PKI Policies and Procedures: Certificate Policy

The certificate policy sets out the rules necessary to deploy and maintain a PKI with a stated assurance level. It

A certificate policy is defined in the ITU-T X.509 version 3 certificate specification as a "named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." The SPYRUS certificate policy is based on and complies with both the ITU-T specification and the Internet Engineering Task Force (IETF) RFC 2527: PKI Certificate Policy and Certification Practice Framework. The IETF Framework is used worldwide to ensure interoperability and conformance to a recognized standard.

The certificate policy is not published, but it is subject to external review for audit, accreditation, and certification. After the corresponding certification practices statement is published, the certificate policy cannot be changed except through formal change procedures. Many organizations require more than one certificate policy for different assurance levels and communities of users. SPYRUS can prepare these policies so that all interoperability falls within the policy framework.

A certificate policy addresses the legal, business, and technical requirements of a PKI. It is derived from business objectives and policies, and ensures compliance with applicable legislation and regulation, such as the Health Insurance Portability and Accountability Act in the U.S. and EU Directive 1999/93/EC on electronic signatures in the European Union.

The SPYRUS certificate policy template is adaptable to any jurisdictional framework. It establishes a set of rules to enable particular types of business activities and transactions. Through conformance with IETF specifications in areas such as certificate formats, protocols, and algorithms, the certificate policy sets out a technical framework to meet international standards and business objectives.




© 2008 SPYRUS, Inc.