This GeoTrust, Inc. (“GeoTrust”) Certificate Practice Statement (the “CPS”) presents the principles and procedures GeoTrust employs in the issuance and life cycle management of GeoTrust True BusinessID Web Server Certificates, GeoTrust True BusinessID Trial Certificates, GeoTrust Organizational Certificates, GeoTrust SecureMark Certificates and GeoTrust S/MIME Institutional Certificates. This CPS and any and all amendments thereto are incorporated by reference into all of the above-listed GeoTrust Certificates.
For the purposes of this CPS, all capitalized terms used herein shall have the meaning given to them in Section VIII, Definitions, or elsewhere in this CPS.
C. Description and Use of Certificates
GeoTrust Trial Certificates are X.509 Certificates with SSL Extensions which allow a web administrator to test SSL functionality. GeoTrust Trial Certificates are signed by the Trial CA and do not require business authentication. GeoTrust Trial Certificates are not intended to provide identification of a Subscriber’s server. GeoTrust does not accept any liability whatsoever in the issuance and/or management of GeoTrust Trial Certificates. GeoTrust Trial Certificates do not in any manner chain to a Thawte CA nor is the Trial CA embedded within any browser software. To initiate a test of the GeoTrust Trial Certificates, a web administrator must install the GeoTrust Trial Certificates on their server and mark such GeoTrust Trial Certificates as trusted within the test browsers.
2. GeoTrust True BusinessID Web Server Certificates
GeoTrust True BusinessID Web Server Certificates are X.509 Certificates with SSL Extensions that chain to a Thawte CA and which facilitate secure electronic commerce by providing limited authentication of a Subscriber’s server and permitting SSL encrypted transactions between a Relying Party’s browser and the Subscriber’s server.
3. GeoTrust Organizational Certificates
GeoTrust Organizational Certificates are X.509 Certificates that chain to a Thawte CA and which facilitate secure electronic commerce by providing limited authentication of a Subscriber’s browser.
GeoTrust SecureMark Certificates are X.509 Certificates that chain to a Thawte CA which are S/MIME enabled to permit a consistent way to send and receive secure MIME data and provide limited authentication of a Subscriber’s browser.
5. GeoTrust S/MIME Institutional Certificates
GeoTrust S/MIME Institutional Certificates are X.509 Certificates that chain to either a Thawte CA or Equifax Secure CA which are S/MIME enabled to permit a consistent way to send and receive secure MIME data. These GeoTrust S/MIME Institutional Certificates are issued to the employees, contractors, vendors and other related individuals on behalf of GeoTrust’s institutional clients. A GeoTrust S/MIME Institutional Certificate may reference the specific institutional client for which the GeoTrust S/MIME Institutional Certificate was issued.
6. Operational Period of Certificates
GeoTrust Trial Certificates have an Operational Period of two (2) weeks from the date of issuance, unless another time period or expiration date is specified on such GeoTrust Trial Certificate, or unless the GeoTrust Trial Certificate is revoked prior to the expiration of the GeoTrust Trial Certificate’s Operational Period.
GeoTrust True BusinessID Web Server Certificates, GeoTrust Organizational Certificates, GeoTrust SecureMark Certificates and GeoTrust S/MIME Institutional Certificates have an Operational Period of three hundred seventy-nine (379) days from the date of issuance, unless another time period or expiration date is specified on such GeoTrust True BusinessID Web Server Certificate, GeoTrust Organizational Certificate, GeoTrust SecureMark Certificate or GeoTrust S/MIME Institutional Certificate, or unless the GeoTrust True BusinessID Web Server Certificate, GeoTrust Organizational Certificate, GeoTrust SecureMark Certificate or GeoTrust S/MIME Institutional Certificate is revoked prior to the expiration of the GeoTrust True BusinessID Web Server Certificate’s, the GeoTrust Organizational Certificate’s, the GeoTrust SecureMark Certificate’s, or the GeoTrust S/MIME Institutional Certificate’s Operational Period.
GeoTrust True BusinessID Web Server Certificates, GeoTrust True BusinessID Trial Certificates, GeoTrust Organizational Certificates, GeoTrust SecureMark Certificates and GeoTrust S/MIME Institutional Certificates may not be installed on more than a single server at a time.
