Preamble
The Cynics at Large maintain a hierarchy of X509 certificates for their own use, and that of select associates and customers. While we are not in the business of running a commercial certificate authority, we understand that once we provide certificates for others to use, we become responsible for their security and orderly maintenance. Hence, these policy pages.
Summary
Here is a nontechnical paraphrase of the (somewhat technical) content below: We think we know what we are doing, and we think we are reasonably secure against electronic attack. At least one of us does this kind of thing for a living. If you use our certificates correctly, you should be able to get a better-than-average degree of security communicating with us. If you are wondering whether to trust this assessment, or how much trust to place in the proper functioning of our security certificates and associated machinery, read below for details, or ask a knowledgeable friend to do so for you.
We don't mean to attach any particular legal meaning to our certificates, so if you're interested in legally binding us to anything, you need to use other means (such as letters with physical signatures) to do so.
Physical Security and Practices
The private signing keys of our certificate authorities were generated and are maintained on a system that is not connected to any network. Certificate requests are signed offline; requests and signed objects are transported via removable media. The keys are protected with reasonably secure passphrases, and the computer hardware itself resides in a private residence with no public access. Backups of the signing system are encrypted.
Having said all that, you need to understand that we have taken no heroic measures to defend against physical assault. A burglar breaking into our home may carry off the hardware used for signing, leaving only the encryption passwords and procedures between her and compromise. Our defenses are geared primarily against network attacks, which we judge to be the most likely source of compromise.
Certificate Issuance Criteria
Here are the rules on why, how, and to whom we may issue certificates.
Cynical Root Certificate
The Cynical Root Certificate is the root of all certificates issued by us. Its purpose is to sign the active Cynical Signing Certificate and, should we ever issue certificates to third parties, the separate signing certificate for them described below. It will never sign a leaf certificate.
Cynical Signing Certificate
The active Cynical Signing Certificate signs only intermediate signing certificates designated for specific uses. It will never sign a leaf certificate.
Cynical Server Certificates
The Cynical Server Signing Key only signs server certificates for Cynics at Large. It will never sign anyone else's servers or services, nor will it sign any client certificates of any kind.
Cynical Client Certificates
The Cynical Client Signing Key only signs client certificates for Cynics at Large. It will never sign anyone else's client certificates, nor will it sign any server certificates of any kind.
Third Party Certificates
At some point, we may issue certificates to people who do not belong to The Cynics. If we do, these certificates will trace back to the Cynical Root Key, but not to the Cynical Signing Key. In other words, if we issue third party certificates of any kind, we will create a separate signing certificate, signed directly by our root certificate, to anchor that hierarchy. To avoid trusting such third party certificates, express trust in our signing (or server and/or client) certificates rather than our root. Be aware that not every implementation accepts a certificate that is not self-signed as a trust anchor; OpenSSL, for instance, only does so when told to accept partial chains.
The criteria for issuing such third-party signing certificates are solely at our whim. We consider each case individually. The only common thread is that after due consideration, we think that the recipient is a cool person or organization who we think deserves to be associated with us, and that we don't think we will feel ashamed of such an association. We might be proven wrong on that eventually, but we don't think so right now. If you are wondering why we signed any particular certificate, feel free to inquire.
If these rules sound too weird or vague to you, then by all means don't trust our root certificate. That's why we offer this hierarchy. It's your choice. You can trust The Cynics without extending your trust to our third party certificates by trusting the Cynical Signing Key mentioned above.
Online Access
We maintain online servers that can be used to determine the validity of certificates issued by us. Suitable X509v3 extensions (CRL Distribution Points and Authority Information Access) are embedded in all our certificates, referring to the locations of these services.
Root certificates can be retrieved at any time from our certificates page. These are plain ASN.1 (DER) format certificate files. Each certificate also contains extensions that refer to the signing certificates that make up its complete certificate chain.
Certificate revocation lists (CRLs) are available online. Each certificate contains a reference to the HTTP address where its current CRL can be retrieved. We also support OCSP and run our own responder over HTTP; our certificates carry the corresponding extension.
Revocation Policies
Cynics at Large maintain up-to-date certificate revocation lists (CRLs) for all our signing keys. These CRLs are available online via HTTP for either automatic or manual retrieval as needed. We do not currently publish a human-readable list of revoked certificates; use your computer's software as it was intended.
We will revoke our own certificates for all the usual reasons. We will revoke certificates issued to others at their request, after convincing ourselves that the request was authentic. We will also revoke a certificate issued to others if we determine, at our sole discretion, that any information given to us when we issued the certificate has changed in a way that would have changed our mind about issuing it. That does not imply anything bad; it may just mean that circumstances have changed somehow. If you are wondering why we revoked a particular certificate, feel free to inquire.
We also maintain an HTTP OCSP responder at http://certificates.cynic.org/ocsp/. This responder is freely accessible to anyone using our certificates. It will not respond for certificates of any other certificate authority.
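The following script is an added example, not the Cynics' own tooling. It builds a small hierarchy shaped like the one laid out under Certificate Issuance Criteria (a root, the signing certificate, a server-issuing intermediate, and a third-party intermediate signed directly by the root) and then uses openssl(1) to show that the issuance rules and the revocation policy above can be checked mechanically rather than taken on trust: the server leaf fails verification for client use, anchoring trust on the signing certificate instead of the root excludes the third-party branch (which needs OpenSSL's partial-chain flag, since the anchor is not self-signed), and a CRL issued by the server intermediate causes the revoked leaf to be rejected. It assumes OpenSSL 1.1.1 or later on the PATH with its default configuration file; all names, hostnames, serial numbers and URLs other than the OCSP URL are invented for the demo, and the keys are left unencrypted, unlike the passphrase-protected offline keys described above.

```shell
#!/bin/sh
# Added demo (not the Cynics' own tooling): build a hierarchy shaped like the
# one described on this page and check with openssl(1) that the stated policies
# are enforced by X.509 extensions and trust-anchor choice, not by promise alone:
#   root -> signing (pathlen 1) -> server CA (pathlen 0) -> server leaf
#   root -> third-party CA (pathlen 0) -> third-party leaf
# Assumptions: openssl 1.1.1+ with its default config; every name, hostname,
# serial and URL except the OCSP URL is made up; keys are unencrypted here.
set -eu

# expect_fail PATTERN CMD...: succeed only if CMD fails AND its output mentions
# PATTERN, so we know it failed for the reason we expect, not a typo elsewhere.
expect_fail() {
    pat=$1; shift
    out=$("$@" 2>&1) && return 1
    printf '%s\n' "$out" | grep -q "$pat"
}

# issue NAME SUBJECT ISSUER SERIAL EXT...: P-256 key + CSR for NAME, signed by
# ISSUER with exactly the extensions listed (ISSUER=self makes a root).
issue() {
    name=$1 subj=$2 issuer=$3 serial=$4; shift 4
    openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
    openssl req -new -key "$name.key" -out "$name.csr" \
        -subj "/O=Cynics at Large/CN=$subj" 2>/dev/null
    printf '%s\n' "$@" > "$name.ext"
    if [ "$issuer" = self ]; then
        signer="-signkey $name.key"
    else
        signer="-CA $issuer.crt -CAkey $issuer.key"
    fi
    # shellcheck disable=SC2086  (word splitting of $signer is intended)
    openssl x509 -req -in "$name.csr" $signer -set_serial "$serial" -days 365 \
        -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

run_demo() {
    work=$(mktemp -d); cd "$work"
    ca_ext='basicConstraints=critical,CA:TRUE'
    ku_ca='keyUsage=critical,keyCertSign,cRLSign'
    issue root    'Cynical Root'      self    1 "$ca_ext"           "$ku_ca"
    issue signing 'Cynical Signing'   root    2 "$ca_ext,pathlen:1" "$ku_ca"
    issue servca  'Cynical Server CA' signing 3 "$ca_ext,pathlen:0" "$ku_ca"
    issue thirdca 'Third Party CA'    root    4 "$ca_ext,pathlen:0" "$ku_ca"
    issue www 'www.example.org' servca 4097 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:www.example.org' \
        'crlDistributionPoints=URI:http://certificates.cynic.org/crl/servca.crl' \
        'authorityInfoAccess=OCSP;URI:http://certificates.cynic.org/ocsp/'
    issue third 'third.example.net' thirdca 4098 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' 'extendedKeyUsage=serverAuth'
    cat signing.crt servca.crt > server_chain.pem

    # 1. Purpose: a certificate from the server CA is usable as a server
    #    certificate and nothing else (extendedKeyUsage=serverAuth).
    openssl verify -CAfile root.crt -untrusted server_chain.pem \
        -purpose sslserver www.crt >/dev/null
    expect_fail 'unsupported certificate purpose' \
        openssl verify -CAfile root.crt -untrusted server_chain.pem -purpose sslclient www.crt
    echo '1. EKU limits www.crt to server use'

    # 2. Trust anchor: anchoring on the signing cert (not self-signed, hence
    #    -partial_chain) admits the Cynics' own certs but not third-party ones.
    openssl verify -CAfile root.crt -untrusted thirdca.crt third.crt >/dev/null
    openssl verify -partial_chain -CAfile signing.crt -untrusted servca.crt www.crt >/dev/null
    expect_fail 'issuer certificate' \
        openssl verify -partial_chain -CAfile signing.crt -untrusted thirdca.crt third.crt
    echo '2. trusting signing.crt instead of root.crt excludes third.crt'

    # 3. Revocation: the server CA revokes www.crt, issues a CRL, and a
    #    verifier that checks the CRL rejects the leaf.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = servca
[ servca ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = servca.crt
private_key = servca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
EOF
    touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
    openssl ca -config ca.cnf -revoke www.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out servca.crl 2>/dev/null
    expect_fail 'certificate revoked' openssl verify -CAfile root.crt \
        -untrusted server_chain.pem -CRLfile servca.crl -crl_check www.crt
    echo '3. CRL from servca.crt makes www.crt fail -crl_check'
    cd /; rm -rf "$work"
}

run_demo
```

Two design notes. A pathlen constraint bounds how deep a CA's subtree may go, but it does not by itself stop that CA from signing a leaf directly, so the "never signs a leaf" rules above remain operational promises of the CA; the purpose check and the trust-anchor choice are what a relying party can enforce locally. And the third check needs the CRL supplied explicitly (here via -CRLfile): openssl verify does not fetch the URL named in the certificate's CRL Distribution Points extension, so a deployment that relies on CRLs must arrange for the download, or use OCSP, itself.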