GoogleInc.

CertificationPracticesStatement
GoogleInc.
CertificationPracticesStatement
1.INTRODUCTION
1.1Overview
1.2Documentnameandidentification
1.3PKIparticipants
1.3.1CertificateAuthorities
1.3.2RegistrationAuthorities
1.3.3Subscribers
1.3.4RelyingParties
1.4Certificateusage
1.4.1.Appropriatecertificateuses
1.4.2Prohibitedcertificateuses
1.5Policyadministration
1.5.1Organizationadministeringthedocument
1.5.2Contactperson
1.5.3PersondeterminingCPSsuitabilityforthepolicy
1.5.4CPSapprovalprocedures
1.6Definitionsandacronyms
2.PUBLICATIONANDREPOSITORYRESPONSIBILITIES
2.1
Repositories
2.2
Publicationofcertificationinformation
2.3Timeorfrequencyofpublication
2.4Accesscontrolsonrepositories
3.IDENTIFICATIONANDAUTHENTICATION
3.1Naming
3.1.1Typesofnames
3.1.2Needfornamestobemeaningful
3.1.3Anonymityorpseudonymityofsubscribers
3.1.4Rulesforinterpretingvariousnameforms
3.1.5Uniquenessofnames
3.1.6Recognition,authentication,androleoftrademarks
3.2Initialidentityvalidation
3.2.1Methodtoprovepossessionofprivatekey
3.2.2Authenticationoforganizationidentity
3.2.3Authenticationofindividualidentity
3.2.4.1DomainNames
3.2.4.2Domainnamesnotregisteredtothecorporation
3.2.5Nonverifiedsubscriberinformation
3.3I&AforRenewalandRekeyRequests

3.4I&AforRevocationRequests
4.CERTIFICATELIFECYCLEOPERATIONALREQUIREMENTS(11)
4.1CertificateApplication
4.1.1Whocansubmitacertificateapplication
4.1.2Enrollmentprocessandresponsibilities
4.2Certificateapplicationprocessing
4.2.1Performingidentificationandauthenticationfunctions
4.2.2Approvalorrejectionofcertificateapplications
4.2.3Timetoprocesscertificateapplications
4.3Certificateissuance
4.3.1CAactionsduringcertificateissuance
4.3.2NotificationtosubscriberbytheCAofissuanceofcertificate
4.4Certificateacceptance
4.4.1Conductconstitutingcertificateacceptance
4.4.2PublicationofthecertificatebytheCA
4.4.3NotificationofcertificateissuancebytheCAtoother
entities
4.5Keypairandcertificateusage
4.5.1Subscriberprivatekeyandcertificateusage
4.5.2Relyingpartypublickeyandcertificateusage
4.6Certificaterenewal
4.6.1Circumstanceforcertificaterenewal
4.6.2Whomayrequestrenewal
4.6.3Processingcertificaterenewalrequests
4.6.4Notificationofcertificaterenewaltosubscriber
4.6.5Conductconstitutingacceptanceofarenewalcertificate
4.6.6PublicationoftherenewalcertificatebytheCA
4.6.7NotificationofcertificateissuancebytheCAtoother
entities
4.7Certificaterekey
4.7.1Circumstanceforcertificaterekey
4.7.2Whomayrequestcertificationofanewpublickey
4.7.3Processingcertificaterekeyingrequests
4.7.4Notificationofnewcertificateissuancetosubscriber
4.7.5Conductconstitutingacceptanceofarekeyedcertificate
4.7.6PublicationoftherekeyedcertificatebytheCA
4.7.7NotificationofcertificateissuancebytheCAtoother
entities
4.8Certificatemodification
4.8.1Circumstanceforcertificatemodification
4.8.2Whomayrequestcertificatemodification
4.8.3Processingcertificatemodificationrequests
4.8.4Notificationofnewcertificateissuancetosubscriber
4.8.5Conductconstitutingacceptanceofmodifiedcertificate
4.8.6PublicationofthemodifiedcertificatebytheCA
4.8.7NotificationofcertificateissuancebytheCAtootherentities
4.9Certificaterevocationandsuspension
4.9.1Circumstancesforrevocation
4.9.2Whocanrequestrevocation

4.9.3Procedureforrevocationrequest
4.9.4Revocationrequestgraceperiod
4.9.5TimewithinwhichCAmustprocesstherevocationrequest
4.9.6Revocationcheckingrequirementforrelyingparties
4.9.7CRLissuancefrequency(ifapplicable)
4.9.8MaximumlatencyforCRLs(ifapplicable)
4.9.9Onlinerevocation/statuscheckingavailability
4.9.10Onlinerevocationcheckingrequirements
4.9.11Otherformsofrevocationadvertisementsavailable
4.9.12Specialrequirementsuponkeycompromise
4.9.13Circumstancesforsuspension
4.9.14Whocanrequestsuspension
4.9.15Procedureforsuspensionrequest
4.9.16Limitsonsuspensionperiod
4.10Certificatestatusservices
4.10.1Operationalcharacteristics
4.10.2Serviceavailability
4.10.3Optionalfeatures
4.11Endofsubscription
4.12Keyescrowandrecovery
4.12.1Keyescrowandrecoverypolicyandpractices
4.12.2Sessionkeyencapsulationandrecoverypolicyandpractices
5.FACILITY,MANAGEMENT,ANDOPERATIONALCONTROLS(11)
5.1Physicalcontrols
5.1.1Sitelocationandconstruction
5.1.2Physicalaccess
5.1.3Powerandairconditioning
5.1.4Waterexposures
5.1.5Firepreventionandprotection
5.1.6Mediastorage
5.1.7Wastedisposal
5.1.8Offsitebackup
5.2Proceduralcontrols
5.2.1Trustedroles
5.2.2Numberofpersonsrequiredpertask
5.2.3Identificationandauthenticationforeachrole
5.2.4Rolesrequiringseparationofduties
5.3Personnelcontrols
5.3.1Qualifications,experience,andclearancerequirements
5.3.2Backgroundcheckprocedures
5.3.3Trainingrequirements
5.3.4Retrainingfrequencyandrequirements
5.3.5Jobrotationfrequencyandsequence
5.3.6Sanctionsforunauthorizedactions
5.3.7Independentcontractorrequirements
5.3.8Documentationsuppliedtopersonnel
5.4Auditloggingprocedures
5.4.1Typesofeventsrecorded
5.4.2Frequencyofprocessinglog

5.4.3Retentionperiodforauditlog
5.4.4Protectionofauditlog
5.4.5Auditlogbackupprocedures
5.4.6Auditcollectionsystem(internalvs.external)
5.4.7Notificationtoeventcausingsubject
5.4.8Vulnerabilityassessments
5.5Recordsarchival
5.5.1Typesofrecordsarchived
5.5.2Retentionperiodforarchive
5.5.3Protectionofarchive
5.5.4Archivebackupprocedures
5.5.5Requirementsfortimestampingofrecords
5.5.6Archivecollectionsystem(internalorexternal)
5.5.7Procedurestoobtainandverifyarchiveinformation
5.6Keychangeover
5.7Compromiseanddisasterrecovery
5.7.1IncidentandCompromiseHandlingProcedures
5.7.2CorruptionofComputingResources,Software,and/orData
5.7.3CompromiseofGoogleInternetAuthorityPrivateKey
5.7.4Businesscontinuitycapabilitiesafteradisaster
5.8CAorRATermination
6.TECHNICALSECURITYCONTROLS
6.1Keypairgenerationandinstallation
6.1.1Keypairgeneration
6.1.2Privatekeydeliverytosubscriber
6.1.3Publickeydeliverytocertificateissuer
6.1.4CApublickeydeliverytorelyingparties
6.1.5Keysizes
6.1.6Publickeyparametersgenerationandqualitychecking
6.1.7Keyusagepurposes(asperX.509v3keyusagefield)
6.2PrivateKeyProtectionandCryptographicModuleEngineeringControls
6.2.1Cryptographicmodulestandardsandcontrols
6.2.2Privatekey(noutofm)multipersoncontrol
6.2.3Privatekeyescrow
6.2.4Privatekeybackup
6.2.5Privatekeyarchival
6.2.6Privatekeytransferintoorfromacryptographicmodule
6.2.7Privatekeystorageoncryptographicmodule
6.2.8Methodofactivatingprivatekey
6.2.9Methodofdeactivatingprivatekey
6.2.10Methodofdestroyingprivatekey
6.2.11CryptographicModuleRating
6.3Otheraspectsofkeypairmanagement
6.3.1Publickeyarchival
6.3.2Certificateoperationalperiodsandkeypairusageperiods
6.4Activationdata
6.4.1Activationdatagenerationandinstallation
6.4.2Activationdataprotection
6.4.3Otheraspectsofactivationdata

6.5Computersecuritycontrols
6.5.1Specificcomputersecuritytechnicalrequirements
6.5.2Computersecurityrating
6.6Lifecycletechnicalcontrols
6.6.1Systemdevelopmentcontrols
6.6.2Securitymanagementcontrols
6.6.3Lifecyclesecuritycontrols
6.7Networksecuritycontrols
6.8Timestamping
7.CERTIFICATE,CRL,ANDOCSPPROFILES
7.1Certificateprofile
7.1.1Versionnumber(s)
7.1.2Certificateextensions
7.1.3Algorithmobjectidentifiers
7.1.4Nameforms
7.1.5Nameconstraints
7.1.6Certificatepolicyobjectidentifier
7.1.7UsageofPolicyConstraintsextension
7.1.8Policyqualifierssyntaxandsemantics
7.1.9ProcessingsemanticsforthecriticalCertificatePoliciesextension
7.2CRLprofile
7.2.1Versionnumber(s)
7.2.2CRLandCRLentryextensions
7.3OCSPprofile
7.3.1Versionnumber(s)
7.3.2OCSPextensions
8.ComplianceAuditandOtherAssessments
8.1FrequencyandCircumstancesofAssessment
8.2Identity/QualificationofAssessor
8.3AssessorsRelationshiptoAssessedEntity
8.4TopicsCoveredbyAssessment
8.5ActionsTakenasaResultofDeficiency
8.6CommunicationsofResults
9.OTHERBUSINESSANDLEGALMATTERS
9.1Fees
9.1.1Certificateissuanceorrenewalfees
9.1.2Certificateaccessfees
9.1.3Revocationorstatusinformationaccessfees
9.1.4Feesforotherservices
9.1.5Refundpolicy
9.2Financialresponsibility
9.2.1Insurancecoverage
9.2.2Otherassets
9.2.3Insuranceorwarrantycoverageforendentities
9.3Confidentialityofbusinessinformation
9.3.1Scopeofconfidentialinformation
9.3.2Informationnotwithinthescopeofconfidentialinformation
9.3.3Responsibilitytoprotectconfidentialinformation
9.4Privacyofpersonalinformation

9.5Intellectualpropertyrights
9.6Representationsandwarranties
9.6.1CArepresentationsandwarranties
9.6.1.1Limitedwarranty
9.6.1.2CABFWarrantiesandObligations
9.6.2RArepresentationsandwarranties
9.6.3Subscriberrepresentationsandwarranties
9.6.4Relyingpartyrepresentationsandwarranties
9.6.5Representationsandwarrantiesofotherparticipants
9.7Disclaimersofwarranties
9.8Limitationsofliability
9.9Indemnities
9.9.1Bysubscriber
9.9.2Byrelyingparties
9.9.3ByCAofApplicationSoftwareSuppliers
9.10Termandtermination
9.10.1Term
9.10.2Termination
9.10.3Effectofterminationandsurvival
9.11Individualnoticesandcommunicationswithparticipants
9.12Amendments
9.12.1Procedureforamendment
9.12.2Notificationmechanismandperiod
9.12.3CircumstancesunderwhichOIDmustbechanged
9.13Disputeresolutionprovisions
9.14Governinglaw
9.15Compliancewithapplicablelaw
9.16Miscellaneousprovisions
9.16.1Entireagreement
9.16.2Assignment
9.16.3Severability
9.16.4Enforcement(attorneys'feesandwaiverofrights)
9.16.5ForceMajeure
9.17Otherprovisions

1.INTRODUCTION
1.1Overview
TheGooglePublicKeyInfrastructure(GooglePKI),hasbeenestablishedbyGoogle
Inc.(Google),toenablereliableandsecureauthenticationofidentity,andtofacilitatethe
confidentialityandintegrityofelectronictransactions.ThisdocumentisissuedbyGoogle
toidentifythepracticesandproceduresthatGoogleemploysinissuingcertificatesfrom
theGoogleInternetAuthoritywithintheGooglePKI.

