Higher Education PKI-Lite
End Entity Certificate Profile

Document: hepki-tag-pkilite-profile-07.html
Editor: James Jokl
Date: March 12, 2002
Comments to: hepki-tag@internet2.edu

Reference: Implementors should reference RFC-2459 for additional details.

HE-PKI-Lite Certificate Profile Summary Table

Field Name Value Example Specified Explanation

Version 0x2 0x2 Y Version 3 certificates are specified by the PKI-lite profile

Serial Number a unique integer 334 Y An integer that is unique to all certificates issued by your CA.

Signature Algorithm SHA1/RSA N We recommend the use of SHA1/RSA. You are likely to experience interoperability problems if you choose DSA.

Issuer DN Identical to the CA's Subject field. Typically:
cn=your pki's name, o=YourUniversity, c=US, dc=youruniversity, dc=edu Y This field is defined by the Certification Authority that signs this End Entity certificate. HEPKI-TAG recommends that you keep this field simple when you design your CA to avoid problems with some software. The use of domain component naming as per the HEPKI-TAG dc naming recommendation is optional. Notes for PKI implementors

Validity Time Not valid before: date
Not valid after: date plus 12 to 13 months Y Notes for PKI implementors

Subject DN E=jas@youruniversity.edu, cn=Joe A. Smith, ou=your PKI's name, o=YourUniversity, c=US, dc=youruniversity, dc=edu Y HEPKI-TAG recommends that you keep this field simple to avoid problems with some software. The use of domain component naming as per the HEPKI-TAG dc naming recommendation is optional. Notes for PKI implementors

Public Key N Recommend a minimim of a 1024 bit key. Notes for PKI implementors

Certificate Extensions

Key Usage N Key usage is not specified by the PKI-lite profile. We suggest either skipping this extension or specifying Digital Signature and Key Encipherment.

Basic Constraints CA=false CA=false Y This field can also be left out as the default value for an End Entity certificate is False.

CRL Distribution Points N If the certificate specifies a CRL location, the CA must produce CRLs. Furthermore, the CA must update the CRL as promised in the CRL's next issue field. Notes for PKI implementors

Certification Policy HE PKI-Lite Policy OID N We recommend that you omit the HEPKI PKI-Lite policy OID. If you are willing to take some risk about how future applications may interpret this field you may choose to include the HE PKI-Lite policy OID. If this field is included, the meaning of the OID should be described in the Certification Policy and Practices statement.

Subject Alt Name E= email:jas@youruniversity.edu Y The Email identifier should be in both the Subject and SubjectAlt name field if S/MIME is a planned application.

CPS Pointer URI Pointer to CA's Certification Practices Statement Y The publication of a Certification Practices Statement is required by the HE PKI-Lite Policy. This pointer should point to an on-line copy of your Certification Policy and Certification Practices Statement. Notes for PKI implementors

Other fields ? CAs may include other elements in certificated as needed. HEPKI-TAG recommends that certificates be kept as simple as possible to maximize interoperability.

HE-PKI-Lite Certificate Profile Summary Table
Field Name	Value	Example	Specified	Explanation
Version	0x2	0x2	Y	Version 3 certificates are specified by the PKI-lite profile
Serial Number	a unique integer	334	Y	An integer that is unique to all certificates issued by your CA.
Signature Algorithm	SHA1/RSA		N	We recommend the use of SHA1/RSA. You are likely to experience interoperability problems if you choose DSA.
Issuer	DN	Identical to the CA's Subject field. Typically: cn=your pki's name, o=YourUniversity, c=US, dc=youruniversity, dc=edu	Y	This field is defined by the Certification Authority that signs this End Entity certificate. HEPKI-TAG recommends that you keep this field simple when you design your CA to avoid problems with some software. The use of domain component naming as per the HEPKI-TAG dc naming recommendation is optional. Notes for PKI implementors
Validity	Time	Not valid before: date Not valid after: date plus 12 to 13 months	Y	Notes for PKI implementors
Subject	DN	E=jas@youruniversity.edu, cn=Joe A. Smith, ou=your PKI's name, o=YourUniversity, c=US, dc=youruniversity, dc=edu	Y	HEPKI-TAG recommends that you keep this field simple to avoid problems with some software. The use of domain component naming as per the HEPKI-TAG dc naming recommendation is optional. Notes for PKI implementors
Public Key			N	Recommend a minimim of a 1024 bit key. Notes for PKI implementors
Certificate Extensions
Key Usage			N	Key usage is not specified by the PKI-lite profile. We suggest either skipping this extension or specifying Digital Signature and Key Encipherment.
Basic Constraints	CA=false	CA=false	Y	This field can also be left out as the default value for an End Entity certificate is False.
CRL Distribution Points			N	If the certificate specifies a CRL location, the CA must produce CRLs. Furthermore, the CA must update the CRL as promised in the CRL's next issue field. Notes for PKI implementors
Certification Policy	HE PKI-Lite Policy OID		N	We recommend that you omit the HEPKI PKI-Lite policy OID. If you are willing to take some risk about how future applications may interpret this field you may choose to include the HE PKI-Lite policy OID. If this field is included, the meaning of the OID should be described in the Certification Policy and Practices statement.
Subject Alt Name	E=	email:jas@youruniversity.edu	Y	The Email identifier should be in both the Subject and SubjectAlt name field if S/MIME is a planned application.
CPS Pointer	URI	Pointer to CA's Certification Practices Statement	Y	The publication of a Certification Practices Statement is required by the HE PKI-Lite Policy. This pointer should point to an on-line copy of your Certification Policy and Certification Practices Statement. Notes for PKI implementors
Other fields			?	CAs may include other elements in certificated as needed. HEPKI-TAG recommends that certificates be kept as simple as possible to maximize interoperability.

