/usr/share/igtf-policy/classic/KEK.signing_policy is in igtf-policy-classic 1.79-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# ca-signing-policy.conf, see ca-signing-policy.doc for more information
#
# This is the configuration file describing the policy for what CAs are
# allowed to sign whose certificates.
#
# This file is parsed from start to finish with a given CA and subject
# name.
# subject names may include the following wildcard characters:
# * Matches any number of characters.
# ? Matches any single character.
#
# CA names must be specified (no wildcards). Names containing whitespaces
# must be included in single quotes, e.g. 'Certification Authority'.
# Names must not contain new line symbols.
# The value of condition attribute is represented as a set of regular
# expressions. Each regular expression must be included in double quotes.
#
# This policy file dictates the following policy:
# -The Globus CA can sign Globus certificates
#
# Format:
#------------------------------------------------------------------------
# token type | def.authority | value
#--------------|---------------|-----------------------------------------
# EACL entry #1|
access_id_CA X509 '/C=JP/O=KEK/OU=CRC/CN=KEK GRID Certificate Authority'
pos_rights globus CA:sign
cond_subjects globus '"/C=JP/O=KEK/OU=CRC/*"'
# end of EACL
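How a relying party can evaluate this EACL entry, as an added example that is not part of the package or of the Globus code: it parses the three-column format and applies only the rules stated in the file's comments (* and ? wildcards, everything else literal, no newlines in names). The function names and the default-deny behaviour for CAs without an entry are assumptions of this sketch.

```python
import re
import shlex

# Policy lines copied from the file shown above.
POLICY = """\
access_id_CA X509 '/C=JP/O=KEK/OU=CRC/CN=KEK GRID Certificate Authority'
pos_rights globus CA:sign
cond_subjects globus '"/C=JP/O=KEK/OU=CRC/*"'
"""

def parse_policy(text):
    """Return {CA subject DN: [subject patterns]} for entries granting CA:sign."""
    policy, ca, may_sign = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # removes the outer single quotes
        if len(tokens) != 3:
            raise ValueError(f"malformed line: {line!r}")
        token, authority, value = tokens
        if token == "access_id_CA" and authority == "X509":
            ca, may_sign = value, False
            policy.setdefault(ca, [])
        elif token == "pos_rights" and ca is not None:
            may_sign = authority == "globus" and value == "CA:sign"
        elif token == "cond_subjects" and ca is not None and may_sign:
            # The value is a set of double-quoted patterns; accept a bare one too.
            policy[ca].extend(re.findall(r'"([^"]*)"', value) or [value])
    return policy

def pattern_to_regex(pattern):
    """Translate * and ? only; every other character is matched literally."""
    wild = {"*": ".*", "?": "."}
    return re.compile("".join(wild.get(c, re.escape(c)) for c in pattern))

def ca_may_sign(policy, issuer_dn, subject_dn):
    """Default deny: an unlisted CA or a non-matching subject is rejected."""
    # '.' does not match a newline, so subjects containing one never match.
    return any(pattern_to_regex(p).fullmatch(subject_dn)
               for p in policy.get(issuer_dn, []))
```

The pattern ends in "/*", so a subject under a look-alike unit such as OU=CRCX falls outside the namespace this CA is allowed to sign.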