A public key infrastructure (PKI) is only as secure as the policies and procedures that are implemented by an organization in conjunction with its PKI. Three policy documents directly affect PKI design:
■ Security policy. A security policy is a document that defines an organization's standards in regard to security. The policy usually includes the assets an organization considers valuable, potential threats to those assets, and, in general terms, measures that must be taken to protect these resources.
■ Certificate policy. A certificate policy is a document that describes the measures an organization will use to validate the identity of a certificate's subject. Validation might require a requestor-provided account and password combination submitted to the organization's directory or photo identification and submission to a background check through a registration authority (RA) process.
■ Certificate practice statement (CPS). A CPS is a public document that describes how a certification authority (CA) is managed by an organization to uphold its security and certificate policies. A CPS is published at a CA and describes the operation of the CA.
Security policies, certificate policies, and CPSs are typically created by members of an organization's legal, human resources, and information technology (IT) departments. The PKI design must enforce these policies.
Warning Certificate policies and CPSs are used by other organizations to determine how well they trust certificates issued by an organization's CA hierarchy. You trust a certificate from another organization when you allow that certificate to be used on your network for signing or encryption purposes. Deploying a PKI without implementing certificate policies and CPSs can result in a PKI that causes your organization to be deemed untrustworthy by other organizations.
A dependency exists between the security policy, certificate policy, and CPS in a PKI. (See Figure 3-1.)
Security (1 Policy
Certificate (2) Policy
Figure 3-1 The dependency between the security policy, certificate policy, and certificate practice statement (CPS)
An organization must first develop a security policy, which defines the organization's security standards. Next, a certificate policy is drafted to enforce and reflect the organization's security policy. Finally, the CPS defines the CA's management procedures that enforce the certificate policy.
Note Security policies, certificate policies, and CPSs are typically legal documents that must be reviewed by an organization's legal department or legal representatives before publication to ensure that the documents are enforceable and do not misrepresent the organization's intent.
Was this article helpful?