\chapter{CERTIFICATE, CRL, AND OCSP PROFILES}
\section{Certificate profile}
\subsection{Version number(s)}
All certificates that reference this Policy will be issued in the X.509 version 3 format and will carry the OID of this Policy in the Certificate Policies extension (listed for each certificate type below).
\subsection{Certificate extensions}
\begin{itemize}
\item{User and Robot certificates:}
\begin{enumerate}
\item{Basic constraints (Critical): Not a CA.}
\item{Key usage (Critical): Digital signature, key encipherment, data encipherment.}
\item{Extended Key Usage (Not Critical): clientAuth}
\item{Subject key identifier}
\item{Authority key identifier}
\item{Subject alternative name(s)}
\item{Issuer alternative name}
\item{CRL distribution points (pointing to one http URL)}
\item{Certificate policies}
\end{enumerate}
\item{Host and Service certificates:}
\begin{enumerate}
\item{Basic constraints (Critical): Not a CA.}
\item{Key usage (Critical): Digital signature, key encipherment, data encipherment.}
\item{Extended Key Usage (Not Critical): clientAuth, serverAuth}
\item{Subject key identifier}
\item{Authority key identifier}
\item{Subject alternative name(s)}
\item{Issuer alternative name}
\item{CRL distribution points (pointing to one http URL)}
\item{Certificate policies}
\end{enumerate}
\item{CA certificate:}
\begin{enumerate}
\item{Basic constraints (Critical): CA.}
\item{Key usage (Critical): CRL signature, key certificate signature}
\item{Subject key identifier}
\item{Authority key identifier}
\item{Subject alternative name}
\item{Issuer alternative name}
\item{CRL distribution points (pointing to one http URL)}
\item{Certificate policies}
\end{enumerate}
\end{itemize}
\subsection{Algorithm object identifiers}
\begin{enumerate}
\item{Hash Function: id-sha1 1.3.14.3.2.26, sha256 2.16.840.1.101.3.4.2.1, sha384 2.16.840.1.101.3.4.2.2, sha512 2.16.840.1.101.3.4.2.3}
\item{RSA Encryption: rsaEncryption 1.2.840.113549.1.1.1}
\item{Signature Algorithm: sha1WithRSAEncryption 1.2.840.113549.1.1.5, sha256WithRSAEncryption 1.2.840.113549.1.1.11, sha384WithRSAEncryption 1.2.840.113549.1.1.12, sha512WithRSAEncryption 1.2.840.113549.1.1.13}
\end{enumerate}
Note that SHA-1 (id-sha1, sha1WithRSAEncryption) is cryptographically weak for signature purposes; its presence in the list above should be treated as legacy, and newly generated certificate and CRL signatures should use a SHA-2 algorithm (sha256WithRSAEncryption or stronger) from the same list.
\subsection{Name forms}
Issuer:
\begin{verbatim}
C=GR,
O=HellasGrid,
OU=Certification Authorities,
CN=HellasGrid CA 2006
\end{verbatim}
Subject:
\begin{verbatim}
C=GR,
O=HellasGrid,
OU=UNIT,
CN=SUBJECT NAME
\end{verbatim}
\subsection{Name constraints}
Subject attribute constraints:
\begin{description}
\item[countryName] Must be \texttt{GR}.
\item[organizationName] Must be \texttt{HellasGrid}.
\item[organizationalUnitName] Must be the DNS domain name of the Institution/Organization the subject belongs to.
\item[commonName] See Sections~\ref{sub:TypesOfNames} and~\ref{sub:UniquenessOfNames}.
\end{description}
\subsection{Certificate policy object identifier}
HellasGrid CA identifies this policy with the object identifier (OID) specified in Section~\ref{sec:DocumentNameAndIdentification}. All certificates issued under this policy will also include the OID of the ``Authentication Profile for Classic X.509 Public Key Certification Authorities with secured infrastructure'' (1.2.840.113612.5.2.2.1) in the Certificate Policies extension.
\subsection{Usage of Policy Constraints extension}
No stipulation.
\subsection{Policy qualifiers syntax and semantics}
No stipulation.
\subsection{Processing semantics for the critical Certificate Policies extension}
No stipulation.
\section{CRL profile}
\subsection{Version number(s)}
All CRLs will be issued in the X.509 version 2 format.
\subsection{CRL and CRL entry extensions}
CRLs carry only the Authority Key Identifier extension; no other CRL extensions and no CRL entry extensions (such as reason codes) are included.
\section{OCSP profile}
\subsection{Version number(s)}
Currently HellasGrid CA does not operate a production-level OCSP service; revocation status is made available only through the CRL referenced by the CRL distribution points extension of issued certificates (see the CRL profile above).
\subsection{OCSP extensions}
Currently HellasGrid CA does not operate a production-level OCSP service, so no OCSP extensions are defined.