Certificate Policies

A Certificate Policy (CP) is defined in the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework as "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements".

When a Certification Authority (CA) issues a certificate, it is providing a statement to a certificate user (i.e. relying party) that a particular public key is bound to a particular entity (i.e. certificate subject). The extent to which the certificate user should rely on that statement needs to be assessed by the certificate user. The Certificate Policy provides the information that a certificate user can use to decide whether or not to trust a certificate.

Certificate policies are also used to establish trust relationships between CAs (i.e. cross certification). When CAs issue cross certificates, one CA assesses and recognizes one or more certificate policies of the other CA.
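The cross-certification step described above, as an added example (not code from this page or from Treasury): a simplified RFC 5280 policy-mapping check that decides whether a certificate issued in a cross-certified domain is acceptable under the relying party's own policy OIDs. The OIDs, the `Cert` model and the chain are constructed placeholders.

```python
"""Certificate-policy processing across a cross-certified chain (RFC 5280 style).
Added, constructed example: not the Treasury page's own code; the OIDs below are
placeholders under the 2.999 example arc, not real Treasury or FBCA OIDs."""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"     # anyPolicy OID, RFC 5280 section 4.2.1.4
TREAS_MEDIUM = "2.999.1.1"     # hypothetical Treasury medium-assurance policy
BRIDGE_MEDIUM = "2.999.2.1"    # hypothetical Federal Bridge medium-assurance policy
AGENCY_MEDIUM = "2.999.3.1"    # hypothetical partner-agency medium-assurance policy
AGENCY_BASIC = "2.999.3.2"     # hypothetical partner-agency basic-assurance policy

@dataclass
class Cert:
    subject: str
    policies: set                                  # OIDs in certificatePolicies
    mappings: dict = field(default_factory=dict)   # issuerDomainPolicy -> {subjectDomainPolicy}

def valid_policies(chain, initial_policies):
    """Return the relying party's policies under which `chain` validates.

    `chain` runs from the certificate issued by the trust anchor down to the end
    entity. Each expected policy is traced back to the relying-party OID it descends
    from, so the result is expressed in the relying party's own domain. This is a
    flat simplification of the RFC 5280 valid_policy_tree: policy qualifiers and
    the inhibit/require-explicit-policy constraints are ignored.
    """
    expected = {p: {p} for p in initial_policies}
    for cert in chain:
        if ANY_POLICY in cert.policies:
            asserted = expected      # anyPolicy satisfies every expected policy
        else:
            asserted = {p: r for p, r in expected.items() if p in cert.policies}
        if not asserted:
            return set()             # no acceptable policy asserted: chain fails
        nxt = {}
        for p, roots in asserted.items():
            for q in cert.mappings.get(p, {p}):  # unmapped policies carry over unchanged
                nxt.setdefault(q, set()).update(roots)
        expected = nxt
    return set().union(*expected.values())

# Constructed chain: Treasury anchor -> Federal Bridge -> partner agency CA -> subscriber
CROSS_TO_BRIDGE = Cert("Federal Bridge CA", {TREAS_MEDIUM}, {TREAS_MEDIUM: {BRIDGE_MEDIUM}})
BRIDGE_TO_AGENCY = Cert("Agency CA", {BRIDGE_MEDIUM}, {BRIDGE_MEDIUM: {AGENCY_MEDIUM}})
USER_MEDIUM = Cert("user@agency.example", {AGENCY_MEDIUM})
USER_BASIC = Cert("kiosk@agency.example", {AGENCY_BASIC})
```

A relying party that accepts only `TREAS_MEDIUM` validates `USER_MEDIUM` through the two mappings but rejects `USER_BASIC`, because no mapping connects the agency's basic policy back to a Treasury policy.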
Treasury’s PKI establishes an effective trust model by strict adherence to policies that govern the infrastructure. These policies are as follows:

- Treasury X.509 Certificate Policy (CP): As required by [TDP85-01], [TREAS-CP] provides detailed policies governing the issuance and use of digital certificates. Specifically, this includes:
  - Definition of trusted roles and their responsibilities in maintaining the PKI;
  - Compliance audit parameters;
  - Naming standards for certificates;
  - Certificate and key lifecycle management;
  - Records archival;
  - Disaster recovery procedures;
  - Security controls; and
  - Certificate and Certificate Revocation List (CRL) profiles.
- Key Recovery Policy For The Department of the Treasury PKI
- Federal Bridge X.509 CP: [FBCA-CP] provides policies that are mapped to Treasury’s own, to ensure that Treasury may continue to trust, and be trusted by, other Federal agencies.
- Common Policy X.509 CP: As the name implies, [COMMON-CP] provides a set of common policy requirements that must be met by all Federal agencies for PIV and other purposes, as directed in [FIPS-201]. Note that many of these requirements are already met through Treasury’s current policy; those that are not are identified in this document and addressed through future revisions to Treasury’s own policy.