S.E.E. PKI Paper 12 - Certificate Types

2 Recommendations

2.1.1 We recommend:

  • Creating a unique policy OID for each certificate, in anticipation of being able to filter on policy extension in the future.

  • Using the OU= field to provide additional information.

  • Amending the S.E.E. PKI Certificate Policy to use the CN= field to differentiate certificate types, using the generic format "CN = Commonname [SEEKEY name]"

  • Creating and maintaining a SEEKEY Name list to be used to indicate certificate type.

  • For anonymous certificates, either "O= - and CN=ANONYMOUS arbitraryString", or "O=orgname and CN=ANONYMOUS arbitraryString".

  • That the Certificate Policy be amended: where "hardened softkeys" are available, they should be used in preference to normal softkeys.

  • When choosing whether to include ENCRYPT capability for end-user certificates, sponsors should consider whether they want their users to be able to receive and store encrypted data, and the information management issues surrounding long term storage and retrieval of encrypted information.

  • All S.E.E. Key certificates must have a policy extension for the Policy OID of the certificate type (e.g. 2.16.554.101.2.1.1.6), including a userNotice of the certificate type as it appears in the CN (e.g. [SEEKEY ASSOCIATE-ROLE]), and a cpsUri of http://see.govt.nz/pki/cp.html# suffixed with the certificate type (e.g. http://see.govt.nz/pki/cp.html#associate-role).
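As an added example (not code from the S.E.E. paper), the Python below DER-encodes the PolicyInformation structure that the last recommendation describes (policy OID 2.16.554.101.2.1.1.6 with a cpsUri qualifier and a userNotice qualifier, laid out as in RFC 5280) and checks that a certificate's CN, userNotice text and cpsUri all name the same SEEKEY type. The subject name "Jane Smith" and the assumption that SEEKEY names are spelt with upper-case letters, digits and hyphens are constructed for the example, not taken from the SEEKEY Name list.

```python
import re
# OIDs and URL prefix come from the recommendations above; the CN sample and
# the SEEKEY-name spelling rule ([A-Z][A-Z0-9-]*) are constructed assumptions.
CP_URL = "http://see.govt.nz/pki/cp.html#"
CN_RE = re.compile(r"^(?P<name>.+) \[SEEKEY (?P<type>[A-Z][A-Z0-9-]*)\]$")
ID_QT_CPS, ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.1", "1.3.6.1.5.5.7.2.2"  # RFC 5280

def der(tag, body):
    """DER TLV; length form covers bodies up to 255 bytes, enough here."""
    n = len(body)
    assert n < 0x100, "extend the length encoding for larger bodies"
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return der(0x06, bytes(out))

def policy_information_der(policy_oid, cps_uri, notice):
    """PolicyInformation ::= SEQUENCE { policyIdentifier, policyQualifiers }
    with a CPS qualifier (IA5String) and a UserNotice explicitText (UTF8String)."""
    cps = der(0x30, encode_oid(ID_QT_CPS) + der(0x16, cps_uri.encode("ascii")))
    unotice = der(0x30, encode_oid(ID_QT_UNOTICE)
                  + der(0x30, der(0x0C, notice.encode("utf-8"))))
    return der(0x30, encode_oid(policy_oid) + der(0x30, cps + unotice))

def seekey_type(cn):
    """SEEKEY name taken from a CN of the form "Commonname [SEEKEY name]"."""
    m = CN_RE.match(cn)
    return m.group("type") if m else None

def check_consistency(cn, notice, cps_uri):
    """List the fields whose value disagrees with the CN's SEEKEY name."""
    t = seekey_type(cn)
    if t is None:
        return ["CN is not of the form 'Commonname [SEEKEY name]'"]
    expected = {"userNotice": f"[SEEKEY {t}]", "cpsUri": CP_URL + t.lower()}
    actual = {"userNotice": notice, "cpsUri": cps_uri}
    return [f"{k} is {actual[k]!r}, expected {v!r}"
            for k, v in expected.items() if actual[k] != v]
```

The encoded bytes can be dropped into a certificatePolicies extension body (a SEQUENCE OF PolicyInformation), and check_consistency is the review step a registration authority would run before issuing.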
