draft-ietf-pkix-ipki-new-rfc2527-01.txt

PKIX的RFC英文文档

types of applications for which it is suitable for use.  Each 
department or agency wishing to operate a certification authority in 
this PKI may be required to write its own certification practice 
statement to support this CP by explaining how it meets the 
requirements of the CP.  At the same time, a department's or 
agency's CPS may support other certificate policies.

An additional difference between a CP and CPS concerns the level of 
detail of the provisions in each.  Although the level of detail may 
vary among CPSs, a CPS will generally be more detailed than a CP.  A 
CPS provides a detailed description of procedures and controls in 
place to meet the CP requirements, while a CP is more general.

The main differences between CPs and CPSs can therefore be 
summarized as follows: 

(a)  A PKI uses a CP to establish requirements that state what 
participants within it must do.  A single CA or organization can use 
a CPS to disclose how it meets the requirements of a CP or how it 
implements its practices and controls.

(b)  A CP facilitates interoperation through cross-certification, 
unilateral certification, or other means.  Therefore, it is intended 
to cover multiple CAs.  By contrast, a CPS is a statement of a 
single CA or organization.  Its purpose is not to facilitate 
interoperation (since doing so is the function of a CP).

(c)  A CPS is generally more detailed than a CP and specifies how 
the CA meets the requirements specified in the one or more CPs under 
which it issues certificates.

In addition to populating the certificate policies extension with 
the applicable CP object identifier, a certification authority may 
include, in certificates it issues, a reference to its certification 
practice statement.  A standard way to do this, using a CP 
qualifier, is described in Section 3.4.
 
3.6 RELATIONSHIP AMONG CPs, CPSs, AGREEMENTS, AND OTHER DOCUMENTS

CPs and CPSs play a central role in documenting the requirements and 
practices of a PKI.  Nonetheless, they are not the only documents 
relevant to a PKI.  For instance, subscriber agreements and relying 
party agreements play a critical role in allocating responsibilities 
to subscribers and relying parties relating to the use of 
certificates and key pairs, and establish the terms and conditions 

Chokhani, Ford, Sabett, Merrill, & Wu    INTERNET DRAFT    [Page 15]


under which certificates are issued, managed, and used.  The term 
subscriber agreement is defined by the PAG as:  "An agreement 
between a CA and a subscriber that establishes the right and 
obligations of the parties regarding the issuance and management of 
certificates." [ABA2]  The PAG defines a relying party agreement as:  
"An agreement between a certification authority and relying party 
that typically establishes the rights and obligations between those 
parties regarding the verification of digital signatures or other 
uses of certificates." [ABA2]

As mentioned in Section 3.5, a subscriber agreement, relying party 
agreement, or an agreement that combines subscriber and relying 
party terms may also serve as a CPS.  In other PKIs, however, a 
subscriber or relying party agreement may incorporate some or all of 
the terms of a CP or CPS by reference.  Yet other PKIs may distill 
from a CP and/or CPS the terms that are applicable to a subscriber 
and place such terms in a self-contained subscriber agreement, 
without incorporating a CP or CPS by reference.  They may use the 
same method to distill relying party terms from a CP and/or CPS and 
place such terms in a self-contained relying party agreement.  
Creating such self-contained agreements has the advantage of 
creating documents that are easier for consumers to review.  In some 
cases, subscribers or relying parties may be deemed to be 
"consumers" under applicable law, who are subject to certain 
statutory or regulatory protections.  Under the legal systems of 
civil law countries, incorporating a CP or CPS by reference may not 
be effective to bind consumers to the terms of an incorporated CP or 
CPS.

CPs and CPSs may be incorporated by reference in other documents, 
including:
* Interoperability agreements (including agreements between CAs for 
cross-certification, unilateral certification, or other forms of 
interoperation),
* Vendor agreements (under which a PKI vendor agrees to meet 
standards set forth in a CP or CPS), or
* A PDS.
See [ABA2]

A PDS serves a similar function to a CPS Summary.  It is a 
relatively short document containing only a subset of critical 
details about a PKI or CA.  It may differ from a CPS Summary, 
however, in that its purpose is to act as a summary of information 
about the overall nature of the PKI, as opposed to simply a 
condensed form of the CPS.  Moreover, its purpose is to distill 
information about the PKI, as opposed to protecting security 
sensitive information contained in an unpublished CPS, although a 
PDS could also serve that function.

Just as writers may wish to refer to a CP or CPS or incorporate it 
by reference in an agreement or PDS, a CP or CPS may refer to other 
documents when establishing requirements or making disclosures.  For 
instance, a CP may set requirements for certificate content by 
referring to an external document setting forth a standard 

Chokhani, Ford, Sabett, Merrill, & Wu    INTERNET DRAFT    [Page 16]


certificate profile.  Referencing external documents permits a CP 
or CPS to impose detailed requirements or make detailed disclosures 
without having to reprint lengthy provisions from other documents 
within the CP or CPS.  Moreover, referencing a document in a CP or 
CPS is another useful way of dividing disclosures between public 
information and security sensitive confidential information (in 
addition to or as an alternative to publishing a CPS Summary).  For 
example, a PKI may want to publish a CP or CPS, but maintain site 
construction parameters for CA high security zones as confidential 
information.  In that case, the CP or CPS could reference an 
external manual or document containing the detailed site 
construction parameters.

