Policy, CPS, ...

Evolving notes of Vance Vaughan
version of 980619

This is potentially an bottomless sinkhole, but a PKI Policy and Practices Statement (DRAFT) has been started. This page gives background, points to other institutions policies, etc.

One facet of operating a PKI is specifying the policy and Certification Practice Statement (CPS) that govern the operation of the PKI, defining the rights/obligations/limitation on liability etc of the PKI operator, users, relying parties, etc. There is an argument about "open" vs "closed" PKI's - see GTE entry below. For a real explanation of open policy/CPS see PKIX or Entrust below.

Practice varies widely. Some organizations have a CPS but not policy or vice-versa. Some claim to have a CPS but really only have a brief user-notification to the effect that something with legal ramifications and responsibilities might be going on - see Thawte. (These may be examples of the "closed" approach.) Verisign is a good example of a high-end open CPS. U Colorado shows a university trying to do an open PKI right.

Bottom line: For the long-term, creating a policy/CPS for an open PKI seems like a major undertaking with heavy involvement by legal counsel. If we are to issue certificates starting anytime soon, we probably need to find a shortcut. The University of Colorado and Columbia have adopted shortcut approaches, which offer some clues. The PKI Policy and Practices Statement (DRAFT) is based on the Colorado document. (This probably still requires legal counsel - time to bite the bullet and get them involved?)

Annotated references, examples:

• PKIX Part 4. This is the IETF view of policy/CPS. It is comprehensive and huge - even the outline is >200 items.
  Among the topics discussed: having an Object Identifier in the cert point to both policy and CPS; whether they are critical or non-critical; two grades of CP (approx, routine and high-security).
• Guidelines for Constructing Policies Governing the Use of Identity-Based Public Key Certificates - Sept 21, 1998. A 113-page draft document by NACHA (National Automated Clearing House Association) The Internet Council, with comments accepted thru Dec 31, 1998. Includes guidance on if/how to draft a CPS.
• Verisign A high-end CPS, all copyrighted. 13 sections, thanks to N lawyers, M technicians, ... .
  Certificate Classes - legalese behind Verisign's 3 classes of certs.
• U Colorado - PKI project, in particular Policy and Practice Statements is a major, useful collection. They are working on a quick and dirty CPS: UMS Public Key Infrastructure Policy and Procedure Statement; UMS Certificate Authority (CA) Documentation Repository refers to this ond other material.
• Columbia University Certificate Authority Practice Statement (draft) is a quick and dirty example.
• Entrust - a nice pdf document which gives a good overview of policy/CPS ideas but is not a policy or a CPS.
• GTE says they don't have a CPS - they referred me to a white paper: Digital/Electronic Signature State Legislative Models. 971112 - it distinguishes open vs closed PKI models. (Approx) open are wide-ranging, public PKI's (like Verisign) which should have CPS's, closed are special-purpose PKI's which issue certs to particular populations (employees of a company) for particualr purposes. Closed don't need full-blown CPS, just some contract/statement between the issuer and the holder.
  Legislating Market Winners argues strongly against legislation specifiying "open" PKI and contends that open PKI won't be the market winner.
• Certisign - Hope you speak Brazilian...

Send your questions, comments, and suggestions to IR&C
Last updated October 1, 1999