
RE: RFC 3647 - CP vs CPS

You should always have a CPS so that your procedures are detailed.  The CPS can also provide a baseline to audit against.  You may be able to use the sections of the CPS for relying parties and subscribers.
 
Whether you need a CP as well and OID (OID can be assigned based on CPS alone) depends on whether you plan to cross certify and whether the cross certifying party is willing to perform policy mapping based on the CPS or not. Same question you need to ask yourself. Will you be able to use your procedures and perform mapping to someone else's CP which is at requirement/what level and not at procedures level.

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Kazin, Joel
Sent: Thursday, March 17, 2005 9:14 AM
To: VAHUJA@xxxxxxx; ietf-pkix@xxxxxxx
Cc: VAHUJA@xxxxxxx
Subject: Re: RFC 3647 - CP vs CPS

No, you don't need a CP and CPS if you have a single issuing CA with a self signed root certificate as your PKI. Section 3.7 describes a Set of Provisions as "A set of provisions is a collection of practice and/or policy statements, spanning a range of standard topics for use in expressing a CP or CPS employing the approach described in this framework ..." Just call your document a Set of Provisions (SoP). However, unless your PKI is small and does not need to be very secure, I wouldn't use just a single CA in a PKI. An off-line self signed root and an Issuing CA is a more suitable design. Typically, you would have three documents: the SoP for the Root, and a CP and CPS for the Issuing CA.


At 07:41 AM 3/17/2005 -0600, VAHUJA@xxxxxxx wrote:
The RFC outlines the various aspects of CP vs CPS. For a self-signed CA signing and issuing certificates, is there a need for both documents, or would one document outlining both policies and practices suffice?
 
I have checked RFC 3647 - specifically Sections 3.4, 3.5 and 3.6. It does not directly address this approach. It talks of a CPS summary and of having combined Subscriber and RP Agreements.
 
Are there any examples someone is aware of where a single document has been used?
 
Thanks in advance,
 
Vijay
 
Vijay Ahuja Ph.D.
President
Cipher Solutions, Inc.
vijay@xxxxxxxxxxxxxxxxxxx
O: 919 848 3040
C: 919 349 0549
www.CipherSolutions.com
Suite C, 6070 Six Forks Road
Raleigh NC 27609
"Security is our Passion"


Joel S. Kazin CPA, CISA, CISSP, CISM
Senior Consultant
Atos Origin
40 Old Sleepy Hollow Road
Pleasantville, New York 10570-3802
USA
Phone  +1 914-769-8780
Mobile  +1 914-564-1484
email    joel.kazin@xxxxxxxxxxxxxx
www.atosorigin.com