S.E.E. PKI Certificate Policy Version 2.0

SEEKEY Certificate Table

Alphanumeric OID / numeric OID / Attributes

Description of characteristics

CN Example

SEEKEY PASSPORT

2.16.554.101.2.1.1.1

PASSPORT, SMART-TOKEN, ID, [SIGN,] [ENCRYPT]

Personal certificate.

The individual is identified using the Gatekeeper 100 point system and the certificate is not tied to a particular organisation; the DN O field is left blank.

MUST be on a hardware token.

Typically ID.

Optionally SIGN.

Optionally ENCRYPT.

O= CN=Joe Bloggs [SEEKEY PASSPORT]

E=joe.bloggs@ssc.govt.nz

SEEKEY BUSINESS-CARD

2.16.554.101.2.1.1.2

BUSINESS CARD, SMART-TOKEN, ID, [SIGN,] [ENCRYPT]

Employer issued certificate.

MUST be on hardware token.

Typically ID.

Optionally SIGN.

Optionally ENCRYPT.

O=State Services Commission CN=Joe Bloggs [SEEKEY BUSINESS-CARD]

E=joe.bloggs@ssc.govt.nz

SEEKEY ASSOCIATE

2.16.554.101.2.1.1.3

ASSOCIATE, ID, [SIGN,] [ENCRYPT]

Organisation issued associate certificate.

OPTIONAL hardware token.

Typically ID.

Optionally SIGN.

Optionally ENCRYPT.

SHOULD have an OU= liability statement.

O= State Services Commission OU= For internal use only. We disclaim any liability from third parties accepting this certificate for their own purposes. CN=Mary Smith [SEEKEY ASSOCIATE] E=mary.smith@someplace.co.nz

SEEKEY DEVICE

2.16.554.101.2.1.1.4

PASSPORT, ID, ENCRYPT or BUSINESS CARD, ID, ENCRYPT or ASSOCIATE, ID, ENCRYPT

Device certificate.

OPTIONAL hardware token.

Typically ID and ENCRYPT.

Optionally SIGN.

NB: Web server certificates cannot use the CN qualifiers, as common practice is for the DNS name to match the CN.

O=State Services Commission CN=webserver.ssc.govt.nz E=webmaster@ssc.govt.nz

SEEKEY BUSINESS-ROLE

2.16.554.101.2.1.1.5

BUSINESS CARD, SMART-TOKEN, ID, [SIGN,] [ENCRYPT]

Employer issued role certificate.

MUST be on a hardware token.

Typically ID.

Optionally SIGN.

Optionally ENCRYPT.

MUST be issued on a limited basis, to a group of users.

SHOULD have a unique number for each token.

SHOULD have a register showing user / token unique number.

TOKEN may be shared among group of users.

O=State Services Commission CN=Helpdesk [SEEKEY BUSINESS-ROLE] E=helpdesk@ssc.govt.nz

SEEKEY ASSOCIATE-ROLE

2.16.554.101.2.1.1.6

ASSOCIATE, SMART-TOKEN, ID, [SIGN,] [ENCRYPT]

Organisation issued role certificate.

MUST be on a hardware token.

Typically ID.

Optionally SIGN.

Optionally ENCRYPT.

MUST be issued on a limited basis, to a group of users.

SHOULD have a unique number for each token.

SHOULD have a register showing user / token unique number.

SHOULD have an OU= liability statement.

O=State Services Commission OU= For internal use only. We disclaim any liability from third parties accepting this certificate for their own purposes. CN=Helpdesk [SEEKEY ASSOCIATE-ROLE] E=helpdesk@someplace.co.nz

SEEKEY MEMBERSHIP

2.16.554.101.2.1.1.7

PASSPORT, ID or BUSINESS CARD, ID or ASSOCIATE, ID

The concept of Organisation can be covered by Role e.g. a role of "Common Seal of the Company" represents an organisation. The concept of Delegation can be covered by Role. For instance, a PA has the delegated authority to act on behalf of the CEO in certain areas. The PA would have the role of "PA to the CEO". The PA may sign on behalf of the CEO - typically there are other checks and balances to manage issues such as misrepresentation.

The concept of Membership, Registration, Certification or similar capability can be covered by Membership. Typically several people will have the same Membership certificate.

Membership certificate.

Organisational name must match authority that approves membership.

OPTIONAL hardware token.

ID only.

NO SIGN or ENCRYPT.

MAY have duplicates.

MUST be issued on a limited basis, to a group of users.

MUST have a unique number for each token.

MUST have a register showing user / token unique number.

SHOULD have an OU= liability statement.

Different types of membership can be achieved by adding a 3rd part to the name.

O= GOVIS OU= GOVIS warrants this certificate for the purposes of membership only CN=Joe Bloggs [SEEKEY MEMBERSHIP-GOVIS-ASSOCIATE]

O= GOVIS OU= GOVIS warrants this certificate for the purposes of membership only CN=Joe Bloggs [SEEKEY MEMBERSHIP-GOVIS-FELLOW]

SEEKEY PROXY

2.16.554.101.2.1.1.8

PASSPORT, PROXY, SIGN, ENCRYPT or BUSINESS CARD, PROXY, SIGN, ENCRYPT

Organisation signing on behalf of an individual.

OPTIONAL hardware token.

Typically ID, SIGN, ENCRYPT.

Typically used by mail gateways to generate a certificate on the fly for an individual, in order to sign an outgoing e-mail. This allows S/MIME to individual e-mail clients to work without generating an error message.

SHOULD have an OU= liability statement.

O= State Services Commission OU= Proxy certificate used by mail server CN=Joe Bloggs [SEEKEY PROXY] E=joe.bloggs@ssc.govt.nz

SEEKEY PROXY-ACCESS

2.16.554.101.2.1.1.9

BUSINESS CARD, PROXY, ACCESS

Organisation access to a protected resource, e.g. part of a web server, through a proxy mechanism.

Organisation confirms user identity through minimum of username/password.

Organisation assigns unique username/password to each individual.

NO ID, SIGN or ENCRYPT.

SHOULD have an OU= liability statement.

O= State Services Commission OU= Proxy certificate used by web server CN=Joe Bloggs [SEEKEY PROXY-ACCESS] E=joe.bloggs@ssc.govt.nz

SEEKEY ACCESS-CARD

2.16.554.101.2.1.1.10

BUSINESS CARD, SMART-TOKEN, ACCESS or ASSOCIATE, SMART-TOKEN, ACCESS

General purpose certificate.

MUST be on a hardware token.

NO ID, SIGN or ENCRYPT.

MAY have duplicates.

SHOULD have an OU= liability statement.

O= State Services Commission OU= No validity for signing CN=Laptop [SEEKEY ACCESS-CARD]

SEEKEY ANON-ACCESS-CARD

2.16.554.101.2.1.1.11

ANONYMOUS, SMART-TOKEN, ACCESS

General purpose certificate.

MUST be on a hardware token.

NO ID, SIGN or ENCRYPT.

MAY have duplicates.

SHOULD have an OU= liability statement.

O= - OU=No validity for signing CN=12345678 [SEEKEY ANON-ACCESS-CARD]
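An added example, not part of the policy page: a relying-party check of a certificate's subject fields against the table above, rejecting a use that a row rules out (for instance signing with an ACCESS-CARD certificate). The function names, the dict form of the DN and passing the intended use as a label are assumptions; it inspects subject text only, not extensions or the token.

```python
import re

# Rows transcribed from the table: CN qualifier -> (numeric OID, permitted uses).
FULL = {"ID", "SIGN", "ENCRYPT"}
PROFILES = {
    "PASSPORT":         ("2.16.554.101.2.1.1.1", FULL),
    "BUSINESS-CARD":    ("2.16.554.101.2.1.1.2", FULL),
    "ASSOCIATE":        ("2.16.554.101.2.1.1.3", FULL),
    "BUSINESS-ROLE":    ("2.16.554.101.2.1.1.5", FULL),
    "ASSOCIATE-ROLE":   ("2.16.554.101.2.1.1.6", FULL),
    "MEMBERSHIP":       ("2.16.554.101.2.1.1.7", {"ID"}),
    "PROXY":            ("2.16.554.101.2.1.1.8", FULL),
    "PROXY-ACCESS":     ("2.16.554.101.2.1.1.9", {"ACCESS"}),
    "ACCESS-CARD":      ("2.16.554.101.2.1.1.10", {"ACCESS"}),
    "ANON-ACCESS-CARD": ("2.16.554.101.2.1.1.11", {"ACCESS"}),
}
# Rows whose description says "SHOULD have an OU= liability statement".
OU_EXPECTED = {"ASSOCIATE", "ASSOCIATE-ROLE", "MEMBERSHIP", "PROXY",
               "PROXY-ACCESS", "ACCESS-CARD", "ANON-ACCESS-CARD"}
QUALIFIER = re.compile(r"\[SEEKEY ([A-Z0-9-]+)\]\s*$")

def classify(cn):
    """Return (profile, membership sub-type) from the CN qualifier, else (None, None)."""
    m = QUALIFIER.search(cn)
    q = m.group(1) if m else ""       # no qualifier, e.g. a DEVICE web server CN
    if q in PROFILES:
        return q, None
    if q.startswith("MEMBERSHIP-"):   # only MEMBERSHIP takes a 3rd name part
        return "MEMBERSHIP", q[len("MEMBERSHIP-"):]
    return None, None

def check(dn, use):
    """dn: dict of already-parsed O/OU/CN strings (assumed); use: intended purpose."""
    profile, _ = classify(dn.get("CN", ""))
    if profile is None:
        return None, ["no recognised SEEKEY qualifier in CN"]
    oid, allowed = PROFILES[profile]
    findings = []
    if use not in allowed:
        findings.append(f"{profile} does not permit {use}")
    if profile == "PASSPORT" and dn.get("O", "").strip():
        findings.append("PASSPORT requires a blank O field")
    if profile in OU_EXPECTED and not dn.get("OU", "").strip():
        findings.append("OU liability statement missing (SHOULD)")
    return oid, findings

# DN from the table's ACCESS-CARD example, presented here (constructed case) for signing.
laptop = {"O": "State Services Commission", "OU": "No validity for signing",
          "CN": "Laptop [SEEKEY ACCESS-CARD]"}
print(check(laptop, "SIGN"))
```

An unqualified CN returns no OID here; a DEVICE certificate (2.16.554.101.2.1.1.4) has to be recognised by other means, since the table's web server example carries only the DNS name.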

