-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title: Unzane Certificate Authority Policy
Author: Gerald Turner
Date: Fri May 2 01:15:35 UTC 2014

* Policy

The 'Unzane Certificate Authority (ECDSA)' and 'Unzane Certificate Authority (RSA)' are self-signed X.509 Certificate Authorities maintained by Gerald Turner. Each CA has signed an intermediate certificate, 'Unzane Intermediate Certificate Authority (ECDSA)' and 'Unzane Intermediate Certificate Authority (RSA)' respectively.

The intermediates are used for signing various TLS services hosted within the DNS zone 'unzane.com'. These TLS-enabled services include at least the LDAP, SMTP, IMAP, XMPP, IPsec IKE, and HTTPS protocols.

In the future the intermediates may be used to sign certificates of services *outside* of the DNS zone 'unzane.com', but this will be limited to services operated by people with whom I, Gerald Turner, have a personal relationship.

* Revocation

Certificate Revocation Lists are published at the distribution points https://www.unzane.com/x509/revocation-ecdsa.pem and https://www.unzane.com/x509/revocation-rsa.pem.

In the event that an individual service is compromised, lost, or abandoned, its certificate will be published to the CRL, unless the key is deemed adequately destroyed (such as the IPsec key of a portable device that is decommissioned).

In the event that the intermediate keys are compromised, all certificates signed by the intermediate and the intermediate certificate itself will be published to the CRL.

If the offline root CA key is ever compromised (blackbagged), the CRL shall be updated with revocations of every descendant certificate, and then a new CA will be created with a different CRL distribution point URL.

* Technical Details

Certificate management is performed using GnuTLS 'certtool' version 3.2 and some light shell scripting. The certtool argument '--sec-param=ultra' confers some absurd key sizes: RSA 15424!

certtool supports generating ECDSA keys; unfortunately only the NIST curves are supported, as is the case with most software (OpenSSL, NSS, etc.).

Many of the usual X.509/X.500 Subject fields have been ignored (such as Country, State, Organizational Unit, etc.). Since the X.509 structure supports Unicode, the Organization field within the subject has been set to 🆄🅽🆉🅰🅽🅴 (vain use of Unicode 6.0).

Expiration dates have been set to the "Year 2038" bug. Activation dates have been set to the time of the public disclosure of the OpenSSL Heartbleed vulnerability.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJTkjBqXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQyNDg1Q0Q2RDIzMEY2RUE3RDI5Njg0QzZC
Q0EwMUYwNzcxQTk2RkNEAAoJELygHwdxqW/NlNgQALLvbxKQn4lUWl1paV+fml2N
BL3Oi9Y1fWkPK71M6tNEsMluBqoUhjCETi0nicO9jVDz1TxNV/gTc8MI4FEmILSn
tnJqKge8ECCyEg4VnKSq7ImhvyvXJ6yYtxup/NFJDYLgE/uaC2I1tVJ1stuJmMUB
hG2GOCgB2lGM68Ml2v92vwgZNNbV3JB+5iaDoeVTpGjObtLbNf6vQsRRVSuoe6eS
KivANHsaiTd1+Cf+GvpNc8uX9vlIYiNoOy+frMCgTXY7+pyOyOPRIp9DpvJGI94B
gg9dzemOC0d9WQXwGNBr7WvVXC+NXAcwEm1ejA4JkPRbcZxBHUDPF9WqlTuoIGjt
Nt1M0LQ8bcQi2WHColOFGeY5Rkdv2NMB0oT3PEaRaUY7yunNpko4lmKae1W3EY6f
xt0QsCIz9sp9MAwszNHEATE9mqXsaRABOqPV8xvuKYqYeBqNFw4SCFJ4xIYoAWPe
DCLRNbzIgke6UXLD3tm8YhIp0HjyGS6SM9lTZFzZIwX+kcxZhW09SCZZ6K63pnBR
S5BkUE2FKO63dFvrVT9dymx8mbwMHWgKAcTcn9vfuJTcRXHyEmBDZ23E4fM92qU1
eJfm9AJxZxaPPs0PFqb2fPvETVPI7MSp+XfEagCG5xTTD6LoCRsGsPjt1FY/OGkQ
QcQL4I45vbziI/R5jepg
=/mMh
-----END PGP SIGNATURE-----
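The certtool workflow sketched under "Technical Details" (root, intermediate, service certificate, Unicode Organization, fixed activation and expiration dates) together with the CRL handling described under "Revocation", written out as an added example. This is not the unzane.com scripting and it does not touch that zone: it assumes GnuTLS certtool on PATH, uses the ECDSA branch only, a constructed placeholder hostname (imap.example.invalid), file names of its own choosing, and treats the Heartbleed disclosure instant as 2014-04-07 00:00:00 UTC and the Year 2038 instant as 2038-01-19 03:14:07 UTC, which the policy text does not spell out. The CRL distribution point URL is the ECDSA one from the policy. Everything is written to a throwaway directory.

```shell
#!/bin/sh
# Added example, not the unzane.com scripts. Builds root -> intermediate ->
# service certificate with GnuTLS certtool, then revokes the service
# certificate via a CRL and verifies both the chain and the CRL signature.
set -eu

CRL_URL="https://www.unzane.com/x509/revocation-ecdsa.pem"   # from the policy
ACTIVATE="2014-04-07 00:00:00"   # Heartbleed disclosure day; exact time assumed
EXPIRE="2038-01-19 03:14:07"     # the Year-2038 rollover instant (UTC)

# Write a certtool template. $1 = path, $2 = common name, $3 = root|intermediate|server
write_template() {
  {
    printf 'organization = "🆄🅽🆉🅰🅽🅴"\n'      # Unicode O field, as in the policy
    printf 'cn = "%s"\n' "$2"
    printf 'activation_date = "%s"\n' "$ACTIVATE"
    printf 'expiration_date = "%s"\n' "$EXPIRE"
    case "$3" in
      root)         printf 'ca\ncert_signing_key\ncrl_signing_key\n' ;;
      intermediate) printf 'ca\ncert_signing_key\ncrl_signing_key\n'
                    printf 'crl_dist_points = "%s"\n' "$CRL_URL" ;;
      server)       printf 'dns_name = "%s"\ntls_www_server\n' "$2"
                    printf 'encryption_key\nsigning_key\n'
                    printf 'crl_dist_points = "%s"\n' "$CRL_URL" ;;
    esac
  } > "$1"
}

# Generate keys and certificates in directory $1. certtool chatter goes to a log.
build_pki() {
  dir=$1; log="$dir/certtool.log"
  write_template "$dir/root.cfg" "Example Root CA (ECDSA)" root
  write_template "$dir/int.cfg"  "Example Intermediate CA (ECDSA)" intermediate
  write_template "$dir/svc.cfg"  "imap.example.invalid" server   # constructed host

  # Root: self-signed; --ecc selects ECDSA, ultra maps to the largest NIST curve.
  certtool --generate-privkey --ecc --sec-param=ultra --outfile "$dir/root.key" 2>>"$log"
  certtool --generate-self-signed --load-privkey "$dir/root.key" \
           --template "$dir/root.cfg" --outfile "$dir/root.crt" 2>>"$log"

  # Intermediate: signed by the root key (the key that stays offline in practice).
  certtool --generate-privkey --ecc --sec-param=ultra --outfile "$dir/int.key" 2>>"$log"
  certtool --generate-certificate --load-privkey "$dir/int.key" \
           --load-ca-privkey "$dir/root.key" --load-ca-certificate "$dir/root.crt" \
           --template "$dir/int.cfg" --outfile "$dir/int.crt" 2>>"$log"

  # Service certificate: signed by the intermediate, never by the root.
  certtool --generate-privkey --ecc --sec-param=ultra --outfile "$dir/svc.key" 2>>"$log"
  certtool --generate-certificate --load-privkey "$dir/svc.key" \
           --load-ca-privkey "$dir/int.key" --load-ca-certificate "$dir/int.crt" \
           --template "$dir/svc.cfg" --outfile "$dir/svc.crt" 2>>"$log"

  # Chain in the order a TLS server presents it: leaf, intermediate, root.
  cat "$dir/svc.crt" "$dir/int.crt" "$dir/root.crt" > "$dir/chain.pem"
}

# Exit 0 only if leaf -> intermediate -> root validates (dates included).
verify_chain() {
  certtool --verify-chain --infile "$1/chain.pem" >/dev/null 2>&1
}

# Revoke the service certificate: the intermediate signs a CRL listing it.
revoke_service() {
  printf 'crl_next_update = 365\ncrl_number = 1\n' > "$1/crl.cfg"
  certtool --generate-crl --load-ca-privkey "$1/int.key" --load-ca-certificate "$1/int.crt" \
           --load-certificate "$1/svc.crt" --template "$1/crl.cfg" \
           --outfile "$1/crl.pem" 2>>"$1/certtool.log"
}

# Exit 0 only if the CRL carries a valid signature from the intermediate.
verify_crl() {
  certtool --verify-crl --load-ca-certificate "$1/int.crt" --infile "$1/crl.pem" >/dev/null 2>&1
}

# Number of revoked entries listed in the CRL (one per "Revoked at:" line).
crl_revoked_count() {
  certtool --crl-info --infile "$1/crl.pem" 2>/dev/null | grep -c 'Revoked at' || true
}

main() {
  command -v certtool >/dev/null 2>&1 || { echo "certtool not installed; nothing done" >&2; return 0; }
  work=$(mktemp -d)
  build_pki "$work"
  verify_chain "$work" && echo "chain verified"
  revoke_service "$work"
  verify_crl "$work" && echo "CRL verified, revoked entries: $(crl_revoked_count "$work")"
  rm -rf "$work"
}
main
```

The root key is loaded only in the two steps that sign the intermediate, which is the boundary an offline root procedure enforces by keeping that file on separate media; the service certificate and the CRL are both produced with the intermediate key alone, matching the policy's "intermediates are used for signing" and "published to the CRL" statements.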