Professional Documents
Culture Documents
Practice Statements
The definition of certificate policies and the certificate practice statement (CPS) is often
forgotten by technically-oriented planners. The basis for both the certificate policy and CPS are
the organizations security policy.
Creating these documents is usually a joint responsibility of the legal, human resources, and
information security departments.
Security Policy
The security policy is a high-level document that is created by the corporate IT group. It defines
a set of rules about the use and provision of security services in the organization, and should
reflect your organization's business and IT strategy. The security policy should answer high-level
PKI questions, such as:
Certificate Policy
A certificate policy focuses on certificates and the CA's responsibilities regarding these
certificates. It defines certificate characteristics such as usage, enrollment and issuance
procedures, as well as liability issues.
The following references define a certificate policy as a set of rules that determine if a certificate
is applicable to either a community or a class of applications that have common security
requirements.
For more information about the X.509 standard, see the International Telecommunication Union
Web site.
For more information about the European Electronic Signature Standardization Initiative
(EESSI) definition, see the EESSI Web site.
A certificate policy typically answers the question about what purposes the certificate serves, and
under which policies and procedures the certificate has been issued. A certificate policy typically
addresses the following issues:
Legal issues, such as liability, that might arise if the CA becomes compromised or is used
for something other than its intended purpose
Private key management requirements, such as storage on smart cards or other hardware
devices
Requirements for users of the certificates, including what users must do if their private
keys are lost or compromised
Minimum length for the public key and private key pairs
The certificate policy is typically defined by members of an organization who are known as the
policy authority. The policy authority typically consists of representatives from different core
departments, including management, legal, audit, human resources, and other departments.
Overall, the policy authority members will also be members of the group that defined the