Grading Rules
The grading rules feature enhances the governance capabilities of Horizon, clearly displaying the quality of a certificate using different criteria. Currently, there is only one grading policy which is the Horizon grading policy designed by EverTrust experts using common reference documents.
The grading mechanism works as follows:
- Each rule is evaluated individually;
- The score of each ruleset is the sum of the scores of its rules divided by the maximum score of that ruleset, giving a score \(s_i \in [-1,1]\) for each ruleset;
- The effective score for the grading policy is a weighted sum \( S = \sum_i w_i \cdot s_i \), where \( w_i \) is the weight of each ruleset;
- The sum of the weights is computed: \( W = \sum_i w_i \);
- The score of the certificate for this grading policy is \(cert\_score = \frac{S}{W} \in [-1,1]\); this score is then put back over 100 and the certificate grade is applied with the following scale:

Breakdown of the grading rules
ANSSI Cryptographic Content
The ANSSI Cryptographic Content Ruleset is created from the good practices advocated by the French ANSSI to ensure good cryptographic material when dealing with X509 certificates (based on the RGS). This ruleset has a maximum possible score of 70 and has a weight of 50 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
Certificate Policy OID should be specified | 10 | 0 |
Certificate should contain at least a CRLDP or an AIA OCSP URL | 10 | 0 |
Certificate should contain the subject key identifier extension | 10 | 0 |
Certificate subject and issuer should differ and authority key identifier should be defined | 10 | 0 |
Certificate issuer should contain the country element ('C') | 5 | 0 |
Certificate issuer should contain the organization element ('O') | 5 | 0 |
Certificate issuer should contain the organizational unit element ('OU') or organization identifier ('organizationIdentifier') | 5 | 0 |
Certificate subject should contain the country element ('C') | 5 | 0 |
Certificate subject should contain the organization element ('O') | 5 | 0 |
Certificate subject should contain the organizational unit element ('OU') or organization identifier ('organizationIdentifier') | 5 | 0 |
CA/B Forum Ruleset
The CA/B Forum Ruleset contains good practices for certificates recommended by the CA/Browser Forum.
This ruleset has a maximum possible score of 40 and has a weight of 60 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
CP OID extension is not empty | 10 | 0 |
Character '_' is forbidden in SAN DNS (penalty rule) | 0 | -10 |
SAN DNS field must not end with '.' (penalty rule) | 0 | -10 |
Certificate lifetime is less than 397 days | 10 | 0 |
Certificate serial number is longer than 8 bytes | 10 | 0 |
SAN DNS field is not empty | 10 | 0 |
Total | 40 | -20 |
NIST and ANSSI ECDSA Cryptographic Ruleset
The NIST and ANSSI ECDSA Cryptographic Ruleset contains good practices when dealing with elliptic-curve cryptography for the certificate's private key.
This ruleset has a maximum possible score of 35 and has a weight of 100 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
EC key algorithm should be P-256, P-384 or P-521 | 25 | 0 |
Signing hash algorithm should be SHA-256, SHA-384, SHA-512, SHA-3-256, SHA-3-384 or SHA-3-512 | 10 | 0 |
Total | 35 | 0 |
EMail Certificate Ruleset
The EMail Certificate Ruleset contains good practices written by the EverTrust experts regarding the use of S/MIME certificates.
This ruleset has a maximum possible score of 20 and has a weight of 60 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
Certificate with extended key usage 'emailProtection' should contain any of the following key usages: 'digitalSignature', 'nonRepudiation', 'keyEncipherment', 'dataEncipherment' | 10 | 0 |
SAN Email (RFC822Name) field is not empty | 10 | 0 |
Total | 20 | 0 |
IETF PKIX Ruleset
The IETF PKIX Ruleset contains good practices recommended by the IETF PKIX working group.
This ruleset has a maximum possible score of 30 and has a weight of 100 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
An entity certificate should not contain a pathlen | 10 | 0 |
Issuer must not be empty | 5 | 0 |
Subject must not be empty | 5 | 0 |
Subject key identifier extension should not be empty | 5 | 0 |
Certificate subject and issuer should differ and authority key identifier should be defined | 5 | 0 |
If defined, AIA OCSP URL should use HTTP (penalty rule) | 0 | -10 |
If defined, CRLDP should use LDAP or HTTP (penalty rule) | 0 | -10 |
Non-CA certificate cannot be self-signed (penalty rule) | 0 | -30 |
The certificate is issued by an untrusted CA (penalty rule) | 0 | -15 |
Certificate KeyUsage cannot be empty (penalty rule) | 0 | -10 |
Total | 30 | -75 |
NIST and ANSSI RSA Cryptographic Ruleset
The NIST and ANSSI RSA Cryptographic Ruleset contains good practices when dealing with RSA cryptography for the certificate's private key.
This ruleset has a maximum possible score of 35 and has a weight of 100 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
RSA key size should be greater than or equal to 2048 bits | 10 | 0 |
RSA key size should be greater than or equal to 3072 bits | 5 | 0 |
RSA key exponent should be greater than 2^16 | 10 | 0 |
Signing hash algorithm should be SHA-256, SHA-384, SHA-512, SHA-3-256, SHA-3-384 or SHA-3-512 | 10 | 0 |
RSA key size should not be less than 2048 bits (penalty rule) | 0 | -10 |
RSA key size must not be less than 1024 bits (penalty rule) | 0 | -10 |
Total | 35 | -20 |
TLS Certificate Ruleset
The TLS certificate ruleset contains good practices for certificates used to identify web servers.
This ruleset has a maximum possible score of 20 and has a weight of 60 in the Horizon Grading Policy.
Details
Rule | Score if satisfied | Score if not satisfied |
---|---|---|
Certificate with extended key usage 'TLSServer' should contain key usage 'digitalSignature' | 10 | 0 |
Certificate with extended key usage 'TLSServer' should not have a subject containing the following elements: 'givenname', 'surname' (penalty rule) | 0 | -5 |
SAN DNS field is not empty | 10 | 0 |
Total | 20 | -5 |
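The scoring mechanism described at the top of the page, applied to the RSA, CA/B Forum and TLS rulesets above, as an added example that is neither EverTrust's nor Horizon's own code. It assumes a certificate has already been parsed into a plain dict (the keys `rsa_bits`, `rsa_exponent`, `sig_hash`, `cp_oids`, `san_dns`, `lifetime_days`, `serial_bytes`, `eku`, `ku` and `subject` are this example's own), reads "put back over 100" as cert_score multiplied by 100, treats the rules conditioned on the 'TLSServer' EKU as satisfied for certificates without that EKU, and leaves out the letter-grade scale, which this page does not reproduce. The two certificates at the bottom are constructed, not real data.

```python
"""Added example (not EverTrust's or Horizon's code): grade a certificate
against a subset of the page's rulesets with the weighted-ruleset formula."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hash algorithms accepted by the "signing hash algorithm" rules on this page.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA-3-256", "SHA-3-384", "SHA-3-512"}


@dataclass
class Rule:
    description: str
    satisfied: Callable[[dict], bool]
    score_if_satisfied: int
    score_if_not: int  # negative for penalty rules


@dataclass
class Ruleset:
    name: str
    weight: int      # w_i as stated on the page
    max_score: int   # divisor that brings the rule sum into [-1, 1]
    rules: List[Rule]


def san_dns(cert: dict) -> List[str]:
    return cert.get("san_dns", [])


# Scores, weights and maximum scores are the page's; the dict keys are an assumption.
RSA_RULESET = Ruleset("NIST and ANSSI RSA Cryptographic", 100, 35, [
    Rule("RSA key size >= 2048 bits", lambda c: c["rsa_bits"] >= 2048, 10, 0),
    Rule("RSA key size >= 3072 bits", lambda c: c["rsa_bits"] >= 3072, 5, 0),
    Rule("RSA public exponent > 2^16", lambda c: c["rsa_exponent"] > 2 ** 16, 10, 0),
    Rule("Signing hash is SHA-2/SHA-3", lambda c: c["sig_hash"] in STRONG_HASHES, 10, 0),
    Rule("RSA key size not < 2048 bits (penalty)", lambda c: c["rsa_bits"] >= 2048, 0, -10),
    Rule("RSA key size not < 1024 bits (penalty)", lambda c: c["rsa_bits"] >= 1024, 0, -10),
])

CAB_RULESET = Ruleset("CA/B Forum", 60, 40, [
    Rule("CP OID extension is not empty", lambda c: bool(c.get("cp_oids")), 10, 0),
    Rule("No '_' in SAN DNS (penalty)", lambda c: all("_" not in d for d in san_dns(c)), 0, -10),
    Rule("SAN DNS does not end with '.' (penalty)",
         lambda c: all(not d.endswith(".") for d in san_dns(c)), 0, -10),
    Rule("Lifetime < 397 days", lambda c: c["lifetime_days"] < 397, 10, 0),
    Rule("Serial number longer than 8 bytes", lambda c: c["serial_bytes"] > 8, 10, 0),
    Rule("SAN DNS is not empty", lambda c: bool(san_dns(c)), 10, 0),
])

# Assumption: rules conditioned on the TLSServer EKU count as satisfied when that EKU is absent.
TLS_RULESET = Ruleset("TLS Certificate", 60, 20, [
    Rule("TLSServer EKU implies digitalSignature KU",
         lambda c: "TLSServer" not in c["eku"] or "digitalSignature" in c["ku"], 10, 0),
    Rule("TLSServer subject has no givenName/surname (penalty)",
         lambda c: "TLSServer" not in c["eku"]
         or not ({"givenName", "surname"} & set(c["subject"])), 0, -5),
    Rule("SAN DNS is not empty", lambda c: bool(san_dns(c)), 10, 0),
])

HORIZON_SUBSET = [RSA_RULESET, CAB_RULESET, TLS_RULESET]


def ruleset_score(ruleset: Ruleset, cert: dict) -> float:
    """s_i: sum of the rule scores divided by the ruleset's maximum score (no clamping)."""
    total = sum(r.score_if_satisfied if r.satisfied(cert) else r.score_if_not
                for r in ruleset.rules)
    return total / ruleset.max_score


def breakdown(cert: dict, rulesets=HORIZON_SUBSET) -> Dict[str, float]:
    """Per-ruleset s_i values, useful for showing which ruleset dragged the grade down."""
    return {rs.name: ruleset_score(rs, cert) for rs in rulesets}


def grade(cert: dict, rulesets=HORIZON_SUBSET) -> float:
    """cert_score = S / W with S = sum(w_i * s_i) and W = sum(w_i), scaled to 100
    (assumption: 'put back over 100' means cert_score * 100)."""
    s = sum(rs.weight * ruleset_score(rs, cert) for rs in rulesets)
    w = sum(rs.weight for rs in rulesets)
    return round(100 * s / w, 2)


# Constructed certificates for the example (placeholder OID, not a real policy).
GOOD_CERT = {"rsa_bits": 3072, "rsa_exponent": 65537, "sig_hash": "SHA-256",
             "cp_oids": ["1.3.6.1.4.1.99999.1"], "san_dns": ["www.example.com"],
             "lifetime_days": 365, "serial_bytes": 16, "eku": {"TLSServer"},
             "ku": {"digitalSignature", "keyEncipherment"},
             "subject": {"CN": "www.example.com", "O": "Example Org", "C": "FR"}}
WEAK_CERT = {"rsa_bits": 1024, "rsa_exponent": 3, "sig_hash": "SHA-1",
             "cp_oids": [], "san_dns": ["db_01.example.com."],
             "lifetime_days": 730, "serial_bytes": 4, "eku": {"TLSServer"},
             "ku": set(), "subject": {"CN": "db_01", "givenName": "Alice", "surname": "Doe"}}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("weak", WEAK_CERT)):
        print(label, grade(cert), breakdown(cert))
```

Running the block prints the score over 100 and the per-ruleset s_i for both certificates: the good one reaches 100, the weak one goes negative because the RSA and CA/B penalty rules outweigh its single satisfied rule. Note that this example does not clamp s_i: with a ruleset such as IETF PKIX, whose penalties sum to -75 against a maximum of 30, the raw quotient can fall below -1, so an implementation has to decide how to keep s_i inside the [-1,1] range the page describes.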
Applying the grading policy
All certificates that are in Horizon can be graded using grading policies, whether they are discovered or fully managed by the product.
To add a grading policy to a profile, go to the profile settings, then in the "Common configuration for profile" tab select the grading policies that will be used to grade certificates on this profile.
To remove a grading policy from a profile, unselect it from the drop-down menu.
You can also grade discovered certificates: in the Discovery menu, click on the campaign you want to apply grading policies to, then select the grading policies to apply from the drop-down menu.
Again, to remove a grading policy from a discovery campaign, unselect it from the same drop-down menu.
Manually re-grading certificates
If anything went wrong in the initial grading of certificates, or if you manually added a new grading policy to an existing profile and want to re-evaluate it, follow these steps:
1. Go to ;
2. Select the grading policy that you want to relaunch manually and click the .
All certificates concerned by this grading policy will now be re-graded.