The IT Law Wiki

Definition

A certification policy is

a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A certificate policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates.[1]

In public key infrastructure (PKI) implementations, the certification policy is a set of rules governing the intended use of certificates and the level of trust that a particular PKI will support.

Overview

The certificate policy contains items such as the obligations of the certification authority, its liabilities and warranties, its confidentiality policy, its identification and authentication requirements, and details of what information will be contained in the certificates. The certificate policy provides the criteria that others can use to decide whether to trust certificates issued by the certification authority, and it is also the basis for accreditation of the certification authority.

A second, companion document, the "certification practices statement," contains a more detailed description of the mechanics a certification authority follows in issuing and otherwise managing certificates. It outlines the procedures used to implement the policy with regard to certificate issuance, user identification and registration, certificate lifetimes and revocation, and publishing practices for certificates and certificate revocation lists. It also states the operational practices the certification authority follows to ensure security. The certification practices statement serves to outline operational procedures for the certification authority's personnel and also provides additional information to the relying party.

References

  1. DM3595-001, at 4.