https://chaoswelle.de/index.php?action=history&feed=atom&title=HAM-PKI%2FPolicyHAM-PKI/Policy - Versionsgeschichte2026-04-18T03:41:03ZVersionsgeschichte für diese Seite in ChaoswelleMediaWiki 1.11.2https://chaoswelle.de/index.php?title=HAM-PKI/Policy&diff=10529&oldid=prevDO1GL: HAM-PKI policy work in progress2014-12-27T18:27:35Z<p>HAM-PKI policy work in progress</p>
<p><b>Neue Seite</b></p><div>= ChaosWelle PKI Certification And Revocation Policy =<br />
<br />
This document is a WIP draft policy listing the conditions required to issue HAM-PKI certificates by Chaoswelle CA, as well as the conditions for revocation of such certificates.<br />
<br />
== Certificate Issuance ==<br />
<br />
The Chaoswelle CA will issue HAM-PKI Certificates ('''Certs''') to '''Applicants''' that have been successfully '''Authorized'''.<br />
<br />
=== Certs ===<br />
<br />
A HAM-PKI '''Cert''' created by Chaoswelle CA must contain the following information in its distinguished name (DN):<br />
<br />
* Full Name (<code>CN</code>)<br />
* E-Mail (<code>OID.1.2.840.113549.1.9.1</code>)<br />
* Callsign (<code>OID.1.3.6.1.4.1.12348.1.1</code>)<br />
<br />
TODO: Are additional fields needed / allowed?<br />
<br />
An audit record is created for every issued '''Cert''' containing the following data:<br />
<br />
* Full Name<br />
* Postal Address<br />
* E-Mail<br />
* Callsign<br />
* HAM-PKI user who approved the request<br />
* Date and Time of approval<br />
* Certificate<br />
<br />
=== Applicants ===<br />
<br />
'''Certs''' are issued to the following entities:<br />
<br />
* Natural persons (the Callsign must be assigned to that person and the assignment must be valid)<br />
* TODO: Training callsigns<br />
* TODO: Club stations (have a separate field in the DN for club vs. natural person assignee?)<br />
* TODO: Other Kinds Of Applicants?<br />
<br />
=== Authorization ===<br />
<br />
==== Natural Person ====<br />
<br />
A natural person needs to provide the following documents to be entitled for a '''Cert''':<br />
<br />
* Callsign assignment document scan(must show the person's full name and be valid)<br />
* A recent utility bill scan (not older than 31 days, must show the person's full name and address)<br />
<br />
== Certificate Revocation ==<br />
<br />
Chaoswelle CA will be operating a [http://en.wikipedia.org/wiki/Revocation_list CRL] and indicate that CRL in the issued '''Certs'''. To put a given '''Cert''' on the CRL, proof is needed that the '''Cert''' was issued to an incorrect '''Applicant''', i.e. the Callsign, Full Name or E-Mail Address values of the '''Cert''' do not belong to the person using the '''Cert'''.<br />
<br />
This proof must be presented by the actual owner of the Callsign or E-Mail Address, or by a third party that can believably show that the '''Cert''' was issued wrongly.<br />
<br />
'''Certs''' will only be revoked if they were issued to the wrong person, or used by a different person. Technical abuse of Internet services by the official owner of a '''Cert''' does not qualify for revocation. Instead, technical measures must be taken at the abused system.</div>DO1GL