8.2. KMF Policy-Enforcement Mechanism

Popular key-management systems currently lack interfaces or utilities for configuring the policies that govern the use of keys and certificates on the system. X.509v3 certificates are designed to be extensible and potentially contain a great deal of metadata that can be used to dictate how those certificates can be used by PKI-enabled applications. Additionally, the validation algorithms for X.509 certificates as defined in the PKIX specification (RFC 3280) have a set of input parameters that control various decisions in the validation process.

KMF introduces a system-wide PKI policy database. Applications must use the KMF library in order to take advantage of the policy enforcement system. Administrators define policies that the KMF library uses when performing operations that involve certificates.