(HAM-PKI policy work in progress) |
ChaosWelle PKI Certification And Revocation Policy
This document is a WIP draft policy listing the conditions required to issue HAM-PKI certificates by Chaoswelle CA, as well as the conditions for revocation of such certificates.
Certificate Issuance
The Chaoswelle CA will issue HAM-PKI Certificates (Certs) to Applicants that have been successfully Authorized.
Certs
A HAM-PKI Cert created by Chaoswelle CA must contain the following information in its distinguished name (DN):
- Full Name (CN)
- E-Mail (OID.1.2.840.113549.1.9.1)
- Callsign (OID.1.3.6.1.4.1.12348.1.1)
TODO: Are additional fields needed / allowed?
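As an added example (not Chaoswelle CA code, and not a description of how the CA actually builds its certificates), the following pure-Python snippet encodes a subject DN with exactly the three attributes listed above as a DER X.501 Name, decodes an arbitrary Name back into (OID, value) pairs, and reports which of the required attributes are missing, empty or duplicated. The person name, e-mail address and callsign used as input are constructed placeholders; the three OIDs are the ones the policy lists.

```python
"""Encode and check a HAM-PKI subject DN in DER form (added example).

Assumes the three required attributes from the policy: CN (2.5.4.3),
emailAddress (1.2.840.113549.1.9.1) and callsign (1.3.6.1.4.1.12348.1.1).
Only the subject Name is handled here, not a whole certificate.
"""
from typing import Dict, List, Tuple

OID_CN = "2.5.4.3"
OID_EMAIL = "1.2.840.113549.1.9.1"        # emailAddress (PKCS#9)
OID_CALLSIGN = "1.3.6.1.4.1.12348.1.1"    # callsign attribute named in the policy
REQUIRED: Dict[str, str] = {OID_CN: "Full Name", OID_EMAIL: "E-Mail", OID_CALLSIGN: "Callsign"}


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(attrs: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }, one attribute per RDN."""
    rdns = b""
    for oid, value in attrs:
        # emailAddress is an IA5String (0x16); the other attributes are UTF8String (0x0C)
        vtag = 0x16 if oid == OID_EMAIL else 0x0C
        atv = _tlv(0x30, encode_oid(oid) + _tlv(vtag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:      # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der: bytes) -> List[Tuple[str, str]]:
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        stag, rdn, pos = _read_tlv(seq, pos)
        if stag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):          # a SET may carry several attributes
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, p = _read_tlv(atv, 0)
            _, vbody, _ = _read_tlv(atv, p)
            attrs.append((decode_oid(oid_body), vbody.decode("utf-8")))
    return attrs


def check_policy(name_der: bytes) -> List[str]:
    """List the policy violations in a subject Name; an empty list means compliant."""
    present: Dict[str, str] = {}
    problems: List[str] = []
    for oid, value in decode_name(name_der):
        label = REQUIRED.get(oid, oid)
        if oid in present:
            problems.append(f"duplicate {label}")
        if not value.strip():
            problems.append(f"empty {label}")
        present[oid] = value
    for oid, label in REQUIRED.items():
        if oid not in present:
            problems.append(f"missing {label} ({oid})")
    return problems


# Constructed sample applicant; N0CALL is the conventional placeholder callsign.
SAMPLE_DN = encode_name([(OID_CN, "Max Mustermann"),
                         (OID_EMAIL, "n0call@example.org"),
                         (OID_CALLSIGN, "N0CALL")])

if __name__ == "__main__":
    print(SAMPLE_DN.hex())
    print(check_policy(SAMPLE_DN) or "compliant")
```

The checker deliberately treats a duplicated or empty attribute as a violation, since a DN with two callsigns (or an empty one) cannot be matched unambiguously against the audit record the policy requires; a CA-side issuance hook or an external audit script can run `check_policy` over the subject of every certificate before it is signed or published.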
An audit record is created for every issued Cert containing the following data:
- Full Name
- Postal Address
- Callsign
- HAM-PKI user who approved the request
- Date and Time of approval
- Certificate
Applicants
Certs are issued to the following entities:
- Natural persons (the Callsign must be assigned to that person and the assignment must be valid)
- TODO: Training callsigns
- TODO: Club stations (have a separate field in the DN for club vs. natural person assignee?)
- TODO: Other Kinds Of Applicants?
Authorization
Natural Person
A natural person needs to provide the following documents to be entitled for a Cert:
- Callsign assignment document scan (must show the person's full name and be valid)
- A recent utility bill scan (not older than 31 days, must show the person's full name and address)
Certificate Revocation
Chaoswelle CA will operate a CRL and reference that CRL in the issued Certs. To put a given Cert on the CRL, proof is needed that the Cert was issued to an incorrect Applicant, i.e. the Callsign, Full Name or E-Mail Address values of the Cert do not belong to the person using the Cert.
This proof must be presented by the actual owner of the Callsign or E-Mail Address, or by a third party that can believably show that the Cert was issued wrongly.
Certs will only be revoked if they were issued to the wrong person, or used by a different person. Technical abuse of Internet services by the official owner of a Cert does not qualify for revocation. Instead, technical measures must be taken at the abused system.