Nitpicks #586

Merged
merged 35 commits into from
Mar 28, 2019
35 commits
c37f9bf
Update certificate-policy.md
Mar 26, 2019
0b4e396
Update certificate-policy.md
Mar 26, 2019
e9c4794
Update certificate-policy.md
Mar 26, 2019
c60af71
Update certificate-policy.md
Mar 26, 2019
786da48
Update certificate-policy.md
Mar 26, 2019
d312dd0
Update certificate-policy.md
Mar 26, 2019
3296b0a
Update certificate-policy.md
Mar 26, 2019
595afe7
Update certificate-policy.md
Mar 27, 2019
f6fc071
Update certificate-policy.md
Mar 27, 2019
ad15b40
Update certificate-policy.md
Mar 27, 2019
2481721
Update certificate-policy.md
Mar 27, 2019
14da78d
Update certificate-policy.md
Mar 27, 2019
5ebb2f0
Update certificate-policy.md
Mar 27, 2019
37090cd
Update certificate-policy.md
Mar 27, 2019
8677808
Update certificate-policy.md
Mar 27, 2019
308d0ac
Update certificate-policy.md
Mar 27, 2019
ce2d7b7
Update certificate-policy.md
Mar 27, 2019
ea63328
Update certificate-policy.md
Mar 27, 2019
978b33c
Update certificate-policy.md
Mar 27, 2019
f913811
Update certificate-policy.md
Mar 27, 2019
029aa3e
Update certificate-policy.md
Mar 27, 2019
709780d
Update certificate-policy.md
Mar 27, 2019
48f9c01
Update certificate-policy.md
Mar 27, 2019
dc0f2b2
Add files via upload
Mar 28, 2019
c10657f
Delete U.S. Federal Public Trust TLS Certificate Policy_version_1_0_d…
Mar 28, 2019
01c49a1
Add files via upload
Mar 28, 2019
0875d7a
Update certificate-policy.md
Mar 28, 2019
9da4847
Update certificate-profile-OCSP-responder.md
Mar 28, 2019
0dc34c7
Update certificate-profile-root-CA.md
Mar 28, 2019
bcca6f3
Update certificate-profile-server-authentication.md
Mar 28, 2019
896728c
Update certificate-profile-subordinate-CA.md
Mar 28, 2019
bd7c640
Update crl-profile.md
Mar 28, 2019
aebb2bc
Add files via upload
Mar 28, 2019
8e047ec
Update certificate-policy.md
Mar 28, 2019
b3980e2
Add files via upload
Mar 28, 2019
Binary file not shown.
168 changes: 84 additions & 84 deletions certificate-policy.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion certificate-profile-OCSP-responder.md
Expand Up @@ -21,4 +21,4 @@
| id-pkix-ocsp-nocheck {1.3.6.1.5.5.7.48.1.5} | Mandatory | False | Null |
| Extended Key Usage | Mandatory | True | **Required Extended Key Usage:** <br> id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} <br><br> **Prohibited Extended Key Usage:** <br> All others, including anyEKU EKU {2.5.29.37.0} |
| Certificate Policies | Mandatory | False | **Required Certificate Policy Fields:** <br>See Section 7.1.6.4. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA and covered by the OCSP responses. <br><br>**Optional Certificate Policy Fields:** <br> certificatePolicies:policyQualifiers <br> policyQualifierId id-qt 1 <br> qualifier:cPSuri |
| Authority Information Access | Optional | False | **Required AIA Fields:** <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272].
| Authority Information Access | Optional | False | **Required AIA Fields:** <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272].
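Review bot: the Authority Information Access row in this hunk never closes: both the removed and the added line end at `[RFC 5272].` with no trailing `|`, while every other row of the table (`id-pkix-ocsp-nocheck`, `Extended Key Usage`, `Certificate Policies`) ends with one, so the last cell can render differently from the rest. Since the line is already being edited, append the ` |`. The same row capitalises `Id-ad-caIssuers` where the subordinate CA profile in this PR writes the access method as `id-ad-caIssuers`; the lowercase form matches how the other OID names on these pages are written.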
2 changes: 1 addition & 1 deletion certificate-profile-root-CA.md
Expand Up @@ -12,7 +12,7 @@

| **Extension** | **Required** | **Critical** | **Value and Requirements** |
| :-------- | :----------------|:----------------|:----------------|
| subjectInfoAccess | Mandatory | False | id-ad-caRepository (1.3.6.1.5.5.7.48.5):<br>At least one instance of this access method shall be included. All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. |
| subjectInfoAccess | Mandatory | False | id-ad-caRepository (1.3.6.1.5.5.7.48.5):<br>At least one instance of this access method shall be included. All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |
| basicConstraints | Mandatory | True | cA=True <br> The pathLenConstraint field shall not be present. |
| subjectKeyIdentifier | Mandatory | False | Octet String <br> Derived using SHA-1 hash of the public key |
| keyUsage | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set. <br> If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set.|
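Review bot: `[RFC5272]` to `[RFC 5272]` changes a bracketed reference key, not just prose. If the policy's reference section defines a Markdown link under the old key `[RFC5272]`, this rename turns a resolving link into literal bracketed text; the definition (or the key the reference list uses) needs the same change, and the identical edits in the OCSP responder, server authentication and subordinate CA profiles in this PR should be checked the same way.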
4 changes: 2 additions & 2 deletions certificate-profile-server-authentication.md
Expand Up @@ -10,7 +10,7 @@ There are two (2) differences in the certificate profile implementations between
| **Field or Extension** | **Domain Validation** | **Organization Validation** |
| :-------- | :---: | :---: |
| Subject Identity Information | cn=\<one domain name>,c=US | cn=\<one domain name>,S=District of Columbia,O=U.S.Government,c=US |
| Certificate Policies | Asserts both the US Government and CAB Forum policy OIDs for Domain Validation | Asserts both the US Government and CAB Forum policy OIDs for Organization Validation |
| Certificate Policies | Asserts both the U.S. Government and CAB Forum policy OIDs for Domain Validation | Asserts both the U.S. Government and CAB Forum policy OIDs for Organization Validation |

Below is the full server authentication certificate profile with _all_ fields and extensions.
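Review bot: the Certificate Policies row now reads `U.S. Government` consistently, but the Subject Identity Information row two lines above still shows `O=U.S.Government` without a space. If that is the literal organizationName value the profile mandates it should stay as is, but if it was meant to match the prose it should be `O=U.S. Government`; worth confirming against the CP body before merging, since a DN value is what issuing CAs will copy.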

Expand All @@ -33,7 +33,7 @@ Below is the full server authentication certificate profile with _all_ fields an
| Extended Key Usage | Mandatory | False | **Required Extended Key Usage:** <br> Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1} <br><br> **Optional Extended Key Usage:** <br> Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2} <br> <br>**Prohibited Extended Key Usage:** <br> anyEKU EKU {2.5.29.37.0} <br> all others |
| Certificate Policies | Mandatory | False | **Required Certificate Policy Fields:** <br>See Section 7.1.6.4. One US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. <br><br>**Optional Certificate Policy Fields:** <br> certificatePolicies:policyQualifiers <br> policyQualifierId id-qt 1 <br> qualifier:cPSuri |
| Subject Alternative Name | Mandatory | False | This extension shall contain at least one entry. Each entry shall be a dNSName containing the Fully-Qualified Domain Name of a server. This extension shall not include any Internal Name values. <br> All entries shall be validated in accordance with Section 3.2.2.4. <br>Underscore characters (“_”) shall not be present in dNSName entries. |
| Authority Information Access | Mandatory | False | **Required AIA Fields:** <br> **OCSP** <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. |
| Authority Information Access | Mandatory | False | **Required AIA Fields:** <br> **OCSP** <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br><br> **Id-ad-caIssuers** <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |
| CRL Distribution Points | Optional | False | If included, shall include at least one HTTP URI to the location of a publicly accessible, full and complete CRL. The reasons and cRLIssuer fields shall be omitted. |
| Private Extensions | Optional | False | Only extensions that have context for use on the public Internet are allowed. Private extensions must not cause interoperability issues. CA shall be aware of and defend reason for including in the certificate, and use of Private Extensions shall be approved by the FPKI Policy Authority. |
| Transparency Information | Optional | False | If included, shall include two or more SCTs or inclusion proofs. <br> From RFC 6962, contains one or more "TransItem" structures in a "TransItemList".|
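Review bot: citation style is inconsistent within this hunk: the Authority Information Access row cites `[RFC 5272]` in bracketed reference form while the Transparency Information row cites `RFC 6962` bare; pick one form for the whole table. Two lines up, the Extended Key Usage row's prohibited list reads `anyEKU EKU {2.5.29.37.0}`, where the second `EKU` is redundant after `anyEKU`; the OCSP responder profile in this PR uses the same wording, so fix both together.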
4 changes: 2 additions & 2 deletions certificate-profile-subordinate-CA.md
Expand Up @@ -18,7 +18,7 @@
| subjectKeyIdentifier | Mandatory | False | Octet String <br> Derived using SHA-1 hash of the public key |
| keyUsage | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set. <br> If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set. |
| extkeyUsage | Mandatory | False | This extension is required for Technically Constrained Subordinate CAs per Section 7.1.5. <br> Required Extended Key Usage: <br> Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1} <br><br> Optional Extended Key Usage: <br> Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2} <br>id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} <br> Other values may be present consistent with use for server authentication, with approval by the FPKIPA. |
| certificatePolicies | Mandatory | False | See Section 7.1.6.3. At least one US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA. |
| authorityInformationAccess | Mandatory | False | OCSP: <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br>At least one instance of the OCSP responder access method shall be included. All instances of this access method shall include the HTTP URI name form.<br><br> id-ad-caIssuers: <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC5272]. |
| certificatePolicies | Mandatory | False | See Section 7.1.6.3. At least one U.S. Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA. |
| authorityInformationAccess | Mandatory | False | OCSP: <br> Publicly accessible URI of Issuing CA's OCSP responder accessMethod = {1.3.6.1.5.5.7.48.1} <br>At least one instance of the OCSP responder access method shall be included. All instances of this access method shall include the HTTP URI name form.<br><br> id-ad-caIssuers: <br> Publicly accessible URI of Issuing CA’s certificate accessMethod = {1.3.6.1.5.5.7.48.2} <br> All instances of this access method shall include the HTTP URI name form to specify an HTTP accessible location containing either a single DER encoded certificate, or a BER or DER encoded “certs-only” CMS message as specified in [RFC 5272]. |
| cRLDistributionPoints | Mandatory | False | At least one instance shall be included and shall specify a HTTP URI to the location of a publicly accessible CRL. All URIs included shall be publicly accessible and shall specify the HTTP protocol only. The reasons and cRLIssuer fields shall be omitted. |
| nameConstraints | Mandatory | True | See Section 7.1.5. |
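Review bot: the extension name `extkeyUsage` in this hunk does not follow the camelCase naming of the neighbouring rows (`subjectKeyIdentifier`, `keyUsage`, `certificatePolicies`, `authorityInformationAccess`, `cRLDistributionPoints`); rename it `extKeyUsage`. The same row abbreviates the approving body as `FPKIPA` while the server authentication profile in this PR spells out `FPKI Policy Authority`; one form throughout would avoid readers wondering whether these are two different bodies.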
2 changes: 1 addition & 1 deletion crl-profile.md
Expand Up @@ -7,7 +7,7 @@
| Issuer Distinguished Name | Distinguished Name of the CA Issuer |
| thisUpdate | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter <br> See Section 4.9.7 for publishing intervals. |
| nextUpdate | Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter <br> See Section 4.9.7 for validity period intervals. |
| Revoked Certificates List | 0 or more 2-tuple of certificate serial number and revocation date (Expressed in UTCTime for dates until end of 2049 and GeneralizedTime for dates thereafter ) |
| Revoked Certificates List | 0 or more 2-tuple of certificate serial number and revocation date (Expressed in UTCTime for dates until end of 2049 and GeneralizedTime for dates thereafter) |
| Issuer Signature | sha256 WithRSAEncryption {1 2 840 113549 1 1 11} |
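Review bot: the whitespace fix in the Revoked Certificates List row is fine, but the Issuer Signature row in the same hunk has a stray space in `sha256 WithRSAEncryption` (the algorithm identifier is a single token, `sha256WithRSAEncryption`), and its OID is written space-separated as `{1 2 840 113549 1 1 11}` whereas every other OID in these profiles uses dotted form such as `{1.3.6.1.5.5.7.48.1}`; normalise both while this table is being touched.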

