cispec

org.cispec.key-type

recommended: any CI that is a cryptographic key, certificate, or credential

org.cispec.key-type records the type of cryptographic key, certificate, or credential a Change Item is — the category that determines what it can be used for, what standards govern it, and what lifecycle management procedures apply.

Applies to any CI that is a cryptographic or identity artefact: GPG keys, X.509 certificates, SSH keys, FIDO2 credentials, S/MIME certificates, code-signing certificates, TLS certificates, hardware security module (HSM) key slots, and any other cryptographic material tracked as a CI.

Value format

A lower-case slug identifying the key or credential type.

org.cispec.key-type=x509-tls
org.cispec.key-type=x509-code-signing
org.cispec.key-type=x509-ca
org.cispec.key-type=gpg
org.cispec.key-type=ssh-ed25519
org.cispec.key-type=fido2
org.cispec.key-type=hsm-slot
org.cispec.key-type=s-mime

Conformance

org.cispec.key-type is RECOMMENDED for any CI that is a cryptographic key, certificate, or credential. It is not REQUIRED for Declared conformance.

Attestation

key-type is independently attestable against the certificate or key’s own metadata — an X.509 certificate’s extended key usage (EKU) fields authoritatively specify what the certificate may be used for; a GPG key’s capability flags specify signing, encryption, authentication, and certification capabilities.
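One way to run this check for the X.509 slugs, as an added example that is not part of the cispec specification: it compares a declared key-type value with what a parsed certificate says about itself. The slug-to-EKU mapping (x509-tls taken to mean serverAuth), reading x509-ca from basicConstraints, and the names ekuFor, AttestKeyType and SampleCert are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Assumed slug-to-EKU mapping; the page lists the slugs but defines no mapping.
var ekuFor = map[string]x509.ExtKeyUsage{
	"x509-tls":          x509.ExtKeyUsageServerAuth,
	"x509-code-signing": x509.ExtKeyUsageCodeSigning,
}

// AttestKeyType reports whether the certificate's own metadata backs the declared slug.
func AttestKeyType(declared string, cert *x509.Certificate) (bool, error) {
	if declared == "x509-ca" { // assumption: CA status is read from basicConstraints
		return cert.BasicConstraintsValid && cert.IsCA, nil
	}
	want, known := ekuFor[declared]
	if !known {
		return false, fmt.Errorf("key-type %q has no X.509 check", declared)
	}
	// A certificate carrying only anyExtendedKeyUsage does not match a specific slug.
	return slices.Contains(cert.ExtKeyUsage, want), nil
}

// SampleCert builds a constructed self-signed certificate that matches the given slug.
func SampleCert(slug string) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: throwaway sample key only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: slug == "x509-ca", BasicConstraintsValid: true}
	if eku, ok := ekuFor[slug]; ok {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := SampleCert("x509-code-signing")
	fmt.Println(AttestKeyType("x509-tls", cert))
}
```

A declared value that the certificate does not back (here, x509-tls on a code-signing certificate) is the mismatch an attestation step would flag for review.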

Resolution and relation

key-type paired with algorithm and key-length gives the complete cryptographic profile of a credential CI. Paired with expiry and owner it supports certificate lifecycle management and rotation planning.

Document identifier

OID: 1.3.6.1.4.1.42387.2.6.6.2
GUID: 936e9ec5-0d4b-5e02-bac2-4e6af6f3ab08

Related terms