Hi all, CAcert is currently working up to create some new roots, as part of their audit process. They've done some research and covered parts of the requirements, but many open questions remain as to the content of a future root.
http://wiki.cacert.org/wiki/Roots/NewRootsTaskForce

Below is a list of root uncertainties, if you can fill in any of the easy ones, much appreciated. If not, more research needed by the CAcert team, I guess. (The below is written more expansively than CAcert needs as it might be useful to document these questions for others.)

iang

======================================

Business Requirements

* the following extended key usage fields within roots:
  + Server Authentication
  + Client Authentication
  + Secure Email
  + ... (list...) (format!)
  + all or none or?
* Naming - any constraints?
  + O
  + CN
  + OU - optional?
  + Firefox 3 displays O whereas Thunderbird displays CN. What is the preference here? Most software seems to prefer CN?
* legal notices should be in which field?
  + OU
  + duplicates are ok?
  + "Netscape Certificate Comment" ?
  + Netscape Certificate Authority Policy URL
* support email addresses go in
  + E field? (Is 'E' the name?)

Technical Requirements

* cA=true obligatory and 'critical'
* size is RSA 4096
  + ECC equivalent?
  + any viewpoint on size, etc?
* expiry should be?
  + minimum 8 years?
  + maximum 30 years?
* format is PKCS1, Hashes are SHA1
  + any chance of SHA-256?
* key usage:
  + keyCertSign and cRLSign only
  + are these obligatory or optional?
* CA Key ID and Identifier
  + any constraints?
* Maximum number of intermediate CAs:
  + any constraints?
  + seems like most say "unlimited"

Oddities include:

* logotype ?
  + constraints?
* where to put branding or advertising messages?
  + some use OU
  + Netscape Certificate Comment - outdated?

Things that are uncertain but are probably documented somewhere:

* AIA hint for intermediates go in the root or the certs?
* OCSP and CRL URLs go in the root or the intermediates or certs?

Random questions:

* What's missing? What is in emerging practice but is not documented anywhere?
* What about all these old Netscape fields, are they replaced or still current?
  + Netscape Certificate Comment
  + Netscape Certificate Type
  + Netscape Certificate Authority Policy URL
  + Netscape Certificate Authority Revocation URL
* what is the document that most people refer to?
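As an added example (not from the post, CAcert or Mozilla), here is a Go program using the standard crypto/x509 package that builds a constructed self-signed root and checks it against the technical points raised in the post: cA=true and marked critical, keyUsage limited to keyCertSign and cRLSign, an RSA key of at least 4096 bits, a SHA-1 signature flagged, and a lifetime between 8 and 30 years. The names NewRoot and CheckRoot and the subject "Example Root CA" are my own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckRoot tests a parsed root against the profile points from the post; one finding per violation.
func CheckRoot(c *x509.Certificate) []string {
	var f []string
	if !c.BasicConstraintsValid || !c.IsCA {
		f = append(f, "basicConstraints cA=true missing")
	}
	for _, e := range c.Extensions { // basicConstraints (OID 2.5.29.19) must be marked critical
		if e.Id.String() == "2.5.29.19" && !e.Critical {
			f = append(f, "basicConstraints not marked critical")
		}
	}
	if c.KeyUsage != x509.KeyUsageCertSign|x509.KeyUsageCRLSign {
		f = append(f, "keyUsage is not exactly keyCertSign+cRLSign")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 4096 {
		f = append(f, "key is not RSA with at least 4096 bits")
	}
	if c.SignatureAlgorithm == x509.SHA1WithRSA {
		f = append(f, "signature hash is SHA-1; prefer SHA-256")
	}
	if y := c.NotAfter.Sub(c.NotBefore).Hours() / (24 * 365.25); y < 8 || y > 30 {
		f = append(f, "lifetime is outside the 8 to 30 year range")
	}
	return f
}
// NewRoot builds a self-signed root (constructed sample, not a real CA) with the given RSA size,
// signature algorithm and lifetime in years, then re-parses the DER the way a relying party would.
func NewRoot(bits int, sig x509.SignatureAlgorithm, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"Example CA"}, CommonName: "Example Root CA"},
		NotBefore:    time.Now(), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA:         true, BasicConstraintsValid: true, // crypto/x509 emits this extension as critical
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SignatureAlgorithm: sig,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

CheckRoot can equally be run on a root loaded from PEM with encoding/pem to see how an existing CA certificate measures up against the same list.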