System status | SwissSign
A data security specialist by Swiss Post


2017-08-11 New framework of legal contract documents

Over the last few weeks the turbulence on the market has demonstrated the importance of compliance with the regulations, and the importance of ensuring that all parties take the utmost care when approving and issuing certificates or delegating registration authority tasks.

We have adapted our Terms and Conditions, Subscriber Conditions for Certificate Services (formerly called End User Agreements) and Relying Party Agreements in accordance with the new ETSI regulations and the applicable laws and regulations (ZertES and eIDAS), and have added the informative documents required by the new ETSI regulation (PKI Disclosure Agreement, etc.) that were previously missing, in order to meet the latest requirements for a CA. The rapid growth of new services in parallel had also created redundancies in the documents, which had to be eliminated.

The advantage for the customer is that the previously separate commercial terms and conditions (signature service, time stamp service, certificate services, webshop) have been grouped into a single GTC, and redundancies and ambiguities have been reduced or corrected.

The commercial terms and conditions for our end customers and partners can be found at:

https://www.swisssign.com/media/wysiwyg/PDF-ALL/01_GTC/CurrentGTC/GTC_EN.pdf

Unless our customers are contacted individually, the existing commercial GTCs remain valid until a change of contract or volume adaptation. The current “Subscriber Agreement” (formerly “End User Agreement”) governing the handling of certificates must, as before, be accepted at every certificate request. It is derived from the rules of ETSI and the CA/Browser Forum and is subject to the supervision of our auditors. The new Subscriber Agreement can be found in our repository:

http://repository.swisssign.com/SubscriberAgreement_EN.pdf

The Subscriber Agreement for certificate services has been completely revised. Redundant passages were removed and the wording was aligned with that of the ETSI regulations. In addition, the conditions for Platinum Certificates were fully revised with regard to the new ZertES Act in Switzerland and the eIDAS Regulation in the EU.

The term “certificate holder” has been replaced with the ETSI terms “subscriber” and “certificate holder”. Information about time stamp services and signature services was removed and transferred into a new document, “Subscriber Agreement Signature and Timestamping Service”. Liability and data protection provisions have been updated and harmonized with those in the other documents.

A new Managed PKI is now ordered by completing a “Declaration of Consent to the Delegation of Registration Authority Activity”, which replaces the previous comprehensive “Managed PKI Setup Agreement”. It consists essentially only of the data to be entered by the customer and the declaration of acceptance of the “Guidelines on the Delegation of the Registration Authority Activity”, which summarize the tasks and duties of a registration authority. At the same time, user management has been reworked throughout in order to minimize ambiguity when checking the authorization process. In terms of content, the two new documents differ only slightly from the Managed PKI Setup Agreement, but the “Guideline on the Delegation of the Registration Authority Activity” is now subject to the control of our auditor. Thus, as in the past, it is not contractually possible to deviate individually from the compliance regulations to which SwissSign is subject. The declaration can be found here:

http://repository.swisssign.com/RA_Delegation_EN.pdf

The “Organization Authority and Terms and Conditions of Use” form, a slightly modified copy of the Managed PKI Setup Agreement, is void. Instead, a third-party organization has to sign a separate Declaration of Acceptance of the “Guidelines for the Delegation of Registration Authority Activity”, so the same form is used. Even where a third party's operator is used for the interface to SwissSign, each organization is itself responsible for the proper performance of its registration authority activity, even if the person responsible for the access is employed by another organization.

Existing managed PKI agreements are not replaced; the new forms above are only relevant for new contracts.

Overall, we hope to have achieved some simplification in the complex regulatory environment of certificates, which will above all make life easier for our customers and reinforce the trust placed in us in the market.