1.2Documentnameandidentification
ThisdocumentistheGoogleCertificationPracticesStatement("CPS").

ThisCPSistheprincipalstatementofpolicygoverningtheGooglePKI.Itsetsforththe
business,legal,andtechnicalrequirementsforapproving,issuing,managing,using,
revoking,andrenewing,GoogleCertificateswithintheGooglePKIandproviding
associatedtrustservicesforallParticipantswithintheGooglePKI.
ThisCPScoversallcertificatesissuedandsignedbythefollowingIntermediate
CertificateAuthority:
Subject:C=US,O=GoogleInc,CN=GoogleInternetAuthorityG2
certificatePolicies.policyIdentifiers:1.3.6.1.4.1.11129.2.5.1
TheIntermediateCertificateAuthoritycertificatecanberetrievedat
http://pki.google.com/GIAG2.crt.

1.3PKIparticipants
ThefollowingcategoriesofPKIparticipantsaredefinedinthesectionsthatfollow:
CertificateAuthorities
RegistrationAuthorities
Subscribers
RelyingParties
1.3.1CertificateAuthorities
ThetermCertificationAuthority(CA)isanumbrellatermthatreferstoallentities
authorizedtoissue,manage,revoke,andrenewcertificates.TheGooglePKIoperates
withinthecontextofatwotierCAhierarchy,consistingofaRootCAandasubordinate
CAknownastheGoogleInternetAuthority,whicharedescribedasfollows:
TheGooglePKIwillutilizeanexternalRootCertificationAuthorityoperatedbyGeoTrust,
Inc.TheRootCAservesasthetrustanchorandtoplayerfortheGooglePKI.It
operatesinaccordancewiththerequirementsoftheapplicableGeoTrustCPS,andis
notsubjecttothisCPS.However,bycontractbetweenGeoTrustandGoogle,theRoot
CAhasimposedcertainrequirementsontheGooglePKI,whicharereflectedinthisCPS
oraseparatecontractbetweenGoogleandGeotrust.TheRootCAwillissuea
CompanyCACertificatetotheGoogleInternetAuthority.
ThesecondleveloftheGooglePKIisknownastheGoogleInternetAuthority.The
GoogleInternetAuthoritymayissueendentitycertificatesasauthorizedbythisCPS,and
operatesinaccordancewith,andsubjectto,thisCPS.Theremaybemorethanone
GoogleInternetAuthorityCAtosupportdifferentcryptographicalgorithmsorkeylength
requirements.
1.3.2RegistrationAuthorities

RegistrationAuthorities(RAs)areentitiesthatapproveandauthenticaterequeststo
obtain,renew,orrevokeCertificates.RAsaregenerallyresponsibleforidentifyingand
authenticatingApplicantsforCertificates,verifyingtheirauthorizationtorequest
Certificates,approvingindividuals,entities,and/ordevicestobenamedinCertificates,
andauthorizingand/orrequestingaCAtoissue,renew,orrevokeaCertificatetosuch
person/entity/device.
AllfunctionsnormallyperformedbyanRAwillbeperformedbytheGoogleInternet
Authority.
1.3.3Subscribers
IntheGooglePKI,aSubscriberisanindividualoranorganizationcapableofusing,and
authorizedtouse,thePrivateKeythatcorrespondstothePublicKeylistedina
Certificate,andthat:(1)isnamedinaCertificate'sSubjectfield,and(2)hasagreedto
thetermsofaSubscriberAgreementwithGoogleactinginitscapacityastheGoogle
InternetAuthority.OnlyGoogleandGoogleAffiliatesmaybeSubscribers.
TheGoogleInternetAuthoritymayissueendentityCertificatesonlytothefollowing
organizations:GoogleandGoogleAffiliates.
AllSubscribersarerequiredtoenterintoanagreementthat,withrespecttoeachGoogle
CertificateissuedtothemasaSubscriber,obligatesthemto:

MaketruerepresentationatalltimestotheGoogleInternetAuthorityregarding
informationintheCertificateandotheridentificationandauthenticationinformation
requestedbytheGoogleInternetAuthority.
MaintainpossessionandcontrolofthePrivateKeycorrespondingtothePublicKeyin
theCertificateatalltimes
UsetheCertificateexclusivelyforlegalandauthorizedcompanybusinessandin
accordancewiththeCPS.
ImplementappropriatesecuritymeasurestoprotecttheirPrivateKeycorresponding
tothePublicKeyincludedintheCertificate.
PromptlyinformtheGoogleInternetAuthorityofachangetoanyinformationincluded
intheCertificateorinthecertificateapplicationrequest.
PromptlyinformtheGoogleInternetAuthorityofanysuspectedcompromiseofthe
PrivateKey.
ImmediatelyceaseusingtheCertificateuponexpirationoftheCertificate,revocation
oftheCertificate,orintheeventofanysuspectedcompromiseofthePrivateKey.

ByissuingthisCPS,Googleagreestotheforegoingobligationswithrespectto
Certificatesthatitissuestoitselforitsaffiliates.
1.3.4RelyingParties

ARelyingPartyisanyindividualorentitythatactsinrelianceonaGoogleCertificateto
verifyadigitalsignatureand/ordecryptanencrypteddocumentormessage.Relying
PartiesincludeGoogleandGoogleAffiliates,aswellasunaffiliatedindividualsorentities
thatrelyonGoogleCertificates.

1.4Certificateusage
1.4.1.Appropriatecertificateuses
TheGoogleInternetAuthoritymayissuethefollowingcertificates:
CertificateType

AuthoritytoIssue

ServerAuthentication

Yes

ClientAuthentication

Yes

Afurtherdescriptionofthesetypesofcertificatescanbefoundbelow:
AServerCertificateisacertificatethattheGoogleInternetAuthoritycanissueto
Subscribersforthepurposeofidentifyingthedomainnameofaserviceoperated
byoronbehalfofGoogleoraGoogleAffiliate.ExceptasnotedinthisCPS,it
mustidentifyadomainnamethatisownedbyoronbehalfofGoogleorthe
GoogleAffiliatenamedinthesubject:organizationNamefieldoftheCertificate.Its
useislimitedto(i)validatingthattheSubjectnamedintheCertificateisthe
organization(or,parentoftheorganization)thatownsorhasexclusivecontrolof
alldomainsnamedintheCertificate,(ii)validatingthattheSubjectnamedinthe
Certificateistheorganizationthatoperatestheservice,oronwhosebehalfthe
serverisoperated,and(iii)enablingencryptedcommunicationbetweentheclient
andserverorbetweentwoservers.
AClientAuthenticationCertificateisaGoogleCertificatethattheGoogleInternet
Authoritycanissuetoindividuals(aswellasorganizationsowningdevicesnot
actinginthecapacityofaserver),solelyforthepurposeofidentifyingthatthe
holderoftheprivatekeyisinfacttheindividualororganizationnamedinthe
Certificatessubjectfield.
1.4.2Prohibitedcertificateuses
Nostipulation.

1.5Policyadministration
1.5.1Organizationadministeringthedocument
Googleisresponsibleforthedrafting,maintenance,andinterpretationofthisCertification
PracticesStatement.
1.5.2Contactperson

TheteamresponsiblefortheCPSdocumentationcanbecontactedat:
GoogleInc
InformationSecurityTeam
pkicontact@google.com
Forsecurityissues,suchasvulnerabilityreportsorexternalreportsofkeycompromise,
pleasecontactsecurity@google.com.
1.5.3PersondeterminingCPSsuitabilityforthepolicy
TheGoogleCAPolicyAuthoritydeterminesthesuitabilityandapplicabilityofthisCPS.
1.5.4CPSapprovalprocedures
GooglemayupdatethisCPSasrequired,inthejudgmentofGoogle.Anysuggestions
astomodificationsshouldbecommunicatedtotheaddresslistedinSection1.5ofthis
CPS.ChangestothisCPS,thatinthejudgmentofGooglewillhavenooronlyaminimal
effectonParticipantsintheGooglePKI,maybemadewithoutnotification.Changes,that
inthejudgmentofGooglewillhaveasignificantimpactonParticipantsintheGooglePKI,
willbemadewithpriornoticetosuchParticipants.
ThisCPSwillbepublishedbypostingitathttp://pki.google.com/.
IntheeventGoogledecidestomakesignificantchangestothisCPS,notificationofsuch
changeswillbepostedathttp://pki.google.com/.
AnewversionoftheCPSwillbecomeeffectivefifteen(15)daysaftersuchposting,and
willsupersedeallpreviousversionsandwillbebindingonallParticipantsintheGoogle
PKIfromthatpointforward.
TheGoogleInternetAuthoritywillmaintainandoperatearepositoryoftheCPSand
associatedcertificatesandCRLsonthehttp://pki.google.com/server.

1.6Definitionsandacronyms
SeeappendixA.

2.PUBLICATIONANDREPOSITORYRESPONSIBILITIES
TheGoogleInternetAuthorityisoperatedbyGoogleInc.sInformationSecurityTeam,
whocanbereachedatpkicontact@google.com.

2.1

Repositories

TheRepositorywillincludecopiesof:
ThecurrentversionofthisCPS.

Themostrecentcertificaterevocationlist(CRL)issuedbytheGoogleInternet
Authority.
OtherpublicinformationregardingtheGooglePKI,atGooglesdiscretion.

2.2

Publicationofcertificationinformation

TheCRLispubliclyavailableathttp://pki.google.com/GIA2G.crl

2.3Timeorfrequencyofpublication
TheCRLshallbeupdatedpromptlyupontherevocationofaCertificate,butinnocase
shallsuchupdateoccurmorethanone(1)businessdaysfollowingrevocation.The
CRLsareperiodicallyupdatedandreissuedatleasteveryseven(7)days,andtheir
validityperiodshallnotexceedten(10)days.

2.4Accesscontrolsonrepositories
Therepositoryispubliclyavailable.

3.IDENTIFICATIONANDAUTHENTICATION
3.1Naming
3.1.1Typesofnames
CertificatescontainanX.501distinguishednameintheSubjectnamefield,and
incorporatethefollowingattributes:

Country(C)
Organization(O)
OrganizationalUnit(OU)
StateorProvince(S)
Locality(L)
CommonName(CN)
EmailAddress(E)

CertificateswillalsoincorporatetheSubjectAlternativeName(SAN)attribute,whichwill
repeattheCommonName,aswellasanyothernamesthatmayapplytothesubject.
3.1.2Needfornamestobemeaningful
DomainnamesincludedintheCNorSANattributesmustidentifyoneormorespecific
hosts.Googlemayissuewildcardcertificates,whichidentifyasetofhosts.
3.1.3Anonymityorpseudonymityofsubscribers
Subscribersarenotpermittedtousepseudonyms.
3.1.4Rulesforinterpretingvariousnameforms
Nostipulation

3.1.5Uniquenessofnames
Nostipulation
3.1.6Recognition,authentication,androleoftrademarks
CertificateApplicantsareprohibitedfrominfringingontheintellectualpropertyand
commercialrightsofothers.Thesecommercialrightsarevalidatedbyotherprocesses
withinGoogle,priortotheapprovalofanycertificatesigningrequest.

