
Certificate policy: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
switch to built-in RFC linking
switch to built-in RFC linking (I missed one last time)
Line 15: Line 15:
== References ==
== References ==


* RFC 2527
[http://www.ietf.org/rfc/rfc2527.txt RFC 2527]


[[Category:Key management]]
[[Category:Key management]]

Revision as of 16:16, 11 January 2007

Certificate policies are, in the X.509 version 3 digital certificate standard, the uses for which the issuing certification authority (CA) declares a particular public/private key pair fit. Typical certificate policies include:

The framework and intention of certificate policies are described in RFC 2527, where Certification Practice Statements (CPS) are also described.

Critical vs. non-critical policies

According to RFC 2527, policies may be marked as critical or non-critical. This distinction exists largely to limit the liability of the CA. Policies which are marked as critical should be the only ones a digital certificate is used for. That is, if a critical certificate policy designates a certificate for use in digitally signing electronic communication, it should not be used for encryption. If it is in fact used for encryption and the confidentiality of the encrypted data is compromised, the CA's liability is limited.
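As an added example (not part of the Wikipedia article), the following Python encodes and parses the X.509 v3 certificatePolicies extension (id-ce-certificatePolicies, OID 2.5.29.32) in DER, exposing the critical flag and the asserted policy OIDs, and then applies the relying-party rule described above: a certificate is used only for a policy its CA actually asserted. The two policy OIDs in the demo (1.3.6.1.4.1.99999.1 and .2) are constructed sample values, not real CA policies; the function names are the example's own.

```python
# Added example, not from the article: DER encode/parse of the X.509 v3
# certificatePolicies extension and a relying-party policy check.
#
# ASN.1 layout (X.509 v3 / RFC 5280):
#   Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
#                            critical BOOLEAN DEFAULT FALSE,
#                            extnValue OCTET STRING }
#   certificatePolicies ::= SEQUENCE OF PolicyInformation
#   PolicyInformation  ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, ... }

SEQUENCE, OID, BOOLEAN, OCTET_STRING = 0x30, 0x06, 0x01, 0x04
CERTIFICATE_POLICIES_OID = "2.5.29.32"
ANY_POLICY_OID = "2.5.29.32.0"   # anyPolicy: a CA asserting it permits every policy


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _encode_length(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:               # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def build_certificate_policies_extension(policy_oids, critical):
    """DER-encode an Extension carrying the given policy OIDs."""
    policies = b"".join(_tlv(SEQUENCE, _tlv(OID, _encode_oid(o))) for o in policy_oids)
    fields = _tlv(OID, _encode_oid(CERTIFICATE_POLICIES_OID))
    if critical:                       # DEFAULT FALSE, so omitted when not critical
        fields += _tlv(BOOLEAN, b"\xff")
    fields += _tlv(OCTET_STRING, _tlv(SEQUENCE, policies))
    return _tlv(SEQUENCE, fields)


def parse_certificate_policies_extension(der):
    """Return (critical, [policy OIDs]) from a DER-encoded Extension."""
    tag, fields, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Extension must be a SEQUENCE")
    tag, ext_id, pos = _read_tlv(fields, 0)
    if tag != OID or _decode_oid(ext_id) != CERTIFICATE_POLICIES_OID:
        raise ValueError("not a certificatePolicies extension")
    critical = False
    tag, body, pos = _read_tlv(fields, pos)
    if tag == BOOLEAN:
        critical = body != b"\x00"
        tag, body, pos = _read_tlv(fields, pos)
    if tag != OCTET_STRING:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, policies, _ = _read_tlv(body, 0)
    if tag != SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE OF")
    oids, p = [], 0
    while p < len(policies):
        _, info, p = _read_tlv(policies, p)
        _, oid_body, _ = _read_tlv(info, 0)   # policyIdentifier is the first field
        oids.append(_decode_oid(oid_body))
    return critical, oids


def policy_permits_use(der, required_policy_oid):
    """Relying-party check: (allowed, reason) for using the certificate under
    required_policy_oid. A use whose policy the CA did not assert is refused;
    the reason records whether the CA marked the policy set critical."""
    critical, oids = parse_certificate_policies_extension(der)
    if required_policy_oid in oids or ANY_POLICY_OID in oids:
        return True, "policy asserted by issuing CA"
    if critical:
        return False, "critical certificatePolicies excludes this use"
    return False, "policy not asserted (extension non-critical)"


if __name__ == "__main__":
    # Constructed sample: the CA asserts a signing-only policy and marks it critical.
    SIGNING_POLICY, ENCRYPTION_POLICY = "1.3.6.1.4.1.99999.1", "1.3.6.1.4.1.99999.2"
    ext = build_certificate_policies_extension([SIGNING_POLICY], critical=True)
    print(ext.hex())
    print(policy_permits_use(ext, SIGNING_POLICY))
    print(policy_permits_use(ext, ENCRYPTION_POLICY))
```

The decision function refuses any use whose policy is absent; the critical flag only changes the recorded reason, which is the conservative reading of the paragraph above for a relying party that must decide before any liability question arises.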

References

  • RFC 2527