8. Technical Requirements of Certificates
In order to use a GeoTrust Trial Certificate or a GeoTrust True BusinessID Web Server Certificate, the appropriate server software must support SSLv3. In order to use a GeoTrust Organizational Certificate, a GeoTrust SecureMark Certificate or a GeoTrust S/MIME Institutional Certificate, a Subscriber must use Lotus Notes Web Navigator 5.x (or later release), Netscape Navigator 4.X (or later release) or Microsoft Internet Explorer 4.X (or later release) (so long as any of such browsers can handle 128 bit encryption).
GeoTrust will: (i) issue Certificates in accordance with this CPS; (ii) perform limited authentication of Subscribers as described in this CPS; (iii) revoke Certificates; and (iv) perform any other functions which are described within this CPS.
Subscribers will submit truthful information about itself, its business entity, domain ownership and contacts, as applicable. Subscribers will not install a Certificate on more than a single server at a time. Subscribers will at all times abide by this CPS and a Subscriber will immediately request revocation of a Certificate if the related Private Key is Compromised. The Subscriber will only use the GeoTrust Trial Certificate and GeoTrust True BusinessID Web Server Certificate for purposes of initiating SSL sessions. The Subscriber will only use the GeoTrust Organizational Certificate for purpose of authenticating the Subscriber. The Subscriber will only use the GeoTrust SecureMark Certificate for authenticating the Subscriber and/or utilizing S/MIME applications and GeoTrust S/MIME Institutional Certificates for authenticating the Subscriber and/or utilizing S/MIME applications in connection with applications supported by the applicable institutional client. The Subscriber is solely responsible for the protection of its Private Key and for notifying GeoTrust immediately in the event that its Private Key has been Compromised.
With regard to GeoTrust S/MIME Institutional Certificates, Relying Parties must verify that the Certificate is valid by verifying the status of the Certificate with GeoTrust’s institutional client specific to the Certificate’s Subscriber before initiating a transaction involving such Certificate.
With regard to the other Certificates, Relying Parties must verify that the Certificate is valid by examining the Certificate Revocation List before initiating a transaction involving such Certificate.
GeoTrust does not accept responsibility for reliance on a fraudulently obtained Certificate or a Certificate that is on the CRL.
GeoTrust provides the following limited warranty at the time of Certificate issuance: (i) it issued the Certificate substantially in compliance with this CPS; (ii) the information contained within the Certificate accurately reflects the information provided to GeoTrust by the Applicant in all material respects; and (iii) it has taken reasonable steps to verify that the information within the Certificate is accurate. The nature of the steps GeoTrust takes to verify the information contained in a Certificate is set forth in Section III of this CPS.
EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, GEOTRUST EXPRESSLY DISCLAIMS AND MAKES NO REPRESENTATION, WARRANTY OR COVENANT OF ANY KIND, WHETHER EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, WITH RESPECT TO THIS CPS OR ANY CERTIFICATE ISSUED HEREUNDER, INCLUDING WITHOUT LIMITATION, ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OR USE OF A CERTIFICATE OR ANY SERVICE (INCLUDING, WITHOUT LIMITATION, ANY SUPPORT SERVICES) PROVIDED BY GEOTRUST AS DESCRIBED HEREIN, AND ALL WARRANTIES, REPRESENTATIONS, CONDITIONS, UNDERTAKINGS, TERMS AND OBLIGATIONS IMPLIED BY STATUTE OR COMMON LAW, TRADE USAGE, COURSE OF DEALING OR OTHERWISE ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW. EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, GEOTRUST FURTHER DISCLAIMS AND MAKES NO REPRESENTATION, WARRANTY OR COVENANT OF ANY KIND, WHETHER EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, TO ANY APPLICANT, SUBSCRIBER OR ANY RELYING PARTY THAT (A) THE SUBSCRIBER TO WHICH IT HAS ISSUED A CERTIFICATE IS IN FACT THE PERSON, ENTITY OR ORGANIZATION IT CLAIMS TO HAVE BEEN (B) A SUBSCRIBER IS IN FACT THE PERSON, ENTITY OR ORGANIZATION LISTED IN THE CERTIFICATE, OR (C) THAT THE INFORMATION CONTAINED IN THE CERTIFICATES OR IN ANY CERTIFICATE STATUS MECHANISM COMPILED, PUBLISHED OR OTHERWISE DISSEMINATED BY GEOTRUST, OR THE RESULTS OF ANY CRYPTOGRAPHIC METHOD IMPLEMENTED IN CONNECTION WITH THE CERTIFICATES IS ACCURATE, AUTHENTIC, COMPLETE OR RELIABLE.
