Author: Teus Hagen
Creation date: 2008-05-02
Status: WiP 2008-05-02
Next status: DRAFT 2008
In this policy it is defined what CAcert does with the "Subject" and "SubjectAlternativeName" record in the issued X.509 certificate.
The ITU-T Recommendation X.509 of June 1997 (limited by the used OpenSSL implementation) defines the information types (and formats) "Tagged Modules" for the "Subject" (IETF standard RFC3280/4.1.2.6) for a Distinguished Name (DN): a sequence of X.501 styled elements (type/value pairs), type="value" (e.g. "CN=Saskia the Mystical/emailAddress=sky@limit.net") on the issued certificate (see for "type" below).
Subject and SubjectAlternativeName may be used in the Certificate Signing Request (CSR) sent to CAcert. CAcert will use this information as well information checked from assurances and other means to assemble the Subject and SubjectAlternativeName records.
Other documents: RFC 3039 Qualified Certificate Profile.
The current policy of CAcert on information of individuals and organisations on an issues certificate by CAcert is: only those (exact) names and other information which are checked via an assurance or by well defined means (e.g. email address and domain evaluation). This is pretty much limited by reasons of private information and traceability information. The set of information about the certficate user on the issued certificate is limited and shall meet common usage security practice on internet.
CAcert operation will be organised such that the individual or organisation Member of the CAcert Community for which the certificate is issued has been identified by the web of trust of CAcert Assurers (Assurance Policy). Prerequisite is: what is supplied as information on the issued certificate should be well defined and it should be clear what is check by assurances (or other means) and what not.
CAcert should not violate common security practice of the use of some "type" - records in the Subject field in the issued certificate. Here we talk about two types of certificates (key usage): server certificates and client certificates for individuals (persons) and for organisations ("trade" entities).
Information records are defined in definitions of "type=value" (e.g. CN=www.cacert.org) pairs.
The differnet "types":
Remarks:
What information types (Tagged Modulels) in the certificates issued by CAcert are implemented?
An "(optional)" value will say: if required during certificate signing request and defined in the CAcert account information.
List of supported information types in Subject field of certificates of individual CAcert Community Members:
An "(optional)" value will say: if required during certificate signing request and defined in the CAcert account information.
List of supported information types in Subject field of certificates of organisation CAcert Community Members:
CAcert does not support Identity Certificates.
CAcert does not have other downwards trusted roles (Registration Authorities (RA), Local Regsitration Authorities (LRA), or Trusted Agents (TA).
Alternate login certificate names: CAcert uses Common Name (CN) of the CAcert certificate.
Code Signing certificates are supported, currently requires a higher degree of
assurances (100 points). More about Code Signing certificates is defined in the Code Signing policy.
?cn=CS.
Trusted Timestamp service: is planned.
CAcert does not: private key multi-person (n out of m) control, private key escrow, private key backup, private key archival, certificate backup.
CAcert does Certificate Signature Request backup (but it is not guaranteed). CSR can have user provided "Subject" X.501 information.