A conforming CA assigns each entity an X.501 Distinguished Name (DN, see X.501) which serves as a unique identifier of the entity. The DN is inserted in the subject field of the certificate(s) issued to the entity to bind the entity to the certificate(s). The DN MUST be a non-empty printableString.
The certificate DN SHOULD be constructed using the following naming attributes:
OID. 2.5.4.10
Necessity. Optional.
For personal certificates, this is the official name of the institution the subscriber is affiliated with. For server certificates, it is the official name of the institution operating the server.
OID. 2.5.4.3
Necessity. Mandatory.
For personal certificates, this SHOULD be the full name of the person as stated in the proof-of-identity documents, with any diacritical marks removed.
For server certificates, it SHOULD contain the fully qualified domain name of the server.
A conforming CA SHALL be able to identify the entities associated with subject and issuer names contained in the certificates.
Every name assigned by a conforming CA SHALL be associated with exactly one entity.
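The naming rules above (non-empty printableString DN, mandatory commonName 2.5.4.3, optional organizationName 2.5.4.10, diacritics removed for personal certificates, FQDN for server certificates) can be checked mechanically at registration. The following is an added example, not part of this policy or any CA's software; it assumes the subject DN is supplied as an RFC 4514 string without escaped commas and that O and CN are the short names of the two OIDs named above.

```python
import re
import unicodedata

# Attribute types named by the policy (short name -> OID), for reference.
POLICY_ATTRIBUTES = {"O": "2.5.4.10", "CN": "2.5.4.3"}

# ASN.1 PrintableString repertoire: letters, digits, space and ' ( ) + , - . / : = ?
_PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]+$")
# Fully qualified domain name: at least one dotted label plus an alphabetic TLD.
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def strip_diacritics(text):
    """Decompose and drop combining marks, e.g. 'Jose' with accents -> 'Jose'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def parse_dn(dn):
    """Split 'CN=Jose Muller,O=Example Univ' into [(type, value), ...]. Assumes no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_subject_dn(dn, cert_type):
    """Return the list of policy violations for a subject DN; [] means it conforms.
    cert_type is 'personal' or 'server'."""
    if not dn:
        return ["DN is empty"]
    pairs = parse_dn(dn)
    problems = []
    for attr, value in pairs:  # the whole DN must be a printableString
        if not _PRINTABLE.match(value):
            problems.append("%s value is not a PrintableString: %r" % (attr, value))
    cn = dict(pairs).get("CN")
    if not cn:
        problems.append("commonName (2.5.4.3) is mandatory")
    elif cert_type == "server" and not _FQDN.match(cn):
        problems.append("server CN must be a fully qualified domain name: %r" % cn)
    return problems
```

A personal-certificate CN should be passed through strip_diacritics() before the check, since accented characters are not PrintableString and would otherwise be rejected.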
No stipulation.
No stipulation.
The requester is required to prove possession of the private key which corresponds to the public key in the certificate request before the certificate is signed.
The method used to prove possession of private key MUST be detailed in the CPS.
When a subscriber requires the inclusion of the name of a certain organization in a certificate, he or she MUST provide a written statement of affiliation signed by the representatives of the organization.
The RA MUST personally authenticate any requester asking for a personal certificate, using an officially recognized identity card containing a photograph.
If the entity to be certified is a software or hardware component, the requester MUST prove that he or she has the necessary authorization.
After certificate expiration, the CA MUST NOT issue a new certificate for the same key. The CA MAY issue a new certificate for a new key. The rekey authentication MAY be accomplished with the same procedure indicated in Section 3.1 for initial registration or using requests digitally signed with the old certificate. These requests MUST be sent to the CA before the old certificate expires.
A public key whose certificate has been revoked for private key compromise MUST NOT be re-certified. The public key MAY be re-certified if the revocation is only due to certificate suspension. In the latter case the rekey authentication MAY be accomplished with the same procedure indicated in Section 3.1 for initial registration or using digitally signed requests. These requests MUST be sent to the CA before certificate expiration.
A proper authentication method is required in order to accept a revocation request. The CA MUST accept as a revocation request a message digitally signed with a certificate issued under this policy that has not expired and has not previously been revoked. The same procedures adopted for authentication during initial registration are also considered suitable. Alternative procedures MAY be supported, such as secure communication of a revocation passphrase.
The exact procedures supported MUST be detailed in the CPS.