[Sks-devel] HPKS Certificates and Revokation?

[Benny Baumann]

Hi folks, hi Kristian,

I just had a review of my cert after I got hinted on a small, but
essential problem with the HPKS certificates:

They contain no revokation information.
Neither CRL nor OCSP.

Thus even IF Kristian was going to revoke them, nobody could ever notice
(from the certificates alone) because the certificates don't say where
to find this information.

And while we are at problems in those certificates:

The issuer reads C=NO, ST=Oslo, O=... CA, CN=... CA
I doubt that Oslo is a state.

And to make things even worse, given a correct CSR with

C=DE, ST=SH, L=Kiel
the certificate I got lacks the L= information, thus the certificate
indicates only that it's for somewhere in Schleswig-Holstein (northern
part of Germany).

Thus I'd like to ask Kristian for the following changes:

1. Reissue all certificates under a new root (might as well be using the
same key material) that gets the DN of itself right
2. Reissue all certificates unter this new root with either C, C,L or
C,ST,L for the location
3. Ensure EVERY issued certificate contains a CRL extension to know
where to download the necessary CRLs to check revokation
4. Ensure EVERY issued certificate contains a OCSP extension so clients
can check for revokation using OCSP
4a) (libmoz-pkix requirement) Ensure responses are valid for no longer
than 10 days; but better: restrict them to about 5 days at most.
4b) Ensure this responder is reachable via IPv4 and IPv6 and understands
dynamic requests
5. Establish an official document specifying minimum key size
constraints (at least 4096 bit RSA or equivalent) and a signing policy
5a) Include a link to this document into the certificates

Kind regards,
BenBE.

signature.asc
Description: OpenPGP digital signature