
Re: Certificate Policies (was Re: Trivial PKI Question)



I've been meaning to correct a comment you made in an
earlier message:

Chris Gilbert wrote:
> > The two are likely to contain different certificatePolicies.

You responded:

> <CertificatePolicyRant>
> It is interesting to note that CPSs are frequently mentioned in this context
> in spite of the fact that none of the major crypto-packages (Windows
> and Java) offers any way to specify CPSs as a part of a CA trust acceptance
> process.  The reason for this is simple: Computers don't understand
> legal matters and CPSs are deployment-wise anything but standardized.
> Peter Gutmann's term "Kitchen sink extensions" is a fair description of
> the value of CPSs for practical purposes.  Do "SysAdmins" ever
> bother about the CPS of their VeriSign web-server certificates?
> My Thawte web-server cert does not even have a CPS extension and
> I haven't missed it that much.  CPSs were designed by lawyers for
> lawyers.  But lawyers do not run e-business systems, write application
> software packages, or know how to handle a Java keystore.
> </CertificatePolicyRant>

You're confusing a Certification Practice Statement (CPS)
with a Certificate Policy. A CPS is typically written by
lawyers for lawyers and can't be evaluated by a machine.
But that doesn't mean that the Certificate Policies
extension isn't useful or supported. It's a completely
different beast.

The Certificate Policies extension allows a CA to include
OIDs in a PKC indicating the policy (or policies) under
which the PKC was issued. This is especially important when
there's more than one certificate policy in use within a
group of CAs (high assurance, low assurance, or whatever).
The relying party needs to distinguish which certificate
policy (or policies) applies to each certificate.

J2SE 1.4 and later allows applications to specify which
certificate policy OIDs are acceptable when they request
validation of a certification path. And we handle policy
mapping properly. I don't know how many applications use
these features, but they are provided.

As for whether it's useful or important to include a CPS Pointer
in a certificate, I don't know. I'll leave that up to the
lawyers.

Thanks,

Steve
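The distinction Steve draws above (a CPS is prose for lawyers, the certificatePolicies extension is OIDs for code) is easier to see with the machine side written out. The following is an added example and is not code from the original message, from Sun's J2SE implementation, or from any CA product. It is a stdlib-only Python model of two things: decoding the DER certificatePolicies value into policy OIDs (qualifiers such as a CPS pointer are skipped, since software cannot evaluate them), and a simplified RFC 3280 policy walk over a chain that applies policyMappings and intersects the result with the relying party's acceptable initial policies. Every OID except anyPolicy (2.5.29.32.0) is constructed for illustration, the chain data is constructed, the short-form DER length limit and the "explicit policy always required, anyPolicy never mapped" simplifications are assumptions of this example, and the function names are mine.

```python
# Added example, not from the original message: a stdlib-only model of the
# machine-evaluable half of certificatePolicies. All OIDs except anyPolicy
# are constructed; the policy walk is a simplification of RFC 3280 section 6.1.

ANY_POLICY = "2.5.29.32.0"               # real: anyPolicy
HIGH = "1.3.6.1.4.1.99999.1.1"           # constructed: our high-assurance policy
LOW = "1.3.6.1.4.1.99999.1.2"            # constructed: our low-assurance policy
PARTNER_HIGH = "1.3.6.1.4.1.99998.7.1"   # constructed: partner CA's name for HIGH

def _tlv(tag, content):                  # DER TLV; short-form lengths only (< 128)
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]       # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:           # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_certificate_policies(oids):
    # certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))

def _read_tlv(buf, off):                 # returns (tag, content, offset after the TLV)
    tag, length = buf[off], buf[off + 1]
    if length & 0x80:                    # long form: next N bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + n
    return tag, buf[off + 2:off + 2 + length], off + 2 + length

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_certificate_policies(der):
    """Policy OIDs asserted in a DER certificatePolicies value. Qualifiers
    (CPS URI, user notice) are ignored: they are for humans, not for code."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, off = [], 0
    while off < len(seq):
        tag2, info, off = _read_tlv(seq, off)
        tag3, oid, _ = _read_tlv(info, 0)      # first member: policyIdentifier
        if tag2 != 0x30 or tag3 != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid))
    return oids

def validate_policies(chain, initial_policies):
    """chain: certs from the one the trust anchor issued down to the end entity,
    each {"policies": [oids], "mappings": [(issuer_oid, subject_oid), ...]}.
    Returns the relying-party-domain policies the end entity is valid under
    (empty set = reject). Explicit policy is required; anyPolicy is not mapped."""
    # branch: policy as named in the relying party's domain -> OIDs the next cert must assert
    branches = {ANY_POLICY: {ANY_POLICY}}
    for cert in chain:
        asserted, nxt = set(cert["policies"]), {}
        for root, expected in branches.items():
            if ANY_POLICY in asserted:
                matched = expected           # anyPolicy satisfies whatever was expected
            elif ANY_POLICY in expected:
                matched = asserted           # nothing expected yet: take what is asserted
            else:
                matched = expected & asserted
            if not matched:
                continue                     # this branch dies here
            if root == ANY_POLICY:           # first cert below the anchor: one branch per policy
                for p in matched:
                    nxt.setdefault(p, set()).add(p)
            else:
                nxt.setdefault(root, set()).update(matched)
        # policyMappings: the subject CA calls `s` what this issuer calls `i`
        mappings = cert.get("mappings", [])
        branches = {root: {s for e in exp for i, s in mappings if i == e}
                          | {e for e in exp if all(i != e for i, _ in mappings)}
                    for root, exp in nxt.items()}
    roots, initial = set(branches), set(initial_policies)
    if ANY_POLICY in initial:
        return roots                         # relying party accepts any policy the chain carries
    if ANY_POLICY in roots:
        return initial                       # chain asserted anyPolicy all the way down
    return roots & initial

def demo():
    # Constructed chain: the anchor certified our CA for HIGH and LOW and mapped HIGH onto
    # the partner's PARTNER_HIGH; the CA then issued an EE cert asserting only PARTNER_HIGH.
    ca = {"policies": [HIGH, LOW], "mappings": [(HIGH, PARTNER_HIGH)]}
    ee = {"policies": decode_certificate_policies(encode_certificate_policies([PARTNER_HIGH]))}
    bare = {"policies": []}              # no certificatePolicies extension at all
    return {
        "ee_policies": ee["policies"],
        "want_high": validate_policies([ca, ee], {HIGH}),        # {HIGH}, via the mapping
        "want_low": validate_policies([ca, ee], {LOW}),          # set(): EE never asserted LOW
        "want_any": validate_policies([ca, ee], {ANY_POLICY}),   # {HIGH}
        "no_policy": validate_policies([ca, bare], {HIGH}),      # set(): explicit policy required
    }
```

The relying-party inputs modelled by `initial_policies` and the explicit-policy assumption correspond, in the J2SE 1.4 CertPath API the message refers to, to `PKIXParameters.setInitialPolicies(Set)` and `PKIXParameters.setExplicitPolicyRequired(boolean)`; `CertPathValidator.validate` then performs the mapping-aware walk. Note that `decode_certificate_policies` deliberately discards the CPS pointer qualifier: that is the part of the extension this message says belongs to the lawyers.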