bug 540: Adjustments to the CPS as voted by the policy group
authorMichael Tänzer <neo@nhng.de>
Thu, 22 Dec 2011 18:28:23 +0000 (19:28 +0100)
committerMichael Tänzer <neo@nhng.de>
Thu, 22 Dec 2011 18:28:23 +0000 (19:28 +0100)
Signed-off-by: Michael Tänzer <neo@nhng.de>
www/policy/CertificationPracticeStatement.html

index e17056b..2a9bd11 100644 (file)
@@ -3203,54 +3203,50 @@ The form of the PGP signatures depends on several factors, therefore no stipulat
 <h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
 
 <p>
-Client certificates include the following extensions:.
+  Client certificates include the following extensions:
 </p>
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment,cRLSign
-  </li><li>
-  </li><li>
-    extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-  </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
   <ul class="q">
     <li> what about Client Certificates Adobe Signing extensions ?</li>
     <li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
   </ul>
 
-
 <p>
-Server certificates include the following extensions:
+  Server certificates include the following extensions:
 </p>
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment
-  </li><li>
-    extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-  </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
 
 <p>
-Code-Signing certificates include the following extensions:
+  Code-Signing certificates include the following extensions:
 </p>
-
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment
-  </li><li>
-    extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
   <ul class="q">
     <li> what about subjectAltName for Code-signing</li>
   </ul>