IT IS AGREED AND ACKNOWLEDGED THAT APPLICANTS ARE LIABLE FOR ANY MISREPRESENTATIONS MADE TO GEOTRUST AND RELIED UPON BY A RELYING PARTY. GEOTRUST DOES NOT WARRANT OR GUARANTEE UNDER ANY CIRCUMSTANCES THE “NON-REPUDIATION” BY A SUBSCRIBER AND/OR RELYING PARTY OF ANY TRANSACTION ENTERED INTO BY THE SUBSCRIBER AND/OR RELYING PARTY INVOLVING THE USE OF OR RELIANCE UPON A CERTIFICATE.
IT IS UNDERSTOOD AND AGREED UPON BY SUBSCRIBERS AND RELYING PARTIES THAT IN USING AND/OR RELYING UPON A CERTIFICATE THEY ARE SOLELY RESPONSIBLE FOR THEIR RELIANCE UPON THAT CERTIFICATE AND THAT SUCH PARTIES MUST CONSIDER THE FACTS, CIRCUMSTANCES AND CONTEXT SURROUNDING THE TRANSACTION IN WHICH THE CERTIFICATE IS USED IN DETERMINING SUCH RELIANCE.
THE SUBSCRIBERS AND RELYING PARTIES AGREE AND ACKNOWLEDGE THAT CERTIFICATES HAVE A LIMITED OPERATIONAL PERIOD AND MAY BE REVOKED AT ANY TIME. SUBSCRIBERS AND RELYING PARTIES ARE UNDER AN OBLIGATION TO VERIFY WHETHER A CERTIFICATE IS EXPIRED OR HAS BEEN REVOKED. GEOTRUST HEREBY DISCLAIMS ANY AND ALL LIABILITY TO SUBSCRIBERS AND RELYING PARTIES WHO DO NOT FOLLOW SUCH PROCEDURES. MORE INFORMATION ABOUT THE SITUATIONS IN WHICH A CERTIFICATE MAY BE REVOKED CAN BE FOUND IN SECTION III(I) OF THIS CPS.
GeoTrust provides no warranties with respect to another party’s software, hardware or telecommunications or networking equipment utilized in connection with the use, issuance, revocation or management of Certificates or providing other services (including, without limitation, any support services) with respect to this CPS. Applicants, Subscribers and Relying Parties agree and acknowledge that GeoTrust is not responsible or liable for any misrepresentations or incomplete representations of Certificates or any information contained therein caused by another party’s application software or graphical user interfaces. The cryptographic key-generation technology used by Applicants, Subscribers and Relying Parties in conjunction with the Certificates may or may not be subject to the intellectual property rights of third-parties. It is the responsibility of Applicants, Subscribers and Relying Parties to ensure that they are using technology which is properly licensed or to otherwise obtain the right to use such technology.
EXCEPT TO THE EXTENT CAUSED BY GEOTRUST’S WILLFUL MISCONDUCT, IN NO EVENT SHALL THE CUMULATIVE LIABILITY OF GEOTRUST TO APPLICANTS, SUBSCRIBER AND/OR ANY RELYING PARTY FOR ALL CLAIMS RELATED TO THE INSTALLATION OF, USE OF OR RELIANCE UPON A CERTIFICATE OR FOR THE SERVICES PROVIDED HEREUNDER INCLUDING WITHOUT LIMITATION ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, FOR BREACH OF A STATUTORY DUTY OR IN ANY OTHER WAY EXCEED FIFTY THOUSAND U.S. DOLLARS ($50,000.00).
