draft-ietf-pkix-ipki-new-rfc2527-01.txt
Chokhani, Ford, Sabett, Merrill, & Wu    INTERNET DRAFT    [Page 19]

4.1.1  Overview

This subcomponent provides a general introduction to the document being written.  This subcomponent can also be used to provide a synopsis of the PKI to which the CP or CPS applies.  For example, it may set out different levels of assurance provided by certificates within the PKI.  Depending on the complexity and scope of the particular PKI, a diagrammatic representation of the PKI might be useful here.

4.1.2  Document Name and Identification

This subcomponent provides any applicable names or other identifiers, including ASN.1 object identifiers, for the document.  An example of such a document name would be the US Federal Government Policy for Secure E-mail.

4.1.3  PKI Participants

This subcomponent describes the identity or types of entities that fill the roles of participants within a PKI, namely:

* Certification authorities, i.e., the entities that issue certificates.  A CA is the issuing CA with respect to the certificates it issues and is the subject CA with respect to the CA certificate issued to it.  CAs may be organized in a hierarchy in which an organization's CA issues certificates to CAs operated by subordinate organizations, such as a branch, division, or department within a larger organization.

* Registration authorities, i.e., the entities that establish enrollment procedures for end-user certificate applicants, perform identification and authentication of certificate applicants, initiate or pass along revocation requests for certificates, and approve applications for renewal or re-keying certificates on behalf of a CA.  Subordinate organizations within a larger organization can act as RAs for the CA serving the entire organization, but RAs may also be external to the CA.

* Subscribers.  Examples of subscribers who receive certificates from a CA include employees of an organization with its own CA, banking or brokerage customers, organizations hosting e-commerce sites, organizations participating in a business-to-business exchange, and members of the public receiving certificates from a CA issuing certificates to the public at large.

* Relying parties.  Examples of relying parties include employees of an organization having its own CA who receive digitally signed e-mails from other employees, persons buying goods and services from e-commerce sites, organizations participating in a business-to-business exchange who receive bids or orders from other participating organizations, and individuals and organizations doing business with subscribers who have received their certificates from a CA issuing certificates to the public.  Relying parties may or may not also be subscribers within a given PKI.

* Other participants, such as certificate manufacturing authorities, providers of repository services, and other entities providing PKI-related services.

4.1.4  Certificate Usage

This subcomponent contains:

* A list or the types of applications for which the issued certificates are suitable, such as electronic mail, retail transactions, contracts, and a travel order, and/or

* A list or the types of applications for which use of the issued certificates is prohibited.

In the case of a CP or CPS describing different levels of assurance, this subcomponent can describe applications or types of applications that are appropriate or inappropriate for the different levels of assurance.

4.1.5  Policy Administration

This subcomponent includes the name and mailing address of the organization that is responsible for the drafting, registering, maintaining, and updating of this CP or CPS.  It also includes the name, electronic mail address, telephone number, and fax number of a contact person.  As an alternative to naming an actual person, the document may name a title or role, an e-mail alias, and other generalized contact information.  In some cases, the organization may state that its contact person, alone or in combination with others, is available to answer questions about the document.

Moreover, when a formal or informal policy authority is responsible for determining whether a CA should be allowed to operate within or interoperate with a PKI, it may wish to approve the CPS of the CA as being suitable for the policy authority's CP.  If so, this subcomponent can include the name or title, electronic mail address (or alias), telephone number, fax number, and other generalized information of the entity in charge of making such a determination.  Finally, in this case, this subcomponent also includes the procedures by which this determination is made.

4.1.6  Definitions and Acronyms

This subcomponent contains a list of definitions for defined terms used within the document, as well as a list of acronyms in the document and their meanings.

4.2  PUBLICATION AND REPOSITORY RESPONSIBILITIES

This component contains any applicable provisions regarding:

* An identification of the entity or entities that operate repositories within the PKI, such as a CA, certificate manufacturing authority, or independent repository service provider;

* The responsibility of a PKI participant to publish information regarding its practices, certificates, and the current status of such certificates, which may include the responsibilities of making the CP or CPS publicly available using various mechanisms and of identifying components, subcomponents, and elements of such documents that exist but are not made publicly available, for instance, security controls, clearance procedures, or trade secret information due to their sensitivity;

* When information must be published and the frequency of publication; and

* Access control on published information objects including CPs, CPS, certificates, certificate status, and CRLs.

4.3  IDENTIFICATION AND AUTHENTICATION

This component describes the procedures used to authenticate the identity and/or other attributes of an end-user certificate applicant to a CA or RA prior to certificate issuance.  In addition, the component sets forth the procedures for authenticating the identity and the criteria for accepting applicants of entities seeking to become CAs, RAs, or other entities operating in or interoperating with a PKI.  It also describes how parties requesting re-key or revocation are authenticated.  This component also addresses naming practices, including the recognition of trademark rights in certain names.

4.3.1  Naming

This subcomponent includes the following elements regarding naming and identification of the subscribers:

* Types of names assigned to the subject, such as X.500 distinguished names; RFC-822 names; and X.400 names;

* Whether names have to be meaningful or not;(3)

* Whether or not subscribers can be anonymous or pseudonymous, and, if they can, what names are assigned to or can be used by anonymous subscribers;

* Rules for interpreting various name forms, such as the X.500 standard and RFC-822;

* Whether names have to be unique; and

* Recognition, authentication, and role of trademarks.

4.3.2  Initial Identity Validation

This subcomponent contains the following elements for the identification and authentication procedures for the initial registration for each subject type (CA, RA, subscriber, or other participant):

* If and how the subject must prove possession of the companion private key for the public key being registered, for example, a digital signature in the certificate request message;(4)

* Identification and authentication requirements for organizational identity of subscriber or participant (CA; RA; subscriber (in the case of certificates issued to organizations or devices controlled by an organization), or other participant), for example, consulting the database of a service that identifies organizations or inspecting an organization's articles of incorporation;

* Identification and authentication requirements for an individual subscriber or a person acting on behalf of an organizational subscriber or participant (CA, RA, in the case of certificates issued to organizations or devices controlled by an organization, the subscriber, or other participant),(5) including:

    * Type of documentation and/or number of identification credentials required;

    * How a CA or RA authenticates the identity of the organization or individual based on the documentation or credentials provided;

    * If the individual must present personally to the authenticating CA or RA;

    * How an individual as an organizational person is authenticated, such as by reference to duly signed authorization documents or a corporate identification badge.

* List of subscriber information that is not verified (called "non-verified subscriber information") during the initial registration;

* Validation of authority involves a determination of whether a person has specific rights, entitlements, or permissions, including the permission to act on behalf of an organization to obtain a certificate; and

* In the case of applications by a CA wishing to operate within, or interoperate with, a PKI, this subcomponent contains the criteria by which a PKI, CA, or policy authority determines whether or not the CA is suitable for such operations or interoperation.  Such interoperation may include cross-certification, unilateral certification, or other forms of interoperation.

4.3.3  Identification and Authentication for Re-key Requests

This subcomponent addresses the following elements for the identification and authentication procedures for re-key for each subject type (CA, RA, subscriber, and other participants):

* Identification and authentication requirements for routine re-key, such as a re-key request that contains the new key and is signed using the current valid key; and

* Identification and authentication requirements for re-key after certificate revocation.  One example is the use of the same process as the initial identity validation.

4.3.4  Identification and Authentication for Revocation Requests

This subcomponent describes the identification and authentication procedures for a revocation request by each subject type (CA, RA, subscriber, and other participant).  Examples include a revocation request digitally signed with the private key whose companion public key needs to be revoked and a digitally signed request by the RA.

4.4  CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

This component is used to specify requirements imposed upon the issuing CA, subject CAs, RAs, subscribers, or other participants with respect to the life-cycle of certificates.  Within each subcomponent, separate consideration may need to be given to subject CAs, RAs, subscribers, and other participants.

4.4.1  Certificate Application

This subcomponent is used to address the following requirements regarding subject certificate application:

* Who can submit a certificate application, such as a certificate subject or the RA; and

* Enrollment process used by subjects to submit certificate applications and responsibilities in connection with this process.  An example of this process is where the subject generates the key pair and sends a certificate request to the RA.  The RA validates and signs the request and sends it to the CA.  A CA or RA may have the responsibility to establish an enrollment process in
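The enrollment process sketched in 4.4.1 (subject generates the key pair and sends a request to the RA, the RA validates it and passes it to the CA), together with the proof-of-possession element of 4.3.2, the "meaningful" and "unique" naming rules of 4.3.1 and the list of suitable applications of 4.1.4, as an added Go example that is not part of the draft. It uses only the Go standard library; the CA name "Example Root CA", the subject names and every function name are assumptions made for this illustration. The RA's proof-of-possession check is the self-signature on the PKCS#10 request, the CA restricts the issued certificate to e-mail protection, and a relying party that wants to use it for anything else is refused at chain validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// "Example Root CA", the subject names and all helper names are assumptions made for this illustration.
// signCert creates the certificate described by tmpl under the signer's key and parses it back.
func signCert(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// subjectRequest: the subject generates its own key pair and signs a PKCS#10 request with it;
// that self-signature is the proof of possession the RA checks (4.3.2).
func subjectRequest(cn, email string) (*x509.CertificateRequest, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, EmailAddresses: []string{email}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der) // parse back: this is what the RA sees on the wire
}

// raValidate is the RA step of 4.4.1: verify proof of possession (4.3.2), then apply the
// naming rules of 4.3.1 (names must be meaningful and unique within the PKI).
func raValidate(csr *x509.CertificateRequest, alreadyIssued map[string]bool) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	if cn := csr.Subject.CommonName; cn == "" || alreadyIssued[cn] {
		return fmt.Errorf("name policy: CN %q must be meaningful and unique", cn)
	}
	return nil
}

// caIssue: the CA turns an RA-approved request into a certificate whose permitted application
// is restricted to e-mail protection, i.e. the 4.1.4 list of suitable applications.
func caIssue(caKey ed25519.PrivateKey, caCert *x509.Certificate, csr *x509.CertificateRequest) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, EmailAddresses: csr.EmailAddresses,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return signCert(tmpl, caCert, csr.PublicKey, caKey)
}

// relyingPartyAccepts reports whether a relying party needing the certificate for the given
// application can build a valid chain to the CA; other applications are refused.
func relyingPartyAccepts(cert, caCert *x509.Certificate, use x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{use}})
	return err == nil
}

// runEnrollment walks 4.4.1 end to end: the subject requests, the RA validates, the CA issues.
func runEnrollment() (cert, caCert *x509.Certificate, err error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if caCert, err = signCert(caTmpl, caTmpl, caPub, caKey); err != nil {
		return nil, nil, err
	}
	csr, err := subjectRequest("alice", "alice@example.org")
	if err != nil {
		return nil, nil, err
	}
	if err = raValidate(csr, map[string]bool{"bob": true}); err != nil { // "bob" is already certified
		return nil, nil, err
	}
	cert, err = caIssue(caKey, caCert, csr)
	return cert, caCert, err
}

func main() {
	cert, caCert, err := runEnrollment()
	if err != nil {
		panic(err)
	}
	fmt.Println("e-mail use:", relyingPartyAccepts(cert, caCert, x509.ExtKeyUsageEmailProtection),
		"TLS server use:", relyingPartyAccepts(cert, caCert, x509.ExtKeyUsageServerAuth))
}
```

`raValidate` is where a CPS-defined policy turns into a concrete gate: a request whose public key the requester cannot sign for fails `CheckSignature`, and a name that is empty or already in use is refused before the CA ever sees the request. The `ExtKeyUsage` set by `caIssue` is how the "suitable applications" list of 4.1.4 is carried inside the certificate, so the relying party's `Verify` call enforces it without consulting the policy document.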