TrustMint(r) Express Certificate Policy 1. INTRODUCTION 1.1 Overview This Policy sets forth certain rules governing the issuance, management and use of TrustMint Express Certificates. Digital Signature Trust Co. ("DST"), as an independent contractor on behalf of its TrustMint Express Customers ("Sponsors"), acts as Certification Authority in issuing, managing and revoking TrustMint Express Certificates, as instructed and authorized by its Sponsors, and provides Repository services with respect to such TrustMint Express Certificates. 1.2 General Definitions The following terms, when used in this Policy or related agreements, shall have the meanings indicated: Certificate A computer-based record or electronic message that: (a) identifies the Certification Authority issuing it; (b) names or identifies a Certificate Holder; (c) contains the Public Key of the Certificate Holder; (d) identifies the Certificate's operational period; and (e) is digitally signed by a Certification Authority. A Certificate includes not only its actual content but also all documents expressly referenced or incorporated in it. Certificate Holder An Individual or Organization that: (a) is named or identified, or is responsible for the electronic device named or identified, in a TrustMint Express Certificate as the subject of such Certificate; and (b) holds the Private Key that corresponds to the Public Key listed in that TrustMint Express Certificate. Certificate Revocation List (CRL) A database or other list of TrustMint Express Certificates that have been revoked prior to the expiration of their validity period. Certification Authority (CA) An entity that creates, issues, manages and revokes Certificates. Digital Signature The transformation of an electronic record by one person using a Private Key and public key cryptography so that another person having the transformed record and the corresponding Public Key can accurately determine: (a) whether the transformation was created using the Private Key that corresponds to the Public Key; and (b) whether the record has been altered since the transformation was made. Identification and Authentication (I&A) To ascertain and confirm through appropriate inquiry and investigation the identity of a Certificate Holder, Relying Party or other entity. Individual A natural person, and not a juridical person or legal entity. Key A general term used throughout this Policy to encompass any one of the defined keys mentioned in this General Definitions section (e.g., Private Key and Public Key). Key Pair Two mathematically related Keys (a Private Key and its corresponding Public Key), having the properties that: (i) one Key can be used to encrypt a communication that can only be decrypted using the other Key; and (ii) even knowing one Key it is computationally infeasible to discover the other Key. Organization An entity that is legally recognized in the jurisdiction of its origin (e.g., a corporation, partnership, sole proprietorship, government department, non-government organization, university, trust, special interest group or non-profit corporation). Policy This TrustMint Express Certificate Policy. Private Key The Key of a Key Pair kept secret by its holder, used to create Digital Signatures and to decrypt messages or files that were encrypted with the corresponding Public Key. Public Key The Key of a Key Pair publicly disclosed by the holder of the corresponding Private Key and used to validate Digital Signatures created with the corresponding Private Key and to encrypt messages so that they can be decrypted only with the corresponding Private Key. Registration Authority (RA) An entity contractually delegated by a Sponsor to accept and process Certificate applications and to verify the identity of potential Certificate Holders and Relying Parties, and authenticate information contained in Certificate applications in conformity with the provisions of this Policy and related agreements. Relying Party An individual or entity that has been authorized by a Sponsor, by contract or otherwise, to rely upon TrustMint Express Certificates that have been issued pursuant to this Policy and at the direction of such Sponsor. Repository An online system maintained by DST for storing and retrieving TrustMint Express Certificates and other information relevant to TrustMint Express Certificates and Digital Signatures, including information relating to certificate validity or revocation. TrustMint Express Certificate A Certificate issued pursuant to this Policy by DST as instructed to do so by a Sponsor. 1.3 Identification The Object Identifier ("OID") for this Policy, to be asserted in TrustMint Express Certificates issued in accordance with this Policy, is: {joint-iso-ccitt (2) country (16) USA (840) US-company (1) DST (113839) CP (0) TrustMintExpress (5)}. 1.4 Community and Applicability TrustMint Express Sponsors determine and designate who is authorized to be a Registration Authority, Certificate Holder or Relying Party for the TrustMint Express Certificates issued under this Policy. 