📄 draft-ietf-pkix-ipki-new-rfc2527-01.txt

assurances other than identity that may come into use.

The scope does not extend to defining security policies generally (such as organization security policy, system security policy, or data labeling policy).  Further, this document does not define a specific CP or CPS.  Moreover, in presenting a framework, this document should be viewed and used as a flexible tool presenting topics that should be considered of particular relevance to CPs or CPSs, and not as a rigid formula for producing CPs or CPSs.

This document assumes that the reader is familiar with the general concepts of digital signatures, certificates, and public-key infrastructure (PKI), as used in X.509, the DSG, and the PAG.

Chokhani, Ford, Sabett, Merrill, & Wu    INTERNET DRAFT    [Page 5]

2.  DEFINITIONS

This document makes use of the following defined terms:

Activation data - Data values, other than keys, that are required to operate cryptographic modules and that need to be protected (e.g., a PIN, a passphrase, or a manually-held key share).

Authentication - The process of establishing that individuals, organizations, or things are who or what they claim to be.  In the context of a PKI, authentication can be the process of establishing that an individual or organization applying for or seeking access to something under a certain name is, in fact, the proper individual or organization.  This process corresponds to the second process involved with identification, as shown in the definition of "identification" below.  Authentication can also refer to a security service that provides assurances that individuals, organizations, or things are who or what they claim to be or that a message or other data originated from a specific individual, organization, or device.  Thus, it is said that a digital signature of a message authenticates the message's sender.

CA-certificate - A certificate for one CA's public key issued by another CA.

Certificate policy (CP) - A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.  For example, a particular CP might indicate applicability of a type of certificate to the authentication of parties engaging in business-to-business transactions for the trading of goods or services within a given price range.

Certification path - An ordered sequence of certificates that, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.

Certification Practice Statement (CPS) - A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates.

CPS Summary (or CPS Abstract) - A subset of the provisions of a complete CPS that is made public by a CA.

Identification - The process of establishing the identity of an individual or organization, i.e., to show that an individual or organization is a specific individual or organization.  In the context of a PKI, identification refers to two processes:  (1) establishing that a given name of an individual or organization corresponds to a real-world identity of an individual or organization, and (2) establishing that an individual or organization applying for or seeking access to something under that name is, in fact, the named individual or organization.  A person seeking identification may be a certificate applicant, an applicant for employment in a trusted position within a PKI participant, or a person seeking access to a network or software application, such as a CA administrator seeking access to CA systems.

Issuing certification authority (issuing CA) - In the context of a particular certificate, the issuing CA is the CA that issued the certificate (see also Subject certification authority).

Participant - An individual or organization that plays a role within a given PKI as a subscriber, relying party, CA, RA, certificate manufacturing authority, repository service provider, or similar entity.

PKI Disclosure Statement (PDS) - An instrument that supplements a CP or CPS by disclosing critical information about the policies and practices of a CA/PKI.  A PDS is a vehicle for disclosing and emphasizing information normally covered in detail by associated CP and/or CPS documents.  Consequently, a PDS is not intended to replace a CP or CPS.

Policy qualifier - Policy-dependent information that may accompany a CP identifier in an X.509 certificate.  Such information can include a pointer to the URL of the applicable CPS or relying party agreement.  It may also include text (or number causing the appearance of text) that contains terms of the use of the certificate or other legal information.

Registration authority (RA) - An entity that is responsible for one or more of the following functions:  the identification and authentication of certificate applicants, the approval or rejection of certificate applications, initiating certificate revocations or suspensions under certain circumstances, processing subscriber requests to revoke or suspend their certificates, and approving or rejecting requests by subscribers to renew or re-key their certificates.  RAs, however, do not sign or issue certificates (i.e., an RA is delegated certain tasks on behalf of a CA).  [Note:  The term Local Registration Authority (LRA) is sometimes used in other documents for the same concept.]

Relying party - A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate.  In this document, the terms "certificate user" and "relying party" are used interchangeably.

Relying party agreement (RPA) - An agreement between a certification authority and relying party that typically establishes the rights and responsibilities between those parties regarding the verification of digital signatures or other uses of certificates.

Set of provisions - A collection of practice and/or policy statements, spanning a range of standard topics, for use in expressing a CP or CPS employing the approach described in this framework.

Subject certification authority (subject CA) - In the context of a particular CA-certificate, the subject CA is the CA whose public key is certified in the certificate (see also Issuing certification authority).

Subscriber - A subject of a certificate who is issued a certificate.

Subscriber Agreement - An agreement between a CA and a subscriber that establishes the rights and responsibilities of the parties regarding the issuance and management of certificates.

Validation - The process of identification of certificate applicants.  "Validation" is a subset of "identification" and refers to identification in the context of establishing the identity of certificate applicants.

3.  CONCEPTS

This section explains the concepts of CP and CPS, and describes their relationship with other PKI documents, such as subscriber agreements and relying party agreements.  Other related concepts are also described.  Some of the material covered in this section and in some other sections is specific to the certificate policies extension as defined in X.509 version 3.  Except for those sections, this framework is intended to be adaptable to other certificate formats that may come into use.

3.1  CERTIFICATE POLICY

When a certification authority issues a certificate, it is providing a statement to a certificate user (i.e., a relying party) that a particular public key is bound to the identity and/or other attributes of a particular entity (the certificate subject, which is usually also the subscriber).  The extent to which the relying party should rely on that statement by the CA, however, needs to be assessed by the relying party or entity controlling or coordinating the way relying parties or relying party applications use certificates.  Different certificates are issued following different practices and procedures, and may be suitable for different applications and/or purposes.

The X.509 standard defines a CP as "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements" [ISO1].  An X.509 Version 3 certificate may identify a specific applicable CP, which may be used by a relying party to decide whether or not to trust a certificate, associated public key, or any digital signatures verified using the public key for a particular purpose.

CPs typically fall into two major categories.  First, some CPs "indicate the applicability of a certificate to a particular community" [ISO1].  These CPs set forth requirements for certificate usage and requirements on members of a community.  For instance, a CP may focus on the needs of a geographical community, such as the ETSI policy requirements for CAs issuing qualified certificates [ETS].  Also, a CP of this kind may focus on the needs of a specific vertical-market community, such as financial services [IDT].

The second category of typical CPs "indicate the applicability of a certificate to a . . . class of application with common security requirements."  These CPs identify a set of applications or uses for certificates and say that these applications or uses require a certain level of security.  They then set forth PKI requirements that are appropriate for these applications or uses.  A CP within this category often sets requirements appropriate for a certain "level of assurance" provided by certificates, relative to certificates issued pursuant to related CPs.  These levels of assurance may correspond to "classes" or "types" of certificates.

For instance, the Government of Canada PKI Policy Management Authority (GOC PMA) has established eight certificate policies in a single document [GOC], four policies for certificates used for digital signatures and four policies for certificates used for confidentiality encryption.  For each of these applications, the document establishes four levels of assurance:  rudimentary, basic, medium, and high.  The GOC PMA described certain types of digital signature and confidentiality uses in the document, each with a certain set of security requirements, and grouped them into eight categories.  The GOC PMA then established PKI requirements for each of these categories, thereby creating eight types of certificates, each providing rudimentary, basic, medium, or high levels of assurance.  The progression from rudimentary to high levels corresponds to increasing security requirements and corresponding increasing levels of assurance.

A CP is represented in a certificate by a unique number called an "Object Identifier" (OID).  That OID, or at least an "arc", can be registered.  An "arc" is the beginning of the numerical sequence of an OID and is assigned to a particular organization.  The registration process follows the procedures specified in ISO/IEC and ITU standards.  The party that registers the OID or arc also can publish the text of the CP, for examination by relying parties.

Any one certificate will typically declare a single CP or, possibly, be issued consistent with a small number of different policies.  Such declaration appears in the Certificate Policies extension of an X.509 Version 3 certificate.  When a CA places multiple CPs within a certificate's Certificate Policies extension, the CA is asserting that the certificate is appropriate for use in accordance with any of the listed CPs.

CPs also constitute a basis for an audit, accreditation, or another assessment of a CA.  Each CA can be assessed against one or more certificate policies or CPSs that it is recognized as implementing.  When one CA issues a CA-certificate for another CA, the issuing CA must assess the set of certificate policies for which it trusts the subject CA (such assessment may be based upon an assessment with respect to the certificate policies involved).  The assessed set of certificate policies is then indicated by the issuing CA in the CA-certificate.  The X.509 certification path processing logic employs these CP indications in its well-defined trust model.

3.2  CERTIFICATE POLICY EXAMPLES

For example purposes, suppose that the International Air Transport Association (IATA) undertakes to define some certificate policies for use throughout the airline industry, in a PKI operated by IATA in combination with PKIs operated by individual airlines.  Two CPs might be defined - the IATA General-Purpose CP, and the IATA Commercial-Grade CP.  The IATA General-Purpose CP could be used by industry personnel for protecting routine information (e.g., casual electronic mail) and for authenticating connections from World Wide Web browsers to servers for general information retrieval purposes.  The key pairs may be generated, stored, and managed using low-cost, software-based systems, such as commercial browsers.  Under this policy, a certificate may be automatically issued to anybody listed as an employee in the corporate directory of IATA or any member airline who submits a signed certificate request form to a network administrator in his or her organization.
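The following is an added example, not part of the draft and not IATA's or any CA's code.  It makes concrete what sections 3.1 and 3.2 describe: a CP is carried in the Certificate Policies extension as an OID, optionally accompanied by a policy qualifier pointing at the CPS, and a relying party decides whether a certificate is usable by checking whether any of the listed CPs is one it accepts.  The code encodes and decodes the extension value in DER by hand (no third-party library) and then applies that decision.  The two "IATA" policy OIDs are constructed for the example under the 2.999 arc that ISO reserves for documentation; the CPS URI is likewise made up.  The id-qt-cps qualifier OID (1.3.6.1.5.5.7.2.1) is the real PKIX identifier for a CPS pointer.

```python
"""Added example: encode, parse, and evaluate an X.509 certificatePolicies
extension value (DER).  CP OIDs under 2.999 and the CPS URI are constructed
for this demonstration; they are not registered IATA policies."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"          # real PKIX qualifier type: CPS pointer
IATA_GENERAL_PURPOSE_CP = "2.999.1.1"    # constructed, hypothetical CP OID
IATA_COMMERCIAL_GRADE_CP = "2.999.1.2"   # constructed, hypothetical CP OID
TAG_OID, TAG_IA5STRING, TAG_SEQUENCE = 0x06, 0x16, 0x30


def _base128(value: int) -> bytes:
    """One OID subidentifier in base-128, high bit set on all but the last byte."""
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(out)


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER contents; the first two arcs share one subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    return b"".join(_base128(s) for s in [arcs[0] * 40 + arcs[1]] + arcs[2:])


def decode_oid(body: bytes) -> str:
    """DER OID contents -> dotted string, splitting the combined first subidentifier."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [1, first - 40] if first >= 40 else [0, first]
    return ".".join(str(a) for a in arcs + subids[1:])


def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value with DER definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class PolicyInformation:
    oid: str                       # CP identifier asserted by the issuing CA
    cps_uri: Optional[str] = None  # CPS pointer qualifier, when present


def build_certificate_policies(policies: Iterable[Tuple[str, Optional[str]]]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier, policyQualifiers OPTIONAL }."""
    infos = []
    for oid, cps_uri in policies:
        content = der(TAG_OID, encode_oid(oid))
        if cps_uri is not None:
            qualifier = der(TAG_SEQUENCE, der(TAG_OID, encode_oid(ID_QT_CPS))
                            + der(TAG_IA5STRING, cps_uri.encode("ascii")))
            content += der(TAG_SEQUENCE, qualifier)  # policyQualifiers SEQUENCE OF
        infos.append(der(TAG_SEQUENCE, content))
    return der(TAG_SEQUENCE, b"".join(infos))


def parse_certificate_policies(ext_value: bytes) -> List[PolicyInformation]:
    """Decode the extension value back into PolicyInformation records."""
    tag, outer, _ = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(outer):
        _, info, pos = read_tlv(outer, pos)
        tag, oid_body, p = read_tlv(info, 0)
        if tag != TAG_OID:
            raise ValueError("PolicyInformation must begin with policyIdentifier")
        record = PolicyInformation(decode_oid(oid_body))
        if p < len(info):  # optional policyQualifiers follow the OID
            _, quals, _ = read_tlv(info, p)
            q = 0
            while q < len(quals):
                _, qual, q = read_tlv(quals, q)
                _, qid, qp = read_tlv(qual, 0)
                if decode_oid(qid) == ID_QT_CPS:
                    _, uri, _ = read_tlv(qual, qp)
                    record.cps_uri = uri.decode("ascii")
        result.append(record)
    return result


def acceptable_for(policies: List[PolicyInformation], accepted_oids: Iterable[str]) -> bool:
    """Relying-party check: a certificate listing several CPs is usable under any one of them."""
    return bool({p.oid for p in policies} & set(accepted_oids))


if __name__ == "__main__":
    ext = build_certificate_policies([(IATA_GENERAL_PURPOSE_CP, "https://pki.example/cps"),
                                      (IATA_COMMERCIAL_GRADE_CP, None)])
    records = parse_certificate_policies(ext)
    for rec in records:
        print(rec)
    print("usable where Commercial-Grade is required:", acceptable_for(records, {IATA_COMMERCIAL_GRADE_CP}))
```

The parser handles only the CPS pointer qualifier; a User Notice qualifier would be skipped rather than rejected.  In a real relying-party application the extension bytes would come from a certificate parsed by an X.509 library, and the set of accepted OIDs would be whatever the relying party (or the entity coordinating its applications) has decided to trust for the purpose at hand, exactly the assessment section 3.1 says the CA's statement alone cannot make for them.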
