FEATURE

July 26, 1999
Defining CPs and CPSes
A CP--identified in a certificate by a unique registered OID (Object Identifier) that is understood by all users of the certificate--describes in broad terms the certificate's intended use. CPs are used to define acceptable levels of trust among all parties involved. For example, a CP for high-security access control may state that the user's fingerprints or photograph associated with a certificate must be on file with the originating CA (Certificate Authority). A CP doesn't specify the format of that data--only that the data be there. CPs should be created alongside other organizational policies, such as acceptable-use and general security policies. Given the information in the CP, users can choose whether to trust the certificate as issued.

A CPS describes in specific terms the procedures, formats and processes that are in place to ensure the integrity of the PKI. The CPS can be a promulgated practice statement, a contractual agreement between parties or another legally binding instrument.

The CP and the CPS work in tandem to state your organization's stance regarding PKI. Both also may be used to instantiate legal agreements, define audit controls, and stipulate warranties and remedies.
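The following Go program is an added example, not code from the original article: it builds a self-signed test certificate that carries a placeholder CP OID in its certificatePolicies extension, then shows the check a relying party performs before deciding to trust the certificate on the strength of that CP. The OID value, the function names and the test certificate are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Constructed placeholder CP OID (a real one is registered and published with the CP and CPS).
var HighSecurityCP = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// SelfSignedWithPolicy builds a self-signed test certificate (constructed for
// this example) whose certificatePolicies extension (id-ce 32) asserts cp.
func SelfSignedWithPolicy(cp asn1.ObjectIdentifier) (*x509.Certificate, error) {
	// X.509 PolicyInformation with its optional qualifiers omitted: a CP is named by OID only.
	extValue, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{cp}})
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AssertsPolicy reports whether the issuer claimed the CP identified by want;
// a relying party's decision to trust the certificate hinges on that OID.
func AssertsPolicy(cert *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(want) {
			return true
		}
	}
	return false
}
```

The OID only says which policy the CA claims to have followed; whether the CA actually verified the fingerprints or photograph the CP requires is a matter for its CPS and audit controls, not something the certificate itself can prove.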