Print

SK published the proposals for amendment of the Certification Policy and Certificate Profile of Organisation Certificates

24.11.2014

SK published the proposals for amendment of the Certification Policy and Certificate Profile of Organisation Certificates on the November 14th 2014. The proposals for amendment of both versions have been published for comment by 14.12.2014.

After the electronic publication of the proposals for amendment, customers have an opportunity to submit substantiated comments on the amendment proposals, which is followed by an analysis of comments submitted lasting for up to 30 days. A new version of the certification policy will be published in 60 days from the electronic publication of the proposal for amendment on the SK website or alternatively the amendment proposal will be withdrawn.

The draft version 3.0 of the Certification Policy applicable to Organisation Certificates is available here.
The draft version 2.0 of the Profile of Organisation Certificates is available here

Both documents will become effective on 13.02.2015 unless due to comments the amendment proposal is withdrawn.

Document drafts may be commented upon during a 30-day period up to 14.12.2014 via email to the address support[A]sk.ee.

The primary changes that have been implemented in new versions are provided below.

  • In order to ensure higher security, the signing algorithm used in the Certificate Revocation Lists (CRL) of Organisation Certificates is changed. The SHA-256 hashing algorithm will be adopted instead of SHA-1 algorithm used so far.
  • The list of permitted key algorithms has been added to in order to expand the opportunity to use different algorithms for issuing certificates.
  • A CAA record (Certification Authority Authorization record) description and non-handling in the processing of applications for the certificates. Addressing the CAA record in the policy is required on the basis of the Cabforum document titled "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" which SK as a certification authority must comply with in order to issue SSL certificates. As CAA records are not yet widely adopted and there are no reliable methods to verify them, SK is currently unable to assume the obligation of verifying these records.
  • The list of signers of the applications for the SSL server certificates has been added to.

The content of all changes is available in further detail in the document drafts.