Re: RFC 3647 - CP vs CPS
No, you don't need a CP and CPS if you have a single issuing CA with a
self-signed root certificate as your PKI. Section 3.7 describes a
Set of Provisions as "A set of provisions is a collection of
practice and/or policy statements, spanning a range of standard topics
for use in expressing a CP or CPS employing the approach described in
this framework ..." Just call your document a Set of
Provisions (SoP). However, unless your PKI is small and does not need to
be very secure, I wouldn't use just a single CA in a PKI. An
off-line self-signed root and an Issuing CA is a more suitable design.
Typically, you would have three documents: the SoP for the Root, a CP and
CPS for the Issuing CA.
At 07:41 AM 3/17/2005 -0600, VAHUJA@xxxxxxx wrote:
The RFC outlines the various
aspects of CP vs CPS. For a self-signed CA signing and issuing
certificates, is there a need for both documents, or one document
outlining both policies and practices would suffice?
I have checked RFC 3647 - specifically Sections 3.4, 3.5 and 3.6. It does
not directly address this approach. It talks of a CPS summary and of
having combined Subscriber and RP Agreements.
Are there any examples someone is aware of where a single document has
been used?
Thanks in advance,
Vijay
Vijay Ahuja Ph.D.
President
Cipher Solutions, Inc.
vijay@xxxxxxxxxxxxxxxxxxx
O: 919 848 3040
C: 919 349 0549
www.CipherSolutions.com
Suite C, 6070 Six Forks Road
Raleigh NC 27609
"Security is our Passion"
Joel S. Kazin CPA, CISA, CISSP, CISM
Senior Consultant
Atos Origin
40 Old Sleepy Hollow Road
Pleasantville, New York 10570-3802
USA
Phone +1 914-769-8780
Mobile +1 914-564-1484
email joel.kazin@xxxxxxxxxxxxxx
www.atosorigin.com