GEOTRUST SHALL NOT BE LIABLE IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, FOR BREACH OF A STATUTORY DUTY OR IN ANY OTHER WAY (EVEN IF GEOTRUST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) FOR:
(I) ANY ECONOMIC LOSS (INCLUDING, WITHOUT LIMITATION, LOSS OF REVENUES, PROFITS, CONTRACTS, BUSINESS OR ANTICIPATED SAVINGS);
(II) TO THE EXTENT ALLOWED BY APPLICABLE LAW, ANY LOSS OR DAMAGE RESULTING FROM DEATH OR INJURY OF SUBSCRIBER AND/OR ANY RELYING PARTY OR ANYONE ELSE;
(III) ANY LOSS OF GOODWILL OR REPUTATION; OR
(IV) ANY OTHER INDIRECT, CONSEQUENTIAL, INCIDENTAL, MULTIPLE, SPECIAL, PUNITIVE, EXEMPLARY DAMAGES
IN ANY CASE WHETHER OR NOT SUCH LOSSES OR DAMAGES WERE WITHIN THE CONTEMPLATION OF THE PARTIES AT THE TIME OF THE APPLICATION FOR, INSTALLATION OF, USE OF OR RELIANCE ON THE CERTIFICATE, OR AROSE OUT OF ANY OTHER MATTER OR SERVICES (INCLUDING, WITHOUT LIMITATION, ANY SUPPORT SERVICES) UNDER THIS CPS OR WITH REGARD TO THE USE OF OR RELIANCE ON THE CERTIFICATE.
BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, THE ABOVE EXCLUSIONS OF INCIDENTAL AND CONSEQUENTIAL DAMAGES MAY NOT APPLY TO AN APPLICANT, SUBSCRIBER AND/OR A RELYING PARTY BUT SHALL BE GIVEN EFFECT TO THE FULL EXTENT PERMITTED BY LAW.
THE FOREGOING LIMITATIONS OF LIABILITY SHALL APPLY ON A CERTIFICATE-BY-CERTIFICATE BASIS, REGARDLESS OF THE NUMBER OF TRANSACTIONS OR CLAIMS RELATED TO EACH CERTIFICATE, AND SHALL BE APPORTIONED FIRST TO THE EARLIER CLAIMS TO ACHIEVE FINAL RESOLUTION.
In no event will GeoTrust be liable for any damages to Applicants, Subscribers, Relying Parties or any other party arising out of or related to the use or misuse of, or reliance on any Certificate issued under this CPS that: (i) has expired or been revoked; (ii) has been used for any purpose other than as set forth in the CPS (See Section I(c) for more detail); (iii) has been tampered with; (iv) with respect to which the Key Pair underlying such Certificate or the cryptography algorithm used to generate such Certificate’s Key Pair, has been Compromised by the action of any party other than GeoTrust (including without limitation the Subscriber or Relying Party); or (v) is the subject of misrepresentations or other misleading acts or omissions of any other party, including but not limited to Applicants, Subscribers and Relying Parties.
In no event shall GeoTrust be liable to the Applicant, Subscriber, Relying Party or other party for damages arising out of any claim that a Certificate infringes any patent, trademark, copyright, trade secret or other intellectual property right of any party.
GeoTrust shall not be liable for any default or delay in the performance of its obligations hereunder to the extent and while such default or delay is caused, directly or indirectly, by fire, flood, earthquake, elements of nature or acts of God, acts of war, terrorism, riots, civil disorders, rebellions or revolutions in the United States, strikes, lockouts, or labor difficulties or any other similar cause beyond the reasonable control of GeoTrust.
GeoTrust is not an agent, fiduciary, trustee, or other representative of the Applicant or Subscriber and the relationship between GeoTrust and the Applicant and the Subscriber is not that of an agent and a principal. GeoTrust makes no representation to the contrary, either explicitly, implicitly, by appearance or otherwise. Neither the Applicant nor the Subscriber has any authority to bind GeoTrust by contract or otherwise, to any obligation.
