Certification Practice Statement Explained

A Certification Practice Statement (CPS) is a document from a certificate authority or a member of a web of trust which describes their practice for issuing and managing public key certificates.^[1]

Some elements of a CPS include documenting practices of:

• issuance
• publication
• archiving
• revocation
• renewal

By detailing the practice of issuance, revocation and renewal, a CPS aids entities in judging the relative reliability of a given certificate authority.^[2]

Certificate authorities

See main article: Certificate authority. In a certificate authority, the CPS should derive from the organization's certificate policy and may be referenced in issued certificates.^[3]

Web of trust

See main article: Web of trust. Because individuals act as certifiers in a web of trust, individual CPS documents are sometimes used. For example, in a PGP WoT, the CPS might state that the certifying entity checked two forms of legal government ID before signing the person's public key.

Digital signatures

See main article: Digital signature. When verifying digital signatures, it's necessary to review the CPS so as to determine the meaning of the issuance of the certificate by the certifying entity.^[4]

External links

• Microsoft.com "Creating Certificate Policies and Certificate Practice Statements"
• Security policy
• Example of a CPS for a Web of Trust: http://www.grep.be/gpg/cert-policy-v2

Notes and References

1. Web site: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework . RFC 3647 . 15 . November 2003 . IETF.
2. American Bar Association Digital Signature Guidelines 1996, (section 1.8.1)
3. Web site: Creating Certificate Policies and Certificate Practice Statements .
4. American Bar Association Digital Signature Guidelines 1996,