1. Policy Authority & Issuing Authority Contact Info:

Policy Authority:
Trustis FPS Policy Authority

Mailing Address:
Trustis FPS
Building 273 New Greenham Park
Thatcham
Berkshire, RG19 6HN

Tel: +44 (0) 1635 231361
Fax: +44(0) 1635 231366
email: policy.authority@trustis.com

Issuing Authority
Trustis HMRC SET Issuing Authority

Mailing Address:
Trustis FPS
Building 273 New Greenham Park
Thatcham
Berkshire, RG19 6HN

Tel: +44 (0) 1635 231361
Fax: +44(0) 1635 231366
email: issuing.authority@trustis.com

2. Certificate Type, validation procedures and usage:

The Certification Services provided by the Trustis HMRC SET Issuing Authority implement a closed public key infrastructure in the sense that access and participation is only open to those who both satisfy eligibility criteria and are approved by the Trustis FPS Policy Authority. The Participants providing trust services and End-Entities authorised and approved to issue, obtain, use, and/or rely upon Certificates that reference this Certificate Policy are clearly defined. Participation is conditional upon agreeing to be bound by the terms of this Certificate Policy.

The Certification Services provided by the Trustis HMRC SET Issuing Authority support secure operations and interactions with the general public, agent organisations, partners, customers and external contractors in the direct pursuit of Trustis-related business, or in the authorised usage of services provided by Trustis HMRC SET Issuing Authority. Certificates provided by this service, are supported by the use of strong cryptography and highly robust registration mechanisms to a defined and assured level of trust and security.

Certificates issued under this Certificate Policy may only be used for the support of the HM Revenue and Customs Secure Electronic Transfer Service (SET).

Applicants for Certificates are required to submit to the validation of identity credentials for both the organisation and a nominated representative of the organisation.

Acceptable documentary evidence that can be provided in support of an application for a Certificate must satisfy HMG's Minimum Requirements for the Verification of the Identity of Organisations, e-Government Strategy Framework Policy and Guidelines, Version 2.0,January 2003.

3. Reliance Limits:

The Trustis HMRC SET Issuing Authority does not set reliance limits for Certificates it issues. Reliance limits may be set by applicable law or by agreement. See Limitation of Liability below

4. Obligations of Subscribers:

Subscribers must comply with the requirements as defined in the Subscriber Agreement at http://www.trustis.com/pki/HMRCSET/policy/subscriber-agreement.html

It is the responsibility of the Subscriber to:

• Ensure all information submitted in support of a certificate application is true, accurate and they hold such rights as necessary to any trade marks or other such information submitted during the application for a Certificate.
• Review the issued Certificate to confirm the accuracy of the information contained within it before installation and first use.
• Use a trustworthy system for generating or obtaining a key pair and to prevent any loss, disclosure, or unauthorised use of the private key.
• Keep Private Keys confidential.
• Keep confidential, any passwords, pass-phrases, PINs or other personal secrets used in obtaining authenticated access to Certificates and PKI facilities.
• Make only true and accurate representations to the Registration Authority and/or Issuing Authority as to the information required to determine eligibility for a Certificate and for information contained within the Certificate.
• In accordance with the Trustis HMRC SET Issuing Authority Certificate Policy, exclusively use the Certificate for legal purposes and restricted to those authorised purposes detailed by the Trustis HMRC SET Issuing Authority Certificate Policy.
• Immediately notify the Registration Authority of a suspected or known compromise of Certificate security in accordance with the procedures laid down in the Trustis HMRC SET Issuing Authority Certificate Policy.

For Subjects holding Certificates and acting on behalf of Subscribers, the Subscriber must ensure all responsibilities are met.

WARNING: If a Subscriber's Private Key is compromised, unauthorised persons could decrypt or sign messages with the key and commit the Subscriber to unauthorised obligations.

5. Certificate Status checking Obligations of Relying Parties:

Relying Parties must comply with the requirements as defined in the Relying Party Agreement located at: http://www.trustis.com/pki/HMRCSET/policy/relying-party-agreement.html

A Relying Party may justifiably rely upon a Certificate only after:

• Ensuring that reliance on Certificates issued under this Certificate Policy is restricted to appropriate uses (see "Certificate Type, validation procedures and usage", above for a summary of approved usages).
• Ensuring, by accessing any and all relevant Certificate Status Information, that the Certificate remains valid and has not been Revoked or Suspended.
• Determining that such Certificate provides adequate assurances for its intended use.
• Take any other precautions prescribed in this Certificate Policy.

