RFC 2527 PKIX March 1999
and legal obligations of the CA (for example, warranties and
limitations on liability).

A Version 3 X.509 certificate may contain a field declaring that one
or more specific certificate policies applies to that certificate
[ISO1]. According to X.509, a certificate policy is "a named set of
rules that indicates the applicability of a certificate to a
particular community and/or class of application with common security
requirements." A certificate policy may be used by a certificate user
to help in deciding whether a certificate, and the binding therein,
is sufficiently trustworthy for a particular application. The
certificate policy concept is an outgrowth of the policy statement
concept developed for Internet Privacy Enhanced Mail [PEM1] and
expanded upon in [BAU1].

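As an added illustration that is not part of RFC 2527, the Python below decodes the certificatePolicies extension of an X.509 v3 certificate (the field the paragraph above describes) and performs the relying-party check of asking whether a required policy OID is asserted. The DER helpers are hand-rolled for the example, and the two policy OIDs are constructed placeholders under the private-enterprise arc (99999 is not a real enterprise number).

```python
"""Decode an X.509 certificatePolicies extension (DER) and check whether a
certificate asserts the policy OID a relying party requires (hand-rolled DER)."""
def tlv(tag, body):  # DER tag + short-form length + body (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):  # dotted OID -> DER OBJECT IDENTIFIER body (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)  # continuation bit on all but last
        out += bytes(chunk)
    return bytes(out)

def read_tlv(buf, pos):  # -> (tag, body, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID body -> dotted (first arc 0/1/2, second arc < 40)
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """policyIdentifier of each PolicyInformation: certificatePolicies ::= SEQUENCE OF
    SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, seq, _ = read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)       # one PolicyInformation
        otag, oid, _ = read_tlv(info, 0)          # policyIdentifier; qualifiers ignored
        assert tag == 0x30 and otag == 0x06, "malformed PolicyInformation"
        oids.append(decode_oid(oid))
    return oids

def acceptable_for(ext_value, required_policy):  # relying-party check on one cert
    return required_policy in policy_oids(ext_value)

# Constructed sample: two placeholder policy OIDs (99999 is not a real enterprise number).
SAMPLE_POLICIES = ["1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"]
SAMPLE_EXT = tlv(0x30, b"".join(tlv(0x30, tlv(0x06, encode_oid(p))) for p in SAMPLE_POLICIES))
```

This is a leaf-only check; full RFC 5280 path validation also tracks policy mappings, anyPolicy and the policy constraints of each CA in the chain, which are out of scope here.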
A more detailed description of the practices followed by a CA in
issuing and otherwise managing certificates may be contained in a
certification practice statement (CPS) published by or referenced by
the CA. According to the American Bar Association Digital Signature
Guidelines (hereinafter "ABA Guidelines"), "a CPS is a statement of
the practices which a certification authority employs in issuing
certificates." [ABA1]

1.2 PURPOSE

The purpose of this document is to establish a clear relationship
between certificate policies and CPSs, and to present a framework to
assist the writers of certificate policies or CPSs with their tasks.
In particular, the framework identifies the elements that may need to
be considered in formulating a certificate policy or a CPS. The
purpose is not to define particular certificate policies or CPSs, per
se.

1.3 SCOPE

The scope of this document is limited to discussion of the contents
of a certificate policy (as defined in X.509) or CPS (as defined in
the ABA Guidelines). In particular, this document describes the
types of information that should be considered for inclusion in a
certificate policy definition or a CPS. While the framework as
presented generally assumes use of the X.509 version 3 certificate
format, it is not intended that the material be restricted to use of
that certificate format. Rather, it is intended that this framework
be adaptable to other certificate formats that may come into use.

The scope does not extend to defining security policies generally
(such as organization security policy, system security policy, or
data labeling policy) beyond the policy elements that are considered
Chokhani & Ford Informational