
Chapter 3. Policies and PKI

A public key infrastructure (PKI) is only as secure as the policies and procedures that are implemented by an organization in conjunction with its PKI. Three policy documents directly affect the design of an organization’s PKI:

  • Security policy: A security policy is a document that defines an organization’s standards in regard to security. The policy usually includes the assets an organization considers valuable, potential threats to those assets, and, in general terms, measures that must be taken to protect these resources.

  • Certification policy: A certification policy (CP) is a document that describes the measures an organization will use to validate the identity of a certificate’s subject and the purposes for which a certificate following the certificate policy can be used. Validation might require a requestor-provided account and password submitted to the organization’s directory, or photo identification and submission to a background check through a registration authority (RA) process.

  • Certification practice statement: A certification practice statement (CPS) is a public document that describes how a certification authority (CA) is managed by an organization to uphold its security and certificate policies. A CPS is published at a CA and describes the operation of the CA.


  
