CAcert Policy Status
Author: Teus Hagen
Creation date: 2008-05-02
Status: WiP 2008-05-02
Next status: DRAFT 2008

0. Preliminaries

In this policy it is defined what CAcert does with the "Subject" and "SubjectAlternativeName" record in the issued X.509 certificate.

The ITU-T Recommendation X.509 of June 1997 (limited by the used OpenSSL implementation) defines the information types (and formats) "Tagged Modules" for the "Subject" (IETF standard RFC3280/4.1.2.6) for a Distinguished Name (DN): a sequence of X.501 styled elements (type/value pairs), type="value" (e.g. "CN=Saskia the Mystical/emailAddress=sky@limit.net") on the issued certificate (see for "type" below).

Subject and SubjectAlternativeName may be used in the Certificate Signing Request (CSR) sent to CAcert. CAcert will use this information as well information checked from assurances and other means to assemble the Subject and SubjectAlternativeName records.

Other documents: RFC 3039 Qualified Certificate Profile.

1. Information Policies

1.1 Organisation and Individual certificate information policy

The current policy of CAcert on information of individuals and organisations on an issues certificate by CAcert is: only those (exact) names and other information which are checked via an assurance or by well defined means (e.g. email address and domain evaluation). This is pretty much limited by reasons of private information and traceability information. The set of information about the certficate user on the issued certificate is limited and shall meet common usage security practice on internet.

1.2 Information Assurance

CAcert operation will be organised such that the individual or organisation Member of the CAcert Community for which the certificate is issued has been identified by the web of trust of CAcert Assurers (Assurance Policy). Prerequisite is: what is supplied as information on the issued certificate should be well defined and it should be clear what is check by assurances (or other means) and what not.

1.3 Information and Internet Security Practice

CAcert should not violate common security practice of the use of some "type" - records in the Subject field in the issued certificate. Here we talk about two types of certificates (key usage): server certificates and client certificates for individuals (persons) and for organisations ("trade" entities).

2. Subject Information Records

2.1 Overview of Information Types

Information records are defined in definitions of "type=value" (e.g. CN=www.cacert.org) pairs.
The differnet "types":

Remarks:

2.2 Overview of information types used by CAcert

What information types (Tagged Modulels) in the certificates issued by CAcert are implemented?