
RFC 3647

Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

Pages: 94
Obsoletes:  2527
Part 4 of 4 – Pages 88 to 94


9. References

   [ABA1] American Bar Association, Digital Signature Guidelines: Legal
          Infrastructure for Certification Authorities and Secure
          Electronic Commerce, 1996.

   [ABA2] American Bar Association, PKI Assessment Guidelines, v0.30,
          Public Draft For Comment, June 2001.

   [BAU1] Michael. S. Baum, Federal Certification Authority Liability
          and Policy, NIST-GCR-94-654, June 1994, available at

   [ETS]  European Telecommunications Standards Institute, "Policy
          Requirements for Certification Authorities Issuing Qualified
          Certificates," ETSI TS 101 456, Version 1.1.1, December 2000.

   [GOC]  Government of Canada PKI Policy Management Authority, "Digital
          Signature and Confidentiality Certificate Policies for the
          Government of Canada Public Key Infrastructure," v.3.02, April

   [IDT]  Identrus, LLC, "Identrus Identity Certificate Policy" IP-IPC
          Version 1.7, March 2001.

   [ISO1] ISO/IEC 9594-8/ITU-T Recommendation X.509, "Information
          Technology - Open Systems Interconnection: The Directory:
          Authentication Framework," 1997 edition. (Pending publication
          of 2000 edition, use 1997 edition.)

   [PEM1] Kent, S., "Privacy Enhancement for Internet Electronic Mail:
          Part II: Certificate-Based Key Management", RFC 1422, February

   [PKI1] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509
          Public Key Infrastructure Certificate and Certificate
          Revocation List (CRL) Profile", RFC 3280, April 2002.

   [CPF]  Chokhani, S. and W. Ford, "Internet X.509 Public Key
          Infrastructure, Certificate Policy and Certification Practices
          Statement Framework", RFC 2527, March 1999.

10. Notes

   1.  A paper copy of the ABA Digital Signature Guidelines can be
       purchased from the ABA.  See for ordering details.  The DSG may
       also be downloaded without charge from the ABA website at

   2.  A draft of the PKI Assessment Guidelines may be downloaded
       without charge from the ABA website at

   3.  The term "meaningful" means that the name form has commonly
       understood semantics to determine the identity of a person and/or
       organization.  Directory names and RFC 822 names may be more or
       less meaningful.

   4.  The subject may not need to prove to the CA that the subject has
       possession of the private key corresponding to the public key
       being registered if the CA generates the subject's key pair on
       the subject's behalf.

   5.  Examples of means to identify and authenticate individuals
       include biometric means (such as thumb print, ten finger print,
       and scan of the face, palm, or retina), a driver's license, a
       credit card, a company badge, and a government badge.

   6.  Certificate "modification" does not refer to making a change to
       an existing certificate, since this would prevent the
       verification of any digital signatures on the certificate and
       cause the certificate to be invalid.  Rather, the concept of
       "modification" refers to a situation where the information
       referred to in the certificate has changed or should be changed,
       and the CA issues a new certificate containing the modified
       information.  One example is a subscriber that changes his or her
       name, which would necessitate the issuance of a new certificate
       containing the new name.

   7.  The n out of m rule allows a private key to be split in m parts.
       The m parts may be given to m different individuals.  Any n parts
       out of the m parts may be used to fully reconstitute the private
       key, but having any n-1 parts provides one with no information
       about the private key.
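The n out of m rule described in note 7 is usually realized with Shamir's threshold secret sharing: the key is the constant term of a random polynomial of degree n-1 over a prime field, each of the m holders receives one point on that polynomial, and any n points recover the constant term by Lagrange interpolation while n-1 points are consistent with every possible key. The following is an added illustration written for this page, not code from RFC 3647 or any particular CA product; the function names (`split_secret`, `recover_secret`, `secret_distribution`), the field prime and the toy parameters are my own choices, and the mapping of a real private key into a field element is left out.

```python
"""Shamir's (n, m) threshold secret sharing over a prime field (added example)."""
import itertools
import secrets

# Mersenne prime 2^127 - 1: a field large enough to hold a 16-byte key fragment.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x, p):
    """Evaluate a polynomial (coefficients low-to-high) at x modulo p (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def split_secret(secret, n, m, p=PRIME):
    """Split an integer secret into m shares so that any n reconstruct it."""
    if not 0 < n <= m < p:
        raise ValueError("need 0 < n <= m < p")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in the field")
    # Degree n-1 polynomial: constant term is the secret, the other n-1
    # coefficients are uniformly random.  Share i is the point (i, f(i)).
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, m + 1)]


def recover_secret(shares, p=PRIME):
    """Reconstruct f(0) by Lagrange interpolation over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # pow(den, -1, p) is the modular inverse of den (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def secret_distribution(shares, n, p):
    """Count, for every candidate secret, the degree n-1 polynomials over
    GF(p) that agree with the given n-1 shares.

    A flat count means the n-1 shares are equally consistent with every
    secret, i.e. they reveal nothing.  Brute force: only for a toy prime.
    """
    if len(shares) != n - 1:
        raise ValueError("pass exactly n-1 shares")
    counts = {s: 0 for s in range(p)}
    for coeffs in itertools.product(range(p), repeat=n):
        if all(_eval_poly(coeffs, x, p) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return counts


if __name__ == "__main__":
    # Toy parameters (constructed): 3 of 5 over GF(13), secret 7.
    toy = split_secret(7, 3, 5, 13)
    print("any 3 of 5 recover:", recover_secret(toy[:3], 13) == 7)
    print("2 shares, polynomials per candidate secret:",
          secret_distribution(toy[:2], 3, 13))
    # Realistic field: 3 of 5 over the 127-bit prime.
    real = split_secret(0xDEADBEEF, 3, 5)
    print("recovered:", hex(recover_secret(real[1:4])))
```

With the toy parameters the distribution comes back as one polynomial per candidate secret, which is the computational form of the statement that n-1 parts "provide one with no information"; the large-prime run shows the same split and recovery at a size suitable for real key material.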

   8.  A private key may be escrowed, backed up, or archived.  Each of
       these functions has a different purpose.  Thus, a private key may
       go through any subset of these functions depending on the
       requirements.  The purpose of escrow is to allow a third party
       (such as an organization or government) to obtain the private key
       without the cooperation of the subscriber.  The purpose of back
       up is to allow the subscriber to reconstitute the key in case of
       the destruction or corruption of the key for business continuity
       purposes.  The purpose of archives is to provide for reuse of the
       private key in the future, e.g., use to decrypt a document.

   9.  WebTrust refers to the "WebTrust Program for Certification
       Authorities," from the American Institute of Certified Public
       Accountants, Inc., and the Canadian Institute of Chartered

   10. See <>.

   11. All or some of the following items may be different for the
       various types of entities, i.e., CA, RA, and end entities.

11. List of Acronyms

   ABA   - American Bar Association
   CA    - Certification Authority
   CP    - Certificate Policy
   CPS   - Certification Practice Statement
   CRL   - Certificate Revocation List
   DAM   - Draft Amendment
   FIPS  - Federal Information Processing Standard
   I&A   - Identification and Authentication
   IEC   - International Electrotechnical Commission
   IETF  - Internet Engineering Task Force
   IP    - Internet Protocol
   ISO   - International Organization for Standardization
   ITU   - International Telecommunications Union
   NIST  - National Institute of Standards and Technology
   OID   - Object Identifier
   PIN   - Personal Identification Number
   PKI   - Public Key Infrastructure
   PKIX  - Public Key Infrastructure (X.509) (IETF Working Group)
   RA    - Registration Authority
   RFC   - Request For Comment
   URL   - Uniform Resource Locator
   US    - United States

12. Authors' Addresses

   Santosh Chokhani
   Orion Security Solutions, Inc.
   3410 N. Buchanan Street
   Arlington, VA 22207

   Phone:  (703) 237-4621
   Fax:    (703) 237-4920
   EMail:

   Warwick Ford
   VeriSign, Inc.
   6 Ellery Square
   Cambridge, MA 02138

   Phone:  (617) 642-0139
   EMail:

   Randy V. Sabett, J.D., CISSP
   Cooley Godward LLP
   One Freedom Square, Reston Town Center
   11951 Freedom Drive
   Reston, VA 20190-5656

   Phone:  (703) 456-8137
   Fax:    (703) 456-8100
   EMail:

   Charles (Chas) R. Merrill
   McCarter & English, LLP
   Four Gateway Center
   100 Mulberry Street
   Newark, New Jersey 07101-0652

   Phone:  (973) 622-4444
   Fax:    (973) 624-7070
   EMail:

   Stephen S. Wu
   Infoliance, Inc.
   800 West El Camino Real
   Suite 180
   Mountain View, CA  94040

   Phone:  (650) 917-8045
   Fax:    (650) 618-1454

13. Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.