(European Patent Office public key infrastructure - subscriber agreement)
The submission of an application for a smart card signifies acceptance by the User/Subscriber of the terms and conditions for the use of EPO smart cards and smart card readers. An agreement between the User/Subscriber and the European Patent Organisation (the Organisation) will not be deemed to exist until the Organisation has accepted the User's/Subscriber's application by providing him with a smart card.
By submitting an application for a smart card the User/Subscriber is asking the Certification Authority (CA) for the European Patent Office (EPO) to issue him with a smart card containing an EPO CA digital certificate for authentication (encryption) and non-repudiation (signing). This will enable him to carry out secure online transactions with the EPO and other relying parties as set out in the EPO public key infrastructure (PKI) certificate policy (CP). The certificate is stored on an EPO smart card together with the associated private and public key pairs. The smart card can be used to digitally sign and decrypt secure communications with the EPO, which have been encrypted with the User's/Subscriber's public key.
A. Certification and repository services
1. General principles
These terms and conditions of use form an integral part of the EPO PKI and are governed by the CP and the EPO PKI certification practice statement (CPS), as amended from time to time, all of which are incorporated into these terms and conditions of use by reference.
They can be requested via e-mail from firstname.lastname@example.org. Smart cards and the certificates and public and private key pairs stored on them may only be used in accordance with the CP and CPS.
2. Validity period
Certificates are valid for a maximum of five years, starting on the date of issue. Information about the validity period can be found in the certificates.
3. User/Subscriber obligations
Users/Subscribers undertake to
- provide full and accurate information when requesting a smart card
- check on receipt of their smart card that the User/Subscriber information stored on the digital certificate is accurate
- indicate their acceptance/rejection of the digital certificate, in the former case by using the smart card and in the latter by informing the Registration Authority (RA) for the EPO thereof without delay (European Patent Office, EPO Customer Desk, Patentlaan 2, 2280 HV Rijswijk (ZH), The Netherlands, Tel.: +31 70 340 4500, e-mail: email@example.com)
- use the public and private keys, the certificate and the smart card for their intended purpose only (as set out in the CP) and in accordance with the CP, the CPS and these terms and conditions of use
- ensure that the private key, the smart card and the PIN protecting the smart card are protected at all times against loss, disclosure to any unauthorised party, modification or unauthorised use
- ensure that their PIN is known only to them and to no-one else
- submit a revocation request to the RA immediately in the event of actual or suspected compromise of the private and/or public keys, the PIN, Admin PIN or smart card, or in the event of any change in the information provided as part of the application for the smart card
- inform the RA and the EPO's client data registration department (EPO Client Data Registration, European Patent Office, D-80298 Munich, Germany, Tel.: +49 89 2399 2780, e-mail: firstname.lastname@example.org) immediately of any change to the additional information stored on the smart card or relevant for its use, including changes relating to their person (title, name, address) and their relation to their employer, law firm or client/applicant (where they act for such), and any general information relating to said employer, law firm or client/applicant, as well as their status regarding any specific file with regard to which they are allowed to communicate with the EPO within a secure environment
- inform the RA immediately if, for any reason, their entitlement to hold the certificate is curtailed
- observe any legal restrictions or prohibition of use imposed by third parties with regard to the import or export of encryption technologies or products.
By submitting an application for a smart card the User/Subscriber undertakes to comply with the obligations set out above.
The User/Subscriber will indemnify and hold the Organisation harmless from any and all liability arising out of or in connection with the use of the smart card by the User/Subscriber for any other than its intended use or in any way that breaches the User's/Subscriber's obligations under these terms and conditions of use. This particularly applies to third-party claims.
5. The Organisation's obligations
The Organisation undertakes to ensure that, in its capacity as CA or RA, the EPO shall
- act in accordance with the CP, the CPS and these terms and conditions of use
- in its capacity as CA take reasonable measures to ensure that its own private key remains confidential and to provide a secure environment to control its use and access
- in its capacity as RA receive and process applications for certificates
- in its capacity as RA take reasonable measures to ensure that certificate requests are valid
- protect the contents of any request for the issue or revocation of a smart card, whether successful or unsuccessful, as confidential data known only to the CA and the User/Subscriber, except where such information is contained in a certificate, the certificate revocation list (CRL) or the CP, and excluding the circumstances mentioned in sections 2.8.2 - 2.8.7 of the CP
- in its capacity as CA issue smart cards to Users/Subscribers upon receipt of a valid request from the RA, in accordance with the CP, the CPS and these terms and conditions of use
- in its capacity as RA receive revocation requests from authorised parties (CA, RA, Users/Subscribers or other parties authorised by the EPO), make reasonable enquiries to establish the validity of those requests, and forward validated requests to the CA
- in its capacity as CA revoke certificates on receipt of a valid revocation request, and, in its capacity as RA, inform the User/Subscriber of the revocation, in accordance with the CP, the CPS and these terms and conditions of use
- in its capacity as CA post issued certificates to the repository
- in its capacity as CA generate key pairs for Users/Subscribers on the smart cards, forward user/subscriber certificate requests for certification, return the User/Subscriber certificate to the smart card and mail the User/Subscriber the smart card and - under separate cover - the PIN of the smart card
- in its capacity as CA generate a CRL and publish the CRL in the repository.
