Contents of the Roots
Comparison between the contents of the root certificates generated in 2003, 2008 and 2014 (tbd). See Roots/ContentsDiscussion for the evolving debate on all questions; see Roots/Structure for the hierarchy of all roots.
Layout
Technical Layout
| Field | 2003 | 2008 | tbd | comments |
|---|---|---|---|---|
| Version | 3 | 3 | 3 | Required; no problems. |
| serialNumber | 0, 1 | 2, 3, 4 (, 5, 6) | | Must be a positive integer that is unique among all certificates issued under the same issuer DN (RFC 5280 4.1.2.2); it is independent of the SKID. See the serial-number allocations below. |
| subjectKeyIdentifier | "hash" == sha1(own public key) | same | same | Non-critical extension, obligatory. "hash" is the SHA-1 of the subjectPublicKey BIT STRING value (RFC 5280 4.2.1.2); see RFC 5280 for format and contents. |
| authorityKeyIdentifier | "hash" == sha1(signing public key), i.e. the signing key's SKID | same | same | Non-critical extension, obligatory. On a self-signed root it therefore equals the certificate's own SKID; see RFC 5280 4.2.1.1 for format and contents. |
| Validity | 2033 | 2038 | 2034 | Validity reduced from 30 to 20 years to keep the cryptography sane over the lifetime of the root. |
| Cryptographic algorithms | | | | |
| Signature algorithm (PK Type) | MD5 with RSA Encryption (1.2.840.113549.1.1.4) | SHA-1 with RSA Encryption (1.2.840.113549.1.1.5) | SHA-512 with RSA Encryption (1.2.840.113549.1.1.13) | Recently issued roots expiring out to 2040 use SHA-1 with RSA. Windows XP does not support (roots with) SHA-2 signatures until SP3. MD5 and SHA-1 are both deprecated for signatures; a self-signed root's own signature is not checked by trust stores (the root is trusted by its presence in the store), but the same algorithm choice on sub-roots and leaf certificates is. |
| Size | 4096 bits | 4096 bits | 4096 bits | Good for 30 years; see the BlueKrypt key-length tables. |
| Format | PKCS1 | PKCS1 | PKCS1 | Standard. |
| Hash | MD5 | SHA-1 | SHA-512 | Digest used inside the signature algorithm above. |
| basicConstraints | critical | critical | critical | Critical basicConstraints extension. |
| cA | true | true | true | Is a Certification Authority. |
| pathLen | | 3 | | Maximum length of the chain between root and leaf (optional field). |
| keyUsage | keyCertSign and cRLSign only | same | same | Critical extension, obligatory for roots: keyUsage bits 5 (keyCertSign) and 6 (cRLSign) set and no others. EV-G-AppB concurs. |
CPS 6.3.2 specifies 30 years for root certificates (the 2008 root gets only 29.5 years because of the Y2038 limit of 32-bit time_t) and 10 years for sub-root certificates. See also the CAB Baseline Requirements for Certificates.
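As an added worked example (not CAcert's own tooling or any code from this page), the following Go program builds a self-signed root with the tbd column's profile using only the standard library, derives the SKID exactly as the table states (SHA-1 of the public key per RFC 5280 4.2.1.2, with a hash-only AKID equal to it), and then re-reads the DER to check every row of the table: key size, SKID/AKID, critical basicConstraints with cA and pathLen 3, critical keyUsage limited to keyCertSign|cRLSign, a non-MD5/SHA-1 signature algorithm, and the 20-year validity ceiling. The subject name "Example Root", the serial value, the 2048-bit key used only to keep key generation quick, and the function names are my choices, not the page's.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// rfc5280KeyID computes the "hash" key identifier of RFC 5280 4.2.1.2 (the table's
// sha1(own public key)): SHA-1 over the subjectPublicKey BIT STRING value only,
// i.e. without tag, length or unused-bits octet. Marshalling an *rsa.PublicKey cannot fail.
func rfc5280KeyID(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	var spki struct{ Algorithm pkix.AlgorithmIdentifier; PublicKey asn1.BitString }
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		panic(err) // unreachable: der was produced by MarshalPKIXPublicKey just above
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:]
}

// newRoot self-signs a root with the tbd profile: SHA-512 with RSA, SKID = sha1(public key),
// a hash-only AKID equal to the SKID, critical basicConstraints (cA=true, pathLen 3) and
// critical keyUsage = keyCertSign|cRLSign (bits 5 and 6), valid for `years` years.
func newRoot(bits int, serial int64, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	skid := rfc5280KeyID(&key.PublicKey)
	notBefore := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "Example Root"}, // hypothetical DN
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            3,
		SubjectKeyId:          skid,
		AuthorityKeyId:        skid, // self-signed: the AKID keyIdentifier names our own key
		SignatureAlgorithm:    x509.SHA512WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkRootProfile re-checks a parsed root against the table; an empty result means it conforms.
func checkRootProfile(c *x509.Certificate, minBits, maxYears int) []string {
	var problems []string
	fail := func(format string, a ...interface{}) { problems = append(problems, fmt.Sprintf(format, a...)) }
	if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok {
		fail("public key is not RSA")
	} else if pub.N.BitLen() < minBits {
		fail("RSA key is %d bits, want >= %d", pub.N.BitLen(), minBits)
	} else if !bytes.Equal(rfc5280KeyID(pub), c.SubjectKeyId) {
		fail("subjectKeyIdentifier is not sha1(subjectPublicKey)")
	}
	if !bytes.Equal(c.AuthorityKeyId, c.SubjectKeyId) {
		fail("authorityKeyIdentifier of a self-signed root must equal its own SKID")
	}
	if !c.BasicConstraintsValid || !c.IsCA || c.MaxPathLen != 3 {
		fail("basicConstraints must be cA=true with pathLen 3")
	}
	if c.KeyUsage != x509.KeyUsageCertSign|x509.KeyUsageCRLSign {
		fail("keyUsage must be exactly keyCertSign|cRLSign")
	}
	for _, e := range c.Extensions { // 2.5.29.19 = basicConstraints, 2.5.29.15 = keyUsage
		if id := e.Id.String(); (id == "2.5.29.19" || id == "2.5.29.15") && !e.Critical {
			fail("extension %s must be critical", id)
		}
	}
	if c.SignatureAlgorithm == x509.MD5WithRSA || c.SignatureAlgorithm == x509.SHA1WithRSA {
		fail("signature algorithm %s is deprecated", c.SignatureAlgorithm)
	}
	if c.NotAfter.After(c.NotBefore.AddDate(maxYears, 0, 0)) {
		fail("validity exceeds %d years", maxYears)
	}
	return problems
}

func main() {
	cert, err := newRoot(2048, 0xF, 20) // 2048 bits for speed; the roots on this page use 4096
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.SignatureAlgorithm, cert.NotAfter.Year(), checkRootProfile(cert, 2048, 20))
}
```

Go's x509 package marks basicConstraints and keyUsage critical on its own, so the critical-flag loop in checkRootProfile passes for a freshly built root; it earns its keep when the same function is pointed at a DER file exported with `openssl x509 -outform DER` from one of the real roots, where the table's columns (MD5 or SHA-1 signature, 30-year validity) show up as reported deviations rather than a clean result.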
Business Layout
| Field | Name | 2003 | 2008 | tbd | comments |
|---|---|---|---|---|---|
| O | Organisation | Root CA | CAcert.org - Community Certification Authority | | Is standard layout, see below. |
| OU | Organisational Unit | Permission to USE | cacert.org | | |
| CN | Common Name | CA Cert Signing Authority | CAcert.org | CAcert Root | |
| Extensions (mark which are critical) | | | | | |
| Certificate Policies | | Permission to USE | | | This is the "preferred" field for policies; the "use" document is the first and most important. Not critical. |
| Subject:serialNumber (OID 2.5.4.5) | | none | none | none | Association Registration Number (INC9880170) for sub-roots. Not critical. |
Serial numbers
Serial numbers issued under the 2003 Class 1 root start out with 10 (hex). The serial numbers in the range 0 - F can be considered "reserved", and the following allocations have been made:
| Serial (hex) | Allocation |
|---|---|
| 0 | Class 1 Root with MD5 signature |
| 1 | Class 3 Root with MD5 signature (old) |
| E | Class 3 Root with SHA256 signature with hash-only Authority Key Identifier (tbd) |
| F | Class 1 Root with SHA256 signature with hash-only Authority Key Identifier (tbd) |
Note that the Class 3 Root with SHA256 signature (re-signed in 2011) has a serial number in the upper (non-reserved) range (0A:41:8A).
Serial numbers issued under the 2003 Class 3 root start out with 2 (hex). The serial numbers 0 and 1 can be considered "reserved", and no allocations have been made for these.