SPYRUS Policies and Procedures - Certificate Policy
The CP is the primary document in the Policies and Procedures Suite. It sets out the rules that must be followed to deploy and maintain a PKI at a stated assurance level. The ITU-T X.509 version 3 certificate specification defines a Certificate Policy as a "named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." In addition to the ITU-T specification, the SPYRUS Certificate Policy Template (CPT) is based on, and complies with, IETF RFC 2527, "Certificate Policy and Certification Practices Framework", which at the time of writing is under revision; the SPYRUS CPT also conforms to that revision, soon to be published by the IETF. The IETF framework is used worldwide to ensure interoperability and conformance to a recognized standard.
The CP itself is not published, but it is subject to external review for audit, accreditation, and certification purposes. Once the corresponding Certification Practice Statement has been published, the CP can be changed only through the formal change procedures. Many organizations require more than one CP, one per assurance level or community of users; SPYRUS can prepare these policies so that any required interoperability between them falls within the policy framework.
A CP addresses the legal, business, and technical requirements of a PKI. It is derived from business objectives and policies and ensures compliance with applicable legislation and regulation: for example, in the U.S., the Health Insurance Portability and Accountability Act, including the HIPAA Security and HIPAA Privacy regulations; in the European Union, Directive 1999/93/EC on electronic signatures. The SPYRUS CPT is adaptable to any jurisdictional framework. In terms of business objectives, the CP establishes the rules that enable particular types of business activities and transactions. Finally, through conformance with the detailed IETF specifications on certificate formats, protocols, algorithms, and related matters, the CP sets out the technical framework needed to meet both international standards and the business objectives.