Inhaltsverzeichnis

1 ChaosWelle PKI Certification And Revocation Policy
- 1.1 Certificate Issuance
- 1.2 Certificate Revocation

ChaosWelle PKI Certification And Revocation Policy

This document is a WIP draft policy listing the conditions required to issue HAM-PKI certificates by Chaoswelle CA, as well as the conditions for revocation of such certificates.

Certificate Issuance

The Chaoswelle CA will issue HAM-PKI Certificates (Certs) to Applicants that have been successfully Authorized.

Certs

A HAM-PKI Cert created by Chaoswelle CA must contain the following information in its distinguished name (DN):

Full Name (CN)
E-Mail (OID.1.2.840.113549.1.9.1)
Callsign (OID.1.3.6.1.4.1.12348.1.1)

TODO: Are additional fields needed / allowed?

An audit record is created for every issued Cert containing the following data:

Full Name
Postal Address
E-Mail
Callsign
HAM-PKI user who approved the request
Date and Time of approval
Certificate

Applicants

Certs are issued to the following entities:

Natural persons (the Callsign must be assigned to that person and the assignment must be valid)
TODO: Training callsigns
TODO: Club stations (have a separate field in the DN for club vs. natural person assignee?)
TODO: Other Kinds Of Applicants?

Authorization

Natural Person

A natural person needs to provide the following documents to be entitled for a Cert:

Callsign assignment document scan(must show the person's full name and be valid)
A recent utility bill scan (not older than 31 days, must show the person's full name and address)

Certificate Revocation

Chaoswelle CA will be operating a CRL and indicate that CRL in the issued Certs. To put a given Cert on the CRL, proof is needed that the Cert was issued to an incorrect Applicant, i.e. the Callsign, Full Name or E-Mail Address values of the Cert do not belong to the person using the Cert.

This proof must be presented by the actual owner of the Callsign or E-Mail Address, or by a third party that can believably show that the Cert was issued wrongly.

Certs will only be revoked if they were issued to the wrong person, or used by a different person. Technical abuse of Internet services by the official owner of a Cert does not qualify for revocation. Instead, technical measures must be taken at the abused system.