
Appendix B: Guidelines for Agencies Choosing a SEEMAIL

· Participating Agencies SHOULD ensure that their CA provides at least a five-day overlap between certificate renewal and expiry of existing certificates, to provide sufficient time for old certificates to be renewed without incurring a significant outage.

· Provide a full range of interfaces to the CRL, e.g. file, LDAP or OCSP.

Note: With regard to LDAP, there is no guaranteed common LDAP schema standard for all CAs. For BaycorpID, a certificate is easily found in their directory by setting the 'search base' to c=NZ, filtering on the e-mail address (domain-confidentiality-authority@agency.govt.nz), then requesting the 'usercertificate' attribute of the entry that is found.

· Provide a 'search base', 'filter spec', and certificate attribute name (e.g. 'usercertificate') by means of which certificates can be retrieved. (Note that the filter spec may be the entire distinguished name).
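
The following sketch is an added example, not part of the original guidelines or any CA's own tooling. It shows how the three retrieval parameters (search base, filter spec, certificate attribute) combine into an LDAP filter, an RFC 4516 URL and an OpenLDAP ldapsearch command line, with the e-mail address escaped per RFC 4515 so it can only match literally. The host name ldap.ca.example, the 'mail' attribute name and the anonymous bind are assumptions.

```python
from urllib.parse import quote

# RFC 4515 filter-value escapes: backslash, '*', '(', ')' and NUL.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_cert_lookup(host, search_base, email,
                      cert_attr="usercertificate", mail_attr="mail"):
    """Return the filter, RFC 4516 URL and ldapsearch argv for one lookup.

    mail_attr is an assumption: the note says to filter on the e-mail
    address but does not name the directory attribute that holds it.
    """
    filter_spec = f"({mail_attr}={escape_filter_value(email)})"
    # ldap://host/base?attributes?scope?filter, each part percent-encoded.
    url = "ldap://{}/{}?{}?sub?{}".format(
        host,
        quote(search_base, safe="=,"),
        quote(cert_attr, safe=";"),
        quote(filter_spec, safe="=()@"),
    )
    # Equivalent OpenLDAP client invocation (anonymous simple bind assumed).
    argv = ["ldapsearch", "-x", "-H", f"ldap://{host}", "-b", search_base,
            "-s", "sub", filter_spec, cert_attr]
    return {"filter": filter_spec, "url": url, "argv": argv}


if __name__ == "__main__":
    # Constructed host name; base, address and attribute are from the note.
    lookup = build_cert_lookup(
        "ldap.ca.example", "c=NZ",
        "domain-confidentiality-authority@agency.govt.nz")
    print(lookup["url"])
    print(" ".join(lookup["argv"]))
```

Passing argv as a list to a process launcher, rather than joining it into a shell string, keeps the parentheses in the filter from being interpreted by the shell.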

