Not all requirements are defined by an organization. In some cases, especially if you expect to use certificates in conjunction with other organizations, you might have to
Note Methods for defining CRL and CA certificate publication URLs are discussed in detail in Chapter 6.
meet external requirements, such as those defined by other organizations or by the governments of countries in which your organization conducts business. Examples of external requirements include:
■ Enabling external organizations to recognize employee-used certificates. Different solutions exist for this scenario. You can choose to not deploy an internal PKI and simply obtain certificates from commercial CAs, such as VeriSign or RSA. Alternatively, you can use cross-certification or qualified subordination to define which external certificates you trust.
Note Cross-certification and qualified subordination are discussed in detail in Chapter 13.
■ Using your organization's certificate at partner organizations. In some cases, the certificates issued by your CA hierarchy will be used by your employees for encryption or signing purposes at another organization. You might have to create custom certificates to meet the requirements of the other organization. One solution is to implement a CA hierarchy that defines separate internal and external policy CAs. (See Figure 5-10.)
In this example, all certificates for use with partners are issued by the Partners CA. If different issuance policies are required for these certificates, the issuance policies are defined in the CPS deployed at the external policy CA.
■ Industry or government legislation. Several countries have legislation that affects the design of a CA hierarchy. For example, Canada recently passed the Personal Information Protection and Electronic Documents Act. This act regulates the management of a customer's personal information when held by a private-sector company. The act requires that someone be accountable for compliance—and this person should be involved in the deployment and design of the CA hierarchy to ensure that all requirements of the Act are enforced in the design.
More Info You can obtain a copy of Canada's Personal Information Protec tion and Electronic Documents Act at http//laws.justice.gc.ca/en/p-8.6 /91355.html.
■ Certificates for nonemployees. If you issue certificates to nonemployees, you must ensure that the CPS outlines nonemployee responsibilities and clearly defines the revocation policy in case you must revoke a certificate. Using a CA hierarchy like the one defined in Figure 5-10, you can deploy a separate certificate policy that includes greater detail for external clients.
■ Validating certificates on external networks. When designing the configuration of each CA, you must ensure that the CRL and CA certificate are published to externally accessible locations, such as a Web server in a demilitarized zone (DMZ). This allows certificate validation to take place from the external network when using applications, such as extranet Web servers and VPN solutions when connections originate from the Internet.
Was this article helpful?