2. Indemnification by Applicant and Subscriber
Unless otherwise set forth in this CPS and/or Subscriber Agreement, Applicant and Subscriber, as applicable, hereby agrees to indemnify and hold GeoTrust (including, but not limited to, its officers, directors, employees, agents, successors and assigns) harmless from any claims, actions, or demands that are caused by the use or publication of a Certificate and that arises from (a) any false or misleading statement of fact by the Applicant (or any person acting on the behalf of the Applicant) (b) any failure by the Applicant or the Subscriber to disclose a material fact, if such omission was made negligibly or with the intent to deceive; (c) any failure on the part of the Subscriber to protect its Private Key and Certificate or to take the precautions necessary to prevent the Compromise, disclosure, loss, modification or unauthorized use of the Private Key or Certificate; or (d) any failure on the part of the Subscriber to promptly notify GeoTrust, as the case may be, of the Compromise, disclosure, loss, modification or unauthorized use of the Private Key or Certificate once the Subscriber has constructive or actual notice of such event.
The enforceability, construction, interpretation, and validity of this CPS and any Certificates issued by GeoTrust shall be governed by the substantive laws of the State of Oregon, United States of America, excluding (i) the conflicts of law provisions thereof and (ii) the United Nations Convention on Contracts for the International Sale of Goods.
Any dispute, controversy or claim arising under, in connection with or relating to this CPS or any Certificate issued by GeoTrust shall be subject to and settled finally by binding arbitration in accordance with the Arbitration Rules of the American Arbitration Association (AAA). All arbitration proceedings shall be held in Portland, Oregon. There shall be one arbitrator appointed by the AAA who shall exhibit a reasonable familiarity with the issues involved or presented in such dispute, controversy or claim. The award of the arbitrator shall be binding and final upon all parties, and judgment on the award may be entered by any court having proper jurisdiction thereof. This CPS and the rights and obligations of the parties hereunder and under any Certificate issued by GeoTrust shall remain in full force and effect pending the outcome and award in any arbitration proceeding hereunder. In any arbitration arising hereunder, each party to the proceeding shall be responsible for its own costs incurred in connection with the arbitration proceedings, unless the arbitrator determines that the prevailing party is entitled to an award of all or a portion of such costs, including reasonable attorneys fees actually incurred.
If any provision of this CPS shall be held to be invalid, illegal, or unenforceable, the validity, legality, or enforceability of the remainder of this CPS shall not in any way be affected or impaired hereby.
With regard to GeoTrust S/MIME Institutional Certificates, GeoTrust shall operate a CRL that will be available to GeoTrust’s institutional clients.
With regard to all other Certificates, GeoTrust shall operate a CRL that will be available to both Subscribers and Relying Parties.
GeoTrust shall post the CRL every twenty-four (24) hours in a DER format.
1. Individual Subscriber Information
Information regarding Subscribers that is submitted on applications for Certificates will be kept confidential by GeoTrust and GeoTrust shall not release such information without the prior consent of the Subscriber. Notwithstanding the foregoing, GeoTrust may make such information available to courts, law enforcement agencies or other third parties upon receipt of a court order or subpoena or upon the advice of GeoTrust’s legal counsel. The foregoing confidentiality obligation shall not apply, however, to information appearing on Certificates, or to information regarding Subscribers that is already in the possession of or separately acquired by GeoTrust.
2. Aggregate Subscriber Information
Notwithstanding the previous Section, GeoTrust may disclose Subscriber information on an aggregate basis, and the Subscriber hereby grants to GeoTrust a license to do so, including the right to modify the aggregated Subscriber information and to permit third parties to perform such functions on its behalf. GeoTrust shall not disclose to any third party any personally identifiable information about any Subscriber that GeoTrust obtains in its performance of services hereunder.
1. GeoTrust True BusinessID Web Server Certificate Application.
An Applicant for a GeoTrust True BusinessID Web Server Certificate shall complete a GeoTrust True BusinessID Web Server Certificate application in a form prescribed by GeoTrust. All applications are subject to review, approval and acceptance by GeoTrust. All Applicants are required to include a Domain Name within the GeoTrust True BusinessID Web Server Certificate application and either an Organizational Name or Personal Name which will also appear on the GeoTrust True BusinessID Web Server Certificate. A GeoTrust True BusinessID Web Server Certificate may contain additional information as well.
