Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the
right to ask for a certificate
e.g. by personal contact or some other rigorous method

The RA should be the appropriate person to make decisions on the right to
ask for a certificate and must follow the CP.


Communication between RA and CA
-------------------------------

Either by signed e-mail or some other acceptable method, e.g. personal
(phone) contact with known person


Minimum requirements for CA - Testbed 1
---------------------------------------

The issuing machine must be:
        a dedicated machine
        located in a secure environment
        be managed in an appropriately secure way by a trained person
        the private key (and copies) should be locked in a safe or other
secure place
        the private keu must be encrypted with a pass phrase having at least
15 characters
        the pass phrase must only be known by the Certificate issuer(s)
        not be connected to any network

minimum length of user private keys must be 1024
min length of CA private key must be 2048

requests for machine certificates must be signed by personal certificates or
verified by other appropriate means

lifetime of personal certificates should be no longer than one year.

question: how many farm nodes will require host certs?
How long should these certs live?

Every CA must generate and maintain a CRL.
The lifetime of the CRL should be no more than 30 days.
This must be updated immediately after every revocation and at least before
the expiry of the lifetime.

All clients must update their local copies of CRL's at least once per day.

Users must generate their own private key and must keep this private and
secure.

Revocation
----------

loss of or compromised private key
person left organisation
Can be requested by either the user or the RA


Publishing
----------

Publishing of user public keys is not required.


Recording - audit trail
-----------------------

RAs must record and archive
        all requests
        all confirmations

CAs must record and archive
        all requests for certs
        all issued certs
        all requests for revocation
        all issued CRLs
        login/logout/reboot of the issuing machine