Certificate policy


Certificate policy

A certificate policy is a document which aims to state what are the different actors of a public key infrastructure (PKI), their roles and their duties. This document is published in the PKI perimeter.

When in use with X.509 certificates, a specific field can be set to include a link to the associated certificate policy. Thus, during an exchange, any relying party has an access to the assurance level associated with the certificate, and can make a decision concerning the level of trust to put in the certificate.

Contents

RFC 3647

The reference document for writing a certificate policy is, as of December 2010, RFC 3647. The RFC proposes a framework for the writing of certificate policies and certification practice statements. The points described below are based on the framework presented in the RFC.

Main points

Architecture

The document should describe the general architecture of the related PKI, present the different actors of the PKI and any exchange based on certificates issued by this very same PKI.

Certificate uses

An important point of the certificate policy is the description of the authorized and prohibited certificate uses. When a certificate is issued, it can be stated in its attributes what use cases it is intended to fulfill. For example, a certificate can be issued for digital signature of e-mail (aka S/MIME), encryption of data, authentication (e.g. of a Web server, as when one uses HTTPS) or further issuance of certificates (delegation of authority). Prohibited uses are specified in the same way.

Naming, identification and authentication

The document describes also how are certificates names to be chosen, and besides, the associated needs for identification and authentication. When a certification application is filled, the certification authority (or, by delegation, the registration authority) is in charge of checking the information provided by the applicant, such as his identity. This is to make sure that the CA is not take part in an identity theft.

Key generation

The generation of the keys is also mentioned in a certificate policy. Users may be allowed to generate their own keys and submit them to the CA for generation of an associated certificate. The PKI may also choose to prohibit user-generated keys, and provide a separated and probably more secure way of generating the keys (for example, by using a hardware security module).

Procedures

The different procedures for certificate application, issuance, acceptance, renewal, re-key, modification and revocation are a large part of the document. These procedures describe how each actor of the PKI has to act in order for the whole assurance level to be accepted.

Operational controls

Then, a chapter is found regarding physical and procedural controls, audit and logging procedures involved in the PKI to ensure data integrity, availability and confidentiality.

Technical controls

This part describes what are the technical requirements regarding key sizes, protection of private keys (by use of key escrow) and various types of controls regarding the technical environment (computers, network).

Certificate revocation lists

The CRLs are a vital part of any PKI, and as such, a specific chapter is dedicated to the description of the management associated with these lists, to ensure consistency between certificate status and the content of the list.

Audit and assessments

The PKI needs to be audited to ensure it complies with the rules stated in its documents, such as the certificate policy. The procedures used to assess such compliance are described here.

Other

This last chapter tackles all remaining points, by example all the PKI-associated legal matters.

References


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Certificate for Students Achieving the Proficiency Level of Upper Secondary School Graduates — (高等学校卒業程度認定試験 Kōtōgakkō Sotsugyōteidoninteishiken) is an examination, taken by individuals who did not graduate upper secondary school(High school). This exam is provided by Lifelong Learning Promotion Division, Lifelong Learning Policy Bureau,… …   Wikipedia

  • Certificate of Annuity — (COA) is a financial instrument/security issued by government agencies which guarantee the initial interest rate for funds on deposit for the entire length of the maturity of the security. Typical maturity/tenor for these deposit instruments are… …   Wikipedia

  • Certificate revocation list — In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked or are no… …   Wikipedia

  • certificate — /sartifakat/ A written assurance, or official representation, that some act has or has not been done, or some event occurred, or some legal formality has been complied with. A written assurance made or issuing from some court, and designed as a… …   Black's law dictionary

  • certificate — /sartifakat/ A written assurance, or official representation, that some act has or has not been done, or some event occurred, or some legal formality has been complied with. A written assurance made or issuing from some court, and designed as a… …   Black's law dictionary

  • certificate of insurance — A certificate giving abbreviated details of the cover provided by an insurance policy. In a motor insurance policy or an employers liability policy, the information that must be shown on the certificate of insurance is laid down by law and in… …   Accounting dictionary

  • certificate of insurance — A certificate giving abbreviated details of the cover provided by an insurance policy. In a motor insurance policy or an employers liability insurance policy, the information that must be shown on the certificate of insurance is laid down by law… …   Big dictionary of business and management

  • Certificate of Advanced European Studies — The Certificate of Advanced European Studies (French: Certificat de Hautes Études Européennes) is a postgraduate qualification, equivalent to a master s degree, that was awarded by the College of Europe, a postgraduate elite school in Bruges,… …   Wikipedia

  • certificate of insurance — A document that describes an insurance policy. It is issued for informational purposes only. It is not legal evidence of insurance and may even describe a policy that has not yet been issued. See binder. American Banker Glossary * * * certificate …   Financial and business terms

  • Certificate of deposit — This article is specific to the United States. For a more general article, see Time deposit. Banking in the United States Monetary policy The Federal Reserve System Regulation Lending Credit card Deposit accounts Savings account Checking account …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.