B. Smart card readers
6. Requirements for smart card readers
GemSAFE smart card reader software and drivers for the smart card reader (the "software") are necessary in order to communicate using the FPO smart card and smart card reader. The software and smart card reader are supplied by the EPO. The software is licensed by Gemplus under separate licence terms which Users/Subscribers must accept before installing it. Users/Subscribers who do not accept the separate licence terms must return the smart card and the smart card reader to the EPO
7. New version of software/new smart card reader
When a new version of the software is released and/or a new smart card reader is made available in order to ensure compliance with the technical standard prescribed by the EPO, they may be ordered from the EPO. Users/Subscribers must cease using the previous version of the software/smart card reader within six months of the release of the new version.
C. General provisions
8. Revocation of certificate/blockage of smart card
Should the User/Subscriber breach any of his obligations under these terms and conditions, the Organisation is entitled to revoke the certificate and block the smart card.
9. Liability of the Organisation
The Organisation is not liable for any damages arising out of or in connection with any use of certificates or smart cards issued or of software and smart card readers supplied under these terms and conditions of use other than for communication between the EPO (section 1.1.3 of the CP) or other authorised Relying Parties (section 188.8.131.52 - 184.108.40.206 of the CP) and permitted users (section 1.1.2 of the CP).
The Organisation disclaims all liability for the non-availability of the EPO PKI due to system maintenance or repair or to factors outside the control of the Organisation or the EPO. Furthermore, it accepts no responsibility for any delays in the delivery of the smart card, smart card reader or software.
The Organisation does not guarantee that the smart card, smart card reader or the software will meet the User/Subscriber's requirements or will operate in an error-free manner. No guarantee is given or representation made, either express or implied, with respect to the quality of the products provided, their performance or their fitness for a particular purpose.
Liability for defects covers product defects which existed at the time of shipment to the User/Subscriber. The Organisation undertakes to remedy defects by way of either correction or substitution, but reserves the right to test the products to ascertain their defectiveness. Should a product prove not to be defective, the Organisation will charge the costs for the substituted product to the User/Subscriber (as set out in section 10).
Further defect or damage liability claims are excluded unless the Organisation or the EPO has caused the damage wilfully or through gross negligence, or the damage consists of an injury to life, body or health, or the obligation breached is of a fundamental nature. In the latter case, if the claimant is not a consumer within the meaning of Section 13 of the German Civil Code, the Organisation's liability shall be limited to typical and foreseeable damages.
In accordance with section 2.5 of the CP the fees for using the smart card, smart card reader and software are included in the fees for the services rendered by the EPO or mentioned separately. The Organisation therefore supplies the smart cards, smart card readers and software at no extra charge. However, if a User/Subscriber applies for more than one smart card within five years (because of loss, theft, blockage due to use of the wrong AdminPIN, or other certificate revocation) or applies for a further smart card reader before a new one is made available to ensure compliance with the technical standard prescribed by the EPO, it is within the Organisation's discretion to charge the associated costs to the User/Subscriber. Where a certificate revocation or smart card blockage can be traced to a User/Subscriber's breach of these terms and conditions of use, it is within the Organisation's discretion to either not supply another smart card or to supply it at extra cost.
11. Changes to these terms and conditions of use
Users/Subscribers will be notified in writing of any changes to these terms and conditions of use. The changes will be considered to have been accepted if the User/Subscriber does not object in writing within six weeks after having received such notification. The Organisation will draw this to the attention of Users/Subscribers when notifying them of any changes. Objections will be considered as having been lodged in time if dispatched within the six-week period.
12. Applicable law
These terms and conditions of use/subscriber agreement are subject to German law without regard to the provisions of German private international law. The United Nations Convention on Contracts for the International Sale of Goods shall not apply.
13. Dispute resolution
If a dispute arises out of or in connection with these terms and conditions of use, the parties shall undertake in good faith to use all reasonable endeavours to settle the dispute by negotiation. Should this fail, any such dispute shall be finally settled by binding arbitration with one single arbitrator in accordance with the provisions of the German Code of Civil Procedure (ZPO). The venue for arbitration shall be Munich. Notwithstanding the aforementioned, if the Organisation waives its immunity from national jurisdiction, the courts of Munich shall have jurisdiction for any such dispute.
Where under applicable patent law an event arising out of or in connection with these terms and conditions of use allows a party to seek resolution, the judicial means provided thereunder shall take precedence over the above-indicated dispute resolution procedure.
These terms and conditions of use shall be interpreted in such a way that the rights of the Organisation and the EPO arising from the European Patent Convention (EPC), including the Protocol on Privileges and Immunities of the European Patent Organisation, signed in Munich on 5 October 1973, are in all cases preserved.
Data protection information
Users'/Subscribers' certificate data are stored and processed by the Organisation/EPO and are used only for the purposes of secure communication by means of the smart card and in accordance with the CP and CPS. To verify the validity of the certificate it is necessary to transmit the data contained therein, and this data will therefore be visible to the entities with whom the User/Subscriber communicates.