Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
RFC 3647

 
Document Type: RFC - Informational (November 2003; Errata)
Obsoletes: RFC 2527
Last updated: 2013-03-02
Stream: IETF
Stream WG state: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG state: RFC 3647 (Informational)
Telechat date:
Responsible AD: Russ Housley
Send notices to: <kent@bbn.com>, <wpolk@nist.gov>


Network Working Group                                        S. Chokhani
Request for Comments: 3647                Orion Security Solutions, Inc.
Obsoletes: 2527                                                  W. Ford
Category: Informational                                   VeriSign, Inc.
                                                               R. Sabett
                                                      Cooley Godward LLP
                                                              C. Merrill
                                                 McCarter & English, LLP
                                                                   S. Wu
                                                        Infoliance, Inc.
                                                           November 2003

                Internet X.509 Public Key Infrastructure
        Certificate Policy and Certification Practices Framework

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document presents a framework to assist the writers of
   certificate policies or certification practice statements for
   participants within public key infrastructures, such as certification
   authorities, policy authorities, and communities of interest that
   wish to rely on certificates.  In particular, the framework provides
   a comprehensive list of topics that potentially (at the writer's
   discretion) need to be covered in a certificate policy or a
   certification practice statement.  This document supersedes RFC 2527.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
       1.1.  Background . . . . . . . . . . . . . . . . . . . . . . .  4
       1.2.  Purpose. . . . . . . . . . . . . . . . . . . . . . . . .  5
       1.3.  Scope. . . . . . . . . . . . . . . . . . . . . . . . . .  6
   2.  Definitions. . . . . . . . . . . . . . . . . . . . . . . . . .  6
   3.  Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
       3.1.  Certificate Policy . . . . . . . . . . . . . . . . . . .  9
       3.2.  Certificate Policy Examples. . . . . . . . . . . . . . . 11
       3.3.  X.509 Certificate Fields . . . . . . . . . . . . . . . . 12

Chokhani, et al.             Informational                      [Page 1]
RFC 3647        Internet X.509 Public Key Infrastructure   November 2003

             3.3.1.  Certificate Policies Extension . . . . . . . . . 12
             3.3.2.  Policy Mappings Extension. . . . . . . . . . . . 13
             3.3.3.  Policy Constraints Extension . . . . . . . . . . 13
             3.3.4.  Policy Qualifiers. . . . . . . . . . . . . . . . 14
       3.4.  Certification Practice Statement . . . . . . . . . . . . 15
       3.5.  Relationship Between CP and CPS. . . . . . . . . . . . . 16
       3.6.  Relationship Among CPs, CPSs, Agreements, and
             Other Documents. . . . . . . . . . . . . . . . . . . . . 17
       3.7.  Set of Provisions. . . . . . . . . . . . . . . . . . . . 20
   4.  Contents of a Set of Provisions. . . . . . . . . . . . . . . . 21
       4.1.  Introduction . . . . . . . . . . . . . . . . . . . . . . 22
             4.1.1.  Overview . . . . . . . . . . . . . . . . . . . . 22
             4.1.2.  Document Name and Identification . . . . . . . . 22
             4.1.3.  PKI Participants . . . . . . . . . . . . . . . . 23
             4.1.4.  Certificate Usage. . . . . . . . . . . . . . . . 24
             4.1.5.  Policy Administration. . . . . . . . . . . . . . 24
             4.1.6.  Definitions and Acronyms . . . . . . . . . . . . 24
       4.2.  Publication and Repository Responsibilities. . . . . . . 25
       4.3.  Identification and Authentication (I&A). . . . . . . . . 25
             4.3.1.  Naming . . . . . . . . . . . . . . . . . . . . . 25
             4.3.2.  Initial Identity Validation. . . . . . . . . . . 26
             4.3.3.  I&A for Re-key Requests. . . . . . . . . . . . . 27
             4.3.4.  I&A for Revocation Requests. . . . . . . . . . . 27
       4.4.  Certificate Life-Cycle Operational Requirements. . . . . 27
             4.4.1.  Certificate Application. . . . . . . . . . . . . 28
             4.4.2.  Certificate Application Processing . . . . . . . 28
             4.4.3.  Certificate Issuance . . . . . . . . . . . . . . 28
             4.4.4.  Certificate Acceptance . . . . . . . . . . . . . 29
             4.4.5.  Key Pair and Certificate Usage . . . . . . . . . 29
             4.4.6.  Certificate Renewal. . . . . . . . . . . . . . . 30
             4.4.7.  Certificate Re-key . . . . . . . . . . . . . . . 30