ChanakanLabs Certification Practice Statement (CPS)

Version: 1.0
Effective Date: 2025-12-28
Last Updated: 2025-12-28

1. Introduction

This Certification Practice Statement (CPS) describes the practices, procedures, and controls used by ChanakanLabs in operating its private Public Key Infrastructure (PKI). This CPS applies to all certificates issued by the ChanakanLabs Certification Authority (CA), including document-signing certificates, OCSP responder certificates, and Timestamp Authority (TSA) certificates.

This PKI is operated for private, non-public trust use cases, including internal, academic, and organizational document signing. Certificates issued under this CPS are not intended to be equivalent to nationally qualified or legally regulated trust services.

2. PKI Hierarchy

Root Certification Authority (Root CA)
Offline, self-signed trust anchor used solely to sign Intermediate CA certificates.
Intermediate Certification Authority (Issuing CA)
Online CA responsible for issuing end-entity certificates.
Document Signing Certificates
End-entity certificates issued to natural persons for signing documents.
OCSP Responder
Provides real-time certificate status information.
Timestamp Authority (TSA)
Issues RFC 3161-compliant timestamps to support long-term validation (LTV).

3. Certificate Types and Usage

3.1 Document Signing Certificates

Document-signing certificates are issued to identified natural persons and are intended for:

Signing PDF and other electronic documents
Content commitment and integrity protection
Long-term validation when combined with timestamping

These certificates include:

Key Usage: digitalSignature, nonRepudiation
Extended Key Usage: emailProtection, codeSigning

They must not be used for TLS, authentication, or encryption unless explicitly stated.

3.2 OCSP Responder Certificates

OCSP responder certificates are issued to the OCSP service operated by ChanakanLabs and are used exclusively to sign OCSP responses.

Extended Key Usage: OCSPSigning
Key Usage: digitalSignature
id-pkix-ocsp-nocheck extension present

OCSP responder certificates are not subject to revocation checking.

3.3 Timestamp Authority (TSA) Certificates

TSA certificates are issued for the sole purpose of issuing RFC 3161 timestamp tokens.

Extended Key Usage: timeStamping
Key Usage: digitalSignature, nonRepudiation
Certificate Policies explicitly defined
id-pkix-ocsp-nocheck extension present

TSA certificates are long-lived and not revoked during normal operation.

4. Identity Verification

4.1 Document Signing Certificates

Applicants for document-signing certificates must provide identifying information including:

Given Name
Surname
Organization (if applicable)
Contact email address

A pseudonymous internal identifier is used in the serialNumber subject attribute. National identification numbers are not stored in certificates to preserve privacy.

Identity verification is performed using methods appropriate to the intended trust context (e.g., organizational records, academic affiliation, or direct operator verification).

4.2 Service Certificates (OCSP, TSA)

Service certificates are issued to systems controlled by ChanakanLabs. No personal identity verification is applicable.

5. Certificate Issuance

Certificates are issued only after:

Successful CSR validation
Policy compliance checks
Operator authorization

All certificates are generated using cryptographic keys of at least 2048-bit RSA.

6. Certificate Revocation

6.1 Revocation Reasons

Private key compromise
Cessation of affiliation
Incorrect issuance
Supersession by a new certificate

6.2 Revocation Mechanisms

Revocation information is provided via:

Online Certificate Status Protocol (OCSP)
Certificate Revocation Lists (CRLs)

7. Long-Term Validation (LTV)

ChanakanLabs supports long-term validation through RFC 3161 timestamping, OCSP-based revocation checking, and embedding of validation data in signed documents when supported by client software.

Automatic LTV recognition depends on the trust policies of the validating application.

8. Key Management

8.1 Key Protection

CA and TSA private keys are protected by strong passphrases
Access is restricted to authorized operators
Offline storage is used where feasible

8.2 Key Lifetimes

Key Type	Typical Lifetime
Root CA	10–20 years
Intermediate CA	5–10 years
TSA	5–10 years
Document Signing	1 year or less

9. Audit and Logging

The following events are logged:

Certificate issuance
Certificate revocation
OCSP responses
TSA timestamp issuance

10. Limitations of Liability

Certificates issued under this CPS are provided without warranty. ChanakanLabs shall not be liable for damages arising from misuse, misinterpretation, or reliance beyond the intended scope of this PKI.

11. Compliance and Legal Considerations

This CPS documents internal practices and does not claim compliance with eIDAS, Adobe AATL, or other regulated trust frameworks unless explicitly stated.

12. CPS Updates

This CPS may be updated at any time. Updated versions will be published at:

https://pki.chanakanlabs.com/cps.html

13. Contact Information

ChanakanLabs PKI Operations
Email: [email protected]