Certificate Profile Summary Table Legend

We recommend that no certificate extensions be marked critical.

Specified column

Y	The profile specifies the use of this field as documented.
N	The profile does not specify the usage but may recommend a way to use the field.
?	Still undecided.
italics	Example of an optional element.

HE PKI-Lite Certificate Profile Implementor Notes

Issuer Field
Some certification authorities have found it beneficial to place a version number into the CN of the Issuer field and increment this number with major changes to the CA.
Certificate Validity Period
The validity period of a HE-PKI-Lite certificate is recommended to be no longer than 13 months. Validity periods on the order of hours may be common for some CAs. This validity period was chosen to enable some low risk applications where authorization is implied given successful authentication (e.g. access to some site licensed library materials). However, as a general rule, authentication and authorization should be distinct processes whenever possible. Some institutions may choose to have student certificates expire during a rolling period of time in September. This will ensure that students are back on campus to ease the support workload and minimize help desk traffic by spreading certificate expirations across the month.
Subject Field
Implementors should consider planned applications before deciding on the naming convention used in Subject field of the certificates they issue. If S/MIME is a planned application, real user names with email addresses included in both the Subject and Subject Alternative Name are specified. If S/MIME is not a planned application, implementors may prefer to use a pseudo-anonymous identifier in the Subject field to enhance privacy. Some mechanism for campus application developers to map pseudo-anonymous identifiers into campus computing ids is likely to be needed if this mechanism is chosen. CA's issuing certificates containing real names and email addresses should ensure that their users understand that by using their certificate they are making this information available to the remote server. An analogy of showing your ID card to the remote server may be a useful way to explain the concept to your users.
The HE-PKI-Lite Policy requires the following attributes for a subject name:
- Subject names must uniquely map to an individual while the certificate is valid.
- Subject names should map uniquely to the same individual in perpetuity.
- The CA must publish its practice on the uniqueness of Subject names.
CRL Distribution Points
The HE-PKI-Lite profile does not require the use of revocation or CRLs. Our advice is to use CRLs to revoke certificates when the user's private key may have been compromised but to not use CRLs for other purposes. For example, we recommend the use of directory-based authorization after PKI-based authentication to handle cases such as when a student is no longer at the university or when a faculty member retires.
The HE-PKI-Lite Policy requires that CAs listing CRL Distribution Points implement the following practices:
- Certificates are actually revoked as needed.
- New CRLs are issued by the specified Next Issue date.
- The CA's revocation practice is documented in the CA's Certicication Practices Statement (CPS).
Public Key Length
There may be circumstances where key lengths shorter than 1024 are reasonable and acceptable. An example may be the case of short-lived certificates that don't need to provide long-term protection for data in an environment with limited computational resources. Key lengths of less than 1024 bits are not recommended for CAs issuing certificates with validity periods of many weeks or months.
Note: some older PKI software may have problems with key lengths of greater than 512 bits.
Certificate Practices Statement Pointer
HEPKI has developed a merged Certification Policy and Certification Practices Statement document template. This document is designed so that with a few small edits a campus will have a reasonable set of policy and practices documents ready for use.

Higher Education PKI-Lite End Entity Certificate Profile

Certificate Profile Summary Table Legend

HE PKI-Lite Certificate Profile Implementor Notes

Higher Education PKI-Lite
End Entity Certificate Profile