Certificate Practice Statements and Certificate Policies, Essay Example
A search of the internet for Certificate Practice Statements and Certificate Policies published by particular organizations gave a sense of the restrictions they establish. The statements that were researched include those of X.509 Certification Authority, DigiCert, Entrust, and Starfield Technologies. Right away, the differences in approach were obvious. Some companies spend a lot more resources and words on the description of their policies, while others spend much less. As such, certain questions may be answered, but few generalizations may be made based on the sources investigated.
The first question is: Based on what is read and known, do they seem adequate? Collectively they do seem adequate. Indeed, it is the challenge of any such policy to tie up any loopholes, but without including supporting case law, it is unrealistic to say that any are failsafe. Nevertheless, each seems to focus on certain risks. The PKI-Lite Certification policy is perhaps the most lacking of the four that have been researched (2005). It might be because “Lite” versions of software and supporting infrastructure tend to be geared toward the academic and student community, and the PKI-Lite Certification addresses these entities specifically. Furthermore, because such student versions of software and supporting infrastructure (particularly across the Web) are not normally used for long-term commercial prospects, and because learners tend to make more unintentional errors with respect to such policies, it would stand to reason that PKI-Lite’s policy statement is, well, lite.
The second question is: Have any weaknesses that should be addressed been obviated? On the contrary, some of the reviewed policies seem like overkill. Take the DigiCert policy. It seems nearly fascist in some respects. It states that the end-user may request a revocation of certification in writing and with sufficient cause, but DigiCert itself may revoke a certification for no reason whatsoever (2009). This raises another question: what is the business logic behind such a stern and potentially abused policy? Of the four researched statements, Starfield Technologies’s seems the most even-handed (2007). It is clear and concise, neither too short nor too long, and addresses major concerns of the certifiers. Entrust’s policy seems to follow suit with respect to the brevity and specificity of the message (Boeyen, 1997). It was interesting to note that one of the statements specifically stated that the service was not sufficient for projects that require comprehensive safety mechanisms such as the airline industry.
Still, the question remains: why do some companies make such a big deal of certification statements while others seem uninterested and still others fall somewhere in between? The search for Certificate Practice Statements and Certificate Policies published by organizations gave a sense of the established restrictions. Companies do not want their certifications to be misused. Some companies seem to want the restrictions to be so tough that ownership is easily revoked. It is understandable that some protections are necessary while others seem like overkill.
Boeyen, Sharon. Certificate Policy and Certification Practice Statement. Feb. 1997. Web. June 13, 2012. <http://www.entrust.com/resources/pdf/cps.pdf>
DigiCert. Certificate Policy and Certification Practice Statement. May 29, 2009. Web. June 13, 2012. <http://www.digicert.com/docs/cps/DigiCert_CPS.pdf>
Starfield Technologies, Inc. Certificate Policy and Certification Practice Statement. January 9, 2007. Web. June 13, 2012. <https://certificates.godaddy.com/repository/StarfieldCP-CPS_V20.pdf>
Walsey, David. X.509 Certification Authority Policy & Practices: Higher Education PKI-Lite. April 5, 2005. Web. June 13, 2012. <http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.html>