7. CERTIFICATE AND CRL PROFILES

7.1. Certificate Profile

To promote interoperability, this policy strongly encourages conforming CAs to issue certificates profiled according to RFC 3280. In every case, the CPS MUST detail the specific profile adopted.

7.1.1. Version number(s)

The version field in the certificate SHALL state 2, indicating X.509v3 certificates.

7.1.2. Certificate extensions

In compliance with RFC 3280, the inclusion of the following certificate extensions is RECOMMENDED:

subjectKeyIdentifier      NOT CRITICAL
authorityKeyIdentifier    NOT CRITICAL
basicConstraints          CRITICAL
keyUsage                  CRITICAL
certificatePolicies       NOT CRITICAL
cRLDistributionPoints     NOT CRITICAL
subjectAltName            NOT CRITICAL
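
As an added illustration (not part of this policy or of any CA's own tooling), the following Python code lints a DER-encoded Extensions sequence against the list above, reporting recommended extensions that are missing or whose criticality differs. The function names and the sample bytes are constructed for the example; since the extensions are only RECOMMENDED, the result is a list of findings rather than a pass/fail verdict.

```python
PROFILE = {  # extnID -> (name, critical) as listed in section 7.1.2
    "2.5.29.14": ("subjectKeyIdentifier", False),
    "2.5.29.35": ("authorityKeyIdentifier", False),
    "2.5.29.19": ("basicConstraints", True),
    "2.5.29.15": ("keyUsage", True),
    "2.5.29.32": ("certificatePolicies", False),
    "2.5.29.31": ("cRLDistributionPoints", False),
    "2.5.29.17": ("subjectAltName", False),
}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # first byte packs the first two arcs; enough for 2.5.29.x
    arcs, value = list(divmod(body[0], 40)), 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_extensions(der):  # DER Extensions SEQUENCE -> {extnID: critical}
    _, seq, _ = read_tlv(der, 0)
    found, pos = {}, 0
    while pos < len(seq):
        _, item, pos = read_tlv(seq, pos)   # one Extension SEQUENCE
        _, oid, nxt = read_tlv(item, 0)     # extnID
        tag, val, _ = read_tlv(item, nxt)   # BOOLEAN critical, or extnValue
        # critical is BOOLEAN DEFAULT FALSE, so DER omits the field when false
        found[decode_oid(oid)] = tag == 0x01 and val != b"\x00"
    return found

def check_profile(der):
    found, issues = parse_extensions(der), []
    for oid, (name, critical) in PROFILE.items():
        want = "CRITICAL" if critical else "NOT CRITICAL"
        if found.get(oid) != critical:  # None (absent) never equals True/False
            issues.append(f"{name}: " + ("missing" if oid not in found else f"expected {want}"))
    return issues
# Constructed sample: placeholder values, basicConstraints non-critical, no subjectAltName
def tlv(tag, body): return bytes([tag, len(body)]) + body
def make_ext(arc, crit): return tlv(0x30, tlv(6, bytes([0x55, 0x1D, arc])) + (tlv(1, b"\xff") if crit else b"") + tlv(4, b"\x05\x00"))
SAMPLE = tlv(0x30, b"".join(make_ext(a, c) for a, c in [(14, 0), (35, 0), (19, 0), (15, 1), (32, 0), (31, 0)]))
```

Calling `check_profile(SAMPLE)` returns the two findings built into the sample; to lint a real certificate, pass the Extensions sequence extracted from its tbsCertificate.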

7.1.3. Algorithm object identifiers

No stipulation.

7.1.4. Name forms

All related issues MUST be specified in the CPS.

7.1.5. Name constraints

All related issues MUST be specified in the CPS.

7.1.6. Certificate policy Object Identifier

Other certificate policy object identifiers are applicable if and only if the other policies identified are compliant with this policy. A conforming CA MUST contact the maintainers of the various policies to verify the level of mutual compliance. However, in order to promote interoperability and following RFC 3280, this policy suggests including only one certificate policy object identifier in a certificate.

7.1.7. Usage of Policy Constraints extension

All related issues MUST be specified in the CPS.

7.1.8. Policy qualifiers syntax and semantics

Certificates issued under this CP SHOULD NOT use policy qualifiers.

7.1.9. Processing semantics for the critical certificate policy extension

No stipulation.

7.2. CRL Profile

7.2.1. Version number(s)

The version field in the CRL SHALL state 1, indicating an X.509v2 CRL.

7.2.2. CRL and CRL entry extensions

No stipulation.