RE: Certificate Policies (was Re: Trivial PKI Question)
RFC 3280 allows a CA to include both the OID of the CP and the OID of the CPS within a certificate. I specify this when writing CP and CPS documents. While I would not recommend it, and one attorney actually asked for it, the CA can also include the full text of a user notice within the certificate. From RFC 3280:

   id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

   anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }

   certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyInformation ::= SEQUENCE {
        policyIdentifier   CertPolicyId,
        policyQualifiers   SEQUENCE SIZE (1..MAX) OF
                                PolicyQualifierInfo OPTIONAL }

   CertPolicyId ::= OBJECT IDENTIFIER

   PolicyQualifierInfo ::= SEQUENCE {
        policyQualifierId  PolicyQualifierId,
        qualifier          ANY DEFINED BY policyQualifierId }

   -- policyQualifierIds for Internet policy qualifiers

   id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
   id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }

   PolicyQualifierId ::=
        OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

   Qualifier ::= CHOICE {
        cPSuri           CPSuri,
        userNotice       UserNotice }
At 06:46 PM 3/10/2003 -0500, Santosh Chokhani wrote:

Steve:

CPS is not necessarily written by lawyers. A CPS is a description of procedures used to meet the CP requirements. If one is following the RFC 2527 framework, lawyers may write legal sections within Chapter 2. The rest of the CPS is better written by systems folks who know about the operating procedures and security controls.
I agreed with Santosh. With a few exceptions, mostly the ABA-ISC folks and a few legal firms, attorneys at large corporations deploying a PKI do not initially know what a CP is and would not be ready to write one. Writing a CPS is a job for someone with a background in IT controls and operations. One of the major delays in implementing a large PKI is getting the organization's attorneys to review and approve the CP and CPS documents. Getting approval for RFC 2527bis will help a bit as it keeps the legal sections of the "framework" together.

The CPS pointer is provided in the certificate in case the relying party wants to review the controls used in generation and revocation of a certificate.

I agree with you in terms of policy OIDs in the certificates.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Steve Hanna
Sent: Monday, March 10, 2003 5:02 PM
To: Anders Rundgren
Cc: chris.gilbert@xxxxxxxxxxxxx; ietf-pkix@xxxxxxx
Subject: Re: Certificate Policies (was Re: Trivial PKI Question)
I've been meaning to correct a comment you made in an earlier message:

Chris Gilbert wrote:

> > The two are likely to contain different certificatePolicies.

You responded:

> <CertificatePolicyRant>
> It is interesting to note that CPSs are frequently mentioned in this
> context in spite of the fact that none of the major crypto-packages
> (Windows and Java) offers any way to specify CPSs as a part of a CA
> trust acceptance process. The reason for this is simple: Computers
> don't understand legal matters and CPSs are deployment-wise anything
> but standardized. Peter Gutmann's term "Kitchen sink extensions" is a
> fair description of the value of CPSs for practical purposes. Do
> "SysAdmins" ever bother about the CPS of their VeriSign web-server
> certificates? My Thawte web-server cert does not even have a CPS
> extension and I haven't missed it that much. CPSs were designed by
> lawyers for lawyers. But lawyers do not run e-business systems, write
> application software packages, or know how to handle a Java keystore.
> </CertificatePolicyRant>
You're confusing a Certification Practice Statement (CPS) with a Certificate Policy. A CPS is typically written by lawyers for lawyers and can't be evaluated by a machine. But that doesn't mean that the Certificate Policies extension isn't useful or supported. It's a completely different beast.

The Certificate Policies extension allows a CA to include OIDs in a PKC indicating the policy (or policies) under which the PKC was issued. This is especially important when there's more than one certificate policy in use within a group of CAs (high assurance, low assurance, or whatever). The relying party needs to distinguish which certificate policy (or policies) applies to each certificate.

J2SE 1.4 and later allows applications to specify which certificate policy OIDs are acceptable when they request validation of a certification path. And we handle policy mapping properly. I don't know how many applications use these features, but they are provided.

As for whether it's useful or important to include a CPS Pointer in a certificate, I don't know. I'll leave that up to the lawyers.
Thanks,
Steve
Senior Consultant
Technical Consulting Practice, Northeast Region
Schlumberger Network Solutions
jkazin@xxxxxxxxxxxxxxxxxxxxxx
www.slb.com/nws
35 Waterview Blvd.
Suite 210
Parsippany, NJ 07054-1200
USA
Phone +1 914-769-8780
Mobile +1 914-645-5598
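The certificatePolicies structure quoted at the top of this message, and the relying-party check Steve describes (an application naming the policy OIDs it is willing to accept), as an added example that is not part of this thread and is not code from J2SE, Windows or any package mentioned here. It is a minimal pure-Python DER decoder for the extension value, one that pulls out the policy OIDs, CPS URIs and user-notice text, plus a deliberately simplified acceptance check (not full RFC 3280 section 6.1 path validation). The sample extension is constructed inside the code; its policy OIDs are hypothetical values under the 2.999 arc reserved for examples, and the CPS URL is a placeholder on example.com.

```python
# Added example, not from the thread: decode a certificatePolicies extension value
# (RFC 3280 4.2.1.5) and apply a relying-party policy check. The sample extension is
# constructed here; its policy OIDs sit under the 2.999 arc reserved for examples.

ANY_POLICY = "2.5.29.32.0"           # anyPolicy ::= { id-ce-certificatePolicies 0 }
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps: qualifier is CPSuri (IA5String)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice: qualifier is UserNotice
HIGH_ASSURANCE = "2.999.1.1"         # hypothetical policy OIDs for the sample
LOW_ASSURANCE = "2.999.1.2"


def tlv(tag, content):
    """DER tag-length-value, definite-length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos, expect=None):
    """Return (tag, content, offset after the element); optionally check the tag."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    end = pos + length
    if end > len(buf) or (expect is not None and tag != expect):
        raise ValueError("bad DER element at offset %d (tag 0x%02x)" % (pos, tag))
    return tag, buf[pos:end], end

def encode_oid(dotted):
    """OID content octets; the first two arcs share one base-128 subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append((v & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    subids, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    first = subids[0]                  # arcs 2.40 and up (e.g. 2.999) exceed 80
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def parse_user_notice(content):
    """UserNotice: return explicitText (a DisplayText CHOICE), skipping any noticeRef."""
    pos, text = 0, None
    while pos < len(content):
        t, body, pos = read_tlv(content, pos)
        if t in (0x0C, 0x16, 0x1A, 0x1E):     # UTF8String, IA5String, VisibleString, BMPString
            text = body.decode({0x0C: "utf-8", 0x1E: "utf-16-be"}.get(t, "ascii"))
    return text

def parse_certificate_policies(der):
    """certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation."""
    _, seq, _ = read_tlv(der, 0, expect=0x30)
    policies, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos, expect=0x30)           # PolicyInformation
        _, oid_body, p = read_tlv(info, 0, expect=0x06)           # policyIdentifier
        entry = {"policy": decode_oid(oid_body), "cps_uris": [], "user_notices": []}
        if p < len(info):                                         # policyQualifiers OPTIONAL
            _, quals, _ = read_tlv(info, p, expect=0x30)
            q = 0
            while q < len(quals):
                _, qinfo, q = read_tlv(quals, q, expect=0x30)     # PolicyQualifierInfo
                _, qid_body, p2 = read_tlv(qinfo, 0, expect=0x06)
                qtag, qval, _ = read_tlv(qinfo, p2)               # ANY DEFINED BY policyQualifierId
                if decode_oid(qid_body) == ID_QT_CPS and qtag == 0x16:
                    entry["cps_uris"].append(qval.decode("ascii"))
                elif decode_oid(qid_body) == ID_QT_UNOTICE and qtag == 0x30:
                    entry["user_notices"].append(parse_user_notice(qval))
        policies.append(entry)
    return policies

def accepted_policies(policies, acceptable, inhibit_any_policy=True):
    """Asserted policies intersected with what the application accepts. Simplified
    end-entity check, not RFC 3280 6.1; anyPolicy counts only when not inhibited."""
    asserted = {p["policy"] for p in policies}
    if ANY_POLICY in asserted and not inhibit_any_policy:
        return set(acceptable)
    return asserted & set(acceptable)

def build_sample_extension():
    """Constructed sample: a high-assurance policy with a CPS pointer and a user
    notice, then a low-assurance policy with no qualifiers (placeholder CPS URL)."""
    cps = tlv(0x30, tlv(0x06, encode_oid(ID_QT_CPS))
              + tlv(0x16, b"http://pki.example.com/cps.html"))
    notice = tlv(0x30, tlv(0x06, encode_oid(ID_QT_UNOTICE))
                 + tlv(0x30, tlv(0x0C, b"Relying parties must read the CPS.")))
    high = tlv(0x30, tlv(0x06, encode_oid(HIGH_ASSURANCE)) + tlv(0x30, cps + notice))
    low = tlv(0x30, tlv(0x06, encode_oid(LOW_ASSURANCE)))
    return tlv(0x30, high + low)

if __name__ == "__main__":
    parsed = parse_certificate_policies(build_sample_extension())
    print(parsed)
    print("accepted:", accepted_policies(parsed, {HIGH_ASSURANCE}))
```

The point of the split between parse_certificate_policies and accepted_policies is the one Steve makes: the policy OID is the machine-evaluable part, so the application decides on it; the CPS URI and the user notice come out of the same structure but are only carried along for a human to read. A real relying party would also have to walk the whole certification path, apply policy mappings and honour inhibitAnyPolicy, which this check does not attempt.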