Dashboard > openOSI Object Identifier name space > ... > >
  openOSI Object Identifier name space Log In   View a printable version of the current page.
Added by Jose REMY, last edited by Jose REMY on Sep 18, 2007

( DESC 'virtual-persons' )

Basic certification practices statement of class 1 for virtual persons

 This object identifier (OID) describes our basic certification practices statement of class 1.

ASN1 notation: {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) basic(1) virtual-persons(2)}
URN notation: urn:oid:
IETF DOT notation:
BNF notation (RFC822 Backus-Naur form): ( DESC 'virtual-persons' )
Description: Basic certification practices statement of class 1 for virtual persons - VIRTUAL-PERSONS

Class1 Certificate policy for virtual persons

The openOSI Basic certificate policy for virtual persons defines our set of rules for usage, extended usage, enrollment and issuance procedures, as well as corresponding liability issues of openosi class1 certificates for virtual persons. Our Basic certificate policy is independent of the certified entity (Virtual person) that is, there is no "name constraints". The enforcement of our certificate policy relies on software workers coming from the open source community as stated in OID . The level of assurance is achieved using Robot intelligence as follows:

  1. End Entity (EE) pre registration by robot enrollment agent
    • Anonymous access to registration forms reserved for human (CAPTCHA check)
    • Web Service access (XKMS) not available for class 1 (requires at least existing class 1 certificate)
    • Identification elements (no less, no more)
      • pseudo or Nickname (arbitrary content)
      • e-mail address (existing)
      • Country (Request location)
  2. Identity validation
    • Check for existing nickname in openOSI name space
    • Check for uniqueness of requested nickname in openOSI name space
    • Check for limitations regarding country
      • Check for geoIP
      • Check for e-mail domain
    • Register requested nickname and related password with enrollment agent
  3. Identity authentication
    • Send an e-mail asking for confirmation of pre-registration, that is "registration request"
    • Check answer to the validation e-mail
  4. Certificate request authorization
    • Build a constraint for class 1 basic certificate subject DN request
      • CN must be confirmed nickname
      • UID must be confirmed e-mail address
      • DC=openosi,DC=org
      • Forbid any other element
    • Securely transmit the certificate request constrainst to appropriate registration authority (RA)
  5. Certificate request authorization and processing by robot registration agent
    • Attach an authorized certificate profile (this one) to the request
    • Attach an authorized certification authority to the request (openosiCA1-DC)
    • Notify request clearance to the applicant virtual person
    • Register requested nickname and related password with registration agent (16h validity)
    • Set a one time limit to process the request
    • Ensure authorization for certificate retrieval
    • If a PKCS10 request is submitted, apply request constraints filter
    • Securely transmit the certificate request to appropriate certification authority
  6. Certificate delivery and public directory update by certification authority
    • If needed generate private key
    • Sign certificate request
    • Build an appropriate certificate bundle (e.g. PKCS12 format) with registration password
    • Make certificate bundle available for secure download
    • Close request access unless there is a new RA authorization
    • Update openOSI public directory
      • URI: ldap://directory.openosi.org or ldaps://directory.openosi.org
      • DIT
        • DC=org
        • DC=openosi
        • OU=VirtualPeople
        • CN=<nickname>
      • Distinguished name (DN) of the entry
        • CN=<nickname>,UID=<validated e-mail address>,OU=VirtualPeople,DC=openosi,DC=org
      • Update corresponding entry's attribute with public certificate holding published DN
  7. Certificate revocation processing and public directory update
  8. On line services for certificate status
    • URI embedded in certificate: ocsp.openosi.org/pki/publicweb/status/ocsp

This Basic certification practices statement for virtual persons (basic) helps the user of an X.509 certificate to determine the level of trust that its organization or given services can put in the certificates that are issued by the openosiCA1-DC certification authority embedding this OID.


With this OID, the aim of openOSI is to publish its certificate policy as a support service, and as a legal framework. It is also an enabling Internet2 service providing class 1 certificates. For other class (level of assurance) see OID


The usage of certificate policy is to process an X.509 extension called "certificate policy" RFC3280. "Applications with specific policy requirements are expected to have a list of those policies which they will accept and to compare the policy OIDs in the certificate to that list".

NOTE: According RFC3280, if this extension is critical, the path validation software MUST be able to interpret this extension (including the optional qualifier), or MUST reject the certificate. Therefore openOSI always mark this extension as NON CRITICAL

Parameter Value
Default validity 1095 days
Use Basic Constraints yes
Basic Constraints Critical yes
Use Key Usage yes
Key Usage Critical yes
Use Subject Alternative Name yes
CRL Distribution Point URI http://cdp.openosi.org/pki/publicweb/webdist/certdist?cmd=crl&issuer=cn=openosiCA1-DC,ou=PKI,dc=openosi,dc=org
OCSP Service Locator URI http://ocsp.openosi.org/pki/publicweb/status/ocsp
Key usage 1 Digital Signature
Key usage 2 Non-repudiation
Key usage 3 Key encipherment
Key usage 4 Data encipherment
Use Extended Key Usage yes
Extended Key Usage 1 Client Authentication
Extended Key Usage 2 Email protection
Available bit lengths 1 512 bits
Available bit lengths 2 1024 bits
LDAP directory base ou=VirtualPeople,dc=openosi,dc=org

You can use this CPS and associated software or formal description of abstract processes under GPL license. Formal descriptions produced by an open source engine may be used under LGPL license

XML format

	<asn1-notation>\{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) basic(1) virtual-persons(2)\</asn1-notation>
	<description> Certificate policy with Basic certification practices statement for virtual persons</description>
	<information>More <i>information</i> can be found in <a href="http://openosi.org/osi/display/oid/">openOSI basic CPS for virtual persons</a> </information>

Site powered by a free Open Source Project / Non-profit License (more) of Confluence - the Enterprise wiki.
Learn more or evaluate Confluence for your organisation.
Powered by Atlassian Confluence, the Enterprise Wiki. (Version: 2.4.2 Build:#703 Mar 12, 2007) - Bug/feature request - Contact Administrators