Certification Practice Statement
This document describes the policies and procedures used by the IRTNOG Certification Authority (CA) when it issues, signs, manages, renews, or revokes digital certificates. This CA does not warrant certificates for any particular use, and it cannot guarantee the confidentiality, availability, or integrity of any aspect of its operation. TRUST THESE CERTIFICATES AT YOUR OWN RISK.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Jurisdiction
The IRTNOG Certification Authority (a.k.a. "the IRTNOG CA" or "this CA") currently resides at 8711 Simpson Court, Mason, OH 45040, USA, and is governed by the laws of the State of Ohio and of the United States of America. In addition to the local, county, and state courts, this CA is subject to the case law and the judgments of the Ohio Southern District Court (part of the Sixth U.S. Circuit Court).
Key Recovery
All IRTNOG system administrators SHALL be authorized key recovery agents (KRAs), including but not limited to Windows EFS key recovery. KRAs SHALL disclose encryption keys to legal authorities only when compelled by a court of law in the jurisdiction in which the certification authority resides.
Limits on Public Participation
The IRTNOG Certification Authority SHOULD NOT issue certificates to (or sign certificates for) members of the general public.
The IRTNOG Certification Authority MAY make public the CA's certificate revocation list (CRL) in addition to this CA's own certificate (a.k.a. "the CA certificate"). The IRTNOG Certification Authority DOES NOT guarantee the integrity or the availability of either the CRL or the CA certificate.
The public CRL Distribution Point (CDP) is http://web.irtnog.org/ca.crl.
The public Authority Information Access (AIA) is http://web.irtnog.org/ca.crt.
Revocation
The IRTNOG system administrators MAY, at any time and for any reason, temporarily or permanently revoke any certificate issued by this CA.
- Key Compromise
- In the event that keying material related to a certificate issued by the IRTNOG Certification Authority is disclosed, altered, or destroyed, the subject of the certificate (or the subject's administrators) MUST contact the IRTNOG system administrators as soon as possible. The IRTNOG system administrators SHALL place the certificate in question on hold while they confirm that certificate's compromise. Upon confirmation, the IRTNOG system administrators MUST permanently revoke the certificate using the "key compromise" reason code.
- Cessation of Operation
- In the event that a certificate issued by the IRTNOG Certification Authority is no longer needed or used, the subject of the certificate (or the subject's administrators) MUST contact the IRTNOG system administrators as soon as possible. The IRTNOG system administrators SHALL place the certificate in question on hold while they confirm that certificate's cessation of operation. Upon confirmation, the IRTNOG system administrators MUST permanently revoke the certificate using the "cessation of operation" reason code.
- Continued Operation Under a New Certificate
- If a subject will continue operation with a new certificate (instead of terminating operations altogether), the IRTNOG system administrators MUST permanently revoke the old certificate using the reason code "superseded" (if merely replacing the old certificate with a new one issued by the IRTNOG Certification Authority) or "affiliation changed" (if replacing the certificate with one issued by a different certification authority), instead of "cessation of operation".
- Operational Security
- The IRTNOG system administrators MAY, at their discretion or at the request of a certificate's subject (or the subject's administrators), obscure the reason for revoking a certificate by using the "unspecified" reason code.
- Positive Notification
- The IRTNOG system administrators SHOULD notify a certificate's subject (or the subject's administrators) of the result of any revocation operation.
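As an added illustration (not part of this CPS or of IRTNOG's own tooling), the following Python script uses the `cryptography` library to show how the hold-then-revoke procedure above is represented in a CRL, and how a relying party that fetched the CRL from the CDP would verify it and read the reason code. The CA key, issuer name, and serial numbers are constructed samples.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# The CPS's revocation reasons mapped to RFC 5280 CRLReason codes; "on hold"
# while a report is being confirmed is the certificateHold code.
HOLD = x509.ReasonFlags.certificate_hold
PERMANENT = {"key compromise": x509.ReasonFlags.key_compromise,
             "cessation of operation": x509.ReasonFlags.cessation_of_operation,
             "superseded": x509.ReasonFlags.superseded,
             "affiliation changed": x509.ReasonFlags.affiliation_changed,
             "unspecified": x509.ReasonFlags.unspecified}

def build_crl(ca_key, ca_name, entries):
    """Sign a CRL listing each (serial, ReasonFlags) pair in entries."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
               .last_update(now).next_update(now + datetime.timedelta(days=7)))
    for serial, reason in entries:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())

def certificate_status(crl, ca_public_key, serial):
    """Relying-party check: 'good', 'hold', or 'revoked:<reasonCode>'."""
    # Never trust a CRL whose signature does not verify against the CA key
    # (the CPS guarantees neither the CDP's integrity nor its availability).
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified  # RFC 5280: absent reason means unspecified
    return "hold" if reason == HOLD else "revoked:" + reason.value

# Constructed sample (not IRTNOG's real key or CRL): a throwaway CA key and three
# serials in the states the revocation section describes.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample CA")])
SAMPLE_CRL = build_crl(CA_KEY, CA_NAME, [
    (1001, HOLD),                         # compromise reported, awaiting confirmation
    (1002, PERMANENT["key compromise"]),  # compromise confirmed
    (1003, PERMANENT["superseded"])])     # replaced by a new certificate from this CA
```

A certificate on hold can later be removed from the CRL if the report is not confirmed, whereas the permanent reason codes are final, which is why the script distinguishes the two states.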
Certificate Types
The IRTNOG Certification Authority MAY issue the following types of certificates to (or sign the following types of certificates for) authorized users (or components) of IRTNOG's computer systems. (This is not an exclusive list.)
| Name | Description | Key Usage | Subject Type |
|---|---|---|---|
| Administrator | Allows trust list signing and user authentication | Signature and encryption | User |
| Authenticated Session | Subject can authenticate to a Web server | Signature | User |
| Basic EFS | Used by Encrypting File System (EFS) to encrypt data | Encryption | User |
| CEP Encryption | Allows the holder to act as a registration authority (RA) for simple certificate enrollment protocol (SCEP) requests | Encryption | Computer |
| Code Signing | Used to digitally sign software | Signature | User |
| Computer | Allows a computer to authenticate itself on the network | Signature and encryption | Computer |
| Domain Controller | All-purpose certificates held by domain controllers | Signature and encryption | Computer |
| EFS Recovery Agent | Allows the subject to decrypt files previously encrypted with EFS | Encryption | User |
| Enrollment Agent | Used to request certificates on behalf of another subject | Signature | User |
| Enrollment Agent (computer) | Used to request certificates on behalf of another computer subject | Signature | Computer |
| Exchange Enrollment Agent (offline request) | Used to request certificates on behalf of another subject and supply the subject name in the request | Signature | User |
| Exchange Signature Only | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail | Signature | User |
| Exchange User | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail | Encryption | User |
| IPSec | Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication | Signature and encryption | Computer |
| IPSec (offline request) | Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request | Signature and encryption | Computer |
| Router (offline request) | Used by a router when requested through SCEP from a CA that holds a CEP Encryption certificate | Signature and encryption | Computer |
| Smartcard Logon | Allows the holder to authenticate using a smart card | Signature and encryption | User |
| Smartcard User | Allows the holder to authenticate and protect e-mail using a smart card | Signature and encryption | User |
| Subordinate Certification Authority | Used to prove the identity of the root certification authority, issued by the parent or root certification authority | Signature | CA |
| Trust List Signing | The holder can digitally sign a trust list | Signature | User |
| User | Certificate to be used by users for e-mail, EFS, and client authentication | Signature and encryption | User |
| User Signature Only | Allows users to digitally sign data | Signature | User |
| Web Server | Proves the identity of a Web server | Signature and encryption | Computer |
(The content of this table comes from Microsoft's Certificate Template Overview.)
NO WARRANTY OR GUARANTEE
BECAUSE THE IRTNOG CERTIFICATION AUTHORITY IS OPERATED PRIVATELY AND IS FREE OF CHARGE, THERE IS NO WARRANTY FOR CERTIFICATES ISSUED OR SIGNED BY THIS CERTIFICATION AUTHORITY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING, THE IRTNOG CERTIFICATION AUTHORITY PROVIDES CERTIFICATES "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE CERTIFICATES IS WITH YOU. SHOULD THE CERTIFICATES PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY CERTIFICATE ISSUER, ANY CERTIFICATE HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE CERTIFICATES AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE CERTIFICATES (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE CERTIFICATE TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.