ORC ACES PKI Certificate Profile

ORC ACES Program CPS Revised September 12, 2000

Attachment A

Summary of ACES Certificates

Certificate Type / Subscriber / Use of Certificate /
Individual / Individual / To enable an individual to authenticate itself to agency applications electronically for information and transactions and to verify digitally signed documents/transactions
Business Representative / Individual authorized to act on behalf of a business entity / To enable a business representative to authenticate itself to agency applications to conduct business-related activities electronically and to verify digitally signed documents/transactions
Agency Application / Agency application / To enable the agency application to authenticate itself to individuals, business representatives, and ACES contractors and to verify digitally signed documents/transactions
CA / Self Signing Certificate, Sign Subordinate CAs, Sign End Entity Certificates, Sign Certificate Revocation Lists.

Standard ORC ACES End-Entity Signature Certificate Profiles

FIELD / Digital Signature / Digital Signature / Digital Signature /
Basic Certificate / INDIVIDUAL / BUSINESS REPRESENTATIVE / AGENCY APPLICATION
Version / V3 (2) / V3 (2) / V3 (2)
Serial Number / Sequentially as issued / Sequentially as issued / Sequentially as issued
Issuer Signature Algorithm / sha-1WithRSAEncryption / sha-1WithRSAEncryption / sha-1WithRSAEncryption
Issuer Distinguished Name / Distinguished Name of CA below / Distinguished Name of CA below / Distinguished Name of CA below
Validity Period
notBefore
notAfter / Date certificate is issued
<= 2 years after notBefore date / Date certificate is issued
<= 2 years after notBefore date / Date certificate is issued
<= 2 years after notBefore date
Subject Distinguished Name / CN=Name of Applicant / CN=Name of Applicant, O=Name of Business / CN=Agency Application Name, OU=As listed in AB Codelist,
O=U.S. Government
Subject Public Key Information / 1024 bit RSA key modulus, rsaEncryption / 1024 bit RSA key modulus, rsaEncryption / 1024 bit RSA key modulus, rsaEncryption
Issuer Unique Identifier / Never used / Never used / Never used
Subject Unique Identifier / Never used / Never used / Never used
Issuer’s Signature / sha-1WithRSAEncryption / sha-1WithRSAEncryption / sha-1WithRSAEncryption
Extensions
authority key identifier[1] / c=no / c=no / c=no
subject key identifier[2] / c=no / c=no / c=no
key usage / c=yes;
digitalSignature, nonRepudiation / c=yes;
digitalSignature, nonRepudiation / c=yes;
digitalSignature, nonRepudiation
Extended key usage / Never used / Never used / Never used
Private key usage period / Never used / Never used / Never used
Certificate policies[3] / c=no;
aces-ca OBJECT IDENTIFIER ::= { aces 2 } / c=no;
aces-ca OBJECT IDENTIFIER ::= { aces 3 } / c=no;
aces-ca OBJECT IDENTIFIER ::= { aces 4 }
Policy Mapping / Never used / Not used / Not used
subject Alternate Name[4] / c=no; numGeneralNames=1
GeneralName= rfc822Name / c=no; numGeneralNames=1
GeneralName= rfc822Name / c=no; numGeneralNames=1
GeneralName= rfc822Name
Issuer Alternate Name / Not used / Not used / Not used
Name Constraints / Never used / Never used / Never used
Basic Constraints / c=yes; cA False (default) / c=yes; cA False (default) / c=yes; cA False (default)
Authority Information Access / c=no; numADs=2, ad0_method=ocspad0_location_type=URL,
ad0_location=http://
ocspResponder1.aces.orc.com
ad1_location=http://
ocspResponder2.
aces.orc.com / c=no; numADs=2, ad0_method=ocspad0_location_type=URL,
ad0_location=http://
ocspResponder1.aces.orc.com
ad1_location=http://
ocspResponder2.
aces.orc.com / c=no; numADs=2, ad0_method=ocspad0_location_type=URL,
ad0_location=http://
ocspResponder1.aces.orc.com
ad1_location=http://
ocspResponder2.
aces.orc.com

ORC can support RSA public-key algorithm for signing and encryption, DSA public-key algorithm for signing, and MD2, MD5 and SHA-1 for hashing. Signature key lengths up to 1024 bits (DSA) and 4096 (RSA) are supported.