3.2Initialidentityvalidation
3.2.1Methodtoprovepossessionofprivatekey
ThecertificateapplicantmustproveownershipoftheprivatekeybyprovidingaPKCS
#10compliantcertificatesigningrequest,oracryptographicallyequivalentproof.This
requirementdoesnotapplywhenakeypairisgeneratedbytheGoogleInternetAuthority
onbehalfoftheapplicant.
3.2.2Authenticationoforganizationidentity
IdentificationandAuthentication(I&A)procedureswillbeperformedonallApplicants,
andonallpersons,entities,devices,anddomainstobenamedinaCertificate,inthe
followingcircumstance:

DuringtheCertificateapplicationprocess
DuringtheCertificaterekeyprocess

AppropriateI&Aoftheapplicantmustalsobeperformedinconnectionwithrequestsfor
RevocationofCertificatestoensuretheidentityandauthorityofthepersonrequesting
RevocationtotheextentrequiredbythisCPS.
I&AproceduresmustensurethatallApplicantsforGoogleCertificates,andallSubject
informationtobeincludedintheGoogleCertificate,conformtotherequirementsof,and
havebeenverifiedinaccordancewith,thisCPS.Suchverificationprocessesare
intendedtoaccomplishthefollowing:

VerifytheidentityoftheApplicantapplyingfortheGoogleCertificate
VerifytheexistenceandidentityoftheSubject
VerifytheSubjectslegalexistenceandidentity
VerifytheSubjectsphysicalexistence(businesspresenceataphysical
address)
VerifytheSubjectsownershipof(orexclusiverighttocontrol)thedomainname
tobeincludedintheCertificate(whereapplicable)
VerifytheSubjectsownershipandcontrolof,thedevicenametobeincludedin

theCertificate(whereapplicable)
VerifyApplicantsauthorizationtoapplyfortheCertificate.
3.2.3Authenticationofindividualidentity
TheI&AproceduresforindividualApplicantsapplyingforCertificatesthatwillnamean
individualastheSubjectincludethefollowing:
(1)verifythenameoftheApplicant,andthathe/sheisanemployeeofor
contractoroftheorganizationalentitytobenamedastheSubjectinthe
Certificatetobeissuedand
(2)verifythattheApplicantisauthorizedtoapplyforandobtaintheCertificateon
behalfoftheindividualtobenamedastheSubjectintheCertificatetobeissued.
3.2.3.1DomainNames

AllthedomainsrequestedinacertificatemustbeGoogleownedandmanaged,or
domainsownedbycompaniesinwhichthecorporation(Google)hasamajority
ownershipinterest.Domainswhichdonotmeetthesecriteriawillnotbeissueda
certificatefromthecertificateauthorityandmustuseathirdpartysupplier.
TheI&AproceduresforCertificatesthatwillincludethedomainnameofaserverinclude
thefollowing:
VerifythatthedomainnameisregisteredwithanInternetCorporationfor
AssignedNamesandNumbers(ICANN)approvedregistraroraregistrylistedby
theInternetAssignedNumbersAuthority(IANA).Subdomainsmustbefora
domainappropriatelyregisteredwiththeseorganizations.
VerifythattheDomainregistrationinformationintheWHOISdatabaseispublic
andshowsthename,physicaladdress,andadministrativecontactinformation
fortheentitytobenamedastheSubjectintheCertificate.WhenaWHOIS
databaseisnotavailable,obtaincompensatingconfirmationfromtheregistry
VerifythattheentitytobenamedastheSubjectintheCertificateistheregistered
holderofthedomainname,oralternatively,thatithastheexclusiverighttouse
thedomainnameby(i)verifyingtheidentityofthepersonthatisistheregistered
holderofthedomainname,and(ii)obtainingaverifiedconfirmationfromsuch
ownerofthedomainnameconfirmingsuchexclusiverighttousethedomain
name
VerifythattheentitytobenamedastheSubjectintheCertificateisawareofits
registrationofthedomainname.
3.2.3.2Domainnamesnotregisteredtothecorporation

Ifadomainisnotpubliclyregisteredtothecorporation,butismanagedbyit,theapplicant
mustsupplyproofofboth:
Arequesteddomaintransfertocorporateinfrastructure
Proofofownershipofthedomain.Wewillrequireadditionalproofsofownership

fromtheapplicantsteamincaseofanydoubt
Or:

Proofthatthecompanytowhichthedomainispubliclyregisteredis
majorityownedbythecorporation.
Oncewehavethisinformationwewillrequestfromtheapplicant'steamthat:
thedomainisGoogleownedandmanaged
thedomainwillremainownedandmanagedbyGoogleduringthecertificate
lifetime.
3.2.4Nonverifiedsubscriberinformation
Nonverifiedsubscriberinformationforallproductsincludes:
OrganizationalUnit(OU)
Oganizationspecificinformationnotusedforidentificationpurposes
Otherinformationdesignatedasnonverifiedinthecertificate.
3.2.5I&ADataValidityPeriod
ThemaximumvalidityperiodforvalidateddatathatcanbeusedtosupportI&A
proceduresforissuanceofaGoogleCertificate(beforerevalidationoftheinformationis
required)isasfollows:
LegalexistenceandidentityofentityOne(1)year
DomainnameOne(1)year
IdentityandauthorityofApplicantOne(1)year.
3.2.6Criteriaforinteroperation
Nostipulation
3.3I&AforRenewalandRekeyRequests
SameasI&AproceduresforinitialCertificateapplication.SeeSection3.2.2.
3.4I&AforRevocationRequests
SeeSection3.2.1.

4.CERTIFICATELIFECYCLEOPERATIONAL
REQUIREMENTS(11)
4.1CertificateApplication
AllapplicationsforaGoogleCertificatemustcontaintheinformationrequiredbythe
GoogleInternetAuthority.

4.1.1Whocansubmitacertificateapplication
ApplicationsforaGoogleCertificatethatnameanentityastheSubjectmaybesubmitted
onlybyanApplicantemployedbyorcontractedby,andauthorizedtoactonbehalfof,the
entitytobenamedastheSubjectintheCertificatetobeissued.
ApplicationsforaGoogleCertificatethatwillincludeadomainnamealsorequire
verificationthattheentitytobenamedastheSubjectintheCertificateisawareofits
registrationofthedomainname.
ApplicantsseekingtoobtainaGoogleCertificatemusthaveaccesstoacomputer,their
ownpersonalGoogleissuedindividualcorporatecredentials,andawebbrowser.
4.1.2Enrollmentprocessandresponsibilities
ApplicantsseekingtoobtainaGoogleCertificatemustprovidetotheGoogleInternet
Authority,ataminimum,thefollowinginformation:
TheidentityoftheSubscribertobenamedastheSubjectintheCertificateunlessthe
SubscriberisGoogleInc
ThePublicKeytobeincludedintheCertificate(iftheSubscriberhasgeneratedits
ownKeyPair)
ThefullyqualifieddomainnamestobeincludedintheCertificate(iftheCertificatewill
containadomainname)
AnyotherinformationastheGoogleInternetAuthorityrequests.

4.2Certificateapplicationprocessing
TheGoogleInternetAuthoritymustperformtheapplicableI&Aproceduresandmust
verifytheaccuracyandauthenticityoftheinformationprovidedbytheApplicantatthe
timeofapplicationforaGoogleCertificate.Thisincludes:
ObtainingaPublicKeyfromtheApplicantor,optionally,generatinganasymmetric
KeyPaironbehalfoftheApplicant.
VerifyingthatidentifyingdataprovidedbytheApplicantisvalid.
VerifyingthattheidentifyingdatapertainstotheApplicantand/ortheSubjectofthe
Certificate,asapplicable
VerifyingthattheSubjectisentitledtoobtainaCertificateundertherelevant
operationsandguidelinesdefinedinthisCPS.
VerifyingthattheSubjectprovidesawellformed,validCSR,containingavalid
signature.
4.2.1Performingidentificationandauthenticationfunctions
Googleperformsidentificationandauthenticationofallrequiredsubscriberinformation,
asspecifiedinsection3.2.Whenthisinformationisunavailable,theemployeefillingthe
RegistrationAuthorityfunctionwillreachouttotheapplicanttoobtaintherequired
additionalinformationsotherequestcanbefulfilled.
4.2.2Approvalorrejectionofcertificateapplications

Googlemayapproveanapplicationifallrequiredsubscriberinformationhasbeen
providedandvalidated.Anyotherrequestwillberejected.
4.2.3Timetoprocesscertificateapplications
Googlewillprocesscertificateapplicationswithinareasonabletimeframe.Noservice
levelagreementisinplacethatprescribesaspecificissuancetime.

4.3Certificateissuance
4.3.1CAactionsduringcertificateissuance
Oncethecertificateapplicationprocessingiscompleted,andtheSubjecttobenamedin
theCertificateisapprovedforaCertificate,theCAwillgeneratetheCertificate.TheCA
willaddtheappropriatekeyusageextensionstotheCertificateatthetimeofissuance.
TheCAmaygenerate,issue,andpublishaGoogleCertificateonlyafterithasperformed
therequiredI&AproceduresandCertificateapplicationprocessinginaccordancewith
thisCPS.
4.3.2NotificationtosubscriberbytheCAofissuanceofcertificate
TheApplicantwillbenotifiedthattheCertificateisissuedviaemailoraninternalGoogle
serviceandwillbeprovidedwithappropriateinstructionsonhowtoobtaintheCertificate.
DeliveryoftheGoogleCertificatewilloccurviaGooglecorporateservices.

4.4Certificateacceptance
TheSubjectnamedintheCertificate(theSubscriber)indicatesacceptanceofa
CertificatebyobtainingtheCertificate.
ByacceptingaCertificate,theSubjectagreestobeboundbythecontinuing
responsibilities,obligationsanddutiesimposedbythisCPSandtheSubscriber
Agreement,andrepresentsandwarrantsthat:

ToitsknowledgenounauthorizedpersonhashadaccesstothePrivateKey
associatedwiththeCertificate
Theinformationithassuppliedduringtheregistrationprocessistruthfulandto
theextentapplicable,hasbeenaccuratelyandfullypublishedwithinthe
certificate
ItwillatalltimesretaincontrolofthePrivateKeycorrespondingtothePublicKey
listedintheCertificate
ItwillimmediatelyinformtheGoogleInternetAuthorityofanyeventthatmay
invalidateorotherwisediminishtheintegrityoftheCertificate,suchasknownor
suspectedloss,disclosure,orothercompromiseofitsPrivateKeyassociated
withitsCertificate.
TheobligationssetforthinthisSectionareinadditiontootherobligationssetforthinthis
CPSandtheSubscriberAgreement.

4.4.1Conductconstitutingcertificateacceptance
Nostipulation
4.4.2PublicationofthecertificatebytheCA
Nostipulation.
4.4.3NotificationofcertificateissuancebytheCAtoother
entities
Nostipulation.

4.5Keypairandcertificateusage
TheSubscribermayonlyusethePrivateKeyandCertificateforapplicationsconsistent
withthekeyusageextensionsoftheCertificate.TheSubscribermustdiscontinueuseof
thePrivateKeyandCertificatefollowingtherevocationorexpirationoftheCertificate.
RelyingPartiesmayrelyontheCertificateonlyfortheapplicationsspecifiedinthekey
usageextensionsoftheCertificate.
4.5.1Subscriberprivatekeyandcertificateusage
Nostipulation
4.5.2Relyingpartypublickeyandcertificateusage
Nostipulation.

4.6Certificaterenewal
CertificaterenewalistheprocesswherebyanewCertificatewithanupdatedvalidity
periodiscreatedforanexistingKeyPair.
Asageneralmatter,theGooglePKIdoesnotsupportCertificaterenewal.Whenevera
GoogleCertificateexpires,theSubscriberisrequiredtogenerateanewKeyPairand
requestanewCertificate(i.e.,)inaccordancewiththerequirementsofthisCPS.
4.6.1Circumstanceforcertificaterenewal
Nostipulation
4.6.2Whomayrequestrenewal
Nostipulation
4.6.3Processingcertificaterenewalrequests
Nostipulation
4.6.4Notificationofcertificaterenewaltosubscriber
Nostipulation
4.6.5Conductconstitutingacceptanceofarenewalcertificate

Nostipulation
4.6.6PublicationoftherenewalcertificatebytheCA
Nostipulation
4.6.7NotificationofcertificateissuancebytheCAtoother
entities
Nostipulation

4.7Certificaterekey
4.7.1Circumstanceforcertificaterekey
Anyrekeyrequestistreatedasanewcertificateissuancerequest.
4.7.2Whomayrequestcertificationofanewpublickey
Notapplicable.
4.7.3Processingcertificaterekeyingrequests
Notapplicable.
4.7.4Notificationofnewcertificateissuancetosubscriber
Notapplicable.
4.7.5Conductconstitutingacceptanceofarekeyedcertificate
Notapplicable.
4.7.6PublicationoftherekeyedcertificatebytheCA
Googledoesnotpublishalistofallcertificatesitissuesatthistime.However,any
revocationofapriorcertificatewhichresultedinrekeyingwillbepublishedusingthe
standardrevocationmethods.
4.7.7NotificationofcertificateissuancebytheCAtoother
entities
TheRegistrationAuthoritymay,andtheSubscriberwill,benotifiedofcertificate
issuance.

