From 981fda6de6fe9c40e6c8d60bc44e91f306b15833 Mon Sep 17 00:00:00 2001
From: Teus Hagen <teus@cacert.org>
Date: Fri, 2 May 2008 13:55:29 +0000
Subject: [PATCH] Initiated X.509 Subject policy definition from policy email
 list. Proposed by Teus Hagen.

git-svn-id: http://svn.cacert.org/CAcert/Policies@825 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 X509ImplementationPolicy.html | 255 ++++++++++++++++++++++++++++++++++
 1 file changed, 255 insertions(+)
 create mode 100644 X509ImplementationPolicy.html

diff --git a/X509ImplementationPolicy.html b/X509ImplementationPolicy.html
new file mode 100644
index 0000000..b8ffe16
--- /dev/null
+++ b/X509ImplementationPolicy.html
@@ -0,0 +1,255 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+	"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+	<head>
+		<title>
+		</title>
+	</head>
+	<body>
+		<h1>
+		</h1>
+		<p>
+			<a href="../PolicyOnPolicy.html"><img src="../Images/cacert-wip.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a><br />
+			Author: Teus Hagen<br />
+			Creation date: 2008-05-02<br />
+			Status: WiP 2008-05-02<br />
+			Next status: DRAFT 2008<br />
+			<!-- $Id: X509ImplementationPolicy.html 772 2008-05-02 13:46:20Z teus $ -->
+		</p>
+		<h2>
+			0. Preliminaries
+		</h2>
+<p>
+In this policy it is defined
+what CAcert does with the "Subject" and "SubjectAlternativeName" record in the issued X.509 certificate.
+</p>
+<p>
+The ITU-T Recommendation X.509 of June 1997 (limited by the used OpenSSL implementation) defines  the information types (and formats) "Tagged Modules" for the "Subject" (IETF standard RFC3280/4.1.2.6) for
+a Distinguished Name (DN): a sequence of X.501 styled elements (type/value pairs),
+type="value" (e.g. "CN=Saskia the Mystical/emailAddress=sky@limit.net") on the issued certificate (see for "type" below).
+<p>
+</p>
+<p>
+Subject and SubjectAlternativeName may be used in the Certificate Signing Request (CSR) sent to CAcert.
+CAcert will use this information as well information checked from assurances and other means to assemble the Subject and SubjectAlternativeName records.
+</p>
+<P>
+Other documents: RFC 3039 Qualified Certificate Profile.
+</p>
+		<h2>
+			1. Information Policies
+		</h2>
+		<h3>
+			1.1 Organisation and Individual certificate information policy
+		</h3>
+<p>
+The current policy of CAcert  on information of individuals and organisations on an issues certificate by CAcert is:
+only those (exact) names and other information which are checked via
+an assurance or by well defined means (e.g. email address and domain evaluation).
+This is pretty much limited by reasons of private information
+and traceability information.
+The set of information about the certficate user on the issued certificate is
+limited and shall meet common usage security practice on internet.
+</p>
+		<h3>
+			1.2 Information Assurance
+		</h3>
+<p>
+CAcert operation will be organised such that the individual or
+organisation Member of the CAcert Community for which the certificate is
+issued has been identified by the web of trust of CAcert Assurers (Assurance Policy).
+Prerequisite is: what is supplied as information on the issued
+certificate should be well defined and it should be clear what is check
+by assurances (or other means) and what not.
+</p>
+		<h3>
+			1.3 Information and Internet Security Practice
+		</h3>
+<p>
+CAcert should not violate common security practice of the use of some
+"type" - records in the Subject field in the issued certificate.
+Here we talk about two types of certificates (key usage): server certificates and
+client certificates for individuals (persons) and for organisations ("trade" entities).
+		<h2>
+			2. Subject Information Records
+		</h2>
+		<h3>
+			2.1 Overview of Information Types
+		</h3>
+<p>
+Information records are defined in definitions of "type=value" (e.g. CN=www.cacert.org) pairs.
+<br>The differnet "types":
+<ul>
+ <li>country "C"</li>
+ <li>organisation "O"</li>
+ <li>organisation unit "OU"</li>
+ <li>distinguised name qualifier</li>
+ <li>state or province "ST"</li>
+ <li>common name "CN"</li>
+ <li>locality "L"</li>
+ <li>postal address</li>
+ <li>title</li>
+ <li>surname "FN"</li>
+ <li>given name "GN"</li>
+ <li>initials</li>
+ <li>pseudonym</li>
+ <li>generation qualifier</li>
+ <li>serial number "SN".</li>
+</ul>
+<p>
+Remarks:
+<ul>
+ <li>common practice is that the search for a name in an certificate is prioritised: common name, given name / surname, pseudonym.</li>
+ <li>In the following "(<i>not-supported</i>)" will say CAcert will not evaluate the
+information for the certificate, and not provide it in the issued
+certificate.</li>
+ <li>Comparison of values are based on X.500 specification. Note this for the
+comparison of names of individuals and organisations. CAcert may use own
+rules on the comparison.</li>
+</ul>
+		<h3>
+			2.2 Overview of information types used by CAcert
+		</h3>
+<p>
+What  information types (Tagged Modulels) in the certificates issued by CAcert are implemented?
+<ul>
+		<h4>
+			2.2.1 Information on Individual certificates
+		</h4>
+<p>
+An "(<i>optional</i>)" value will say: if required during certificate signing request and defined in the CAcert account information.