1.5 Contact Details Questions regarding this Policy should be directed to Digital Signature Trust Co., 255 North Admiral Byrd Rd, Salt Lake City, UT 84116-3703, Attn: Legal Department, legal@trustdst.com. 2. GENERAL LEGAL PROVISIONS 2.1 Obligations In issuing TrustMint Express Certificates that reference this Policy, DST acts pursuant to the instructions of TrustMint Express Sponsors. DST disclaims any and all responsibility for: (a) performing Identification and Authentication of applicants, and (b) verifying the accuracy of information submitted by applicants. DST makes no warranties or representations: (a) to any Sponsor, other than those representations and warranties expressly made in any agreement between the Sponsor and DST, or (b) to applicants, Certificate Holders, Relying Parties or any other party that may rely on or use TrustMint Express Certificates. 2.2 Liability Except as otherwise provided by express agreement with a Sponsor, DST disclaims any and all liability for the information contained in Certificates issued under this Policy, including all claims for misappropriation of identity and intellectual property infringement. 2.3 Financial responsibility Except as otherwise provided by express agreement with a Sponsor: (a) DST will be liable to a Sponsor only for breach of the agreement between the Sponsor and DST; and (b) DST will not be liable, in contract, tort or otherwise, to any applicant, Certificate Holder, Relying Party or any other party with respect to the application for or issuance, management or use of any TrustMint Express Certificate. Each Sponsor will include in its agreements with the Certificate Holders and Relying Parties it authorizes appropriate provisions specifying that such parties will have no, and will not pursue any, claim against DST. Each Sponsor will indemnify and hold DST harmless from and against any damages arising out of the conduct of the Sponsor or of any Certificate Holder, Relying Party or Registration Authority with respect to TrustMint Express Certificates issued at the direction of such Sponsor. 2.4 Interpretation and Enforcement The law of the State of Utah shall govern the enforceability, construction, interpretation, and validity of this Policy, without regard to its conflicts of law principles. 2.5 Privacy and Data Protections TrustMint Express Certificates and CRLs, and personal or corporate information appearing on them and in public directories, are not considered confidential. Information contained on a single TrustMint Express Certificate or related status information will not be considered confidential, when the information is used in accordance with the purposes of providing Certification Authority or Repository services and carrying out the provisions of this Policy. However, such information may not be used by any unauthorized party or for any unauthorized purpose (e.g., mass, unsolicited e-mailings, junk e-mail, spam, etc.), and any information pertaining to the management of TrustMint Express Certificates, such as compilations of certificate information, shall be treated as proprietary. 3 IDENTIFICATION AND AUTHENTICATION DST does not perform, and assumes no liability for, the Identification and Authentication of applicants, Certificate Holders of TrustMint Express Certificates or Relying Parties. Any additional policies and procedures in this category are determined by agreement between the Sponsor and DST. 4 CERTIFICATE LIFE CYCLE OPERATIONAL REQUIREMENTS DST will follow the practices and procedures outlined in the Certification Practices Statement with respect to issuance, management and revocation of TrustMint Express Certificates, except as may be required by any applicable agreement between DST and a Sponsor, or as a Sponsor may otherwise direct. All other policies and procedures concerning the issuance, validity periods, management and revocation of TrustMint Express Certificates are determined by agreement between the Sponsor and DST. 5 CERTIFICATION AUTHORITY FACILITY AND MANAGEMENT CONTROLS All policies and procedures concerning DST's and Sponsor's physical, procedural, personnel and other operational standards are determined by agreement between the Sponsor and DST. 6 TECHNICAL SECURITY CONTROLS DST maintains a reliable system to ensure the security of its Private Keys. All policies and procedures concerning DST's and Sponsor's technical security controls, including without limitations, Key generation, Key length, Key validity period, Private Key protection, and computer and network security, are determined by agreement between the Sponsor and DST. 7 CERTIFICATE AND CRL PROFILES All policies and procedures concerning TrustMint Express Certificate profiles and CRL profiles are determined by agreement between the Sponsor and DST. 8 SPECIFICATION ADMINISTRATION 8.1 Policy Changes. DST may correct errors, update, modify or amend this Policy from time to time. DST will notify all Sponsors of any correction, updates, modifications or amendments in accordance with the agreements between DST and the Sponsors. Any suggested modifications, or any comments or questions about corrections, updates, modifications or amendments to this Policy should be directed to DST, as provided in Section 1.5 of this Policy. 8.2 General. All other policies and procedures concerning maintenance and changes to this Policy are under the direction and control of DST and the Sponsor as determined by agreement between the Sponsor and DST.