
Re: Certificate Policies (real-world vs. PKIX)



Guys,

I'm sorry that I mixed CP and CPS but I would like to extend
the scope of my previous "policy-rant" to include all legal
information inserted in EE-certificates whatever it is called
and whatever its purpose may be.

I look on this issue from a pragmatic point of view.

In case you are interested in how hands-on thinking works here is
some of this admittedly "low-brow" stuff.   The advantage with
"low-brow" solutions is that they are robust and can be understood
by people who do not have a degree in informatics.

Coping with different policies according to the real-world 
------------------------------------------------------------------

All commercial CAs of any significance have selected the same
method which is to have a separate CA for each "product", as run-time
checks of policies only complicate things for their customers (and are
in no way standardized).

That is, Policy <==> CA.  No more, no less.

Coping with different policies according to PKIX (?)
------------------------------------------------------------

I hope that you at least acknowledge that in order to use [1] policy
extensions in a wider scope where numerous CAs are involved,
they must all adhere to the same definitions.  But, AFAIK it is
- very hard to standardize "information" & "content" in general
- likely to be magnitudes harder to standardize legal stuff

Question: If policy extensions only work within rather limited
circles, why use [1] them at all?

[1] "use" in this case refers to application SW reading policy
extensions and "acting" differently depending on what they got.
Note: To put legal stuff in EE-certificates essentially only to please
lawyers or management is completely outside of this discussion.


In case you think I am wrong, I suggest you take on the completely
death-defying task of making the UN create standard policy profiles.

OTOH I believe Kofi Annan has some more urgent real-world
business to cater for.  And "our" problem has de-facto already
been solved, although using another method than originally planned.

cheers,
Anders

----- Original Message ----- 
From: "Santosh Chokhani" <chokhani@xxxxxxxxxxxx>
To: "'Steve Hanna'" <steve.hanna@xxxxxxx>; "'Anders Rundgren'" <anders.rundgren@xxxxxxxxx>
Cc: <chris.gilbert@xxxxxxxxxxxxx>; <ietf-pkix@xxxxxxx>
Sent: Tuesday, March 11, 2003 00:46
Subject: RE: Certificate Policies (was Re: Trivial PKI Question)


Steve:

CPS is not necessarily written by lawyers.  A CPS is a description of
procedures used to meet the CP requirements.  If one is following RFC 2527
framework, lawyers may write legal sections within Chapter 2.  The rest of the
CPS is better written by systems folks who know about the operating
procedures and security controls.

The CPS pointer is provided in the certificate in case the relying party
wants to review the controls used in generation and revocation of a
certificate.

I agree with you in terms of policy OIDs in the certificates.

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Steve Hanna
Sent: Monday, March 10, 2003 5:02 PM
To: Anders Rundgren
Cc: chris.gilbert@xxxxxxxxxxxxx; ietf-pkix@xxxxxxx
Subject: Re: Certificate Policies (was Re: Trivial PKI Question)



I've been meaning to correct a comment you made in an
earlier message:

Chris Gilbert wrote:
> > The two are likely to contain different certificatePolicies.

You responded:

> <CertificatePolicyRant>
> It is interesting to note that CPSs are frequently mentioned in this 
> context in spite of the fact that none of the major crypto-packages 
> (Windows and Java) offers any way to specify CPSs as a part of a CA 
> trust acceptance process.  The reason for this is simple: Computers 
> don't understand legal matters and CPSs are deployment-wise anything 
> but standardized. Peter Gutmann's term "Kitchen sink extensions" is a 
> fair description of the value of CPSs for practical purposes.  Do 
> "SysAdmins" ever bother about the CPS of their VeriSign web-server 
> certificates? My Thawte web-server cert does not even have a CPS 
> extension and I haven't missed it that much.  CPSs were designed by 
> lawyers for lawyers.  But lawyers do not run e-business systems, write 
> application software packages, or know how to handle a Java keystore. 
> </CertificatePolicyRant>

You're confusing a Certification Practice Statement (CPS)
with a Certificate Policy. A CPS is typically written by lawyers for lawyers
and can't be evaluated by a machine. But that doesn't mean that the
Certificate Policies extension isn't useful or supported. It's a completely
different beast.

The Certificate Policies extension allows a CA to include
OIDs in a PKC indicating the policy (or policies) under
which the PKC was issued. This is especially important when there's more
than one certificate policy in use within a group of CAs (high assurance,
low assurance, or whatever). The relying party needs to distinguish which
certificate policy (or policies) applies to each certificate.

J2SE 1.4 and later allows applications to specify which certificate policy
OIDs are acceptable when they request validation of a certification path.
And we handle policy mapping properly. I don't know how many applications
use these features, but they are provided.

As for whether it's useful or important to include a CPS Pointer in a
certificate, I don't know. I'll leave that up to the lawyers.

Thanks,

Steve
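The extension Steve describes above (policy OIDs plus the optional CPS pointer qualifier in the certificatePolicies extension, RFC 3280 section 4.2.1.5) and the relying-party check an application performs on it, as an added example that is not code from the thread, from J2SE or from any CA. It builds a constructed extension value with a tiny DER encoder, parses it back, and tests the asserted policy OIDs against an acceptable set. The policy OIDs under 1.3.6.1.4.1.99999, the URL http://ca.example/cps.html and the function names (parse_certificate_policies, policies_acceptable, build_sample_extension) are all assumptions of this example. It is a single-certificate check only: policy mapping, policy constraints and inhibitAnyPolicy are path-validation matters that a full PKIX validator (such as the J2SE one mentioned above) handles and this example does not.

```python
# Added example (not from the thread): parse a certificatePolicies extension
# value and apply a relying-party check.  OIDs under 1.3.6.1.4.1.99999 and
# the CPS URL are hypothetical, constructed inputs.

ANY_POLICY = "2.5.29.32.0"        # anyPolicy (RFC 3280 4.2.1.5)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps: qualifier is an IA5String URI
SEQUENCE, OID, IA5STRING = 0x30, 0x06, 0x16

def encode_oid(dotted):
    """Dotted-decimal OID -> DER content octets (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes(body)

def decode_oid(body):
    """DER content octets -> dotted-decimal OID; rejects a truncated last arc."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("truncated OID")
    first = min(arcs[0] // 40, 2)       # first octet packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def tlv(tag, body):
    n = len(body)                       # DER definite-length encoding only
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """TLV at buf[pos] -> (tag, content, end); rejects indefinite/overlong lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end

def parse_certificate_policies(ext_value):
    """Return [(policy_oid, cps_uri_or_None), ...] from a certificatePolicies value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != SEQUENCE or end != len(ext_value) or not body:
        raise ValueError("certificatePolicies must be one non-empty SEQUENCE")
    policies, pos = [], 0
    while pos < len(body):              # each item is a PolicyInformation
        tag, info, pos = read_tlv(body, pos)
        itag, oid_body, p = read_tlv(info, 0)
        if tag != SEQUENCE or itag != OID:
            raise ValueError("malformed PolicyInformation")
        cps_uri = None
        if p < len(info):               # optional policyQualifiers present
            qtag, quals, p = read_tlv(info, p)
            if qtag != SEQUENCE or p != len(info):
                raise ValueError("malformed policyQualifiers")
            q = 0
            while q < len(quals):       # PolicyQualifierInfo { id OID, qualifier ANY }
                _, qual, q = read_tlv(quals, q)
                _, qid, r = read_tlv(qual, 0)
                if decode_oid(qid) == ID_QT_CPS:
                    utag, uri, _ = read_tlv(qual, r)
                    if utag != IA5STRING:
                        raise ValueError("CPS qualifier must be an IA5String")
                    cps_uri = uri.decode("ascii")
                # id-qt-unotice (user notice) is display text; it plays no part here
        policies.append((decode_oid(oid_body), cps_uri))
    return policies

def policies_acceptable(cert_policies, acceptable):
    """Does the cert assert an acceptable policy?  anyPolicy matches all (RFC 3280 6.1.3 d)."""
    asserted = {oid for oid, _ in cert_policies}
    return ANY_POLICY in asserted or not asserted.isdisjoint(acceptable)

def build_sample_extension():
    """Constructed input: a 'high assurance' policy with a CPS pointer, plus one without."""
    high = tlv(SEQUENCE, tlv(OID, encode_oid("1.3.6.1.4.1.99999.1.1")) +
               tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, encode_oid(ID_QT_CPS)) +
                                 tlv(IA5STRING, b"http://ca.example/cps.html"))))
    low = tlv(SEQUENCE, tlv(OID, encode_oid("1.3.6.1.4.1.99999.1.2")))
    return tlv(SEQUENCE, high + low)
```

The parser deliberately refuses indefinite lengths and lengths that run past the buffer, since a hostile certificate is where a relying party most needs the check to fail closed; the CPS URI is returned but never consulted for the decision, which is exactly the point made in the thread that the CPS is for humans and the policy OIDs are for software.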