Research Article

Trust Management for Public Key Infrastructures: Implementing the X.509 Trust Broker

Listing 4

Example of XML profile for EVS certificate.
<CertProfile>
   <!-- Verisign CA id of EV Certificate -->
   <CAId value="3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE" />
   <ProfileVersion value="5.0" />
   <Subject type="field" component="O" presence="Obligatory" />
   <Subject type="field" component="CN" presence="Obligatory"
   value="dnshostname" valueExclude="" />
   <Subject type="field" component="C" presence="Obligatory" />
   <Subject type="field" component="L" presence="Obligatory" />
   <Subject type="field" component="ST" presence="Obligatory" />
   <!-- : this field MUST contain the Registration (or similar)
   Number assigned to the Subject by the Incorporating or Registration
   Agency in its Jurisdiction of Incorporation or Registration -->
   <Subject component="ObjectIdentifier.2545." type="field"
   presence="Obligatory" />
   <!-- : The validity period for an EV Certificate SHALL NOT exceed
   twenty-seven months. -->
   <Validity type="field" value="27" />
   <DigestSignatureAlgorithm value="(SHA-1|SHA-256|SHA-384|SHA-512)" />
   <KeySize component="KeySize" value="(1024|2048)" />
   <!-- : MUST be present and SHOULD NOT be marked critical. The set of
   policyIdentifiers MUST include the identifier for the CA's extended
   validation policy. -->
   <Certificate_Policies type="extension" critical="NotCritical"
   presence="Obligatory" value="oid" />
   <!-- : SHOULD be present and MUST NOT be marked critical. It MUST
   contain the HTTP URL of the CA's CRL service. This extension MUST
   be present if the certificate does not specify an OCSP responder. -->
   <CRL_Distribution_Point type="extension" critical="NotCritical"
   presence="Obligatory" value="httpservicehost" />
   <!-- : SHOULD be present and MUST NOT be marked critical. SHALL
   contain the HTTP URL of the CA's OCSP responder. This extension
   MUST be present if the certificate does not contain a
   cRLDistributionPoint extension. -->
   <Authority_Information_Access type="extension" critical="NotCritical"
   presence="Obligatory" value="httpservicehost" />
   <!-- : the presence of the basic constraints extension is optional. If
   present, the CA field MUST be set to false. -->
   <Basic_Constraints type="extension" critical="NotCritical"
   presence="Optional" value="false" />
   <!-- : the presence of the key usage extension is optional. If present,
   the bit positions for keyCertSign and cRLSign MUST NOT be set. -->
   <Key_Usage type="extension" critical="NotCritical"
   presence="Optional" valueExclude="(CertificateSigner|CRLSigner)" />
</CertProfile>
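To show how a trust broker could apply a profile of this shape, the following is an added Python example, not code from the paper or its implementation: it parses a trimmed, constructed copy of the listing above and reports which rules a certificate breaks. The certificate is a constructed dictionary of already-decoded fields rather than a real X.509 object, and the element and attribute semantics (presence, `(a|b)` alternatives, valueExclude) are assumed from the listing.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the page's EV profile (element semantics assumed).
PROFILE_XML = """<CertProfile>
  <Subject type="field" component="O" presence="Obligatory"/>
  <Subject type="field" component="CN" presence="Obligatory" value="dnshostname"/>
  <Validity type="field" value="27"/>
  <DigestSignatureAlgorithm value="(SHA-1|SHA-256|SHA-384|SHA-512)"/>
  <KeySize component="KeySize" value="(1024|2048)"/>
  <CRL_Distribution_Point type="extension" presence="Obligatory" value="httpservicehost"/>
  <Key_Usage type="extension" presence="Optional" valueExclude="(CertificateSigner|CRLSigner)"/>
</CertProfile>"""

def choices(spec):
    """Expand a '(a|b|c)' profile value into the set of listed strings."""
    return set(spec.strip("()").split("|"))

def check_profile(profile_xml, cert):
    """Return the profile rules that a (constructed dict) certificate violates."""
    # cert: subject components, validity in months, digest name, key size in
    # bits and a map extension name -> set of values (absent extensions omitted).
    root, problems = ET.fromstring(profile_xml), []
    # Subject DN components marked Obligatory must all be present.
    for s in root.findall("Subject"):
        if s.get("presence") == "Obligatory" and s.get("component") not in cert["subject"]:
            problems.append("missing subject component " + s.get("component"))
    limit = int(root.find("Validity").get("value"))
    if cert["validity_months"] > limit:
        problems.append(f"validity {cert['validity_months']} exceeds {limit} months")
    # Signature digest and key size must be among the listed alternatives.
    if cert["digest"] not in choices(root.find("DigestSignatureAlgorithm").get("value")):
        problems.append("digest " + cert["digest"] + " not allowed")
    if str(cert["key_size"]) not in choices(root.find("KeySize").get("value")):
        problems.append(f"key size {cert['key_size']} not allowed")
    # Extensions: Obligatory ones must exist; valueExclude lists forbidden bits.
    for ext in root.findall("*[@type='extension']"):
        values = cert["extensions"].get(ext.tag)
        if values is None:
            if ext.get("presence") == "Obligatory":
                problems.append("missing extension " + ext.tag)
        elif ext.get("valueExclude"):
            for bad in sorted(values & choices(ext.get("valueExclude"))):
                problems.append(ext.tag + " sets forbidden value " + bad)
    return problems

# Constructed sample: an end-entity certificate that breaks several rules.
SAMPLE_CERT = {
    "subject": {"O": "Example Ltd", "CN": "www.example.com"},
    "validity_months": 36, "digest": "SHA-256", "key_size": 2048,
    "extensions": {"Key_Usage": {"DigitalSignature", "CertificateSigner"}},
}
```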