A certificate policy (CP) is a document which aims to state what are the different entities of a public key infrastructure (PKI), their roles and their duties. This document is published in the PKI perimeter.

When in use with X.509 certificates, a specific field can be set to include a link to the associated certificate policy. Thus, during an exchange, any relying party has an access to the assurance level associated with the certificate, and can decide on the level of trust to put in the certificate.

RFC 3647

edit

The reference document for writing a certificate policy is, as of December 2010, RFC 3647. The RFC proposes a framework for the writing of certificate policies and Certification Practice Statements (CPS). The points described below are based on the framework presented in the RFC.

Main points

edit

Architecture

edit

The document should describe the general architecture of the related PKI, present the different entities of the PKI and any exchange based on certificates issued by this very same PKI.

Certificate uses

edit

An important point of the certificate policy is the description of the authorized and prohibited certificate uses. When a certificate is issued, it can be stated in its attributes what use cases it is intended to fulfill. For example, a certificate can be issued for digital signature of e-mail (aka S/MIME), encryption of data, authentication (e.g. of a Web server, as when one uses HTTPS) or further issuance of certificates (delegation of authority). Prohibited uses are specified in the same way.

Naming, identification and authentication

edit

The document also describes how certificates names are to be chosen, and besides, the associated needs for identification and authentication. When a certification application is filled, the certification authority (or, by delegation, the registration authority) is in charge of checking the information provided by the applicant, such as his identity. This is to make sure that the CA does not take part in an identity theft.

Key generation

edit

The generation

Procedures

edit

The different procedures for certificate application, issuance, acceptance, renewal, re-key, modification and revocation are a large part of the document. These procedures describe how each actor of the PKI has to act in order for the whole assurance level to be accepted.

Operational controls

edit

Then, a chapter is found regarding physical and procedural controls, audit and logging procedures involved in the PKI to ensure data integrity, availability and confidentiality.

Technical controls

edit

This part describes what are the technical requirements regarding key sizes, protection of private keys (by use of key escrow) and various types of controls regarding the technical environment (computers, network).

Certificate revocation lists

edit

Those lists are a vital part of any public key infrastructure, and as such, a specific chapter is dedicated to the description of the management associated with these lists, to ensure consistency between certificate status and the content of the list.

Audit and assessments

edit

The PKI needs to be audited to ensure it complies with the rules stated in its documents, such as the certificate policy. The procedures used to assess such compliance are described here.

Other

edit

This last chapter tackles all remaining points, by example all the PKI-associated legal matters.

References

edit