Documents that a PKI may wish to refer to in a CP or CPS include:
* A security policy,
* Training, operational, installation, and user manuals (which may 
contain operational requirements),
* Standards documents that apply to particular aspects of the PKI 
(such as standards specifying the level of protection offered by any 
hardware tokens used in the PKI or standards applicable to the site 
construction),
* Key management plans,
* Human resource guides and employment manuals (which may describe 
some aspects of personnel security practices), and
* E-mail policies (which may discuss subscriber and relying party 
responsibilities, as well as the implications of key management, if 
applicable).
See [ABA2]

3.7  SET OF PROVISIONS

A set of provisions is a collection of practice and/or policy 
statements, spanning a range of standard topics, for use in 
expressing a CP or CPS employing the approach described in this 
framework by covering the topic appearing in Section 5 below, which 
are described in detail in Section 4 below.  

A CP can be expressed as a single set of provisions.

A CPS can be expressed as a single set of provisions with each 
component addressing the requirements of one or more certificate 
policies, or, alternatively, as an organized collection of sets of 
provisions.  For example, a CPS could be expressed as a combination 
of the following:

(a)  a list of certificate policies supported by the CPS;

(b)  for each CP in (a), a set of provisions that contains 
statements responding to that CP by filling in details not 
stipulated in that policy or expressly left to the discretion of the 
CA (in its CPS) ; such statements serve to state how this particular 
CPS implements the requirements of the particular CP; or

Chokhani, Ford, Sabett, Merrill, & Wu    INTERNET DRAFT    [Page 17]



 (c)  a set of provisions that contains statements regarding the 
certification practices on the CA, regardless of CP.

The statements provided in (b) and (c) may augment or refine the 
stipulations of the applicable CP, but generally must not conflict 
with any of the stipulations of such CP.  In certain cases, however, 
a policy authority may permit exceptions to the requirements in a 
CP, because certain compensating controls of the CA are disclosed in 
its CPS that allow the CA to provide assurances that are equivalent 
to the assurances provided by CAs that are in full compliance with 
the CP.
  
This framework outlines the contents of a set of provisions, in 
terms of nine primary components, as follows:

1.  Introduction
2.  Publication and Repository
3.  Identification and Authentication
4.  Certificate Life-Cycle Operational Requirements
5.  Facilities, Management, and Operational Controls
6.  Technical Security Controls
7.  Certificate, CRL, and OCSP Profile
8.  Compliance audit
9.  Other Business and Legal Matters

PKIs can use this simple framework of nine primary components to 
write a simple CP or CPS.  Moreover, a CA can use this same 
framework to write a subscriber agreement, relying party agreement, 
or agreement containing subscriber and relying party terms.  If a CA 
uses this simple framework to construct an agreement, it can use 
paragraph 1 as an introduction or recitals, it can set forth the 
responsibilities of the parties in paragraphs 2-8, and it can use 
paragraph 9 to cover the business and legal issues described in more 
detail in, and using the ordering of, Section 4.9 below (such as 
representations and warranties, disclaimers, and liability 
limitations).  The ordering of topics in this simple framework and 
the business and legal matters Section 4.9 is the same as (or 
similar to) the ordering of topics in a typical software or other 
technology agreement.  Therefore, a PKI can establish a set of core 
documents (with a CP, CPS, subscriber agreement, and relying party 
agreement) all having the same structure and ordering of topics, 
thereby facilitating comparisons and mappings among these documents 
and among the corresponding documents of other PKIs.

This simple framework may also be useful for agreements other than 
subscriber agreements and relying party agreements.  For instance, a 
CA wishing to outsource certain services to an RA or certificate 
manufacturing authority (CMA) may find it useful to use this 
framework as a checklist to write a registration authority agreement 
or outsourcing agreement.  Similarly, two CAs may wish to use this 
simple framework for the purpose of drafting a cross-certification, 
unilateral certification, or other interoperability agreement.

Chokhani, Ford, Sabett, Merrill, & Wu    INTERNET DRAFT    [Page 18]

In short, the primary components of the simple framework 
(specified above) may meet the needs of drafters of short CPs, CPSs, 
subscriber agreements, and relying party agreements.  Nonetheless, 
this framework is extensible, and its coverage of the nine 
components is flexible enough to meet the needs of drafters of 
comprehensive CPs and CPSs.  Specifically, components appearing above 
can be further divided into subcomponents, and a subcomponent may 
comprise multiple elements.  Section 4 provides a more detailed 
description of the contents of the above components, and their 
subcomponents.  Drafters of CPs and CPSs are permitted to add 
additional levels of subcomponents below the subcomponents described 
in Section 4 for the purpose of meeting the needs of the drafter's 
particular PKI.

4.  CONTENTS OF A SET OF PROVISIONS

This section expands upon the contents of the simple framework of 
provisions, as introduced in Section 3.7.  The topics identified in 
this section are, consequently, candidate topics for inclusion in a 
detailed CP or CPS.

While many topics are identified, it is not necessary for a CP or a 
CPS to include a concrete statement for every such topic.  Rather, a 
particular CP or CPS may state "no stipulation" for a component, 
subcomponent, or element on which the particular CP or CPS imposes 
no requirements or makes no disclosure.  In this sense, the list of 
topics can be considered a checklist of topics for consideration by 
the CP or CPS writer.

It is recommended that each and every component and subcomponent be 
included in a CP or CPS, even if there is "no stipulation"; this 
will indicate to the reader that a conscious decision was made to 
include or exclude a provision concerning that topic.  This drafting 
style protects against inadvertent omission of a topic, while 
facilitating comparison of different certificate policies or CPSs, 
e.g., when making policy mapping decisions.

In a CP, it is possible to leave certain components, subcomponents, 
and/or elements unspecified, and to stipulate that the required 
information will be indicated in a policy qualifier, or the document 
to which a policy qualifier points.  Such CPs can be considered 
parameterized definitions.  The set of provisions should reference 
or define the required policy qualifier types and should specify any 
applicable default values.

4.1 INTRODUCTION
 
This component identifies and introduces the set of provisions, and 
indicates the types of entities and applications for which the 
document (either the CP or the CPS being written) is targeted.