2. GeoTrust Organizational Certificate Application.
An Applicant for a GeoTrust Organizational Certificate shall complete a GeoTrust Organizational Certificate application in a form prescribed by GeoTrust. All applications are subject to review, approval and acceptance by GeoTrust. All Applicants are required to include an Organizational Name within a GeoTrust Organizational Certificate application which will also appear on a GeoTrust Organizational Certificate. A GeoTrust Organizational Certificate may contain additional information as well.
3. GeoTrust Trial Certificate Application
An Applicant for a GeoTrust Trial Certificate shall complete a GeoTrust Trial Certificate application in a form prescribed by GeoTrust. All applications are subject to review, approval and acceptance by GeoTrust. GeoTrust does not authenticate the Applicant or any information contained in an application for, or in, GeoTrust Trial Certificates.
4. GeoTrust SecureMark Certificate Application
An Applicant for a GeoTrust SecureMark Certificate shall complete a GeoTrust SecureMark Certificate application in a form prescribed by GeoTrust. All applications are subject to review, approval and acceptance by GeoTrust. All Applicants are required to include a Personal Name and Email Address within a GeoTrust SecureMark Certificate application which will also appear on a GeoTrust SecureMark Certificate. A GeoTrust SecureMark Certificate may contain additional information as well.
5. GeoTrust S/MIME Institutional Certificate Application
An Applicant for a GeoTrust S/MIME Institutional Certificate shall complete an application in a form prescribed by GeoTrust and the applicable institutional client. All applications are subject to review, approval and acceptance by GeoTrust. A GeoTrust S/MIME Institutional Certificate will contain a Personal Name and Email Address and may contain additional information as well.
GeoTrust may obtain the Personal Name and Email Address from the applicable institutional client who provide to GeoTrust a list of pre-approved Subscribers, including each Subscriber’s Personal Name, Email Address and a Shared-Secret and other information that will be included onto a GeoTrust S/MIME Institutional Certificate. In this instance, GeoTrust and its institutional client have a shared responsibility for authenticating the Subscriber and GeoTrust relies on the institutional client to confirm that the Personal Name and Email Address provided for the Subscriber belongs to the Subscriber.
GeoTrust may also verify the Personal Name and Email Address in accordance with the CPS.
If a Certificate contains a Domain Name, GeoTrust will verify that the Subscriber had the right to use such Domain Name at the time it submitted its application. For instance, GeoTrust may perform this verification by confirming that the Subscriber is the same person or entity that holds the Domain Name registration from the relevant domain name registrar or that the Subscriber is authorized to use such Domain Name.
If a Certificate contains an Organizational Name, GeoTrust will make a reasonable attempt to establish that a Certificate request made on behalf of that organization is legitimate and properly authorized. GeoTrust will not include an Organizational Name in a Certificate without first ensuring the following: (a) the Organizational Name appears in conjunction with a country and possibly a state or province of other locality to sufficiently identify its place of registration or a place where it is currently doing business; and (b) in the case of an organization that could reasonably be expected to be registered with a local, state or national authority, in certain circumstances GeoTrust will obtain, view and verify copies of the registration documents. For instance, GeoTrust may (w) verify the validity of the registration through the authority that issued it, or (x) verify the validity of the registration through a reputable third party database or other resource, or (y) verify the validity of the organization through a trusted third party, or (z) confirm that the organization exists if such organization is not the type that is typically registered or is capable of being verified under clause (y).
In addition, to prove that a Certificate is duly authorized by the organization, GeoTrust will typically request the name of a contact person who is employed by or is an officer of the organization. GeoTrust will also typically require a form of authorization from the organization confirming its intent to obtain a Certificate and will usually document the organization’s contact person. GeoTrust normally confirms the contents of this authorization with the listed contact person.
If a Certificate contains a Personal Name (i.e., the name of the Subscriber), GeoTrust will require some basic proof of identity. GeoTrust will make some attempt to obtain corroboration and confirmation of the Personal Name, but this does not require an absolute assurance of the Personal Name. For instance, GeoTrust may verify that the Personal Name is the name of the Subscriber by (a) the use of a Shared Secret or other similar form of identification, or (b) utilizing existing credit or other databases, or (c) corroboration of the identity by having a number of existing identified Certificate users attest to the identity.
