Definitions, Acronyms and Abbreviations
Certificate Policy (CP) – a document listing the rules to be abided by when issuing and managing Certificates.
Certification Practice Statement (CPS) – lists the procedures to be followed when issuing and managing Certificates.
Certificate Policy (CP)
A Certificate Policy [4] describes the rules under which a particular certificate is issued. These include the rules governing generation, distribution, and administration of the Digital Certificates, and the policies to be followed in the event of any possible Key compromises.
A CA may define a different CP for each different type of Certificate it issues. This is quite common practice – especially where a CA applies different rules in checking the credentials of different classes of Certificate Holders.
Certificate Policies often make explicit statements on the CA’s liability to a Relying Party in the event that information in a certificate is shown to be wrong.
Relying Parties should check the CP before deciding whether or not to trust the Certificate.
It is important to note that many commercially available PKI-enabled products do not allow users to configure a list of trusted Certificate Policies in the same way that they allow users to configure a list of trusted CAs. For this reason, some organisations such as Verisign typically use different sub-CAs to issue certificates under different policies (in effect having one sub-CA per policy).
Certification Practice Statement (CPS)
The CPS contains a more detailed description of the practices and procedures a CA follows when issuing and managing Digital Certificates. It is tailored to the organisation's PKI operating environment and organisational structure.
Where a CP defines what the rules are, the CPS describes how to implement those rules.
Appendix [A.1] provides more information on the legal difference between a CP and CPS.