Certificate Profiles for ACES

Certification Authority Certificate Profiles

FIELD / Signing CA Certificate / Root CA Certificate /
Basic Certificate
Version / V3 (2) / V3 (2)
Serial Number / Sequentially as issued / Sequentially as issued
Issuer Signature Algorithm[5] / sha-1WithRSAEncryption / sha-1WithRSAEncryption
Issuer Distinguished Name[6] / Distinguished Name of Root CA
CN=ORC Government ROOT, O=ORC PKI, C=US / Distinguished Name of Root CA
CN=ORC Government ROOT, O=ORC PKI, C=US
Validity Period
NotBefore
NotAfter / Date certificate is issued
6 years after notBefore date / Date certificate is issued
36 years after notBefore date
Subject Distinguished Name / Distinguished Name of CA
CN=ORC ACES Signature CA 1, OU=ORC PKI, OU=GSA, O=U.S. Government,C=US / Distinguished Name of Root CA
CN=ORC Government ROOT, O=ORC PKI, C=US
Subject Public Key Information[7] / 1024 bit RSA key modulus, rsaEncryption / 1024 bit RSA key modulus, rsaEncryption
Issuer Unique Identifier / Never used / Never used
Subject Unique Identifier / Never used / Never used
Issuer’s Signature / sha-1WithRSAEncryption / sha-1WithRSAEncryption
Extensions
authority key identifier[8] / c=no / Never used
subject key identifier[9] / c=no / c=no
key usage / c=yes;
digitalSignature, keyCertSign,
cRLSign / Never used
Extended key usage / Never used / Never used
Private key usage period / Never used / Never used
Certificate policies[10] / c=no;
aces-ca OBJECT IDENTIFIER ::= { aces 1 } / c=no;
aces-ca OBJECT IDENTIFIER ::= { aces 1 }
Policy Mapping / Not used / Not used
subject Alternate Name / Not used / Never used
Issuer Alternate Name / Not used / Never used
Subject Directory Attributes / Not used / Not used
Basic Constraints / c=yes;
cA=True;
no path length constraint / c=noyes;
cA=True;
no path length constraint
Name Constraints / Not used / Never used
Policy Constraints / c=no;
requireExplicitPolicy set with skipCerts set to zero.
Implicit taging (30:03:80:01:00) / Never used
CRL Distribution Points / Not used / Never used
Authority Information Access / c=no; numADs=2, ad0_method=ocsp, ad0_location_type=URL, ad0_location=http://
ocspResponder1.aces.orc.com
ad1_location=http://
ocspResponder2.aces.orc.com / c=no; numADs=2, ad0_method=ocsp, ad0_location_type=URL, ad0_location=http://
ocspResponder1.aces.orc.com
ad1_location=http://
ocspResponder2.aces.orc.com

A-1

[1] The value of this field is the 20 byte SHA-1 hash of the binary DER encoding of the signing CA’s public key information.

[2] The value of this field is the 20 byte SHA-1 hash of the binary DER encoding of the subject’s public key information.

[3] aces-ca OBJECT IDENTIFIER ::= { aces n }– { 2 16 840 1 101 3 2 1 1 n }

[4] Allows some browsers to sign email. Field is optional.

[5] The OID will be the RSA registered OID {1 2 840 113549 1 1 5}

[6] The certs signed by the Signing CA will contain various Subject DNs as defined in the EE cert description above.

[7] The OID will be the RSA registered OID {1 2 840 113549 1 1 1}.

[8] The value of this field is the 20 byte SHA-1 hash of the binary DER encoding of the signing CA’s public key information.

[9] The value of this field is the 20 byte SHA-1 hash of the binary DER encoding of the subject’s public key information.

[10] aces-ca OBJECT IDENTIFIER ::= { aces 1 }– { 2 16 840 1 101 3 2 1 1 1 }

Policy Arc: aces OBJECT IDENTIFIER ::= { csor-certpolicy 1 }