|
|
@ -69,7 +69,7 @@ a:hover {
|
|
|
|
<a href="PolicyOnPolicy.html"><img src="cacert-draft.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a><br />
|
|
|
|
<a href="PolicyOnPolicy.html"><img src="cacert-draft.png" alt="CAcert Policy Status" height="31" width="88" style="border-style: none;" /></a><br />
|
|
|
|
Creation date: 20060726<br />
|
|
|
|
Creation date: 20060726<br />
|
|
|
|
Status: DRAFT p20091108<br />
|
|
|
|
Status: DRAFT p20091108<br />
|
|
|
|
<!-- $Id: CertificationPracticeStatement.php,v 1.2 2011/07/27 10:41:01 wytze Exp $ -->
|
|
|
|
<!-- $Id: CertificationPracticeStatement.php,v 1.3 2012/07/27 16:00:29 wytze Exp $ -->
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<font size="-1">
|
|
|
|
<font size="-1">
|
|
|
@ -3203,54 +3203,50 @@ The form of the PGP signatures depends on several factors, therefore no stipulat
|
|
|
|
<h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
|
|
|
|
<h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
Client certificates include the following extensions:.
|
|
|
|
Client certificates include the following extensions:
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
<ul><li>
|
|
|
|
<ul>
|
|
|
|
basicConstraints=CA:FALSE (critical)
|
|
|
|
<li>basicConstraints=CA:FALSE (critical)</li>
|
|
|
|
</li><li>
|
|
|
|
<li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
|
|
|
|
keyUsage=digitalSignature,keyEncipherment,cRLSign
|
|
|
|
<li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
|
|
|
|
</li><li>
|
|
|
|
<li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
|
|
|
|
</li><li>
|
|
|
|
<li>crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced
|
|
|
|
extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
|
|
|
|
with the URI where the certificate revocation list relating to the
|
|
|
|
</li><li>
|
|
|
|
certificate is found</li>
|
|
|
|
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
|
|
|
<li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
|
|
|
|
</li><li>
|
|
|
|
</ul>
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).
|
|
|
|
|
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
<ul class="q">
|
|
|
|
<ul class="q">
|
|
|
|
<li> what about Client Certificates Adobe Signing extensions ?</li>
|
|
|
|
<li> what about Client Certificates Adobe Signing extensions ?</li>
|
|
|
|
<li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
|
|
|
|
<li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
|
|
|
|
</ul>
|
|
|
|
</ul>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
Server certificates include the following extensions:
|
|
|
|
Server certificates include the following extensions:
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
<ul><li>
|
|
|
|
<ul>
|
|
|
|
basicConstraints=CA:FALSE (critical)
|
|
|
|
<li>basicConstraints=CA:FALSE (critical)</li>
|
|
|
|
</li><li>
|
|
|
|
<li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
|
|
|
|
keyUsage=digitalSignature,keyEncipherment
|
|
|
|
<li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
|
|
|
|
</li><li>
|
|
|
|
<li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
|
|
|
|
extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
|
|
|
|
<li>crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced
|
|
|
|
</li><li>
|
|
|
|
with the URI where the certificate revocation list relating to the
|
|
|
|
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
|
|
|
certificate is found</li>
|
|
|
|
</li><li>
|
|
|
|
<li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
|
|
|
|
subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).
|
|
|
|
</ul>
|
|
|
|
</li></ul>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
<p>
|
|
|
|
Code-Signing certificates include the following extensions:
|
|
|
|
Code-Signing certificates include the following extensions:
|
|
|
|
</p>
|
|
|
|
</p>
|
|
|
|
|
|
|
|
<ul>
|
|
|
|
<ul><li>
|
|
|
|
<li>basicConstraints=CA:FALSE (critical)</li>
|
|
|
|
basicConstraints=CA:FALSE (critical)
|
|
|
|
<li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
|
|
|
|
</li><li>
|
|
|
|
<li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
|
|
|
|
keyUsage=digitalSignature,keyEncipherment
|
|
|
|
<li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
|
|
|
|
</li><li>
|
|
|
|
<li>crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced
|
|
|
|
extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
|
|
|
|
with the URI where the certificate revocation list relating to the
|
|
|
|
</li><li>
|
|
|
|
certificate is found</li>
|
|
|
|
authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
|
|
|
|
<li>subjectAltName=(as per <a href="#p3.1.1">§3.1.1.</a>).</li>
|
|
|
|
</li></ul>
|
|
|
|
</ul>
|
|
|
|
<ul class="q">
|
|
|
|
<ul class="q">
|
|
|
|
<li> what about subjectAltName for Code-signing</li>
|
|
|
|
<li> what about subjectAltName for Code-signing</li>
|
|
|
|
</ul>
|
|
|
|
</ul>
|
|
|
|
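Review bot: The `<crlUri>` placeholder in the three added crlDistributionPoints items (client, server and code-signing lists) is written with raw angle brackets, so an HTML parser will treat it as an unknown element and drop it from the rendered text. Readers of the published CPS would then see "crlDistributionPoints=URI: where is replaced with the URI …", which leaves the revocation-list location in the certificate profile unreadable. Escape the placeholder in all three items, for example `<li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced`. This assumes the second line of each printed pair is the new side, which the `$Id$` revision pair (1.2 then 1.3) suggests.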