Certification Practice Statement

Version 1.0

Effective Date: January 1, 2026

Last Updated: January 15, 2026

1. Introduction

1.1 Overview

This Certification Practice Statement (CPS) describes the practices and procedures employed by Continuum Trust Services in the issuance, management, revocation, and renewal of digital certificates. This CPS implements the requirements set forth in the Continuum Trust Services Certificate Policy (CP).

1.2 Document Identification

Document: Continuum Trust Services CPS

Version: 1.0

Issuing Organization: Continuum Systems Ltd.

Jurisdiction: Cayman Islands (KY)

1.3 CA Description

Continuum Trust Services operates a two-tier PKI hierarchy consisting of an offline Root CA and one or more online Issuing CAs. The Root CA is maintained in an air-gapped environment and is only brought online for certificate signing operations.

2. PKI Infrastructure

2.1 CA Hierarchy

Continuum Systems Root CA (Offline, HSM-protected)
O=Continuum Systems Ltd., OU=Infrastructure Operations, L=George Town, C=KY
Continuum Issuing CA I1 (Online, HSM-protected)

2.2 Repository Locations

  • CA Certificates: https://pki.continuum.lat/certs/
  • CRL: http://crl.continuum.lat/
  • OCSP: http://ocsp.continuum.lat/
  • Policy Documents: https://continuum.lat/policy/

2.3 OCSP Service

Continuum Trust Services operates an OCSP responder that provides real-time certificate status information. The OCSP responder is available 24/7 with a 99.9% uptime SLA. OCSP responses are signed by a dedicated OCSP signing certificate issued by the relevant Issuing CA.

3. Certificate Application Process

3.1 Application Submission

Certificate applications are submitted through the following process:

  1. Initial contact via email (hello@continuum.lat)
  2. Preliminary discussion of requirements and use cases
  3. Submission of formal application with required documentation
  4. Validation and verification procedures
  5. Certificate issuance upon successful validation

3.2 Required Documentation

  • Organization legal documentation (for OV certificates)
  • Domain ownership verification
  • Authorization letter from organization
  • Technical contact information
  • Certificate Signing Request (CSR)

3.3 Processing Time

Standard certificate applications are processed within 1-5 business days, depending on the complexity of validation requirements. Complex or non-standard requests may require additional time.

4. Validation Procedures

4.1 Domain Validation (DV)

Domain control is verified using one or more of the following methods:

  • Email to domain contacts (admin@, hostmaster@, etc.)
  • DNS TXT record verification
  • HTTP/.well-known validation
  • ACME DNS-01 challenge

4.2 Organization Validation (OV)

Organization identity is verified through:

  • Government-issued registration documents
  • Third-party databases (D&B, government registries)
  • Phone verification to organization's verified number
  • Physical address verification

4.3 Individual Validation

Individual identity for client certificates is verified through government-issued identification documents and, where applicable, video verification calls.

5. Certificate Issuance

5.1 Issuance Process

  1. Validation team completes all verification procedures
  2. CSR is reviewed for technical compliance
  3. Certificate request is approved by authorized personnel
  4. Certificate is generated and signed by the Issuing CA
  5. Certificate is delivered to subscriber via secure channel

5.2 Certificate Format

All certificates conform to X.509 version 3 and are encoded using DER/PEM format. Certificate chains are provided in PEM format for easy deployment.

5.3 Certificate Delivery

Certificates are delivered via encrypted email or secure download portal. Private keys are never transmitted; they remain solely with the subscriber.

6. Certificate Revocation

6.1 Revocation Request

Subscribers may request revocation by contacting Continuum Trust Services via:

  • Email: hello@continuum.lat
  • Authenticated portal access (for existing customers)

6.2 Revocation Timeframes

Key compromise: Within 24 hours

Subscriber request: Within 24 hours

Policy violation: Within 5 days

Other reasons: Within 5 days

6.3 CRL Issuance

CRLs are published at least every 24 hours or immediately upon emergency revocation. CRL validity period is 7 days with a 24-hour overlap.

7. Technical Security

7.1 Hardware Security Modules

All CA private keys are stored in FIPS 140-2 Level 3 certified Hardware Security Modules (HSMs). The HSMs are configured in high-availability clusters with geographic redundancy.

7.2 Key Ceremonies

Key generation ceremonies are conducted with witnesses, video recording, and detailed documentation. Ceremonies follow documented procedures with multiple trusted roles participating.

7.3 Network Security

  • CA systems are isolated in dedicated network segments
  • Intrusion detection and prevention systems
  • Regular vulnerability assessments and penetration testing
  • Encrypted communications for all administrative access

8. Disaster Recovery

8.1 Business Continuity

Continuum Trust Services maintains comprehensive business continuity and disaster recovery plans. Critical systems are replicated across multiple geographic locations.

8.2 Key Recovery

CA keys are backed up in encrypted form and can be recovered using multi-party key shares held by trusted custodians. Recovery procedures are tested annually.

8.3 Service Availability

OCSP availability: 99.9% SLA

CRL availability: 99.9% SLA

Recovery Time Objective: 4 hours

Recovery Point Objective: 1 hour

9. Audit and Compliance

9.1 Internal Audits

Internal audits are conducted quarterly to verify compliance with this CPS and the Certificate Policy. All CA operations are logged and reviewed.

9.2 External Audits

Annual third-party audits are conducted to verify compliance with industry standards and this CPS.

9.3 Audit Logging

  • All certificate lifecycle events are logged
  • Administrative actions are logged with user identification
  • Logs are cryptographically protected against tampering
  • Log retention: minimum 7 years

10. Subscriber Obligations

10.1 Key Protection

Subscribers are responsible for protecting their private keys using appropriate security controls, including encryption, access controls, and secure storage.

10.2 Reporting Obligations

Subscribers must immediately report any suspected or actual key compromise, certificate misuse, or changes in the accuracy of certificate information.

10.3 Acceptable Use

Certificates may only be used for the purposes specified in the subscriber agreement. Use of certificates for illegal activities is strictly prohibited.

11. Contact Information

For questions regarding this CPS or to report security incidents:

Continuum Systems Ltd.

Infrastructure Operations

George Town, Grand Cayman

Cayman Islands (KY)

PKI Operations & Security Incidents

hello@continuum.lat