(1.3.6.1.4.1.27630.1.2 DESC 'cloud' )

Cloud certification practices statement of class 2

This object identifier (OID) describes our "cloud" (Internet2) certification practices statement of class 2.

ASN1 notation: {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) cloud(2)}
URN notation: urn:oid:1.3.6.1.4.1.27630.1.2
IETF DOT notation: 1.3.6.1.4.1.27630.1.2
BNF notation (RFC822 Backus-Naur form): ( 1.3.6.1.4.1.27630.1.2 DESC 'cloud' )
Description: Cloud (Internet2) certification practices statement of class 2 - CLOUD

Class 2 certification authority (CA) identification - "e.g. openosiCA2-DC"

*openosiCA2-DC* issues class 2 certificates whose DNs (Distinguished Names) comply with the DC scheme, that is, they use *dc components* instead of the classical Organisation (o) and Country (c) components. This certification practices statement (CPS) with OID 1.3.6.1.4.1.27630.1.2 defines a basic security framework for open source authentication of end entities. This OID is embedded in certificates issued by "openosiCA2-DC", which is a subordinate CA of our class 3 root certification authority "openosiCA3-EU".

The openOSI *_Cloud computing certificate policy_* defines our set of rules for usage, extended usage, enrollment and issuance procedures, as well as the corresponding liability issues of openOSI class 2 certificates. Our Cloud certificate policy is independent of the certified entity, that is, there are no "name constraints". The enforcement of our certificate policy relies on _software workers_ coming from the open source community, as stated in OID [1.3.6.1.4.1.27630.1.0]. The level of assurance relies on the following cumulative conditions:

  1. The Certificate Signing Request (CSR) MUST be submitted by a person or a virtual person already holding a valid class 1 certificate signed by openosiCA1-DC or another accepted CA, *or*
  2. The automated checks required for a [class 1 (BASIC)|1.3.6.1.4.1.27630.1.1] certificate will be enforced
  3. Human investigation will authenticate the identity required in the subject DN of the CSR
     • It is checked that the applicant belongs to a partner / client / provider organization
     • This check MAY involve physical contact
     • The check relies on contacts with well-known persons from the related organization
     • No formal identification procedure is further defined, beyond the goodwill of the openOSI investigator
  4. An Organization Unit (ou) component is inserted in the subject DN to reflect the identified organization
     • The related organization has some kind of presence or production on the Internet, *or*
     • The related organization is well known to openOSI staff
     • The legal existence of the related organization is NOT checked, nor are its physical addresses
     • The related organization MAY be an INFORMAL entity

This *_Cloud computing certification practices statement_* (Cloud) helps the user of an X.509 certificate to determine the level of trust that its organization or a given service can put in the certificates issued by the openosiCA2-DC certification authority that embed *this OID*. For this cloud (Internet2) level of assurance, openOSI defines several *_certificate profiles_*. For each certificate profile there is an appropriate authentication process at the basic level of assurance.

  • Common certificate profile elements for class 2 level of assurance OID [1.3.6.1.4.1.27630.1.0]
  • Certificate profile for persons OID [1.3.6.1.4.1.27630.1.2.1]
  • Certificate profile for virtual persons OID [1.3.6.1.4.1.27630.1.2.2]
  • Certificate profile for hosts OID [1.3.6.1.4.1.27630.1.2.3]
  • Certificate profile for virtual hosts OID [1.3.6.1.4.1.27630.1.2.4]
  • Certificate profile for services OID [1.3.6.1.4.1.27630.1.2.5]
  • Certificate profile for code OID [1.3.6.1.4.1.27630.1.2.6]
  • Certificate profile for DRM OID [1.3.6.1.4.1.27630.1.2.7]

Objective

With this OID, the aim of openOSI is to publish its certificate policy as a support service and as a legal framework. It is also an enabling Internet2 service providing class 2 certificates. For other classes (levels of assurance) see OID [1.3.6.1.4.1.27630.1].

As an identity provider, *openOSI* is a certification authority providing free class 2 certificates, mainly for community entities involved in some kind of partnership. See also ([1.3.6.1.4.1.27630.1.0.9.1] DESC 'fees' ).


Usage

So-called "CLOUD" certificates refer to "cloud computing", that is, Internet2 web services or other software services delivered over the Internet. Their usage is to let the open source community obtain and provide the acceptable level of trust required for operations, including access to openOSI automated certificate services using [XKMS|http://en.wikipedia.org/wiki/XKMS].

The certificate policy is applied by processing the X.509 extension called "certificate policies" [RFC3280|http://ietfreport.isoc.org/idref/rfc3280/]: "Applications with specific policy requirements are expected to have a list of those policies which they will accept and to compare the policy OIDs in the certificate to that list".

NOTE: According to RFC 3280, if this extension is critical, the path validation software MUST be able to interpret this extension (including the optional qualifier) or MUST reject the certificate. Therefore openOSI always marks this extension as NON CRITICAL.
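How a relying party would apply the RFC 3280 rule and the note above to an openOSI certificate, as an added example that is not openOSI's own code: it encodes a certificatePolicies extension carrying the class 2 CPS OID 1.3.6.1.4.1.27630.1.2 (constructed test data, not an extension taken from an issued certificate) and compares the asserted OIDs with a local accept-list, rejecting a critical extension whose qualifiers it cannot interpret. The accept-list and the PolicyExtension helper are assumptions for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies
	OpenOSIBasicCPS        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 27630, 1, 1}
	OpenOSICloudCPS        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 27630, 1, 2}
)

// PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers SEQUENCE OF ... OPTIONAL }
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
	Qualifiers       asn1.RawValue `asn1:"optional"` // kept raw: this validator does not interpret qualifiers
}

// AcceptedPolicy applies the RFC 3280 rule quoted above to x509.Certificate.Extensions, comparing
// the asserted policy OIDs with the relying party's accept-list (critical-extension rule in the loop).
func AcceptedPolicy(exts []pkix.Extension, accepted []asn1.ObjectIdentifier) (bool, error) {
	for _, ext := range exts {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &policies); err != nil || len(rest) != 0 {
			return false, errors.New("malformed certificatePolicies extension")
		}
		for _, p := range policies {
			if ext.Critical && len(p.Qualifiers.FullBytes) > 0 {
				return false, errors.New("critical certificatePolicies has a qualifier this validator cannot interpret")
			}
			for _, a := range accepted {
				if p.PolicyIdentifier.Equal(a) {
					return true, nil
				}
			}
		}
	}
	return false, nil // no accepted policy asserted
}

// PolicyExtension encodes a certificatePolicies extension with one OID and no qualifier (constructed test data).
func PolicyExtension(policy asn1.ObjectIdentifier, critical bool) (pkix.Extension, error) {
	value, err := asn1.Marshal([]policyInformation{{PolicyIdentifier: policy}})
	return pkix.Extension{Id: oidCertificatePolicies, Critical: critical, Value: value}, err
}
```

A class 1 accept-list does not match a class 2 certificate, and a critical extension without qualifiers is still fully interpretable and therefore accepted on the OID alone.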
 

Created by Network Administrator on 2021/02/08 09:57