4.8Certificatemodification
Googledoesnotmodifypreviouslyissuedcertificates.Anyrequestformodificationwill
resultintherenewedvalidationandissuanceofanewcertificate,asgovernedby
sections4.1and3.2.
4.8.1Circumstanceforcertificatemodification
Notapplicable.

4.8.2Whomayrequestcertificatemodification
Notapplicable.
4.8.3Processingcertificatemodificationrequests
Notapplicable.
4.8.4Notificationofnewcertificateissuancetosubscriber
Notapplicable.
4.8.5Conductconstitutingacceptanceofmodifiedcertificate
Notapplicable.
4.8.6PublicationofthemodifiedcertificatebytheCA
Notapplicable.
4.8.7NotificationofcertificateissuancebytheCAtootherentities
Notapplicable.

4.9Certificaterevocationandsuspension
TheGooglePKIsupportsCertificateRevocation.Certificatesuspensionisnotallowed.
WhenaCertificateisRevoked,itismarkedasrevokedbyhavingitsserialnumberadded
totheCRLtoindicateitsstatusasrevoked.Inaddition,asignedOCSPresponseis
generated.
4.9.1Circumstancesforrevocation
TheGoogleInternetAuthoritywillrevokeaCertificateithasissuedif,atanytime,iteither
hasknowledgeorareasonablebasisforbelievingthatanyofthefollowingeventshave
occurred:

TheGoogleInternetAuthorityceasesoperationsforanyreason
TheCompanyCACertificateoftheGoogleInternetAuthorityisrevoked
ThePrivateKeyoftheGoogleInternetAuthorityhasbeenstolen,disclosedinan
unauthorizedmanner,orotherwisecompromised
ThePrivateKeyassociatedwiththePublicKeylistedintheCertificate,orthe
mediaholdingsuchPrivateKey,issuspectedorknowntohavebeenstolen,
disclosedinanunauthorizedmanner,orotherwisecompromised
TheActivationDataforthePrivateKeyassociatedwiththePublicKeylistedinthe
Certificateissuspectedorknowntohavebeendisclosedandmisusedinan
unauthorizedmanner,orotherwisecompromised
ViolationbytheSubscriberofanyofitsmaterialobligationsunderthisCPSorthe
SubscriberAgreement

Adetermination,intheGoogleInternetAuthority'ssolediscretion,thatthe
Certificatewasnotissuedinaccordancewiththetermsandconditionsofthis
CPS
AdeterminationbytheGoogleInternetAuthoritythatcontinueduseofthe
Certificateisinappropriateorinjurioustotheproperfunctioningorintentofthe
GooglePKI
WhenrequestedbyGoogle
WhentheSubscriberisnolongerauthorizedtohaveaCertificate.
Inallothercircumstances,theSubscribermayrequestRevocationofaCertificate
identifyingitintheSubjectfieldatitsdiscretion.
4.9.2Whocanrequestrevocation
CertificateRevocationcanberequestedby:

TheApplicantthatsubmittedtheinitialCertificateapplication,solongasthe
ApplicantremainsanauthorizedemployeeoftheSubjectoftheCertificateor
maintainsacontractualagreementandauthorizationfromtheSubject
AnyotherauthorizedemployeeoftheSubjectoftheCertificate
Anyoneinpossessionof,orwithaccessto,thePrivateKeythatcorrespondsto
thePublicKeyintheCertificate
Anyotherindividualwhoprovidesreasonableproofofkeycompromiseforthe
Certificate
TheSubjectnamedintheCertificateinquestion
AnyauthorizedmemberofGooglesInformationSecurityTeam.

4.9.3Procedureforrevocationrequest
AllCertificateRevocationrequestsmustbemadetotheGoogleInternetAuthority.
Arequestforrevocationmaybemadethroughthesystemsmadeavailableto
subscribersorbyemailtopkicontact@google.comorbysubmittingatickettoGoogles
internalticketingsystem.Iftherequestisrelatedtoapotentialcompromiseofaprivate
key,therequestershouldalsocontactsecurity@google.com.
AllCertificateRevocationrequestsmustincludeareasonfortherequest(e.g.,
suspectedPrivateKeycompromise).

ForallRevocationrequests,theGoogleInternetAuthoritymustperformappropriateI
&AoftheApplicant(i.e.,theindividualsubmittingtheRevocationrequest)as
specifiedinthisCPS
IncircumstanceswherearequesthasbeenreceivedbutI&Acannotbeimmediately
completed,theGoogleInternetAuthoritywillcheckforreasonableproofofPrivate
Keycompromiseormisuse,butneednotcompletetherequestifthereisnosuch
proofuntilcompletionofappropriateI&A.

4.9.4Revocationrequestgraceperiod
Notapplicable.
4.9.5TimewithinwhichCAmustprocesstherevocationrequest
TheGoogleInternetAuthoritywillbegininvestigationofanycertificateproblemrequests
forRevocationofCertificatesithasissuedwithinonebusinessday.
TheCRLshallbeupdatedpromptlyupontheRevocationofaCertificate,butinnocase
shallsuchupdateoccurmorethanone(1)businessdayfollowingRevocation.
ForSubscriberswhoseCertificateshavebeenRevoked,arekeywillonlybepermitted
onceallcircumstancesthatcausedtheRevocationhavebeenremediated.
TheendofsubscriptionmayoccureitherwhenaCertificateexpiresorwhenaCertificate
isRevoked.IftheCertificateexpires,noactionistakenbytheGoogleInternetAuthority.
IftheGoogleInternetAuthorityreceivesarequestforRevocationofaCertificate,the
processdescribedinthisCPSforCertificateRevocationwillbefollowed.
4.9.6Revocationcheckingrequirementforrelyingparties
Certificatestatus(forRevokedCertificates)willbeavailableontheWebviaaCRLat
http://pki.google.com/GIA2G.crl.
RelyingPartiesarerequiredtocheckCertificatestatususingtheapplicableCRLbefore
relyinguponaGoogleCertificate.
4.9.7CRLissuancefrequency(ifapplicable)
TheseCRLsareperiodicallyupdatedandreissuedatleasteveryseven(7)days,and
theirvalidityperiodshallnotexceedten(10)days.TheupdatedCRLispublishedatleast
weeklyinaDERformatontheCRLlocationmentionedinthisCPS.
4.9.8MaximumlatencyforCRLs(ifapplicable)
CRLsarepostedtotheCRLrepositorywithinonebusinessdayaftergeneration.
4.9.9Onlinerevocation/statuscheckingavailability
OCSPissupportedbytheGoogleInternetAuthority.TheOCSPresponderlocationis
includedinthecertificate,andis:
client1.google.com/ocsp
TheOCSPdataisupdatedatleasteveryfourdays,andhaveamaximumexpirationtime
oftendays.
4.9.10Onlinerevocationcheckingrequirements
Notapplicable.

4.9.11Otherformsofrevocationadvertisementsavailable
Notapplicable.
4.9.12Specialrequirementsuponkeycompromise
Inthecaseofacompromiseoftheprivatekeyusedtosigncertificates,subscribermust
immediatelynotifyGoogleInternetAuthoritythatthesubscriberscertificatehasbeen
compromised.GoogleInternetAuthoritywillrevokethesigningkey,andpublishaCRLto
makerelyingpartiesawarethatthecertificatesoffthissigningkeycannolongerbe
trusted.
Thesubscriberisresponsibleforinvestigatingthecircumstancesofanysuch
compromise.
4.9.13Circumstancesforsuspension
GoogleInternetAuthoritydoesnotsupportsuspensionofcertificates.
4.9.14Whocanrequestsuspension
Notapplicable.
4.9.15Procedureforsuspensionrequest
Notapplicable.
4.9.16Limitsonsuspensionperiod
Notapplicable.

4.10Certificatestatusservices
4.10.1Operationalcharacteristics
GoogleInternetAuthoritymaintainsaCRLrepositorywhichcanbeleveragedtovalidate
revocationofacertificate.
4.10.2Serviceavailability
CertificateStatusServicesareavailable24x7,unlesstemporarilyunavailabledueto
maintenanceorservicefailure.
4.10.3Optionalfeatures
Notapplicable.

4.11Endofsubscription
Subscribersmayendtheirsubscriptionby:
Requestingrevocationoftheircertificatesthroughwrittenrequestto
pkicontact@google.com,andmeetingallrequiredidentificationrequirementsas
documentedinsection3.4
Havingtheircertificatesexpireandnotrequestrenewal.

4.12Keyescrowandrecovery
GoogleInternetAuthoritydoesnotescrowprivatekeys.
4.12.1Keyescrowandrecoverypolicyandpractices
Notapplicable.
4.12.2Sessionkeyencapsulationandrecoverypolicyandpractices
Notapplicable.

5.FACILITY,MANAGEMENT,ANDOPERATIONAL
CONTROLS(11)
5.1Physicalcontrols
TheGoogleInternetAuthoritysystemsarelocatedandoperatedfromaGooglesecure
facility.Detailedsecurityproceduresareinplaceandfollowedthatprohibitunauthorized
accessandentryintotheareasofthefacilityinwhichtheGoogleInternetAuthority
facilitiesreside.
5.1.1Sitelocationandconstruction
GoogleInternetAuthoritysystemsarelocatedinaselectedsetoflocations,evaluatedfor
theirphysicalsecurity,aswellaslocallegalconsiderationsthatmayaffectoperationsof
theCertificateAuthority.
5.1.2Physicalaccess
TheGoogleInternetAuthorityhasinplaceappropriatephysicalsecuritycontrolsto
restrictaccesstoallhardwareandsoftware(includingtheserver,workstations,andany
externalcryptographichardwaremodulesortokens)usedinconnectionwithproviding
CAServices.Accesstosuchhardwareandsoftwareislimitedtothosepersonnel
performinginatrustedroleasdescribedinSection5.2.1.Accessiscontrolledthrough
theuseofelectronicaccesscontrols,mechanicalcombinationlocksets,deadbolts,or
othersecuritymechanisms.Suchaccesscontrolsaremanuallyorelectronically
monitoredforunauthorizedintrusionatalltimes.Onlyauthorizedpersonnelwillbe
allowedaccess,eitherphysicalorlogical,totheGoogleInternetAuthority.
TheGoogleInternetAuthorityserversarelocatedinsideofalockedcabinetorcagearea
inalockedserverroom.Accesstotheserverroomiscontrolledbybadgereaders.The
privatekeysfortheGoogleInternetAuthorityarestoredinhardwaresecuritymodules
thatareFIPS1402Level2thatarephysicallytamperevidentandtamperresistant.
5.1.3Powerandairconditioning
PowerandairconditioningareprovidedwithinGoogleInternetAuthorityfacilitiesto
ensurereliableoperationsoftheCertificateAuthority.
5.1.4Waterexposures

Nostipulation.
5.1.5Firepreventionandprotection
Nostipulation.
5.1.6Mediastorage
Nostipulation.
5.1.7Wastedisposal
TheGoogleInternetAuthorityhastakenreasonablestepstoensurethatallmediaused
forthestorageofinformationsuchaskeys,ActivationDataoritsfilesaresanitizedor
destroyedbeforereleasedfordisposal.
5.1.8Offsitebackup
GoogleInternetAuthoritymaintainsabackupfacilityfortheGIAinfrastructure.
Reasonablestepshavebeentakentoensurethatitsbackupfacilityhasequivalent
securityandcontrolstoitsprimaryfacility.

