  1.3.6.1.4.1.27630.1.0.1.4
Added by Jose REMY, last edited by Jose REMY on Aug 01, 2007

(1.3.6.1.4.1.27630.1.0.1.4 DESC 'usage' )

Certificate usage

This object identifier (OID) describes openOSI PKI Certificate usage.

ASN1 notation: {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) common(0) introduction(1) usage(4)}
URN notation: urn:oid:1.3.6.1.4.1.27630.1.0.1.4
IETF DOT notation: 1.3.6.1.4.1.27630.1.0.1.4
BNF notation (RFC822 Backus-Naur form): (1.3.6.1.4.1.27630.1.0.1.4 DESC 'usage' )
Description: Certificate usage - USAGE
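The notations above are all spellings of one value; what actually goes into a certificate is the DER OBJECT IDENTIFIER encoding of it, carried in the certificatePolicies extension (id-ce-certificatePolicies, 2.5.29.32). As an added example, not code from the openOSI page or project, the following Python encodes the dotted OID to DER, decodes it back with the minimality checks DER requires, and builds and parses a certificatePolicies value that lists it. The function names are this example's own; the second OID in the usage call (1.3.6.1.4.1.27630.1.0.1.3) is the neighbouring arc referenced later on this page.

```python
"""DER encoding/decoding of OBJECT IDENTIFIERs, using the openOSI 'usage' OID
from this page, plus the certificatePolicies extension value that carries such
a policy OID in an X.509 certificate.  Standard library only; runs offline."""
from __future__ import annotations

OPENOSI_USAGE_OID = "1.3.6.1.4.1.27630.1.0.1.4"   # OID documented on this page
ID_CE_CERTIFICATE_POLICIES = "2.5.29.32"        # X.509 id-ce-certificatePolicies

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(arc: int) -> bytes:
    """One arc as big-endian base-128 groups; bit 7 set on every byte but the last."""
    groups = [arc & 0x7F]
    arc >>= 7
    while arc:
        groups.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(groups))


def _seq(content: bytes) -> bytes:
    return bytes([TAG_SEQUENCE]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> complete OBJECT IDENTIFIER TLV (tag, length, content)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {dotted!r}")
    # The first two arcs share one value: 40 * arc1 + arc2, so 1.3 -> 43 -> 0x2B.
    content = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _base128(arc)
    return bytes([TAG_OID]) + _der_length(len(content)) + content


def _read_tlv(buf: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Parse one TLV at offset -> (tag, content, next_offset).
    Rejects truncated data and non-minimal length encodings, which DER forbids."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:end], end


def decode_oid(der: bytes) -> str:
    """Complete OBJECT IDENTIFIER TLV -> dotted string, rejecting padded arcs."""
    tag, content, end = _read_tlv(der)
    if tag != TAG_OID or end != len(der) or not content:
        raise ValueError("not a single OID TLV")
    arcs: list[int] = []
    value = 0
    for b in content:
        if value == 0 and b == 0x80:        # leading 0x80 group is not minimal
            raise ValueError("non-minimal base-128 arc")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if content[-1] & 0x80:
        raise ValueError("unterminated base-128 arc")
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def is_valid_oid_der(der: bytes) -> bool:
    try:
        decode_oid(der)
        return True
    except ValueError:
        return False


def encode_certificate_policies(*policy_oids_: str) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation, where
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }.
    Qualifiers are omitted here."""
    return _seq(b"".join(_seq(encode_oid(oid)) for oid in policy_oids_))


def policy_oids(ext_value: bytes) -> list[str]:
    """Extract the policyIdentifier OIDs from a certificatePolicies value, skipping qualifiers."""
    tag, content, end = _read_tlv(ext_value)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, info, pos = _read_tlv(content, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        _, _, oid_end = _read_tlv(info)      # first element is the policyIdentifier
        oids.append(decode_oid(info[:oid_end]))
    return oids


if __name__ == "__main__":
    der = encode_oid(OPENOSI_USAGE_OID)
    print(der.hex(), "->", decode_oid(der))
    ext = encode_certificate_policies(OPENOSI_USAGE_OID, "1.3.6.1.4.1.27630.1.0.1.3")
    print(ext.hex(), "->", policy_oids(ext))
```

The enterprise arc 27630 is the part that needs more than one byte: it becomes the three octets 81 D7 6E, so the whole OID is 06 0C 2B 06 01 04 01 81 D7 6E 01 00 01 04. The decoder deliberately refuses a leading 0x80 group or a long-form length that fits in short form; tolerant parsers that accept such encodings are how two implementations end up disagreeing about which policy a certificate asserts.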

This document identifies and introduces the set of provisions, and indicates the types of entities and applications for which this CP / CPS is targeted.

openOSI Certification authority (CA) certificate usage

The sensitivity of the information processed or protected using certificates issued by openOSI CA will vary significantly. Relying Parties must evaluate the environment and the associated threats and vulnerabilities and determine the level of risk they are willing to accept based on the sensitivity or significance of the information. This evaluation is done by each Relying Party for its own application and is not controlled by this CP. To provide sufficient granularity, this CP specifies security requirements at four increasing, qualitative levels of assurance: Basic, Internet2, Intermediate, and High. It is assumed that openOSI CA will issue at least one Intermediate assurance certificate, so openOSI CA is operated at that level, with root CA openosiCA3-EU. openOSI CA is intended to support applications involving unclassified information, which can include sensitive unclassified data protected pursuant to European Union statutes and regulations. Operating openOSI CA at level High, with the additional root CA openosiCA4-EU, is on the roadmap.

The following table provides a brief description of the appropriate uses for certificates at each level of assurance defined in this CP. These descriptions are intended as guidance and are not binding.

Assurance level: BASIC
Appropriate certificate use:

This level provides a basic level of assurance relevant for environments where basic authentication is required, i.e. to avoid spam and/or to set an arbitrary personal profile. Basic authentication only verifies the existence and validity of an e-mail address held by a human; all other subject elements are removed from the signing request. Basic authentication therefore mainly concerns persons. It is required for openOSI registration at the Internet2 level of assurance for persons, hosts, services and code. Persons may choose a key length of 512 or 1024 bits for key generation. A 512-bit key allows faster operations, but RSA moduli of that size have been publicly factored since 1999 and such keys must be treated as breakable. 1024 bits is the default setting for this level of assurance. (Relying parties should note that 1024-bit RSA has itself since been disallowed for signature generation by NIST SP 800-131A from 2014 onward; the 2048-bit minimum of the INTERMEDIATE level is the safer floor.)

When the e-mail address domain belongs to an organisation, such as a corporation that only issues e-mail addresses to its registered staff, the level of authentication is enhanced: it is based on the authentication policy and procedures of that organisation for staff registration, provided the domain name registrant is an identified organisation. Country-code top-level domains are known to have more demanding policies, as are .gov or .mil. Use of the basic level of assurance MAY therefore bring enhanced authentication depending on the e-mail address domain, although the corresponding address may be bound to a role or a group of persons, which openOSI CA calls a "virtual identity".

When the e-mail address domain belongs to an internet service provider (ISP), the level of authentication is standard: it is based on the authentication policy and procedures of that organisation for customer registration and delivery of service, although the corresponding address may be bound to a role or a group of persons, which openOSI CA calls a "virtual identity".

When the e-mail address domain belongs to a web mail service provider, the level of authentication is basic: it is based on a virtual identity attached to the corresponding e-mail address.



Assurance level: INTERNET2
Appropriate certificate use:

This level provides an enhanced basic level of assurance relevant for environments, such as Internet web services (WS), where enhanced basic authentication is required, i.e. to set authentication for hosts, services and code, or to set a confirmed personal profile. Enhanced basic authentication is based on basic authentication plus cross-validity checks in relevant third-party data repositories; e.g. INTERNET2 host or service authentication can be requested by a person with BASIC authentication who is also listed as an authorized contact in the relevant domain name registry (from whois servers). For a person, the organisation they belong to is checked against that organisation's databases after specific agreement. 1024 bits is the only default key length for this level of assurance.

Some external CAs with a similar basic policy may be accepted in place of openOSI CA for basic authentication of persons allowed to request INTERNET2 level of assurance for certificates.



Assurance level: INTERMEDIATE
Appropriate certificate use:

This level provides an intermediate level of assurance relevant for environments where strong identification and authentication is required, i.e. to set openOSI policies, or to set a personal profile with confirmed identity. Intermediate authentication is based on Internet2 authentication plus human investigation and cross-validity checks in relevant third-party data repositories for confirmed identity; i.e. INTERMEDIATE authentication is granted to openOSI partners after a physical meeting with openOSI authorized staff and presentation of identity evidence. For hosts and services, in addition to the INTERNET2 check, other evidence of network identity must be available, such as a DNSSEC trust anchor, DKIM signatures for mail or X.400 trust agreements. 2048 bits is the only default key length for this level of assurance. As an option, an INTERMEDIATE certificate for smart cards or similar hardware tokens can be provided. Specific certificate profiles are often attached to an INTERMEDIATE certificate; they often define qualified statements. INTERMEDIATE certificates are only available to openOSI partners for cooperation.

Some external CAs with a similar INTERNET2 policy may be accepted in place of openOSI CA for enhanced basic authentication of persons allowed to request INTERMEDIATE level of assurance for certificates.



Assurance level: HIGH
Appropriate certificate use:

This level provides a high level of assurance relevant for environments where maximum identification and authentication is required, i.e. to set the openOSI CA self-signed certificate, or to set a personal profile with biometrically confirmed identity. High authentication is based on Intermediate authentication plus biometric elements for confirmed identity generated using hardware modules; i.e. HIGH authentication is granted to openOSI core staff such as José REMY and allowed substitutes. 4096 bits is the only default key length for this level of assurance. HIGH certificates are not available outside openOSI.

Some external CAs with a similar INTERMEDIATE policy may be accepted in place of openOSI CA for intermediate authentication of persons allowed to request HIGH level of assurance for certificates.

Usage and prohibited certificate usage

The purpose of this common certificate policy is to be a single point of reference for the other openOSI CP/CPS OIDs. This OID can be used by anyone under an LGPL license, provided the corresponding policy is enforced.

Usage of openOSI certificates of basic level of assurance (class 1) is prohibited for persons subject to the limitations described in OID 1.3.6.1.4.1.27630.1.0.1.3.


XML format

<oid>
	<asn1-notation>{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) common(0) introduction(1) usage(4)}</asn1-notation>
	<description> Common certification practices statement for certificate usage</description>
	<information>More <i>information</i> can be found in <a href="http://openosi.org/osi/display/oid/1.3.6.1.4.1.27630.1.0.1.4">openOSI common CP-CPS for certificate usage</a> </information>
</oid>

