Policy CAs:


Kristin L. Griffin

I am still not completely sure as to the functions of a Policy CA. I
understand that it is an intermediate CA.

And I understand the definition found on Technet (below). What I am not
clear on is HOW it describes these policies and how it forces other CAs below
it to abide by the rules.

I have added specific questions in line below:

Thanks! Kristin

Policy CA definition on Technet:

The role of a policy CA is to describe the policies and procedures that an
organization implements to secure its PKI, the processes that validate the
identity of certificate holders, and the processes that enforce the
procedures that manage certificates.

---> How does it describe the procedures? I know about the website URL for
policy statements, but how does it describe the processes and procedures?
What form do they take? A website with text? A template?

A policy CA issues certificates only to
other CAs. The CAs that receive these certificates must uphold and enforce
the policies that the policy CA defined.

----> How are the child CAs forced to uphold and enforce the policies?

It is not mandatory to use policy CAs unless different divisions, sectors,
or locations of your organization require different issuance policies and
procedures. However, if your organization requires different issuance
policies and procedures, you must add policy CAs to the hierarchy to define
each unique policy.

---> How are the policies defined? Are they done in the .inf files? What
makes up the policy exactly?

For example, an organization can implement one policy CA
for all certificates that it issues internally to employees and another
policy CA for all certificates that it issues to non-employees.


Thanks,

Kristin

Brian Komar

Kristin,
Two resources you need to keep in mind:
1) For a description of a CPS, please see RFC 3647. This gives you an idea
of what is involved in the policy side of a PKI. You have been focusing on
the technical side, and are omitting the policy side (personally, I feel
that a PKI is 90% policy and only 10% technical). Another good resource is
the FBCA CP (http://www.cio.gov/fpkipa/documents/FBCA_CP_RFC3647.pdf).
2) Policy is enforced by written policy and people following these policies.
If you do not follow the policy, an audit can result in a tear down and
rebuild scenario.

Brian

"Kristin L. Griffin" <KristinLGriffin@discussions.microsoft.com> wrote in
message news:14D851EB-CC20-4A4A-AF20-FC5FA7EE10EE@microsoft.com...
>I am still not completely sure as to the functions of a Policy CA. I
> understand that it is an intermediate CA.
>
> And I understand the definition found on Technet (below). What I am not
> clear on is HOW it describes these policies and how it forces other CAs
> below
> it to abide by the rules.
>
> I have added specific questions in line below:
>
> Thanks! Kristin
>
> Policy CA definition on Technet:
>
> The role of a policy CA is to describe the policies and procedures that an
> organization implements to secure its PKI, the processes that validate the
> identity of certificate holders, and the processes that enforce the
> procedures that manage certificates.
>
> ---> How does it describe the procedures? I know about the website URL for
> policy statements, but how does it describe the processes and procedures?
> What form do they take? A website with text? A template?
>
> A policy CA issues certificates only to
> other CAs. The CAs that receive these certificates must uphold and enforce
> the policies that the policy CA defined.
>
> ----> How are the child CAs forced to uphold and enforce the policies?
>
> It is not mandatory to use policy CAs unless different divisions, sectors,
> or locations of your organization require different issuance policies and
> procedures. However, if your organization requires different issuance
> policies and procedures, you must add policy CAs to the hierarchy to
> define
> each unique policy.
>
> ---> How are the policies defined? Are they done in the .inf files? What
> makes up the policy exactly?
>
> For example, an organization can implement one policy CA
> for all certificates that it issues internally to employees and another
> policy CA for all certificates that it issues to non-employees.
>
>
> Thanks,
>
> Kristin
>
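Added example (not from either post above, and not Microsoft's or Brian's code): Brian's answer covers the policy side, that the CPS is a written document and people are held to it by audit. The technical complement, which is the part of Kristin's "how does it force the child CAs" question that bits can answer, is two X.509 extensions in the policy CA's own certificate: certificatePolicies, which carries the policy OID plus a CPS URI qualifier (the "website URL for policy statements"), and policyConstraints with requireExplicitPolicy, which makes path validation reject any certificate further down the chain that does not assert an acceptable policy OID. On a Windows CA those values are what the [PolicyStatementExtension] section of CAPolicy.inf produces, which is the ".inf file" connection. What the bits cannot check is whether the issuing CA actually followed the identity-vetting procedures in the CPS; that remains Brian's 90%. The script below models only the policy-related fields of each certificate as dicts and runs the policy part of the RFC 5280 section 6.1 path validation algorithm (policy mappings and inhibitAnyPolicy left out). The CA names, the 1.3.6.1.4.1.99999 arc and the CPS URL are constructed placeholders.

```python
"""Policy-CA constraints as seen by a relying party (added example).

Each certificate in a path is a dict with the two policy-related fields that
matter here:
  policies                 certificatePolicies as {policy OID: CPS URI or None};
                           None means the extension is absent
  require_explicit_policy  policyConstraints.requireExplicitPolicy skip count
All names and OIDs below are constructed placeholders.
"""

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, RFC 5280 section 4.2.1.4

# Placeholder private arc; a real deployment registers its own and documents
# each OID in its CPS (RFC 3647 section 4.1.2 style).
EMPLOYEE_POLICY = "1.3.6.1.4.1.99999.1.1"
CONTRACTOR_POLICY = "1.3.6.1.4.1.99999.1.2"


def validate_policies(path, initial_policies=None):
    """Run the certificate-policy processing of RFC 5280 section 6.1 over path.

    path is ordered from the certificate issued by the trust anchor down to
    the end-entity certificate; the anchor itself is not included.
    initial_policies is the relying party's user-initial-policy-set, or None
    for "any policy".  Returns (True, valid_policy_set) or (False, reason).
    """
    n = len(path)
    # 6.1.2: the tree starts at anyPolicy and explicit_policy at n+1, so with
    # no policyConstraints anywhere no certificate is obliged to carry a policy.
    valid = {ANY_POLICY}
    explicit_policy = n + 1

    for i, cert in enumerate(path, start=1):
        # 6.1.3 (d)-(e): intersect this certificate's policies with the tree.
        if cert["policies"] is None:
            valid = set()                          # extension absent -> null tree
        elif ANY_POLICY in cert["policies"]:
            pass                                   # anyPolicy keeps every branch
        elif ANY_POLICY in valid:
            valid = set(cert["policies"])          # first concrete assertion
        else:
            valid = valid & set(cert["policies"])

        # 6.1.3 (f): a null tree is fatal only once explicit policy is required.
        if not valid and explicit_policy == 0:
            return False, f"{cert['subject']}: no acceptable policy, but one is required"

        if i < n:
            # 6.1.4 (h): count down toward "explicit policy required" ...
            if explicit_policy != 0:
                explicit_policy -= 1
            # 6.1.4 (i): ... and let this CA shorten the countdown.  A policy CA
            # with requireExplicitPolicy=0 binds every certificate below it.
            rep = cert.get("require_explicit_policy")
            if rep is not None and rep < explicit_policy:
                explicit_policy = rep

    # 6.1.5 (a)-(b), (g): wrap-up for the end-entity certificate.
    if explicit_policy != 0:
        explicit_policy -= 1
    if initial_policies is not None:
        if ANY_POLICY in valid:
            valid = set(initial_policies)          # anyPolicy yields the user's set
        else:
            valid = valid & set(initial_policies)
    if not valid and explicit_policy == 0:
        return False, "end of path: no policy acceptable to the relying party"
    return True, valid


def cps_pointers(path):
    """Collect every CPS URI qualifier in the path: where the written policy lives."""
    return [(c["subject"], oid, uri)
            for c in path if c["policies"]
            for oid, uri in c["policies"].items() if uri]


# Constructed sample certificates.
POLICY_CA = {"subject": "Contoso Employee Policy CA",
             "policies": {EMPLOYEE_POLICY: "http://pki.contoso.invalid/cps.html"},
             "require_explicit_policy": 0}
ISSUING_CA = {"subject": "Contoso Employee Issuing CA", "policies": {EMPLOYEE_POLICY: None}}
PLAIN_ISSUING_CA = {"subject": "Contoso Plain Issuing CA", "policies": None}
EMPLOYEE_CERT = {"subject": "alice", "policies": {EMPLOYEE_POLICY: None}}
CONTRACTOR_CERT = {"subject": "bob", "policies": {CONTRACTOR_POLICY: None}}
UNLABELLED_CERT = {"subject": "printer-01", "policies": None}

if __name__ == "__main__":
    for label, path, rp in [
        ("employee under policy CA", [POLICY_CA, ISSUING_CA, EMPLOYEE_CERT], None),
        ("contractor OID under employee policy CA", [POLICY_CA, ISSUING_CA, CONTRACTOR_CERT], None),
        ("no policy OID under policy CA", [POLICY_CA, ISSUING_CA, UNLABELLED_CERT], None),
        ("no policy OID, no policy CA", [PLAIN_ISSUING_CA, UNLABELLED_CERT], None),
        ("employee cert, relying party wants contractor policy",
         [POLICY_CA, ISSUING_CA, EMPLOYEE_CERT], {CONTRACTOR_POLICY}),
    ]:
        print(f"{label}: {validate_policies(path, rp)}")
    print("CPS pointers:", cps_pointers([POLICY_CA, ISSUING_CA, EMPLOYEE_CERT]))
```

The fourth case is the one worth dwelling on: with no policy CA in the path, a certificate that asserts no policy at all still validates, because nothing ever drove explicit_policy to zero. The policy CA's requireExplicitPolicy=0 is what turns "the CAs that receive these certificates must uphold the policies" from a sentence in a document into a chain-validation failure for any subordinate that forgets to label its certificates. Whether the label was earned by following the CPS is still an audit question.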