LinnemanLabs Certificate Practice Statement

OID: 1.3.6.1.4.1.65302.1.1

1. CA Overview

LinnemanLabs operates a private PKI rooted to an offline ECDSA P-384 key stored on hardware security tokens (YubiKey). The root CA issues intermediate certificates for specific trust functions.

2. Certificate Hierarchy

3. Key Management

Root CA private key generated on air-gapped system, stored on hardware security token (YubiKey), duplicate backup stored in separate physical location. Private key never exists on networked systems.

Fulcio CA and TSA timestamp private keys are non-exportable in AWS KMS. All signing operations occur via KMS API calls.

SPIRE upstream CA private key is stored in AWS Secrets Manager with IAM access controls and CloudTrail audit logging. SPIRE operational signing keys are non-exportable in AWS KMS.

4. Certificate Lifecycle

Root CA: 10 years. Intermediates: 3 years. Fulcio signing certs: 10 minutes. SPIRE SVIDs: 1 hour. TSA timestamps: per-request.

5. Transparency

Fulcio certificates are logged to a private Certificate Transparency log (TesseraCT). Signing events are logged to a private transparency log (Rekor). Trust material is published at /.well-known/trusted_root.json.

6. Contact

Keith Linneman - keith@linnemanlabs.com