Policy CAs:

  • Thread starter Thread starter Kristin L. Griffin
  • Start date Start date
K

Kristin L. Griffin

I am still not completely sure as to the functions of a Policy CA. I
understand that it is an intermediate CA.

And I understand the definition found on Technet (below). What I am not
clear on is HOW it describes these policies and how it forces other CAs below
it to abide by the rules.

I have added specific questions in line below:

Thanks! Kristin

Policy CA definition on Technet:

The role of a policy CA is to describe the policies and procedures that an
organization implements to secure its PKI, the processes that validate the
identity of certificate holders, and the processes that enforce the
procedures that manage certificates.

---> how does it decribe the procedures? I know about the website URL for
policy statements, but how does it describe the processes and procedures?
What form do they take? A website with text? A template?

A policy CA issues certificates only to
other CAs. The CAs that receive these certificates must uphold and enforce
the policies that the policy CA defined.

----> How are the chiild CAs forced to uphold and enforce the policies?

It is not mandatory to use policy CAs unless different divisions, sectors,
or locations of your organization require different issuance policies and
procedures. However, if your organization requires different issuance
policies and procedures, you must add policy CAs to the hierarchy to define
each unique policy.

---> How are the policies defined? Are they done in the .inf files? What
makes up the policy exactly?

For example, an organization can implement one policy CA
for all certificates that it issues internally to employees and another
policy CA for all certificates that it issues to non-employees.


Thanks,

Kristin
 
Kristen,
Two resources you need to keep in mind:
1) For a description of a CPS, please see RFC 3647. This gives you an idea
of what is involved in the policy side of a PKI. You have been focusing on
the technical side, and are omitting the policy side (personally, I feel
that a PKI is 90 % policy and only 10% technical). Another good resource is
the FBCA CP (http://www.cio.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf).
2) Policy is enforced by written policy and people following these policies.
If you do not follow the policy, an audit can result in a tear down and
rebuild scenario.

Brian

"Kristin L. Griffin" <KristinLGriffin@discussions.microsoft.com> wrote in
message news:14D851EB-CC20-4A4A-AF20-FC5FA7EE10EE@microsoft.com...
>I am still not completely sure as to the functions of a Policy CA. I
> understand that it is an intermediate CA.
>
> And I understand the definition found on Technet (below). What I am not
> clear on is HOW it describes these policies and how it forces other CAs
> below
> it to abide by the rules.
>
> I have added specific questions in line below:
>
> Thanks! Kristin
>
> Policy CA definition on Technet:
>
> The role of a policy CA is to describe the policies and procedures that an
> organization implements to secure its PKI, the processes that validate the
> identity of certificate holders, and the processes that enforce the
> procedures that manage certificates.
>
> ---> how does it decribe the procedures? I know about the website URL for
> policy statements, but how does it describe the processes and procedures?
> What form do they take? A website with text? A template?
>
> A policy CA issues certificates only to
> other CAs. The CAs that receive these certificates must uphold and enforce
> the policies that the policy CA defined.
>
> ----> How are the chiild CAs forced to uphold and enforce the policies?
>
> It is not mandatory to use policy CAs unless different divisions, sectors,
> or locations of your organization require different issuance policies and
> procedures. However, if your organization requires different issuance
> policies and procedures, you must add policy CAs to the hierarchy to
> define
> each unique policy.
>
> ---> How are the policies defined? Are they done in the .inf files? What
> makes up the policy exactly?
>
> For example, an organization can implement one policy CA
> for all certificates that it issues internally to employees and another
> policy CA for all certificates that it issues to non-employees.
>
>
> Thanks,
>
> Kristin
>
 
Back
Top