rfc2527.txt
such topic. Rather, a particular certificate policy or CPS may state
"no stipulation" for a component, subcomponent, or element on which
the particular certificate policy or CPS imposes no requirements. In
this sense, the list of topics can be considered a checklist of
Chokhani & Ford Informational [Page 12]
RFC 2527 PKIX March 1999
topics for consideration by the certificate policy or CPS writer. It
is recommended that each and every component and subcomponent be
included in a certificate policy or CPS, even if there is "no
stipulation"; this will indicate to the reader that a conscious
decision was made to include or exclude that topic. This protects
against inadvertent omission of a topic, while facilitating
comparison of different certificate policies or CPSs, e.g., when
making policy mapping decisions.
In a certificate policy definition, it is possible to leave certain
components, subcomponents, and/or elements unspecified, and to
stipulate that the required information will be indicated in a policy
qualifier. Such certificate policy definitions can be considered
parameterized definitions. The set of provisions should reference or
define the required policy qualifier types and should specify any
applicable default values.
4.1 INTRODUCTION
This component identifies and introduces the set of provisions, and
indicates the types of entities and applications for which the
specification is targeted.
This component has the following subcomponents:
* Overview;
* Identification;
* Community and Applicability; and
* Contact Details.
4.1.1 Overview
This subcomponent provides a general introduction to the
specification.
4.1.2 Identification
This subcomponent provides any applicable names or other identifiers,
including ASN.1 object identifiers, for the set of provisions.
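The OID named in this subcomponent, together with the policy qualifier that a parameterized policy definition relies on, is what a certificate actually carries in its PKIX certificatePolicies extension (RFC 2459). The Python below is an added example, not RFC 2527 text: it DER-encodes that structure as a CA would and parses it back as a relying party would; the policy OIDs and CPS URL in SAMPLE are constructed placeholders, while id-qt-cps (1.3.6.1.5.5.7.2.1) is the real PKIX qualifier type for a CPS pointer.

```python
# Added example, not from RFC 2527: DER-encode/parse an X.509 certificatePolicies value (policy OID + CPS qualifier)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # real PKIX qualifier type: CPS pointer, value is an IA5String URI
SAMPLE = [("1.3.6.1.4.1.99999.1.1", "http://cps.example/policy-a"), ("1.2.3.4.5", None)]  # constructed

def tlv(tag, content):  # DER tag-length-value; length in short or long form
    n, nb = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content
def encode_oid(dotted):  # first two arcs share one byte; the rest are base-128 groups
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc := arc >> 7:  # continuation bit set on every group but the last
            groups.insert(0, 0x80 | (arc & 0x7F))
        out += groups
    return tlv(0x06, bytes(out))
def encode_certificate_policies(policies):  # [(policy_oid, cps_uri or None)] -> DER bytes
    infos = b""
    for oid, cps_uri in policies:
        info = encode_oid(oid)  # PolicyInformation ::= SEQUENCE { policyIdentifier, policyQualifiers OPTIONAL }
        if cps_uri is not None:  # one PolicyQualifierInfo { id-qt-cps, IA5String }
            qualifier = encode_oid(ID_QT_CPS) + tlv(0x16, cps_uri.encode("ascii"))
            info += tlv(0x30, tlv(0x30, qualifier))
        infos += tlv(0x30, info)
    return tlv(0x30, infos)
def read_tlv(buf, pos):  # -> (tag, content, position just after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length
def decode_oid(content):  # inverse of encode_oid (first arc 0/1, or 2 with second arc < 40)
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))
def decode_certificate_policies(der):  # DER bytes -> [(policy_oid, cps_uri or None)]
    policies, pos, seq = [], 0, read_tlv(der, 0)[1]
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)
        _, oid_bytes, p = read_tlv(info, 0)
        cps_uri = None
        if p < len(info):  # policyQualifiers present: inspect the first PolicyQualifierInfo
            qual = read_tlv(read_tlv(info, p)[1], 0)[1]
            _, qid, q = read_tlv(qual, 0)
            cps_uri = read_tlv(qual, q)[1].decode("ascii") if decode_oid(qid) == ID_QT_CPS else None
        policies.append((decode_oid(oid_bytes), cps_uri))
    return policies
```

A relying party that maps the decoded policy OID against its accepted list, and fetches the CPS only from the qualifier URL, is doing exactly the comparison the checklist above is meant to support.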
4.1.3 Community and Applicability
This subcomponent describes the types of entities that issue
certificates or that are certified as subject CAs (2, 3), the types
of entities that perform RA functions (4), and the types of entities
that are certified as subject end entities or subscribers. (5, 6)
This subcomponent also contains:
* A list of applications for which the issued certificates are
suitable. (Examples of application in this case are: electronic
mail, retail transactions, contracts, travel order, etc.)
* A list of applications for which use of the issued certificates
is restricted. (This list implicitly prohibits all other uses
for the certificates.)
* A list of applications for which use of the issued certificates
is prohibited.
4.1.4 Contact Details
This subcomponent includes the name and mailing address of the
authority that is responsible for the registration, maintenance, and
interpretation of this certificate policy or CPS. It also includes
the name, electronic mail address, telephone number, and fax number
of a contact person.
4.2 GENERAL PROVISIONS
This component specifies any applicable presumptions on a range of
legal and general practices topics.
This component contains the following subcomponents:
* Obligations;
* Liability;
* Financial Responsibility;
* Interpretation and Enforcement;
* Fees;
* Publication and Repositories;
* Compliance Audit;
* Confidentiality; and
* Intellectual Property Rights.
Each subcomponent may need to separately state provisions applying to
the entity types: CA, repository, RA, subscriber, and relying party.
(Specific provisions regarding subscribers and relying parties are
only applicable in the Liability and Obligations subcomponents.)
4.2.1 Obligations
This subcomponent contains, for each entity type, any applicable
provisions regarding the entity's obligations to other entities.
Such provisions may include:
* CA and/or RA obligations:
    * Notification of issuance of a certificate to the
      subscriber who is the subject of the certificate being
      issued;
    * Notification of issuance of a certificate to others
      than the subject of the certificate;
    * Notification of revocation or suspension of a
      certificate to the subscriber whose certificate is being
      revoked or suspended; and
    * Notification of revocation or suspension of a
      certificate to others than the subject whose certificate
      is being revoked or suspended.
* Subscriber obligations:
    * Accuracy of representations in certificate application;
    * Protection of the entity's private key;
    * Restrictions on private key and certificate use; and
    * Notification upon private key compromise.
* Relying party obligations:
    * Purposes for which certificate is used;
    * Digital signature verification responsibilities;
    * Revocation and suspension checking responsibilities; and
    * Acknowledgment of applicable liability caps and
      warranties.
* Repository obligations:
    * Timely publication of certificates and revocation
      information.
4.2.2 Liability
This subcomponent contains, for each entity type, any applicable
provisions regarding apportionment of liability, such as:
* Warranties and limitations on warranties;
* Kinds of damages covered (e.g., indirect, special,
consequential, incidental, punitive, liquidated damages,
negligence and fraud) and disclaimers;
* Loss limitations (caps) per certificate or per transaction; and
* Other exclusions (e.g., Acts of God, other party
responsibilities).
4.2.3 Financial Responsibility
This subcomponent contains, for CAs, repository, and RAs, any
applicable provisions regarding financial responsibilities, such as:
* Indemnification of CA and/or RA by relying parties;
* Fiduciary relationships (or lack thereof) between the various
entities; and
* Administrative processes (e.g., accounting, audit).
4.2.4 Interpretation and Enforcement
This subcomponent contains any applicable provisions regarding
interpretation and enforcement of the certificate policy or CPS,
addressing such topics as:
* Governing law;
* Severability of provisions, survival, merger, and notice; and
* Dispute resolution procedures.
4.2.5 Fees
This subcomponent contains any applicable provisions regarding fees
charged by CAs, repositories, or RAs, such as:
* Certificate issuance or renewal fees;
* Certificate access fee;
* Revocation or status information access fee;
* Fees for other services such as policy information; and
* Refund policy.
4.2.6 Publication and Repositories
This subcomponent contains any applicable provisions regarding:
* A CA's obligations to publish information regarding its
practices, its certificates, and the current status of such
certificates;
* Frequency of publication;
* Access control on published information objects including
certificate policy definitions, CPS, certificates, certificate
status, and CRLs; and
* Requirements pertaining to the use of repositories operated by
CAs or by other independent parties.
4.2.7 Compliance Audit
This subcomponent addresses the following:
* Frequency of compliance audit for each entity;
* Identity/qualifications of the auditor;
* Auditor's relationship to the entity being audited; (30)
* List of topics covered under the compliance audit; (31)
* Actions taken as a result of a deficiency found during
compliance audit; (32)
* Compliance audit results: who they are shared with (e.g.,
subject CA, RA, and/or end entities), who provides them (e.g.,
entity being audited or auditor), how they are communicated.
4.2.8 Confidentiality Policy
This subcomponent addresses the following:
* Types of information that must be kept confidential by CA or RA;
* Types of information that are not considered confidential;
* Who is entitled to be informed of reasons for revocation and
suspension of certificates;
* Policy on release of information to law enforcement officials;
* Information that can be revealed as part of civil discovery;
* Conditions upon which CA or RA may disclose upon owner's
request; and
* Any other circumstances under which confidential information may
be disclosed.
4.2.9 Intellectual Property Rights
This subcomponent addresses ownership rights of certificates,
practice/policy specifications, names, and keys.
4.3 IDENTIFICATION AND AUTHENTICATION
This component describes the procedures used to authenticate a
certificate applicant to a CA or RA prior to certificate issuance.
It also describes how parties requesting rekey or revocation are
authenticated. This component also addresses naming practices,
including name ownership recognition and name dispute resolution.
This component has the following subcomponents:
* Initial Registration;
* Routine Rekey;
* Rekey After Revocation; and