2 - Policies and documentation

Documented policies plays an important role in the secure and consistent management of the PKI. The goal is to minimize financial and operational threats and risks in the digital world. Well-described policies and security measures increase overall trust in the ecosystem of trust services and are a condition for successful operation. The basis for these matters lies in relevant laws and regulations, international standards and best practices.

It consists of:

  • formal policies and practice statements for supported PKI services and use-cases
  • formal management of agreements between parties involved in the PKI
  • certificate and key management rules
  • roles and responsibilities in the management of the PKI
  • documented disclosure statements
  • maintenance and review of policies and documentation
  • code of practice for information security management, techniques and risk management

Properly documented policies keeps the PKI assets trusted over the time and serves as a basis for integrated processes and procedures. It is a living management system that is continuously updated and changed as technologies, security, and compliance requirements change.

The Certificate Policy (CP) defines the overall policies and requirements of a PKI, the Certification Practice Statement (CPS) provides detailed operational procedures followed by the Certification Authority (CA), and the disclosure statement offers transparency about the CA’s identity and services to relying parties.

Category maturity levels description

Maturity levelDescription
1 - InitialThere are no or limited policies and documentation.
2 - BasicThe scope of policies is defined. Documented policies are not in the full scope and are not fully implemented and followed.
3 - AdvancedDocumentation and policies are in the full scope implemented, including CP and CPS.
4 - ManagedDisclosure of information contains all relevant policies and documentation. CP and CPS are published and available. There is a documentation management in place that covers the policies and documentation.
5 - OptimizedPolicies are periodically reviewed and updated according to the changes in the PKI and its environment, and organizational strategy and goals. Policies are followed and enforced, communicated and understood.

Requirements

#RequirementWeight
1The scope of policies is defined and documented2
2Certificate Policy is documented and published5
3Certification Practice Statement is documented and published5
4Disclosure statement is documented and published4
5Policies are periodically reviewed and updated3

Details

The scope of policies is defined and documented

Guidance

Each PKI implementation and use case is different, therefore it requires different care. The scope of policies that are applicable for the implementation should be defined and documented. When the proper description of the policies scope is provided, it helps all parties involved to understand the purpose of the policies and their applicability.

The scope can include the following:

  • Identification of the policies required for the implementation
  • Reasoning why the policies are required or not required
  • Structure of policies and documentation
  • List of policies with references, versions, etc.
  • Any other relevant information

Assessment

  • The scope of policies is defined and documented
  • The scope of policies is complete
  • Interview with the management and PKI responsible personnel to confirm the scope

References

Certificate policy is documented and published

Guidance

Certificate Policy (CP) is used to establish the controls of the issuing party and the roles and responsibilities of its entities for the specific PKI implementation and use case. It’s used to provide assurance to partners and show the trustworthiness by the use of standards. It can be considered as a high level contract between the parties involved in the PKI and therefore should be published and available to all parties involved.

CPs are described in a document form where the content may differ. Multiple policies can be part of a single document for different use cases. A CP contains a set of rules that indicates the applicability of a certificate to a particular community and/or class of applications with common security requirements or level of security (for instance certificates for the purpose of: persons, domains, organizations, authenticity and confidentiality, services). To uniquely identify the purpose of the certificates the CP contains unique numbers (Object Identifier, OID) which needs to be registered.

In general a CP addresses the following items:

  • Types of certificates
  • Document name and identification
  • PKI participants
  • Certificate usage
  • Policy administration
  • Definitions
  • Publication and repository responsibilities
  • Identification and authentication
  • Certificate life-cycle operational requirements
  • Facility management and operational controls
  • Technical security controls
  • Certificate, CRL, and OCSP profiles
  • Compliance audit and other assessments
  • Other business and legal matters

Assessment

  • The CP is properly documented in its full scope
  • The CP clearly defines the scope of the policy, such as the purpose of the security and assurance levels, the type and use of its certificates and parties involved
  • The legal rights and responsibilities of parties are described in the CP
  • CP has listed correct object identifiers for the purpose it’s used for
  • Verify that the CP is published and available to all parties involved
  • Interview with the management and PKI responsible personnel to confirm the CP is accurate and followed

References

Certification practice statement is documented and published

Guidance

In addition to a CP, there is typically a Certification Practice Statement (CPS). While a CP is more at a strategic level, detailed information about how things should be carried out is part of a CPS (tactical level). The CP and CPS can be combined into a single managed document, however they are typically split for most of the PKI implementations for better orientation.

The CPS covers the same items as the CP, but includes technical detail of how the CP is implemented. All parties involved in the PKI should be aware of the CPS and follow it. The CPS is a living document that is continuously updated and changed as technologies, security, and compliance requirements change.

Assessment

  • The CPS is properly documented in its full scope
  • CPS is published and available to all parties involved
  • Interview with the management and PKI responsible personnel to confirm the CPS is accurate and followed
  • Confirm that the information in the CPS is consistent with the information in the CP

References

Disclosure statement is documented and published

Guidance

The disclosure statement (DS) is a document that describes the PKI and its services. It refers to a document that discloses the relevant information about the CA and its services to the relying parties.

It typically includes information like:

  • CA’s identity, legal status, and contact information
  • Certificate types, verification procedures and compliance with standards
  • Reliance limits
  • Obligations of the CA and the relying parties
  • Warranty and liability limitations
  • Agreement, CP and CPS
  • Privacy policy
  • Refund policy and claims
  • Information on audit and compliance

The purpose of a DS is to provide transparency to relying parties, allowing them to assess the trustworthiness and reliability of the CA before relying on its certificates.

Assessment

  • The DS is properly documented in its full scope
  • DS is published and available to all parties involved
  • Interview with the management and PKI responsible personnel to confirm the DS is accurate
  • Confirm that the information in the DS is consistent with the information in the CP and CPS

References

Policies are periodically reviewed and updated

Guidance

Policies are living documents that are continuously updated and changed as technologies, security, and compliance requirements change. The policies should be reviewed and updated periodically. The frequency of review should be determined by the organization. Good practice is to review policies at least annually or when there are significant changes in the PKI or its environment.

Assessment

  • The policies are reviewed and updated periodically
  • Check the last review date of the policies
  • Implementation of review process
  • Validation of documentation and reviews
  • Interview with the management and PKI responsible personnel to confirm the policies are reviewed and updated periodically

References

Participate in our community discussions and/or join the consortium