Certificate policy
In the X.509 version 3 digital certificate standard, a certificate policy names the applications for which the issuing CA declares a specific public/private key pair fit. Typical certificate policies include:
- digital signature of e-mail (S/MIME)
- encryption of data
- verification of Web site identity
- further issuance of certificates (delegation of authority)
The framework and intention of certificate policies are described in RFC 2527, where Certification Practice Statements (CPS) are also described.
Critical vs. non-critical policies
According to the RFC, policies may be marked as critical or non-critical. The distinction exists largely to limit the liability of the CA: a certificate should be used only for the policies marked as critical. That is, if a critical certificate policy designates a certificate for digitally signing electronic communication, the certificate should not be used for encryption. If it is nevertheless used for encryption and the confidentiality of the encrypted data is compromised, the CA's liability is limited.
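As an added example (not part of the original article), the following standard-library Python decodes a DER-encoded certificatePolicies extension (OID 2.5.29.32), reports whether it is flagged critical, lists the policy identifiers, and applies the relying-party rule described above. The sample bytes are hand-constructed for this example; the policy 1.3.6.1.4.1.99999.1 is a hypothetical placeholder, not a registered identifier.

```python
# Added example (not from the article): decode an X.509 certificatePolicies
# extension (OID 2.5.29.32) from DER with only the Python standard library.

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(body):  # OBJECT IDENTIFIER contents -> dotted notation
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # final base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_certificate_policies(ext_der):
    """Parse an Extension SEQUENCE; return (critical, [policy OIDs])."""
    _, ext, _ = _tlv(ext_der, 0)
    tag, oid, pos = _tlv(ext, 0)
    if tag != 0x06 or _oid(oid) != "2.5.29.32":
        raise ValueError("not a certificatePolicies extension")
    tag, body, pos = _tlv(ext, pos)
    critical = False
    if tag == 0x01:  # BOOLEAN critical; omitted in DER means FALSE
        critical, (tag, body, pos) = body == b"\xff", _tlv(ext, pos)
    if tag != 0x04:
        raise ValueError("missing extnValue OCTET STRING")
    _, policies, _ = _tlv(body, 0)  # SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(policies):
        _, info, pos = _tlv(policies, pos)
        oids.append(_oid(_tlv(info, 0)[1]))  # policyIdentifier; qualifiers skipped
    return critical, oids

def may_rely(ext_der, recognised):
    """Rule from the text: critical policies restrict the certificate to the
    listed uses, so reject unless one is accepted; non-critical is advisory."""
    critical, oids = parse_certificate_policies(ext_der)
    return any(o in recognised for o in oids) or not critical

# Constructed sample (hand-encoded, not from a real certificate): CA/Browser
# Forum DV policy 2.23.140.1.2.1 plus hypothetical policy 1.3.6.1.4.1.99999.1.
POLICIES_DER = "3017" "3008" "060667810c010201" "300b" "06092b06010401868d1f01"
SAMPLE_CRITICAL = bytes.fromhex("3023" "0603551d20" "0101ff" "0419" + POLICIES_DER)
SAMPLE_NON_CRITICAL = bytes.fromhex("3020" "0603551d20" "0419" + POLICIES_DER)
```

Policy qualifiers (CPS pointers, user notices) are skipped here; a full validator would also walk the chain's policy constraints rather than inspect one certificate in isolation.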