+</p>
+<p>
+List of supported information types in Subject field of certificates of individual CAcert Community Members:
+<dl>
+ <dt><i>CN: Common Name</i></dt>
+  <dd><dl>
+    <dt>On the <i>server</i> certificate:</dt>
+	<dd>fully routable DNS domain name (evaluated and practiced by external world)
+	</dd>
+    <dt>On the <i>client</i> certificate:</dt>
+        <dd>the full name of the person in the
+account (one of the assured full names, await implementation) with fully
+routable email address(es) (.../emailAddress=RFC822 (email addess)
+tuples) (subset of evaluated email addresses in the CAcert account).
+        </dd>
+     </dl>
+ </dd>
+ <dt><i>FN: surname</i> (<i>optional</i>)</dt>
+	<dd>(?need vote?)
+        <br>if in CAcert archive (see CAP form) archive and on
+request of user it is supported (it is evaluated via Web of Trust).
+ </dd>
+<dt><i>GN: given name</i> (<i>optional</i>)</dt>
+	<dd>(?need vote?)
+        <br>if in CAcert archive (see CAP form) archive and on
+ </dd>
+<dt><i>PS: pseudonym</i> (<i>optional</i>)</dt>
+       <dd>(?need vote? leave to future?)
+	<br>presentation layer full name discussion: if evaluated by
+Wob of Trust it can be supported (implies X persons from CAcert
+Community ack this?)
+	Or it is simply (<i>not-supported</i>) (user may decide, CAcert will follow the sugestion).
+ </dd>
+</dl>
+</p>
+
+		<h4>
+			2.2.2 Information on Organisation certificates
+		</h4>
+<p>
+<p>
+An "(<i>optional</i>)" value will say: if required during certificate signing request and defined in the CAcert account information.
+</p>
+<p>
+List of supported information types in Subject field of certificates of organisation CAcert Community Members:
+<dl>
+<dt><i>CN: Common Name</i></dt>
+	<dd>
+	<dl>
+    <dt>On the <i>server</i> certificate:</dt>
+	<dd>fully routable DNS domain name (evaluated and
+practiced by external world);</dd>
+    <dt>On the <i>client</i> certificate: </dt>
+	<dd>organisation <i>client</i> cert: ?? (what is the practice? :
+	organisation name and/or contact email address(es)?).
+	</dd>
+	</dl>
+  </dd>
+<dt><i>O: Organisation name</i> (<i>optional</i>)</dt>
+	<dd>checked from COAP/trade office registry extract.
+       (? add contact email address here?)
+ </dd>
+<dt><i>OU: Organisation Unit name</i> (<i>optional</i>)</dt>
+	<dd>checked from COAP/trade office registry extract.
+       (? add contact email address here?)
+ </dd>
+<dt><i>L: Locality name</i> (<i>not-supported</i>) </dt>
+	<dd>CAcert will follow suggestiuon of requester, but not check values provided.
+ </dd>
+<dt><i>ST: State</i> (<i>optional</i>) </dt>
+	<dd>only some countries as eg USA, Germany?
+	<br>checked from COAP/trade office registry extract.
+ </dd>
+<dt><i>C: Country name</i> (<i>optional</i>)</dt>
+	<dd>checked from COAP/trade office registry extract.
+ </dd>
+<dt><i>pseudonym: (?)</i> (<i>optional</i>)</dt>
+	<dd>?need vote? leave to future?
+	<br>trademarks? Not checkeced by CAcert? or COAP form?
+ </dd>
+</dl>
+</p>
+		<h3>
+			2.3 What Information Types are not supported
+		</h3>
+<p>
+<dl>
+ <dt>Directory attributes:</dt>
+	<dd>title, date of birth, place of birth, gender,
+ country of citizenship, country of residence information types are not supported by CAcert.
+ </dd>
+ <dt>Biometric information extension </dt>
+	<dd>is not supported by CAcert.
+ </dd>
+ <dt>Qualified certificate statements</dt>
+	<dd>are not supported by CAcert.
+ </dd>
+ <dt>Application names</dt>
+	<dd>are not supported by CAcert.
+ </dd>
+</dl>
+</p>
+		<h2>
+			3. Certificate types and Services Remarks
+		</h2>
+<p>
+CAcert does not support Identity Certificates.
+</p><p>
+CAcert does not have other downwards trusted roles (Registration
+Authorities (RA), Local Regsitration Authorities (LRA), or Trusted
+Agents (TA).
+</p><p>
+Alternate login certificate names: CAcert uses Common Name (CN) of the
+CAcert certificate.
+</p><p>
+Code Signing certificates are supported, currently requires a higher degree of
+assurances (100 points). More about Code Signing certificates is defined in the Code Signing policy.
+<br>
+?cn=CS.<O_org_name_or_full_name>.<code-signing_identification_number>..???
+</p><p>
+Trusted Timestamp service: is planned.
+</p><p>
+CAcert does not: private key multi-person (n out of m) control, private
+key escrow, private key backup, private key archival, certificate backup.
+</p><p>
+CAcert does Certificate Signature Request backup (but it is not
+guaranteed). CSR can have user provided "Subject" X.501 information.
+</p>
+
+		<p>
+			<a href="http://validator.w3.org/check?uri=referer"><img src="../Images/valid-xhtml11-blue" alt="Valid XHTML 1.1" height="31" width="88" style="border-style: none;" /></a>
+		</p>
+	</body>
+</html>