Certificate Policies
A Certificate Policy (CP) is defined in the Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 3647) as "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements".
When a Certification Authority (CA) issues a certificate, it is making a statement to a certificate user (the relying party) that a particular public key is bound to a particular entity (the certificate subject). How far the relying party should rely on that statement is for the relying party to assess. The Certificate Policy provides the information a relying party can use to decide whether or not to trust a certificate; in an X.509 certificate the applicable policy is asserted as an object identifier (OID) in the certificatePolicies extension.
 
Certificate policies are also used to establish trust relationships between CAs (cross-certification). When CAs issue cross-certificates, one CA assesses and recognizes one or more certificate policies of the other CA, recording the equivalence between its own policy OIDs and the other CA's in the cross-certificate's policyMappings extension.
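The two preceding paragraphs describe what a relying party actually does with a certificate policy: read the policy OIDs the certificate asserts, and decide whether one of them is a policy it accepts, either directly or because a cross-certificate has mapped an accepted policy onto the other CA's equivalent. The following is an added example, not code from the Treasury page or from any Federal PKI component. It DER-encodes and decodes the certificatePolicies and policyMappings extensions (RFC 5280 sections 4.2.1.4 and 4.2.1.5) using only the Python standard library, then applies a simplified version of the RFC 5280 policy-processing decision across a chain of cross-certificates. Every policy OID in it is a constructed placeholder under the ITU example arc 2.999; the real Treasury, Federal Bridge and Common Policy OIDs are not reproduced here. The decision logic is deliberately simplified: it does not build the full valid_policy_tree and it ignores the inhibitAnyPolicy and requireExplicitPolicy constraints.

```python
"""Added example (not from the Treasury page): decode certificatePolicies and
policyMappings and apply a simplified relying-party policy decision.
All 2.999.* OIDs below are constructed placeholders, not real Federal PKI OIDs."""

ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy (real, well-known OID)
SEQUENCE, OID = 0x30, 0x06  # DER universal tags used here


def _base128(v: int) -> bytes:
    """Base-128 encode one OID sub-identifier, high bit set on all but the last octet."""
    chunk = [v & 0x7F]
    v >>= 7
    while v:
        chunk.append((v & 0x7F) | 0x80)
        v >>= 7
    return bytes(reversed(chunk))


def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OBJECT IDENTIFIER; the first two arcs are merged."""
    arcs = [int(a) for a in dotted.split(".")]
    return b"".join(_base128(s) for s in [arcs[0] * 40 + arcs[1]] + arcs[2:])


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, splitting the merged first sub-identifier correctly."""
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])


def encode_tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln


def build_certificate_policies(oids):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation (qualifiers omitted)."""
    return encode_tlv(SEQUENCE, b"".join(
        encode_tlv(SEQUENCE, encode_tlv(OID, encode_oid(o))) for o in oids))


def parse_certificate_policies(der: bytes):
    """Return the list of policy OIDs asserted by a certificatePolicies extension value."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, info, pos = read_tlv(body, pos)
        t2, oid_body, _ = read_tlv(info, 0)  # policyIdentifier; qualifiers ignored
        if t != SEQUENCE or t2 != OID:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids


def build_policy_mappings(pairs):
    """policyMappings ::= SEQUENCE OF SEQUENCE { issuerDomainPolicy, subjectDomainPolicy }."""
    return encode_tlv(SEQUENCE, b"".join(
        encode_tlv(SEQUENCE, encode_tlv(OID, encode_oid(i)) + encode_tlv(OID, encode_oid(s)))
        for i, s in pairs))


def parse_policy_mappings(der: bytes):
    """Return [(issuerDomainPolicy, subjectDomainPolicy), ...] from a policyMappings value."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("policyMappings must be one SEQUENCE")
    pairs, pos = [], 0
    while pos < len(body):
        t, pair, pos = read_tlv(body, pos)
        t_i, iss, p2 = read_tlv(pair, 0)
        t_s, sub, _ = read_tlv(pair, p2)
        if (t, t_i, t_s) != (SEQUENCE, OID, OID):
            raise ValueError("malformed policy mapping")
        pairs.append((decode_oid(iss), decode_oid(sub)))
    return pairs


def acceptable(cert_policies, accepted_policies, path_mappings=()):
    """Simplified RFC 5280 6.1 decision: start from the policies the relying party
    accepts in its own domain, translate them through each cross-certificate's
    policyMappings in path order (unmapped policies carry over unchanged), and
    accept the end-entity certificate if it asserts one of the resulting policies.
    anyPolicy in the certificate is accepted outright (inhibitAnyPolicy not modelled)."""
    if ANY_POLICY in cert_policies:
        return True
    current = set(accepted_policies)
    for mappings in path_mappings:
        mapped_from = {iss for iss, _ in mappings}
        current = ({sub for iss, sub in mappings if iss in current}
                   | {p for p in current if p not in mapped_from})
    return bool(current & set(cert_policies))


# Constructed placeholder OIDs (hypothetical; 2.999 is the ITU example arc).
TREAS_MEDIUM = "2.999.1.1"   # stands in for a Treasury medium-assurance policy
TREAS_HIGH = "2.999.1.2"
BRIDGE_MEDIUM = "2.999.2.1"  # stands in for the equivalent Federal Bridge policy
AGENCY_MEDIUM = "2.999.3.1"  # stands in for another agency's equivalent policy
AGENCY_BASIC = "2.999.3.2"

if __name__ == "__main__":
    # Relying party in Treasury's domain accepts TREAS_MEDIUM only. Path:
    # Treasury CA -> Bridge (maps TREAS_MEDIUM to BRIDGE_MEDIUM)
    #   -> other agency CA (maps BRIDGE_MEDIUM to AGENCY_MEDIUM) -> end entity.
    path = [parse_policy_mappings(build_policy_mappings([(TREAS_MEDIUM, BRIDGE_MEDIUM)])),
            parse_policy_mappings(build_policy_mappings([(BRIDGE_MEDIUM, AGENCY_MEDIUM)]))]
    ee = parse_certificate_policies(build_certificate_policies([AGENCY_MEDIUM]))
    print("cross-certified medium policy accepted:", acceptable(ee, {TREAS_MEDIUM}, path))
    ee2 = parse_certificate_policies(build_certificate_policies([AGENCY_BASIC]))
    print("unmapped basic policy accepted:", acceptable(ee2, {TREAS_MEDIUM}, path))
```

Against the constructed path, the end-entity certificate asserting AGENCY_MEDIUM is accepted because two mappings chain back to the one Treasury policy the relying party trusts, while AGENCY_BASIC is refused because no cross-certificate recognizes it. A production validator uses the full RFC 5280 algorithm (or a library that implements it) rather than this reduced check; the example is only meant to make visible what "recognizing another CA's policy" means at the byte level.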
 
Treasury's PKI establishes an effective trust model by strict adherence to the policies that govern the infrastructure. These policies are as follows:
 
												
												
												
												
												Treasury X.509 Certificate
												Policy (CP): As required by
												 [TREAS-CP] provides
												detailed policies governing the
												issuance and use of digital
												certificates. Specifically, this
												includes:
													
 Definition of trusted roles and their responsibilities in maintaining the PKI;Compliance audit parameters;Naming standards for certificates;Certificate and key lifecycle management;Records archival;Disaster recovery procedures;Security controls; andCertificate and Certificate Revocation List (CRL) profiles.
 
												
												
												
												Federal Bridge Certificate Authority CP & Common Policy Framework Certificate Policy:
													
													
 Federal Bridge X.509 CP: [FBCA-CP] provides policies that are mapped to Treasury's own, to ensure that Treasury may continue to trust, and be trusted by, other Federal agencies.
 Common Policy X.509 CP: As the name implies, [COMMON-CP] provides a set of common policy requirements that must be met by all Federal agencies for PIV and other purposes, as directed in [FIPS-201]. Note that many of these requirements are already met through Treasury's current policy; those that are not are identified in this document and addressed through future revisions to Treasury's own policy. |  |  |  |  |    |