Diffstat (limited to 'design/hs_pki_policy')
1 files changed, 12 insertions, 0 deletions
diff --git a/design/hs_pki_policy b/design/hs_pki_policy
new file mode 100644
index 0000000..b90e145
--- /dev/null
+++ b/design/hs_pki_policy
@@ -0,0 +1,12 @@
+Root CA cert valid for 6y
+Root CA CRL valid for 14m
+ * need ceremony at least once per y to renew CRL
+KC certificates valid for 8m (verify calculation of influence on possible new CA)
+CA certs valid for 1y
+ Limited certificate depth to 1 (so it can't issue CA)
+CA CRL valid for 1d (or even less)
+End user / device certificates valid for 3m
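Review bot: On the line "Limited certificate depth to 1 (so it can't issue CA)", the number and the stated intent do not match if "depth" is meant as the basicConstraints pathLenConstraint: under RFC 5280 a value of 1 still permits one subordinate CA beneath this CA, and 0 is the value that restricts it to issuing end-entity certificates only. Please name the extension and value the policy expects (for example "basicConstraints CA:TRUE, pathLenConstraint 0"), or state which counting convention "depth" follows. Separately, "CA certs valid for 1y" next to "End user / device certificates valid for 3m" does not say when a CA must stop issuing or be renewed; without a stated overlap (for instance, no issuance in the last 3m of the CA's validity), a certificate issued late would outlive its issuer. The same question applies to the 8m KC certificates, where the parenthetical on that line is still an open item. The units y, m and d should also be spelled out once, since "m" can be read as months or minutes.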