Difference between CP and CPS
Rumi, March 23, 2011

Definitions, Acronyms and Abbreviations

Certificate Policy (CP) – a document listing the rules to be abided by when issuing and managing Certificates.
Certificate Practice Statement (CPS) – a document listing the procedures to be followed when issuing and managing Certificates.

Certificate Policy (CP)

A Certificate Policy [ 4 ] describes the rules under which a particular certificate is issued. These include the rules governing generation, distribution and administration of the Digital Certificates, and the policies to be followed in the event of a Key compromise. A CA may define a different CP for each type of Certificate it issues. This is quite common practice, especially where a CA applies different rules when checking the credentials of different classes of Certificate Holders. Certificate Policies often make explicit statements on the CA's liability to a Relying Party in the event that information in a certificate is shown to be wrong. Relying Parties should check the CP before deciding whether or not to trust the Certificate.

It is important to note that many commercially available PKI-enabled products do not allow users to configure a list of trusted Certificate Policies in the same way that they allow users to configure a list of trusted CAs. For this reason some organisations, such as Verisign, typically use different sub-CAs to issue certificates under different policies (in effect, one sub-CA per policy).

Certification Practice Statement (CPS)

The CPS contains a more detailed description of the practices and procedures a CA follows when issuing and managing Digital Certificates. It is tailored to the organisation's PKI operating environment and organisational structure. Where a CP defines what the rules are, the CPS describes how to implement those rules. Appendix [ A.1 ] provides more information on the legal difference between a CP and a CPS.
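In a certificate, the CP a Relying Party is supposed to check is carried in the certificatePolicies extension: each PolicyInformation holds the CP's OID and, optionally, a CPS pointer qualifier with the URL of the CPS. The following is an added example, not code from the original article, showing in plain-stdlib Python what a product that lets users configure a trusted-policy list (rather than only a trusted-CA list) has to do: decode that extension from DER and accept the certificate only if it asserts a policy on the Relying Party's own list. The extension bytes, the URI https://example.com/cps and the private policy OID 1.2.3.4.5.6 are constructed for this example; id-qt-cps (1.3.6.1.5.5.7.2.1) and the CA/Browser Forum DV policy OID (2.23.140.1.2.1) are real assignments.

```python
"""Decode a certificatePolicies extension value and apply a trusted-CP list."""

def tlv(tag, body):
    """Tiny DER builder used only to assemble the constructed sample (short lengths)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Parse one DER element at pos (short-form lengths); returns (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents: base-128 arcs, first two arcs packed as 40*X+Y."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    x = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def parse_certificate_policies(ext):
    """Return [(policy OID, CPS pointer URI or '')] for each PolicyInformation."""
    policies, pos = [], 0
    _, seq, _ = read_tlv(ext, 0)                      # SEQUENCE OF PolicyInformation
    while pos < len(seq):
        _, pinfo, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(pinfo, 0)                # policyIdentifier
        cps, q = "", 0
        quals = read_tlv(pinfo, p)[1] if p < len(pinfo) else b""   # optional qualifiers
        while q < len(quals):
            _, qi, q = read_tlv(quals, q)             # PolicyQualifierInfo
            _, qid, qp = read_tlv(qi, 0)
            if decode_oid(qid) == "1.3.6.1.5.5.7.2.1":             # id-qt-cps
                cps = read_tlv(qi, qp)[1].decode("ascii")         # IA5String URI
        policies.append((decode_oid(oid), cps))
    return policies

def asserts_trusted_policy(ext, trusted):
    """Relying-party check: accept only if some asserted CP is on our trusted list."""
    return any(oid in trusted for oid, _ in parse_certificate_policies(ext))

# Constructed sample: CABF DV policy 2.23.140.1.2.1 with a CPS pointer, then a made-up 1.2.3.4.5.6.
CPS_QUALIFIER = tlv(0x30, tlv(0x06, bytes.fromhex("2B06010505070201"))
                          + tlv(0x16, b"https://example.com/cps"))
SAMPLE_EXT = tlv(0x30,
    tlv(0x30, tlv(0x06, bytes.fromhex("67810C010201")) + tlv(0x30, CPS_QUALIFIER))
    + tlv(0x30, tlv(0x06, bytes.fromhex("2A03040506"))))
```

A product that exposes only a trusted-CA list never performs the asserts_trusted_policy step; the one-sub-CA-per-policy arrangement described above lets the CA trust list stand in for it.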
[ A.1 ] What is the Difference between a Certificate Policy and a Certificate Practice Statement?

The terms CP and CPS often create significant confusion, or are incorrectly used interchangeably. They are in fact quite different, as illustrated in this Appendix. Below are some definitions of the terms "Certification Practice Statement" and "Certificate Policy".

[ A.1.1 ] Certification Practice Statement (CPS) Definitions

A statement of the practices which a CA employs in issuing certificates. (From: American Bar Association, Digital Signature Guidelines, 1996)

A certification practice statement is a detailed statement by a CA as to its practices, that potentially needs to be understood and consulted by subscribers and certificate users (relying parties). (From: Chokhani and Ford, RFC 3647: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 2003)

A document that sets out what happens in practice to support the policy statements made in the CP in a Public Key Infrastructure.

[ A.1.2 ] Certificate Policy (CP) Definitions

A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. (From: Chokhani and Ford, RFC 2527: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999)

A document that sets out the rights, duties and obligations of each party in a Public Key Infrastructure.

[ A.1.2.1 ] Differences between the Certification Practice Statement (CPS) and the Certificate Policy (CP)

In broad terms, the difference is that the CP states what assurance can be placed in a certificate issued by the CA, whereas the CPS states how the CA establishes that assurance. Several authoritative statements discussing the differences between the CP and CPS have been published.
For example, the extract below is from RFC 2527: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999:

"The concepts of certificate policy and CPS come from different sources and were developed for different reasons. However, their interrelationship is important. A certification practice statement is a detailed statement by a certification authority as to its practices, that potentially needs to be understood and consulted by subscribers and certificate users (relying parties). Although the level of detail may vary among CPSs, they will generally be more detailed than certificate policy definitions. Indeed, CPSs may be quite comprehensive, robust documents providing a description of the precise service offerings, detailed procedures of the life-cycle management of certificates, and more - a level of detail which weds the CPS to a particular (proprietary) implementation of a service offering. Although such detail may be indispensable to adequately disclose, and to make a full assessment of trustworthiness in the absence of accreditation or other recognized quality metrics, a detailed CPS does not form a suitable basis for interoperability between CAs operated by different organizations. Rather, certificate policies best serve as the vehicle on which to base common interoperability standards and common assurance criteria on an industry-wide (or possibly more global) basis. A CA with a single CPS may support multiple certificate policies (used for different application purposes and/or by different certificate user communities). Also, multiple different CAs, with non-identical certification practice statements, may support the same certificate policy.

The main difference between certificate policy and CPS can therefore be summarized as follows:

(a) Most organizations that operate public or inter-organizational certification authorities will document their own practices in CPSs or similar statements. The CPS is one of the organization's means of protecting itself and positioning its business relationships with subscribers and other entities.

(b) There is strong incentive, on the other hand, for a certificate policy to apply more broadly than to just a single organization. If a particular certificate policy is widely recognized and imitated, it has great potential as the basis of automated certificate acceptance in many systems, including unmanned systems and systems that are manned by people not independently empowered to determine the acceptability of different presented certificates."

Another example is from the Model Certificate Policy: Part A ~ Introduction and Approach, by the USA Government Information Technology Services, Federal PKI Steering Committee, Legal Policy Working Group, 1998. This document claims that a CP and a CPS differ in terms of: authorship, purpose, specificity, and approach. These differences are summarized in the table below.

Sample Clauses Illustrating the Difference (From: Model Certificate Policy: Part A ~ Introduction and Approach, Government Information Technology Services, Federal PKI Steering Committee, Legal Policy Working Group, 1998)

[ A.1.2.3 ] Summary of the Different Uses of a CPS vs a CP