3.4.3 Policy Certification Authorities

The policy statement submitted by a prospective PCA must address the topics in the following outline. Additional policy information may be contained in the statement, but PCAs are requested not to use these statements as advertising vehicles.

1. PCA Identity The DN of the PCA must be specified. A postal address, an Internet mail address, and telephone (and optional fax) numbers must be provided for (human) contact with the PCA. The date on which this statement is effective, and its scheduled duration must be specified.

2. PCA Scope Each PCA must describe the community which the PCA plans to serve. A PCA should indicate if it will certify organizational, residential, and/or PERSONA CAs. There is not a requirement that a single PCA serve only one type of CA, but if a PCA serves multiple types of CAs, the policy statement must specify clearly how a user can distinguish among these classes. If the PCA will operate CAs to directly serve residential or PERSONA users, it must so state.

3. PCA Security & Privacy Each PCA must specify the technical and procedural security measures it will employ in the generation and protection of its component pair. If any security requirements are imposed on CAs certified by the PCA these must be specified as well. A PCA also must specify what measures it will take to protect the privacy of any information collected in the course of certifying CAs. If the PCA operates one or more CAs directly, to serve residential or PERSONA users, then this statement on privacy measures applies to these CAs as well.

4. Certification Policy Each PCA must specify the policy and procedures which govern its certification of CAs and how this policy applies transitively to entities (users or subordinate CAs) certified by these CAs. For example, a PCA must state what procedure is employed to verify the claimed identity of a CA, and the CA's right to use a DN. Similarly, if any requirements are imposed on CAs to validate the identity of users, these requirements must be specified. Since all PCAs are required to cooperate in the resolution of potential DN conflicts, each PCA is required to specify the procedure it will employ to resolve such conflicts. If the PCA imposes a maximum validity interval for the CA certificates it issues, and/or for user (or subordinate CA) certificates issued by the CAs it certifies, then these restrictions must be specified.

5. CRL Management Each PCA must specify the frequency with which it will issue scheduled CRLs. It also must specify any constraints it imposes on the frequency of scheduled issue of CRLs by the CAs it certifies, and by subordinate CAs. Both maximum and minimum constraints should be specified. Since the IPRA policy calls for each CRL issued by a CA to be forwarded to the cognizant PCA, each PCA must specify a mailbox address to which CRLs are to be transmitted. The PCA also must specify a mailbox address for CRL queries. If the PCA offers any additional CRL management services, e.g., archiving of old CRLs, then procedures for invoking these services must be specified. If the PCA requires CAs to provide any additional CRL management services, such services must be specified here.

6. Naming Conventions If the PCA imposes any conventions on DNs used by the CAs it certifies, or by entities certified by these CAs, these conventions must be specified. If any semantics are associated with such conventions, these semantics must be specified.

7. Business Issues If a legal agreement must be executed between a PCA and the CAs it certifies, reference to that agreement must be noted, but the agreement itself ought not be a part of the policy statement. Similarly, if any fees are charged by the PCA this should be noted, but the fee structure per se ought not be part of this policy statement.

8. Other Any other topics the PCA deems relevant to a statement of its policy can be included. However, the PCA should be aware that a policy statement is considered to be an immutable, long lived document and thus considerable care should be exercised in deciding what material is to be included in the statement.