5.2Proceduralcontrols
TheGoogleInternetAuthorityserversandhardwaresecuritymodulesaremanagedby
GooglesInformationSecurityTeam.
5.2.1Trustedroles
AllGoogleInternetAuthoritypersonnelwhohaveaccesstoorcontrolovercryptographic
operationsthataffecttheissuance,use,andmanagementofCertificatesareconsidered
asservinginatrustedrole("TrustedRole").Suchpersonnelinclude,butarenotlimited
to,membersofGooglesInformationSecurityTeam.
5.2.2Numberofpersonsrequiredpertask
Nostipulation.
5.2.3Identificationandauthenticationforeachrole
Nostipulation.
5.2.4Rolesrequiringseparationofduties
Auditorsoftheinfrastructureandcertificateissuancemustbeindependentfromthe
operatorswhoapproveandissuecertificatesusingtheGoogleInternetAuthority.
Theauditorreviewingconformancewithpolicyandproceduresmustalsobeanexternal
entityindependentoftheCompany.

5.3Personnelcontrols
5.3.1Qualifications,experience,andclearancerequirements

TheGoogleInternetAuthoritywillenforceappropriatepersonnelandmanagement
policiessufficienttoprovidereasonableassuranceofthetrustworthinessand
competenceofitspersonnelandofthesatisfactoryperformanceoftheirdutiesina
mannerconsistentwiththisCPS.
AllpersonneloperatingtheGoogleInternetAuthoritymustbeemployeesofGoogle.
ContractorsorotherthirdpartieswillnotbeallowedtobeinTrustedRolesmaintaining
theGoogleInternetAuthority.
5.3.2Backgroundcheckprocedures
TheGoogleInternetAuthorityimplementsbackgroundchecksofitspersonnelin
accordancewithGooglepolicyforinformationsecurityroles.
5.3.3Trainingrequirements
PersonnelperformingdutiesintheoperationoftheGoogleInternetAuthorityareproperly
trainedintheirdutiesandmustannuallycompleteallrequirementsinvolvedin
maintaininganinformationsecurityrolewithGoogle.
5.3.4Retrainingfrequencyandrequirements
RetrainingmayoccurwhenaCAemployeesdutieschangebecausethatemployeewill
beperforminganewrole,whenanewsystemorproceduralupgradeisimplemented,or
forotherreasons,atthediscretionofthemanagementoftheGIACAPolicyAuthority.
5.3.5Jobrotationfrequencyandsequence
NoStipulation.
5.3.6Sanctionsforunauthorizedactions
TheGoogleInternetAuthoritywillimposesanctions,includingsuspensionand
terminationifappropriate,foritsemployeesactinginTrustedRolesiftheyperform
unauthorizedactions,abusetheirauthority,orforotherappropriatereasons,atthe
discretionofthemanagementoftheGoogleInternetAuthority.
5.3.7Independentcontractorrequirements
IndependentcontractorsmustmeetthesametrainingrequirementsasGoogleInternet
Authorityemployees.IndependentcontractorswillnotbeusedinTrustedRoles.
5.3.8Documentationsuppliedtopersonnel
NecessarytraininganddocumentationisprovidedtoGooglesemployeesinorderfor
themtosuccessfullyconducttheirjobresponsibilitiescompetently.

5.4Auditloggingprocedures
5.4.1Typesofeventsrecorded
TheGoogleInternetAuthorityanditsRAfunctionwillrecordsystemandCAapplication
events,andwillcreatecertificatemanagementlogsfromthedatacollectedin
accordancewithinternalauditprocedures.Thefollowingeventswillberecorded:

ApplicantandSubscriberevents
Requesttocreateacertificate.
Requesttorevokeacertificate.
Certificatelifecycleevents.
Keygeneration.
Keycompromisenotification.
Creationofacertificate.
Deliveryofacertificate.
Revocationofacertificate.
GenerationofaCertificateRevocationList.
GenerationofanOCSPresponse.
ActionsbyTrustedPersonnel
Logineventsanduseofidentificationandauthenticationmechanisms.
ChangestoCApolicies.
ChangestoCAkeys.
ConfigurationchangestotheCA.
TheGoogleInternetAuthoritywillcollecteventinformationandcreateCertificate
managementlogsusingautomatedandmanualpracticesandproceduresthatare
internaltotheGoogleInternetAuthority.
5.4.2Frequencyofprocessinglog
AuditlogswillbereviewedonanasneededbasisbytheGoogleInternetAuthority.
5.4.3Retentionperiodforauditlog
Auditlogswillbekeptforaperiodofatleastseven(7)years,orlongerifrequiredbylaw.
5.4.4Protectionofauditlog
Multiplecopiesarestoredofauditlogs,inaccordancewithappropriatephysicaland
logicalaccesscontrols.
5.4.5Auditlogbackupprocedures
Nostipulation.
5.4.6Auditcollectionsystem(internalvs.external)
Nostipulation.
5.4.7Notificationtoeventcausingsubject
EventsthataredeemedpotentialsecurityissuesinvolvingtheCertificateAuthority
infrastructurewillbeescalatedtoapermanentsecuritymonitoringteam.
5.4.8Vulnerabilityassessments
Nostipulation.

5.5Recordsarchival

Nostipulation.
5.5.1Typesofrecordsarchived
RecordstobearchivedarethosespecifiedinSection5.4.1.
5.5.2Retentionperiodforarchive
Archivedrecordsmustberetainedforatleastseven(7)years,orlongerasrequiredby
law.
5.5.3Protectionofarchive
Abackupofarchiveinformationismaintainedatadistinct,separatelocationwithsimilar
securityandavailabilityrequirements.
5.5.4Archivebackupprocedures
Backupandrecoveryproceduresexistandcanbeutilizedsothatacompletesetof
backupcopieswillbeavailableintheeventofthelossordestructionoftheprimary
archives.
5.5.5Requirementsfortimestampingofrecords
AllarchivedrecordswillbetimestampedbytheGoogleInternetAuthoritysnormal
loggingfacilities.Suchtimeinformationneednotbecryptographybased.
5.5.6Archivecollectionsystem(internalorexternal)
Nostipulation.
5.5.7Procedurestoobtainandverifyarchiveinformation
Nostipulation.

5.6Keychangeover
TheproceduretoprovideanewCACertificatetoaSubjectfollowingarekeyisthesame
astheprocedureforinitiallyprovidingtheCACertificate.

5.7Compromiseanddisasterrecovery
5.7.1IncidentandCompromiseHandlingProcedures
IfadisastercausestheGIACAtobecomeinoperative,Googlewillreinitiateits
operationsonreplacementhardwareatacomparable,securedfacilityafterensuringthe
integrityandsecurityoftheCAsystems.
5.7.2CorruptionofComputingResources,Software,and/orData
TheGoogleInternetAuthoritymaintainsabackupsiteinaremotelocationthatmirrorsits
primaryfacility,sothatifanysoftwareordataiscorrupteditcanberestoredfromthe
backupsiteviaasecureconnection.
Backupsofallrelevantsoftwareanddataaretakenonaregularbasisofbothsites
crosssigned.Theyarestoredoffsiteandcanelectronicallyberetrievedwhen

necessary.
5.7.3CompromiseofGoogleInternetAuthorityPrivateKey
IntheeventthatthePrivateKeyoftheGoogleInternetAuthorityiscompromised,its
CompanyCACertificatewillberevokedbytheGeoTrustRootCA.Thiswillcauseall
CertificatesissuedbytheGoogleInternetAuthoritytofailtovalidateduetotherevocation
ofanintermediateauthority.Insuchcase,theGoogleInternetAuthoritywill:
ImmediatelyceaseusingitsCompanyCACertificate
RevokeallCertificatessignedwiththePrivateKeythatcorrespondstothePublic
KeylistedintheRevokedCompanyCACertificate
TakecommerciallyreasonablestepstonotifyallSubscribersoftheRevocation
and
TakecommerciallyreasonablestepstocauseallSubscriberstoceaseusing,for
anypurpose,anysuchCertificates.
IftheRootCAthereafterissuesanewCompanyCACertificatetotheGoogleInternet
Authority,allCertificatesissuedbytheGoogleInternetAuthoritymaythenbereissued
followingtheprocedureforinitiallyprovidingthecertificate.
5.7.4Businesscontinuitycapabilitiesafteradisaster
Buildingsecurityandcontractedsecuritypersonnelwilluseallreasonablemeansto
monitortheGoogleInternetAuthorityfacilityafteranaturalorothertypeofdisasterto
protectagainstloss,additionaldamageto,andtheftofsensitivematerialsand
information.
TheGoogleInternetAuthorityhasinplaceadisasterrecovery/businessresumptionplan.
Thisplanincludesacompleteandperiodictestofreadinessforsuchfacility.

5.8CAorRATermination
WhenitisnecessarytoterminateoperationoftheGoogleInternetAuthority,theimpactof
theterminationistobeminimizedasmuchaspossibleinlightoftheprevailing
circumstances.Thisincludes:
ProvidingpracticableandreasonablepriornoticetoallSubscribers
Assistingwiththeorderlytransferofservice,andoperationalrecords,toa
successorCA,ifany
Preservingallrecordsforaminimumofone(1)yearorasrequiredbythis
CPS,whicheverislongerand
RevokingallCertificatesissuedbytheGoogleInternetAuthoritynolaterthan
atthetimeoftermination.
Ifcommerciallyreasonable,priornoticeoftheterminationoftheGoogleInternetAuthority
orRAwillbegivenatleast3monthsbeforetheterminationdate.

6.TECHNICALSECURITYCONTROLS
6.1Keypairgenerationandinstallation
6.1.1Keypairgeneration
KeyPairsfortheGoogleInternetAuthorityaregeneratedandinstalledinaccordancewith
thecontractbetweenGoogleandtheGeoTrust,Inc.,theRootCA.TheKeyPairis
generatedinsideofaFIPS1402Level2certifiedHardwareSecurityModuleandthe
privatekeycannotbeextractedfromtheHSMinplaintext.
SubscriberKeyPairsaregenerated(i)bytheSubscriberbysoftwaresuppliedbytheir
device/operatingsystem,or(ii)byanauthorizedmemberofGooglesInformation
SecurityTeam.
6.1.2Privatekeydeliverytosubscriber
Ifapplicable,PrivateKeysaredeliveredtoSubscribersinasecuremannerin
accordancewithapplicableGooglepolicyontransferringconfidentialinformation.
6.1.3Publickeydeliverytocertificateissuer
SubscribersprovidetheirpublickeytoGoogleforcertificationthroughaPKCS#10
CertificateSigningRequest.Thepreferredtransfermethodforsendingthisinformationis
HTTPoverSecureSocketsLayer(SSL).
6.1.4CApublickeydeliverytorelyingparties
TheGoogleInternetAuthoritypublickeyissignedbyGeoRoot,andisthusautomatically
trustedbyapplicationsthatincorporatetheGeoRootrootcertificate.TheGoogleInternet
Authorityprovidesinformationtoapplicantsonhowtointegrateandservethecertificate
chain,whichaccommodatesdeliverytorelyingparties.
GooglealsomakesavailableitsCApublickeyfromouronlineCRL/CPSrepository.
6.1.5Keysizes
Keypairsmustalwaysbeofsufficientsizetopreventcryptanalyticattacksonencrypted
communications.GoogleInternetAuthorityadhereswithNISTrecommendationson
cryptographicprotocols,andintendstoadhereorexceedthoserecommendationsfor
anyfuturechangesthatmayapply.
TheGoogleInternetAuthorityCAkeysareaminimumof2048bitRSAkeys.
Subscribersuseaminimumof2048bitRSAkeys.SeeAppendixBfordetailsonthe
cryptographicconsiderationsofGoogleInternetAuthoritysubscriberkeys.
6.1.6Publickeyparametersgenerationandqualitychecking
Nostipulation.

6.1.7Keyusagepurposes(asperX.509v3keyusagefield)
Nostipulation.

