Wiki source code of 1.3.6.1.4.1.27630.1.3
Last modified by Network Administrator on 2021/02/10 15:46
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | (% class="box" %) | ||
| 2 | ((( | ||
| 3 | **(1.3.6.1.4.1.27630.1.3 DESC 'intermediate' )** | ||
| 4 | ))) | ||
| 5 | |||
| 6 | === Intermediate certification practices statement of class 3 === | ||
| 7 | |||
| 8 | //This object identifier (OID) describes our intermediate certification practices statement of class 2.// | ||
| 9 | |||
| 10 | |||
| 11 | (% class="box infomessage" %) | ||
| 12 | ((( | ||
| 13 | ASN1 notation: {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) intermediate(3)} | ||
| 14 | URN notation: urn:oid:1.3.6.1.4.1.27630.1.3 | ||
| 15 | IETF DOT notation: 1.3.6.1.4.1.27630.1.3 | ||
| 16 | BNF notation (RFC822 Backus-Naur form): ( 1.3.6.1.4.1.27630.1.3 DESC 'intermediate' ) | ||
| 17 | Description: Intermediate certification practices statement of class 3 - INTERMEDIATE | ||
| 18 | |||
| 19 | ))) | ||
| 20 | |||
| 21 | |||
| 22 | === Class3 Certification authority (CA) identification - "e.g openosiCA3-EU" === | ||
| 23 | |||
| 24 | |||
| 25 | *openosiCA3-EU* issues class 3 certificates with DN ( Distinguished Names) complying with DC scheme, that is using *dc components* instead of classical Organisation (o) and Country (c) components. This certificate practice statement (CPS) with OID 1.3.6.1.4.1.27630.1.3 defines an INTERMEDIATE security framework for open source authentication of end entities. This OID is embedded in certificates issued by "openosiCA3-EU" which is a root certification authority; notably, "openosiCA3-EU" signs the certificate of the "openosiCA1-DC, openosiCA2-DC, and openosiCA3-DC' certification authorities, therefore subordinated to openosiCA3-EU. | ||
| 26 | \\The openOSI *_INTERMEDIATE certificate policy_* defines our set of rules for usage, extended usage, enrollment and issuance procedures, as well as corresponding liability issues of openosi class3 certificates. Our INTERMEDIATE certificate policy is independent of the certified entity (Virtual person, Host or software service) that is, there si no "name constraints". The enforcement of our certificate policy relies on the following cumulative conditions: | ||
| 27 | |||
| 28 | # The Certificate Signing Request (CSR) MUST be submitted by a person or a virtual person already having a valid class 1 certificate signed by openosiCA1-DC or others accepted CA. *or* | ||
| 29 | |||
| 30 | * Automated checks required for a [class 1 (BASIC)|1.3.6.1.4.1.27630.1.1] certificate will be enforced | ||
| 31 | * Automated checks required for a [class 2 (CLOUD)|1.3.6.1.4.1.27630.1.2] certificate will be enforced | ||
| 32 | * Human investigation will authenticate the identity required in the subject DN of the CSR | ||
| 33 | |||
| 34 | 1. Scope is collaboration with : | ||
| 35 | 1.1 Open source community | ||
| 36 | 1.2 Education entity | ||
| 37 | 1.3 Research and development activities | ||
| 38 | 1. Investigation policy | ||
| 39 | 2.1 Cross authentication with recognized organizations | ||
| 40 | 2.2 Cross authentication with already authenticated persons | ||
| 41 | |||
| 42 | * Update of a public directory entry with virtual identity and public certificate | ||
| 43 | * Setting up and update of a personal space with authentication results | ||
| 44 | |||
| 45 | This **INTERMEDIATE certification practices statement** (INTERMEDIATE) helps the user of an X.509 certificate to determine the level of trust that its organization or given services can put in the certificates that are issued by the openosiCA3-DC certification authority embedding *this OID*. For this INTERMEDIATE level of assurance openOSI define several *_certificate profile_*. For each certificate profile there is an appropriate process for authentication with INTERMEDIATE level of assurance. | ||
| 46 | |||
| 47 | * Common certificate profile elements for class 3 level of assurance OID [1.3.6.1.4.1.27630.1.1.0] | ||
| 48 | * Certificate profile for persons OID [1.3.6.1.4.1.27630.1.3.1] | ||
| 49 | * Certificate profile for virtual persons OID [1.3.6.1.4.1.27630.1.3.2] | ||
| 50 | * Certificate profile for software or appliance services OID [1.3.6.1.4.1.27630.1.3.5] | ||
| 51 | * Certificate profile for software code authentication OID [1.3.6.1.4.1.27630.1.3.6] | ||
| 52 | |||
| 53 | === | ||
| 54 | Objective === | ||
| 55 | |||
| 56 | With this OID, the aim of openOSI is to publish its certificate policy as a support service, and as a legal framework. For other class (level of assurance) see OID [1.3.6.1.4.1.27630.1] | ||
| 57 | |||
| 58 | As an Identity provider *openOSI* is a certification authority providing, exceptionally, free class 3 certificates. See also ([1.3.6.1.4.1.27630.1.0.9.1] DESC 'fees' ). Exceptions are: | ||
| 59 | |||
| 60 | * Persons for openOSI cooperation | ||
| 61 | * Virtual persons for openOSI roles | ||
| 62 | * Virtual hosts for openOSI | ||
| 63 | * Services for openOSI | ||
| 64 | * Code for openOSI software | ||
| 65 | |||
| 66 | === | ||
| 67 | Usage === | ||
| 68 | |||
| 69 | The usage of certificate policy is to process an X.509 extension called "certificate policy" [[RFC3280>>url:http:~/~/ietfreport.isoc.org/idref/rfc3280/]]. "//Applications with specific policy requirements are expected to have a list of those policies which they will accept and to compare the policy OIDs in the certificate to that list//". | ||
| 70 | |||
| 71 | |||
| 72 | (% class="box warningmessage" %) | ||
| 73 | ((( | ||
| 74 | NOTE: According RFC3280, if this extension is critical, the path validation software MUST be able to interpret this extension (including the optional qualifier), or MUST reject the certificate. Therefore openOSI always mark this extension as NON CRITICAL | ||
| 75 | |||
| 76 | ))) | ||
| 77 | |||
| 78 | |||
| 79 | === Documents === | ||
| 80 | |||
| 81 | |||
| 82 | {{children/}} | ||
| 83 | |||
| 84 |