Certificate Practice Statements and Policies
Category: Security
Introduction
A Certificate Policy and Certification Practice Statement (CP/CPS) are outlines of the legal, commercial and technical principles and practices that organizations employ in providing certification services. The certificates they govern are issued within a public key infrastructure (PKI) and certified by a Certificate Authority (CA). “Both the certificate policy and the CPS help the user of a PKI determine the level of trust that those departments can put in the certificates that are issued by a CA” (Microsoft, 2013).
CP/CPS Requirements
The CP document intends to define what the principal entities of the PKI are, their roles and their duties. In all of the CP/CPS documents viewed, the requirements of these documents were adequate in informing the reader what liability is acknowledged and how warranty is limited. The obligations and liabilities stated include the following: CA liability; CA obligations; certificate user obligations; principal obligations; acceptance of limitation; and consent (Entrust, 2013).
Weaknesses were not apparent in viewed documents.
A sample CP/CPS created for a school, for instance, would contain, among other items, the following:
• PKI participants such as certifying authorities, trusted registrants and subscribers;
• Certificate usage as to what is appropriate and what is prohibited;
• Policy administration by the organization, contact person and who determines policy;
• Rules for identification and authentication, naming conventions for types of names and meaningfulness and prohibited use of anonymous or pseudo names;
• Certificate application on who can submit an application, enrollment process, application processing, approval or rejection of applications and time to process applications;
• Certificate issuance, expiration, acceptance, renewal, revocation and recovery;
• Protection of certificate;
• Certificate life cycle;
• Privacy and disclosure; and
• Warranties, liabilities and indemnities.
When all is said and done, there are ways to protect the certificate and keys issued. “Whether private keys are stored in hardware or software, it is important that they be adequately protected. To ensure basic protection, never share the key in plain text, always store keys in files or folders that are themselves password protected or encrypted, do not make copies of keys, and destroy expired keys.”
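The quoted key-protection rules can be turned into a repeatable check for a software-stored private key. The following script is an added example, not part of the original article or of any CA's procedures; it assumes `openssl` is on the PATH, and the file paths and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: generate a CA private key that is encrypted from the moment it is
# written, then verify the controls the policy text requires (encrypted at rest,
# owner-only access, usable only with the passphrase). Paths and the passphrase
# are constructed for this demo; openssl is assumed to be installed.
set -eu

PASSPHRASE='constructed-demo-passphrase'   # in practice injected from a secret store

# Write the key already encrypted (PKCS#8, AES-256) with owner-only permissions,
# so a plaintext copy never exists on disk.
generate_protected_key() {           # $1 = output path
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -aes256 -pass "pass:$PASSPHRASE" -out "$1" 2>/dev/null )
}

# Return 0 only if the key file meets all controls, 1 otherwise.
key_is_protected() {                 # $1 = key path
  [ -f "$1" ] || return 1
  # 1. Encrypted at rest: the PKCS#8 encrypted PEM header must be present.
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" || return 1
  # 2. Owner-only access (GNU stat, falling back to BSD stat).
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || return 1
  # 3. Usable only with the passphrase: a wrong one must be rejected...
  if openssl pkey -in "$1" -passin pass:not-the-passphrase -noout 2>/dev/null; then
    return 1
  fi
  # ...and the right one must parse the key.
  openssl pkey -in "$1" -passin "pass:$PASSPHRASE" -noout 2>/dev/null
}

# Demo: a protected key passes; a plaintext key (what the policy forbids) fails.
WORKDIR=$(mktemp -d)
generate_protected_key "$WORKDIR/ca-key.pem"
key_is_protected "$WORKDIR/ca-key.pem" && echo "ca-key.pem: protected"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORKDIR/plain-key.pem" 2>/dev/null
key_is_protected "$WORKDIR/plain-key.pem" || echo "plain-key.pem: violates policy"
```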
Conclusion
Formal policy and procedures are required through the use of Certificate Policies and Certification Practice Statements. These are key components in establishing the degree of trust placed in digital certificates issued by a Certification Authority. These components help ensure that policies and practices can be easily interpreted by the users and administrators of certificates issued by a CA (Entrust, 2013).
The digital certificate allows an entity taking part in an electronic transaction to prove its identity to other participants in the transaction. These digital certificates are used in commercial environments as a digital equivalent of a person’s identification card and, as such, should be protected in the same respect!