the certificate:

Other participants engaged in electronic certification activities must promise to comply with all provisions of this CP&CPS.

If TrustAsia CA violated statement in CP&CPS Section 9.6.1, certificate subscribers, relying parties and other entities can request TrustAsia CA to assume compensation liabilities (except for statutory and contractual exemption). The upper limit of legal liability for direct losses:

If the following circumstances occurred, TrustAsia CA will assume limited compensation liability:

In addition, TrustAsia CA’s compensation scope is as follows:

If the following situations cause losses to TrustAsia CA or relying parties, subscribers shall assume the compensation liability:

If the following circumstances lead to the losses of TrustAsia CA or Subscribers, relying party shall be assumed compensation responsibility:

This CP&CPS and any amendments will immediately become effective when it is released on TrustAsia CA’s online repository. It will become effective until the new version of CP&CPS released.

When TrustAsia CA terminates electronic certification services, this CP&CPS is terminated.

After the termination of this CP&CPS, its effect will be terminated at the same time. The legal facts that occur before the date of termination, the provisions of the responsibility of the parties and the exemption of liability in this CP&CPS are still applicable, including, but not limited to, the contents of audit, confidential information, privacy protection, intellectual property, etc. in CP&CPS, as well as limited liability clauses relating to indemnification, are still valid after this CP&CPS is terminated.

When some provisions in CP&CPS, for example, Subscriber agreements, relying party agreements and other agreements become invalid due to some reasons, such as content modifications or conflict with applicable laws, they do not affect the force of law of other provisions in the corresponding document.

As authorized by TrustAsia CA Security Policy Committee, CP&CPS composition team reviews this CP&CPS at least once a year to ensure that the CP&CPS meets the requirement of national laws, regulations and administration department as well as relevant international standards; to ensure it meets actual needs of certification business operations.

Revisions and updates of the CP&CPS should be initiated by the CP&CPS compliance team and approved by TrustAsia CA Security Policy Committee. The revised CP&CPS shall be officially released after being approved by TrustAsia CA Security Policy Committee.

After approval of the revised CP&CPS, it will be released on TrustAsia CA’s official website synchronously. For the modification notified by email, mail, media and other ways, TrustAsia CA shall notify the relevant parties in time, which ensures that the relevant parties have minimum negative influence.

The TrustAsia CA is solely responsible for determining whether an amendment to the CP&CPS requires and OID change.

The situations that TrustAsia CA must modify this CP&CPS include: discrepancies between CP&CPS and governing laws, clear requirements of changes or adjustments for TrustAsia CA’s certification services initiated by national regulatory departments.

Complete document structure of TrustAsia CA’s CP&CPS includes three parts: titles, table of contents and main contents. Modified alternative content of the table of contents and the main contents will completely replace all previous parts. The previous parts would be displayed in the TrustAsia CA’s official website for browsing.

TrustAsia CA declares that the rights and obligations of the parties to the accredited entity as detailed in this CP&CPS may not be assigned by any means without the prior written consent of TrustAsia CA.

In the event of a conflict between the Requirements in this CP&CPS and a law, regulation or government order (hereinafter 'Law') of China mainland, TrustAsia CA will modify any conflicting requirement to the minimum extent necessary to make the requirement valid and legal in the jurisdiction. This applies only to operations or certificate issuances that are subject to that Law. In such event, TrustAsia CA will immediately (and prior to issuing a certificate under the modified requirement) include in Section 9.16.3 of this CP&CPS a detailed reference to the Law, and the specific modification to these Requirements implemented by TrustAsia CA.

TrustAsia CA (prior to issuing a certificate under the modified requirement) will notify the CA/Browser Forum of the relevant information newly added to this CP&CPS by sending a message to questions@cabforum.org and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/ (or such other email addresses and links as the Forum may designate), so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.

Any modification to CA practice enabled under this section will be discontinued if and when the Law no longer applies, or these Requirements are modified to make it possible to comply with both them and the Law simultaneously. An appropriate change in practice, modification to this CP&CPS and a notice to the CA/Browser Forum, as outlined above, will be made by TrustAsia CA within 90 days.

TrustAsia CA declares that if an entity such as a certificate Subscriber or relying party fails to implement a provision in this CP&CPS, it is not considered that the entity will not implement that or other provisions in the future.

If force majeure, such as war, plague, fire, earthquake and natural disaster, results in violation, delay or failure to perform the warranty liability under this CP&CPS, then TrustAsia will not be responsible for such incidents.