Document that describes the different entities of a public key infrastructure

A certificate policy (CP) is a document that states which entities make up a public key infrastructure (PKI), and what their roles and duties are. The document is published within the perimeter of the PKI.

When used with X.509 certificates, a specific field (the certificatePolicies extension) can be set to include a reference to the associated certificate policy. Thus, during an exchange, any relying party has access to the assurance level associated with the certificate, and can decide on the level of trust to put in the certificate.

RFC 3647

The reference document for writing a certificate policy is, as of December 2010, RFC 3647. The RFC proposes a framework for writing certificate policies and Certification Practice Statements (CPS). The points described below are based on the framework presented in the RFC.

Main points

Architecture

The document should describe the general architecture of the related PKI, present the different entities of the PKI, and describe any exchange based on certificates issued by this same PKI.

Certificate uses

An important point of the certificate policy is the description of the authorized and prohibited certificate uses. When a certificate is issued, its attributes can state which use cases it is intended to fulfil. For example, a certificate can be issued for digital signature of e-mail (S/MIME), encryption of data, authentication (e.g. of a web server, as when one uses HTTPS) or further issuance of certificates (delegation of authority). Prohibited uses are specified in the same way.

Naming, identification and authentication

The document also describes how certificate names are to be chosen, together with the associated requirements for identification and authentication. When a certificate application is filed, the certification authority (or, by delegation, the registration authority) is in charge of checking the information provided by the applicant, such as their identity. This is to make sure that the CA does not become party to identity theft.

Key generation

The generation

Procedures

The different procedures for certificate application, issuance, acceptance, renewal, re-key, modification and revocation are a large part of the document. These procedures describe how each actor of the PKI has to act in order for the overall assurance level to be upheld.

Operational controls

A chapter then covers the physical and procedural controls, audit and logging procedures involved in the PKI, to ensure data integrity, availability and confidentiality.

Technical controls

This part describes the technical requirements regarding key sizes, protection of private keys (including any use of key escrow) and the various controls on the technical environment (computers, network).

Certificate revocation lists

Those lists are a vital part of any public key infrastructure, and as such a specific chapter is dedicated to describing how they are managed, to ensure consistency between certificate status and the content of the lists.

Audit and assessments

The PKI needs to be audited to ensure it complies with the rules stated in its documents, such as the certificate policy. The procedures used to assess such compliance are described here.

Other

This last chapter covers all remaining points, for example the legal matters associated with the PKI.

References

RFC 3647
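The policy reference mentioned in the introduction is carried in the X.509 certificatePolicies extension (RFC 5280, section 4.2.1.4): a list of policy OIDs, each optionally followed by a qualifier such as a pointer to the CPS. The following is an added example, not part of the original article and not code from any PKI product: it encodes and parses that extension with a minimal pure-Python DER layer, then makes the relying-party decision the page describes, mapping the policy OIDs a certificate asserts to the assurance level this relying party accepts. The OIDs under 1.3.6.1.4.1.99999 and the CPS URL are made-up placeholders; 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy OID. The sample extension values are constructed inside the block.

```python
"""Encode, parse and evaluate the X.509 certificatePolicies extension (RFC 5280 4.2.1.4):
SEQUENCE OF PolicyInformation { policyIdentifier OID, policyQualifiers SEQUENCE OF
{ policyQualifierId OID, qualifier ANY } OPTIONAL }; id-qt-cps carries an IA5String CPS URI."""
from typing import Dict, List, Optional, Tuple

TAG_OID, TAG_IA5STRING, TAG_SEQUENCE = 0x06, 0x16, 0x30
ID_QT_CPS, ANY_POLICY = "1.3.6.1.5.5.7.2.1", "2.5.29.32.0"  # CPS-pointer qualifier; anyPolicy
Policy = Tuple[str, Optional[str]]  # (policy OID, CPS URI or None)

def der(tag: int, content: bytes) -> bytes:
    """One DER TLV; long-form length when the content is 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> OID TLV: first two arcs packed into one octet, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(TAG_OID, bytes(out))

def decode_oid(content: bytes) -> str:
    """OID content octets -> dotted string (the first octet is assumed to be a single byte)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV); rejects a length that runs past the buffer."""
    tag, first = buf[pos], buf[pos + 1]
    nbytes = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    start = pos + 2 + nbytes
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + length], start + length

def parse_sequence(content: bytes) -> List[Tuple[int, bytes]]:
    items, pos = [], 0
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        items.append((tag, inner))
    return items

def encode_certificate_policies(policies: List[Policy]) -> bytes:
    infos = b""
    for oid, cps_uri in policies:
        qualifiers = b""
        if cps_uri is not None:  # PolicyQualifierInfo { id-qt-cps, IA5String uri }
            cps = der(TAG_SEQUENCE, encode_oid(ID_QT_CPS) + der(TAG_IA5STRING, cps_uri.encode("ascii")))
            qualifiers = der(TAG_SEQUENCE, cps)
        infos += der(TAG_SEQUENCE, encode_oid(oid) + qualifiers)
    return der(TAG_SEQUENCE, infos)

def parse_certificate_policies(ext_value: bytes) -> List[Policy]:
    tag, content, _ = parse_tlv(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies: List[Policy] = []
    for _, info in parse_sequence(content):
        fields = parse_sequence(info)
        oid, cps_uri = decode_oid(fields[0][1]), None
        if len(fields) > 1:  # optional policyQualifiers: keep only the CPS pointer
            for _, qual in parse_sequence(fields[1][1]):
                parts = parse_sequence(qual)
                if len(parts) == 2 and decode_oid(parts[0][1]) == ID_QT_CPS and parts[1][0] == TAG_IA5STRING:
                    cps_uri = parts[1][1].decode("ascii")
        policies.append((oid, cps_uri))
    return policies

# Relying-party configuration for this example (made up): accepted policy OIDs and the assurance
# label each maps to. The 1.3.6.1.4.1.99999.* OIDs are placeholders under a fictitious enterprise
# arc; 2.23.140.1.2.1 is the CA/Browser Forum DV policy. anyPolicy is deliberately absent.
ACCEPTED_POLICIES: Dict[str, str] = {
    "1.3.6.1.4.1.99999.1.1": "high",
    "1.3.6.1.4.1.99999.1.2": "medium",
    "2.23.140.1.2.1": "domain-validated",
}
RANK = {"high": 3, "medium": 2, "domain-validated": 1}

def assurance_level(ext_value: bytes) -> Optional[str]:
    """Highest accepted assurance label the certificate asserts, or None if none is accepted."""
    labels = [ACCEPTED_POLICIES[oid] for oid, _ in parse_certificate_policies(ext_value)
              if oid in ACCEPTED_POLICIES]
    return max(labels, key=RANK.__getitem__) if labels else None

# Constructed sample extension values (not taken from any real certificate); placeholder CPS URL.
SAMPLE_POLICIES: List[Policy] = [
    ("1.3.6.1.4.1.99999.1.2", "https://pki.example.test/cps.html"),
    ("2.23.140.1.2.1", None),
]
SAMPLE_EXT = encode_certificate_policies(SAMPLE_POLICIES)
ANY_POLICY_EXT = encode_certificate_policies([(ANY_POLICY, None)])
```

Calling assurance_level(SAMPLE_EXT) yields "medium" and assurance_level(ANY_POLICY_EXT) yields None. A real relying party would pull the extension value (OID 2.5.29.32) out of a parsed certificate and apply a mapping like ACCEPTED_POLICIES per trust anchor; anyPolicy is kept out of that mapping because it does not identify any specific policy and so says nothing about the assurance level the page describes.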
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.