|
|
|
|
@ -3121,16 +3121,11 @@ Refer to SM3.1 "Logical Security - Network".
|
|
|
|
|
|
|
|
|
|
<h3><a name="p6.8" id="p6.8">6.8. Time-stamping</a></h3>
|
|
|
|
|
<p>
|
|
|
|
|
Each server synchronises with NTP.
|
|
|
|
|
No "timestamping" service is currently offered.
|
|
|
|
|
The Signing Server receives the time through the serial link, but the synchronisation has to be done manually by a sysadmin.
|
|
|
|
|
All other servers synchronise with NTP or HTTPDATE.
|
|
|
|
|
CAcert might offer a Timestamping Service, or might approve an existing Timestamping Service.
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<ul class="q">
|
|
|
|
|
<li> How does the signing server syncronise if only connected over serial?</li>
|
|
|
|
|
<li> How is timestamping done on records?</li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<!-- *************************************************************** -->
|
|
|
|
|
@ -3148,7 +3143,6 @@ by the Member or the Non-related Person.
|
|
|
|
|
|
|
|
|
|
<h3><a name="p7.1" id="p7.1">7.1. Certificate profile</a></h3>
|
|
|
|
|
<h4><a name="p7.1.1" id="p7.1.1">7.1.1. Version number(s)</a></h4>
|
|
|
|
|
<p class="q"> What versions of PGP are signed? v3? v4? </p>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
Issued X.509 certificates are of v3 form.
|
|
|
|
|
@ -3163,18 +3157,16 @@ Client certificates include the following extensions:.
|
|
|
|
|
<ul><li>
|
|
|
|
|
basicConstraints=CA:FALSE (critical)
|
|
|
|
|
</li><li>
|
|
|
|
|
keyUsage=digitalSignature,keyEncipherment,cRLSign
|
|
|
|
|
</li><li>
|
|
|
|
|
keyUsage=digitalSignature,keyEncipherment
|
|
|
|
|
</li><li>
|
|
|
|
|
extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
|
|
|
|
|
</li><li>
|
|
|
|
|
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
|
|
|
|
</li><li>
|
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).
|
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>) (can be marked critical).
|
|
|
|
|
</li></ul>
|
|
|
|
|
<ul class="q">
|
|
|
|
|
<li> what about Client Certificates Adobe Signing extensions ?</li>
|
|
|
|
|
<li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -3190,7 +3182,7 @@ Server certificates include the following extensions:
|
|
|
|
|
</li><li>
|
|
|
|
|
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
|
|
|
|
</li><li>
|
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).
|
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>) (can be marked critical).
|
|
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
@ -3205,10 +3197,9 @@ Code-Signing certificates include the following extensions:
|
|
|
|
|
extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
|
|
|
|
|
</li><li>
|
|
|
|
|
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
|
|
|
|
</li><li>
|
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>) (can be marked critical).
|
|
|
|
|
</li></ul>
|
|
|
|
|
<ul class="q">
|
|
|
|
|
<li> what about subjectAltName for Code-signing</li>
|
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
OpenPGP key signatures currently do not include extensions.
|
|
|
|
|
@ -3251,7 +3242,7 @@ into certificates:
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>
|
|
|
|
|
1.3.6.1.4.1.18506.4.4
|
|
|
|
|
1.3.6.1.4.1.18506.4.4.1
|
|
|
|
|
</td>
|
|
|
|
|
<td>
|
|
|
|
|
Certification Practice Statement
|
|
|
|
|
|
source
14 years ago