6.2PrivateKeyProtectionandCryptographicModuleEngineering
Controls
6.2.1Cryptographicmodulestandardsandcontrols
AllCAprivatekeysusedtosigncertificates,CRLs,oranyrelatedinformationleverage
hardwaresecuritymodulesmeetingFIPS1402Level2andCommonCriteriaEAL4+
securityspecifications.Cryptographyleveragedtoprotectthisinformationisselectedto
withstandcryptanalyticattacksforthelifetimeoftheencryptedkey.
6.2.2Privatekey(noutofm)multipersoncontrol
AllCertificateAuthorityKeyPairsaregeneratedinpreplannedkeygeneration
ceremonies.Uponfinalizationoftheceremony,allindividualsinvolvedsignoffonthe
successfulcompletionofthescript,andthoroughlydescribeanyexceptionsthatmay
havebeenappliedintheprocess.
RecordsaremaintainedbyGoogleatleastforthelifetimeofthekeypair.
6.2.3Privatekeyescrow
GoogleInternetAuthorityCAPrivateKeysarenotescrowed.
6.2.4Privatekeybackup
BackupsoftheCAPrivateKeyaremaintainedinaphysicallysecurelocation,andare
neverstoredunencryptedoutsideofHardwareSecurityModules(HSMs).Backupsare
storedinasecuremannerinaccordancewithapplicableGooglepolicy.
6.2.5Privatekeyarchival
Nostipulation.
6.2.6Privatekeytransferintoorfromacryptographicmodule
Thisprocessoccursfollowingproceduresthatmeettheprocessdescribedbythe
cryptographicmodulevendor.
6.2.7Privatekeystorageoncryptographicmodule
Thisprocessoccursfollowingproceduresthatmeettheprocessdescribedbythe
cryptographicmodulevendor.
6.2.8Methodofactivatingprivatekey
Thisprocessoccursfollowingproceduresthatmeettheprocessdescribedbythe
cryptographicmodulevendor.

6.2.9Methodofdeactivatingprivatekey
Thisprocessoccursfollowingproceduresthatmeettheprocessdescribedbythe
cryptographicmodulevendor.
6.2.10Methodofdestroyingprivatekey
Thisprocessoccursfollowingproceduresthatmeettheprocessdescribedbythe
cryptographicmodulevendor,inadditiontoapplicableGooglepolicyondestructionof
highlyconfidentialGoogleinformation.
6.2.11CryptographicModuleRating
Seesection6.2.1.

6.3Otheraspectsofkeypairmanagement
6.3.1Publickeyarchival
Nostipulation.
6.3.2Certificateoperationalperiodsandkeypairusageperiods
Certificatesarevalidstartingatthemomentofsigning,unlessotherwisespecifiedinthe
certificatevaliditystructure,untiltheendnotedinthecertificateexpirationtime.Google
InternetAuthorityissuessubscribercertificatesforaperiodofoneyearorless.

6.4Activationdata
HSMkeysarestoredintheHardwareSecurityModule,andcanonlybeleveragedby
authorizedCAadministratorsuponauthentication.Passphrasesrequiredtounlockthe
keysarestoredinanencryptedfashion.Physicalactivationdatasuchassmartcards,
whenapplicable,arestoredinaprotectedandsecuredenvironment.
6.4.1Activationdatagenerationandinstallation
Nostipulation.
6.4.2Activationdataprotection
Nostipulation.
6.4.3Otheraspectsofactivationdata
Nostipulation.

6.5Computersecuritycontrols
6.5.1Specificcomputersecuritytechnicalrequirements
GoogleInternetAuthorityCAsysteminformationisprotectedfromunauthorizedaccess
eitherthroughprotectionsprovidedbyitsoperatingsystem,orthroughacombinationof
operatingsystem,physicalsafeguards,andnetworksafeguards.Networksecurity
controlsarespecifiedinSection6.7.

6.5.2Computersecurityrating
Nostipulation.

6.6Lifecycletechnicalcontrols
6.6.1Systemdevelopmentcontrols
TheGoogleInternetAuthorityusessoftwarethathasbeenformallytestedforsuitability
andfitnessforpurpose.Hardwareisprocuredthroughamanagedprocessleveraging
industrystandardvendors.
6.6.2Securitymanagementcontrols
Nostipulation.
6.6.3Lifecyclesecuritycontrols
Systemsecuritymanagementiscontrolledbytheprivilegesassignedtoitsoperating
systemaccounts,andbytheTrustedRolesdescribedinthisCPS.

6.7Networksecuritycontrols
TheGoogleInternetAuthorityCAserversarelocatedbehindhardwarefirewalldevices
thatrestrictaccessonlytotheinternalGooglecorporatenetwork,andonlytoportsused
formanagingtheGoogleInternetAuthorityCAandissuingCertificates.

6.8Timestamping
Alllogswillcontainsynchronizedtimestamps.

7.CERTIFICATE,CRL,ANDOCSPPROFILES
7.1Certificateprofile
GoogleCertificatesconformtoRFC5280,InternetX.509PublicKeyInfrastructure
CertificateandCRLProfile.Certificateextensionsandtheircriticality,aswellas
cryptographicalgorithmobjectidentifiers,arepopulatedaccordingtotheIETFRFC5280
standards.
IncaseswherestipulationsofRFC5280andtheapplicableCA/BrowserForumBaseline
Requirementsdiffer,theBaselineRequirementsnotionwillbeadheredto.
7.1.1Versionnumber(s)
EndentitycertificatesissuedbytheGoogleInternetAuthoritywillbeX.509Version3.
7.1.2Certificateextensions
Nostipulation.
7.1.3Algorithmobjectidentifiers

Nostipulation.
7.1.4Nameforms
Nostipulation.
7.1.5Nameconstraints
Nostipulation.
7.1.6Certificatepolicyobjectidentifier
ThecertificatesissuedbytheGoogleInternetAuthoritycontainaPolicyIdentifierwhich
identifiestheuseofthisCPSasthegoverningpolicyforcertificateissuance.
7.1.7UsageofPolicyConstraintsextension
ThePolicyConstraintsextensionshallbeempty.
7.1.8Policyqualifierssyntaxandsemantics
Nostipulation.
7.1.9ProcessingsemanticsforthecriticalCertificatePoliciesextension
Nostipulation.

7.2CRLprofile
CRLsissuedbytheGoogleInternetAuthorityconformtoRFC5280standards.
7.2.1Versionnumber(s)
Nostipulation.
7.2.2CRLandCRLentryextensions
Nostipulation.

7.3OCSPprofile
TheGoogleInternetAuthoritysupportsOCSP,anditsrespondersconformtotheRFC
2560standard.WeidentifytheOCSPresponderwithintheAuthorityInformationAccess
(AIA)extensionviaanOCSPresponderURL.Theresponderdoesnotrespondwitha
goodstatusoncertificateswhichhavenotbeenissued.
7.3.1Versionnumber(s)
Nostipulation.
7.3.2OCSPextensions
Nostipulation.

8.ComplianceAuditandOtherAssessments
8.1FrequencyandCircumstancesofAssessment

ComplianceAuditsareconductedatleastannually.

8.2Identity/QualificationofAssessor
GoogleInternetAuthoritycomplianceauditsareperformedbyapublicaccountingfirm
thatdemonstratesproficiencyinpublickeyinfrastructuretechnology,andisaccredited
bytheAmericanInstituteofCertifiedPublicAccountants(AICPA).

8.3AssessorsRelationshiptoAssessedEntity
ComplianceauditsofGoogleInternetAuthorityareperformedbyapublicaccountingfirm
thatisindependentofGoogle.

8.4TopicsCoveredbyAssessment
ThecomplianceauditoftheGoogleInternetAuthorityincludesvalidationofrelevant
controlstosupporttheproperoperationoftheGoogleInternetAuthority,basedonthe
WebTrustforCertificateAuthoritiesandCA/BrowserForumBaselineRequirements
standards.

8.5ActionsTakenasaResultofDeficiency
SignificantdeficienciesidentifiedduringtheComplianceAuditwillresultina
determinationofactionstobetakenbyGoogleInternetAuthoritymanagement.These
decisionsaremadewithinputfromtheauditor,andimplementedwithinacommercially
reasonableperiodoftime.

8.6CommunicationsofResults
Acopyofthethirdpartyauditor'sstatementwillbeprovidedtoappropriatetrustprograms
whenrequiredbythemtosupporttrustintheGoogleInternetAuthority.

9.OTHERBUSINESSANDLEGALMATTERS
9.1Fees
9.1.1Certificateissuanceorrenewalfees
GoogleInternetAuthoritymaychargeSubscribersfortheissuance,managementand
renewalofCertificates.GoogleInternetAuthoritywillneverchargefortherevocationof
previouslyissuedcertificates.
9.1.2Certificateaccessfees
GoogleInternetAuthoritymaychargeareasonablefeeforaccesstoitsCertificate
databases.
9.1.3Revocationorstatusinformationaccessfees
GoogleInternetAuthoritydoesnotchargeafeeasaconditionofmakingtheCRLs
requiredbythisCPSavailableinaRepositoryorotherwiseavailabletoRelyingParties.
GoogleInternetAuthoritymaychargeafeeforprovidingcustomizedCRLs,OCSP
services,orothervalueaddedrevocationandstatusinformationservices.Google
InternetAuthoritydoesnotpermitaccesstorevocationinformation,Certificatestatus

information,ortimestampinginitsRepositorybythirdpartiesthatprovideproductsor
servicesthatutilizesuchCertificatestatusinformationwithoutGoogleInternetAuthoritys
priorexpresswrittenconsent.
9.1.4Feesforotherservices
GoogleInternetAuthoritydoesnotchargeafeeforaccesstothisCPS.Anyusemadefor
purposesotherthansimplyviewingthedocument,suchasreproduction,redistribution,
modification,orcreationofderivativeworks,shallbesubjecttoalicenseagreementwith
theentityholdingthecopyrighttothedocument.
9.1.5Refundpolicy
Nostipulation.

9.2Financialresponsibility
9.2.1Insurancecoverage
GoogleInternetAuthoritymaintainsgeneralliabilityinsurancecoverage.
9.2.2Otherassets
Nostipulation.
9.2.3Insuranceorwarrantycoverageforendentities
Nostipulation.

9.3Confidentialityofbusinessinformation
Nostipulation.
9.3.1Scopeofconfidentialinformation
Nostipulation.
9.3.2Informationnotwithinthescopeofconfidentialinformation
Nostipulation.
9.3.3Responsibilitytoprotectconfidentialinformation
Nostipulation.
9.4Privacyofpersonalinformation
Googlemaintainsresourcesdescribingitsprivacypolicyat:
http://www.google.com/policies/privacy/

9.5Intellectualpropertyrights
Google,oritslicensors,owntheintellectualpropertyrightsinGoogleInternetAuthoritys

services,includingtheCertificates,trademarksusedinprovidingCertificateservicesand
thisCPS.
CertificateandrevocationinformationaretheexclusivepropertyofGoogle.Googlegrants
permissiontoreproduceanddistributecertificatesonanonexclusiveandroyaltyfree
basis,providedthattheyarereproducedanddistributedinfull.Googledoesnotallow
derivativeworksofitsCertificatesorproductswithoutpriorwrittenpermission.
PrivateandPublicKeysremainthepropertyoftheSubscriberswhorightfullyholdthem.
Allsecretshares(distributedelements)oftheGooglePrivateKeysarethepropertyof
Google.

