Added by Jose REMY, last edited by Jose REMY on Sep 25, 2007

( DESC 'roles' )

Intermediate certification practices statement of class 3 for roles

Object identifier (OID) notation

ASN.1 notation: {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) Intermediate(3) roles(2)}
URN notation: urn:oid:
IETF DOT notation:
BNF notation (RFC822 Backus-Naur form): ( DESC 'roles' )
Description: Intermediate certification practices statement of class 3 for roles - ROLES

Class 3 certificate policy for roles

The openOSI Intermediate certificate policy for roles defines our set of rules for key usage and extended key usage, enrollment and issuance procedures, and the corresponding liability of openOSI class 3 certificates for roles. The Intermediate certificate policy is independent of the certified entity (person), that is, it imposes no "name constraints". Enforcement of the policy relies on software workers (robots) contributed by the open source community, as stated in OID . The level of assurance is achieved by combining robot intelligence (automated checks) and human intelligence (manual review), as follows:

  1. End Entity (EE) pre registration by robot enrollment agent
    • Anonymous access to the registration form, restricted to humans (CAPTCHA check)
    • Identification elements
      • Role name (first part)
      • Role name (last part)
      • e-mail address (existing)
      • Organization name
      • Organization URI / URL (should exist if supplied)
      • Country of residence
  2. Identity validation by Robot intelligence
    • Check for existing "RoleNameFirst.RoleNameLast" in openOSI name space
    • Check for uniqueness of "RoleNameFirst.RoleNameLast" in openOSI name space
    • Check for limitations regarding country
      • Check for geoIP
      • Check for e-mail domain
    • Register requested Username and related password with enrollment agent
  3. Identity validation by Human intelligence
    • Evidence of known identity and / or
    • Cross checking with other trusted organization
    • e-mail address identification
  4. Identity authentication
    • Send an e-mail asking the applicant to confirm the pre-registration (the "registration request")
    • Check answer to the validation e-mail
  5. Certificate request authorization
    • Build a constraint for class 3 Intermediate certificate subject DN request
      • CN must be built from RoleNameFirst and RoleNameLast (digits may be appended for uniqueness)
      • UID must be confirmed e-mail address
      • OU=Roles,OU=VirtualPeople,DC=openosi,DC=org
      • Forbid any other element
    • Allow identity attributes
      • Role name (first part)
      • Role name (last part)
    • Securely transmit the certificate request constraints to appropriate registration authority (RA)
  6. Certificate request authorization and processing by human registration agent
    • Check the request against the results of the identity investigation (step 3)
    • Transmit to class 3 robot registration agent or deny
  7. Certificate request authorization and processing by robot registration agent
    • Attach an authorized certificate profile (this one) to the request
    • Attach an authorized certification authority to the request (openosiCA3-DC)
    • Notify the applicant that the request has been cleared
    • Register the requested common name (CN) and related password with the registration agent (16 hour validity)
    • Set a one-time limit for processing the request
    • Ensure authorization for certificate retrieval
    • If a PKCS#10 request is submitted, apply the request constraints filter (step 5)
    • Securely transmit the certificate request to appropriate certification authority
  8. Certificate delivery and public directory update by certification authority
    • If needed, generate the private key (the CA then holds a copy of the key; a submitted PKCS#10 request keeps the key with the applicant)
    • Sign the certificate request
    • Build an appropriate certificate bundle (e.g. PKCS#12 format) protected by the registration password
    • Make certificate bundle available for secure download
    • Close request access unless there is a new RA authorization
    • Update openOSI public directory
      • URI: ldap://directory.openosi.org or ldaps://directory.openosi.org
      • DIT
        • DC=org
        • DC=openosi
        • OU=VirtualPeople
        • OU=Roles
        • CN=<RolenameFirst.RolenameLast>
      • Distinguished name (DN) of the entry
        • CN=<RolenameFirst.RolenameLast>,UID=<validated e-mail address>,OU=Roles,OU=VirtualPeople,DC=openosi,DC=org
      • Update corresponding entry's attribute
        • with the public certificate carrying the published DN
        • With RolenameFirst and RolenameLast
  9. Certificate revocation processing and public directory update
  10. On line services for certificate status
    • URI embedded in certificate: ocsp.openosi.org/pki/publicweb/status/ocsp
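The subject DN constraints of step 5, which step 7 applies to a submitted PKCS#10 request as the "request constraints filter", can be checked mechanically. The following is an added example and not openOSI's own software: a standard-library-only Python filter over the RFC 4514 string form of the requested subject DN. The function names, the string input form and the sample DNs (role name and address are made up) are assumptions for the example.

```python
"""Subject DN constraint filter for class 3 role certificate requests.

Added example, not openOSI's own code. It encodes the subject DN constraints
of step 5 (CN from the role name, UID = confirmed e-mail address, fixed
OU/DC tail, nothing else) as the "request constraints filter" of step 7.
Input is the RFC 4514 string form of the requested subject DN; the sample DNs
below are constructed for the example.
"""
import re

# Fixed part of the subject DN required by step 5, most specific RDN first.
REQUIRED_TAIL = [("OU", "Roles"), ("OU", "VirtualPeople"),
                 ("DC", "openosi"), ("DC", "org")]


def _split_unescaped(text, separators):
    """Split text on any of the separators, except where escaped by a backslash."""
    parts, current, escaped = [], "", False
    for ch in text:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            current += ch
            escaped = True
        elif ch in separators:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def parse_dn(dn):
    """Parse an RFC 4514 DN string into an ordered list of (type, value) pairs.

    Backslash escapes of ',' '+' '=' and the backslash itself are honoured;
    hex escapes such as \\2C are not handled by this example. Multi-valued
    RDNs (joined with '+') are flattened so every attribute is visible.
    """
    pairs = []
    for rdn in _split_unescaped(dn, ",+"):
        if "=" not in rdn:
            raise ValueError("malformed RDN %r" % rdn)
        attr_type, attr_value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(),
                      re.sub(r"\\(.)", r"\1", attr_value.strip())))
    return pairs


def _fmt(pairs):
    return ",".join("%s=%s" % pair for pair in pairs)


def check_subject_dn(dn, role_first, role_last, confirmed_email):
    """Return the list of constraint violations; an empty list means the DN passes.

    role_first / role_last: the validated role name parts (steps 2 and 3).
    confirmed_email: the address confirmed in step 4; compared exactly.
    """
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    n = len(REQUIRED_TAIL)
    head, tail = pairs[:-n], pairs[-n:]
    # The entry must sit under OU=Roles,OU=VirtualPeople,DC=openosi,DC=org.
    if tail != REQUIRED_TAIL:
        problems.append("DN must end with %s, got %s" % (_fmt(REQUIRED_TAIL), _fmt(tail)))
    # "Forbid any other element": only CN and UID may precede the fixed tail.
    extra = [p for p in head if p[0] not in ("CN", "UID")]
    if extra:
        problems.append("forbidden attribute(s): %s" % _fmt(extra))
    cns = [v for t, v in head if t == "CN"]
    uids = [v for t, v in head if t == "UID"]
    # CN = RoleNameFirst.RoleNameLast, optionally followed by digits for uniqueness.
    cn_re = re.compile(r"^%s\.%s\d*$" % (re.escape(role_first), re.escape(role_last)))
    if len(cns) != 1 or not cn_re.match(cns[0]):
        problems.append("CN must be %s.%s plus optional digits, got %r"
                        % (role_first, role_last, cns))
    # UID must be exactly the e-mail address confirmed in step 4.
    if uids != [confirmed_email]:
        problems.append("UID must be the confirmed e-mail %r, got %r" % (confirmed_email, uids))
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one valid, one with a uniqueness digit,
    # one smuggling an extra attribute, one outside the Roles branch.
    role, email = ("Security", "Officer"), "security@example.org"
    samples = [
        "CN=Security.Officer,UID=security@example.org,OU=Roles,OU=VirtualPeople,DC=openosi,DC=org",
        "CN=Security.Officer2,UID=security@example.org,OU=Roles,OU=VirtualPeople,DC=openosi,DC=org",
        "CN=Security.Officer,UID=security@example.org,O=Example,OU=Roles,OU=VirtualPeople,DC=openosi,DC=org",
        "CN=Security.Officer,UID=security@example.org,OU=VirtualPeople,DC=openosi,DC=org",
    ]
    for sample in samples:
        print(sample, "->", check_subject_dn(sample, role[0], role[1], email) or "OK")
```

The filter is deliberately strict: attribute values are compared exactly, the fixed tail must be the last four RDNs in order, and anything that is not CN or UID in front of it is rejected, so a request cannot add an O= or an extra OU= that would place the entry elsewhere in the DIT.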

This Intermediate certification practices statement for roles helps a relying party that receives an X.509 certificate to determine the level of trust that its organization or a given service can place in certificates issued by the openosiCA3-DC certification authority that embed this OID.


With this OID, openOSI publishes its certificate policy both as a support service and as a legal framework, and enables cooperation with other roles and organizations. For the other classes (levels of assurance) see OID


A certificate policy is used by processing the X.509 extension called "certificate policies" (certificatePolicies, RFC 3280 section 4.2.1.5): "Applications with specific policy requirements are expected to have a list of those policies which they will accept and to compare the policy OIDs in the certificate to that list".

NOTE: According to RFC 3280, if this extension is critical, the path validation software MUST be able to interpret this extension (including the optional qualifier), or MUST reject the certificate. openOSI therefore always marks this extension as NON CRITICAL, so that validators without certificate policy processing still accept the certificate. The flip side is that such validators simply ignore the extension: a relying party that wants to enforce this policy must implement the comparison against its accept list itself.
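As an added example (not openOSI's own code), the following Python block converts the ASN.1 notation shown above into dotted OID form and applies the RFC 3280 rule just quoted: the relying party keeps a list of acceptable policy OIDs and compares the certificate's certificatePolicies contents against it. It also shows the effect of the criticality flag on a validator that does not process the extension at all. The relying party's accept list, the sample extension contents (the foreign OID 1.2.3.4 is made up) and the function names are assumptions for the example.

```python
"""Certificate policies acceptance check, added here as an example.

Not openOSI's own code. The accept list, the sample extension contents and
the function names are assumptions made for the example.
"""
import re

ANY_POLICY = "2.5.29.32.0"  # anyPolicy (RFC 3280 section 4.2.1.5)


def asn1_to_dotted(notation):
    """'{iso(1) identified-organization(3) ... roles(2)}' -> dotted OID string.

    Only the numbers in parentheses carry the arc values; the names are labels.
    """
    arcs = re.findall(r"\((\d+)\)", notation)
    if not arcs:
        raise ValueError("no numbered arcs in %r" % notation)
    return ".".join(arcs)


# Policy OID of this page, derived from its ASN.1 notation.
CPS_ROLES_CLASS3 = asn1_to_dotted(
    "{iso(1) identified-organization(3) dod(6) internet(1) private(4) "
    "enterprise(1) openosi(27630) cps(1) Intermediate(3) roles(2)}")


def policy_decision(policy_oids, critical, accepted, implements_extension=True):
    """Decide whether a certificate's certificatePolicies extension is acceptable.

    policy_oids: dotted policy OIDs found in the extension.
    critical: the extension's criticality flag.
    accepted: policy OIDs the relying party is willing to trust (empty list
              means it has no policy requirement).
    implements_extension: whether the validator processes certificatePolicies.
    Returns (accept, reason).
    """
    if not implements_extension:
        # RFC 3280: an unrecognised critical extension forces rejection, an
        # unrecognised non-critical one is ignored. openOSI marks the
        # extension non-critical precisely so that this branch accepts.
        if critical:
            return False, "critical certificatePolicies not implemented, reject"
        return True, "non-critical certificatePolicies ignored"
    if not accepted:
        return True, "relying party has no policy requirement"
    if ANY_POLICY in policy_oids:
        # anyPolicy: the CA does not limit the set of policies, so the
        # relying party's accepted policies count as asserted.
        return True, "certificate asserts anyPolicy"
    matched = sorted(set(policy_oids) & set(accepted))
    if matched:
        return True, "matched policy " + ", ".join(matched)
    return False, "no acceptable policy among [%s]" % ", ".join(policy_oids)


if __name__ == "__main__":
    # A relying party that trusts only openOSI class 3 role certificates.
    accept_list = [CPS_ROLES_CLASS3]
    print("policy OID:", CPS_ROLES_CLASS3)
    print(policy_decision([CPS_ROLES_CLASS3], False, accept_list))
    print(policy_decision(["1.2.3.4"], False, accept_list))  # constructed foreign policy
    # Same certificate seen by a validator with no policy processing:
    print(policy_decision([CPS_ROLES_CLASS3], True, [], implements_extension=False))
    print(policy_decision([CPS_ROLES_CLASS3], False, [], implements_extension=False))
```

The last two calls are the point of the NOTE above: with the extension marked critical, a validator that does not implement certificatePolicies must reject the certificate; marked non-critical, it accepts it without having checked any policy at all.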

You may use this CPS and the associated software or formal descriptions of abstract processes under the GPL license. Formal descriptions produced by an open source engine may be used under the LGPL license.

XML format

	<asn1-notation>{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) Intermediate(3) roles(2)}</asn1-notation>
	<description>Certificate policy with Intermediate certification practices statement for roles</description>
	<information>More <i>information</i> can be found in <a href="http://openosi.org/osi/display/oid/">openOSI Intermediate CPS for roles</a></information>
