RE: Request for IESG consideration: CP/CPS Framework
Dear David,
If one looks at the raison d'être for a CPS, it is very different to that of
the CP.
It is my understanding, and I am open to any correction, that a CPS is a
document that details the practices and procedures established by a CA that
will cover the life-cycle of certificates issued by the CA. That is, it
covers how the certificate will be generated, suspended and revoked. An
internally focused document covering the internal environment of the CA.
Much like an operations manual for a CA business as they relate to
certificates.
The CP is a very different document which will usually be relied upon by
the relying party and to a certain extent the subscriber. RFC 2527 states:
'According to X.509, a certificate policy (CP) is "a named
set of rules that indicates the applicability of a certificate to a
particular community and/or class of applications with common
security requirements."
A CP may be used by a relying party to help
in deciding whether a certificate, and the binding therein, are
sufficiently trustworthy and otherwise appropriate for a particular
application.'
Hence my query as to the applicability of RFC 2527 to the CP. RFC 2527
concentrates on the internal practices of the CA, which is really the
function of a CPS. I believe that a separate RFC should be established
that specifically covers the rules that govern the use of a certificate by
a relying party. This RFC should be much more concise than RFC 2527.
Hence my comment that I believe RFC 2527 to be inappropriate for a CP and
thus overly complex.
It is interesting that the Banking sector has taken the view that a CPS is
an internal document, which I have no problem with, and therefore will not
be published. A CP on the other hand does need to be published otherwise
the relying party will not be in a position to ascertain/determine any
trust value for the transaction as it relates to the digital signature for
verification.
Dr. Adrian McCullagh Ph. D.
Solicitor/lawyer
Freehills, Australia
Direct 61 7 3258 6603
Telephone 61 7 3258 6666
Facsimile 61 7 3258 6444
http://www.freehills.com