Dashboard > openOSI Object Identifier name space > ... > >
  openOSI Object Identifier name space Log In   View a printable version of the current page.
Added by Jose REMY, last edited by Jose REMY on Jun 18, 2009

( DESC 'servicess' )

Intermediate certification practices statement of class 3 for services

 This object identifier (OID) describes our Intermediate certification practices statement of class 3.

ASN1 notation: {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) Intermediate(3) servicess(5)}
URN notation: urn:oid:
IETF DOT notation:
BNF notation (RFC822 Backus-Naur form): ( DESC 'services' )
Description: Intermediate certification practices statement of class 3 for services - SERVICES

Class3 Certificate policy for servicess

The openOSI Intermediate certificate policy for servicess defines our set of rules for usage, extended usage, enrollment and issuance procedures, as well as corresponding liability issues of openosi class3 certificates for services. Our Intermediate certificate policy is independent of the certified entity (services) that is, there is no "name constraints". The enforcement of our certificate policy relies on software workers coming from the open source community as stated in OID The level of assurance is achieved using Robot intelligence and human intelligence as follows:

  1. The requester MUST holds a Class 3 certificate for persons
  2. The requester MUST holds for the related fully qualified domain name:
    • either a [Class 3 certificate for hosts]
    • or a [Class 3 certificate for virtualHosts]
  3. End Entity (EE) pre registration by robot enrollment agent
    • Identification elements
  4. Certificate request authorization
    • Build a constraint for class 3 Intermediate certificate subject DN request
      • CN must be build with fully qualified domain name
      • UID is free
      • URI MUST relates to a certified URL or to an existing urn:OID
        • Either in openosi.org name space
        • or in an other registered urn name space
      • OU=Services,DC=openosi,DC=org
      • OU is agreed organization for cooperation (static group management)
    • Securely transmit the certificate request constraints to appropriate registration authority (RA)
  5. Certificate request authorization and processing by human registration agent
    • Check with results of private investigation
    • Transmit to class 3 robot registration agent or deny
  6. Certificate request authorization and processing by robot registration agent
    • Attach an authorized certificate profile (this one) to the request
    • Attach an authorized certification authority to the request (openosiCA3-DC)
    • Notify request clearance to the applicant person
    • Register requested common name (CN) and related password with registration agent (16h validity)
    • Set a one time limit to process the request
    • Ensure authorization for certificate retrieval
    • If a PKCS10 request is submitted, apply request constraints filter
    • Securely transmit the certificate request to appropriate certification authority
  7. Certificate delivery and public directory update by certification authority
    • If needed generate private key
    • Sign certificate request
    • Build an appropriate certificate bundle (e.g. PKCS12 format) with registration password
    • Make certificate bundle available for secure download
    • Close request access unless there is a new RA authorization
    • Update openOSI public directory
      • URI: ldap://directory.openosi.org or ldaps://directory.openosi.org
      • DIT
        • DC=org
        • DC=openosi
        • OU=Services
        • CN=<serviceName>
      • Distinguished name (DN) of the entry
        • CN=<serviceName>,UID=<any>,OU=Services,DC=openosi,DC=org
      • Update corresponding entry's attribute
        • with public certificate holding published DN
        • With serviceName
        • With group "OU=organization" inside "OU=groups",OU=Services,DC=openosi,DC=org"
        • With group "CN=group.<CN>" inside "OU=groups",OU=Services,DC=openosi,DC=org"
  8. Certificate revocation processing and public directory update
  9. On line services for certificate status
    • URI embedded in certificate: ocsp.openosi.org/pki/publicweb/status/ocsp

This Intermediate certification practices statement for services (Intermediate) helps the service user of an X.509 certificate to determine the level of trust that its organization or given services can put in the certificates that are issued by the openosiCA3-DC certification authority embedding this OID.


With this OID, the aim of openOSI is to publish its certificate policy as a support service, and as a legal framework. It is also to allow cooperation with other services (Web services!..). For other class (level of assurance) see OID


The usage of certificate policy is to process an X.509 extension called "certificate policy" RFC3280. "Applications with specific policy requirements are expected to have a list of those policies which they will accept and to compare the policy OIDs in the certificate to that list".

NOTE: According RFC3280, if this extension is critical, the path validation software MUST be able to interpret this extension (including the optional qualifier), or MUST reject the certificate. Therefore openOSI always mark this extension as NON CRITICAL

You can use this CPS and associated software or formal description of abstract processes under GPL license. Formal descriptions produced by an open source engine may be used under LGPL license

XML format

	<asn1-notation>\{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) openosi(27630) cps(1) Intermediate(3) services(5)\</asn1-notation>
	<description> Certificate policy with Intermediate certification practices statement for services</description>
	<information>More <i>information</i> can be found in <a href="http://openosi.org/osi/display/oid/">openOSI Intermediate CPS for services</a> </information>

Site powered by a free Open Source Project / Non-profit License (more) of Confluence - the Enterprise wiki.
Learn more or evaluate Confluence for your organisation.
Powered by Atlassian Confluence, the Enterprise Wiki. (Version: 2.4.2 Build:#703 Mar 12, 2007) - Bug/feature request - Contact Administrators