Public Key Infrastructure • Chapter 10 573
certificate owners will use the policy information to determine if they want to
accept a certificate.
The certificate policy is a plaintext document that is assigned a unique object identifier (OID) so that anyone can reference it. There are many standard certificate policies, and more may be developed as time goes on.
If a certificate is issued for a public key, and the certificate policy states that this certificate can be used for document signing, you should not be allowed to encrypt data using that public key. Even if you were able to do so, the recipient would likely not be able to decrypt it. (Since keys are simply numbers, it's technically possible that the keys could be extracted from the certificate and used against the certificate policy. Developers should not write code that does this.)
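The restriction just described, enforced in code: a signing-only certificate is refused for encryption by checking its keyUsage bits and its certificate-policy OIDs before the key is ever used. This is an added example, not from the book; it assumes Go 1.22 or later, and docSigningPolicy (a constructed, unregistered OID), requiredUsage, AllowedFor and NewSigningOnlyCert are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"slices"
	"time"
)
// Constructed OID standing in for a "document signing" policy (not registered).
var docSigningPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
// keyUsage bit each purpose requires before the certified key may be used.
var requiredUsage = map[string]x509.KeyUsage{"sign": x509.KeyUsageDigitalSignature, "encrypt": x509.KeyUsageKeyEncipherment}

// AllowedFor is the check the book asks developers to write: refuse a purpose
// the keyUsage bits or certificate policies do not permit, instead of pulling the key out anyway.
func AllowedFor(cert *x509.Certificate, purpose string) error {
	need, ok := requiredUsage[purpose]
	if !ok {
		return errors.New("unknown purpose: " + purpose)
	}
	if cert.KeyUsage&need == 0 {
		return errors.New("keyUsage does not permit " + purpose)
	}
	// Signing additionally requires issuance under the document-signing policy.
	if purpose == "sign" && !slices.ContainsFunc(cert.PolicyIdentifiers, docSigningPolicy.Equal) {
		return errors.New("not issued under the document-signing policy")
	}
	return nil
}

// NewSigningOnlyCert builds a self-signed certificate (constructed test data) restricted to
// document signing; both policy fields are set so the extension is emitted on any Go >= 1.22.
func NewSigningOnlyCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	policy, err := x509.OIDFromInts([]uint64{1, 3, 6, 1, 4, 1, 99999, 1, 1})
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "doc-signer (constructed)"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		PolicyIdentifiers: []asn1.ObjectIdentifier{docSigningPolicy}, Policies: []x509.OID{policy},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

A real deployment would compare against the policy OIDs published in the CA's certificate policy document rather than a constructed one.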
Tools and Traps…
Multiple Policies
Often, a certificate is issued under a number of different policies. Some policies are of a technical nature, and others are policies the certificate user has determined are important such as application access, system sign-on, and digitally signing documents. In some cases, such as government certificates, it is important that a certificate fall under multiple policies. When dealing with security systems, it is important to make sure the CA has a policy covering each item required.
Certificate Practice Statements
It is important to have a policy in place to state what is going to be done, but it is equally important to explain exactly how to implement those policies. This is where the Certificate Practice Statement (CPS) comes in. A CPS describes how the CA plans to manage the certificates it issues. If a CA does not have a CPS available, or if users do not trust the practices described in the CPS as being secure enough, users should consider finding another CA, and not trusting certificates signed by that CA's root certificate.