You can own and operate a Digi-CA™ system without ever putting in place any statutory documents or standards compliance and many organisations because their application is commercial and doesn’t need third part accreditation. ‘Best Practice’ means you should consider having a CP and we would recommend the following:
Having specific fields added to your certificates is normally not required unless you are seeking accreditation or are issuing to millions of users and is a common practice when considering National IDs, e Passports, Health IDs, etc. At the deepest level, this may include Object ID [OID] fields and the need to register these OIDs with the Internet Assigned Numbers Authority [IANA]. Digi-CAST1™ will advise you on this should it be required and carry out this level of customisation and registration where appropriate.
|Expiry Date:||2007-02-14 00:00:00 GMT|
|Invited on:||2006-02-02 17:40:17 GMT|
|Invitation Name:||Mary Brown|
|Requested on:||2006-02-02 18:51:09 GMT|
|Approved on:||2006-02-12 18:55:52 GMT|
|Activated on:||2006-02-13 19:00:33 GMT|
|Common Name:||Bob Smith|
|Locality/City:||Pompano Beach, FL|
|Secret Question:||Favourite pet's name?|
|Secret Answer:||Johnny Cash|
The CP for the Digi-CA™ is an important document because it clearly identifies the processes and procedures of your CA operation in a single document. It also adds to the credibility, security and acceptance when getting the people to accept and use your digital certificates. There is a standard recognised format for writing a CP but we suggest that you don’t need to follow this RFC format unless your CA requires certification or accreditation.
In sub section 220.127.116.11, the CP is the ‘Who, What, Where and How’ document that describes the principles of the Digi-CA™ usage and how they are to be distributed. This CP is agreed before the Digi-CA™ is operational and all certificates must then be deployed in accordance with the CP.
CPS control using your own CPS is only required if you are building a Trust Centre using Digi-CA™ Server Xg. The CPS should follow the RFC 2527 format in compliance with European Telecommunications Standards Institute [ETSI] 101 456. The Digi-CAST1™ Team will advise your legal technical teams on the best approach using these internationally recognised standards.
Creating your own CPS is a time consuming and complex process that will require several specialist consultants and may take several months to complete. Referencing an existing CPS such as the one used by Digi-Sign is probably the most practical approach. You should only consider drafting your own CPS if you are setting up a national or international Trust Centre.