Page 1 of 1

Creating an open CA for ADCS hubs

Posted: 28 Jun 2013, 17:16
by klondike
Hi, as I commented on the hub at the DC4Lan project we have considered creating a CA to sign hubs certificates.

Initially the idea is creating a 15 year CA certificate and use it to sign certificates for both, general servers and event server in (for example) lan parties.

I was thinking of the following policy:
The DC4Lan Certificate Authority Policy
========================================
Certificates will only be signed for usage in ADCS hubs as such, usage of the CA certificate outside of ADCS clients is discouraged.

There are two policies, one for general ADCS hubs and one for event hubs. These share a common set of rules.

Common Policies
----------------
The requester agrees not to use the signed certificates provided by this service for anything other than ADCS (or NMDCS) hubs
If the certificate gets compromised the requester will send a revocation request as soon as possible.
It's the requester responsability to keep the certificate and specially the key files safe.

General ADCS hubs certificates
-------------------------------
These certificates will be signed with a duration of 13 months (so enough time for renewal is provided).
Proof of ownership of the domains associated with the certificate will be required.


Event ADCS hubs certificates
----------------------------
These certificates will be signed only for the duration of the event.
The certificates must not be used outside of the event
Proof of existance of the event (or planning for it) will be required
Proof of ownership of the domains associated with the certificate will be required. If the domains are occuped by cybersquatters or non registrable (for example myparty.lan) these check can be omitted.
As always comments and suggestions are welcome.

Re: Creating an open CA for ADCS hubs

Posted: 28 Jun 2013, 17:26
by klondike
One of the things that I haven't added to the policy yet is which kind of digests will be accepted.

Md5 is obviously out and sha256 is in, but shall we accept sha1 digests?