Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC 2527

Document Type RFC - Informational (March 1999; Errata)
Obsoleted by RFC 3647
Authors Santosh Chokhani, Warwick Ford
Last updated 2020-01-21
Stream IETF
Network Working Group                                        S. Chokhani
Request for Comments: 2527                      CygnaCom Solutions, Inc.
Category: Informational                                          W. Ford
                                                          VeriSign, Inc.
                                                              March 1999

                Internet X.509 Public Key Infrastructure
        Certificate Policy and Certification Practices Framework

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This document presents a framework to assist the writers of
   certificate policies or certification practice statements for
   certification authorities and public key infrastructures.  In
   particular, the framework provides a comprehensive list of topics
   that potentially (at the writer's discretion) need to be covered in a
   certificate policy definition or a certification practice statement.

1.  INTRODUCTION

1.1  BACKGROUND

   A public-key certificate (hereinafter "certificate") binds a public-
   key value to a set of information that identifies the entity (such as
   person, organization, account, or site) associated with use of the
   corresponding private key (this entity is known as the "subject" of
   the certificate).  A certificate is used by a "certificate user" or
   "relying party" that needs to use, and rely upon the accuracy of, the
   public key distributed via that certificate (a certificate user is
   typically an entity that is verifying a digital signature from the
   certificate's subject or an entity sending encrypted data to the
   subject).  The degree to which a certificate user can trust the
   binding embodied in a certificate depends on several factors. These
   factors include the practices followed by the certification authority
   (CA) in authenticating the subject; the CA's operating policy,
   procedures, and security controls; the subject's obligations (for
   example, in protecting the private key); and the stated undertakings

Chokhani & Ford              Informational                      [Page 1]
RFC 2527                          PKIX                        March 1999

   and legal obligations of the CA (for example, warranties and
   limitations on liability).

   A Version 3 X.509 certificate may contain a field declaring that one
   or more specific certificate policies apply to that certificate
   [ISO1].  According to X.509, a certificate policy is "a named set of
   rules that indicates the applicability of a certificate to a
   particular community and/or class of application with common security
   requirements." A certificate policy may be used by a certificate user
   to help in deciding whether a certificate, and the binding therein,
   is sufficiently trustworthy for a particular application.  The
   certificate policy concept is an outgrowth of the policy statement
   concept developed for Internet Privacy Enhanced Mail [PEM1] and
   expanded upon in [BAU1].

   A more detailed description of the practices followed by a CA in
   issuing and otherwise managing certificates may be contained in a
   certification practice statement (CPS) published by or referenced by
   the CA.  According to the American Bar Association Digital Signature
   Guidelines (hereinafter "ABA Guidelines"), "a CPS is a statement of
   the practices which a certification authority employs in issuing
   certificates." [ABA1]
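   As an added example (not part of RFC 2527), the following shows what a
   relying party does with the two artifacts the preceding paragraphs
   describe: it reads the policy identifiers the CA asserted in the X.509 v3
   certificatePolicies extension, picks up the CPS pointer qualifier that
   PKIX defines for referencing the CA's published CPS, and compares the
   asserted policies with the set its application accepts. The DER value,
   the policy OID 2.999.1 (ITU-T example arc) and the URL
   http://example.com/cps are constructed for this example.

```python
# Added example: decode an X.509 v3 certificatePolicies value and run a relying-party check.
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # policy qualifier that points at the CA's published CPS

def _tlv(buf, i):  # -> (tag, content_start, content_end) of the DER TLV at buf[i]
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        return tag, i + 2, i + 2 + first
    n = first & 0x7F
    return tag, i + 2 + n, i + 2 + n + int.from_bytes(buf[i + 2:i + 2 + n], "big")

def _decode_oid(content):  # base-128 sub-identifiers -> dotted form
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    head = subids[0]  # first sub-identifier packs arcs 1 and 2
    arcs = [head // 40, head % 40] if head < 80 else [2, head - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def parse_certificate_policies(der):
    """Return [(policy_oid, cps_uri_or_None), ...] from a SEQUENCE OF PolicyInformation."""
    tag, i, end = _tlv(der, 0)
    assert tag == 0x30, "outer SEQUENCE expected"
    policies = []
    while i < end:
        _, p, p_end = _tlv(der, i)                # PolicyInformation
        tag, o, o_end = _tlv(der, p)              # policyIdentifier
        assert tag == 0x06, "policyIdentifier must be an OID"
        oid, cps = _decode_oid(der[o:o_end]), None
        if o_end < p_end:                         # optional policyQualifiers follow the OID
            _, q, q_end = _tlv(der, o_end)
            while q < q_end:
                _, qi, qi_end = _tlv(der, q)      # PolicyQualifierInfo
                _, a, a_end = _tlv(der, qi)       # policyQualifierId
                tag, b, b_end = _tlv(der, a_end)  # qualifier value
                if tag == 0x16 and _decode_oid(der[a:a_end]) == ID_QT_CPS:
                    cps = der[b:b_end].decode("ascii")  # IA5String URI of the CPS
                q = qi_end
        policies.append((oid, cps))
        i = p_end
    return policies

def acceptable(policies, accepted):
    """Relying-party rule: accept only if an asserted policy OID is in the accepted set."""
    return any(oid in accepted for oid, _ in policies)
# Constructed value: anyPolicy with a CPS pointer, then example-arc policy 2.999.1 (no qualifiers).
SAMPLE = bytes.fromhex("3035302c0604551d2000302430220608" "2b060105050702011616"
                       + "http://example.com/cps".encode().hex() + "30050603883701")
```

   Note that anyPolicy (2.5.29.32.0) is deliberately not treated as a match:
   a relying party's accepted set should name the specific policies it trusts.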

1.2  PURPOSE

   The purpose of this document is to establish a clear relationship
   between certificate policies and CPSs, and to present a framework to
   assist the writers of certificate policies or CPSs with their tasks.
   In particular, the framework identifies the elements that may need to
   be considered in formulating a certificate policy or a CPS.  The
   purpose is not to define particular certificate policies or CPSs, per

1.3  SCOPE

   The scope of this document is limited to discussion of the contents
   of a certificate policy (as defined in X.509) or CPS (as defined in
   the ABA Guidelines).  In particular, this document describes the
   types of information that should be considered for inclusion in a
   certificate policy definition or a CPS.  While the framework as
   presented generally assumes use of the X.509 version 3 certificate
   format, it is not intended that the material be restricted to use of
   that certificate format.  Rather, it is intended that this framework
   be adaptable to other certificate formats that may come into use.

   The scope does not extend to defining security policies generally
   (such as organization security policy, system security policy, or
   data labeling policy) beyond the policy elements that are considered
