|
Draft: 1 Date: May 16, 2006 |
| Item | SubItem | Description | Importance |
|---|---|---|---|
| 1 | User Interface | ||
| a | Assumption that this is an on-line CA | ||
| b | Direct support for Internet Explorer | ||
| c | Direct support for FireFox | ||
| d | Direct support for Netscape | ||
| e | Direct support for other browsers | ||
| f | Cut and paste web interface for uploading certificate requests. Can be especially important for server certificates. | ||
| 2 | CA Operation and Security | ||
| a | Use of native OpenSSL with "Engine" support to enable the use of HSMs for CA Private Key Protection | ||
| a-1 | Directs support and documentation for Rainbow iKey and/or Alladin eToken for low-throughput CAs | ||
| a-2 | Direct support for nCipher and/or other high-speed HSMs | ||
| b | Rational software mechanism for CA private key protection | ||
| c | Ability to sign requests for End Entity certificates | ||
| d | Ability to generate key pair and request and deliver a PKCS-12 containing the user's key pair, their personal certificate, and the root and intermediate certificates. | ||
| e | CA will maintain a database of the certificates that it issues | ||
| f | Support for revocation and the needed datanase/directory | ||
| g | Ability to email the end user receiving the certificate with instructions, a copy of a click-through agreement, etc | ||
| 3 | Default Certificate Profile | ||
| a | By default upon installation, the CA will issue certificates using the PKI-Lite certificate profile for users. A matching profile for server certificates needs to be developed. Some fields such as Subject, SubjectAlt Name, and Serial Number will vary for each certificate issued. Naming information will come from the validated user's certificate request. | ||
| 4 | Logging Information | ||
| a | Each certificate issued | ||
| b | Each certificate revoked | ||
| c | Failed request validations | ||
| d | ?? | ||
| 5 | Campus Identity Management Interface | ||
| a | Assume that the site will preauthenticate the user and deliver the validated user in the Remote User environment variable? | ||
| b | Assume that the site will provide whatever data is needed to validate the request. A likely interface might be a call-out that the CA can make, providing the user's login name and receiving back the information needed to validate the certificate request. What information in the request should be validated? | ||
| 6 | Installation Process :-) | ||
| a | ./configure | ||
| b | make install | ||
| 7 | Documentation | ||
| a | Recommended campus deployment guide | ||
| b | USHER subordination how-to | ||
| c | Summary of known-supported applications | ||
| 8 | Some software candidates | ||
| a | CA software developed by HEPKI schools | ||
| b | Our Opensource crypto software list. |