Re: [IETF-PKIX] Critical extensions and Policy OIDs
Further to Charles and Bob's comments on policies and CPS:
Charles said:
>We have both, these are published in closed communities.
This is similar to what I am seeing among a number of our customers as
well. Especially in the enterprise CA community, the CPS typically
contains a significant amount of highly sensitive information which
corporations operating an enterprise CA have no need nor desire to make
publicly available, unless they have a business reason to do so. In my
opinion the way this will evolve is that very detailed CPS documents
have been and will continue to be produced by organizations. These will probably
be used mostly for audit, accreditation, internal process management,
quality assurance and consideration by other security domains when
establishing a cross-certification agreement with them. I think you
will, however, see very high level overviews of CPS documents published
eventually by many CAs of this type.
In a public service CA environment, the business reasons to publish a
CPS are much more obvious and I believe you will see a much higher
percentage (but not all) of service providers publish at least some form
of a CPS.
On certificate policies, I am aware of organizations which are defining
these, but again most are not making this information publicly available,
at least not at this time.
I would note, however, that draft certificate policies produced within
the Government of Canada (8 of them - 4 for encryption and 4 for digital
signature) were supplied to the ABA ISC at its October meeting as an
informational reference document. I understand that the same drafts were
made available to last week's ANSI X9.45 meeting for information.
Certificate policies are valuable for use within a single security
domain as well as between domains through cross-certification and as
more and more policy definitions become more widely disseminated, it is
my opinion that some adoption of common ones, at least within industry
sectors, will emerge.
Bob said:
>I'm not aware of any CAs that are actually including a policy OID in their
>certificates to date -- if someone does know of some examples it might be
>quite helpful -- maybe even a de facto practice.
Please remember that there is a community of CAs which are operated by
individual corporations which are not offering CA services to the
general public. These include corporate CAs primarily issuing
certificates for their own employees, banks offering services such as
home banking to their own banking customers, and many other scenarios as
well. There is no reason for these organizations to make their policies
and practices publicly known, other than to their own community of
interest (which includes CAs with which they cross certify). Just
because you aren't aware of it doesn't necessarily mean it isn't
happening.
Charles said:
>It's just an OID.
I agree and as such it is merely a tool to convey, through its inclusion
in a certificate, the policy under which a CA issued a cert. It is
valuable in both end-entity certs and cross-certs. The technical, legal,
business and policy issues surrounding the issuance and use of these
OIDs are important, but in the end they are only OIDs. PKIX is not the
best venue for determining the legal notice of an OID; we should be
making sure that the tools are available within the certificate
structure to support such determinations by the legal community, but not
try to make those determinations here.
------------------
Sharon Boeyen
Entrust Technologies

mailto:boeyen@entrust.com Tel: (613) 247-3181
http://www.entrust.com Fax: (613) 247-3690
Orchestrating Enterprise Security
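On the point that a policy identifier "is just an OID": inside a certificate it travels in the certificatePolicies extension (id-ce 32, X.509 / RFC 5280 section 4.2.1.4), an Extension whose critical BOOLEAN is the flag the subject line refers to and whose value is a SEQUENCE of PolicyInformation entries, each beginning with a policyIdentifier OID. The following is an added example, not code from this thread or from Entrust: a small stdlib-only DER encoder and decoder for that extension, so the bytes a CA emits and a relying party reads can be inspected directly. The policy OID 1.3.6.1.4.1.99999.1.1 is a made-up value under the IANA private enterprise arc, used here only as constructed sample data and not an assigned policy.

```python
# Added example: DER encoding and decoding of the X.509 certificatePolicies
# extension (X.509 / RFC 5280 section 4.2.1.4). Not code from the thread above.
from typing import List, Tuple

CERTIFICATE_POLICIES_OID = "2.5.29.32"  # id-ce-certificatePolicies
# Hypothetical private-arc policy OID, used only as constructed sample data.
SAMPLE_POLICY_OID = "1.3.6.1.4.1.99999.1.1"


def _tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value with DER length: short form below 128, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def encode_certificate_policies(policy_oids: List[str], critical: bool = False) -> bytes:
    """Build a complete Extension carrying certificatePolicies (no qualifiers)."""
    policy_infos = b"".join(_tlv(0x30, encode_oid(oid)) for oid in policy_oids)
    parts = encode_oid(CERTIFICATE_POLICIES_OID)
    if critical:  # DER omits the BOOLEAN when it equals its DEFAULT of FALSE
        parts += _tlv(0x01, b"\xff")
    return _tlv(0x30, parts + _tlv(0x04, _tlv(0x30, policy_infos)))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, offset after the element); rejects truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        if not 0 < count <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid; the first byte packs the first two arcs."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if body[-1] & 0x80:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(str(a) for a in arcs)

def decode_extension(ext: bytes) -> Tuple[str, bool, bytes]:
    """Split an Extension into (extnID, critical, raw extnValue)."""
    tag, body, end = _read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("expected exactly one Extension SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN; absent means the extension is non-critical
        critical = value != b"\x00"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return decode_oid(oid_body), critical, value

def decode_certificate_policies(ext: bytes) -> Tuple[bool, List[str]]:
    """Return (critical, [policy OIDs]) from a certificatePolicies Extension."""
    extn_id, critical, extn_value = decode_extension(ext)
    if extn_id != CERTIFICATE_POLICIES_OID:
        raise ValueError("not certificatePolicies: " + extn_id)
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        tag2, oid_body, _ = _read_tlv(info, 0)  # policyQualifiers, if any, follow
        if tag != 0x30 or tag2 != 0x06:
            raise ValueError("PolicyInformation must start with a policyIdentifier OID")
        oids.append(decode_oid(oid_body))
    if not oids:
        raise ValueError("certificatePolicies must list at least one policy")
    return critical, oids
```

Calling `decode_certificate_policies(encode_certificate_policies([SAMPLE_POLICY_OID], critical=True))` returns `(True, ['1.3.6.1.4.1.99999.1.1'])`; a relying party that has to reject certificates carrying a critical extension it does not understand can branch on that first value. Policy qualifiers (the CPS pointer and user notice that X.509 allows after the OID) are skipped rather than decoded, which is all the "it's just an OID" point needs.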