Policies and PKI

Without formal policies, there is little point in going to all the trouble to build a Public Key Infrastructure (PKI) to issue certificates. There may be improvements in the central administration and management of course, but you will have gained very little when it comes to limiting your obligations and liabilities, or even understanding them, as far as they relate to certificates issued from your organization.

Equally, there is little prospect of a subscriber understanding what assurances and warranties are derived from a certificate which has been issued from your certificate authority. Can a subscriber or relying party even know if they can trust the public key belongs to the individual or entity in the certificate? There are many questions that are completely left to chance without formal policies to underpin a Public Key Infrastructure (PKI).

Ideally, we would want to encourage you to develop a formal Policy Authority for your PKI. A Certificate Policy (CP) and a Certificate Practice Statement (CPS). Admittedly, extensive documents with dozens of pages of policy for an internal PKI, issuing a small amount of certificates, may not be practical, or even required, but any substantive infrastructure should have a formal policy document, even to adhere to best practice.

Even if none of your certificates have external scrutiny, it’s a matter of credibility that your infrastructure has been built to a certain level of competency and is underpinned with formal security standards. Fortunately, there is a well-designed RFC template (RFC 3647) which we have a great deal of experience in adapting to most business requirements. We are very capable at interpreting you general security procedures and converting them into a formal PKI Policy Authority and devising Certificate policies that will fit your business.