9.6Representationsandwarranties
9.6.1CArepresentationsandwarranties
9.6.1.1Limitedwarranty

GoogleInternetAuthorityprovidesthefollowinglimitedwarrantytotheCertificate
BeneficiariesatthetimeofCertificateissuance:(a)itissuedtheCertificatesubstantially
incompliancewiththisCPSb)theinformationcontainedwithintheCertificateaccurately
reflectstheinformationprovidedtoGoogleInternetAuthoritybytheApplicantinall
materialrespectsand(c)ithastakenreasonablestepstoverifythattheinformation
withintheCertificateisaccurate.ThestepsGoogleInternetAuthoritytakestoverifythe
informationcontainedinaCertificatearesetforthinthisCPS.
9.6.1.2CABFWarrantiesandObligations

DomainvalidatedandorganizationvalidatedSSLCertificatesconformtothe
CA/BrowserForumBaseline(CABF)requirements.ByissuingsuchaCertificate,
GoogleInternetAuthorityrepresentsandwarrantstotheCertificateBeneficiariesthat,
duringtheperiodwhentheCertificateisvalid,GoogleInternetAuthorityhascompliedwith
thissectionanditsCPSinissuingandmanagingtheCertificate.
TheCertificatewarrantiestoCertificateBeneficiariesareasfollows::
1.RighttoUseDomainNameorIPAddress:That,atthetimeofissuance,Google
InternetAuthority(i)implementedaprocedureforverifyingthattheApplicanteither
hadtherighttouse,orhadcontrolof,thedomainname(s)andIPaddress(es)listed
intheCertificatessubjectfieldandsubjectAltNameextension(or,onlyinthecaseof
domainnames,wasdelegatedsuchrightorcontrolbysomeonewhohadsuchrightto
useorcontrol)(ii)followedtheprocedurewhenissuingtheCertificateand(iii)
accuratelydescribedtheprocedureinthisCPS
2.AuthorizationforCertificate:That,atthetimeofissuance,GoogleInternetAuthority(i)
implementedaprocedureforverifyingthattheSubjectauthorizedtheissuanceofthe
CertificateandthattheApplicantisauthorizedtorequesttheCertificateonbehalfofthe
Subject(ii)followedtheprocedurewhenissuingtheCertificateand(iii)accurately
describedtheprocedureinthisCPS

3.AccuracyofInformation:That,atthetimeofissuance,GoogleInternetAuthority
(i)implementedaprocedureforverifyingtheaccuracyofalloftheinformation
containedintheCertificate(withtheexceptionofthesubject:organizationalUnitName
attribute)(ii)followedtheprocedurewhenissuingtheCertificateand(iii)accurately
describedtheprocedureinthisCPS
4.NoMisleadingInformation:That,atthetimeofissuance,GoogleInternetAuthority(i)
implementedaprocedureforreducingthelikelihoodthattheinformationcontainedinthe
Certificatessubject:organizationalUnitNameattributewouldbemisleading(ii)followed
theprocedurewhenissuingtheCertificateand(iii)accuratelydescribedtheprocedurein
thisCPS
5.IdentityofApplicant:That,iftheCertificatecontainsSubjectidentityinformation,
GoogleInternetAuthority(i)implementedaproceduretoverifytheidentityofthe
ApplicantinaccordancewithSections3.1.1.1and3.2.2.1(ii)followedtheprocedure
whenissuingtheCertificateand(iii)accuratelydescribedtheprocedureinthisCPS
6.SubscriberAgreement:That,ifSubscriberisnotaGoogleAffiliate,theSubscriber
andGoogleInternetAuthorityarepartiestoalegallyvalidandenforceable
SubscriberAgreementthatsatisfiestherequirementsofthissection,or,ifSubscriberis
aGoogleAffiliate,theApplicantacknowledgedandacceptedGoogleInternetAuthoritys
Certificatetermsofuse,noticeofwhichisprovidedbyGoogleInternetAuthorityto
ApplicantduringtheCertificateissuanceprocess
7.Status:ThatGoogleInternetAuthoritymaintainsa24x7publiclyaccessible
Repositorywithcurrentinformationregardingthestatus(validorrevoked)ofall
unexpiredCertificatesand
8.Revocation:ThatGoogleInternetAuthoritywillrevoketheCertificateforanyofthe
reasonsspecifiedinthissection.
9.6.2RArepresentationsandwarranties
RAswarrantthat:(a)therearenomaterialmisrepresentationsoffactintheCertificate
knownororiginatingfromtheentitiesapprovingtheCertificateapplicationorissuingthe
Certificate(b)therearenoerrorsintheinformationintheCertificatethatwere
introducedbyentitiesapprovingtheCertificateapplicationasaresultofafailureto
providereasonablecareinmanagingtheCertificateapplication(c)theirCertificates
meetallmaterialrequirementsofthisCPSand(d)revocationservices(when
applicable)anduseofaRepositorycomplywiththisCPSinallmaterialaspects.
SubscriberAgreementsmayincludeadditionalrepresentationsandwarranties.
9.6.3Subscriberrepresentationsandwarranties
Nostipulation.
9.6.4Relyingpartyrepresentationsandwarranties
RelyingPartiesrepresentandwarrantthat:(a)theyhaveread,understandandagreeto
thisCPS(b)theyhaveverifiedboththeGoogleInternetAuthorityCertificateandany

othercertificatesinthecertificatechainusingtherelevantCRLorOCSP(c)theywillnot
useaCertificateiftheCertificatehasexpiredorbeenrevoked(d)theyhavesufficient
informationtomakeaninformeddecisionastotheextenttowhichtheychoosetorelyon
theinformationinaCertificate(c)theyhavestudiedtheapplicablelimitationsonthe
usageofCertificatesandagreetoGoogleInternetAuthorityslimitationsonliabilityrelated
totheuseofCertificates(d)
theyaresolelyresponsiblefordecidingwhetherornottorelyoninformationina
Certificateand(e)theyaresolelyresponsibleforthelegalandotherconsequencesof
theirfailuretoperformtheRelyingPartyobligationsinthisCPS.
RelyingPartiesalsorepresentandwarrantthattheywilltakeallreasonablestepsto
minimizetheriskassociatedwithrelyingonadigitalsignature,includingonlyrelyingona
Certificateafterconsidering:
1.Applicablelawandthelegalrequirementsforidentificationofaparty,protectionofthe
confidentialityorprivacyofinformation,andenforceabilityofthetransaction
2.TheintendeduseoftheCertificateaslistedintheCertificateorthisCPS
3.ThedatalistedintheCertificate
4.Theeconomicvalueofthetransactionorcommunication
5.Thepotentiallossordamagethatwouldbecausedbyanerroneousidentification
oralossofconfidentialityorprivacyofinformationintheapplication,transaction,or
communication
6.TheRelyingPartyspreviouscourseofdealingwiththeSubscriber
7.TheRelyingPartysunderstandingoftrade,includingexperiencewithcomputerbased
methodsoftradeand
8.AnyotherindiciaofreliabilityorunreliabilitypertainingtotheSubscriberand/orthe
application,communication,ortransaction.
9.6.5Representationsandwarrantiesofotherparticipants
Nostipulation.

9.7Disclaimersofwarranties
EXCEPTASEXPRESSLYSTATEDINSECTION9.6.1OFTHISCPS,ALL
CERTIFICATESANDANYRELATEDSOFTWAREANDSERVICESAREPROVIDED
"ASIS"ANDASAVAILABLE.TOTHEMAXIMUMEXTENTPERMITTEDBYLAW,
GOOGLEINTERNETAUTHORITYDISCLAIMSALLOTHERWARRANTIES,BOTH
EXPRESSANDIMPLIED,INCLUDING,WITHOUTLIMITATION,ANYIMPLIED
WARRANTYOFMERCHANTABILITY,ANYWARRANTYOFFITNESSFORA
PARTICULARPURPOSEANDANYWARRANTYOFACCURACYOFINFORMATION
PROVIDEDWITHRESPECTTOCERTIFICATESISSUED

BYGOOGLE,THECRL,ANDANYPARTICIPANTSORTHIRDPARTYS
PARTICIPATIONINTHEGOOGLEPKI,INCLUDINGUSEOFKEYPAIRS,
CERTIFICATES,THECRLORANYOTHERGOODSORSERVICESPROVIDEDBY
GOOGLETOTHEPARTICIPANT.
EXCEPTASEXPRESSLYSTATEDINSECTION9.6.1OFTHISCPS,GOOGLE
INTERNETAUTHORITYDOESNOTWARRANTTHATANYSERVICEORPRODUCT
WILLMEETANYEXPECTATIONSORTHATACCESSTOCERTIFICATESWILLBE
TIMELYORERRORFREE.
GoogleInternetAuthoritydoesnotguaranteetheavailabilityofanyproductsorservices
andmaymodifyordiscontinueanyproductorserviceofferingatanytime.Afiduciary
dutyisnotcreatedsimplybecauseanindividualorentityusesGoogleInternetAuthoritys
services.

9.8Limitationsofliability
TOTHEEXTENTPERMITTEDBYAPPLICABLELAW,GOOGLESHALLNOTBE
LIABILEFORANYDIRECT,INDIRECT,SPECIAL,INCIDENTAL,CONSEQUENTIAL,
EXEMPLARYORPUNITIVEDAMAGES,INCLUDINGBUTNOTLIMITEDTODAMAGES
FORLOSTDATA,LOSTPROFITS,LOSTREVENUEORCOSTSOF
PROCUREMENTOFSUBSTITUTEGOODSORSERVICES,HOWEVERCAUSED
ANDUNDERANYTHEORYOFLIABILITY,INCLUDINGBUTNOTLIMITEDTO
CONTRACTORTORT(INCLUDINGPRODUCTSLIABILITY,STRICTLIABILITYAND
NEGLIGENCE),ANDWHETHERORNOTITWAS,ORSHOULDHAVEBEEN,AWARE
ORADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGEANDNOTWITHSTANDING
THEFAILUREOFESSENTIALPURPOSEOFANYLIMITEDREMEDYSTATED
HEREIN.GOOGLE'SAGGREGATELIABILITYUNDERTHISCPSISLIMITEDTO$500

9.9Indemnities
9.9.1Bysubscriber
Nostipulation.
9.9.2Byrelyingparties
Totheextentpermittedbyapplicablelaw,RelyingPartiesshallindemnifyGooglefortheir:
(a)violationofanyapplicablelaw(b)breachofrepresentationsandobligationsasstated
inthisCPS(c)relianceonaCertificatethatisnotreasonableunderthecircumstances
or(d)failuretocheckthestatusofsuchCertificatetodetermineiftheCertificateis
expiredorrevoked.

9.10Termandtermination
9.10.1Term
TheCPSbecomeseffectiveuponpublicationintheRepository.Amendmentstothis
CPSbecomeeffectiveuponpublicationintheRepository.

9.10.2Termination
ThisCPSandanyamendmentsremainineffectuntilreplacedbyanewerversion.
9.10.3Effectofterminationandsurvival
UponterminationofthisCPS,Participantsareneverthelessboundbyitstermsforall
CertificatesissuedfortheremainderofthevalidityperiodsofsuchCertificates.

9.11Individualnoticesandcommunicationswithparticipants
Unlessotherwisespecifiedbyagreementbetweentheparties,Participantsshalluse
commerciallyreasonablemethodstocommunicatewitheachother,takingintoaccount
thecriticalityandsubjectmatterofthecommunication.

9.12Amendments
9.12.1Procedureforamendment
GoogleInternetAuthoritymaychangethisCPSatanytimeinitssolediscretionand
withoutpriornoticetoSubscribersorRelyingParties.TheCPSandanyamendments
theretoareavailableintheRepository.AmendmentstothisCPSwillbeevidencedbya
newversionnumberanddate,exceptwheretheamendmentsarepurelyclerical.
9.12.2Notificationmechanismandperiod
GoogleInternetAuthoritymayprovideadditionalnotice(suchasintheRepositoryorona
separatewebsite)intheeventthatitmakesanymaterialchangestoitsCPS.Google
InternetAuthorityisresponsiblefordeterminingwhatconstitutesamaterialchangeofthe
CPS.GoogleInternetAuthoritydoesnotguaranteeorsetanoticeandcommentperiod.
9.12.3CircumstancesunderwhichOIDmustbechanged
Nostipulation.

9.13Disputeresolutionprovisions
Nostipulation

9.14Governinglaw
ThisCPSisgovernedbythelawsoftheStateofCaliforniaoftheUnitedStatesof
America,excluding(i)itschoiceoflawsprinciples,and(ii)theUnitedNationsConvention
onContractsfortheInternationalSaleofGoods.AllParticipantsherebysubmittothe
exclusivejurisdictionandvenueofthefederalorstatecourtsinSantaClaraCounty,
California.

