Some content is incorporated under
<!-- <a href="http://xkcd.com/license.html">Creative Commons license</a> -->
<!-- from <a href="http://xkcd.com/">xkcd.com</a>. -->
- 198 177 515
+<!-- 198 177 515
</li>
-->
</ul>
<center>
<table border="1" cellpadding="5">
<tr>
- <td colspan="2"><center><i>Type</center></i></td>
- <td colspan="2"><center><i>Appropriate Certificate uses</center></i></th>
+ <td colspan="2"><center><i>Type</i></center></td>
+ <td colspan="2"><center><i>Appropriate Certificate uses</i></center></td>
</tr>
<tr>
<th>General</th>
<table border="1" cellpadding="5">
<tr>
<td></td>
- <td colspan="5"><center><i>Level of Assurance</center></i></td>
+ <td colspan="5"><center><i>Level of Assurance</i></center></td>
<th> </th>
</tr>
<tr>
<td>Anon</td>
<th>Name</th>
<td>Name+Anon</td>
- <td colspan="1"><center><i>Remarks</center></i></td>
+ <td colspan="1"><center><i>Remarks</i></center></td>
</tr>
<tr>
<td><center>Top level<br><big><b>Root</b></big></center></td>
- <td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </th>
- <td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </th>
+ <td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </td>
+ <td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> • </font> </center> </td>
<tr>
<td><center><big><b>Member</b></big><br>SubRoot</center></td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
</tr>
<tr>
<td><center><big><b>Assured</b></big><br>SubRoot</center></td>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
</tr>
<tr>
<td><center><big><b>Organisation</b></big><br>SubRoot</center></td>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
</tr>
<tr>
<th>Expiry of Certificates</th>
- <td colspan="2"><center>6 months</center></th>
- <td colspan="3"><center>24 months</center></th>
+ <td colspan="2"><center>6 months</center></td>
+ <td colspan="3"><center>24 months</center></td>
</tr>
<tr>
<th>Types</th>
- <td colspan="2"><center>client, server</center></th>
- <td colspan="2"><center>wildcard, subjectAltName</center></th>
- <td colspan="1"><center>code-signing</center></th>
+ <td colspan="2"><center>client, server</center></td>
+ <td colspan="2"><center>wildcard, subjectAltName</center></td>
+ <td colspan="1"><center>code-signing</center></td>
<td> (Inclusive to the left.) </td>
</tr>
</table>
<table border="1" cellpadding="5">
<tr>
<td></td>
- <td colspan="4"><center><i>Level of Assurance</center></i></td>
+ <td colspan="4"><center><i>Level of Assurance</i></center></td>
<th> </th>
</tr>
<tr>
<td>Named</td>
<td>Anonymous</td>
<th>Named</th>
- <td colspan="1"><center><i>Remarks</center></i></td>
+ <td colspan="1"><center><i>Remarks</i></center></td>
</tr>
<tr>
<td><center>Class<br><big><b>1</b></big></center></td>
</tr>
<tr>
<td><center>Class<br><big><b>3</b></big></center></td>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
- <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </th>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
+ <td> <center> <font title="pass." color="red" size="+3"> ✘ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
<td> <center> <font title="pass." color="green" size="+3"> ✔ </font> </center> </td>
- <td> Assured Members only.<br> Intended for Reliance. </center> </td>
+ <td> Assured Members only.<br> Intended for Reliance. </td>
</tr>
<tr>
<th>Expiry of Certificates</th>
- <td colspan="2"><center>6 months</center></th>
- <td colspan="2"><center>24 months</center></th>
+ <td colspan="2"><center>6 months</center></td>
+ <td colspan="2"><center>24 months</center></td>
</tr>
<tr>
<th>Types available</th>
- <td colspan="2"><center>simple only</center></th>
- <td colspan="2"><center>wildcard, subjectAltName</center></th>
+ <td colspan="2"><center>simple only</center></td>
+ <td colspan="2"><center>wildcard, subjectAltName</center></td>
</tr>
</table>
<b><a name="d_assured" id="d_assured">Assured Member</a></b>.
A Member whose identity has been sufficiently
verified by Assurers or other
- approved methods under Assurance Policy.</p>
+ approved methods under Assurance Policy.
</p>
<p>
<b><a name="d_assurer" id="d_assurer">Assurer</a></b>.
ACE prefix (<a href="http://www.ietf.org/rfc/rfc3490#section-5">RFC3490
Section 5</a>), will only be issued to domains satisfying one or more
of the following conditions:
+</p>
<ul>
<li>The Top Level Domain (TLD) Registrar associated with the domain has a policy
that has taken measures to prevent two homographic domains being registered to
characters [0-9], and an ACSII hyphen '-'.
</li>
</ul>
-</p>
+
<p>Email address containing International Domain Names in the domain portion of
the email address will also be required to satisfy one of the above conditions.
