RFC 2527 (rfc2527) - Page 2 of 45


RFC 2527                          PKIX                        March 1999


   and legal obligations of the CA (for example, warranties and
   limitations on liability).

   A Version 3 X.509 certificate may contain a field declaring that one
   or more specific certificate policies apply to that certificate
   [ISO1].  According to X.509, a certificate policy is "a named set of
   rules that indicates the applicability of a certificate to a
   particular community and/or class of application with common security
   requirements." A certificate policy may be used by a certificate user
   to help in deciding whether a certificate, and the binding therein,
   is sufficiently trustworthy for a particular application.  The
   certificate policy concept is an outgrowth of the policy statement
   concept developed for Internet Privacy Enhanced Mail [PEM1] and
   expanded upon in [BAU1].

   A more detailed description of the practices followed by a CA in
   issuing and otherwise managing certificates may be contained in a
   certification practice statement (CPS) published by or referenced by
   the CA.  According to the American Bar Association Digital Signature
   Guidelines (hereinafter "ABA Guidelines"), "a CPS is a statement of
   the practices which a certification authority employs in issuing
   certificates." [ABA1]
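   The two paragraphs above describe the mechanism a relying party
   actually consumes: the X.509 v3 field that names the certificate
   policies under which a certificate was issued, and the CPS that the CA
   publishes or references.  The following is an added example, not part
   of RFC 2527, showing how a certificate user might decode that field
   and apply a simple acceptance rule.  The field is the certificatePolicies
   extension and the CPS pointer qualifier (id-qt-cps) as defined in X.509
   and RFC 5280; the policy OIDs under the 1.3.6.1.4.1.99999 arc and the
   CPS URI are placeholders constructed for this example, and the DER bytes
   are hand-assembled rather than taken from a real certificate.  Only the
   Python standard library is used.

```python
"""Decode an X.509 certificatePolicies extension value and apply a
relying-party acceptance rule to it.

Added example; not part of RFC 2527.  Only the standard library is used.
The sample DER below is constructed for this example; the policy OIDs under
the 1.3.6.1.4.1.99999 arc and the CPS URI are placeholders.
"""

# Qualifier type OIDs defined in X.509 / RFC 5280 (not assumptions).
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # policy qualifier: pointer (URI) to the CPS
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # policy qualifier: user notice text


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_content):
    """Yield (tag, content) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_content):
        tag, val, pos = _read_tlv(seq_content, pos)
        yield tag, val


def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for byte in content[1:]:               # base-128, high bit set on all but last octet
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_certificate_policies(der):
    """Return a list of (policy_oid, {"cps": [uri, ...], "other": [oid, ...]}).

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                       policyQualifiers SEQUENCE OF
                                         PolicyQualifierInfo OPTIONAL }
    PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY }
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies = []
    for ptag, pinfo in _children(body):
        if ptag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        fields = list(_children(pinfo))
        policy_oid = decode_oid(fields[0][1])
        quals = {"cps": [], "other": []}
        if len(fields) > 1:                # optional policyQualifiers present
            for _, qinfo in _children(fields[1][1]):
                qfields = list(_children(qinfo))
                qid = decode_oid(qfields[0][1])
                if qid == ID_QT_CPS:
                    quals["cps"].append(qfields[1][1].decode("ascii"))  # CPSuri is IA5String
                else:
                    quals["other"].append(qid)
        policies.append((policy_oid, quals))
    return policies


def policy_decision(policies, acceptable):
    """Relying-party rule for one certificate: accept it if it asserts at least
    one policy OID the application trusts.  Returns (accepted, matched_oid,
    cps_uris) so the caller can show the user where the CA's CPS is published.
    Full path processing (RFC 5280 section 6.1) is out of scope here."""
    asserted = dict(policies)
    for oid in acceptable:
        if oid in asserted:
            return True, oid, tuple(asserted[oid]["cps"])
    return False, None, ()


# Constructed sample: two PolicyInformation entries, the first carrying a CPS
# pointer.  Lengths are in the comments so the nesting can be checked by eye.
CPS_URI = b"https://ca.example/cps"                                 # 22 bytes, placeholder
SAMPLE_CERT_POLICIES = (
    bytes.fromhex("30 42")                                          # certificatePolicies, 66 bytes
    + bytes.fromhex("30 32")                                        #  PolicyInformation #1, 50 bytes
    + bytes.fromhex("06 0a 2b 06 01 04 01 86 8d 1f 01 01")          #   OID 1.3.6.1.4.1.99999.1.1
    + bytes.fromhex("30 24")                                        #   policyQualifiers, 36 bytes
    + bytes.fromhex("30 22")                                        #    PolicyQualifierInfo, 34 bytes
    + bytes.fromhex("06 08 2b 06 01 05 05 07 02 01")                #     id-qt-cps
    + bytes.fromhex("16 16") + CPS_URI                              #     CPSuri IA5String
    + bytes.fromhex("30 0c")                                        #  PolicyInformation #2, 12 bytes
    + bytes.fromhex("06 0a 2b 06 01 04 01 86 8d 1f 01 02")          #   OID 1.3.6.1.4.1.99999.1.2
)

if __name__ == "__main__":
    parsed = parse_certificate_policies(SAMPLE_CERT_POLICIES)
    for oid, quals in parsed:
        print(oid, "CPS:", quals["cps"] or "(none)")
    print(policy_decision(parsed, ["1.3.6.1.4.1.99999.1.1"]))
```

   The acceptance rule is deliberately the simplest one the RFC's wording
   implies: the application holds a set of policy OIDs it considers
   sufficient for its purpose and checks whether the certificate asserts
   one of them.  The CPS URI returned alongside the match is what lets a
   reviewer go from the policy identifier to the CA's published practices.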

1.2  PURPOSE

   The purpose of this document is to establish a clear relationship
   between certificate policies and CPSs, and to present a framework to
   assist the writers of certificate policies or CPSs with their tasks.
   In particular, the framework identifies the elements that may need to
   be considered in formulating a certificate policy or a CPS.  The
   purpose is not to define particular certificate policies or CPSs, per
   se.

1.3  SCOPE

   The scope of this document is limited to discussion of the contents
   of a certificate policy (as defined in X.509) or CPS (as defined in
   the ABA Guidelines).  In particular, this document describes the
   types of information that should be considered for inclusion in a
   certificate policy definition or a CPS.  While the framework as
   presented generally assumes use of the X.509 version 3 certificate
   format, it is not intended that the material be restricted to use of
   that certificate format.  Rather, it is intended that this framework
   be adaptable to other certificate formats that may come into use.

   The scope does not extend to defining security policies generally
   (such as organization security policy, system security policy, or
   data labeling policy) beyond the policy elements that are considered



Chokhani & Ford              Informational