9.15Compliancewithapplicablelaw
ThisCPSissubjecttoapplicablenational,state,localandforeignlaws,rules,
regulations,ordinances,decrees,andordersincluding,butnotlimitedto,restrictionson
exportingorimportingsoftware,hardware,ortechnicalinformation.Googlelicensesits
CAsineachjurisdictionthatitoperateswherelicensingisrequiredbythelawofsuch

jurisdictionfortheissuanceofCertificates.

9.16Miscellaneousprovisions
9.16.1Entireagreement
Nostipulation.
9.16.2Assignment
RelyingPartiesandSubscribersmaynotassigntheirrightsorobligationsunderthis
CPS,byoperationoflaworotherwise,withoutGooglespriorwrittenapproval.Anysuch
attemptedassignmentshallbevoid.Subjecttotheforegoing,thisCPSshallbebinding
uponandinuretothebenefitofthepartieshereto,theirsuccessorsandpermitted
assigns.
9.16.3Severability
IfanyprovisionofthisCPSshallbeheldtobeinvalid,illegal,orunenforceable,the
validity,legality,orenforceabilityoftheremainderofthisCPSshallnotinanywaybe
affectedorimpairedhereby.
9.16.4Enforcement(attorneys'feesandwaiverofrights)
Googlemayseekindemnificationandattorneys'feesfromapartyfordamages,losses,
andexpensesrelatedtothatparty'sconduct.Googlesfailuretoenforceaprovisionof
thisCPSdoesnotwaiveGooglesrighttoenforcethesameprovisionlaterorrightto
enforceanyotherprovisionofthisCPS.Tobeeffective,waiversmustbeinwritingand
signedbyGoogle.
9.16.5ForceMajeure
Googleshallnotbeliableforanydefaultordelayintheperformanceofitsobligations
hereundertotheextentandwhilesuchdefaultordelayiscaused,directlyorindirectly,by
fire,flood,earthquake,elementsofnatureoractsofGod,actsofwar,terrorism,riots,
civildisorders,rebellionsorrevolutionsintheUnitedStates,strikes,lockouts,orlabor
difficultiesoranyothersimilarcausebeyondthereasonablecontrolofGoogle.

9.17Otherprovisions
Nostipulation.

AppendixA
DefinitionsandAcronyms
ActivationData:Data,otherthankeys,thatisrequiredtoaccessoroperate
cryptographicmodules(e.g.,apassphraseoraPersonalIdentificationNumberor"PIN").
Applicant:Anindividualthatrequeststheissuance,renewal,rekey,orrevocationofa
GoogleCertificateonbehalfofanentity(i.e.,GoogleoraGoogleAffiliate),orwhere
authorized,onbehalfofhimselforherself.
ApplicationSoftwareSupplier:AsupplierofInternetbrowsersoftwareorother
relyingpartyapplicationsoftwarethatdisplaysorusesCertificatesandincorporatesRoot
Certificates.
CA:SeeCertificationAuthority.
CAServices:ServicesprovidedbytheGoogleInternetAuthorityunderthisCPSrelating
tothecreation,issuance,ormanagementofCertificates.
Certificate:AdigitallysignedelectronicrecordissuedwithintheGooglePKIthat:(i)
identifiestheGoogleInternetAuthorityissuingtheCertificateasthe"Organization(o)"in
theCertificate's"IssuerDistinguishedName"field(ii)identifiestheOrganizationtowhich
theCertificateisissuedasthe"Organization(o)"intheCertificate's"Subject"field(iii)
uniquelyidentifiestheSubjectasthe"CommonName(cn)"inthe"Subject"fieldofthe
Certificate(iv)containsthePublicKeyassociatedwiththeSubjectand(v)statesthe
CertificatesOperationalPeriod.AlsoreferredtoasaGoogleCertificate.
CertificationAuthority(CA):Generally,anorganizationthatisresponsibleforthe
creation,issuanceandmanagementofcertificates.IntheGooglePKI,Google,actingin
itscapacityastheGoogleInternetAuthority,istheCertificationAuthority.Alsoreferredto
inthisCPSastheCA.
ClientAuthenticationCertificate:ACertificateintendedtobeissuedtoindividuals(as
wellasdevicesnotactinginthecapacityofaserver),solelyforthepurposeofidentifying
thattheholderofthePrivateKeyisinfacttheindividualordevicenamedinthe
Certificatessubjectfield.
Certificates:TheCertificatesthattheGoogleInternetAuthorityisauthorizedtoissueby
thisCPS.SeeCertificate.
CertificateBeneficiaries:anyofthefollowingparties:
(i)allApplicationSoftwareSupplierswithwhomtheRootCAhasenteredintoacontract
forinclusionofitsRootCertificateinsoftwaredistributedbysuchApplicationSoftware
Supplierand
(ii)allRelyingPartieswhoreasonablyrelyonavalidCertificate.
CertificationPracticesStatement(CPS)Thisdocument.
CertificateRevocationList(CRL):AregularlyupdatedlistofrevokedGoogle
CertificatesthatiscreatedanddigitallysignedbytheGoogleInternetAuthoritythat
originallyissuedtheCertificateslistedinsuchCRL.
CompanyCACertificate:ThesingleCACertificatesignedbytheGeoTrustRoot

CertificateandissuedtotheGoogleInternetAuthoritybytheGeoTrustRootCAsolelyto
enablevalidationoftheGoogleInternetAuthoritysPublicKey.ThisCertificatecontains
thePublicKeythatcorrespondstothePrivateKeythattheGoogleInternetAuthorityuses
tosigntheGoogleCertificatesitissuestoSubscribers.SeeSection1.3.1.1.
GeoTrustRootCertificate:TheEquifaxSecureCACertificateAuthoritycertificatewith
anexpirationdateofAugust22,2018issuedbyGeoTrustandwhichhasbeencreated
usingaspecialKeyPairwhichcertificatebindsGeoTrustsnameasissuertothepublic
keycontainedinthecertificate.
Google:GoogleInc.,aDelawarecorporation.
GoogleAffiliate:AcompanyinwhichGoogleInc.ownsamajorityinterest.
GoogleInternetAuthority:Google,actinginitscapacityastheCAauthorizedbythis
CPS.SeealsoCertificationAuthority.
GooglePKI:TheGooglePublicKeyInfrastructureestablished,operatedand
maintainedbyGoogleinaccordancewiththisCPS.
I&A:SeeIdentificationandAuthentication.
IdentificationandAuthentication(I&A):Theprocessforascertainingandconfirming
throughappropriateinquiryandinvestigationtheidentityandauthorityofapersonor
entity.SeeSection3.2
IncorporatingAgency:Thegovernmentagencyinthejurisdictioninwhichanentityis
incorporatedunderwhoseauthoritythelegalexistenceoftheentitywasestablished(e.g.,
thegovernmentagencythatissuedtheCertificateofIncorporation).
InformationSecurityTeam:EmployeesofGoogleholdingthepositionofSecurity
EngineerorbelongingtotheSecurityOperationsteam.
KeyPair:Twomathematicallyrelatednumbers,referredtoasaPublicKeyandits
correspondingPrivateKey,possessingpropertiessuchthat:(i)thePublicKeymaybe
usedtoverifyaDigitalSignaturegeneratedbythecorrespondingPrivateKeyand/or(ii)
thePublicKeymaybeusedtoencryptanelectronicrecordthatcanbedecryptedonlyby
usingthecorrespondingPrivateKey.
OperationalPeriod:TheintendedtermofvalidityofaGoogleCertificate,including
beginningandendingdates.TheOperationalPeriodisindicatedintheGoogle
Certificate's"Validity"field.SeealsoExpire.
Participants:ThepersonsauthorizedtoparticipateintheGooglePKI,asidentifiedin
Section1.3.ThistermincludestheGoogleInternetAuthority,andeachSubscriberand
RelyingPartyoperatingundertheauthorityoftheGooglePKI.
PrivateKey:ThekeyofaKeyPairthatmustbekeptsecretbytheholderoftheKey
Pair,andthatisusedtogeneratedigitalsignaturesand/ortodecryptelectronicrecords
thatwereencryptedwiththecorrespondingPublicKey.
PublicKey:ThekeyofaKeyPairthatisintendedtobepubliclysharedwithrecipients
ofdigitallysignedelectronicrecordsandthatisusedbysuchrecipientstoverifyDigital
SignaturescreatedwiththecorrespondingPrivateKeyand/ortoencryptelectronic
recordssothattheycanbedecryptedonlywiththecorrespondingPrivateKey.
PublicKeyCryptography:Atypeofcryptography,alsoknownasasymmetric

cryptography,thatusesauniqueKeyPairinamannersuchthatthePrivateKeyofthat
KeyPaircandecryptanelectronicrecordencryptedwiththePublicKey,orcangenerate
adigitalsignature,andthecorrespondingPublicKey,toencryptthatelectronicrecordor
verifythatDigitalSignature.
PublicKeyInfrastructure(PKI):Asetofhardware,software,people,procedures,
rules,policies,andobligationsusedtofacilitatethetrustworthycreation,issuance,
management,anduseofCertificatesandkeysbasedonPublicKeyCryptography.
RA:SeeRegistrationAuthority.
RegistrationAuthority(RA):Anentitythatisresponsibleforidentificationand
authenticationofcertificatesubjects,butthatdoesnotsignorissuecertificates(i.e.,an
RAisdelegatedcertaintasksonbehalfofaCA).ArolewithintheGooglePKI,underthe
authorityoftheGoogleInternetAuthoritythatadministerstheRegistrationProcessand
processesrequestsforCertificateReissuanceandRevocation.
RegistrationProcess:Theprocess,administeredbytheCAoranRA,thata
SubscriberusestoapplyforandobtainaGoogleCertificate.
Reissuance:TheprocessofacquiringanewGoogleCertificateandassociatedKey
PairtoreplaceanexistingGoogleCertificateandassociatedKeyPair,priortothe
ExpirationoftheexistingGoogleCertificateandassociatedKeyPair'sOperational
Period.
RelyingParty:ArecipientofaCertificatewhoactsinrelianceontheCertificateand/or
digitalsignaturesverifiedusingtheCertificate.
Repository:AnonlineaccessibledatabaseintheGooglePKIcontainingthisCPS,the
CRLforrevokedGoogleCertificates,andanyotherinformationspecifiedbyGoogle.
RevocationTheprocessofrequestingandimplementingachangeinthestatusofa
CertificatefromvalidtoRevoked.
Revoked:ACertificatestatusdesignationthatmeanstheCertificatehasbeenrendered
permanentlyInvalid.
Subject:Theindividualororganization(GoogleoraGoogleAffiliate)namedina
Certificate'sSubjectfield.
Subscriber:Theindividualororganization(GoogleoraGoogleAffiliate)thatisnamed
astheSubjectofaGoogleCertificateandthathasagreedtothetermsofaSubscriber
AgreementwithGoogleactinginitscapacityastheGoogleInternetAuthority.
SubscriberAgreement:ThecontractbetweentheGoogleInternetAuthorityanda
SubscriberwherebytheSubscriberagreestothetermsrequiredbythisCPSwith
respecttoeachCertificateissuedtotheSubscriberandnamingtheSubscriberasthe
Subject.IncaseswheretheSubscriberisGoogle,theissuanceofthisCPSconstitutes
GooglesagreementthetermsrequiredbythisCPS,andnoadditionalcontractis
required.
Token:Ahardwaredevice(suchasasmartcard)usedtostoreaKeyPairand
associatedCertificateandtoperformcryptographicfunctions.

AppendixB
PermissibleCryptographicAlgorithmsandKeySizes

Thefollowingalgorithmsandkeylengthsarepermissibleforsubscribercertificates:
DigestAlgorithm

SHA1,SHA256,SHA384orSHA512

RSA

2048orlonger

ECC

P256,P384,orP521

AppendixC
DocumentHistory

Version

Date

Changeowner

Note

1.0

July3rd,2013

CAPolicyAuthority

Initialpublication

1.1

September2nd,
2013

CAPolicyAuthority

Minorupdateremovinginaccurate
hyperlink,addinglinkto
intermediatecertificate,and
addingpublicchangehistory