If a Certificate contains an Email Address, GeoTrust will obtain reasonable information that the Email Address belongs to the Subscriber. At a minimum, GeoTrust will determine that the Subscriber has the ability to read email sent to that Email Address. In addition, GeoTrust may validate that the Email Address belongs to the Subscriber by (a) the use of an email “ping”, where a correspondence is sent to the Email Address to which the recipient must reply, or (b) obtaining proof that the Subscriber has the necessary mail server credentials to retrieve email sent to that Email Address, or (c) confirming from the email administrator or organization owning the email domain name that they regard the Subscriber as a legitimate holder of a Certificate containing that Email Address.
C. Procedure for Processing Certificate Applications
GeoTrust will process the Certificate Applications to confirm the information on the Certificates as discussed above. However, GeoTrust reserves the right to waive such procedures and issue a Certificate utilizing different authentication procedures in certain circumstances; provided that the general principles for verifying the application information is maintained. In addition, GeoTrust may use subcontractors or other third parties to assist in the performance of its operational requirements or any other obligation under this CPS.
At certain times during the application process in which GeoTrust is not able to verify information in a Certificate application, a customer service representative may be assigned to the Applicant to facilitate the completion of the application process. Otherwise, the Applicant may be required to correct its associated information with third parties and re-submit its application for a Certificate.
If GeoTrust finds that the Applicant’s Certificate application was sufficiently verified, then the Applicant’s Certificate will be signed by GeoTrust. Upon signing the Applicant’s Certificate, GeoTrust will attach such Certificate to an email and send such email to the appropriate contact. The email will include the date the Certificate was issued, the date the Certificate will expire, and the type of Certificate that was issued. In certain circumstances the email may include a GeoTrust customer service representative telephone number and email address for any technical or customer service problems. GeoTrust, in its sole discretion, may provide such technical or customer support to the Applicants/Subscribers.
The Applicant expressly indicates acceptance of a Certificate by using such Certificate.
The Subscriber is required to generate a new Public Key and complete a new Certificate request before the Subscriber will be able to obtain a renewal Certificate.
GeoTrust will attempt to notify all Subscribers of the expiration date of their Certificate, but in some instances will only notify the institutional client that the applicable GeoTrust S/MIME Institutional Certificate is to expire.
Certificate revocation is the process by which GeoTrust prematurely ends the Operational Period of a Certificate.
A Subscriber may request revocation of its Certificate at any time for any reason.
A GeoTrust institutional client may request revocation of a GeoTrust S/MIME Institutional Certificate issued to a Subscriber of that institutional client at any time for any reason.
A Subscriber shall inform GeoTrust and promptly request revocation of a Certificate:
· whenever any of the information on the Certificate changes or becomes obsolete; or
· whenever the Private Key, or the media holding the Private Key, associated with the Certificate is compromised, or
· upon a change in the ownership of a Subscriber’s web server, or
· in the event the Certificate is installed on more than a single server at a time.
A GeoTrust institutional client shall inform GeoTrust and promptly request revocation of a Certificate:
· whenever it comes to the attention of the institutional client that any of the information on the Certificate changes or becomes obsolete; or
· whenever it comes to the attention of the institutional client that the Private Key, or the media holding the Private Key, associated with the Certificate is Compromised.
GeoTrust shall revoke a Certificate:
· upon request of a GeoTrust institutional client, but only for a GeoTrust S/MIME Institutional Certificate of a Subscriber of that institutional client;
· in the event of Compromise of GeoTrust’s Private Key used to sign a Certificate;
· upon the Subscriber’s breach of either this CPS or Subscriber Agreement;
· if GeoTrust determines that the Certificate was not properly issued.
In the event that GeoTrust ceases operations, all Certificates issued by GeoTrust shall be revoked prior to the date that GeoTrust ceases operations.
The only persons permitted to request revocation of or revoke a Certificate issued by GeoTrust are the Subscribers and GeoTrust, except in the case of a GeoTrust S/MIME Institutional Certificate in which the institutional client associated with that GeoTrust S/MIME Institutional Certificate may request revocation.
3. Procedure For Revocation Request
Subscriber or the GeoTrust institutional client, as applicable, must contact GeoTrust, either by a national/regional postal service, facsimile or o