Adjustments to the CPS Regarding the Key Usage Attributes in Certificates

Abstract

Full Version

It is resolved that the CPS section 7.1.2 "Certificate Extensions" is changed as follows:

Client Certificates

keyUsage=digitalSignature,keyEncipherment,cRLSign

Changed to

keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)

Reasons:

extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC

Changed to

extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC

Reasons:

Add

crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced with the URI where the certificate revocation list relating to the certificate is found

Reasons:

Server Certificates

keyUsage=digitalSignature,keyEncipherment

Change to

keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)

Reasons:

Add

crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced with the URI where the certificate revocation list relating to the certificate is found

Reasons:

Code Signing Certificates

keyUsage=digitalSignature,keyEncipherment

Change to

keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)

Reasons:

Add

crlDistributionPoints=URI:<crlUri> where <crlUri> is replaced with the URI where the certificate revocation list relating to the certificate is found

Reasons:

Add

subjectAltName=(as per §3.1.1.).

Reasons:
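To check issued certificates against the revised profiles above, the following added example (not part of the CPS or of CAcert's tooling) parses the extensions block of `openssl x509 -noout -text` output and lists deviations. The function names, the constructed sample, and the reading of "(critical)" as applying to the whole keyUsage extension are assumptions.

```python
# Revised section 7.1.2 values, in the long names `openssl x509 -noout -text` prints.
# Assumption: "(critical)" on the page marks the whole keyUsage extension as critical.
KEY_USAGE = {"Digital Signature", "Key Encipherment", "Key Agreement"}
CLIENT_EKU = {"E-mail Protection", "TLS Web Client Authentication", "Microsoft Encrypted File System",
              "Microsoft Server Gated Crypto", "Netscape Server Gated Crypto"}

def parse_extensions(text):  # returns {extension name: (critical, [value lines])}
    exts, name, base = {}, None, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "X509v3 extensions:":
            base = indent + 4                  # extension headers sit one level deeper
        elif base is None or not line.strip():
            continue
        elif indent < base:
            break                              # left the extensions block
        elif indent == base:
            name, _, flag = line.strip().replace("X509v3 ", "", 1).partition(":")
            exts[name] = (flag.strip() == "critical", [])
        elif name:
            exts[name][1].append(line.strip())
    return exts

def check(text, kind):
    """List deviations from the revised profile; kind is client, server or codesign."""
    exts, out = parse_extensions(text), []
    def values(ext):
        return {v.strip() for ln in exts.get(ext, (False, []))[1] for v in ln.split(",")}
    if values("Key Usage") != KEY_USAGE:
        out.append("keyUsage differs: %s" % sorted(values("Key Usage") ^ KEY_USAGE))
    if not exts.get("Key Usage", (False, []))[0]:
        out.append("keyUsage not critical")
    if not any(v.startswith("URI:") for v in values("CRL Distribution Points")):
        out.append("crlDistributionPoints URI missing")
    if kind == "client" and values("Extended Key Usage") != CLIENT_EKU:
        out.append("extendedKeyUsage differs: %s" % sorted(values("Extended Key Usage") ^ CLIENT_EKU))
    if kind == "codesign" and "Subject Alternative Name" not in exts:
        out.append("subjectAltName missing")
    return out

# Constructed sample: extensions of a client certificate issued with the pre-change values.
OLD_CLIENT = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, CRL Sign
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication, TLS Web Server Authentication, Microsoft Encrypted File System, Microsoft Server Gated Crypto, Netscape Server Gated Crypto"""
if __name__ == "__main__":
    print("\n".join(check(OLD_CLIENT, "client")))
```

An empty list from `check` means the certificate matches the revised values for that certificate type; for server and code signing certificates the extendedKeyUsage is not compared, because the page states no value for it.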

References

Additional information on those extensions:



PolicyDrafts/CPSKeyUsageChanges (last edited 2011-11-14 21:41:58 by UlrichSchroeter)