</p>
<p>
-The following is a list of accepted TLD Registrars:
+The following is a list of accepted TLD Registrars:</p>
<table>
<tr>
<td><a href="http://www.vnnic.vn/english/5-6-300-2-2-04-20071115.htm">Policy</a> (<a href="http://vietunicode.sourceforge.net/tcvn6909.pdf">character list</a>)</td>
</tr>
</table>
-</p>
+
<p>
This criteria will apply to the email address and server host name fields for all certificate types.
<p>
The general life-cycle for a new certificate for an Individual Member is:
-
+</p>
<ol><li>
Member adds claim to an address (domain/email).
</li><li>
Member accepts certificate.
</li></ol>
-</p>
+
<p>
(Some steps are not applicable, such as anonymous certificates.)
a domain or email address on the online system.
This is a necessary step towards issuing a certificate.
There are these controls:
+</p>
<ul><li>
The claim of ownership or control is legally significant
and may be referred to dispute resolution.
the certificate application system automatically initiates the
check of control, as below.
</li></ul>
-</p>
+
<h4><a name="p4.1.3" id="p4.1.3">4.1.3. Preparing CSR </a></h4>
</li> </ol>
<p>
-Notes.
+Notes.</p>
<ul><li>
Other methods can be added from time to time by CAcert.
</li><li>
Domain control checks may be extended to apply to email control
in the future.
</li></ul>
-</p>
+
<ul class="q">
<li> As of the time of writing, only a singular Email-ping is implemented in the technical system. </li>
<h4><a name="p4.2.4" id="p4.2.4">4.2.4. Client Certificate Procedures</a></h4>
<p>
-For an individual client certificate, the following is required.
+For an individual client certificate, the following is required.</p>
<ul>
<li>The email address is claimed and added. </li>
<li>The email address is ping-tested. </li>
<li>To include a Name, the Name must be assured to at least fifty points. </li>
</ul>
-</p>
+
<h4><a name="p4.2.5" id="p4.2.5">4.2.5. Server Certificate Procedures</a></h4>
<p>
-For a server certificate, the following is required:
+For a server certificate, the following is required:</p>
<ul>
<li>The domain is claimed and added. </li>
<li>The domain is checked twice as above. </li>
at least fifty points of Assurance. </li>
</ul>
-</p>
+
<h4><a name="p4.2.6" id="p4.2.6">4.2.6. Code-signing Certificate Procedures</a></h4>
<table border="1" cellpadding="5">
<tr>
<td></td>
- <td colspan="4"><center><i>Statements of Reliance for Members</center></i></td>
+ <td colspan="4"><center><i>Statements of Reliance for Members</i></center></td>
</tr>
<tr>
<td><i>Class of Root</i></td>
<h3><a name="p5.1" id="p5.1">5.1. Physical controls</a></h3>
<p>
-Refer to Security Policy (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)
+Refer to Security Policy (<a href="http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html">COD8</a>)</p>
<ul><li>
Site location and construction - SP2.1
</li><li>
Physical access - SP2.3
</li></ul>
-</p>
+
<h4><a name="p5.1.3" id="p5.1.3">5.1.3. Power and air conditioning</a></h4>
<td><b>Role</b></td> <td><b>Policy</b></td> <td><b>Comments</b></td>
</tr><tr>
<td>Assurer</td>
- <td><a href="http://www.cacert.org/policy/AssurancePolicy.html"> COD13</td>
+ <td><a href="http://www.cacert.org/policy/AssurancePolicy.html"> COD13 </a></td>
<td>
Passes Challenge, Assured to 100 points.
</td>
</td>
</tr><tr>
<td>Technical</td>
- <td>SM => COD08</td>
+ <td>SM => COD08</td>
<td>
Teams responsible for testing.
</td>
(Refer to <a href="#p1.4">§1.4</a> for limitations to service.)
</p>
-</p>
<h3><a name="p5.8" id="p5.8">5.8. CA or RA termination</a></h3>
Member information will be securely destroyed.
</p>
-<span class="change">
<p>
+<span class="change">
The CA cannot be transferrred to another organisation.
-</p>
</span>
+</p>
<p>
<s>
</ul>
</s>
+<p>
<span class="change">
<s>
-<p>
New root keys and certificates will be made available
by the new organisation as soon as reasonably practical.
-</p>
</s>
</span>
+</p>
<h4><a name="p5.8.2" id="p5.8.2">5.8.2 RA termination</a></h4>
Distributors of the roots are offered the
<span class="q">wip</span>
3rd-Party Vendors - Disclaimer and Licence
-(3PV-DaL => CODx)
+(3PV-DaL => CODx)
and are offered
<span class="q">wip</span>
the same deal as Members to the extent that they agree
projects / gigi.git / commitdiff