6. Limited Warranty & Disclaimer/Limitation of Liability:

The Issuing Authority assumes no liability whatsoever in relation to the use of Certificates or associated Public/Private Key pairs issued under this Certificate Policy for any use other than in accordance with this Certificate Policy and any other agreements. Subscribers will immediately indemnify the Issuing Authority from and against any such liability and costs and claims arising therefrom.

The Issuing Authority shall not be liable for any consequential, indirect or incidental damages, nor for any loss of business, loss of profit or loss of management time, whether foreseeable or unforeseeable, arising out of breach of any express or implied warranty, breach of contract, tort, misrepresentation, negligence, strict liability however arising, or in any other way arising from or in relation to the use of or reliance on, any Certificate except only in the case of the Issuing Authority's negligence, wilful misconduct, or where otherwise required by applicable law.

Nothing in this Certificate Policy excludes or restricts liability for death or personal injury resulting from negligence or the negligence of its employees, agents or contractors.

The Issuing Authority excludes all liability of any kind in respect of any transaction into which an End-Entity may enter with any third party.

The Issuing Authority is not liable to End-Entities either in contract, tort (including negligence) or otherwise for the acts or omissions of other providers of telecommunications or Internet services (including domain name registration authorities) or for faults in or failures of their equipment.

Each provision of this Certificate Policy, excluding or limiting liability, operates separately. If any part is held by a court to be unreasonable or inapplicable, the other parts shall continue to apply.

7. Applicable Agreements, Certification Practice Statement, Certificate Policy:

The full Certificate Policy, Subscriber Agreement and Relying party Agreement are published by the Issuing Authority and available at the locations reference in this PKI Disclosure Statement.

Such information is also made available subject to approval of a formal application in writing to the Issuing Authority.

8. Privacy Policy:

Trustis HMRC SET Issuing Authority maintains an individual's rights to privacy, and operates this Certification Service according to the Privacy Policy which many be found at http://www.trustis.com/pki/HMRCSET/policy/privacy-charter.html

9. Refund Policy:

The Trustis HMRC SET Issuing Authority does not provide refunds for issued Certificates.

10. Applicable Law & Dispute Resolution:

Disputes shall be handled in accordance with the Trustis FPS complaints procedure, documentation of which can be obtained by applying to the Issuing Authority. Contact details are provided in Section 1 of this document.

The provision of the Trustis HMRC SET Certificate Services is governed by English law and all parties shall submit to the exclusive jurisdiction of the courts of England and Wales.

11. CA & Repository Licences Trust Marks & Audit:

Certificates are manufactured under this Certificate Policy through the use of a Trustis Limited service which is both accredited to ISO27001 and has attained tScheme approval.

Audit shall be carried out on a periodic basis required to maintain security and trust accreditations. The Auditors that have been approved under this policy are:

• Audit resources of contracted Participants providing trust services.
• A certified public accountant with demonstrated expertise in computer security or an accredited computer security professional.

12. Identification of this Certificate Policy:

This Certificate Policy has been assigned an Object Identifier (OID) of: 1.3.6.1.4.1.5237.118.1.1

13. Approved Registration Authorities

The following Registration Authorities have been approved by the Issuing Authority to register Subscribers under this Certificate Policy:

• Trustis FPS

14. Approved Repositories

The following Repositories have been approved by the Issuing Authority under this Certificate Policy:

• Trustis FPS

15. Eligible Subscribers

The following types of Subscribers are eligible to be issued with Certificates under this Certificate Policy:

• Users of the HM Revenue and Customs Secure Electronic Transfer Service, (SET).

The Subscriber Agreement can be found at: http://www.trustis.com/pki/HMRCSET/policy/subscriber-agreement.html

16. Eligible Relying Parties

The following types of Relying Parties are eligible to rely on Certificates issued under this Certificate Policy:

• HM Revenue and Customs
• Users of the HM Revenue and Customs Secure Electronic Transfer Service, (SET).

The Relying Party Agreement can be found at: http://www.trustis.com/pki/HMRCSET/policy/relying-party-agreement.html

17. Certificate Status Information

Certificate Status information is made available via Certificate Revocation Lists (CRLs). CRLs shall be published, at a minimum, every 24 Hours.